BsidesLV 2024 - Proving Ground - Wednesday
Show transcript [en]
[Music]
[Music] [Music] I'm just try to this have to I'm just TR to give you [Music] something I'm just TR to give you something do for you I'm just trying to give you something [Music] o [Music]
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause]
[Music]
[Music]
[Music]
[Music]
a [Music] oh [Music]
w
[Music]
[Music] n [Music] [Music]
[Music]
[Music]
[Music]
the [Music] [Music] [Music] a
[Music]
[Music]
[Music] a
[Music] o [Music] [Music]
[Music] [Applause] he [Music] [Applause] [Music] [Applause] [Music] he a [Music]
[Music]
[Music]
[Music]
[Music] TR [Music] TR
[Music] hey hey hey [Applause] [Music]
hey hey hey he he [Applause] [Music] [Music]
he [Music]
[Music]
[Music] he [Music] [Applause] [Music]
[Music] [Applause] [Music] he [Music] [Music]
[Music] [Applause] [Music] oh [Music]
[Music]
oh
[Music] h [Music]
[Music] [Applause] [Music] [Applause] [Music] yeah a [Music] [Applause] [Music] I'm just I'm just trying to give you [Music] something I'm just trying to give you something I'm just TR to you something [Music] oh [Music] [Applause] [Music] [Music]
[Music] [Music] I'm just I do you I'm just try to give you [Music] something I'm just trying to give you something I do I'm just trying to give you something [Music] m [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
a [Music]
[Music] [Applause]
oh [Music]
[Music] [Music]
oh
[Music] you are in the uh proven ground track if you us the wrong track just want to make sure you're in the right place the title of today's talk right now this morning is CVSs V4 a better version of an imperfect solution we have Mario here a uh a few reminders please do make sure that your phones are either silent or completely turned off for the duration of today's talk out of respect for the speaker as well as those that are joining us live uh on YouTube this is being live stream and will be recorded for later viewing we want to especially thank our Diamond sponsors prism cloud and vanta as well as some of our gold
sponsors Adobe Drop Zone Ai and semrep it is their assistance along with all of our owners other sponsors and volunteers that make this event truly possible so without further Ado Mario please take it
away morning everyone um look at this ball let's say this single ball is a vulnerability and you can focus all your attention on that on that ball and our systems will always be vulnerable so maybe a vulnerability alone it's not really the end of the world and let's say now that you have a lot of vulnerabilities all mixed up and a rubber duck doing God knows what in there then you start to have a problem as Security Professionals our goal is to make sure that we will try to mitigate as many vulnerabilities as possible or put as many security controls in place to try to avoid exploit exploitation so you can start finding some order trying to give some order to
those vulnerabilities maybe you will group them into severities and that's how you come up with CVSs CVSs stands for common vulnerability scoring system and it's defined as a vendor agnostic industry open standard uh by the book it's owned and managed by first uh us Bas nonprofit organization that started originally with the mission to help security incident response teams across the world uh then it has been adopted by Mitra from the beginning uh who runs the CV program and to associate as well with CVS as the scoring standard soon became adopted by everyone as well number one scoring standard the idea is that it will convey characteristics and severity of software vulnerabil abilities very important keep these two terms in
mind so really quick about me I'm from Portugal uh I'm curious I guess I have to be in this line of work I consider myself a cyber security Enthusiast uh for around 10 years I've been working for nearly 10 uh four years at check marks as an application security analyst doing research as well and I've been practicing cab Maga for all almost 14 years and I love to read I love to write I love to travel uh so enough about me now let's go to what matters and we we're here to talk today about the latest version of CVSs and how it's still not it's better but it's still not a perfect solution so why version 4 first of all
there wasn't enough granularity before to provide precise severity scores um you could have two distinct vulnerabilities that would end up in the end with the same score uh which wasn't really good if you want to distinguish them and be able to prioritize somehow then options themselves are limited uh for instance you can Define in version 3.1 uh granularity uh you can Define some I mean uh what did I'm user interaction sorry sorry I was trying to remember the parameter can Define user interaction and uh you can say whether it's required or not but you couldn't really say whether it was a paive or an active type of interaction for instance and parameters still and what they were
supposed to describe the characteristics they wanted to bring about the vulnerabilities still was a bit blurry in some cases for instance I know what the tyack complexity means but do I really know what it means uh and why not why not try to improve the previous version if it's not that good so we came up with this new version of CVSs it's now running everyone is starting to adopt it adopt it gradually and these were the main changes in terms of groups uh the score is divided by groups the main group that everyone uses is the base metrix group but then you have temporal metrix that is now called threat metrix with a few changes then supplemental metrix as an
entirely entirely new group and in terms of uh changes in a base metric group there's a new parameter attack requirements and the scope was removed but it was just uh in reality moved to the impact part to be divided into vulnerable and subsequent system uh you can now Define the confidentiality integrity and availability parameters in terms of these two different systems and then you got uh the exploit maturity the only parameter being defined in threat metric group to Define how is a vulnerability currently being exploited in the wild and then we got the environmental metrics group that allows the consumer to modify the metrix according to his specific uh environment then supplemental metrics to provide still some extrinsic
characteristics uh of the vulnerability and allowing us to cover other sectors that might not be properly covered with the other parameters so really quick uh looking at an example uh you can see that is for this vulnerability it was taken from the official documentation but a a bit modified for the sake of this exercise and we're talking about a a juniper router that has the an our protocol enabled and an attacker could poison the cach and put there a spoof IP entry and it would cause a denial of service to the user of that IP eventually and then he can also redirect traffic to themselves cause some sort of man in the middle and we know that Dynamic RP
inspection is enabled by default so looking at this example I wanted to ask for your input on this you can see here the the vector for version 3.1 with some elements highlighted and what do you think would be the final score in here if you were to guess can say just some rough number from 1 to 10 seven S8
okay you're just trying to say different right because you you got it right you're good um yeah this is the final score that would result from this vector and now let's look at bit at it in a different perspective to in terms of version four so well the attack factor is still the same adjacent because of the protocol we're talking about ARP in an adjacent Network and then we also have a tech complexity as high but this is actually one of the big differences because before you would still have attack complexity but as I said ATT teack complexity is one of the cases where you really don't know what it means it could mean a lot of things and
mean nothing at all so it was quite shitty to tell the truth and now you can probably make it a bit less shitty and and so you can say that that complexity is specifically about having uh active measures active protective measures in the system that will somehow delay or slow down the attacker and the attacker will have to circumvent those measures in order to achieve successful exploitation so now we know that the T complexity means specifically that and other stuff that you can mean by attack complexity are actually part of the attack requirements now and that's how you get supposedly more precise um characterization now and that will count a bit to should count a bit
lower the score because I attack complexity but then also really really important is that now you can define whether the vulnerable or subsequent system is being impacted and we now know that in terms of vulnerable System since we're just creating SPO IP entry in the art protocol we have a low impact on the on the um sorry conf Integrity on the Integrity you can see there the the and the vulnerable Integrity metric we have a low impact but then you can Define more precisely that you have a high impact on the confidentiality of the subsequent system because the attacker can read the traffic from the user and then also in terms of availability because it can
cause a denial of service so also a high impact on the availability so if you were to guess now what would you say it's the resulting
score seven again six
okay nine so we think it's more less the same or worse or maybe lower well it's lower and I'm not here to argue if it's correct or not you would have actually to compare between other vulnerabilities other different vectors but well it is what it is right away you don't know but you can argue that it's probably a bit too low regarding the actual impact they're causing or to the users or not or maybe version 3.1 was a bit too high well it was just for you to understand uh some of the main differences and so in general in a nutshell what CVSs wanted to bring was first of all reinforce and they emphasize it a lot if you read the
documentation that CVSs is not just a base score you should use all the other metric groups also finer granularity by adding new elements you should now have more variations of scores uh then the in Impact metrics as we've seen with the vulnerable and subsequent system and they wanted to promote accessible information making it more transparent uh being able to tell a better story overall more clarity and is of use of the vector and this is awesome right well not really let's not rush and let's talk really quick about open source first and very important element we all know it's philosophical it's philanthropic magical everyone is using open source according to the census 2 study 70 to 90% of modern soft where
Solutions are using free open source and we can do a quick test here looking at an npm package called Gatsby a popular one for building websites and you can see all these dependencies popping up direct or transitive this would be the final result of all the dependencies you get in this single package which is quite a lot and it would be of course naive to think that at least Le you don't have one vulnerability you don't control all these dependencies but yeah one vulnerability is say to to few you have hundreds if not thousands of vulnerabilities in all these dependencies so is CVSs a solution or even now version four for this well back to the colors you can group it by
severity as I've shown you but you can still tell whether the system that is is being impacted is really exploitable under its conditions how the exploitability in Practical terms if the measures that are in place in your system are really going to be circumvented in this vulnerability if you can do something with it there are a lot of factors that you need to consider besides severity but well if it's CVSs we're talking about severity so this of leads us to the idea of risk vulnerability management and these terms are used interchangeably a lot of times risk or vulnerability management and even CVSs for risk and vulnerability management this is of course wrong and it's one of the first problems one of
the main problems of misunderstanding the the purpose of CVSs and of course one thing is very another is the risk of exploitation for an instance and that you could even incorporate into vulnerability management but again all different terms and to explain the next points to make it clear I will need to use a lot of memes so sorry about that if you don't like memes um but it's better to prove my point so first of all of course is misunderstanding the purpose of CVSs um well you can run it other way but if you want to get the most out of it you need to again understand that CVSs is about severity then relying only on CVSs for
risk and vulnerability management again CVSs is just for severity and even worse is if you're relying only on the base group alone this is something you don't want to be doing and in practice is much harder than in theory uh because vulnerabilities are often complex as you know there are a lot of nuances uh this is some some limitation uh and the score in version four is supposedly more precise and customizable but that doesn't mean that it's necessarily more easy to use also I make many vulnerabilities we're talking about because the more vulnerabilities you have the more difficult it will be to try to have a good score and um well also with all this
customization all these other parameters and all it might have introduced more subjectivity and that can also not be not that good also limited information this is a big problem if you don't have enough information you don't really have the context about about the vulnerabilities you can't really know how to properly come up with a score you need the information and okay this is obvious sorry about that but well it should be said still H because it doesn't happen in reality and what about OSS libraries that's another problem we have uh because associated with the lack of information and context we even have lack of context or we can't really implement it when we're attributing a specific score to OSS
libraries we will have to resort to the information we have because it will still depend on specific implementations of that library of course and then that takes us a lot of times to score over inflation because if you have that information you're limited to it you are limited to using a a general scenario so you need to use the worst case scenario that's actually part of The Official Guidelines you need to have a worst case scenario but this is also often misinterpreted because worst case doesn't mean you also need to have the worst case for the impact metrix you should use only the most reasonable outcome according to the information you have and you I can give you a really
easy example for instance you have some vulnerability which is having passwords that exposed in clear text and you can eventually use those passwords you found there is some command line you can use with those credentials to you log in in there then you have remote code execution but the impact is not remote code execution because the vulnerability itself it's only limited to the to the clear text credentials so that would be the impact and not remote code execution and also you get that a lot from bug Bounty Huns vulnerability reporters they will overinflate the score on purpose uh that's the the meme you have there uh it's usually for financial uh or reputational rewards because over
inflating the score will make the vulnerability look more critical uh but if you do it on an.com for instance you will get a penalty for miscalculating the CVSs in your in your reputation and uh of course manual can be a hassle but automated doesn't always work you should uh you should use both uh you really need to use both actually because as consumers you can use Automation in environmental metrics and in threat metrics using threat intelligence sources but you as providers of the score you still need to provide the base car in a manual matter to do it properly and also if eventually you want to supply with supplemental Matrix as well and then we have like a classical
problem of Time Versus quality of course you can waste a lot of time making the score perfect for a vulnerability but can you really do it if you have 300 vulnerabilities for instance of course eventually Somewhere in Time quality will be sacrificed then of course willingness to do things properly um because we have consumers we have providers all having to we have to rely on both of them and then it requires focus it requires Direction it requires learning obviously to properly use the the score so it's not easy and you do have to rely on both provider and consumer and this is a problem alone because you need to EXP expect that both of them will properly
use the the score also another problem another problem is the neglect fatigue and discouragement in the open source uh generally you find a lot that software maintainers won't really care about vulnerabilities they don't really care about um wasting time with vulnerabilities because there's still the idea that it's a waste of time they want to focus on on coding and improving in their their projects so uh how can we try to tackle some of these challenges some underlined of course because we can't solve everything we can really um make this perfect but we can try to get the the best out of version four and again never too much to stress this out severity as many times as you can have it CVSs is a
tool not a entire solution you can use it for risk management but you can use it for risk management it's not risk management again uh there it's still not enough to tackle the the question of of risk management so again uh and you should be using uh fully CVSs capabilities as obvious the base core should be used properly as I said earlier uh we're case scenario based on the information but not always uh but then you shouldn't forget the other elements you have a threat metrics group for uh knowing whether there's current exploitation activity in the wild it's very important environmental if you really want to classify it in terms of particulars consumers environment and supplemental even for
additional characteristics when it makes sense uh so well uh whoever is supplying information about the vulnerabilities advisories they should provide as much information of course this is obvious because without context as we've seen you can't really build a reliable score and even open source advisories in the end are relying on CVSs it's the the main used standard for classifying sever well we need manual work automated work not everything can be automated as we've seen but you can use automation whenever possible uh so this is also an important guideline providers will be able to provide with a base matric and the supplemental metrics consumers will be able to automate the part of the threat metrix and the environmental metric and
one way to do it is with Asset Management database this is actually a great recommendation for automation you can have an asset class being defined then all the confidentiality integrity and availability requirements how it impacts that specific asset in terms of these elements and then the exposure meaning if it's internally or Internet facing also really important for that um and of course read the [ __ ] Source because well if you don't uh read a source you won't know how to properly used the vector it has a lot of great specifications like confidentiality and integrity versus availability and other important stuff that it will explain more in depth and contains almost everything you need to know about it of
course and what's next then well providers and consumers need to cooperate of course because as we've seen both are needed more transparency more transparency of information uh well software maintainers product owners uh product vendors vulnerability reporters everyone B bount Hunters should disclose as as many details about the vulnerabilities as possible there's a really good step towards it Mitra is now encouraging that CNAs will Pro provide as much details as possible including CVSs because in the past they would just left it for they would leave it for Downstream mentors like nvd just leave it empty nvd would fill in the CVSs but that doesn't make sense of course because CNAs are responsible for reporting the vulnerabilities creating
the advisories so they should be the ones filling the CVSs they have the most details so this should make in the future the available CVSs scores much better associated with the CVS then there's the CVSs extensions framework which is uh also a very important uh thing to consider defined as a some methods some formal methods that will allow it to that are defined in the documentation and will allow it to extend the framework between the um above the the core metrics group and allow it to even classify other sectors and of course collaborating with open source communities very important whenever possible and if you're interested for instance you can you can and everyone is allowed of course to be
part of the CVSs special interest group from first where they are constantly contributing to the Improvement of CVSs and so that's it I want to invite everyone for to talk with me after the questions in case you are interested to discuss CVSs I will be glad to do it and I want to thank everyone for being present thanking the organization as well and for the opportunity to talk here today thank you
[Music] n [Music] n [Music]
[Music] [Music] right now is a gen Z critique on sock 2 presented by Carissa Kim here just as a reminder please make sure your phones are completely off or silenced for the duration of the talk out of respect for the speaker as well as those joining us live this talk is being recorded and being live streamed simultaneously at the moment um if you do have any questions towards the end if we do have time I will have a uh we don't have any working microphones unfortunately that doesn't have cross fad so uh just ask that you uh raise your hand and do ask it loudly um and and we'll I'm sure you'll be able to you know repeat the
question and we'll be able to go from there but without further Ado here's Carissa thank [Applause] you hi everyone I'm Karissa and this is a genz critique on sock 2 so to start off with I interviewed 50 software engineers and Tech Executives to get the lowdown on governance risk and compliance GRC specifically on sock 2 the liance framework that everyone loves to hate but can't ignore and so here's how the interview went down I asked three questions the first being what is sock 2 in your own words and are there any brave souls that would like to share their take on what sock 2 is yes anation that is presenting the company's um ID are secur um some
somewhat right but you are the only person who answered this question amongst the 20 30 people here yes it's a way to prove that you're a large compy that you can AFF to give money to I think it's so funny that you mentioned that um but anyways this is some response I got but before I like go any further I'm going to Spill the te on the survey and spilling the tea is just like giving you gossip and jenz slaying um here are some people who answered someone said a nightmare of compliance that feels more sorcery than anything else NGL I have no idea other than it's something that smaller companies often can't afford a big pain
in the butt or maybe a distraction from making redacted secure and I honestly have no idea although I came across it while setting up some DB related monitors so there's an overall theme I think most people think it's like busy work and they don't have a clue with what sock you really is and now I have another question for you guys how many of you guys actually read your company's policies with a show of hands okay so for the people who didn't raise your hands like you guys can lowkey get fired but um it's okay I'm not a big mouth but I'm going to give you guys more tea and regarding this oh no no no
okay so there was chart but 33.3% of the people I surveyed just sign off without a Second Glance another 33.3% they just scmed through it um and another 10% they don't even read it at all and then 10% they actually read through the policies which is a really low number and the other 133% I think they were just like vibing with the survey honestly so what is the key takeaway here software Engineers are allergic to Sock 2 and most people are not oblivious to Sock 2 unless they're higher up in their career ladders like cesos but since not a lot of people know what stock 2 is is this a good or a bad thing and this is what we'll dive into
in this talk so hi everyone today I'll be dropping a jenzy critique on sock 2 and who is z um me and probably most recent batch of hires at the company you're at and before I go any further I just want to quickly introduce myself um I'm Carissa I've actually became interested in cyber security since high school when I competed in different ctfs and security competitions I then went on to Berkeley and started immediately at samre as a security TPM and during my time there I actually got a lot of hands-on experience with stock 2 and gdpr compliance and then just like a fun fact I'm a content creator for fun okay so this is our agenda we'll
dive into what so to is what the implementation entails um I'll also break down the entire process for all of you guys and then we'll hit some of the benefits and my critiques on sock 2 and the closing statement and so forth also quick disclaimer are there any Auditors here group and user oh I don't want to offend anyone I I'll just want to keep it very fun and informative I'll be using jenz sling throughout with translations on the bottom so yeah get started so sock two is SAR boring I don't know if you guys know but SAR is the new so for jenzi but you need to have it with the Australian accent um so it might seem boring at a
first glance but it's essentially a framework for auditing and Reporting on controls related to the five trust service criteria which is security availability processing Integrity confidentiality and privacy these criteria form a framework for organizations to demonstrate their commitment to maintaining a secure environment and the aicpa crafted it crafted sock 2 in the early 2000s as a response to the need for standardized data protection thank you uh so I I um I love this talk and I love how uh you talked about AWS gcp um oh sorry oh sorry sorry I thought someone was asking a question my bad um anyways these criteria form the backbone of sock 2 and so it's the gold standard for compliance trying to
certify their security efforts in America and if you're doing sales Cloud flare I consider that a cloud environment and that's something I actively worry about access um working one I would ask what are the tools that you would point me to to start doing this kind of analysis in those kinds of environments and uh two how would you kind of um hypothetically even if there isn't a tool oh please oh okay sorry sorry about that no no no no no no worries um that was stress test two but anyways if you're doing B2B sales or selling to large Enterprises in America your customers are going to be asking you about your stock to certifications so now let's talk about
controls so controls are basically your com company's defense Playbook they're like policies procedures and practices to set up set up to mitigate risks and protect your company's interests so you can think of them as the backbone of any robust security and compliance program they'll they'll set the guidelines of what's okay and what's not okay so some examples like policies like access management vendor management risk mitigation work they all form together to protect everything from Digital Data to your personal physical space and there will be regular reviews to ensure that these rules stay current and effective um other examples of stock 2 controls can also include like two Factor authentication to protect sensitive data encryption protocols for
data at rest and in transit and detailed incident response plans so now there are different types of sock 2 reports there's a sock 2 type 1 and a sock 2 type two and the major difference is just the monitoring period type one is like a snapshot while type two is when you're being monitored over a period of time and I have a cheat hack that I really am very excited to share with you guys but I'll share that later towards the end but at the end of the day sock 2 type 2 is more well regarded it's more comprehensive and it shows the reliability of your systems and controls so I will be I will be mostly referring
to Sock 2 type 2 from here on out also many opt for type one due to a faster turnaround but type one only confirms the right controls and written policies without testing if the controls actually work because they don't really ask for evidence and another thing to know is that you actually don't need to get a type one before you get a type two you can also just get a type two audit right away so sorry I'm going to just quickly connect um I don't know why my Hotpot is not working and I really need to show you guys this picture sorry you're doing great technology
I know I mean I've long been in the opinion Compu were a horrible IDE
okay if this picture if I can't connect to my hotspot just imagine that there's a picture for me yeah got oh yes yes yes I I'm still connecting to this wi-fi really quickly
sorry I I have been but it hasn't been connecting okay I think I'm barely I have 14 minutes left okay I think I should
yeah that's why I don't know why my hot yeah I think there should be like a present button soon but it's just no it's it's not loading okay okay I just don't know why it's not presenting I've never used it's okay it's okay it's
okay no that's fine
I don't know why my hot spot's not popping
up okay it's okay I'll just no no no no it's okay it's okay that's oh shoot
do you think I could by any chance is this
you sorry guys just one minute
okay okay okay okay and then then where's the present but okay perfect thank you thank you thank you
okay I'm just toay right thank you thank you okay so this is what the sock 2 timeline should look like within the first 3 months is like a pre-audit preparation so this is where you prepare a list of controls and ensure that you're doing everything that you claim to be doing um this is where the most work actually occurs so you definitely should not underestimate it so if you say that you list like a 100 controls you have to make sure that you're applying them consistently across your company and you maintain confidence in the implementation next 3 to 12 months is the compliance observation period um this period can have a lot of a lasts
time so you want to make sure that you have the right evidence and this is like the cheat hack that I really want to show you guys um you can do sock 2 pretty fast and it's not cheating so many people expect that a 12 month stock 2 observation period is important and that is the case but actually at samre when we first started with our sock 2 compliance Journey we actually had a 3-month observation period first so we saved a lot of time when the Auditors came in and this approach makes customers happy because you can deliver results in 4 months instead of 14 which you're getting more customers right but the thing is you don't want to apply
that method too often or else you're paying for a stock to audit every single time and that racks up a lot of money and so what you can in what you can essentially do is start with a shorter observation period like 3 months or however long you want which will tighten the feedback loop and if any issues arise during those 3 months and if controls aren't working appropriately you can catch them sooner and then after that first round of stock 2 you can maybe lengthen the feedback loop to like 12 months as your observation period so that's the little cheat hack um and then the first to three weeks is the official audit and this is just like a lot of back and
forth with your auditor and just making sure that you deliver the right evidence and then the 2 to 6 weeks is just like the weight game um your auditor will be creating a report and compiling all the information that you provided them and during this time you can just tell customers like oh the report is coming soon so
yeah so there is quite a process with stock 2 you need to prepare and make sure that you are aware with the trust service criterias and you define your audit scope you also have to make sure that you spot the weak points in your controls and tighten them up and create detailed records of your policies procedures and controls and like you want to make sure that you also establish clear goals within like your company's security compliance objectives to make sure that you can identify key points throughout your organization so the stock 2 timeline varies depending on the complexity of the organization and your existing Security Programs as well too and L organizations or those with a complex infrastructure
will require more time with more compliance and more of a longer observation period but it's also really essential to engage in stakeholders from different departments to ensure a comprehensive understanding of security practices so overall you can have a smoother audit process there's a lot of organizations and departments in your companies that are all affiliated with getting your stock 2 compliance like for example the engineering info team um you would have to work with controls regarding like Access Control change management code review Sr it's like incident response monitoring and logging and creating like a disaster tabletop um and business continu business continuity plans HR you need to make sure you get background checks security aw awareness
trainings and making sure you have like the proper termination procedures sales data Protection security vulnerability ma management even marketing like no one ever really talks marketing but but they're getting a lot of personal information so you want to make sure that you're communicating throughout within the different departments in your organization so now I'm like very excited to show you guys this word maybe you guys know it Riz um it's the new word for Charisma and you can definitely rise up your customers with your sock 2 report honestly but essentially it's just it's like sling for style charming someone and so forth but I sort of wanted to talk about like the benefits of sock 2 and even if your
customers aren't already asking for the sock 2 passing a sock 2 audit objectively proves that you're taking steps to prevent a data breach um it can also be a GameChanger in customer relationships especially in a world where data breaches often make headlines having stock to certification assures customers that their data is safe in your hands because you're taking protective measures also this trust can translate into more increased business opportunities because it's like good credibility right as clients are more likely to partner up or with companies that prioritize security um another benefit to keep in mind is that companies will also regularly reject potential vendors for a lack of stock to certification um even though it's not mandated a lot of of
companies actually look for sock 2 certifications it's not like Europe and gdpr but a lot of companies will look look at it another thing to keep in mind is that it sock 2 also enforces security Basics and it keeps and it makes sure that you're building continuous living processes um especially in a world where there's so many things that are happening so many changes so many technical complications and so forth by making sure that you're regularly up updating security practices and addressing vulnerabilities Um this can make sure that you and your company are maintaining compliance and also improving your overall security posture and I think this overall approach will also make sure that you're staying ahead
from any evolving threats in the future and building customer um trust so now for some critiques um when did CPA become certified lover cyber Security Experts um so certified lover boy is from Drake if y'all are maybe not aware Drake is the rapper who was just like in the headlines recently um but CPAs didn't really major in computer science or security so auditor quality is really important um and some are strict While others may not be another thing is that Auditors can be susceptible to cyber Dazzle and cyber Dazzle is like a term that I learned from my manager but it's like when someone who isn't as technical might see something and might see something
technical in front of them like regarding like evidence that you provide them and it could maybe hypothetically lead the auditor to not conduct an audit properly that's just like a hypothetical situation for you all Auditors here like I know you guys are probably doing things great um but the quality of the audit very much depends significantly on the auditor's expertise and just making sure that you select an auditor with a strong background in cyber security can enhance the audit process throughout and it just makes sure that you have a thorough and accurate assessment of your controls which is important for your company another thing is that stock to is bougie um or it could be expensive so
the cost of preparation implementation and auditing can be significant especially for small businesses or startups and the audit itself can range anywhere from $10,000 to $50,000 and that's literally just the audit itself we're not even counting the investment in pen testing and other security measures necessary to meet compliance so while that cost might seem slightly steep especially for startups or smaller companies um sock 2 compliance can definitely provide a substantial return on investment especially if you're demonstrating a commitment to security um you can gain access to larger markets and customers who require stringent data protection standards another thing to keep in mind is that so 2 is like a broad umbrella it covers General Security principles but
it doesn't really deep doesn't really dive deep into like absc right so just because you're sock to compliant doesn't mean you're bulletproof companies can still get hacked even though you're stock to compliant so it's also crucial to recognize there are some limitations to stock to and there are proactive steps to address them um and this could also just include conducting regular code reviews implementing secure code practices or using tools like static and dynamic application tools so overall tldr sock to compliance isn't a oneandone deal it's always about continuous Improvement stock 2 compliance is an ongoing process that requires organizations to regularly update their security controls and practices and this iterative approach will help companies adapt to new threats
and technological advancements and ensuring that they remain secure over time um stock 2 isn't really like just about checking a box it's about building trust and also ensuring your customers data is safe and the journey to compliance might seem challenging but the benefits far outweigh the costs and by prioritizing your security and compliance um your organization or company can build a strong foundation for future growth forever so yeah um also just like a quick shout out to the coolest manager jonthan he's not here for exposing me to stock 2 and gdpr and then Tom my bsides mentor Leaf Tanya Andy Margaret and Misha I think none of this would have been possible without this talk and so thank
you so much for listening and feel free to connect with me on [Applause] LinkedIn thank you
sorry that was [Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music] [Music] [Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Applause] [Music] hey hey hey hey hey hey [Music] [Applause] [Music]
[Music] n [Music]
he
[Music]
[Music]
[Music] [Music] TR [Music] hey hey [Applause] [Music] Las Vegas this is The Proving Ground track um the talk right now is uh George who will be presenting building a security logging stack on a Sho string budget a problem I'm sure we are all too familiar with uh just as a reminder out of respect for the speaker as well as those joining us live right now this talk is being live streamed and will be recorded So please make sure your phones are either silent or completely off um but so without further Ado George please take it away all right hello everyone uh welcome to my talk uh by the way I've got this QR code on every single slide
so if you want to look at anytime you can follow along uh just as well thank you all right so first of all um why would you even want to build a uh security login stack well this is because um problems happen all the time and um for intrusion detection and um I IDs and IPS you really have to be able to capture those events to actually do something about them so it's very important to do that um your company might already have existing places um to store logs but it's good to have like one centralized location for everything and also always good to have a data sync for this type of events a lot of times I
see that things things happen but because there's no great place to um shove data these events get lost so it's great to have just a generalized place for that um a little bit about myself uh my name is George I work at a company called Cloud kitchens uh we bu build a lot of ghost kitchens we do a f delivery uh my company runs in kubernetes uh we actually run across multiple clouds um I used to work AWS but we currently runs across you know multiple different clouds um I built one of the largest uh elastic search slop search login Stacks I think in the world perhaps um and I actually buil several several more
afterwards um and one specifically for security oh what happened to
the did I step step on cable sorry could you help us a I don't know if I step on the cable or something I don't think
so turn off and back on again yeah we don't have the budget for that as we as we establish I think it might be back wait wait for it there we go all righto all right be careful not to make any sudden movements all right so my takeway for you this hopefully is that um you get a sense of when to build versus buy once's not once's actually not cheaper than the other as it turns out um if you do choose to build I like to show you how to build it uh very cost efficiently and also how to pay for the stuff you need to make it very efficient in terms of um uh cost and performance and uh went
through about a year of optimizing for Speed and cost I like to disel that down and then pass that knowledge onto you so here we go all right let's talk about the benefits of uh Bill versus buy so let's start with uh buy obviously if you buy something it you make it someone else's problem and that's very nice for being a manager and also engineer because you don't have to worry about as much that's a fantastic uh point of view um also gives you uh your team a single point of contact when something goes wrong that's a also very nice um and sometimes you already logged into a vendor so for example you have a big contract with
existing uh provider actually can give you very very good discount on buying buying stuff so actually that can be cheaper than anything can build yourself um I can talk about that later as well um some downsides to buying is that number one you're vendor locked so over time you know they rce the price it's hard for you to get out so let's say all your data stored in one uh loging framework going to another one it's hard to make move that data across um sometimes they actually will lie about their performance so a lot of demos I saw from other companies is that they will give you a demo that works well for like a small size but as you
scale up over time actually doesn't scale at all so that's actually a big thing to watch out for um and sometimes Al also thing we seeing is that support for them can be kind of slow as well there's multiple sport years for everything you buy and for the cheapest sport here they don't get back to you with like a month or two or several weeks and that could be a big problem you have something that's going wrong um oh and also uh key features are sometimes hide behind pay walls which is a a problem as well uh but for build um you actually uh you build with no components so you actually don't want to
roll with your own crypto to get the best bank for the buck the biggest benefit of build is actually you own everything both the software infrastructure and the data so one example is that if you work with government compliance uh you buy software from another country in case of war with some kind of diplomatic Fallout uh you may no longer have access to that software that could be a big problem uh if you build yourself you you can always choose what you store that data so you also can have a backup for it uh should you need it oh you can also choose to optimize between cost and speed which is a big thing uh typically when you buy
from a vendor they give you like these tiers that you put data into um you really have no choice over that but if you choose to to build um you can actually really make a lot of um good choices about how you optimize for cost uh oh you also have a generation op you also have knowledge of how to operate this so in case something does go wrong you can fix it yourself which is way better than having someone else manage your stuff um obviously some downsides to build as well uh number one is the time and energy so you have to be willing to do this um you can build a stack and proposing in about two weeks
comfortably if you got some knowledge of um Cloud um Cloud uh one week is probably fine um to tune it you probably want another two weeks or so so maybe a month just to um generate for this you have a bit of uh liability as well because after you build you're responsible for patching your own data you're responsible for all the ESS Ingress rules as well it's kind of a headache but um it's probably worth the cost if you want to save money uh and finally it might be a little bit of people's Warehouse because uh people like to do um you know like penetration testing it may not be familiar with building stuff uh but a friend who's
really good at hacking stuff together I told him if you just hack more things together eventually come up with a full logging solution which is what happened with our company he did a really good job doing this cool all right so let's talk about some of the benefits other benefits of uh DIY uh besides control over data security um you can really do that slider between the cost and the speed which I'll show you um oh also you can build your own plugins so I'll be talking about using open search so open search has a really rich plug-in framework um almost all of it is not behind the pay walls so if you want to
build like a plugin for you know managing like Korean or like searching like Elish for example if you need to you can actually build that for yourself um you also control your own security model and actually have a very rich security model you can control who can access what very easily all right so let's take a look at the the cost so here I'm using the public information um obviously with different discounts you have different negotiations it can vary greatly I'm just using what's out there so if you start with Splunk which is the biggest guy in the in the room um they charge about $150 per um gigabyte of data GJ per per day so it comes to about $60,000
per year and oh also the size of the custom using here is pretty standard it's a 40 gigabytes of ingestion per day comes to about uh4 megabytes of ingestion um per second so let's say you have like 100 um applications each generate about 10 kilobytes per second that's kind of it comes out to um ins up with 7.2 terabytes of storage per month so your cost will actually breaks down to both the compute Port portion which is memory and CPU and also the Cost U also the storage portion so the longer you operate a stack the um the more the storage will um come into effect I'll show you how to optimize that as well um
if you go with the next one which is elastic search from the vendor you actually get a cheaper package but this actually using the the cheapest possible support package meaning if you message them they'll get back to you with um three to five business days uh if you pay for the best support package you double your cost actually almost doubles so you have to make a decision there about you know support versus um what you get um also AWS sells a version of elastic search as well called open search they actually broke from elastic search well back because commercial licensing disagreements um typically runs slightly slower than elastic search but that's something you actually know
the difference if you run it yourself um they have a service like that if you pay if you run if you get it it's about half the cost of Splunk um and if you just uh run open search yourself um with the same exact specs without paying AWS for the management you get about 20% cheaper and finally if you just build yourself super cheap um you can get down to even about half the cost of um using AWS manage yourself so yeah there you go all right before we dive into how to build a cluster let's have a quick Overlook at how the open search liar works so your data basically lives um in things called indices essentially like a
file of data um as time goes on your file gets larger and larger you probably want to draw that file from one indic to another so like week one is indices one week two is indices two so on so forth uh each uh file or indexes also braks into shards so essentially components of the file you don't have to do this but uh doing this has some benefits because number one the shards can live on multiple um computers for you know resiliency uh two is that the shards can be um searched uh in parallel by multiple CPUs so the more CPUs have the um the better your search could be but there's obviously like a Trad off
between number of shards you have and also the speed so you want to optimize for that as well I'll talk about all this towards the later slide for optimization cool all right yeah so this is the uh simplest um architecture for the login stack this will work for pretty much everybody and actually use a lot of off shelf components so you start with the uh application which um or whatever generat log sources and you have an application that takes that data and shoves it into open search so there's a lot of op of the show components um I think log uh what you call log stash is actually a common one that people use um
an open search or you like search will will do the job uh just fine um as you start building this you actually want to think about access already uh because each thing that push data into open search has different access to different indices you want to already think about how you want to control um what they can right to so for in our example um when we build this basically different sources have different log forwarders and different log forwarders have access to different indices and they can only write to them not read to them so even they're compromised you actually don't lose any data uh from the perspective of the uh the user they go through something
called the open search dashboard or keyb if you're familiar with the elk stack uh it's a simple UI allows you to search the framework itself um and then the simple login solution is username password uh set up for them uh which will work just fine uh Prof for this is that I think it should work fine for almost every setup uh the setup I built in my company actually ingested about a thousand times the um the ingestion of this I'll show you a architecture that's more complex that can deal with a high level of skill uh but I think for most people this will work work great um some cons is that it's not as resilient to
failures because um you obvious have failures in both the um the log forwarder the uh open stash itself or the um application that shows data that give some problems I'll show you how to deal with that um and also you don't have probably the best way of managing logins because I'm usame passwords to to do this is uh kind of troublesome all right so here is architecture I use for the stack that inest about thousand times the uh the rate of the previous one um actually this stack only cost about 10 times more than the um the St you so about 200k to to do this uh the biggest changes are are several so let's start with um uh
the log applications so applications can live anywhere they can live in multiple clouds multiple um regions whatever you want uh they pour data forward uh down down the stream and what you need to have is actually you have a buffer and uh here we use C we can actually use almost anything this is actually like a key um importance because with so many log sources and so much information being put with sell the buffer like kka to buffer it uh failures will cause you to lose information and this is actually a very important key to make it work the second thing you need to have is have a second log forward after the buffer uh
this is really smooth thing out the um the data you ingested because events don't happen like you know at even rate sometimes you have a burst events some have no events without a buffer to really like make this even you have to have problems pushing this stuff into um open search itself and when you push data into open search you want to push it into chunks and a good chunk size I I like to recommend is 5 megabytes at a time for large size you have to do up to like I think like 30 megabytes but um I think you do get some Dimension return uh over time uh now if you look at the
open search clusters uh there are multiple of them so they actually they can be collocated with the data meaning if you have data in AWS or Azure or gcp you can have one open search cluster per region um with the data this makes it actually faster in terms of you know Lev agency you also like um saves a bit of money because you can be collocated for that and the beauty about open search is that you can actually search across multiple clusters multiple regions simultaneously as some have the right access uh rules and uh for the user perspective you got a user you also have SSO so SSO is a simple integration that built into
open search uh using saml you're able to um use that uh for your system and the good simp about SSO is that a lot of people companies already have people defining ssos and they're tied to different groups so for example you you'll know someone come into application are they a engineer are they product manager Etc and from that you can give them the appropriate access to the data they're trying to search so Engineers can only search something other people can search other stuff so with this result you actually have a very resilient um application you can basically um scale to a very large degree and um also you don't have any pay walls that prevents you from doing
SSO because you're using open search all right cool now let's talk about optimization so I'll first talk about cost and I'll talk about performance so for cost um you really want to understand how people use your application and that's the thing with um loging Frameworks basically events happen you typically people typically only care about stuff that happen recently like uh usually something happened is like you know with the last day or two and one just SP and that's where you want to spend your money so one thing you can do is that you can store the data that's most um commonly accessed um in a hot cluster and everything else push down to a lower
cluster so let's say you have like two um uh computers the first one is for hot data has the most CPU the most Ram the best ssds for example and then anything past you let's say a week or so you push to other computers that have less Ram less CPU and more a larger discs so there's a little bit of trade-off for that because if you search data that's older obviously can be slower but um you do save a lot of money doing that uh the second second thing to do is use S3 bucket storage so this actually is one of the biggest Innovations I think have happened in terms of storage because your cost is so expensive for
storing large amount of data let's say you store like um multiple terabytes of data over time that becomes tens of thousands dollars pretty easily but you S3 you actually become much much cheaper it's about a 90 sorry 90% reduction in cost in a lot of use cases but you don't want to do that you do not want to do that for um frequently Access Data because you're charged per API access so if you constantly access S3 data you actually end up paying more than you actually pay for this oh the third thing to do is use spot nodes so spot noes is a concept with kubernetes where basically people will pay for um additional uh resources
but they actually can't use it up and then when people are not using the resources paid for uh the car providers will actually leas them out to other people to use um in the meantime uh one downsides spot noes is that um you can actually be kicked off The Spot noes any time um so you really need have a result in buildin so you can really recover your cluster if you kicked off the one of notes you can be spot schedu on a different note but the cost reduction is actually really high usually get about 50% to 90% of reduction in using costs um oh yeah uh in terms of optimization for performance so one
thing I recommends you don't have exactly two replicas so you have a primary primary Shard and repca Shard so this means at any time half your cluster can technically be down and you speed up and running you do double the cost but actually is pretty useful so that combined with spot no meaning you paying way less uh infrastructure cost but you also have a really high degree of resy we running spawn no for like years and actually being mostly fine but sometimes you do run into uh trouble when spawn no are discount being kicked off so you actually do need need permission like a real um Reserve node or on demand node to really pay for that but I think most
of the time you're probably okay um for short sizes you w have as many shards as you have CPUs allocated because each CPU can search A Shard in parallel and The Shard sizes should be between 20 and 50 gigabytes this is done through empirical testing and plus a lot of numbers that Ela search publishes but does vary from computer to computer so you can want to experiment that a little bit but generally that's a pretty good um guideline uh finally if you do injust the rate as we do like you know several hundred megabytes per second you need to use ssds uh recommend magnet maget magnetic storage from almost everybody um because it's fast enough um because
most things are cached in memory but for ssds you really you really need ssds for um like you know hundreds of megabytes per second for ingestion and one thing to know about ssds they actually vary across the clouds so for the same dollar uh in aure you probably get more um more storage but you do get less uh iops so one thing you actually hardly limited on is the iops for um for this uh for your cloud provider another thing to note that we learn is that the iops is based on the size of ss provision so let's say you only need like a 10 ter 10 let's say like one terabyte SSD but you actually
need a higher iops than that you actually need to provision a two terab SSD so even though you was some space you need to have that iops to support your operations another thing too is that if no one complains about your search speed you can actually reduce the CPU memory over time we did that gradually over a period of several months we actually to save a lot of CPU and memory just by doing that because you know you don't need to spend that much money on the performance if no one complains about your cluster being slow so there you go all right uh let's talk about security oh and also maintenance so maintenance actually is pretty easy it's
um there's an idea of a ISM policy in open search which basically allows the cluster self-manage how you roll the data forward so um once you said that seeing like hey all this data lives um in this awesome really powerful box and after that it goes to gradually like slower boxes and eventually get pushed out um you can just do that once you said that it pretty much set and for G um let's see what else oh yeah you want to use git Ops for configuration because very easy for people to apply configuration and forget about them so it's I think it's just good practice to do that um cic is also very important for pushing out in
Tim manner uh finally once you document the process you can basically just relax and you know drill it and you're pretty much fine uh for security it's actually kind of like an ongoing process you need to constantly think about um access of different data uh one of the biggest takeaways I had from previous jobs is that you want have like a quarterly access review so when I was say Amazon every quarter people ask ask hey you should you still have access to this and if you don't answer back to basically remove your access just so people don't have access to things that you don't need uh oh yeah also you have to roll out patches yourself which is kind of um
it's not that hard it's just something you have to keep on doing because you build your own cluster all right so uh that's basically uh my presentation um hopefully I give you a good idea of when to build versus when to buy and um when you do build um how to like optimize for cost and performance um and uh oh yeah and thank you very much uh to bides for letting me do this talk my mentors and people who are here to support me uh that's my talk um if you have any questions uh please let me know uh my name is George thank you
yeah oh yeah I've got a Bonus slide with a bunch of references for tech technical references um for Best Practices if you guys care about so all right thank
you last SL please oh yeah sure the QR code will Le to documentation the QR code will leave it to us as well yeah if you want that has my whole presentation
thank you George no problem yeah good talk to you thank you guys [Applause] [Music] [Music]
[Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] he [Music] [Applause] [Music]
[Music]
he
[Music]
w oh [Music]
[Music] oh [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] oh I'm just okay I to I'm just trying to give you something [Music] I'm just TR to something I do I'm just TR to give you something [Music] w
[Music]
[Music] [Music] I'm just try to this have to I'm just dring in [Music] something I'm just dring in [Music] something I'm just trying to give you something [Music] m [Music]
[Music]
[Music]
[Music] [Music]
all right good afternoon everyone it is official afternoon uh welcome back to Biz Las Vegas this is The Proving Ground track uh I have Randall here who talk title is you can be neurod Divergent and still thrive in infosec just a couple of reminders you've heard it many times before but I have to say it again and again please make sure your phones are silenced or completely off out of respect for the speaker as well as those joining us live on YouTube this talk is being recorded as well as simultaneously live streamed um but without further Ado R please take it away thank you thank you I will also ask um yeah I know you
can take pictures of slides um to try to not do that because it's kind of distracting uh anyway thank you for being here uh as he said my name is Randall um the title is you can be neurod Divergent infc and Thrive a little about a little bit about me I'm an application security and vulnerability management engineer at Cai meds I have a mcken counterpart here I'm sorry um I was diagnosed with being on the autism spectrum and generalized anxiety during the worst moment in the world during the pandemic um I'm a video game Lego and book nerd I just finished my I'm 27th I'm on my 28th book probably going to finish it this afternoon and
I'll go on my 29th book out of 35 for the year uh I'm also a technofile way too many gaming handhelds I actually have my Legion go in my room so I can play balers gate if I wanted to some facts in 2021 the unemployment rate for college graduates with autism was about 85% almost 20 uh almost 20 times the national average and about 22% of autistic adults are gainfully employed meaning they can pay their bills and have some sort of money to live on afterwards why this topic um there's tons of Articles written about how you get an osc it's you can say 30 days or take this course or lie on a resume
don't do that it's stupid um there's also a gap of neurode Divergent Talent within the infosec community um we tend to not go for the big roles because it's puts us out there and we don't like being in front of things why am I here essentially um so not everyone is a front of the house type of person again the question probably comes through your mind why is he doing this because it needs to be talked about uh not everyone is also suited to be a leader as it is currently meaning you don't have have to be that front of the front of the pack person saying hey we're our team is going to do this you can be a support
role or servant leader um we can change what it means to be a manager instead of one person leading and be a colle a collective of people so everyone makes a generalized agreement and they go forth with all of this and uh ner Nur Divergent people getting into tech for many reasons Independence range of topics and to be honest the money's quite well um so you want to work in infos um many say that infos isn't really an entry level field it's quite true uh but there are some caveats to that um it's hard to also break into this industry unless you have a connection of some sort my connection was my manager I luckily I made that
connection it's even harder if you're socially awkward exactly uh it can also be really difficult if you don't feel like you're a perfect fit we've all been through Job searches where you're like okay this doesn't work for me so I'm not going to apply for this apply for it because it's just a basically throwing gell off the wall and see what sticks um like I said on here open rex for roll is scattershot and most of the people who put those rols out there don't know what they're talking about and we also have a particular set of skills not killing things per se unless it's a process um we're particularly suited for Tech cuz in my
mind infos is a puzzle and you got to figure out what what pieces go where um it can also typically get through a thought process faster than my neurotypical counterparts and it freaks them out sometimes but that's what we're here for uh leadership typically also doesn't have neurod Divergent people there it's mainly neurotypicals thinking like oh we have to do it this way this way this way but what about the other way what about combining two into one step instead of the other stuff also inherent understanding of things is not always good I don't work well with an incomplete set of instructions I have to keep telling my manager that but he'll learn eventually but which way to go um it's
hard to really give confidence uh guidance on this um depends on what you want to do do you want to do uh Disaster Recovery do you want to do forensics do you want to do cryptography as crypto means cryptography not coins because that's just stupid um there's so many facets GRC there's other stuff uh neurod Divergent people typically find a thing latch on until they burn out so many times and then they get back to it because that's what we do um and you can change the different specialities within it for instance I was doing application security I still do it but I'm also doing vulnerability management and asset management as well so you can you can move throughout
everything um and again money everything's expensive and we like things so the game is a foot let's get your [ __ ] together when you're looking for a job you can what I've done is I created a spreadsheet when I was looking for a job to put things in categories who I've spoken to what stage of the interview process are you in the company name and if it's a recruiter asks for the company because sometimes they like oh it's this our client who is the client because I don't want to work for an awful company um ask for a salary and if it's a job ask for a job description if it's a cold call or just a random LinkedIn email as
we all get sometimes so when you're interviewing what I generally generally do if I'm interviewing I send an email prior to introducing myself and asking for some some accommodations like hey is it okay if I just you know have my camera off for after the initial introduction period um also if you ask for accommodations this and they don't typically give them to you that can clue when sometimes on what the environment like is like at the actual employer um yeah if they say no run like I said if you ask to keep keep your camera off after the initial intro period camera fatigue is real um 75% of the meetings I'm in at work my camera's
off cuz I also I look at myself in the camera and I see myself speaking I'm like I look stupid stopped looking so I typically try to keep my camera off um and if person asks for accommodations for dress Cod this does not mean show up in jammies just be as casual as possible jeans button down or a polo it's also okay to say no if you don't want a job if you get to the end and you're like okay this isn't really going to fit for me it's okay to say no um you're interviewing the company just as they're as much as they're interviewing you you have to make sure you fit there and if the culture doesn't
work or if you feel something's off then generally your little Spidey senses is generally true but also which one do you go with if you get more than one job interview job offer decision fatigue is also real that's why some people wear black and brown quick and easy put it on or um just saw someone tweet out about what their their wardrobe looks like for Black Cat and Defcon it was black or white t-shirt jeans and shoes decision fatigue just I know I'm going to wear the next day and go on um create a list of pros and cons for the role so okay this has decent benefits for health insurance because medicine is expensive um Health
Medical uh mental health is also pertinent there too what is their time off policy like is it permissive to just take time off when you need it or do you have to acrw it um it all depends on what your needs are and N division n div individuals may take a bit longer to make a decision so be okay with sitting in that decision process don't you don't have to jump to it because oh this is a $130,000 job offer yeah but you may get 45,000 next one so just take the time think about it go through the pros and cons also it's okay to negotiate why do we just say yes okay they have the money they're hiring
you for a reason say I want more money or I need extra time off or I need these accommodations so I'm in he said in his best best hacker voice I call this one in mapping the workplace I'm hoping most of you know what end map is if not it's end map Network you so B you scan the network see what's there open ports OS and all that stuff uh micromanagement is not fun I'm not a child um there's no children in here so good um it can make you feel like you're not doing your job well or make you feel like you don't know what you're talking about so that constant nagging imposter syndrome is almost reinforced with
something like that uh asking for frequent and constructive feedback I'd like to know what I'm doing well and if I can improve even if I'm doing well because there's always room for improvement no matter what it is also making meetings better I created a Confluence page at work that says how to make meetings better turn off your mic if you're not speaking don't talk over people wait a couple seconds before you respond to someone if you are on camera don't pick up your laptop and start rning around that's really distracting um and also if you send out an invite to a meeting please include an agenda we have a have trauma based learning of oh
[ __ ] we're going to get fired because there's nothing on here and it's an important meeting that happens in 20 minutes send an agenda it's not hard um learn how and also learning how to self- advocate for yourself that's quite redundant but it takes time to learn how to say this is what I need and be confident in it and when you finally get a team that supports you and backs you it makes all the world a difference also be a servant leader I hate that saying but it's true um adapt be adaptive to your team's needs if you're a leader lead assuming good intentions don't read into people's speech pattern if I generally
speak with a flat tone don't think I'm coming off as being an [ __ ] or or anything other than I'm answering your question I'm being direct with you uh things go wrong humans are messy people are going to be messy probably I don't know what 8 o' the PO party starts or something like that messy um honesty and trust is key also if you lose trust with me it's damn near impossible to get it back so don't break trust with NE indiv individuals people are different but for me if trust is broken good luck so what's next when learning do you go over style or sustenance that's a two Wong Fu reference if you guys don't know what
that movie is uh learning new things is fun but can be very expensive ask me how I know several books um one can learn a myri of ways books YouTube videos training shirts and yeah guessing people don't understand that reference That's The King and I Y brener uh choosing your own adventure um there's no one correct way of learning everyone learns completely differently um sometimes I can read a book and say okay I think I know what this is and someone asked me a question from the same exact paragraph I'm like what what what do you mean and someone asked literally sometimes pointed out to what what they were asking um prescribing a one- siiz fits all learning course
leaves out those who don't fit the mold thanks massen while there are drawbacks to indiv individual learning being flexible allows for greater absorption of the knowledge that may or may not be gleaned from it um just randomly going through clicking through a this is what a fishing Emil looks like doesn't work how are we going to teach people to look for these instead of just saying oh this link looks weird how about you open up the headers and see does it say threats him does it come from a different sender there's a different ways to learn about this for the normal person that's not really in technology can figure out oh this isn't real I shouldn't click this
so what's next is what's good for the goose good for the gander what works for one may not work for everyone the world is quite diverse as we can see there's different nationalities uh gender identities here everything it runs the gamut um understanding this and allowing to call your intentions help to expand your mind um once you realize that you're not the only person in the world and we are a speck in an infinite infinite real reality and depending on if you believe in the string universe theory that decision will Branch off to other branches so what happens now or what even what happens next we don't know neurodivergence doesn't present in any one certain way um and also this
industry is in dire need of a shakeup more women more people of color more uh diversity within gender identities just everything needs to be changed no more sorry old white men come on and if you met one person on the Spectrum you've met one person on the Spectrum we are all different so if not now when be patient take things take time your career is that yours uh things don't happen overnight if they do um you either from aparti South Africa or it's a lie also keep moving forward that's all you can do so that's about it for me um questions
yes um yeah so the question was how do you help your co-workers uh self- advocate for themselves or your manager how can your manager also help advocate for your you is is a little bit of a uh a s side step of what's happened recently my manager and I got on a call because something happened and he's like okay I understand this is the process you need to go through but realize that Randall is neurod Divergent and things like this kind of are triggering for him and how can we make sure going forward that people don't misunderstand that he's just saying what he's saying and doesn't mean it awfully or any kind of um I can't think of the word just not
being mean to people just I'm just making an off-hand comment or just being completely direct because people can read into that awfully yeah it's good did I answer your question
exactly for the stream one second before the stream he said um he's been called Direct in abrasive and it depends on what the uh the environment calls for um Direct in abrasive is essentially the same thing uh I'm sorry that you read into something that's not there that's on you to you trying to figure out what's wrong with you first and it's not my not my issue yes sir
yeah uh the question was what other accommodations have I requested for or of other people uh to be honest those are the only ones so I I tried to start at the bare minimum and it not only helps us neurodivergent individuals but also helps neurotypical people because you get sidetracked and someone asks a question and someone chimes in on something and you just like wait what happened where are we going with this conversation so yeah it's I started with those BAS minimum things um I've been trying to bra BR Branch into more mckin like hey you can't just throw meetings on calendars without saying what it's for I understand some things may be confidential but try to
drop a line somewhere tell me what it's for so I'm not freaking out yeah I think he was next in the blue
shirtn start to see that people they don't know they are as well in your work how you appro that
[Music] peopleare the question is how do you approach people and spread the basically evangelize um Nur div virgin accommodations essentially okay um good question I don't know because I've I've been working in my team and then slowly branching out from there with the teams the engineering teams around me so stay tuned what are some GRE flags and red
flags question was what are green and red flags uh during the search um it depends are you call or blind [Laughter] um good question I I don't know to answer that uh typically if I read through the one thing is we're a family I'm sorry I don't know if we can C no the [ __ ] we're not we're co-workers we're here for a reason we're going to do a job we're not yes we're a team we can get along we can be close friends with inside of work but once work time stops that connection is severed for me like I I'll be friendly towards people but I'm not going to be like oh let's go
to your house on the weekend no I'm go to my partner's house sorry
yeah I believe we did but
layoffs dni oh I heard Dei but that might be a pejorative to some um I think so um the Dei person that was that c meds was H let go during what we call the culling or The Happening um so there are resource groups employee resource groups for within like greater mesin it's [ __ ] um but with some companies throwing it out because it's a bad word now looking you Tractor Supply um I some may have it some may not but I mean do your reseearch uh glass store reviews are a great thing even if some may be lying just Google don't L limit because it'll tell you what you want to hear um I think we're almost closed that
any other questions um as far as application processes they always have the disability question you know a yes no or don't want to answer I want to lie no and how much you think process the question is um disclosing potential disabilities on application paperwork uh it's up to the the applicant you do not have to disclose it if you get into the role and you say hey I'm asking for these these accommodations for a reason if they try to push into it that's that's illegal they can't ask why you don't have to disclose your disability and asking accommodations is good for everyone not just n Divergent individuals
[Laughter] yes there's bi absolute bias
yeah um oh hello hello you're comfortable talking about being neurod Divergent yourself MH but it is also a medical diagnosis it is it's just the same as having AIDS or anything else right yes a lot of people don't want to talk about what their personal stuff is yeah how do [Music] you is it on you to advocate for yourself or do you want are you comfortable with others within your organization advocating for you do you feel like you grant them permission to do it first like you said your boss said says these are trigging for Randall others might not be so cool with that like hey boss I told you that in private how do you navigate those sort
of social situations I guess it depends on the trust level with your manager because if you don't really trust your manager you're not going to kind of trust it also I'm comfortable with it because I I saw the the need for side conversation hey guys gentlemen Gentlemen please um I I talk about it because I saw a need for it there was a huge gap in accommodating people because technology run goes fast and it goes through people faster so I mean it all depends on what company it is how what like again your manager how comfortable he is or she is or they are with who you are and it also depends on if you want
to actually disclose it you don't have to if it helps do it but it all depends on who you are in your circumstances I hope that's a good enough answer yeah uh would it be okay if I provide a second opinion on that question um so A good rule of thumb if you're dealing with you're dealing with specific individual ask that individual talk to that person say Hey you know so if you're the person just closing say hey I'm sharing this with you I would rather you not share it with anyone or I'm sharing this with you so you can help advocate for me um if you're on the other side and someone has shared with
you make sure and explicitly ask them if they don't say say is this something you'd like me to keep private is there something I can do to help advocate for you what can I do do you want to Signal me do you want me to always do it um and that's true of not just ner Divergence but anything if somebody discloses something to you um and asks for your support um this is something that happens to women a lot in Tech is that um there's a lot of unasked for support in some areas and then in other areas we're not getting the support we need so sometimes we need someone to say hey did you hear what she just said or what this
person just said or whatever and sometimes that's kind of patronizing and we don't need that and so talking to the person involved is the most important thing here because everyone is different every situation is different absolutely yeah very well thank you Randall very much let's give another round of applause [Applause] [Music]
[Music]
[Music] [Applause]
I
[Music]
[Music]
n
[Music]
[Music]
[Music] a
[Music]
[Music]
[Music] a [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Applause] [Music] he [Applause] [Music] [Applause] [Music]
[Music] he a [Music]
[Music]
[Music]
[Music] n [Music] track [Music] hey hey hey [Applause]
hey hey hey hey hey hey [Applause] [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] [Applause] [Music] oh [Music]
[Music] now
he
[Music] h
[Music]
[Music] w [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm I you I'm just TR to give you [Music] something I'm just trying to give you something I do I'm just trying to give you something [Music] oh [Music] a [Music] [Applause]
[Music]
[Music] [Music] I'm just to I I'm just [Music] to I'm just [Music] TR I'm just trying to give you something [Music] he [Music] w
[Music]
a
[Music]
[Music]
a
[Music]
he
[Music]
[Music] [Applause]
[Music]
[Music] [Music] a
[Music]
[Music]
[Music] this [Music]
[Music]
[Music] [Music] [Music] a [Music] [Applause] [Music]
[Music]
[Music] no
[Music]
[Music] n [Music] [Music] [Applause] [Music]
[Music]
[Music]
a [Music]
[Applause] [Music] he he [Music] [Applause] [Music] a
[Music]
he
[Music]
[Music]
[Music]
[Music] TR
[Music] hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Applause] [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music] he [Music] [Applause] [Music]
[Music] he [Music] [Music]
[Music] [Applause] [Music] he [Music]
[Music]
oh
[Music] h [Music]
[Music] w [Music] oh [Applause] [Music] [Applause] [Music] I'm just TR to give something I I'm just TR to give [Music] something I'm just TR to something I to BR you I'm just trying to give you something [Music] a [Music] [Applause]
[Music]
[Music] [Music] I'm just I'm just trying to give you something [Music] I'm just trying to give you something I do you I'm just trying to give you something [Music] w
a
[Music]
look [Music] [Music]
[Music] St
[Music]
[Music] [Applause]
oh [Music]
[Music] [Music]
[Applause] [Music]
[Music]
[Music]
[Music] e
[Music] he [Music]
n [Music]
[Music] [Music] [Music] [Applause] [Music]
[Music] a [Music]
[Music] [Music] [Music] [Applause] [Music]
[Music]
[Music]
[Music] a [Music]
[Applause] [Music] hey hey hey hey he
[Music] [Applause] [Music]
he [Music]
he
[Music]
[Music]
[Music]
[Music] track [Music] oh [Music] hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Applause] [Music] he [Music]
[Music]
[Music] [Applause] [Music]
[Music] he [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music] [Applause] [Music] he [Music]
w w [Music] oh oh [Music] oh [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm just tring get some this okay I do I'm just trying to give you [Music] something I'm just try to give you something I do I'm just try to give you something [Music] he w
[Music]
[Music] [Music] I'm just I'm [Music] just I'm just something I I'm just trying to give you something [Music] oh [Music] w
[Music]
[Music]
[Music] [Music]
the [Music]
[Music]
[Music] [Applause]
oh right [Applause]
[Music] [Music]
[Applause]
why
[Music] the
[Music]
[Music]
[Music] [Music] [Music] oh [Music]
[Music]
[Music] [Music] [Music] a [Music]
[Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music] hey hey hey [Music] [Applause] [Music] he [Music]
he
[Music] d [Music]
[Music]
[Music] track [Music] hey heyy [Applause] [Music]
hey hey hey hey hey [Applause] [Music] [Music]
he [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music]
[Music]
[Music] he [Music] [Applause] [Music] he [Music]
[Music]
oh
[Music] h
[Music]
[Music] [Applause] [Music] [Applause] [Music] I'm just to something I I'm just TR to [Music] something I'm just I'm just tring to give you something [Music] he [Music] oh [Music] [Applause] [Music] [Music]
[Music] [Music] I'm just I'm just dring [Music] something I'm just dring something I I'm just trying to give you something he [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
oh
[Music]
[Music] [Applause]
[Music]
[Music] [Music] yeah a [Applause]
[Music] okay all right hello everyone and welcome to a new host touches the beacon let's do a quick question has anybody here played a little game called Skyrim cool has anybody played Skyrim with mods all right even better you're going to love this I'm excited to talk to you today about how we combined our passion for video games and hacking and applied the hacker mindset to explore the landscape of one of our favorite games in a brand new way just a quick note I will share a link at the end that contains the original blog post and these slides my name is Devon Clary I'm also known as a RAC I am a penetration tester
and I've been taking a crack at this cyber security thing for about six years now and down below is my better half partner in crime Marlo W Clary also known as isne um she cannot be here today due to a last minute family emergency so all that means for this talk is that you're just stuck with me for the whole thing um she did earn her place to remain on the slide as she is important to the story really I just couldn't figure out how to remove her without breaking the whole slide but we won't tell her that we're both big fans of Skyrim and this all started as she was gearing up to start a new
playthrough to summarize Skyrim real quick Skyrim is a very large single player open world role playing game that's full of quests Landscapes magic and dragon so what makes Skyrim a great candidate for this project well almost 13 years after release people just keep playing this game why well partly because they keep focusing on making content for the Fallout series and not giving us Elder Scroll 6 anytime soon but also one of the great greatest attractions to Skyrim is the modding community so let's talk about mods for a second mods are developed by fellow players and third party developers to modify and alter some aspects of the video game and for Skyrim there's just so many mods out there enhancements to
character Creations cosmetics new quest lines graphics and textures like you see in the screenshot here on the side comparing a non-modded scene versus a modded scene so there she was isne looking to start her like 11th playthrough of Skyrim and as she was browsing through the mods she notices like virus scan safe to use label on the website and that made her curious like what does a what does an unsafe Skyrim mod look like so we started talking about it and the timing was perfect because then I was just starting to get into studying mware development and I thought of this idea that would be a great challenge isne said and I quote I cannot
even play this game until we figure out this mystery so we began planning out on how we were going to make this happen some may even ask is anyone even playing Skyrim anymore at the time of this recent screenshot there were more than 24,000 people playing the game the game has around 22 million owners and had an all-time peak of 287,000 plus players on release now keep in mind these stats only reflect the steam platform on PC so not console Gog Alexa fridge lawnmower or wherever the hell you could play Skyrim anymore these days now keeping those numbers in mind let's take a look at the bottom part of the slide exploring within a popular mod
website we see that both versions of Skyrim have more than 60,000 mods available to download and more than 6 and a half billion downloads combined how does one even make a mod for Skyrim there's two popular ways to get started making a mod the first one is using what's called The Creation kit and this was released by Bethesda game studios with some restrictions and very limited coding languages then we have skse which stands for the Skyrim script extender this is a community main mod platform that allows skym mods to be developed in C++ so now that we have covered some of the basics the question was can we make Skyrim something can we make Skyrim
summon external programs and windows by Conjuring something to trigger it or in other words can we make Windows execute something based off of an in-game event the answer is yes and I'll show you how in just a minute so I'll have to borrow a line from Todd Howard here and ensure you it just works but first we just needed to figure out what conditions should be met in the game for our code to execute and since our end goal is to execute a C2 Beacon we decided go with going and picking up Meridia's Beacon in the game Meridius Beacon is a quest item that spawns into the world once the player hits level 12 once this item is found and picked up by
the player that loud voice comes through probably through your headset and says a new hand touches the beacon no to Skyrim players to be trolled by this experience so what do we need besides Skyrim we've tested this on the Gog and the steam version of the game so either one of those should work fine we also need ssse that we just talked about the Skyrim script extender Visual Studio to compile our code vcpkg which is just a C++ package manager a scripting template available on GitHub just to get us started our proof of Concepts that we've put up on our GitHub and finally a C2 framework and for this project we chose to go with
Havoc here we see an example of local code execution this entire code just says do something when when a hit event is registered and the only purpose of lines 8 through 11 are to open the windows calculator app so putting this logic together we say when we hit someone in the game open the windows calculator app I think we're ready to check out a quick video of what this actually looks like so here we go we're running into the village like a maniac smacking an NPC in the face boom calculator this is an exciting Milestone When developing any kind of malicious code because if we can get something like calculator to run we can get just
about anything that we want to run as we will see soon enough since everything in this project revolves around picking up Meridia's Beacon we needed to find a way to obtain the beacon item other than hitting level 12 and running all over the world looking for it to figure out how this game interacts with its objects we went down this Rabbit Hole of form IDs and Base IDs so I'll try to summarize this concept the best I can form IDs are unique identifiers for everything in the game so everything has one everything from quests NPCs dragons followers lockpicks you name it it's got one now this matters because we're going to cheat the system a little bit we're
going to be using an in-game console system and just spawn the beacon item in front of the character instead of spending all those hours looking for it in the world right as you can see in this slide we found Meridia's Beacon form ID pretty easily on the web Elder Scrolls Wiki page and that is the 4 E4 E6 you see here next we're just going to use some logging techniques to find out how the game generates a copy of Meridia's Beacon and how the game tracks that item here's the meat of the logging script we use to log how the game is able to identify Meridia's Beacon item in the world we compile this in Visual
Studio to a dll and then we load that dll into our Skyrim game okay let's take a look at a video that will help us get the final value that we need here we're going to use that in-game console to spawn the beacon with a specific command player.pl at me4 E4 E6 which is that form ID that we just found and that Beacon will be placed in front of the character the character picks up the beacon and then we're just going to completely exit out the game for now the objective here is to locate and review the logs located with within the game's directory this will show us how the game recognizes the copy of Meridia's Beacon
that we just spawned here we find that new value or the base ID for the Meridia Beacon item listed here at 32742 moving forward we will utilize this new value to finish our Quest so we go back into the source code of our mod experiment and we start figuring out how do we use that base ID that we just got to expand on our malicious mod we see here in line 22 towards the bottom of the image we start implementing this if statement or if condition that says if an in-game object that matches this specific ID 32742 is activated or picked up by the player execute this following code let's take a look at lines 10 and
11 towards the top of the screenshot we see here this is just where the attacker would put in their IP address and their listening port number the rest of the script is simply just reverse Shell Code obtained from the ever resourceful worldwide web let's let's see this in action first we quickly see a netcat listener on Port 88000 we go back into the game we use that console system again to spawn the item hopefully on a flat enough surface the roundish beacon item doesn't just roll away on us the character is going to pick it up we'll switch back bam we have a reverse shell cool mission accomplished right we'll check the IP address listed here with the one shown
against on the desktop to make sure they match so reverse shells are nice right they do the job but we couldn't help but ask ourselves what can we do to take this concept A step further as mentioned before the ingame item is called Meridia Beacon so in the Oho Jolly Spirit of the LOL we're going to upgrade this reverse shell to a command and control Beacon uh we're using Havoc C2 straight off of GitHub and notice here that we're using the windows Shell Code format for the agent which is going to generate a binary file uh if you ever tried viewing a binary file as a plain text you'll recognize this format of encrypted Beauty seen at the top of the
slide but how do we get this binary code into our militia C++ Skyrim mod code in comes a program called xxd to save our day xxd is a command line tool that primarily used for creating and analyzing heximal dumps from files all we had to do was utilize this command line to tool to convert the binary file contents to a hexadecimal represented on the left side of the screen then we place that Shell Code within the C+ plus mod Shell Code placeholder seen in the red box on the right side of your screen from here here in Visual Studio we simply build the code load the mod in the Skyrim and check the results this time we set up three
separate virtual machine instances each running Skyrim all with our new Beacon mod installed we set up havoc on one uben 2 virtual machine and then one by one we cycle through each virtual machine each instance of Skyrim bring up that console command system spawn the beacon item that triggers our code on pickup we can see in the video here that each Beacon executes separately and successfully calls back to our Havoc C2 server this is a very small scale demo for a proof of concept but imagine this kind of functionality already hidden within the popular mod you'd be seeing a lot more beacons here and now that we have all three beacons we go through the IP addresses
one by one and verify with each Windows host IP address that we see on the desktop this is definitely cooler than a standard reverse shell but again how can we take this concept A step further so we just demonstrated figure one with separate instances of Skyrim running within separate virtual machines but what if we were able to turn Skyrim into a multiplayer game where all players are synced to the same server in the same world instance of course this is Skyrim so there's a mod for that too called Skyrim together let's see what happens when we chain that mod with our mod to further the chaos here we see a blank Havoc user interface no beacons
running and now we're going to simulate three players in the game on the same server at the same location bear with me here as I cycle through each player to show full control one of these players is going to simulate as our cber criminal and the first thing this player is going to do is open up that console system and spawn three of those malicious Beacon items straight into his inventory next this player is going to go and drop off two of those malicious beacons and do a random barrel and keep one for himself we'll now swap over to the second player and we're going to have this player go to that same barrel and
pick up one of those malicious Beacon items this player is going to open their inventory and show everybody that they do indeed have the beacon item in their possession the last player will repeat the same steps it's going to go to that same Barrel pick up one of those malicious Beacon items and expose their inventory to show us all that they have it perfect now let's switch back to Havoc server and see what happened we successfully finded all three malicious Beacon callbacks excellent so we we built this code off of a pre-existing in-game item but just imagine the kind of possibilities with proper mod support like for example new spells could be created and when it
strikes another player this kind of malicious code could execute almost like a twisted game of tag for hackers and maybe this is all too much and maybe like a stealthier approach is desired to be taken let's take a look at a a different path where instead of a reverse shell or a beacon maybe we just run some basic system enumeration commands on the Target also to change things up and to show the flexibility of this concept we change the if condition to execute only when the player dies so getting rid of the Meridia Beacon thing altogether so only when the player runs out of Health represented in Code by the first box our new code executes and performs a handful
of enumeration commands on the Target and then stores those results into a local file and all of that's represented by the bigger box once all those results are collected that file is then sent to a remote HTTP server set up by an attacker so let's get a visual of this concept and see what kind of information those commands are able to give us at the bottom right of the screen we see this Troublemaker get what's coming to him by the fine citizens of Riverwood as the player goes down take a look at the top left of the screen we see a new file gets populated on the HT TTP server nice the game continues to run
completely clueless of what just happened let's review what kind of juicy details the attacker was able to obtain from the victim for the best demo of this instead of using like a test environment I actually ran this on a computer that's used dayto day and just redacted anything sensitive details obtained included local username local admin accounts personal username and email account accounts for various services such as like Microsoft Adobe GitHub there is even some of my remote desktop IP addresses and usernames saved here next we find the good old System Info results informing us of the target's operating system and security patches installed not shown here but we could have just as easily obtained like
thirdparty software that's installed on this host helping a malicious actor discover various attack paths here we see SMB shares uh available to this specific host these kinds of details can give an intruder a decent idea mapping out the target's environment and finally my favorite part here we see an example of stored Wi-Fi SS IDs and their plain text passwords from the target host I've even set up an example just for this talk seen here named besides demo and the password shown at the bottom besides demo password well folks our Quest has been completed and we have reached the conclusion of this talk hopefully what you take away from today's talk is just a reminder that code is just that it's just code
and when you're so busy staying Vigilant all day doing everything in your power to stay safe from cyber criminals it's just so easy to sink into your favorite pastime and forget that malicious code comes in many different forms including video game mods that can look quite attractive for your next playthrough I hope you walk away with the knowledge that not even the gray beards of high Hoth guard could provide you Dragon borers and by the night have a fantastic bsides I do want to give a quick thank you to bsides for letting me stand up here and talk about our project and a b big thank you for all of you who came to see it no Lolly gagging there's only a
few minutes for questions and please feel free to visit us on our website hexb heads.com to find this blog these slides and check out more of our adventures thank you [Applause] I don't know if it do we do the microphone thing in here we have one of those I can sure just like the viability you try upload like mods or a part of me wanted to sorry a part of me wanted to but no I didn't go that far yes do
I I don't um and the the hard thing is and I thought about this is like looking even analyze this one if you wanted to try and test mods out there how would you even do that because you can run the mod you can execute the game and you can play for hours and it may not actually trigger anything like this example it doesn't even trigger until you hit Level 12 and you pick up the Meridius Beacon so you could be hours into the game before you even notice right so good question
Yoo so so are the mods not soures they're typically they're compiled on DS so no no right yeah how Port is this so my nyear old son plays sky on switch okay and I could for malicious code running Environ Bas transferable at least to to the last of my knowledge since this does require that skse framework I do not believe that's available on Console platforms I believe that is PC only cool thank you anything else yeah think GES B the same
engine um I believe the other one was Fallout 4 that they have an sksc version of Fallout 4 I have not tested it myself for this proof of concept but I I'm sure with some tweaking it would probably be very similar yes yep that multiplayer demo they all have to have the mod install or just the server the they all the have the mod installed yes yep so
many so Nexus does some form of scanning which was almost making me curious if I upload mine what happened but I didn't um but when when we did this this is this is not known or signatured right so even Windows Defender didn't care I mean so I think it would be pretty difficult to to track something down when you talk about over 60,000 mods and trying to you know if you're on the Reddit or something you see playthroughs with have 400 plus mods easily you know it's it's a lot oh who I don't know
yeah you could um I'm sure you could inject the server I I did play with it a little bit I didn't get far enough to to make that kind of proof of concept but I'm I'm sure um I'm sure you could figure out a way to even if you had to redirect and have it download elsewhere but yeah I'm sure y what's the limitation you work with mostly tools you use um as long as it compiles in in C++ yeah and executes there there um I did use CMD because specifically the um the netsh command that took the Wi-Fi stuff that was like that was the only thing I got to work and that took a little
tinkering but sure I'm sure you yeah have a Powers shell alternative As You Wish yeah might a guess question do you know how many skym installs on corporate maches I'm just asking for I guess it depends on where you work and what you're doing on late night shifts and when you're supposed to be working but uh no don't have any numbers like that and if you haven't already I do have a couple sticker things left but yes go ahead do you have any ideas as potential defenses teches like this is something that like
all there probably could be some defenses built on SK but we do also have to give those guys enough credit because they put in a lot of work to get as far as they did so anything beyond that I mean it's just um it's hard to try to convince somebody to sandbox Skyrim for an entire playthrough to make sure you don't have any listeners pop up right that's insane
yeah Skyrim e yes skyrimse.exe because it was using the special Edition yes yes yes cool good awesome thank you so much for coming again I got a couple more sticker packages up here if you didn't get one [Applause] [Music] oh [Music]
[Music]
[Music] oh [Music]
[Music] [Applause] [Music] a [Music]
[Music]
[Music]
[Music] [Music]
[Music] n [Music] [Applause] [Music]
[Music]
[Music]
[Music] world of Knicks and flakes by Jason Odom let's give him a hand [Applause] hey everyone thanks for coming to this talk um this is a bit of a um clickbait in real life because uh there is no secret role of Nicks and flakes but I hope it'll be interesting enough for you to you know consider this oh by the way there's a QR code here that'll be one in next slide so if you want to follow along um you know go ahead so yeah this is our agenda for today this is what we're going to discuss uh basically um what I want to talk about is you know why NYX right why this is
important to me why you should care about this so I started out with NYX about two years ago um it was sort of um out of annoyance you know as a longtime Linux user specifically and a boont user I was frustrated with having to um after you know reinstalling uh this show having to install all my packages and stuff right you know regardless of whether or not I scripted up a solution right had um you know finicky scripts and and whatnot right to get my environment everything back uh to my Lykan uh over time I grew you know annoyed by that um and it just wasn't um good enough to to you know manage so I
discovered NX uh when I was sort of like in a Dev out space for a bit by mistake and I ignored it because I was like why would I use this right this is a bit complicated right and it is right it's it's intimidating it's you know um very steep has a very steep learning curve but it's worth checking out right it has a lot to offer you know if you're a user of uh home brew as a Mac User or a Linux user um Brew is just basically a package manager for Unix right it doesn't always only support Mac OS um you can use it on Linux as well but you can install uh
packages uh you know same way you can use like apt which is specifically for Debian distribution or yum Etc um NYX is like that right NYX started off as a package manager but also it's an operting system build system and of course a language so yeah software security we next so there's a problem with software security um and the issue is it hasn't really changed that much in my opinion right we think of devops and we think of the problem that devops is self tries to solve right which is mainly a cultural issue right in the past uh developers you know what develop and then move the final product move the source to production right um but that's not
efficient right you have to test your code right and devop is like we're going to change the culture of that we're gonna we're going to move our code through different phases right before we push the production or we're going to test our code uh through different um you know different stages right dev then then uh testing then staging right and production so in my opinion um the way we develop now needs to be reformed right there are a bunch of tools that don't care about dependencies they especially don't care about security um and they don't really Force the developer to think about security so yeah this provides more information regards to what I was talking about in
you know um about the current situation of development um you know a you're developer think about you know using a package manager like mpm right um out of the box what does it offer you um to track your dependencies or or or to place emphasis on um just you know caring about if they're up to date right um because your task I understand is just a code and you know maybe it's not your job to think about um you know if if security is important because you know you're not tasked but in my opinion n empowers you not to only think about that but it helps to take you know some of that load off right some of that work away from
you know you so NY as I mentioned is a package manager it started off as a package manager then became an operating system and of course it's a language so n the operating system combines the language and the package manager um into one sort of like entity right so all these features are are built in together um when we talk about declarative um what it means to be DEC if you have this conf configuration file that defines everything um you know what you users exess on the system the programs available you know what s Keys uh each user should should have right public keys and whatnot um you know what what uh desktop environment you want to use
gnome um you know you can you can Define that declaratively so one configuration to R them all and that's what I like that's what I was looking for when I wanted to you know go away from bash scripts right and and and just have something that you know one file right that will allow me to um back up my system and move to somewhere else right whether it's a different machine or you know locally or server that's this is you know this solves a lot of my issues personally I know it does for a lot of companies and other people as well so some of the security benefits that you have for n NYX include
sandboxing right isolation uh when we build a package it's in a sandbox it can be touched um when you think about um you know a derivation which is all n file is n expression it's also called der derivation uh derivation it's just a set of instructions for how to build a package um NYX requires you define a lot we'll get in that into that later so yeah this is this is going to be an overview of Nyx and Nyx flakes I'll talk about NYX uh you know the I guess the classic um deriv derivation and then why NYX flakes so yeah I mentioned NYX is a package manager um you can install any application you want similar to uh other
package managers like apt or Brew but it also provides you with the you know with the ability to roll back you know if you think about the concept of atomicity uh you can roll back to a previous version if you don't like um you know the changes that a new package provides or even in the example of NX OS right if you build a new configuration you can also roll back uh your whole system based on you know uh new installed packages I will also talk about the next door later uh because the n store is where all the packages are stored and it sort of makes um different not necessarily different opinions doesn't follow the the Unix
hierarchy uh you know the F system structure everything is stored in a separate location yeah so this is some of the things you know that I mentioned so something think about right for for ni if you you know build a new configuration you're probably thinking man doesn't this take up a lot of space in my system right because if I build a package right or if I upgrade to a new package and I'm no longer using it will it just disappear and of course the answer is no right because we care about you know atomicity we care about um you know keeping things available right so we can switch to them later on but if
you don't need them you know NYX has a great command called n uh garbage collect and it'll just remove what you don't need freeing up space so it's not you know an issue so yeah NY flakes are you know is the I guess modern way to think about um derivations um of course n itself as portable right I can take a derivation I can share with someone but here's the issue you have to figure out how to build it right what if you know um what if there they no instructions given to me by you know the the the user right or the writer right if I get a deration like what flags do I need to
build it with what options do I need right uh flake is basically another level of of that right it sort of like fixes the problems associated with that you don't have to do any guesswork everything is defined everything is sort of like given to you right it creat it increases um portability so here's here's where I I'll say uh regarding you know the current state right of Nyx itself so there are two commands one is NYX hyphen build and one is just NYX build you're probably wondering like why do you need two commands to you know build a package in NYX right so NYX hyen build is the modern way right it tries to fix all all
the mistakes that niyen build um created all the things that it doesn't address it tries to address them tries to fix them of course yes you still have to use NYX hyphen build because uh you know default. NYX files still exist right um if you look at n packages which is like a huge collection of uh just you know packages in general you know if you if you think about um if you think about dban or um uh a arch user repository right you have a repository of packages like think about your favorite pack package um let's let's say um MC Vim uh whatever you know package you use uh NYX has a huge repository on GitHub that
repository is called Next packages and it has a bunch of package I think it's like number two I think it's number two second to the Aur so it's pretty huge you know lots of contributors uh lots of you know developers and and you know it's it's really useful and it's sort of um a build and block of foundation um when it comes to de revation or flakes you can build a flake remotely you don't have to clone it right it it comes with a special command you can you can run a flake you can show a flake you can see what outputs it provides you without I have having to actually like copy and paste the flake and then open a
file and paste in its contents or just clone in a repository right um something to mention is Nick's packages NX packages is a monor repo right so if you were to clone it yourself you know you're going to be waiting um a couple minutes depending on your network connection and system in general so unless you're looking to contribute to the repository itself you probably don't want to do that um but that's not even necessary to mention actually because um if you have an ex install anyway you can just install a package you don't have to actually clone repository but that's just something to keep in mind um so I probably should have mentioned this in
the beginning um this talk is only 25 minutes there's a lot of things I'm not going to cover you're not going to leave out of here and be a n expert right this is just to show you hey this is what's possible this is what's available to you this is what you can do when you go home um when you go to work um for you you know for your personal project something to just you know think about I want to look at different aspects or show you different aspects of Nyx itself and you can choose just you know what to pay attention to if you go home and you know uninstall brew and just use NYX as a
brew replacement you know personally I'll be disappointed but that's your prerogative right you have that freedom to do it but you'll be you'll be sitting on a technology that's way more powerful than what you're using it for so yeah this is a traditional NYX expression um something I I you know realized when I was looking back at these slides was I actually did an uh link to a configuration example configuration. n so configuration configuration. n is also just a derivation right and these are just instructions on how to build you know a package uh configuration not configuration. in specifically is how to build a system you can as I mentioned previously Define the user Define a
desktop environment uh if you wanted to um assign you know s s key to a user you can do that programmatically through the Nyx expression the Nyx language you can think about all the things you can do in Unix from INF voken you know a shell on login for a specific user right think about your little uh environment variables right custom environment variables or dot files you know this also one of my pet pews right it's so difficult to manage all these little things right as as Unix users we love to customize stuff we love the freedom that it provides us but you know management is not very easy sometimes and you get lazy right in my opinion this is one you
know the one tool through them all because it provides us with all these benefits you don't have to rely on any other third party tool because this can also be your operating system right and provide you with these uh you know um features so the first link is just a example of the configuration syntax uh you can also write a flake right flake. n to do the same thing there's some examples on GitHub if you wanted to look at my GitHub you can too but you know there there are many ways to do this and the second one is just a link to this specific a um and this one is just for I believe a python
package so I'm not going to click on it just because this is a you know this a presentation anything go wrong my computer can freeze or it just won't look quick enough and the time is ticking here but what I want to show you here is like we're just defining how to build a p a python package right we have the name of the package right well first we have the arc set right um you know the dependencies that we need need so when we say something is functional right we care about it inputs and its outputs right NYX expects you know first it expects in in regards to security for you to have a hash right it
can't do anything if you don't have a hash and we'll get back to that later but we see we have the arc set and then we have instructions for how to build this specific python package and we have you know version information and we have uh you know we're using fetch from Fetch from gitlab so I guess you can imagine what that means right we're grabbing this package from gitlab there's also many other Fetchers like fetch from GitHub we're defining uh the user the owner and uh the package name of course the version and the hash that I mentioned that's really really important and these are some uh build phase options like pre pre-configure which might look familiar to you know
Unix users Among Us um when building packages but also pay attention to that the meta section right uh we have the homepage description and all this other stuff and think about like what it means right we'll get into es bomb later but all this stuff is really important for ES bomb yeah and this is similar to the previous example uh that one was the classic example the derivation this is the Nyx flake example this is the Modern Way um I should mention that NYX flakes are experimental but that doesn't mean that you shouldn't use them you should totally use next flakes they're they're really fun and they're extremely useful as I mentioned you can build a nyf flak
nyf flake remotely you don't actually have to download a file or copy um you know the the the plag itself um if you have next installed here's a command at the bottom for example uh if you want to see what the outputs for you know this um awsh package just doing nlake show uh GitHub and then you know COV is the owner and then the repo is awsh uh we can see that this you know built on Darwin right built on Linux and the different architecture supported and when I was looking back at this I realized that actually didn't have um in the in the flake itself it didn't actually Define a Dev shell so I
went back and added the dev shell just to make it easier as a as a better example but the Cod the left will still build a Dev shell oh actually explain what a Dev shell is so there's a command called Next develop right which will put you an environment with all the dependencies of the package so you can you know develop on it so forget about installing um forget about installing a dependency I you know just think about when you're you know writing code you need uh a dependency to build your application forget about installing that system watch right just having this one file that will just have it available in this isolated environment um so let's think about this
from a security perspective if you were to install a library or a system right that relies on other packages that library was you know had a vulnerability right it'll just increase the tax surface right this library that depends on other applications but if you have this this you don't have to necessarily worry about that because you know it's all in one place yeah and this is the Nyx fou system basically you know the whole all the outputs of your application are hashes and this how it verifies you know um via Integrity that what you built is secure right so every everything that you build everything that you build you know you always get the same
result all the outputs will never change essentially is what I'm trying to say um you know you look at something like Docker Docker isn't very um reliable right the output when you do Docker Bild it really depends on the environment right if the environment changes um you know your package is not going to build accurately right like works on my system is definitely a thing that's that Docker doesn't solve but n solves right for dock you have to look at other things right the tax right if the image changes um you know you can't expect the same results you know for you to get the same results so NYX you know fixes that so let's look at Salsa before we uh
dive into esom so when we're talking about Source integrity we're talking about you know the hashen aspect of Nyx right NYX expects a hash right to verify that you know the the packages that you give it you know are you know not necessarily secure but um verifiable right so this is also another example of for derivation but we're skipping all the arc sets we're skipping everything we're just looking at you know um the python package right and the name um if you try to build this with a hash it's going to complain it's going to give you a hash and then that's the hash that you um paste in so when we talk about Bill script
Integrity um we talk about we want to focus on you know the things that are provided to us right as as you know next users next you know builders um so you know basically if I have you know for example this derivation right if I want to build it right NYX has different features like sandboxing uh that ensures that regardless of what happens to my system right the package will not be affected right uh the build the build output the build uh result and actually that's part of the Integrity part build environment Integrity uh Integrity right the sandboxing right which goes back to my Docker example which you know Docker doesn't um support or actually
um provide so Providence and repr inducibility you know I can I can send a flake right to someone uh someone can grab a package uh and build on a different system and they'll always get the same output they always get the same result result nothing um you know will change right you can you can build it as many times as you want um as long as the package um doesn't change right dep pendencies don't change the build you know you know is reproducible uh something I want to mention too um let's let's you know so okay so there's there's a term uh so some of you are probably thinking you know why would I use those build system
there other build systems right um you know I guess you you can say one of the drawbacks right of Nyx is it will build every component of a package right if something changes is it's going to build a whole package right even if it's just a small component it's going to have to build the whole thing again so that's probably you know the downside um there other build systems I I I imagine someone will probably um you know ask about that um but we can get to that later yeah so salsa uh and Nyx level four right so we have this derivation right and it's going to show us um you know where it is in next store
and of course this connects with sbom
right this just an example of the output so uh if we look at derivation if we you know just choose a a random package in our next store it'll give us all these options right the environmental bar variables that are provided right and some different options that are within the ration themselves uh including the name so basically everything that's defined um all the arguments and the derivation the outputs we see here so I wanted to focus on static and dynamic analysis um there are you know I know this is like important topic for some people and there are programs that you can actually like make use of in ex itself this is something that isn't done
automa ially or built in but it's something that can enhance your Nick's experience so you know we just have different tools like clang and V grind right you can integrate them within you know your NY Flakes and now we're going to get to esbal because if you remember um when I showed you the example flake uh you know we have the meta section not to mention the outputs of Ni store and how it provides you with all this information right is essentially doing what es bombs can do so I I figured I'd link to this blog post here next as software identifier because I think it's the perfect conclusion for this presentation because it basically sums up uh what I've been
trying to talk about right you know why why you would use this you know um of course there are tools um that you can use for esom themselves but NY also like provides you with that with those outputs right with that information um and below are those additional tools as well yeah so this is the conclusion um if you want to install n Go to the N installer I recommend a terminate systems installer if you want to learn NYX go to N.D if you want to try NYX maybe replace your uh OS uh go to Nix .org um thanks to cygen for helping me prepare cyber Jenny for helping me uh prepare for this presentation um she
worked with me a lot um you know this is proven CL proven ground on my first-time speaker so um this was you know good first time experience yeah thanks so much any questions take
[Applause]
okay [Music]
[Applause] [Music] hey hey hey hey he [Music] [Applause] [Music]
he hey hey you [Music]
[Music]
[Music]
[Music] TR [Music] hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Applause] EX [Music]
[Music]
[Music] [Applause] [Music] he [Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music] PhD y let's give it up for Paul [Applause] okay so as was said uh we're going to take duus to explore the Bluetooth landscape um brief little overview just so you know what is kind of coming up EX for us we have to escalate situation we do have potential sighting so we're going to have to enhance our security here the detail we don't feel is enough T pleaseed anti device I didn't ask for
this Mentor application stated that your outrageous speaker request was that we make sure that didn't put you in a headlock oh that's right that'll prevent it only the only during the so uh we we're taking all necessary precautions leave you and uh we want to make sure that you enjoy your Con in a safe and you know psychologically safe fashion let's sorry can we can we
bring sure sure absolutely the two of you looking behind you I'm helping Y no don't help so much okay thank you all right apologies uh you're handling this very well thank no worries always fun to have exciting things go
down no no not at all this yeah this is definitely not an academic conference that is for sure not yeah you're not NOP not even close all right go ahead okay so let's dive into this um who am I uh I'm a PhD I'm a Bluetooth security researcher and a security research scientist uh General boilerplate stuff all these things that I'm going to be talking about are my own work not that of any employer past present future all that good junk so why are we talking about Bluetooth well Bluetooth whether you like it or not enjoy it or even really think it's it's worth it it's becoming pretty ubiquitous so the two good examples that I have
here are the first is doing some wiggle W driving in an 80 person puddle jumper Landing in an Airfield 80 people on a plane 200 something Bluetooth devices all within range of just my phone the other is so the other the other side of this would be um for those of you that may be familiar with a story about wired uh Apple headphones not working without the Bluetooth capability it basically boiled down to a product saing scheme so that by implementing Bluetooth chips they could produce the cords for cheaper even though they're supposed to be wired so whether you like them or not they're getting pretty ubiquitous and they're popping up just about everywhere but why
do we care about this well really as we'll hopefully see uh the Bluetooth landscape is a bit of a wild west and so we should really have better insight for what Bluetooth Wildlife is out there get a better idea of what the landscape looks like and ideally augment these tools so that the security research Community can dive in and get their hands dirty into this stuff because it was a pain in the ass to figure out any of this uh two things that I want to make sure you all understand before we dive in because they'll be very key to following the rest of the talk the first of is um when you're looking at the
Bluetooth protocol model this bottom layer or controller layer or host controller interface is exceedingly important because what is going on in that layer is you have translation of Hardware to software communication you can't inject anything to this layer you can't interact on this layer but you can sniff it so you can see everything that's going on but any communication you're doing is either Hardware directly or it is software on top of all this the second thing you'll need to know is what does a ble device look like well essentially what you're running is what's called a gat server without getting too much detail into it essentially what you have is a device that that device has some number of
services on them the services can have nested in them a series of characteristics those characteristics can have within them uh a series of descriptors now that we've gone over the really boring stuff we can get into the larger meat of this so what are we talking about well we're talking about my tool uh the Bluetooth landscape exploration and enumeration platform or as I so lovingly call it this bleeping tool um what does it do well the real purpose for having made this tool was a lot of the command line tools and things that are out there are depreciated by eight or plus years um they've been you've got odd tools that have been folded into other tools where you lose a
little bit of really nuanced granular control on some lower levels so the whole point for this was to have a device that could perform the enumeration of the landscape around you enumerate these devices in a meaningful way so you can figure out what you can read and write to and just give you a platform for being able to do this under a nice user interface now there's some more advanced stuff that's getting worked on such as adding in Automation and logging to make it easier to do Post attack analysis or just even post enumeration analysis um capturing of signals is a little weird but the basics and and stuff are all in there and more interestingly I
started adding some points for doing some cartography of the landscape that we end up seeing as we as we search for uh devices so what you can do is you can think of this tool is kind of a set of binoculars um as you go about uh the Bluetooth landscape what you might want to do is go on a safari so let's go looking for what devices are out there right what Bluetooth an an do we see and and what what uh what Wildlife is out there what do they look like or do they have weird characteristics what are the outliers that are out there in the world when we go looking around so here is uh the training data
I'm going to give you guys uh I think you can figure out what device this is um it's pretty straightforward it is a pixel 4A device um there's some maybe interesting information here right we have some service data that is is kind of present um not really sure what these Al okay so everything B is hex it gets represented here is decimal but almost all communication back and forth is is hexadecimal so we've got some interesting hex values maybe that's that's kind of cool if we use bleep to take a look at the characteristics that are here on this device we see okay here's this really interesting hex string that maybe means something super important I'm not a Google pixel
developer I don't necessarily know but it's it's Unique to this space now if we take a look at a device that I'm not going to tell you who made it what do you notice about it so one part is that it's decided to name itself the same as its Hardware uh interface so okay it's using a MAC address as a name maybe that's a means to kind of hide itself um instead of service information what we have is manufacturer data and what we see here is a uent uh number along with again some set of hex data attached to it those of you who are painfully uh aware of the Bluetooth Sig documentation know what device this is
already but let's keep looking so we use bleep to take a look at the characteristics and descriptors that are there it is a hot mess staring at this thing we see maybe some interesting descriptors that are perhaps a binary value but let's use bleep to only readback the characteristics now can you tell me what device this is yeah pretty pretty straightforward it's an Apple device that U in76 is a dead giveaway that's the manufacturer code for app Apple um we also see it's a watch running version 6.6 so now we've got a clear picture of of the device that is in front of us now here's a similar examination of an iPhone and you'll notice here as well
that uh once again you don't have the name necessarily hiding itself you do see that uint number one more time so you can identify it again from the manufacturing data that's there but then we also see this very odd uh error here at the bottom that is bleep I've written all the error handling on it so what bleep believes is going on is that there's an authentication event based on a code that's delivered um on that HCI layer that we'll get into later um and it believes that some sort of pairing request has failed so okay bleep is able to not only try to get an idea of what the landscape is but also tries to give
you an idea of what are what are the issues that are happening under the hood if we take a look at one more device which I'm not going to give away um here what we're doing is we're using bleeps pretty print uh function in order to print it more in that structure that I was telling you about earlier so here's the top level service in nested characteristic descriptor if we take a look at uh service 0010 um which this is a handle the terminology in ble and Bluetooth gets very annoying after a while but the point is on this one we start seeing some names we start see or we start seeing codes maybe version
numbers down here if we keep looking at the device we can see a little more information again we've got a version number and most importantly here zebra Technologies we just found a zebra and a safari hunt now I know from my own uh personal life and work I have done that zebra Technologies in this case is a package scanner a a physical package scanner most likely a handheld device that used to scan barcodes uh get signatures all that sort of stuff so let's take a look at the details on this device so here what we're doing is we're using a deep dive mode that is also in bleep and it will go through and print out all
attached information for all characteristics descriptors and services that it has enumerated on the device and so once again you know there's some interesting strings maybe we get some version numbers I mean there there's a lot of info here but maybe it's nothing right I wrote The Tool why do you trust me I could be lying to you and this is just doing stuff that I think will trick you into using it well the way we can do that is let's go deeper so if you remember that HCI layer I was telling you about what we need to do is we need to start examining Communications on that layer see what we can tell about the communication that's being sent
there and corroborate whether or not bleep is actually a useful tool or just a fun hobby that is hallucinating and doing its own thing so here is communication for two Bluetooth devices communicating ble on an on just that HCI layer this is using a tool known as bton um again open Simple to use most folks that are developing Bluetooth are using it to sanity check their work what's important here is that you can see the direction in which communication is going based on the uh Arrow brackets that you get the color coding makes it a little easier to read but what you're seeing here is you've got an attempt to read some handle so if you remember that handle is
just another way to identify characteristics and things um it's complaining about insufficient authentication it then attempts to pair goes through this pairing proc process and we hit some issue about an agent not not existing so okay that ends up being detrimental to us because authentication fails and down here the device ends up disconnecting us from its communication but hey now we can kind of read what's going on under the hood and make sure that that what we're seeing is what we expect so here I've got another uh capture from bton and it's it's pretty easy to see what's going on here right I mean you've got an Intel Corporation device now there is some information that even the
uh bton doesn't know what the hell this is because Intel just decided to use this device flag what does it mean I have no idea I don't work at Intel I don't do their their uh Bluetooth development but we see that the device continues to communicate we're not getting the same authentication error so we get instead a connection response some configuration requests that's great it then blasts an insane amount of information because it's telling me about every capability that it has on the device device towards the end of this blast of information we see it gets a complaint about a2dp syn and Source okay maybe that won't that won't tank me entirely unfortunately we keep
going and it actually does because since that is a key part of of this Intel device it ends up leading to a remote user termination connection and disconnects me entirely so I've shown you two two fun examples of this now uh raising your hands how many of you recall what was going on with Bluetooth last year year and a certain uh dolphin named device that was messing around with apple yeah so let's go bobing for some apples and see what's weird about them and what kind of difference we've seen since that time so here I've got the HCI capture for that iPhone uh communication I was showing you earlier in bleep right and what did we see there we saw oh it
screamed something about authentication and not being able to pair so what we see in the HCI communication is once again here's that request for this handle uh we end up getting an error response to that screaming about ins uh insufficient authentication if we recall from the earlier one it ends up not being able to authenticate and the device ends up disconnecting us okay fun so does it happen every time so here I'm taking a look at yet another uh Apple iPhone device and we see again that same sort of pattern you've got a handle that it attempts to read from insufficient authentication it's not necessarily the same handle but you get this this pattern of activity and
what we notice is this sense of okay well you can start reading from this Apple device up until some error response happens and then we'll kind of forget about it now it's not just Apple devices that I've seen this on since last year um this is just a small list of handles that I've seen for various devices the unknowns are just ones that hid their identity well enough I couldn't quite identify what it was um but most importantly what do we notice about the pattern of this of this Behavior we notice that essentially we're we're communicating with the device until we reach some Panic Point trip this Panic reaction and the device freaks out on us so what does
bleep show for this from its side well when using bleep we end up getting errors telling us that the device is has disconnected so okay we're we're seeing the same information both on that HCI layer and from bleep itself so now we need to start mapping this problem because I would like to get around this I'm tired of every Apple device just telling me I can't talk to it um so I decide I'm going to start mapping these L landmines I keep walking across and you know the bigger question is can we prevent this disconnection is there maybe information hidden behind there that they're they're just trying to prevent me from getting at it because of
the way that I'm going about it and so what I did was augment how bleep would end up collecting this information normally what you're doing is you're communicating to the device and collecting the Gap information which is the general access profile those are those um levels of details that we saw earlier that had the name the Alias the Bluetooth address High Lev stuff um but what I end up deciding to do is we'll create a map that we can use in order to track which characteristics we we read see if there's any issues once we've got that skeleton we'll create the coordinating map once we do the enumeration pretty straightforward check the map is this a known bad issue it is
great I don't want to bother reading from it it's going to waste all it's just going to waste my time it's not known to be an issue great let's try to read from it get back the response we'll do some error checking on on the communication we received back if it turns out to cause an issue great Market is bad and we'll just go that way rather than some systemic panic and and and run and so we run the Su bleep taking it against an iPhone um and we see here that we're still reading from it right no no errors yet we see we get towards some of these characteristics that we saw earlier like zero 0 1 Z but it
continues going so okay well what if what about some of the other ones that we saw on that list right 002e well we keep going and no we managed to actually get past 2E all right well does anything ever trigger doesn't view like it right we get all the way to the end of this menu there's no errors nothing screaming about anything but again don't believe me right I wrote bleep for all I know I did a really shitty job and just it's it's hallucinating answers and telling me that that it's fine so let's check that HCI layer and what do you all notice about this
output
yes yes exactly so the only reason the device disconnected us is that it timed out I can tell you from at the time I was scanning this cuz the device got away from me but we didn't trip a panic reaction this device let us read all of its characteristics through without kicking us off or throwing us off anywhere so awesome hey we did it um just grabed the wrong version of it okay this is this is a little uh more clustered than I'd want but what are the things that we end up learning from this well okay first and foremost Bluetooth devices are really platform specific manufact facturers are right now basically dictating how these devices
get implemented and how they're put out in the wild it really leads to this wild west sort of En environment in it um with that hey we found an actual zebra on a safari hunt I don't know many talks you can say that you got to see a zebra so I I think that is that is worth it um the more interesting two points are these two at the end so what uh first and foremost what I found most interesting is that it appears that apple is using canaries in order to prevent you from continuing to enumerate devices and characteristics from what I could tell from what the flipper was doing during what is it sour apple bad
apple whatever the hell we decided to name that one um is that it was essentially systematically going through in just blasting Communications against the uh against the characteristics in the Gap server that's running so by just having this Panic reaction disconnecting they're hoping to circumvent that um the second one is depending on how you present yourself as a Bluetooth device will change the interaction you get with with uh devices so that a2dp audio sync and Source issue that I saw earlier um once I installed pulse audio on this machine and scanned again I ripped my headphones away from my phone to my laptop without realizing what had happened until all of a sudden I'm hearing a YouTube video I didn't know
was even playing um so it's fun stuff uh for those of you that want to play with the tool this is where you go um to find it uh it's looks like this very straightforward I'm going to show you guys a bit of a demo of it operating so um just so that you can get again some more experience looking at it and seeing how it works um so let's go to the demo um so here as before I have uh that B team on so that we can take a look at the background communication um along with it and then here we've got uh bleep in order to start it up in user mode it
is this simple you just have to have python installed and the requirement libraries which are all on GitHub um but you just write uh bleep tacm for the mode user for user mode hit go um it will start enumerating around the room and seeing what devices are in range there are some annoying things um about uh the debus and how it works it will then start producing a series of devices um this Pokemon go yes there is a Pokémon go plus device around here that I've been trying to talk to for the last two days and it will not speak to me um the the mpy uart is a PW um server that I've I've made to help test this
against there's this Oppo a15 we'll notice that a lot of these other names are more or less trying to hide themselves from us um that last one is my phone uh which fun fact about uh ble even though my bluetooth is off on my phone it will still show up I won't be able to talk to it but I can still enumerate its location within the wild so picking one of these devices okay so this is the fun thing about the dbus the dbus will forget uh so if you take too long to pick a Target it will just tell you I've forgotten about this I don't know what the hell you're trying to talk
to um so as again we do uh that M user pick a device at random um and let it go and try to communicate to it so taking a look on the back end we can see that um the device has connected we attempted to get features and the device did not like this and has booted us off so once again we're seeing that that panic and I hate you reaction bleep will attempt to still communicate to it a few times it ends up leading to a timeout in those cases um yes it it looks slow and is confusing hence the need for having this B team on again if you're getting really in into the weeds and under the
hood um but because I can't always control the environments around me I have also made demos so if we take a look at say the b CTF and decide that we are going to brute force a series of rights to it um much like before you'll see that it's going to type uh bleep tacm user I added A-D file for this version which I'm going to upload which allows me to identify a device uh that is because I didn't know how many Bluetooth devices you all were going to bring and I didn't want to go digging for it um as we expect to see it's going to go through and enumerate the device here's that Gap
layer information um the text is really big so all of this is kind of flying by what it's done is it has enumerated all the characteristics on the device we are then generating a list of the characteristics that it found using that list of characteristics to then perform an action so here what we're doing is we're reading from a characteristic that we've decided uh once I hit enter I am then picking a characteristic uh that I know has um a flag on it where well well sorry here we're showing the score here's that readall that shows again all those characteristics and a nice easier to read um format here we see that there's a right up there where it's
attempting to Brute Force so I'm saying okay okay right to this device use brute force mode uh it will then ask me how many characters the right should be whenever it hits enter and continues um so I'm picking that characteristic I'm saying it needs to use two B uh two bytes of information start brute forcing it and it will just go through the entire Spectrum uh from 0 to 255 and write everything it can to there um what we'll see at the end of this is uh the um write characteristic that had the flag that told us to Brute Force these values we'll end up producing a flag it's a bctf so it's a CTF we're playing with um
we will then go and read from that device here is that flag we'll then copy the device write it to the score characteristic which is separate from where you read from it um where here we go picking the characteristic to read from which I think is Char 0029 to B go off by one um so B is where we write uh the string to great it's written it here as a string instead of an integer as we saw before um we then read from the characteristic and uh see that we have in fact scored the flag hooray we've got basic IO interaction um I've got demos for signals I've got demos for this and that um but I would
like to leave some time for questions so please as this continues playing in the background ask questions as you need don't have time for questions oh even better okay okay well if you want to talk to me more about it please come up otherwise thank you for uh listening to my insane ramble about Bluetooth wildlife [Applause] [Music] [Applause] [Music]
[Music]
[Music] w [Music]
oh
[Music] oh w [Music] a [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] a I'm just dring give something okay I I'm just dring give [Music] something I'm just something I I'm just to give you something [Music] w [Music] w
[Music]
[Music] [Music] I'm just I'm just dring in [Music] something I'm just dring in [Music] something I'm just trying to give you something [Music] oh [Music] you are indeed a wonderful mentor and we have provided you with this proof of that would the two of you hold that up together would you be willing to do that [Applause]
everybody be very careful what you put in forms
people all right good afternoon everyone thank you for being here today my name my name is Carlos Gonzalez I'm the CTI leader at bu Brazil and I am excited to share with you our journey and some insight on how we're doing intelligence bed purple chimy and we explore how integrated interaction to with purple chiming has sign signicantly enhancing our security posture and first information about myself here is another not picture of me when I wasn't in infoset C it was good times yet no no no white hair yet so who am I I graduated in physics I po graduate degree in NBA I've been working in foret for the last 12 years at Bank to Brazil I managed the
incident response team and established the first right team at the bank and and right now I'm responsible for foring the C team at Bank Brazil and I'm say Bank to Brazil who is Bank Brazil it's Brazil's oldest and largest public Bank we have a worldwide presence operating n 92 countries we have 83 million clients out of this 28 and a half are are active and 93% of our digital of our transactions that are occurring through digital channels we have 110,000 internal users and to clarify common misconception in Brazil we speak
Portuguese okay and how are you doing thre TOS so we are using the M platform to facilitate the threat intell sharing we are connected with over with more than 4,000 entities in our T sharing Network we have a CTI platform it's open CTI it's it's a central repository for ingesting data from a variety of sources including 1 T feits open source intelligence the incident response efforts from the in the bank and this platform allow us to correlate several data entities and map map the technique used by attackers it allow us it gives us a comprehensive overview of the TR landscape and tell a bit more the data flow of the of the TR interal process at
the head h of our operations there is the platform I said opcti it's it integrates data from all this the sources the the threat sharing Network open threat fits sandb analyzes and sever databases such as virus too MIT attack CV Etc and this data goes to our transal team which uses the platform to analyze and this vast amount of information and turn them into actionable ins sites and with this as a they're able to identify ioc's uh compile threat reports and monor the attack surface and extract the top technique that being used or that will be used for against the bank two they will be used on our proping campaigns and during these campaigns we
use another tool it's called Vector this tool we are using it as a as the as the purple CH campaign management so so to give you an example let's analyze a rans wasted Locker this R will be use was used in a simul campaign so this is a bit on how you use open C the platform to visualize and manage intelligence about specific threat so we have a comprehensive overview of this malware all the data sources that we are ingesting are correlated to provide a high level description we can apply labels visualize everything related to that entity such as I the latest reports which groups are using this m the the attack techniques that us that are used to employ this m
Etc and when you put it on a on a a bigger bigger review so this is how we are analyzing the all this information so this is visualiz this visualization represents how we are connecting the dots across several reports to form a comprehensive overview of a thread so each node here represents an entity within the platform such as reports I's uh techniques and to give a a better better view right there is the m and each purple node here is an report on that M and they are alloh related all all this yellow nodes are are the known indicators the ioc's but for the campaign we don't actually we don't care about the ioc what we care about are
these nodes in in in green these are the techniques that have being used that are not to be used for in for when employing this Mare and when we take these techniques we put it against the matter attack Matrix we get for for Lo had 23 techniques but for simulation don't necessarily simulate all these technique of these 23 techniques because no one has all this resources and that's why the TR Cham they evaluate which technique should be prioritized in the to to be simulated so right here for the specific power these were the five techniques that were that are tring the CH evaluated as the most important for the bank me I don't don't can't find my cses
so anyhow and how are you doing this prioritization we are using um a framework called uh top attack techniques by the M Ingenuity project this this methodology it has three points it's prevalence choke point and actionability prevalence it simply tells how much specific technique is being seen on several attacks check choke point is um a measurement on on specific techniques that that will be useful to to to to to to to to to focus on a specific attack like process injection when you analyze an attack chain we can see that in many attacks there are several techniques that are called that are used before calling process injection they are many techniques go to process injection as the next step and
after process injection they are going to several other techniques so instead of instead of focusing on all these techniques around process injection if we we focus on on that specific technique that is a choke point we might have a better chance to stop the the full attack and the the the last one is uh actionability is a measure of what can I do against technique so if there isn't much much there isn't I can't do much much about that technique it Hees a low score and all this all these the three components are combined into a i to give us the significant the significant of the top techniques so at the matter engineer website there's a
calculator to have n find out which techniques are you should prioritize but I suggest that you understand the methodology and tailor it is specific to envir to your environment so okay so when we take the top techniques we we are we inest them into the the other two it's Vector for the purp te campaign management this facilit facilitates the tracking of the red and blue Chin T activities and with this tool we can create assessment groups that include a collat campaigns that that to simulate specific threats so this campaign can cover all the that they can cover all the attack Matrix from all from Discovery to to the impact or you can make it you can make specific
tailored tailored campaigns to assess specific specific techniques so let's get back to the to those technique that the thre to team Di has priority prioritized to to simulate so even though it doesn't cover a tech chain consider considering the top technique the choke points having a good detection on these techniques would give us a better chance to stop an attack that would implo that mare so let's go deeper into one of the techniques like let's go to Window Service when you click on that specific Technique we are presented with this screen and it has been populated by the tra team with with information that technique there are uh details on how it was been using on on attack and there
are two sides so the left hand side is used by the red by the red team and the right hand side by the blue chin and the right CH we information such as when the attack simulation started uh which were the targets which one were the sources and all this information have the blue team navigate through thousands of logs to find out if the r team was is being successful and we also have a fi for theil the attack the description sometimes we have even depending on the reports that you receive we have specific like command lines which tools are being used to exploit that specific technique right Z so and on the right hand side it's used by The Blue Team
there's information that has been also populated by the tring team and here the blue team we specify if the technique that the r team run was successful if if it was detected if it was blocked there was a left there was a this the log or there wasn't anything at all so all this information they are going to be used to assess the cap the the capability of the teting and mitigating each technique that was simulated by the the red team so let's get back to that techniques so when you we run all these five techniques to simulate this this specific techniques we can get some reports so for this campaign for this campaign there there was a with a locker there
are five techniques our first round of of of this of this m we came up with two two techniques were blocked block it two headlocks it wasn't blocked but at least two headlocks and one of them we were blind we could we couldn't see anything and when you go to the right side you can you can create a hit map specific to the to the attack Matrix to to assess to assess how is our our defense capacity so it goes to Red the was scario to Green when the attack was blocked and as we moved we did first round of of of tests during six months and during that first round we came up with this Matrix the attack
Matrix on it was over 18 1880 tests that were done so so this was the first our first heat map our first Mar track heat map testing whether that techniqu is being success was if one if each technique was was used against the bank would that that teack be successful or not so with this knowing which techniques we must be stronger we are able to better inform other the security teams on specific C that should be taken to improve our defenses so from this some results we got so as I said we were able to make targeted improvements identified some shortterm shortterm actions like prooved logging we saw that there was a lot of log that wasn't reaching the CM the the
BL couldn't couldn't see them and some detection rules that should be improved and also some long-term reactions for specific techniques like uh command command and script execution so we need we need a uh we need to to reevaluate our policies we need to change them and we bring the security team the change the The Bu teams to to to to discuss this and assess the impact of any any action that will be taken by the by by by security and we also came up with new tools that we needed that was UN available and okay this was all going great as I say six months we're doing tests but let's take a look at this uh the
differ success rate in this graph you have the in the Y AIS the different success and on the x axis we have the the time so when we saw it on the first six months the defense success rate was getting lower and why is that so the red team was moving very fast they they able to they were weaponizing themselves and moving fast and blue team was lacking behind not because of the lack of capacities because the characteristics of the defense actions are much harder much slower to implement than simply executing tests as a right team so what was happening was this the tring T team was R team play okay this is fun we
break a lot of stuff we we find a lot of lot of room for improvements but the blue team was like was was getting drowned on all these reports that were that were that the red team was throwing at them so we saw this okay this isn't this is work this this we need to improve this so at the first round as I said we takeing a more red and blue team approach or the red team was doing their their actions the blue team was coming up later to evaluate the the the ACT done by the red team and then on the second round we changed the approach for a purple team approach so we saw the defense
success rates increase and on this purple team approach we we had a on a call the red team the Blue Team the T Cham they are all on the same call sharing screens and the red team only mov to the next technique when the blue team has done has it whatever they could to to tell technique so whether it be a new a new rule and improve it loging or at least identify okay we need something we we can't we are not able to do anything against this we need a new tool we need some Poli changes so only when the blue chin is able to to to to find whatever the the red chin did and make
that Improvement or at least okay help me I can do this by myself there right te moves to the next technique so if you compare the hit map this is again this was for the first round red and blue when we changed that approach to a purple team this was the the the the the heat map for the the attacks that were done after that that that change for purple team so this is a direct result of the Improvement as were identified by the by the blue chain including new tools and better visibility better process that was done by the fence team so we still have a long road ahead and as the threats are Dynamic this this
evaluation must be constant and retesting the techniques with new procedures so just to give a overview comparing side by side you can see that some techniques that were read so we improve on that and also other new techniques so yeah
sure yeah because on the as I said you have to constant evaluate which techniques are U should you should you should be you should assess you should test so on the first round you for for who who did hear that he asked if we shouldn't shouldn't have xation on the first round on the first round exitation wasn't a top technique when the threat int team evaluated all the techniques that were all the threats for the bank the second round it went there to the to be tested so okay conclusion so what can we take from this so testing is a very effective way to evaluate the security controls and purple chaming Ys better results than red and blue chaming
but uh from experience we see that this is this approach it's lower to move it moves lower it gives better better results but Mo it moves lower so it's it's important to balance purple teaming with red te traditional pain so you can have a broader a broader test AO a broad broad view of your risk surface so um and bring together diverse streams is a better way to drive change to the organization we when we are discussing when we are doing the stats we are also bringing the risk teams but it's another topic for another discussion how we are bringing the risk teams together with the the together together with the the the purple team
red team blue team risk teams out all together and you have to constantly evaluate the top techniques the threats is very Dynamic the attacks are very dynamic they adapt very fast and you have to to to be able to adapt to adapt fast too so if you have any questions sure let go go ahead to the mic so people in who watching can can hear the question go ahead go ahead uh my question was you in the first approach um you talked about doing you kind of focus on one malware at a time or at that time yeah U moving forward do you when you're working together in the purple team do you focus on like one malware time like
one malware strain or one actor at a time and then move on to the next one or do you do them concurrently how does that first round you took on specific M trct the techniques okay these are the techniques we are simulating for the next rounds we are we are not looking at specific Ms we are looking right now just the the techniques I don't care which M are going be used I care which techniques are being used by attackers and are these techniques going going to affect me or not so the m is just a a guide to to to to the simulation to the campaign to tell a story for the campaign but we are focusing on
techniques does that answer your question so it's more of a broader like threat landscape yeah yeah specific act yeah yeah the actor is just as I said it's just a guide to ex the techniques but we we are we are evaluating the threat scenario as a whole so not just the not the specific adversaries so you had a question with you so when you're doing these like purple team exercises do you actually like tet production environment or production when we have some uh if there is a critical critical application or a critical asset we go to another environment but mainly on production but do you actually is that like Mo data or do you actually like see
you can find X within the environment we didn't do we didn't do xfu yet so when I sorry they did x f all right we did we just test tested the the capacity of doing for example can iary establish a command and control and exate exfiltrate data we didn't test which data would be exfiltrated we test if that exfiltration technique would be successful successful whether the data was was real or not just testing the technique that exfiltration technique so like say you don't get initial access do you just tell them to like turn off what is blocking you we don't when when we evaluate the top techniques initial access is it doesn't come up come up as
a as a prioritization as a top technique and we also taking assum Bridge Approach so we can have Insider with 110,000 people probably there's going to be Insider sometime so we take this approaches assumed Bridge what we do those we do some some we also do some some initial access tests when when I need it so but it's not our Focus really informative I love the graphic love the graphic of the blue team drown is but I get it how do you manage running purple teams like what tools you deploy or is it just that you're kind running and break down weing as we go so we are using that two Vector for Ming the purple team each
each each each team can has access to that tool they are able to to fill out their specific informations and and and as I said we're Lear as we go and that was the results are getting we we not foll in specific book so vector or is that it's open source it's open source it has commercial as it say commercial licensing for support and but it's an open source too awesome thank
you all right anyone [Applause] else thank you I'll be available if any if anyone wants to talk so have a wonderful day [Applause] [Music]
[Music]
[Music] n [Music] [Music]
[Music]
[Music]
[Music] be he
[Music]
[Music] [Music]
[Applause]
he
[Music]
[Music] e [Music] n
[Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
w [Music]
[Music]
[Music] a [Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music] w [Music]
[Applause] [Music] he [Applause] [Music] [Applause] [Music] [Applause] [Music]
he [Music]
he
[Music]
[Music]
[Music] TR [Music] hey hey [Applause] [Music] hey hey hey hey hey [Music] a [Music]
[Music] he [Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music] [Applause] [Music] he [Music] what
Related talks
51:51
32:48
33:48
54:33
31:06
20:51