
Okay. So, yeah, thank you, Patrick. So next up, we're going to get to Stefan, who's going to be talking about security frameworks and zero trust, right? Perfect. Go ahead. Do I need to turn this on, or does he turn it on right away? Awesome. Can you hear me? There you go. Thank you. Am I going to get feedback with this? Maybe. Yeah, I'm just going to get him to turn off the mic. Sure. Yeah.

Good morning, everybody. How's everybody doing? Good. Awesome. It was a good talk, so thank you, Patrick, for doing this. It's really good information. So I want to talk about, I guess, a bit alongside of what he's mentioned regarding the lateral movement and all that. I want to talk about identities, right? And how we manage these as it relates to security. So when a hacker is actually going through, doing his attacks and getting that persistence and doing that lateral movement, I want to focus on that and how we actually raise awareness for companies that are not looking at this right now. So it is a bit of a, I guess, a maturity model, right? You want to protect the organization first, you want to have an EDR solution, you want to have an AV solution in place, and then what? So we're going to talk about that this morning. Sorry, I'm going to go over this.

So I've been doing this for about 20 years. Prior to CrowdStrike, I did about eight years at Microsoft and 10 years at VMware. I've been doing endpoint security for a very long time. I know I'm old. I was actually doing security for Windows 95. There was no security in 95, but we still had to do it, right? And even though I'm from Montreal, I don't have a French to English translator. So if you don't understand me, just, you know, come to our booth and I've got somebody that speaks really good English. And I'm a huge basketball fan.

So what I want to talk about is the challenges that have been, I guess, accelerated with the pandemic, when we had devices that had to come online for your organization faster than expected. It's not a recent problem, right? I've been talking about BYOD for at least eight years, if not more. When I was at VMware, we were talking about allowing people to bring their own device and connect it to a corporate asset, or you doing virtualization and having a desktop that was secure and their asset would be just a jump point. But that asset is still connected to the network, right? So Frost and Sullivan had some, I guess, good, interesting feedback where it is saying the number of devices connected to our environment, so our corporate environment, is going up non-stop.

All right, so I want to ask you a question. If I would ask you today, how many devices do you have with you that are used for either work or personal that might be used for work? So let's do one. Who has only one? You have only one? You're now an exception. So who has two devices? Three. So we're getting more on the average, right? Three, four. Four or more, just go in the water and you'll sink. So, you know, we see that the number of devices people have to support is just going up, right? Funny enough, when I was talking about BYOD way back when, you know, one device was more than enough for everything, right? And now we're just ease of use. You know, I want an iPad, I want a phone, I want a couple of laptops, a work machine, a home machine. Like, these devices are connected. So it's just a bigger footprint for the hackers to actually attack the weaker factor, right? The people that are working from home that need to connect remotely. And you don't have to raise your hand, because that's a bit of a tricky question, but have you ever done war driving? It's still a thing today. We still have people doing war driving in neighborhoods and just trying to get stuff. And now these see, okay, well, I can also get to people's Wi-Fi, and oh, by the way, I get access to a CFO laptop because his home Wi-Fi security is crap, right? So it's getting more and more like those remote connectivity, those remote machines that need to be corporately connected need to be secured, right?

So if you have a good AV solution in place, if you have an EDR solution in place, that's fine. How do we actually get to the next level, where we actually validate that the people using those assets are the right people, and they should always be using those assets and those assets only to do the work they're supposed to do? I don't know Robert, but Robert's maybe somebody that's actually helping me out on the weekend, and he's an admin. But should he be connecting to an Exchange server at midnight on a Saturday night? If he is, I might want to challenge that. I'm paying him for doing this 9 to 5 during the week. So why is he doing this in the evenings? So there might be a crisis, you know, it could happen, but I need to be able to see that. Like, is he the right guy doing this at the right time for the right reasons, or is he a guy that's gone rogue, or maybe he actually lost his account or somebody was able to impersonate his account and do something he's not supposed to do? We need to be able to see this. So what we're hoping is to raise awareness that the people doing what they're doing are the right people and not a hacker that's impersonating an account that he was able to abuse. That's where we're trying to go.

So we released a few months ago a global threat report where we were talking about, you know, what's important: of course identities, you know, endpoints, the machines themselves, the workloads and data. So we're doing pretty good. I think people are getting there, and if you're not there yet, it's definitely something you need to do sooner than later. I think people are doing good on the code execution side. People are doing well on protecting the machine itself, protecting the endpoint and looking over what's going on in that machine. So the traditional security solutions that got replaced by the, you know, next thing, I think that's fine. I think we're doing well there. I could be wrong. So feel free to come and see me at the booth and say, no, you're wrong. You know, we're just starting steps. And I gotta say, maybe the US is a bit further ahead than Canada is, but that's what I'm seeing, right? We're getting there from an endpoint and workload perspective, where these machines are usually pretty well protected, but are we looking at the identity? It's hardly managed. And are we protecting that data, that critical data that needs to stay where it's supposed to be?

So that report is free. You don't have to pay for it. It's interesting because this is done by the OverWatch team, our threat hunting team. We have a pro threat hunting team and they do this full-time. So it's something we release every quarter, and we actually talk about what we see in the field. So it's a worldwide team, right? We cover the globe and we have people looking at this non-stop. So we'll tell you, right, in the last three months, here's what we're seeing from these countries, from these groups of hackers. We call them adversaries, and this is what's going on right now. And this could be a trend that we see in a different country that might be coming to Canada for healthcare or that might be coming to Canada for retail. We have that information. We actually release this publicly. It's not something we charge for. It's a free report.

But we see more and more, like Patrick was saying, we see more and more hackers actually using living-off-the-land built-in tools. So built-in tools, if you're using traditional solutions, those tools are not something that will raise a detection, right? Or that will trigger something. If it's a tool that's built into the OS that's used by valid credentials, in a lot of cases it'll go quiet, right? Nobody will see it, or at least it won't raise a detection. So we need to find ways to be able to, without blocking the people that still legally, not legally, but that still need to use it, we need to be able to block the bad people from using it, if that makes sense. So that percentage is actually increasing. We're seeing a trend where, we call them malware-less attacks, right? It's getting more and more because the hackers are evolving. We need to evolve as well, right? They're getting better at using tools that are built into the system. We need to be better at actually blocking them from using those tools where they're not supposed to.

The other one that's good, that's also released on our site, that's free, you can pull down: Gartner pulled out a report about identity detection and prevention. This is something that's big. This is something that we see increasing. That's why I wanted to talk about this today. You know, it's been increasing since the beginning of the pandemic, but it's actually accelerating over the last couple of months. I guess timing-wise, you know, the bad actors, the adversaries we saw from Eastern Europe started this alongside, a few months before the Ukraine invasion, right? So January, February time frame, and it is increasing. Now, Canada is sort of lucky because we're a smaller target, but that's not going to stop the bad people, right? If these things are interesting to them, if there might be some monetization they can do, they'll come after us. They'll come after the organizations in Canada. So we're not in a fight yet. You know, they're focused more on the Eastern European countries, but, you know, nothing is stopping them from just opening up a door if that door is open and just going through. And we need to be able to make sure that we can see and manage and protect those identities. It is key to the enterprise. It is key to what you are allowed to do.

So when you log into your system, you're using an identity, right? Everybody needs an identity to log into a corporate system. So is that identity always monitored? When I log in, sure, you know, I have a Windows event log, or I have a Mac, I have Linux, whatever I'm using, Red Apps, whatever that is. I track that information. I know what's going on with my identity. But how are you checking if, you know, Jodi, who works with me, or Patrick, if those people tomorrow morning are, you know, pissed at the company and they want to say, you know what, I'm going to grab everything and I'm going to go? Are we actually able to monitor this? Are we able to say he's doing something, this behavior is not normal, he's supposed to do this during the week, we have a defined role, we know what he's doing or she's doing, and they're not doing what they're supposed to do, so what's going on? And can we actually see it, or are we completely blind because they have valid credentials? That's pretty critical.

So those keys are being stolen from the company, right? They'll be stolen, and it'll be something as simple as what Patrick mentioned, through a phishing email, not even spear phishing, or it'll be a brute force password spraying, right? We're talking about Mimikatz and doing LSASS dumping. You know, those rainbow table hashes, those rainbow table dictionaries, they're sold on the dark web and they're constantly being updated. There's actually a really big market to actually get those databases, right? They used to be sold, and it's funny because, I'm going to show my age now, but France was a big market for this about 10 years ago, where they were actually selling the rainbow hashes of all the Windows potential passwords on CDs. You could actually mail order the CDs and it would get there, and it was really efficient. You would get it in like two days, and then you would actually do brute force hacking against those CDs. Those groups got caught, but it was just funny, like that hasn't stopped, right? The hackers are just more, well, they're well organized, they're more organized, and they will actually sell you those on the dark web. So we've got to be careful: those brute force password sprayings, when you've got offline SAM, LSASS, you've got those credential dumps, you can get to those, right? So we need to be able to protect those.

So when we actually zoom in on the first couple of steps on the cyber kill chain, we see that in a lot of cases the first steps, you know, when you're getting that initial access and you're getting that execution, they're using valid accounts, right? You see, sorry about the colors, but you see a lot of those steps, they're using valid accounts. They're using accounts that will bypass normal EDR and the AV solutions because they're not triggering anything. We've got to be careful about that. And when we look at the global threat report that we release, we're seeing that, at least from a CrowdStrike perspective with our customers, there's over 80% of those attacks that are starting with identity theft, right? Or identity compromise, whether it be, again, you know, phishing email, password spraying or just dumping LSASS. However that hacker is actually getting their hands on those passwords, they're not starting at the initial access. They're starting way down the cyber kill chain. So it's going up, and it's not stopping and it's not slowing down.

And from an increase perspective, one of the other things we see is a lot more companies have unmanaged hosts, whether that be a legacy system that for some reason needs to stay in the enterprise, like we're talking about medical imaging, that's really a big one. We're talking contractors that are coming in, that you're letting come in because they need to do work for you, but you're not putting all the security tools that you should put on those machines because they're not part of your domains, or depending on what it is. You have a temp worker who's coming in with his own machine; that's a weak spot, right? A legacy host. And then you get valid credentials, and from that they can do lateral movement and compromise even a managed host. We see more and more of that in the last year. In the last 12 months, our threat hunting team has seen an increase of almost 300% of abuse of valid credentials. The hackers are evolving. We need to evolve as well.
We need to be able to block them. We need to find new ways to make sure that they don't, you know, do the bad stuff that they want to do. Does that make sense? Yes. Still, I get it. Is this something that you're able to do, like just by raising hands, is this something that you are thinking about today? Have you started to look at how will I control valid identities within my environment? A few hands. There you go. It is something we need to do. It is something that everybody, you know, from a community standpoint, we need to be able to look at. And kudos if you have projects, kudos if you're already doing it, because I think for Canada we're not far enough in that sector and we need to do more from that standpoint.

So when you talk about the identity and the threat actors, right, their objective is abusing. They want to do broad access, they want to do broad execution and they want to monetize somehow. Monetization for e-crime actors, again: ransomware, money, some sort of extortion. Monetization for state-sponsored, you know, China, Russia, Korea: they want to get some IP. They want to get some credibility. They want to get services down, right? So they want to go wide and go big. So when they get into a system, they'll look around. A hacker gets on a system, he's going to look around. He's going to stay quiet. He's going to try not to disturb anything. He's going to try not to launch tools that will actually trigger detections. So he's going to find out who is he, what does he have access to, where is he trying to go? And, you know, in a lot of cases you're opening up a command prompt, you know, you're doing an AR request. You're looking at stuff that you have access to. Oh, okay, I've got these domain controllers I've got access to. I've got these critical infrastructure servers I can get to. And then he's inside. He doesn't have access yet, but he's able to run those, you know, again, living-off-the-land tools without triggering anything big. That's what he's looking for.

So when we talk about the cyber kill chain, and going back to Patrick's example, right, that initial access and they're doing the discovery, I guess we're usually pretty good at that. But what if the bad person is actually starting at the lateral movement stage? You basically bypassed everything you had put in place from a code execution standpoint. Everything you had, the solutions you put in place to protect yourself, he's bypassed all of that and he's just starting at the lateral movement stage. So from his timelines, what I remember was between the time that the actual patient zero was infected and that lateral movement, it was about two months, just under two months. Two months is a long time for a bad person to be in a system not raising any flags but gathering intel. Nobody wants that. Nobody wants to have that person there for so long, right? Even a few minutes is critical. So when you're talking about two months, and funny enough, what we've seen, and going back to the Frost and Sullivan company, what they've seen in the last 12 months is that the average is actually 250 days of someone being in a system and actually doing full resolution and getting back to green, right? 250 days. It's almost a year before they're actually able to get back to normal. We need to shorten that window.

And how do we do that? Like, we need to be able to protect again the valid identities from being abused. So going back to my little separation, right, the first part is execution, you know, stuff like Mimikatz or doing anything of credential dumping, doing an LSASS dump. You know, when the tool is executing itself, all the traditional solutions on the market will be able to catch that. But if they're not using that, because they don't need to, because they have good identities, then we need to have a solution to cover the last mile, which is hurting the most, right? When he's going from a laptop to an Exchange server or going from a laptop to a DC. That's the part we need to be able to block. But first, we've got to be able to see it. And in a lot of places, people can't see it. They're blind to it. They don't know what's going on. We need to be able to see that part and protect it. I already covered that.

So how's the health of your identity store? And you don't have to answer this, because I know sometimes it's a bit uncomfortable to actually raise your hand for this, but, you know, let me ask you this. How many privileged accounts do you have in your organization? If I ask you tomorrow morning, can you tell me how many privileged accounts you have within your whole organization? Are you able to say, or is it going to take, you know, a day, a week, a month to actually be sure that you have all the answers to that? How long will it take? Can you know at any given point? Why is that? Was there a question? Sorry. Nope.

So how are these privileged accounts being used? You know, Active Directory is awesome. It's been around forever. I gotta say, because it's been around forever, in a lot of cases there's a lot of crap in there, right? And a lot of people don't have activities, projects, people actually cleaning up and looking at this day in, day out. Nobody has the cycles to do this. I could be wrong, right? And so if people have time to do this, you are awesome. It's really, really rare that people will actually go back in on a regular basis, look at what actually is in there and say, "Okay, I need to clean this up. I've got 21 privileged accounts that are me, that I, you know, jointly embedded in three different distribution groups that maybe they shouldn't be embedded into." It's not something that's easy to do, but we have to do it. That's how hackers are getting in. They're taking advantage of these accesses and the fact that it's been around forever. Nobody's cleaning up. Let me take advantage of it. I'm sure I'll reach at some point an account that was going to have enough privilege to get me to that domain controller.

Identify service accounts. Again, the same questions, right? Do you know how many service accounts you have in the enterprise? Identify stale accounts. You know, what's your policy when somebody's actually leaving the organization? What's the policy when an account is not being used for months? What are you doing with this? Is that account going dormant, or is it still accessible? If it's an admin, do you have a different policy for it? So that's something we need to know. That's something that you need to make sure you have in place. And if you do, kudos to you. A lot of people today don't have that, don't have that hygiene on the Active Directory side.

Of course, assess the risks. That's what I talked about, you know, members, group memberships, groups having access to groups having access to groups. You know, it's not the direct access that's going to hurt you. It's the embedded access. It's the ones that you, you know, don't look at because it's, okay, he's part of that group, I'm good with that. And then you find out, oh shoot, that group has Exchange access or SQL Server system access. Oh, I didn't know that, right? Because somebody made that change two years ago and that person left and nobody cleaned up that group membership. That never happens, right? And then, you know, at the end, of course, if you have multiple domains, if you're a big organization and you have multiple stores and they're actually, you know, talking to each other, are there any crossovers? Are you stitching those identities? Are there permissions that are going across those boundaries that might be impacting you? Nothing worse than being infected by somebody you're actually doing business with, or you have a, you know, a domain join with, when you're doing your job but they're not doing theirs. So you're going to fall victim through, you know, something that's permeable, and you're able to get compromised from someone else, right?

So state-sponsored, why do I bring this up? Patrick mentioned it through Conti, right? But we're seeing this in the wild today. State-sponsored is usually going to be some sort of group or hacking, we call them adversaries, that are going to be partially or entirely funded by the country itself. And they're going to have really established a place where they need that information, but they don't need it quickly. China is famous for getting to places and staying in there for months. Super disciplined, low and steady, not raising any flags, but getting to where they need to go, and it'll take a long time before you actually know they're there if you're not putting the right policies and the right solutions in place. That's the main difference. Monetization usually is going to be quicker. They're going to go in, they're going to make a loud bang. They're going to compromise you, or they're going to say, "I want this amount of bitcoins to, you know, give you the decryption key." But the nation state, in a lot of cases, is going to go at a lot more steady, slower pace, but they're going to be in your environment for a long time. And that's, even I think for us at least, it's just scarier. We don't want them in there. We don't want them to stay there for a long period of time. We want to make sure we're able to see where they are, what they're doing.

So again, going back to my code execution and identity access, the middle part is the impact, right? For the state-sponsored, the people that are state-sponsored, the hacking groups that are state-sponsored, when they're in there and they have access to a single system, it's almost all the time where they actually won't raise any trigger until they reach a critical infrastructure server, something that's going to be important to you. And that's where, that lateral movement piece, that's where we need to be able to see it. So that's usually not going to be, you know, a big organization is going to have a lot of those servers, but it's usually not going to be as hard to do as monitoring at the same level of scrutiny all the systems, right? So if you have an organization of 5,000 employees, you might have 300 servers. So I think it should be easier to look at usage of privileged access on those 300 servers than looking at privileged access on all the machines all the time, if that makes any sense.

So you have basic policies on the EDR side, on the Xg side, and you're going to protect those machines from code execution. But when you're talking about lateral movement and where the bad people are trying to go, you want to be able to protect that lateral movement. So whether it be an RDP connection, SMB access, or just, you know, launching a SQL debugging tool, right, you need to be able to see that the account doing this is the right account. We're still seeing today service accounts that have interactive login, which makes no sense to me, but, you know, still the case today. We're still seeing accounts today that can actually trigger applications on systems that they're not even supposed to have access to. So nothing worse than a SQL or Oracle admin coming to see a security guy saying, "Hey, I need domain admin credentials." Why? Well, it's a SQL server. It's my server. You need to give me domain admin credentials. Why? Because I need it. And if you don't give it to me, I'll go to your boss, right? That never happens, right? So giving too much permission too fast is still a thing, right? And we need to push back. I know it's hard. I know you have the hardest job when you need to do that, but we need to do it: least privilege access, and monitor those critical infrastructure servers for those privileged access uses.

Another good one that I wanted to bring up, and this is something that was observed in the wild pretty recently.
It was, you know, I'm not going to name the hacking group, but it's a very well-known hacking group, where they were able to convince the organization in an Eastern European country to divulge their credentials through a valid Office portal, right? Does it reach your antivirus and EDR solution? No, it doesn't. It's a public portal. That person just got lured into entering their credentials. They thought it was going through a real Office 365 portal. Guess what? They were not. So without even reaching the front door, that hacker has valid credentials. That person, we got, I guess, sort of lucky with that person. Can you actually see anything here, or is it too small? It's pretty good. Okay. I can't see anything here. That person was actually able to get into the system and then run a DCSync on the system itself. He was stopped. You know, we got lucky, and that person was stopped. But it was not only an execution issue, it was also an identity issue, where they were trying to run some tools to actually compromise the domain controllers.

Right now I want to talk about noPac. So anybody here had to deal with noPac in November last year? Nobody. I guess you all got lucky and you patched as soon as Microsoft said you needed to patch. So noPac was released in November last year, right? And if you haven't, I guess my counterpoint to this is, if you haven't looked at the CVEs yet, maybe you should look, because if it's not patched you are definitely in a high-risk situation right now. noPac was basically a, and why was this actually critical? When noPac was released, it was a responsible disclosure, right? So the researcher group and the people that actually built the tool disclosed it to Microsoft, but the turnaround time for Microsoft to actually do something, build a patch, was super short. I can't remember, but we're talking days. We're not talking months. Usually security researchers, good people, actually find holes in vermilies and actually solutions. When they do responsible disclosure, they'll give companies an ultimatum, right? They'll say you've got 30 days to do it and then they release. They won't wait for you, but at least they give you time. In a lot of cases, though, I guess the gray hat, they'll give you a really shorter period of time, right? One day, two days, 48 hours, not more than that. And that's where the companies need to turn around faster and release those patches.

So for noPac, basically, from initial access to actually getting the compromise was super quick. We're talking seconds. So the way it worked, at a high level, was there was a vuln in the sAMAccountName and a domain controller impersonation, where a hacker built a tool to say I'm able to create a computer account, and then I'm going to rename that computer account to the name of my domain controller and just remove the trailing dollar sign, right? So the account itself, and then what happens is he's able to actually reach out to the Kerberos TGT and get a ticket as a domain controller, and that's all with just limited domain user accounts. He's not a system admin yet. And then he actually renamed his machine to his regular name, right, because he needs an account, a computer name that has the right information with the dollar sign at the end to be able to communicate with the domain. But now he has a TGT, what we call a golden ticket. And he's running another tool and saying it's not my computer name, it's a DC name. And now he's able to obfuscate and be a domain controller. Two tools. They were weaponized super quick, and people were able actually to use it in a matter of seconds. That's pretty impactful. That's super high risk. Microsoft did release patches, but we don't know how much time actually between the time that the patches were released, actually, between the time of the disclosure to Microsoft, how long it was for the weaponization itself, the tools. I think his name was Charlie Clark, something like that, Charlie something. The tool was released super quick after the patches. That's the dangerous part, because then you've got people all over saying, "Hey, let me try this." And you use it in Kali, it works like this. I'm not an expert by any means, right? It's been at least 10 years since I've done really some really, really good pen testing. I was able to use the tool. So even if a manager is able to use the tools, a lot of script kiddies are able to use the tool, right? And that's the danger. People that don't know what they're doing can actually cause more harm, because they don't know what's going on and they don't know what they're doing.

So what should have been done? What approach have we taken instead? So when the name change happened, it's not normal. We can actually look for it. There was a guy from Splunk that released a really good Splunk query, that if you have Splunk, a really good query to say, look at all my events through all my environments to see if I have an account name change and if that account name change has removed a dollar sign. Should never happen, right? When you're doing this in one step, and then if you do this, then you're able to report it to the EDR tool and the EDR tool is able to alert you. And that's the goal: we want to see that change, that suspicious behavior. On its own it might be okay. I don't see a valid reason why, but there might be a reason, you know, a blue team exercise, tabletop, somebody actually doing this for the right reason. There might be a reason, but, you know, in 99% of the cases there shouldn't be a reason to do this. We need to be able to catch it. You need the tools to be able to see that suspicious behavior and block it. Does that make sense?

And then the famous Log4j. Maybe I didn't see any hands raised for noPac, but have you guys had to deal with Log4j? Oh, thank you. I was kind of starting to sweat a bit. Log4j was another one, right? They were dropping a shell on a system. They could stay there for a while, right? They were not getting detected, and it took a while for people to actually see, you know, am I affected? Do I even know all the Log4j places, all the middleware I have that potentially have that vulnerable system? They don't know. They didn't have any tools to actually even investigate. They didn't have any tools to look at all the components within their environment and say, I might have something, I don't know, it might be, I can't reach it. So the bad people that were leveraging Log4j, and, you know, the host burst fiasco and all that, they were able to get in there and stay in there for a long time before being detected. So if we're talking, you know, command and control, the first part, you know, we're talking about the average that we saw, that the customers that were working with us and we were helping out, it was about a day. It was about 24 hours. But between the time they actually dropped the shell and were able to exploit that code, do that lateral movement and get compromised, it's still seconds, right? So that's pretty quick. And that's why we want to be able to block it.

So where do we block it? Well, we would have blocked it, you know, at the middle, right? When the adversary uses those credentials. So it was a system account, using system privileged accounts, doing something they're not supposed to do. It's not easy to actually detect, but you have to be able to detect it. It's an application on a system that's doing something it's not supposed to do with accounts it's not supposed to be doing that with. We need to be able to detect that. And that's, again, the next level. Are the identities being used that are valid doing what they're supposed to do? Are they doing something that's suspicious, or at least needs further investigation? We need to be able to block that. And if you would have something that would actually be looking at identities, they would have been able to block that RDP connection, I guess, to the domain controller or whatever that critical infrastructure server was.
I've got a couple more. Those are actually super recent. So, at CrowdStrike, we name the bad actors, the threat actors that we actually track. And I guess I want to open a small parenthesis. We received, I guess, a lot of Twitter heat at Black Hat and at DEF CON this summer, because people were saying that we idolize them. That's not the case at all. We want to name them because we want our customers to understand who they are. It's a lot easier for a customer to understand, okay, I've got an adversary group, a hacking group that's coming from Russia and that's targeting healthcare, than if I say to him, well, he's using 2478 and they're targeting, you know, x amount of systems. When we put a face to the bad guy, it helps. It helps our customers. That's the whole point of why we do adversaries, the whole point of why we name them. And if you want to look at it, it's free. We've got it on our site. It's called adversary.crowdstrike.com. You can look at it. You don't have to agree. And, you know, I'm super open to comments if it looks bad, but the whole goal is to be able to name those people, show our customers where they're coming from and who they're targeting. Right? So we've got good graphic artists. Personally, I'm a nerd. I like it. You know, some people don't, but it's cool to see. And, you know, you see a bear, you see it's Russia. You see a panda, you know it's China. It's easy to remember. You see a, well, a lot of people don't know this, but you see a Chollima. A Chollima is actually the fictive animal from Korea, right? It's sort of like a unicorn that has, I don't know, some sort of stuff. It's weird, but anyway, it's supposed to make sense, right?

So for this group, for this hacking group, right, the group is actually called Gothic Panda. I had to anonymize it, but the group itself is called Gothic Panda. And over the last couple of months we've seen them actually going after targeted attacks in environments where they're going to run living-off-the-land tools and look at credentials, right? I gave you a couple of examples actually. This is our OverWatch team. This is live stuff. This is a customer that we work with and that we help, that said, hey, some were using regular tools, but you see here there's a couple that were run, I can't even see myself what's written there, but basically there was some ProcDump. ProcDump is a Sysinternals tool, so they were able to add credentials there, or even just trying to save LSASS itself offline and then trying to do some brute-force hacking. This is happening now. This is not something that's from two years ago. We see this more and more, right? And this is against customers that are in North America, right? I'm not going to say the customers, but it's close to us, is what I want to say, right? So these bad people that were targeting more Eastern Europe are now really targeting, the nation states are targeting North America, and we want to be able to stop them, because they're focused 80% plus on identity.

The other one was, so the spiders for us are e-crime. So people that go after it for money, right? So ransomware, or obfuscation of getting some sort of dollars for it, right? And the examples I show here, which I can't even read myself, but I think it's like a few dumps from LSASS memory and trying to get to it. And then, oh, I can see it here. There you go. The second one was a PowerShell. They're actually using a debugging tool. So SQLDumper is installed with the SQL diagnostic suite from Microsoft. It's free, so a lot of SQL developers actually use this and they put it on systems, and in some cases, which they should never do, they will actually use and install those debugging tools on a SQL server itself. Right? If you see this, or if you have done this in the past, shame on you. Don't tell me. I don't want to know. But, you know, don't let debugging tools be installed on production systems, right? They're there for a reason. And they should be remotely accessed securely, in the right manner. But these tools were used on a SQL server, and they were able to go a bit too far, a bit further than expected. So, I guess, sort of wrapping up the use cases.
I want us to keep in mind we're talking about validating identities, and what you need to think about, right? Of course, everybody's going to say it: you need to secure Active Directory. Yeah, it's easy to say, not easy to do if it's been there for more than a year, I guess, right? But we still need to do it. If you're working with an outside firm, if you've never done it, get some tabletop exercises going, right? I think you have a couple of companies here that can do it. You can work with us as well. Get some tabletop. Do some red team, blue team exercises. Start with the easy stuff. If you've never done it and you don't want to fall off your chair, you know, start with more of a collaboration approach, where the company's going to come in and work with you and maybe show you ways where you can protect yourself. But if you think you're ready, go for the big one. Go for the red team exercise. It's an eye-opener, right? And we work with a lot of banks, and they do this every quarter. Kudos to them, right? And I understand it's something that's going to cost money. It's not easy to do. So I'm not asking you to do it every quarter, but doing those exercises will raise your security awareness and will give you a better approach to equip yourself to stop the bad guys from doing it, right?

Cyber insurance: we're starting to see cyber insurers ask for this when you actually sign up with them. I think we're sort of lucky in Canada that it's not required everywhere, but if you're working with a cyber insurance firm in the US, they're actually starting to put it on the paper itself. You need to do a pentest every half year. You need to show me the results. You need to do an audit every quarter. You need to show me the results when you sign up with them. So maybe it hasn't reached us yet, but it's coming. And I see this as being even more important in 2023.

Legacy systems. Of course they're still around. I guess they're a really huge weak point. We want to be able to protect them. You know, if you're still running Windows 98, please, please get rid of it. You know, even, and we saw it with the Ireland hack, right, a lot of Windows 7 systems still around. You know, that's a system that's over 15 years old, right? So, you know, it's time to move on. It's hard. It's hard, especially if it's actually, like Patrick was saying, applications that are dedicated to imaging in the medical environment; the manufacturer needs to certify it on a new platform, which takes years, right? So, you know, I'm working with a company right now that has a Kadia system, and they're on Windows 7, and they're swearing that it can't be migrated, and then we find out from another customer in the US, well, they migrated three months ago and they got certification for it, right? So sometimes you've got to push back on the vendor, right? I'm not saying that's the case all the time, but I would, you know, friendly, the Canadian way, friendly challenge the vendor to say, can we migrate that machine? And if not, why not? And have you had any success, or have you had any customers somewhere else that actually did it, right? We've got to accelerate that, because it's hurting us pretty bad.

If you're not using MFA today, I definitely strongly recommend setting up MFA solutions. You know, again, when you're talking about managing identities and zero trust, it's always looking at what you have access to. And then I challenge you. I don't necessarily block you from being able to access that resource, because I don't want to stop your work, but I want to challenge you. Again, I'm going to pick on Patrick, right? If Patrick is working 9 to 5 during the week, there's no reason for him to be in an Exchange server on the weekend after midnight. There's no reason for that. So if it's a crisis and he's an Exchange admin, I won't block him, because I'm going to have to wake up and pick up the phone myself, but I want to challenge him. That's where MFA comes in. We need to have systems in place, if you have MFA already, that you can look at and say, "Okay, these critical infrastructure servers, when somebody's doing something they're not supposed to do, whatever that policy is, you need to be able to challenge it." You can block it if you want, but if you don't want to stop work because it's a valid purpose, at least challenge it. That's where MFA comes in. And if you haven't educated yourself on golden tickets and pass-the-hash, please do. This is something that's actually going to be increasing over the next months. We see it. We see it as a big risk. And if you can't look at your AD, if you're not sure what to look at, you know, come see us. Come see any of the other vendors on the other side. We need to be better protected for this.

I'll leave you with this. You know, this comes from Gartner: modern attacks require continuous validation of identities, right? See the path, get some real-time response, and have some risk base to be able to manage that. And I think I caught you a couple of minutes back, but I've got time for a few more questions. Any questions out there? Wow, should I have done this in French instead?
That's a great question, and if we think that Mac is not a target, that's absolutely false. We see more and more attacks actually being done on the Mac side, because Apple has the same issues that Windows has. There's a lot of Catalina still out there, unpatched, that has been there for a while, that Apple hasn't supported for over a year, and it's still out there and it is a target. We see it. We actually had to intervene with one of our big customers in the province, not here in Ontario, recently, about a Mac attack, because in a lot of cases it's higher exec people, or directors and above, that want that nice little shiny toy and they're using it. Well, guess what? They're not patching it, right? And it will actually block some of those policies. So, yes, we see it. And if you think that Mac is not a threat or a target, you are 100% wrong. And same thing for Linux. Even worse for Linux, I guess, because of all the kernel versions and all that. Good question. Thank you. And see, Patrick gave you a pair of socks. They're cool socks. Any other questions?
What about
I guess what I'd like to suggest, and I'm not being paid by... Okay, sorry. The question was: what if you have legacy systems, and the company that actually built a system for you, that's purpose-built for a specific application, is bankrupt, defunct, and no longer exists? What do you do? Do you just bite the bullet? I would have to say, before you do that, I would look at, and I'm not being paid by VMware or Citrix, but I would look at virtualizing that machine and filtering traffic in and out and putting it into a secure data center. That's what I've been working on with customers in the past, before I joined CrowdStrike. It's like, if you're stuck, you've got to keep it. Find a different way to actually make this available. You know, you can even put it into a dirty network, or, sorry, a separate network, and then you have a jump box to access that machine. So you mitigate your risk. You find a way to leave that machine available to your environment, but in a much more secure manner. Don't just leave it on the desk of your secretary or next to a copier machine, right? That's the wrong thing to do. So find a different approach to it. Good question. Thank you. Got time for one more? Yes, sir.

Some MFA solutions seem to only check the MFA when you're registering a new device, logging in, and then it's trusted, maybe for 30 days or maybe forever. Is that a bad idea? Should that be avoided in favor of, you know, daily or more often checking?

So we went the other route: every single authentication you do should be challenged, right? Yes, 100% correct. Like, if you're talking about application portals like Okta, or even VMware, VMware has Workspace ONE, you know, it'll be identification and then you're going to have a session cookie for your browser; it'll be good for x amount of minutes. I would say, if you're able to look at the next-level solutions where you are actually challenging at every single authentication, that's how you eliminate the risk completely. That's where we're trying to go. There might be some in-between solutions, but getting a ticket, sorry, getting an authorization for a device for a window, it's how you manage your risk, for how long that window is. Yeah, good question. Thank you. I think that's it for me. Yeah. Awesome. Thank you very much. You've been a great audience.