
BSidesIowa 2019 ZeroDaytoHeroDay

BSides Iowa · 50:18 · 75 views · Published 2019-05

About this talk

BSidesIowa 2019 ZeroDaytoHeroDay by Ryan Wisniewski

Transcript [en]

Good, all right, everybody, welcome back from lunch. We're gonna get started here in just a few seconds. Before we get started, let's give a big round of applause to everybody that's volunteering and speaking today. This stuff doesn't happen without these people, so thank you to everybody in BSides.

All right, so today we're gonna talk about taking a company from a pretty big breach to, you know, getting to a security organization, at least at a foundational level. So quick question before we go: how many of you here work for a large corporation with a pretty mature security organization, where you have separate incident responders, you have separate penetration testers? Okay, if you feel good, good. How many of you worked for small businesses where, if it hits the fan, you're staying up late at night and it's on you to recover? There we go, those are my people.

Just a bit of housekeeping. This is a series of talks I have; all my talks are up on SlideShare. My Twitter handle is "right underscore whiz", it'll be up on the slides later, but all my talks are public. Feel free to take pictures, record, take notes, whatever you want, but know that we're gonna fly through these slides. I've got like 70 slides to go through, but all the slides are posted, so if you missed something, feel free to go steal.

So as I talk through this, it's kind of an amalgamation of a few different incidents I was part of. They are all basically the same story, so I just wanted... some of the statements I want to make are pretty outlandish, but these are true scenarios, they're real life, they're not exaggerations. So these are companies, you know, small businesses where they have underfunded IT and basically non-existent security. So these are your schools, your not-for-profits, your charities, your churches, right, your mom-and-pops down the road. These things actually happen.

So since I've given this talk there's been a couple of updates. NotPetya was, oh, it's June 2017, about... the White House has estimated more than ten billion dollars of United States impact. NotPetya was the attack from supposedly the Russians against the Ukraine critical infrastructure, but there was a lot of collateral damage on this attack. Maersk, the large shipping company that ships big containers across seas, they have a couple publications out there on how it impacted them. Mondelez, the Oreos, everybody knows Oreos, they were impacted by this as well; there's some lawsuits going on with those guys. But it's a big deal. And just recently, if you follow the Twitters, this company VFEmail, a small email provider, very transparent apparently on their security posture, he's live-tweeting an attack that he found. Essentially the attacker was just writing zeros over anything they could find, including their backups. I haven't followed up on VFEmail anymore, but I know that they did lose all their data, so if you were using these email providers, they had nothing. This poor guy couldn't recover. So these are real-life situations.

We're gonna take a hypothetical here. We all know what hypothetical means in our industry, we're under NDA, right? So let's take a hypothetical. All right, you just started at this organization, you know where the bathroom is in the office, you know that you're running Windows at least. So you get a strange message sent to your phone: "Hey, can you take a look, everybody's complaining that nothing's working." So you log on to the server and you see something like this. Maybe you see something like this. Heaven forbid you see this one.

We're under attack. Do you want to kill the speakers? Otherwise I can talk loud and you can get it on the recorder still. Let's kill the speakers, I can talk loud and right into the mic so you can record still. This works? Cool.

Yeah, so this is one... oh Christ, this bad one. In the case of VFEmail, maybe they were seeing something like this. I don't know what exactly your disaster is gonna be, but there's going to be a point that you're gonna have some type of disaster that you're faced with. And oftentimes these companies, you start incident response, no problem. So you come in, you know: "Where's your incident response plans?" "Well, we know it's important to do, we just... we got this huge Exchange migration going on and we just haven't got around to it." Okay, fine, forget incident response, we gotta get this company back up. "Where's your disaster recovery plans?" "Well, yeah, about five years ago this guy named Jim, he did DR plans all the time, he told us it was great." Okay, cool, where's Jim? "Uh, he retired four years ago." All right, do you have any system backups? Does anybody know how this is built? "Oh yeah, remember Jim?" So here we go. So this is building incident response while in an incident. Step zero is to remember to breathe. So I

stole two quotes from our armed forces. "Slow is smooth, smooth is fast." You don't have time to screw up right now. Does anybody know how long their business can operate without technology? Seconds. Anybody else? Higher? 24 hours, okay. Lunch, okay. So a lot of times the answer is "we don't know," "we can't," or "two weeks, because that's when people get paid," right. So second quote here: "Embrace the suck." This is gonna be terrible. This is probably gonna be one of the worst points of your life. People are dependent on you; if you don't come through, most likely the company's going bankrupt and people are gonna be out of jobs. So you're literally gonna be paying people's mortgages. It's going to be terrible, but then you can come talk at BSides afterwards.

First thing that you do is engage legal counsel. If you have a general counsel, great; if you have a lawyer on staff, great; otherwise call a lawyer. You're gonna want them to engage your incident responders. Guys, again, we're a small business, we got hit because probably we had a Windows 2003 box up there, we don't have an incident response team. We want legal to engage the incident response, because there's a special legal privilege where things can maybe not be discoverable in court if they find other things. Now if your legal team doesn't engage this, everything that the incident responders find can be discoverable in court and might uncover things that you don't want to be uncovered. So always engage legal first.

All right, now it's time for us to work. It's bad, we know it's bad, we need to stabilize this patient before it dies. So we're going to ask three questions: what do we know, how do we stop it from getting worse, and how do we make sure that we don't make it worse? There's nothing worse than you think you're doing a recovery and you accidentally format all your drives.

So what do we know? This is the most general IT diagram that can describe 90% of companies out there. You're gonna have legacy Windows, because you can't figure out how to move this one application off this Windows 2003 box. You're gonna have a whole bunch of clients, because that's what people do. You're gonna have a cloud, because that's really cool and that's where everything's going, but you still haven't figured out how to move everything up there, so you're kind of segregated. And then you're gonna have this old machine with some dust on it called the mainframe, or an AS/400, or a Power system. This is running your ERP, because IBM has you and you can't figure out how to get off of them. So it is where they're at, nine nines. Now I'm gonna talk to you later, there's an ex-IBMer, so... but, um, so that's normal.

What do we see now? Well, that's the question that we have to answer, right. So let's say we got hit by WannaCry or something doing SMB1, because we're terrible people and we had SMB out to the world, RDP, I don't care what the attack vector is. Somehow they got in and they started replicating everywhere. All of our Windows systems are hosed, right; they are locked up, they're ransomwared, they're formatted, somehow, some way. We're starting to see clients exhibiting the same behavior: as people boot up, five to ten minutes in, all of a sudden they get a blank screen. You stand up in your cubes and you can actually see the cascading failures coming through at 8:00, 8:05, whenever people are showing up. So as long as people haven't powered on, they're unaffected, but once they power down, they're affected. Cloud looks okay, IBM stuff looks okay, but we see some C2 traffic going from both the server networks and the client networks, and we see the malicious traffic going between the clients and servers.

So what do we want to do? How do we stop this from getting worse? This is the interactive part, it's after lunch, I don't want people sleeping. "Unplug the switch." Next. Next. "Communication to clients." Yes, seriously, communication is huge here. How do you communicate to your people, though, with no technology backbone? Exactly. So oftentimes your incident response will be "send an email out to everybody saying don't power on your systems." It's not gonna work. All right, "use your Cisco call center to do this." That's not gonna work, right. Okay, so what else we doing? "Automatic communications." Excellent. Don't... so again, you're in an incident, don't send confidential information across your compromised email system. "Backups." Go find your backups, yes. What if your backups are infected? "Off-site." What if we haven't read them in seven years and they're on actual tape? "Jim." If you can find Jim, yes. Anything else? All right, so yeah, I think we hit most of them. We can disconnect the internet. All right, we got C2 going back and forth, that's command and control stuff, let's disconnect it and see what happens. We somehow have a compromised user, we don't know what user it is yet, but this thing is propagating across; chances are it's got a user account or a DA account. Should we disable everybody? "It's Jim," right. Do we just power down everything? I bet you I can stop the malware infection if I just pull the plug on the data center. Yep, exactly.

So the next step that we're gonna do, thank you for the segue, we're gonna list out the bad things that could happen, right. So if I just go and unplug the data center, you just lost all your memory forensics. All right, what if I corrupt transactions? All right, chances are I got this legacy system on IBM running DB2, but we wanted to write applications in .NET, so we got a SQL database on the other side and they're replicating back and forth. If I pull the plug on one, am I gonna have corrupt transactions on the other? When's the last time you touched your DB2 rollbacks? Probably Jim, right. So what if we disconnect the internet and block the C2? Is there a kill switch in the malware that's just going to start wiping everything? So it started with a ransomware, they wanted 300 bucks, now they just wiped everything because you killed their C2. All right, so we have to kind of think through these pretty quickly, because again, business is down, but we got to think through these, make sure that we're not gonna impact it any worse.

Now we're gonna execute, right. So this is usually what happens: we're gonna disable routing, and things can't spread if they have nowhere to spread to. We're gonna disable all domain accounts. This is rough, nobody's gonna be able to work, but we don't know what's compromised yet. We know something's compromised; disable, be safe. And now that nobody can work, send people home. You're gonna have to do a little bit of PR work here too, because the rumor mill is going to spread quickly. Can't tell you how many people eyeball that one guy that came in the office two weeks ago: "He looked Russian, do you think it was him?" Like, guys, no. It's gonna get ugly. Make sure that you send people home. A lot of people don't want to help, they're coming from a good place, but they're not going to be helpful. If they were helpful, they would have patched that system. But um, then you're gonna have to figure out which senior leaders to involve in this, because you're gonna need them to figure out business continuity planning. They're gonna know how to keep your business running at least for the time that you need them.

So we do this. Here we go, we got the business down, right, no systems are communicating anywhere, but we do have the systems up and running, so we do have a little bit of a place for forensics, we do have a place for recovery, because we have to figure out how to rebuild all this. So now that we know where we're at, we have to kind of come up with what we're gonna do now. So here's some more questions you can ask yourself: what's broken, how bad is it, what do we need to fix, and what do we need to do first? Okay, so what's broken. Be careful with this, I've screwed this up before. Don't ask "what's broken." It makes sense to us, because we need to know what's broken so

we can fix it. But when you ask "what's broken," this is the answer you get. Hmm. I actually have a live feed from when I asked the C-level suites about this; this is what they look like, right. So rephrase this, okay: "What do we need to do to stay in business?" This gives them something to work on, right. So when you're talking to the board, when you're talking to the C-level, this is gonna sound really terrible, but they're very good at very little. They know exactly how to make money using your company and they know how to manage risk, okay. Give them questions that they can use so they can help you. Okay, so "what do we need to do to stay in business?" They're gonna come back to you with something that probably looks like this. This is a basic business cycle: there's gonna be customers that want us to do something, we're gonna do something, they're gonna pay us, and then we're gonna pay whoever we have to pay. All right, so if you're in manufacturing, you're gonna take orders, you're gonna make a product, you're gonna ship the product, you're gonna pay your suppliers, you're gonna receive payment for your goods. All right, so chances are 90% of the businesses are going to look like this. It changes if you're Facebook, but Facebook is faced with problems, right.

So next question is, how do we do these things? Cool, we need to know how to do this. This is where our skills come into play. We have to find information. We are on a black-box pen test, we are red teamers at this point. We need to figure out exactly how these systems used to work. We still have the systems up and running; take everything with a grain of salt, because you don't know what's good, what's not. We're gonna go through absolutely everything we find. Anybody work in a data center with a raised floor? Ma'am, okay. So suction cups, pop off your floor tiles. No joke, I found a DR binder underneath a floor tile once. It's good stuff, right. So we're going to absolutely... anything that we can find, okay.

Let's start making a whiteboard, sticky notes, I don't care what you're using, organize your thoughts, okay. So it's going to start to kind of make sense to you, but this is what it's gonna look like to other people, okay. So once you have it straight in your head, get it down in Excel. Here's a pro tip for everybody: if you want to get something done in business, put it in Excel; magically it gets done, okay. We're gonna create this matrix that has our critical functions, like take orders, send products, whatever we're doing. We're gonna have our system names that are supporting these functions, and then we're gonna have what step in the recovery that they're at. I'm color-coded; management loves colors, they understand colors, red is bad, green is good. Put this up on a projector, on a TV screen, somewhere where people can go and not bother you for status. The last thing that you want is every 15 minutes somebody coming in and asking how it's going. You have to work, okay. They're in this bad situation, that's fine, give them the information they need, keep them out of your hair so you can work.

So again, going back to step zero, and we can't screw this up: how do we do this safely? What if we restore the malware? That'd be bad. What if we reintroduce the malware

because we're careless? That'd also be bad, right. So we're gonna restore the systems into this quarantine zone, then we're gonna move them to the network. There's one problem with this diagram, though: notice the backup systems are running Windows. They are also impacted. So if you have online backups, chances are those are also gone. So we go back to our real tapes, we go back to anything that is off-site, offline. Does anybody here still use real tape? Cool, cool. Who has offline disk-to-disk storage? Okay. Who only has online backups? If you have only online backups, chances are you're not gonna survive a ransomware attack or some other type where they're just wiping disks. Think about that strong and hard, and how you're gonna recover if they wipe everything.

So if we still have real tapes or offline, we're gonna rebuild our backup catalog. I don't care if you're using Commvault, Symantec, whoever backups; if you can provide them all the raw disk, they'll be able to rebuild your backup catalogs onto a new system. So that's how we're going to store this quarantine zone: it is out of band and air-gapped, and when I mean air-gapped, I mean literally air-gapped. It is in a cabinet that has no network connectivity anywhere. If it's a virtual machine, you have a new ESX host, you're putting them on there, you're checking them out. If it's a pizza box, you're physically moving them into this rack. Make sure that these are air-gapped, as most likely, if this attacker's been in your network for a while, although he hit the wiper, maybe he was in there six months ago, maybe a year ago, and you're gonna restore some type of back door that he's planted on his day-zero implementation. You're gonna monitor the crap out of these things for any indicators of attack or compromise. After you've deemed these things clear, you're gonna cut-copy them to a brand new formatted hard disk and move them into your production, or you're gonna physically move them. Then we're gonna move them to the new network.

So this new network, what do we want in the new network? This is our time to go implement security without change control; nobody cares if you impact it, because they're down. So what do we want in this new network? I get interactive, interactive, everything okay, cool. What are we starting with? We have nothing, right, we have absolutely nothing. We're gonna be moving systems in; how do we want to instrument our new security? All right, we want to make sure security... so checklists, right, make sure you have all your agents on there, antivirus and all that stuff. What else? "Segment your network." Excellent, well, this is your chance. "Security profiles." What do you mean? "Firewalls." Yes, we want firewalls, yes. Patch, patch, patch, patch, patch, patch, patch, patch some more, yes. Get rid of your Windows 2003 server, rebuild them. This is your chance to move that application you could not move. "For sending stuff, don't care, get real, that embassy Epson we couldn't restore." I'm sorry, yeah, you're gonna have to figure out another way to calculate postage now.

So the question is, online backups, the drives aren't mapped, how are the attackers gonna find them? UNC paths, yes. Any red teamers here? This is usually a full blue team, all right. Red teamer, how do you find a system that isn't mapped to another system? Yeah, right. I got a file server that's not mapped to anything, how you gonna find that file server on the network? Okay, run netdiscover, run an nmap, run a ping sweep, I don't care how you find it. If the system's online, your red team's gonna find it, right. From there it just becomes a playground. It's like, "Hmm, wonder what this system is doing. Cool, it's running Windows 2012 and it's still vulnerable to EternalBlue. Pop." All of a sudden they got all your data. So although your clients can't see the data, I can see the data; it's online, right. So that's kind of how they can find it. So they're just gonna kind of traverse your network, they're gonna laterally move, they're gonna pop whatever they can. We already said that they have domain admin, so they can see anything and everything on your network.

So all right, man, you guys know fun. What wish-list items you got? All right, we'll cheat. All right, so network segmentation, we hit that one. We need a new domain; our domain got popped, we have no idea what's good, what's bad, what's indifferent. Start building from scratch. Go find an employee roster from HR, start building from there. It's gonna be terrible, but this is, like I said, you can't risk a reinfection at this point. Nobody mentioned Splunk, Security Onion, logging, SIEMs. We need to be instrumented, because we just kicked the attacker out of his playground. PAM, privileged account management, for anybody that didn't hear that one, yeah. If we're trying to protect domain admin access, protect them. Don't just have them, right, "Oh, I'm a domain admin, I log into my email, my internet here." No, don't let them do that. So get those in, because we just kicked the attacker out of his playground. Anybody here have kids? If you take away a ball from a kid, what is the only thing the kid now wants? He wants his ball back. We just took the ball away from the attacker; guess what he's gonna do? He's gonna come back in. I keep saying "he"; it could also be a female attacker, females are just as good, but um. Application-aware firewalls. I worked an incident, there were no records of exfiltration until we started looking at DNS. There were gigabyte DNS requests leaving. Well, they weren't DNS. Everybody, make sure that you can inspect your traffic and understand what's going on. All right, incident response toolkit, we didn't hit on that one. If the attacker comes back, how are we going to do this

better next time? All right, there's a good tool out there, GRR, Google Rapid Response. It's basically a rootkit that you can install on anything and everything; you can remotely capture memory, then you can see what processes are running. So this is going to really enable you to catch something in the event before they can do something. Multi-factor auth. You probably got popped because somebody was using... oh, what are we in now, summer 2019 or spring 2019, all right. Multi-factor auth anywhere on your perimeter, and then start working inside. Patch, patch, patch, patch, patch. Get a vulnerability scanner in there. "We patched." That's cool, it's not good; maybe see the job of vulnerabilities that we have. All right, Equifax, Struts, it's always Java, all right, Struts. It didn't patch stuff right on the perimeter. Get some email protection in there; maybe you got phished, that's how they got initial, not sure. Get a proxy out there, send everybody through a proxy, it's gonna protect a lot of stuff.

Now this is difficult, because we're doing this in the middle of the restore. We're doing this because we need to. It's probably 100, 150 hours and no sleep at this point. You need to define a point of being done, because we can do this till the cows come home, but you can't forget that you have a business to run. So when are you done? Can you perform your critical functions? Can the business operate? You're not gonna have the efficiencies that you used to have, but at least can it function? How much longer can you keep the business down? Then in cases where you got the executive board saying "we go bankrupt at midnight of this day," we have eight hours left, we need to turn the systems on. And how much can you do without sleep? Sleep deprivation is a real thing. If anybody wants to get junk on the cheap, don't sleep, you start seeing things. And at this point, at least the business is running, we can go take a nap.

So I got miscellaneous tips up here just from being in these war rooms all the time. Try to remember the three-to-one rule of cons, and try to get three hours of sleep. You're not going to in the initial; you're gonna go three, four days without sleep, but once you get the initial backups kicked off and they're restoring, take a nap in the data center, it's nice and cool in there. And try to figure out how to shower; the war room's gonna smell, so shower. This is really key: assign a war room manager. This is gonna be a person that's in charge of all the food. Feed your troops, you gotta keep people happy. They're also gonna be in charge of getting any supplies; have them go and buy all the USB drives that they can find. And they're gonna schedule the meetings, they're going to have the conference lines open, they're going to be the liaison in between law enforcement and your legal counsel. Critical resource to have. Save absolutely everything; you don't know what's going to be used for or against you. Make sure you save everything. USB drives are cheap, go buy them all. And then ensure out-of-band communication. Yeah, don't send your new DA creds over the compromised email system, please. Okay, "but it's encrypted." But you just sent the keys also. But um.

So lesson two: building a security organization. So I never want to do that again, that was awful. So how do we prevent this? Take a little bit of a proactive approach. So we kind of think about where are we weak, then kind of how do we prioritize. There's gonna be a lot of work, all right, because we just saw where we're weak: the answer is everywhere, right. So you're gonna start thinking about this, you're gonna do a little bit of a gap analysis. We know where we're at, right, we're in our infancy, we're still in diapers; we want to become this Olympic athlete. So our job is really to define how do we get there. So the Olympic athlete, where do we want to be? Go steal somebody else's framework. These people get paid to do this; they're a lot better than us, they've done it already.

Go steal either NIST, GDPR, CIS, ISO, your favorite framework; go steal it and modify it for your organization. If you want, I have one out on my website as well. It's nice and pretty for management, it's color-coded, it's got little circles, it's written in English. Anybody here read 800-53 from NIST? Yeah, I'm sorry. So this is summarized off of 800-53 and written into plain English, so you can kind of give your directors, your management, your C-levels exactly what you're trying to do, and then kind of explain why you need all this money. So you're gonna have these different cards on this. So my example, it's an easy one: physical assets are inventoried, right. You're gonna give yourself a score between one and five on how good you are, and then we're just gonna kind of talk through how do we do that.

Okay, so the one through five. Any CISSPs in here? Capability maturity models, this is the boring stuff. So how do we rate ourselves based on what we are, right? So you start from one. One is an ad hoc process. So for our example in physical security, or a physical asset inventory: Ryan goes and buys something, I go put it in, I have it somewhere on a spreadsheet, or maybe I write down here's the serial numbers and our support process, right. That's an ad hoc process. I can do it, I probably can explain it to somebody else, but they're not gonna do it the exact same way. Number two, it's a repeatable process, right. So I have a checklist now, I have a process document, I have something that I can hand to another person and now they're going to get the same results that I do. Number three is defined. So this is taking that process document and actually making a process out of it. So now we have a purchase order that's assigned to a barcode scan, that's assigned to a production change control, that's assigned to some type of support date contract, and you know, so you start building up this maturity level. So instead of me going to Best Buy buying a server, now we have a purchasing department that buys and prepares, then we have an operations team that puts it in. So it's this tracking, right. So if we go to four, this is now a managed process, and we're gonna notice exceptions. So in our change control process, we see that an asset number has not been assigned; we don't approve the change, it doesn't go live, you know. So this is actually a managed process now, we notice exceptions. Five is continually improving. So this is, we're getting better and better and better every single time we do it. I don't have a good example for this for physical assets. But remember, not everything has to be a five, and if you get everything to a five you're probably spending your resources irresponsibly. Every dollar that we take from the business is a dollar that they can't use to make more money. All right, so, as much as we'd like it, we're a cost center, right; we're a necessary cost center, but we're still a cost center. We have to make sure that we're using our resources wisely. So don't put everything at a five, but figure out what you need for your organization.

So we decide we want a three, we want a defined process for physical assets. So how do we get there? So we're gonna spin up an asset management program, all right. We're going to make a system that's going to follow our procurement, here's our requirements. Once this is implemented, we know that we took the process from a 1 to a 3, we can show management what we did, everybody's happy, they applaud. And then what happens is you start getting all these project ideas, and you can organize these project ideas into these different areas, right. You're gonna have an asset management project, you're gonna have vulnerability management, you're gonna have DR, you can have everything else up here. It's a lot of work. What do we do first, right? We have a small team, if we're not one person. "Oh, we threat model this." Sure. So this is going to define our priorities. So we make a whole bunch of diagrams, do an attack matrix, we do a surface tree, we're gonna define all this stuff, we're gonna look at the geopolitical relationships between the Middle East and America, and... yeah, yeah, we're not there yet. We're gonna keep this simple. Threats are the bad guys, protection is what we just put in, assets are what we're protecting. We're gonna draw a pretty graph. So this is based on loss expectancy. If we know that a catastrophic event is going to cost our business ten million dollars and it's gonna happen once every ten years, I'd say we can actually get to a loss expectancy number. This is kind of using the insurance business. But let's say you have a 50 percent chance of losing five dollars; your actual loss expectancy is 250. So what we do is we multiply out, we see what our highest risks are, all right. So what happens is, the top right, these are the things that are probably going to happen and they're gonna be big impacts when they do, so these are things that you got to take care of. Bottom left, there are things that aren't going to cost you much money and they're probably not gonna happen; don't worry about those for now. The other two quadrants are a little bit trickier to do. So I kind of adapted this and called it "bang for buck." So we're gonna take that loss expectancy number and we're graphing it against how

easy it is to mitigate now all of a sudden we get a little bit different so top right is going to be things that are hi high probability high impact but they're very easy to do we want to do those first anybody use laps local admin passwords solution if you're not using it go google it get it done okay so what it does is you got a client he's got local admin on there right chances are I'm not gonna assume anybody out there but chances are that local admin is the same across all your computers one client gets compromised they have local admin across your fleet don't let them do that install apps it's a GPO push it's real simple put it

in about two hours including testing what it's going to do is you push out from your domain controllers the clients are going to talkback and they're going to rotate passwords automatically for you there's a little GUI client that you can give your helpdesk you type in the computer name it spits out the password you press the reset button now it's rotated really simple to do it's gonna get 90% of your you know local traversals lapse la PS local admin password solution free from Microsoft okay so now that we kind of know the work that we're gonna do we know what order we're gonna do it let's just go do it so we bring this in front of our

management, they give us a whole bunch of money because we're really good at talking to them now, we know how to explain what we need, we can show them our progress on our maturity models, they're gonna give us money, and then they're gonna ask how are you spending this money, right? You guys set up some type of governance, set up quarterly meetings, however you want to do it, and then just kind of track progress, keep doing your risk analysis, and congratulations, you're accidentally a CISO. So at this point this talk is kind of high-level, it's not technical. I like to leave this part really Q&A with everybody so we can cover anything and everything you guys want. So thank you

for coming after lunch and not falling asleep on me. Any questions at this time? Yes, what do IOA and IOC stand for? Indicators of attack and indicators of compromise, so these are going to be malicious pcaps, they're gonna be some type of Snort alerts, they're going to be your antivirus alerts, right, so it's anything that is going to indicate that there's an attacker or an adversary on your system. How do we justify a budget when we don't have any money to spend now? Update your resume, uh-huh. So it's gonna be a really interesting phenomenon, what happens after you have a major breach, you're gonna have a blank check for a very short amount of

time, they say what do you want, go get it now, and that runs out in about a month. So my best advice for how to get budget and kind of keep this thing going: show them results, right? So you get into the mind of a business person, right, if you want to talk about social engineering, what motivates a business person? It's all money. So how do we show that our security program is actually making us money? Anybody know? Yep, excellent. So justify the breach that you just had, how much did that cost the business, right? Let's say that we were down a week and we know it cost us 18 million in operating expense, and I have a plan that you're

gonna give me three million dollars and we can prevent that now. So you're gonna spend three million to prevent an 18 million dollar loss, that's a 15 million dollar gain, all right. That starts the conversation, kind of starts, and they start understanding what we're talking about. So quick tangent, so I'm from Chicago, anybody from Chicago? All right, you know when you're walking down the street and you get these alley vendors, they're selling you little knickknacks and everything. I walk past a guy and he's got this little wooden elephant, it's got a hole in the mouth and stuff, and like that kind of looks cool, good for kids. How much? He's like, it's $18,000. Okay,

18,000 dollars for this little thing? No, no, you don't understand, this is an elephant whistle. Okay, I'll bite, well, what's an elephant whistle? He goes, every day I wake up and I blow the whistle and it keeps the elephants away. All right, so okay, $18,000, that's a good price, keeping all the elephants out of Chicago. No, how do I know? You guys, do you see any elephants? Okay, so that's kind of what we do in security, all right. We go to the board and say hey, we need this new IDS, you know, thing with this blinky box. Okay, why do you need this new appliance? Because you just spent six million dollars on all these firewalls that you told me I

was protected with. Well, yeah, yeah, yeah, but we don't protect everything, we need this other thing to alert when we are actually breached. Okay, so you spent all these millions of dollars to prevent a breach, but now you need another thing to detect the breach, right? We're selling elephant whistles at that point, we don't want to do that. We need to be able to really precisely describe what we're doing, all right. So if we go back to that framework, kind of broken down into identify, protect, detect, whatever the frameworks are, right, respond, recover, and you can kind of pick and choose exactly where you want to put emphasis and explain why. All right, so in my opinion detection is

more important than protection. Protections can always be breached, all right. Homeowners, everybody lives in a house, at least, even if you live on the streets in a cardboard box, there's a flap. So if somebody wants to come and break in, how easy is it to break into your house? All right, everybody has a window, a door, a little flap on your cardboard box, it's easy to break in. But you know what, I'm not letting him leave. I know where the squeaky boards are, I'm gonna hear him in the house, I know where he's going, right, he's going for the crown jewels. Protect that stuff, make sure they can't leave. I'm okay with you breaking into my house, but you're not

gonna steal anything from me. Same thing with security, right? So that's cool. I mean, antivirus, so do I have anybody that's going to profoundly defend antivirus as a silver bullet to everything? Cool, right, but antivirus does serve a purpose, because what if you get breached and you say that you don't have antivirus? Good luck spinning that in the PR, right? It's like taking vitamins, the vitamins actually help us, now I mean we got good food, but it's not gonna hurt, take the One A Day, all right. So I have no idea where that question goes, but please, One A Day sponsored, where did that question, you can start, we took, there we go, take a One A Day vitamin.

So how do you fund? Empirical evidence, that's gonna be what you want to do. You want to show that you have 4,000 vulnerabilities, you have a vulnerability management program that's gonna decrease your burn-down rate, 10% a week, we're gonna burn down in three months and then we can do the whole thing again, 'cause vulnerabilities keep popping up. But business people like data, don't sell them elephant whistles, that's where we can, and take your vitamins, everybody. Any questions? Any other thing? We have plenty of time. Yep, so in this situation do I care where the breach started, yes or no? So this is going to depend on your situation. You got cyber insurance?

Yes, I will lead a huge debate if we want to split up: cyber insurance is great on this side, cyber insurance is terrible on this side, and we can do this for the next three hours. It's going to depend, right? So I went back to school, got an MBA, I learned one thing: the answer is always it depends. So there you go, everybody's got an MBA now. So exactly, so Mondelez right now, I mentioned Mondelez, NotPetya, they came out and said we had this terrible unfortunate event, there was this crazy nation-state that came and attacked us, we suffered all this breach, right, and then they contacted their cyber insurance vendor and they said, well that's great, nah, but if you read

your policy, we don't cover acts of war. You came out blatantly and said you have attribution, this is an act of war, we don't cover that. The insurance company, sorry. So attribution is a very sticky topic. Do you need to attribute your breach? If you're a small company, 200-300 employees, you make widgets, do you care who breached you or do you care that you got breached? So, and then we have to talk about prioritization of spending. Attribution is expensive, do we want to spend that money right now when we're down in the one level of maturity, or is that coming when we're at the fours or the fives? Right now if I'm a huge

financial institution, I process credit cards, I probably care at that point, but I'm spending a lot more, right, because that's a critical asset to my competitive advantage, right? So it depends.

If we want to split up, attribution's important on this side. I'm in the camp, so I have a business-focused mind, if I attribute the attacker to something, is that going to give me any value add back to the business? Chances are no. It depends, exactly, I will get you your degree soon, sir. But if I'm working for counterintelligence agencies it might matter, right? So, depends.

Excellent, so the comment is, if you were breached, do you care how you were breached? 100% yes. TTPs, tactics, techniques, procedures, right, they're hard to do, but if we're in this situation that I'm talking about, chances are the TTPs were all Metasploit. Cool, I'm gonna look for MS17-010 or MS08-067, all right, I'm gonna look for these little things, because these are mom-and-pop shops, they don't patch their systems, they don't know they have the systems out there. So yeah, we got breached by 08-067, I need the patch, that's what I'm learning, right? So that goes into the lessons learned projects, you know, where you kind of dig through the rubble and figure out exactly what it is. Chances

are in these types of situations it's gonna be pretty easy to find out what happened, you know, you got a skiddie kind of just going out there, doing OSCP, what is that teaching me, and they find something and breach, right? If it's a little bit more advanced, you're gonna have to spend more money. This comes down to the economics of warfare, right? So it's funny because the criminal activity is very well funded, and has anybody ever had to call a ransomware offender? They have better helpdesks than most of our cell phone providers, they've got ticketing systems, because all this stuff is making them money, they want to be efficient as well. What we need to do is

make it so that's inefficient, right, or make something else more efficient. Anybody notice ransomware kind of fell off and crypto mining kind of took off? It's cheaper and easier for them to make their money crypto mining instead of ransomware. Ransomware is harder and harder as more and more people aren't paying the ransoms, they're getting better at attacking, most people aren't reacting to crypto miners, what's another 10% on my CPU, that's okay. There is a story out there that the crypto miners were actually patching systems to keep other adversaries out, and they just took it like, great, this is a cheap outsource, right? So yes, TTPs are very important. Anything else? A couple more minutes. Yep, okay,

so the question is how do we get management to define a good point of being done. So let's say that we had a thousand servers and all of them are infected, we can't possibly recover all thousand servers at the same time, we've got to prioritize, and we also need to sleep because we're not superhumans. So the way I do it is, we're gonna get the business back up and running, we're gonna take a break, and then we're gonna see, we're just gonna sit and wait, chances are the attacker's coming back for its ball, all right. At this point we're well instrumented and we kind of know what's going on, now we know how he came in,

we're gonna watch him, we got law enforcement involved, now we got the incident responders, we got our legal team, we're much better prepared than where we were before, let's wait and see what happens. Business, we understand you're not gonna have the efficiencies that we used to have, but we're staying alive, we're floating, right? If we don't do this and we start injecting more and more change into the environment, we're gonna run more and more risk. Now you're kind of back into the IT operations on how do I mitigate change risk, we're implementing new systems, more capabilities, we're introducing more risk in the environment, maybe we introduce another vulnerability and get popped again, we don't want to do that. So there

is a balance, and there has to be an understanding between people. Again, be as clear and as honest as you can be, right? If you got critical ICS systems running that are producing your product, you want to make sure those are running, but if you have something that's calculating postage, it's one scale that somebody weighs on and it tells the mail company hey, charge us 54 cents for this stamp, put it on there, I really don't care about that system right now, I care about protecting the company. So that's kind of the conversation, and it's kind of a come-to-Jesus, close to heart, like you have to understand we're in a terrible situation, board, and you know we were on

the brink of being bankrupt, we're running now, you just got to give this a little, right, we're all good. Any other questions? See me at the after-party. Thank you, everyone. [Applause]
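The loss-expectancy math, the two quadrant graphs and the breach-cost ROI argument from the talk, worked through as an added Python example. This is not code from the talk or from the speaker; the risk register, its probabilities, dollar impacts and mitigation costs are constructed sample values, and the quadrant cut-offs are assumed thresholds.

```python
"""Loss expectancy, quadrant placement and bang-for-buck ranking for a small
risk register. Every figure below is a constructed sample, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float       # chance of the event in one year, 0..1
    impact: float            # loss in dollars if it happens
    mitigation_cost: float   # dollars (effort) to put the protection in


def loss_expectancy(probability: float, impact: float) -> float:
    """The insurance math from the talk: a 50% chance of losing $500 is a
    loss expectancy of $250; a $10M event once every ten years is $1M a year."""
    return probability * impact


def risk_le(risk: Risk) -> float:
    return loss_expectancy(risk.probability, risk.impact)


def quadrant(risk: Risk, prob_cut: float, impact_cut: float) -> str:
    """First graph: probability against impact.
    Top right (likely and expensive) gets handled now, bottom left (unlikely
    and cheap) is ignored for now, the other two corners are the tricky ones."""
    likely = risk.probability >= prob_cut
    expensive = risk.impact >= impact_cut
    if likely and expensive:
        return "do now"
    if not likely and not expensive:
        return "ignore for now"
    return "trickier"


def bang_for_buck(risk: Risk) -> float:
    """Second graph: loss expectancy against how easy it is to mitigate,
    expressed as expected loss removed per dollar of mitigation."""
    return risk_le(risk) / risk.mitigation_cost


def prioritize(register):
    """Cheap, high-expectancy fixes (top right of the bang-for-buck graph) first."""
    return sorted(register, key=bang_for_buck, reverse=True)


def roi(avoided_loss: float, spend: float) -> float:
    """What the last breach cost minus what the prevention plan costs
    (18M loss, 3M spend -> 15M gain)."""
    return avoided_loss - spend


# Constructed sample register (hypothetical figures for illustration only).
SAMPLE_REGISTER = [
    Risk("Shared local admin password, no LAPS", 0.5, 2_000_000, 500),
    Risk("Unpatched MS17-010 on file server", 0.4, 5_000_000, 20_000),
    Risk("Data center flood", 0.01, 10_000_000, 3_000_000),
    Risk("Lost USB stick with public marketing slides", 0.8, 1_000, 50_000),
    Risk("Postage scale offline", 0.1, 100, 10),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.name:45s} LE=${risk_le(r):>12,.0f}  "
              f"quadrant={quadrant(r, 0.25, 100_000):14s} "
              f"bang/buck={bang_for_buck(r):9.3f}")
    print(f"ROI of the 3M plan against an 18M breach: "
          f"${roi(18_000_000, 3_000_000):,.0f}")
```

Note that the postage scale outranks the data center flood on bang for buck alone, because its fix costs almost nothing; that is why the ranking is read together with the probability-versus-impact quadrant, which still puts the flood among the tricky high-impact items rather than the ignorable ones.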
