
Okay, all right. So welcome back to BSides Charlotte. This is the first time we've been back in person since, you know, our last time, which was our first time in 2019. So thank you for joining us. As most of you have known, we were home for the last two years, which was sad, but we kept going; we continued by streaming and having talks over the last two years virtually with Discord. So thank you all for participating in that, but we are way more happy that you all are here today, because honestly I've missed seeing faces. I've just watched my husband for the last, uh, two years sitting across the desk from me, so I mean,
new faces are always good, right? All right, so my thing for you all today, my challenge for you: make a new friend, make five, whatever, meet new people. Everybody's here, everybody's nice, and if you are one of those introverts who don't like to meet people and feel nervous about meeting people, come to the lockpick village. I will have you meet new people, I promise. All right, so before I hand it off to Tori for all the agenda, all the... I will, um, well, I have two things. First off I would like to thank our board who's put this together: Tori, Dawn (not in here), Drew (downstairs), Alex. There's five of us. We worked hard, we got this together,
thank you guys. Staffing, volunteers, of course thank you all, you've been awesome. So let me thank you guys. [Applause] So let me thank the sponsors. So first off, obviously we are in the Bank of America building, so thanks to Bank of America for being the platinum tier and providing the place we are here today, and drinks and food and all that jazz, including lunch. Lunch is here as well; we're providing lunch, but it's here, you don't have to leave, so that's good. All right, um, up next we have Black Hills Information Security, gold tier, and special thanks for providing Backdoors & Breaches. Yeah, yes, Backdoors & Breaches, sorry, it was cut off. Um, we have Offensive Security, gold tier,
special thanks for the three training vouchers. JSCM Group, they have a table next door, please go by and say hi. TriAxiom Security, gold tier, they also have a table next door. Flare Systems, gold tier, table. Um, Recorded Future, BlueVoyant, which I know they put some stuff in your swag bag for that. Um, Secureworks, silver tier. Security Innovation, silver tier. SentinelOne, silver tier, they are also next door, you can't tell. Um, we also have Wiz, bronze tier, ISSA Charlotte, Secure Ideas (that's my team), and BSides Triad. And then last but not least we have Secure Code Warrior, which is part of the CTF; they are running that today, so you are able to go do that
today. There is a room down the hall that you can go chill in and work. And last but not least, Fox Pick. So Fox Pick is a lockpick village that I run. My husband is over there, um, there is another member, Jimmy, he hasn't shown up yet, but we'll get there. Um, so Fox Pick is a free village: come by, learn how to pick locks, practice how to pick the locks, and we also have a challenge, um, it's Felix's Breakout. You've got to get him out of jail in less than eight minutes. To do that it is pay to play, which is donations for Hak4Kidz, which, if you don't know what Hak4Kidz
is, it's a children's conference in Chicago. They are the attendees, not the adults, so they get to be like us for a day. So it's really fun, they get to learn code, Java, everything and anything, it's a blast. Um, and I do have 20 lock picks that are for sale, that are donations to work, so if you'd like some, come by the village. A reminder: the village is not open until after the keynote, so enjoy the keynote. And last but not least, again, thank you for being here, and I hope you... bye now, I hope you all have a wonderful day and I'll see you in the lockpick village. Thanks. [Applause] I'm getting my coffee,
I'm coming back. Coffee. So again, a huge, huge, huge thank you to the sponsors. Um, maybe
all right, uh, we absolutely could not have done this without the sponsors. Uh, this was a challenging year, even in the scope of... we picked up BSides in 2019, got things back going, then hit COVID and had to readjust. So we're working on getting everything back going, and it's super, super challenging. The sponsors really stepped up; it was, uh, just an amazing outpouring of support that allowed us not only to put on this conference but also to work on expanding it to cover two days and some extra activities. And we got asked several times over, so that's why I wanted to cover it today: why two days? Like, a lot of times these are one-day conferences
and whatnot. So we wanted to give an opportunity for training and workshops as well, so that's day two, that's tomorrow, and there's three of them; I'll hit that in just a second. Just for anybody who hasn't gone on the website and seen the schedule yet, uh, definitely do that so you can get some more background and info on all the things going on. We wanted to do the training; we've always wanted to do that, so we're kicking that off this, uh, this conference, and hopefully we'll keep working through training going forward. And then the other piece of it is chill time, uh, just to basically network, socialize, play board games, play Magic: The Gathering, uh,
spin up a D&D campaign pickup group tomorrow, something like that. So the doors will open tomorrow at nine in the morning, and lunch at noon, and then we'll end up closing things down around four in the afternoon. There's not opening ceremonies or closing ceremonies or anything like that for tomorrow. There is another Capture the Flag competition which will have, uh, some prizes and whatnot, so if you're available tomorrow it should be a lot of fun. We're hoping... we love the talks, love the info, love the education piece of it, this is really the core of what BSides is, but we want to do more, and we want to do something a lot more fun this year, hopefully.
Um, sorry, getting back to notes, making sure I don't miss anything. Um, there's another couple of things that are slightly different. So at lunch we'll go ahead and do some bag raffles; they will not affect your end-of-day raffle tickets or anything like that. We have some really, really awesome things to raffle at the end of the day as door prizes: uh, the Offensive Security training vouchers, we've got a couple of those today, one tomorrow; we've got some Black Hills Information Security swag as well to raffle; we've got some other actual physical prizes and things like that. Um, so that should be a really, really cool thing to end the day out on,
plus of course the CTF prizes and things for the winners in that. Um, there is one extra thing that we have that unfortunately did not make it in your bags this morning, and that is a stamp card for you to visit the sponsor area and get stamps. When you get the stamp card stamped and turn it back in, that will get you an additional entry to the raffle at the end of the day. Just something we thought would be kind of cool. Uh, coffee, um, I think folks have found there's some coffee floating around, so we've got that. Uh, lunch, um, will be here for those that want to
do lunch here. Uh, you're not obligated to do lunch here; there's great places nearby that are also awesome if you want a quiet space or have meetings you want to do or something like that on a Saturday, um, so feel free. We'll kick off... we're going to try and catch up some of the time a little bit, so we're going to try and have the afternoon keynote still at one. That may push a little bit depending on what lunch looks like, just noticing our delay this morning. [Music] Um, the CTF competition: you must be present to win CTF prizes and things like that, and that goes for tomorrow too. So today, uh, sorry for all the logistics, there's a
lot of it. Today is open, where anybody who's here can play it. Tomorrow there's only 30 seats, so if you're playing in the CTF tomorrow, important to note, get here early. Make sure that if that's the thing you want to do tomorrow, make sure you're here early, because it's first come, first served. Uh, that's info you need to know. Um, I think that's really the key things I wanted to cover this morning, other than, uh, just please be respectful of the facility. Uh, again, we're at Bank of America; they've been really, really awesome with working with us on getting us a space. That was a huge problem this year; there's a lot of
venues out there that are not doing events yet, that might have been more cost effective, might have been cheaper, so on and so forth; they just weren't an option for us. Bank of America really stepped up, uh, worked with us not only to provide the facility at a rate that we could actually end up affording, but we had some serious audibles called in terms of which rooms we were using and those types of things. So it was really, really awesome for them to work with us, so please be respectful of the space. Uh, the don't-go-past signs, the "end of the internet" signs, are your don't-go-past, so please don't go past those,
and other than that, I think, just in case there's questions about restrooms: I believe the women's restroom is right outside the track areas and the men's restroom is down and around the corner to the left, so just for logistics for that. And again, if you're looking for Fox Pick or the CTF, they're over on that side as well. Um, and that's it. So with that I would like to welcome up our keynote speaker, Greg Brock. He's a graduate of Virginia Tech, and Greg spent almost 14 years at a CBS affiliate station in Roanoke, Virginia, helping to lead the company through a transition into digital as online content continued to transform the media landscape.
Greg founded Firefly, an award-winning digital products, branding and content strategy agency, in 2010, and along with his two partners, John Korthwaite and Matthew Sams, they've grown to be one of the largest agencies in Southwest Virginia. Firefly has been recognized alongside CNN, Time Warner Cable and HubSpot at the Webby Awards. In addition, Firefly has won numerous other honors from the American Advertising Awards and the Public Relations Society of America. In 2021, recently, Firefly was ranked as a top 20 best places to work by Virginia Business magazine, uh, for a commitment to company culture and employee growth. So if you're looking for a job, check their stuff; sounds like a pretty cool place to work. Uh, Greg
carries 25 years' experience in advertising, marketing, management, entrepreneurship and business development, and has spent time in print, radio, television and most recently digital media, and was named Advertising Person of the Year by the Roanoke chapter of the American Advertising Federation. So Greg also sits on the board of the Roanoke Regional Chamber and the Jefferson Center. So Greg lives in Roanoke, Virginia, with his wife Donna and two children, both attending VCU. So let's give a hand for Greg. [Applause] And now we get to do the mic slot.
You're good. Testing, is this on, hear me okay? All right, good. Um, well, first and foremost, um, Tori, thank you for that introduction. Um, I can tell you with confidence that, um, all the platitudes aside, I am the dumbest person on my team, um, I can promise you that. Um, you know, I tell you, it's really, really humbling and really awesome to be around this group of people today. Um, you know, it's kind of interesting, um, I had a professor one time tell me that you start to feel pretty average when you're around peers of like-minded ability and talent; if you feel average, it's because you're exceptional. Um, this, what you're doing right now in this day
and age, with how the world is upside down, is so incredibly freaking important. My hat goes off to every single one of you in this room. It is a critical time for your skill sets and the abilities that you bring to the table, and I'm just, I'm honored to be with you, and not to be cheesy, I'm sorry, but really, just for you guys, I mean that, that is really, really impressive. Um, so without further ado, um, just real quick, um, our mission, and you'll see how this kind of ties into where we're going in a second. Um, Firefly's mission is to deliver digital strategies and solutions that create meaningful impact for brands, communities and lives.
Um, located in Roanoke, Virginia. Everybody's like, oh, it's Asheville. No, it's not, it's Roanoke. Um, we're this little building that's over here, uh, in downtown, but it's interesting, as the pandemic has kind of kicked in, um, we started there, but I don't know that we're really headquartered anywhere. We've got employees in Austin and Miami and DC. Um, it's just a different world, as you know, so I pay rent every month and I'm not sure why. Um, but, um, uh, again I'll kind of skip over that, but what I want to do today is kind of talk about some things. It's interesting, we're going to complement each other, because outside of where I
work, it's the volunteerism that I've done with the State Department that I think has relevance to our time here together this morning. Um, what you guys do is kind of over here, and what we're doing over here on this end, when we're actually working with an organization called IREX, which we'll talk about in a minute, um, it's more of the propaganda piece, the information, the misinformation, um, the influence, some of that kind of stuff, and how do you protect yourself against it. So we'll kind of go down that path, if that's good. By the way, I'm going to pause: can everybody hear me okay? We're good, okay. Um, so with your indulgence, let me kind
of walk you back a little bit with some history. Um, if you remember, it's about, it's about November 2000, and, uh, November 1989. Um, I am 19 years old, I am a sophomore at Virginia Tech. I'm not kidding you, this is real time. We're watching television, and there's only, like, basically a few networks and some cable TV; I think we were watching CNN. Um, some of the older people will remember this day. I'm literally eating chicken nuggets, frozen, that I've heated up in my oven, and as I'm eating it the Berlin Wall is coming down, and we just sat there and ate chicken nuggets and watched the Berlin Wall come down. And it was really a monumental kind of moment,
because all of a sudden, again, as a Cold War kid, Generation Xer, we were terrified of getting nuked every day, which now, of course, welcome back to that. But, um, we were like, holy ..., this whole thing's finally coming to an end. And so pretty much now this whole thing with Germany, and how now Germany was kind of becoming united, you can start to see there were things happening with Poland and stuff, and about two years later, it was literally Christmas Day, um, and literally in one moment the Soviet Union dissolved. And what was really fascinating about that, I'm going to kind of pivot back for a second: watch the boundaries, see, watch how much land all of a sudden got lost,
and that scared the, excuse my language, out of Russia. And for a couple of countries that were on the border there, Ukraine and Georgia, well, it made them very, very nervous, because they didn't really want to be part of the Soviet Union anymore. They wanted to be independent, they wanted to go down a democratic path. By the way, I'm also going to preface today: I am not about getting into politics, I'm not going to pick a side, I'm just laying out simply things that I've experienced, so please kind of bear with me if you have a side. Um, but anyway, so what was really interesting is that, um, you started to see some unraveling, if
you will, of old Soviet norms. Just like in our country, you had pro-Soviet and anti-Soviet, um, you know, Republican, Democrat, different kinds of points of view. And, um, I'm going to probably inject some videos just kind of here and there. This is the first audio test on this, so bear with me. Let's see if this works. Yeah.
[Music] [video clip, partly inaudible] ... the winner, far from backing down, ... has called for a nationwide strike ... this country is on the verge of civil war.
There's nothing that can overpower the will of the people. Meanwhile, overseas in Ukraine today, anti-government demonstrators finally had something to celebrate: the parliament voted to disband the government of the candidate who has been declared the winner of the disputed presidential election. The ruling called for a re-vote in three weeks. Doctors confirmed that opposition candidate Viktor Yushchenko was poisoned during the campaign. NBC's Pat Dawson reports. The effects were startling: the healthy, vibrant opposition candidate for Ukraine's presidency transformed, in a matter of a few weeks this fall, into a gravely ill man, his face almost overnight changed into a scarred, bloated mask. In Kiev's Independence Square, where the historic protest began over a month ago, opposition leader Viktor Yushchenko
joined his supporters in a victory celebration early this morning. With most votes counted, the Western-leaning economist leads by an insurmountable nine percentage points. He thanked the hundreds of thousands who had taken to the streets to demand democratic change. Earlier, his opponent, the Soviet-style prime minister Viktor Yanukovych, looked defeated but conceded nothing and predicted more turmoil ahead. "I am ready to lead," he said, "but if I lose, Yushchenko will find out what opposition really means." [end of clip] So that began to happen, 2004-ish, and of course now the powder keg has been lit, and you have, just like you have now going on there, you had, um, kind of in the background, political pressure happening with implants and things like that that
were Moscow or pro-Moscow. Um, you had the democratic movement happening, um, in Ukraine, and then in 2014, this is basically Freedom Square in Kyiv (Kiev, if you're Russian), um, where all of a sudden it kind of came to a head. Viktor Yanukovych had come back, um, and basically there was a vote to join the EU or not, and the majority of the Ukrainians wanted to go EU, a minority didn't. He voted to not do the EU. This erupted, and this was a flash point. Underneath, people were killed, some by snipers. A very different world than what we have here, and, um, that was when things started to really go sideways. Now, that's Ukraine. Now remember, Georgia is
the other country that was kind of struggling with this. Um, this may look somewhat familiar with what's in the news right now with, uh, the Donetsk and Luhansk regions in Ukraine, but in Georgia, in the country, the Republic of Georgia, you had two other areas that were also struggling for independence, um, from the country of Georgia. Um, I'm trying to pronounce this right: Abkhazia and South Ossetia. Um, very similar situations, where Russia was doing a land grab in that country and basically taking territory and claiming it's really a part of the motherland. And so in 2008, tanks rolled into Tbilisi, the capital. [video clip] Between Georgia and South Ossetia, in
2008 Russia and Georgia fought a five-day war over the region. Russia recognizes South Ossetia as an independent state, while Georgia still views it as part of its territory. Along the contested border, Moscow is constructing a fence. It crosses through communities and, in some cases, people's property, separating families from each other and their land. South Ossetia gave control of its border to Russia in 2009, saying it had no border force of its own. As part of the ceasefire agreement, an EU team monitors the area, but they're unarmed and have no power to intervene. People on both sides of the border have lost land and are forbidden to cross over. Both the U.S. and NATO have condemned the construction of the fence. [end of clip]
[...] been either to Ukraine and/or the Republic of Georgia. It's a very good percentage; it may just be the career choices you guys have made. Um, I'd love to get some time with you. Am I in trouble? Okay, good. By the way, I'm like maybe five-four, so if you can't see me, definitely watch the monitors. Um, so my very first time, um, to Ukraine was literally right after the Orange Revolution, um, uh, when Yushchenko basically was sworn in as president, and, um, that was, it was basically through an organization, an NGO, called IREX.
[video clip] IREX is a non-profit organization committed to promoting more just, prosperous and inclusive societies around the world. Many people know IREX for the work we do on youth empowerment, education, access to information and building civic institutions, but we began with a single focus: bridging geopolitical divides by fostering the exchange of scholars, teachers and ideas between the U.S. and the Soviet Union. The core of the exchange was to maintain open channels into societies that were to a considerable extent closed. This was right in the Cold War. In its first year alone, IREX facilitated the exchange of more than 100 scholars, which served as a bridge between the United States and the Soviet Union, and since 1968 we've had over 20,000 exchange
participants worldwide. The history of IREX is a history of change. The work of IREX [inaudible] the fall of the Berlin Wall in 1989 changed dramatically what began as a people-to-people exchange. This organization is now a global organization operating in 122 countries that promotes just, prosperous and inclusive societies. IREX started as an organization that believes in human potential. We do this by engaging and empowering youth, by cultivating leaders at all levels of society, by strengthening institutions, and by extending access to quality education and information. [end of clip] Yep, this is cool. Um, so as a recap, um, it's a U.S. State Department initiative, um, it's an acronym for the International Research and Exchanges Board. It's a non-profit committed to global
development and education, focused on people and communities since 1968, born out of the need to facilitate conversation, collaboration, understanding between the U.S. and the Soviet Union. And again, I love this: the first thing they obviously hit was in the access to quality education and information. Um, and I love this quote from Tara Susman-Peña, who's a senior technical advisor there: media and information are the oxygen of democracy. And so in essence the work that I got excited about was that it's twofold: one, it's kind of, um, out in, from the journalistic standpoint, and then in back out, from the people who actually consumed the... um, IREX was very, very big in training
journalists, um, to know how to report from a non-biased standpoint; I'll give you an example of that in a minute. Um, teaching media safety, teaching how to spot propaganda, things like that, was on the other side, where the consumer side is. Um, so there's a lot of tentacles that go into trying to promote democracy when you're using media. One of the things that's really, really cool is they have this thing called the Media Sustainability Index, um, and just to kind of give you an example, um, how this thing kind of works. [video clip] The Sustainability Index provides in-depth analyses of the conditions for independent media and reveals benchmark insights into how media systems have
evolved since 2001 and across borders. Using our dashboard you can see, understand and interactively explore the current status and the recent history of media sustainability in 21 countries. Our dashboard offers multiple views to see geographic trends, timelines, rankings and correlations. The map view shows the most recent overall score per country by default; simply hover on a country to see how its overall score changed over many years. In addition, you can choose one of the five core objectives and choose a specific year for analysis. When you click on a country you will see its current status, including its classification, individual scores and rankings for each score. Below the chart area you can access yearly reports with detailed analysis. To
view a different year, use the year list dropdown. Click on a ranking value to open the list view with rankings for the selected year. This view also features a quick country summary chart, which shows the categorized country status over time on all objectives, overlaid with year-to-year change. Finally, let's explore the time trends of the overall score for all countries. Each line shows a country and its overall score over each year; you can click on the selected country to open its profile. You can also view regional trends with our dashboard: mouse over will highlight the countries in that region, and clicking will filter so that you view only these countries. You can also select an individual
country using the list on the right side and add multiple countries to compare. Information about the methodology behind the MSI data and other rich data exploration features is also available. We invite you to take a closer look at the sustainability of media in Europe and Eurasia through our dashboard and reports. [end of clip] So I'm a huge data nerd. I love analytics, I love benchmarking, and what's really interesting about this interactive dashboard, if you will, is that it shows over time where areas need help, where areas need more education maybe, and it also correlates very, very closely to some of the hot spots that are happening, and you can kind of almost do, like, a prediction model of what's
getting ready to happen in a certain area. So case in point, right during the Orange Revolution in 2004, and by the way, right before this I had my hand up to IREX, I was like, I'd love to go, I want to be a part of this. And then all of a sudden I got the holy ... moment, and this stuff broke loose, and they're like, you're going in January. And I was like, well, um, it sounded good on paper, but... um, so anyway, I'm over there for my very first trip. Over there was on the western part of the country, in an area called Ivano-Frankivsk, which is close to the Polish side, and this is a TV station
called Beija, which, by the way, got shut down twice after our visit there by the state. Um, but what I want to point out too, that's kind of a subtle thing: there's, rather, the Orange Revolution, they painted their entire set orange, and we were like, no, you don't want to align with any government, whether you like them or not, because you want to be independent. And that's the kind of education we were trying to do with them. So it was this constant, lots of little points of, um, importance, that like, to be really independent you've got to, you gotta swing a certain way. Um, and it was really cool, the State
Department gives you a translator. Um, this is Felana, which, by the way, her dad, this is so cool, um, her dad was actually, uh, an ex-Soviet sub captain. Um, and she would tell me stories about when she was a child she would wear a little Christian cross around her neck, and her parents would make her bury it deep into her shirt so that when she went to school she would not get called out on it. So just a different world altogether. Um, in the country of Georgia, for example, this is another TV station. This is the most horrible acronym for a TV station, it's called GARB. Oh, I guess it translates easier into Georgian, but, um, again this was another
another example of some of the people we were working with. And one of the things I'll point out is that we were so focused on broadcast back then, even though I was coming from the digital aspect, and I kept screaming, screaming, we've got to get away from broadcast. But they were about 10 to 15 years behind us from a technology standpoint and from where their interests were, so they were very much focused on radio and print and TV, which are important, but I kept seeing the tsunami that was coming, and, um, they kept sending me to TV stations. Um, and so what we would do, um, this is kind of cool, this is a group of people,
if you want to think about, like, an association of broadcasters. This was a group of, a burgeoning association of broadcasters; we were trying to get those consortiums together in the country to show how they should band together and unite for independent, free media. And, um, we would have fantastic conversations about the semantics of what free media is, how you actually implement it, um, how you stay unbiased. This is at a university I was at, um, where this was a thing that hit the board up there and I had to take a picture of it, where they're basically saying, you know, freedom of expression as a fundamental institution for democratic society and free economy.
Um, they were on for this, they were excited for this, the room was packed. Um, and so in essence, you know, as digital started to become more and more, um, of an important piece of this, you know, we're showing them how to actually get on to search engines, how to use your code so that you're turning things on appropriately. Um, and you make these fantastic friendships. Um, this is another group, um, this is Georgia. Um, and then this one's kind of cool: this was, um, in Mariupol. Um, the area code there is 0629; 0629.org or .com, I can't remember. It's a news outlet there, and this is an
example, this is, um, some of the branding that we were working on. They didn't even have a concept of branding. We take it for granted here because we're around it 24/7 in our country. And, my eyeglass cheater things on, but if you can kind of read the screen, I'm not allowed to leave the mic supposedly, so I'm going to stay right here. Um, but you know, look at some of the buzzwords, like that third one down, about talking about freedom, and we finally came to the place that they wanted to be at the very top of the brand pyramid: they wanted to be a trusted source. They didn't want to be known as a
government lackey, if you will. So we were helping them with stuff like that, but even outside of being over there, they would come to us. This is where some of the Ukrainians are actually in our shop and we're doing some Q&A with them, and they're asking us how do we roll and how do we, you know, do some things, and from a code standpoint, um, to help our organizations out. This is one of the coolest moments, I have to point this out, and I'm so glad I've got this on an image here. This is another group from Mariupol, by the way, a name that just rolls off the lips now, because now we've seen it. I
couldn't pronounce it when I first learned it back in the day, and now it's like, you've been in the news. Um, but this is one of those moments where we were showing them, you know, how the national news websites get ranked on Google and so forth, and then we looked at their website, and for the ones that know, um, HTML website code, they had something very scary turned off, if you will: they had "do not follow" on their code, which basically meant, Google, like, to search, and don't put this website up there, you know. When we turned that on, it was like a lighthouse for them, for people searching news information
about Donetsk and the other oblasts there that were having challenges, um, with some of the things that were happening, and now here comes this new source that just turns on. So just a little list of things you think are simple here, um, they weren't aware of. But they also, I had them in my home, and there's a reason I'm going to bring this up in a minute, even more so. Um, but you know, this is Christmastime and you've got Georgians in your house. I think my kids, this is the best part, they thought I was a spy, because there would be, like, Cyrillic lettering, you know, left over in the house, or you
know, all these strangers keep coming into the house every once in a while and speaking all these crazy languages. We have a piano in one of our rooms, and like, one of the guys grabbed my son's guitar and they started playing this amazing Georgian music, and my son was like, what the f... is going on. One of my proudest moments, though, was in 2016. Um, we actually brought the head of the Ukrainian part of this and the head of the Georgian part of this into Roanoke. People came down from DC, and I finally, we're going to now put the money and the energy and the people into digital. Um, and so, while this is kind of
important, is when you're there, there are these reminders of what it used to be like. This is a sticker in one of the windows; I mean, you can tell that they're very much on for, um, what the past was. Um, that's absolutely everywhere in Ukraine. Again, for the ones that have been there, you may have seen this. It's in the subways, it's on the streets. It's a reminder that even though they're not part of Russia, Russia is still very much involved. This is the Chernobyl Museum in downtown Kiev, and when you walk in it's not just a museum about, hey, isn't it cool how a reactor works; it's about, look what Russia
did to our country that's that's the message when you go in there um also um this is a car that they decided to go ahead and let be in the museum so you can see some of the the brutality that happens um you can't really see it but it was eye-opening to me on that car seat you can literally see where the bullet comes in just barely grazes and just keeps going in like you see the force of it when you're there um one of the most interesting things this is a Soviet rocket launcher the the country of Ukraine grabbed this when Russia said they this was many years ago when Russia said we don't have any
troops there we don't have any hardware there okay to be like yeah you do trying to call them out and everywhere you go you get this um um socialist realism art and it's kind of sad I'm kind of a fan of it I don't know why I just think it's kind of odd looking um it's everywhere I was told not to take pictures of it because they they absolutely hated it there um but it's everywhere um this is Joseph Stalin's desk um again I'm I'm fascinated by this stuff just because of a Generation X or I'm just being terrified of them um and I've always loved this one this is um this is how they see the world
over there um so I wish I'd brought some actually that was stupid of me um but but in all seriousness and humorous side this is so I want to show you kind of the the horror of all of this in real time you get connected to these people and this is me when I when I showed up at this 0629 organization news organization and Mary yupo they pull out the stop they're so kind and generous and what I want to point out there is um this is me taking a picture of of the group I'm working with and those windows you see there this is that this is that same building now
um this was the video I was playing for a sound check earlier this is a mother and her child eating pigeons another stroller over there on the right this building is the NASA academic Regional Children's Museum our theater excuse me um you may have remembered this building in the news this is the one where they painted children in Russian saying please don't bomb this they had 300 people in the basement it was actually a bomb shelter down there 200 people died this is the train station in Mary upole this is the train station now one of the things that absolutely hit me that was really powerful this is a Jewish opera house that survived World War II and they left it
standing as a testament to their strength I really wonder if it's still there now so with all of that aside I want to kind of give you some things to think about and this is where I just want to get your brain spinning with what you do and maybe there's a way to compartmentalize some of this with what you guys do for a living this is Google Maps and what's really interesting is when you're in the country of Ukraine this is how technically and this is my bad art so I apologize but this is how the the your country map looks if you're in Ukraine Google is trying to be somewhat on partisan here but they also have
businesses in Georgia and in Ukraine and in Russia and so forth YouTube's very strong in Russia you're in Russia this is what your border looks like so why wouldn't you fight for it very confusing I think depending on how you look at it another thing that kind of has been really interesting is we're seeing Tick Tock really become an interesting factor in all of this um 2002 2022 study by fact check new by fact checking um organization News Guard found that new users were fed in misinformation within minutes even if they weren't searching for it and um I love this quote um in just one month Tick Tock went from being considered a serious threat to
Putin's National support for the war to becoming another possible conduit for State propaganda here's an example of this when the war first started the blue that you see there it's kind of hard to read this at first when the that is basically information that is anti-war coming from Russia being posted inside Russia outward on Tick Tock clearly the dominant bit of information that's coming out but watch what happens again this is a china-based company as you know as the war begins to tick on all of a sudden the the pro-war stuff starts to go down and the the I mean the pro war starts to go up and the anti-war starts to go down the blue all the way till when finally
the band kicks in and now even though even though it's been technically shut down in their country it's still a a a safe haven for Russian propaganda to still be being pushed out here's an example of this in real time
Media Matters discovered 197 videos between March 4th and March 9th that had identical captions and video and text, all having favorable pro-Russia stances aimed at English-speaking audiences. So it was something that was sort of happening across the board. One of the things I've been kind of fascinated by, even though we've got a lot of digital capabilities in our country: if you think about how the war was exposed before it even got started, I was so proud of our country and how we actually put a step forward to at least call things out before they happened in real time. It was almost the opposite of how we normally do
things. But I want you guys to think about how can we actually continue to help them, because VPN subscriptions and downloads through Russia have absolutely skyrocketed; they're dying for this information even though it's being shut down. Telegram, for example, is still widely used. YouTube: 75% of Russians use YouTube, and there's a real dance right now because Russia doesn't want to shut it down because they know how popular it is, and Google's trying to figure out how do we do that balance. There's an opportunity there, and again, to my fellow people in the room here, hacktivism, you know, have at it. Instagram, for example, was used as
an opportunity here where they were basically putting out how to actually use Tor and giving them the tricks on how to do that in Russian. So let's think about this as we are here at home. About 48% of US adults say they get news from social media, according to Pew Research. 48 percent. What happens when these social media platforms are owned by a foreign government? TikTok's a good example of that. Ironically, quid pro quo, YouTube is owned by a United States company; we now have access to Russia. And how do we educate and protect ourselves against information and propaganda?
I want to pause that just for a second and entertain a couple of thoughts on that, if anybody wants to be brave and have a voice this morning. What do you think about social media platforms being owned by other countries, and what do we do about it? Is it an issue, is it not? How do we navigate that? Please.
well said thank you who else yes
well said managing and educating you're next
and that was AI
thank you who else back there
Yeah, thank you. I'm not going to be as knowledgeable as some of you in the room, but it's my understanding that TikTok has the ability, once you say yep, I want this app on my phone, and you know everybody does this two-second scroll, "accept," what you've also done is given them permission to actually see your modem and your history. Fascinating, scary, fascinating. Anybody else? Yes, last one.
It's well said, and I want to point out one thing too that is absolutely horrifying to me, because I think we're all in this camp together in this room and then our peers, but if you watch some of the Congressional hearings with Zuckerberg and some of the other technology giants, Congress hasn't a clue about any of this stuff, and they're the ones making the rules. We have got to start championing this stuff bottom up, because it's not going to get done without us getting involved. By the way, there's also going to be a Mentos Coke challenge as part of the event, so we're going to make that happen. Good comments. And so let's
take some of this stuff and look at it. What's happening right now, I was talking to Tori last night, this is real, we're now seeing it in our country, and going back to the point about having education in our country, which I still, I'm going to hug you after this conference, so take off running. But over in Ukraine and Georgia there are media hygiene classes, if you will, that's what they say it is; it's learning how to identify propaganda, learning how to think independently, learning how to see through the BS. We've got to start having that in this country. It keeps me up at night, because we're
now seeing the effects of this in real time. I'm going to point out a real example of this that's going to cut close to home, and this is kind of a 360 moment for me. This stuff is so absurd. But this whole Buffalo shooting "false flag" thing: I'm going to take you back several years ago when my CBS affiliate station hit international news. If you remember this, this was a live Facebook, what do you call that thing, live whatever it is, I'm not on Facebook, huh, Facebook Live. And literally a disgruntled cameraman decided to film himself shooting, in real time, the reporter and the person they were
interviewing. One of my best friends in the whole world was vice president and lived not far from that. When that happened it was early in the morning, and he was the first one to be called to go look at the bodies, which by the way, he still has post-traumatic stress because of that moment. But here's why I bring this up to the room. Years later he lives in the middle of BFE Virginia, he's got a farm, he's from New York City but wanted to be down this way, and he had two people come driving down the road one day with Massachusetts tags on, and basically came to his front door and said, we know you're making this
stuff up. So it's fascinating how the human mind can be quickly bent in all kinds of fun directions. So my last little takeaway, just to echo some of the things in the room: check the source and the date of publication; encourage your friends to do this. Ask who authored this, why was it created, is it credible, is it biased. Look beyond the headlines and the images: what kind of keywords or tone are they using? If a news organization is talking about something being censored, you know, I see a lot of that; like there's a law right now, I think
it's on the books in Texas, where the way the law is written is that Google and Facebook and Instagram and so forth are applying censorship. That's a politically leaning way to say that, using "censorship" instead of maybe another word. Be aware of confirmation bias: where is your own head when you're reading something? Check multiple sources, question numbers and figures, step out of your own comfort zone, become a responsible content creator yourself. This is kind of a last little thing, this is really interesting: for example, there's something called the media bias chart. I'm happy, you kept me online with my
email address if you want more information. But this is again an attempt to try to figure out, you know, the bottom axis is left-leaning to right-leaning, and then the up-and-down axis is basically credible or not, and you can kind of see where things fall on that. I share this with friends of mine all the time that are really one way or the other. So why does all this matter? If you'll just indulge me for a minute, I want to share with you some moments and some friends of mine, and I want to talk about the human race
kind of thing.
Ukrainian Nazis in Mariupol. This is a friend of mine, Lana, in downtown Kyiv. This is a group of journalists in a very far remote corner of the country of Georgia. Another very dear friend of mine; we're having dinner together. And so on and so on: very, very normal, just like us kind of people, with hopes and dreams. They want to be free, they want to be able to do what they want to do and live their own lives. This is so embarrassing, these two: I was having dinner at a friend of mine's house in Tbilisi and the two daughters decided to draw a picture of
what they thought I looked like. It was not flattering, but you know, it was endearing at the same time. This is a concert I was taken to, just for the energy of it in the room; just watch.
We spent a day having lunch out in the country, and they rented a bus to take a whole bunch of us; it's me from the States and then my translators and then a bunch of Ukrainians. We're driving back home after a drunken afternoon, okay, they're absolutely lit on this bus ride back, and they've been singing Ukrainian songs, and I can't understand a word of them. I'm in the very back of the bus and I finally just kind of yell, I said, can we maybe just sing something we all know? And here you go.
Me laughing. We got back that evening; this is on the Sea of Azov. The metalworks plant would literally be right behind me taking this picture. But I share these people with you because they're real, and it's important work that you guys are doing; it is important work which you guys are doing, critical, and I think we're looking at all kinds of fun challenges right now as the world continues to unfold. So with that in mind, and trying to keep you guys on timeline, I'm just so honored to be with you today. Are there any questions, anything that's on your mind?
I agree. I wish I could be really intelligent and have an answer for that one. I think that's the big question in the room these days, and it's a well-spoken question. I think it's going to have to come from grassroots, bottom up; I don't think it's going to come from the big companies. And again, I'm going to try to not straddle a fence or get political, but I think it's so interwoven and systemic, everything from capitalistic models to socialistic models to the way media is basically run. It takes money; where does that money come from? From advertising, and if you've got a psychographic, demographic audience that leans one way
and that's where your money comes from, you're going to probably take your news content this way. And how do you challenge that? I don't know.
Well, I think it's a good point, and I will give you my two cents on it, and you may not agree with me, you can throw onions and potatoes and whatever else if you want to. It's a really interesting dichotomy, because ironically enough we usually think of freedom as having lots of choices. There was an old television producer, his name was Cabbie, and he was 70 years old when I first started in television way back in the days, like the late 90s, and I was in his office. He was a grumpy curmudgeon kind of man, and he goes, Greg, you know what the problem is with everything these days? He's like, there's just too many choices.
And I was like, what do you mean, Cabbie? And he goes, you ever go try to buy mustard now? He's like, there's like a thousand different kinds of mustard; I just want mustard. And it's really a good point, because even though it's nice to have, you know, Dijon, honeysuckle, whatever mustard, it shuts your brain down. I'll give you a great example: I'm a Spotify person, I've got thousands of hours of music, and I've driven to work before and not listened to anything because I keep trying to figure out what song I want to listen to, right? We're all kind of there. So the challenge, the discrepancy is,
choice is great, but I think it's causing problems, but yet you don't want to limit choices, because then all of a sudden that's too much power in one's hands. I don't have the answer, but God, we've got to figure it out. Yes.
I'll tell you what I do, not that it's the best practice or anything. I'm a huge news junkie by design, and every morning, by the way, my wonderful beautiful wife is here, Donna, she can attest to this, which by the way I think she's here today to see if I'll stumble so she can tease me all the way home. But what I do in the morning is, literally across my browser toolbar I've got bookmarks, and I was really nerdy, I have almost ADD, but over here is left-leaning and all the way over here is right-leaning, and I will literally, you know, this is
the bad part, I'm headline skimming, and it's not a good idea because then you're not getting in depth, but also I'm 90 miles an hour, I've got things to do, I've got a business to run and kids and all that stuff. And so what I'll do is I'll start with one and I look at the patterns of where the stories are hitting, and unfortunately or fortunately it ultimately comes down to yourself being educated enough, again not being biased if you can, and trying to digest what you're reading. So I literally will be over here starting with CNN and I'll end over here with Fox, and I even have Al Jazeera and BBC, but
what I try to do in the middle is AP and Reuters. Those are the ones that I feel are serving probably the most appropriate, because they really don't have an agenda; they're literally just journalists giving stories out that then the news organizations take and make their own. It's not the best model, but it's right now the one that I've come up with. It's a great question. Yeah, I'll take one last question if anybody has anything. Okay. Good morning. It's been an absolute pleasure to be with you guys; fantastic conference, already kind of getting the day started. Thank you for taking a moment and putting up with me this morning.
Thank you. [Applause] That was awesome, all of it. Running
around, a couple of logistics updates for things. So as of a little bit ago there's fresh coffee, there's donuts, so that's the part that's going to happen now while we get that in place. Registration has moved upstairs; the important part about that is the stamp cards. When you get them stamped, for those of you that want to do that for your extra raffle ticket, you will want to go and turn that card in to reg and they will give you the extra raffle ticket. So that's one thing, and then the last thing is workshops tomorrow, just for awareness: there is a threat modeling workshop, a resume and interview workshop, so those of you that want
input on resumes, input on interviewing, things of that sort, please show up to that. Spring resume couldn't hurt, right? And then the last workshop will be malware and C2 development. There will also be, in addition, PowerPoint roulette
and some Hacker Jeopardy, so hope to see folks there tomorrow. All right, so we're going to get the room reconfigured and then the talks in track one and track two will resume once we get the room reset. Great.
thank you yeah literally
is it better now turn it off and on again
all right there we go we got it now
now how do I make it stop doing this I
all right
absolutely
oh yeah
okay I check my check I'll check it all right that's all you chief
please
thank you so much all right um for those of you who don't know me all right mind talking to Mike oh you have our mic mm-hmm I panic I can hear it from here [Laughter] we have each other oh welcome to the chaos oh this is amazing I love it love it well they're phenomenal wonderful people thank you um but yeah I don't need a mic I'm more than loud enough got a big mouth it's fine but yeah so sorry if I'm a little out of it right now uh I'm hungover it seemed my liquor about as well as Russia told fighting positions oh yeah it's gonna be like that yeah um so I have a very interesting background
we're going to cover all of that but before we do I have to cover this disclaimer I understand that by voluntarily disclosing the following information I acknowledge that my statement's made in the following disclosures may be used as an emission confirmation and or acknowledgment of actions taken on my part that may or may not Define me as a mercenary tour cyber warfare operator pirate and or spy which disqualified me from any protections afforded to me under the Geneva conventions you will soon enough I have been afforded every reasonable legal opportunity to enlist in the Ukrainian military via official channels and due to my personal choice to maintain my United States security clearance voluntarily opted not to take
the look of enlistment and accept my contract with the Ukrainian military the actions I have taken and continue to take I do some of my volition free of any coercion supports threats abuse of force extortion intimidation and or bribery I received no compensation for the actions I have taken or will take or statements made in the following information I understand that my conference talk will be recorded and distributed publicly and that I have absolved in writing beside Charlotte beside security or security b-sides and all the sponsors administrators board members volunteers and third-party services of any liability for anything that should happen to me by my conference talk publication that should set the tone we are going to have
a lot my background I am ex-military Army and I had a hell of a good time doing it loved every minute of it I miss it every day um after I got out I got defense Contracting I did that for a solid 10 15 years I've worked on everything from the Pentagon this uh Doom SBA nuclear sites the Aurora supercomputer project if it's big it's bad it's loud I probably touched it at least once I have confirmed Intel campaigns against the Russians the Chinese and North Koreans for the FBI and afo Intel swap in Tampa um I've had active operations against the Chinese additionally which I worked with and collaborated with the Senate intelligence committee
um I've supported multiple intelligence committees doing multiple defense contract work Mark Center Pentagon Fort Meade I worked the sock teams I've worked with so many socks oh my God it gets old uh RSA SBA nuclear sites the list goes and goes and goes and goes and then I've worked with oddly enough because they're almost identical fraud because fraud and stock work are almost completely linear the only distinctive difference is this one pays substantially more should definitely look into it fintech um now a lot of people have been asking me this I have personal attachments to what is going on in the Ukraine because as you can see in this picture here I'm literally standing beside the b-sides
car key sign as I'm giving my conference talk there I have personal friends there um I've known them for years they're very good people very honest people I've spoke in that car give give and UI g-con um me and the Russians we also have a very I've had a history with them for years now uh it started back when I was working at the Pentagon and I found my first love letter on my car I went through Standard Security processes I reported it to my security officer they took it MP's investigated blah blah blah whatever and then it got spicier from there um that ended up once they've what is it three two or three years ago
there was an app called face app if anybody remember it so face app was an app that me and my crew we decided we were going to sink our teeth into as a test project to see if we could cut it as a pro crew we were the guys that hacked face app dumped their Firebase their Firebase key pilfered all of their user exfiltrated all of the information about their Network infrastructure and discovered that they were working directly with the Kremlin and so that caused a huge issue with that the Russians got very much so pissed off um and you know that was our cutting of teeth our real fun started after we hacked the Kremlin
um that got really spicy um that's when we ended up meeting with the FBI and afosi but it wasn't even about the Russians really I didn't really care about the fact that they were smuggling weapons uh that were North Korean in nature and make as a guise of Chinese weapons that they were moving into Russia and selling in the markets those Chinese weapons are North Korean by the way the mk-60s those aren't actually you know Chinese they're really made in North Korea for super cheaper um but uh that was probably when they got involved was after we already did substantial damage to their operations and the fact that we had you know popped their systems and stolen their data
um but uh shortly after that we started to get into some interesting things I went to my first and only appearance in Defcon to make an Intel drop and that's when I got probably the worst call um as I've said many times reporters don't just randomly throw themselves off a balcony a week after making a negative report about the crippling dogs don't randomly die the same day that you do an Intel swap at Defcon and so Maybe maybe it's just a fluke accident either case I shouldn't have had to be there in the first place had I been home I'd still have my good boy and so in either case I take it very personally
I'd like to give a special thanks to a couple of people that have helped me put this together uh Ryan Macbeth he's a weapons expert and an Intel Enthusiast Aficionado uh he helped me to identify several Weapons Systems that were actively involved in theater so that I could create a system that could automatically analyze it through NLP and image analysis um fire captains here at the conference helping me to modify the images and the films to make them to where they're family friendly and our good old and vladi because the storm of a century but uh he's provided quite a bit more Intel than he's intended to um this is just a breakdown of all the
things people have done for me I like to give credit where it's due fortunately vladi couldn't be reached for comment because he's currently doing donuts over the ocean uh shortly after he did a release his seems like he didn't expect that to go over too well so he boot scooted Boogie but um people keep asking me am I poking to bear I think this answers the question I ain't here to poke the bear I'm here to slap the out of it so getting straight into the fun part we're gonna go into breaking down core components then we're going to move very very quickly into very very sophisticated components but we got to start the basics what is hacking hacking
is the compromising devices digital or otherwise and network through unauthorized access to account or computer system I don't personally agree with I think it's a very bad definition leverage as a way to effectively criminalize our entire industry my first hacking is the art of using system Services processing Tools in a way other than their initial design and intent to achieve a goal or objective I feel like what we do is Art and not a crime and then on which a lot of people misconstrue quite often the intelligence that's the act of gathering and analogly available data for uh intelligence purposes an example of that would be using your speaker discount code to accidentally order shirts tickets and
badges meant for staff only turns out that code works for everything oops and then Austin would be using a variety of openly available information sources to catalog and distribute information detailing war crimes and criminal offenses of a hostile nation which will remain unnamed including its supporting pmcs uh oh by the way quick note I've got Intel drops to make so if anybody would like a copy of the current active goodies just let me know and so we're gonna go right into the next component this is where things typically get confusing for people is the difference between data data flow and intelligence they are not the same a lot of people misconstrue these data is facts and statistics collected together
for reference and Analysis it's effectively from a scientific perspective just generic information from our prospective computer data is files sitting on a computer system with a particular use data flow is the movement of that throughout this system intelligence is not the same intelligence is a core component of a subtype of data that has an intended purpose and that is either for military or political value in most cases from standard definition but from an application of an intelligence perspective it has a wide array of implementations everything from political to scientifica it all depends on what the use case is and there are thousands of types of intelligence we're going to cover six and so examples of this to break it down
would be video files that's data data flow would be would be like the aforementioned files running through an NLP system and then intelligence would be those files running through an NLP system that reveals allegedly people are being forced into enlistment through the use of sex extortion for and or by certain military organizations and pmcs which I did find the video there is actual evidence that's part of the drop now getting into the types of intelligence that we will cover and use here there's counterintelligence which is the active design to prevent or thort spying intelligence gathering Sabotage by local or foreign enemies I'm not a fan of a lot of these definitions but I didn't military is the informed information
that is gathered by the government or Army about the current enemies of the country and their activities that one I agree with born information is information related capabilities intentions or activities of foreign governments or elements thereof foreign organizations or foreign persons or International terrorist activities I would think that would fall under a commendation of both and then you've got business which is very effective for here I don't know if y'all looked into it but there's actually quite a few companies here if you consider everybody's employer so business intelligence is phenomenal like the fact that I learned how Bank of America does Access Control oops um technology driven process for analyzing data and delivering actual information that helps executive
managers and workers to make informed business decisions that falls very heavily into more of the bis practice I personally agree with that I think that business intelligence could also have a hybrid implementation of a subset for human int because if you look at how a to get this function ats's function as a means to have the leveraged human Intelligence on your Collective staff which collectively make up your Workforce which collectively make up your company and so that's one of the areas where it gets gray and very quickly collides but one of the things that we'll cover in this talk is what happens when you have actual intelligence versus definition intelligence because in most cases there's no such thing as a standalone
intelligence system most intelligences are hybrid they work together like with recruiting that's human intelligence meets cyber intelligence because you're not just looking at the person of the person as a resume you're also looking them up by profiling them you're checking out their Facebook accounts you're checking out their social media accounts they're checking out their previous work history you're combining multiple things there at the same time you're pulling their credit you're analyzing their criminal histories all these things are different types of intelligences working together and then cyber intelligence which is not to be confused with cyber threat intelligence they are not the same as acquiring processing and analyzing or disseminating information that identifies tracks and predicts threats
risks and opportunities inside the Cyber domain to offer course of action to enhance decision making cyber threats are more so Intelligence on Cyber actors cyber intelligence is more like threat map so if you think about it from a perspective of what is my cyber infrastructure Enterprise infrastructure versus cyber threats threat actors it's easier to see the differential between the two it's also how you handle with the indexing in a more efficient manner because if you try to blend the two together if anybody's actually ever tried vulnerability management that's that disaster that tries to merge those two together and it's why all those people hate their job well maybe not all of them there are some Psychopaths among them
And then human intelligence, which is commonly known by many people as social engineering, is the intelligence gathered by means of interpersonal contact, as opposed to more technical intelligence-gathering disciplines such as signals, imagery and measurement and signature intelligence. Now, what's valuable about human intelligence, especially if you understand how people work, is that you can leverage human intelligence to do a lot more damage, in my personal opinion, than anything else. A perfect example is what literally just happened to Uber. By the way, they arrested him as of this morning; our young man has been captured. Oh, our poor soldier. They got him, they got him, they got him in Oxfordshire, 17 years old.
He hacked Uber, he had Grand Theft Auto 6 and several other minor instances that they didn't bother to mention. He is unfortunately looking at significant time. Hopefully they will see an asset instead of an... and they will turn him into an upstanding citizen that will contribute significantly to the future of cyber defense for the UK government, or throw him in a box. Now, I left out the counterintelligence one. I didn't want to have any kind of issues with TTPs being potentially breached, so I left that one blank. However, I did include one for military intelligence, which, with a collective current-day, as-of-yesterday count of total collateral losses for the Russian military, is substantial.
I mean, I'm no math genius, but if a tank is 20 bucks for Mr. Putin... One of my favorite ones for foreign intelligence that I found was the fact that one of his own oligarchs has become so dissatisfied with his performance and experience that he put a 10 million dollar bounty on his own president in broad daylight, which by the way can be redeemed in any currency and any bullion, including Bitcoin, in case we got any, you know, Green Berets in the crowd. So I'm just saying, I ain't saying... 10 million dollars is a lot of money. One of my favorite things that popped up recently, days prior to the partial mobilization announcement being made, was this wonderful little piece here
from Google as business intelligence, which was the number one search, I think, on the planet, which is pretty impressive: "how to leave Russia." And that was like three days ago, and I think it's still in the top five; like, a lot of people are looking to leave. One of my personal favorites, because of course, advocate, was what I found with Wagner. They are a multi-billion dollar company with 8,000 employees and forty thousand military combatant contractors, effectively mercenaries, and they're using Let's Encrypt for their CA process, and it's not even the long-term one, it's the 30/60/90, and they've refreshed it like 16 times in the past five days. Definitely can't say that their
security's on point. And then this wonderful artifact is courtesy of Ryan. This is them recruiting people for their military, specifically their armored battalion division for their tanks. Given the fact that they've lost 4,800 tanks in less than a year, they're going to be a little short on manpower, but for thirty-eight hundred dollars a month you too can drive your own Russian tank. Now, like I said, some favorites of mine are the hybrids. This lovely piece of artwork has been blurred out, courtesy of our friends here. It's a little bit rough, so I understand that, like, they wanted to, you know, blur it out. This was what was left by the Ukrainian IT Army on the recruiting page of Wagner.
So what they did was, they were like, "well, you're going to publicly recruit." In July, by the way; they didn't bother to get their website stood up until after July. Really bad, bad, but it seems to be a theme. But they got this website up and they were like, "hmm, WordPress," and then they just, you know, popped this bad boy on there and showed all the things that you get for enlisting in Wagner and all the different types of outputs. And so, needless to say, Wagner just seems to be having...
I can't put my finger on it, but I think I know why. So, getting into intelligence: who in here has an Elastic Stack in their workplace? Gotta be at least one of you poor souls. Do either of you run your Elastic Stacks? You like Elastic Stack? Thank you. [Laughter] That's a good model, that's a good model. Elastic Stack is actually one of my favorite systems, and I apologize if I made your life miserable about a year ago, but I'm part of the reason why Elastic Stack now has X-Pack for free, when I might have had three Elastic Stack systems on the planet that didn't have X-Pack active, and I kind of went on my LinkedIn and
was like, "yo, dubs, I want 40 petabytes of data." They weren't happy. Let me rephrase that: the people I worked with thought it was hilarious; the upper management were not a fan. But it's a live-and-learn lesson on why you should make security a default. And like with airplanes, safety isn't really an additional optional feature; you kind of need a plane to land, I'm just saying. But getting into the intelligence components: intelligence is one of my favorite places to play. I love intelligence. It's where I got my start, heavily in the SOC. Intelligence is incredibly important; managing the data is incredibly difficult, incredibly painful. You have to understand what is intelligence, then you have to understand what is good
intelligence, then you have to understand what is good intelligence for you, because what is good intelligence for me is not good intelligence for him, is not good intelligence for her. Everybody has a different use case for specific types of intelligence. The problem is the industry tries to have a bucket shotgun approach, where they just have one massive feed: it's intelligence for everything. And two-thirds of that intelligence, while good and confirmed, known good, high fidelity, has no application. I, as a bank, am not worried about cyber security targeting against video teleconferencing companies. I'm not Netflix; I don't care if someone's trying to steal content, because I don't have any content to share. However, I am highly interested in
anybody who's a Zeus bot operator, because I am highly, highly allergic to Zeus, so let's keep that far, far, far away from me. That's where intelligence becomes a very, very important component. That's where understanding FICA comes into play: it's fidelity, integrity, quality, age. Each one has its own separate purpose, each one has its own separate significance. So we're going to cover the definitions, then we're going to cover examples. So, fidelity: faithfulness to one's cause or belief, by continuing loyalty and support. Integrity: the quality of being honest and having principles. And then quality is the standard of something as measured against other things of similar kind, so it's likeness. So if you, Elastic Stack manager, and you, Elastic Stack manager: if he's running a terabyte
system and he's running a zettabyte system, that's similar kind, but that is not similar scale. And then age: how old is the information? Who in here has seen the ILOVEYOU virus? How relevant is the ILOVEYOU virus to today's modern implementation? Would you include that in a security stream for hashes for malware? Probably not, because the odds of seeing it, unless you found it in a museum, from a computer that was in the basement that you had to blow the dust off and spin up by accident, when security freaked out because you plugged it into the network... like, the odds are very, very slim that you're going to find that. So that's when we get into things like
the examples. We've got people streaming once a day; they're very, very dedicated to it. You've got your favorite streamers. I know some of you watch gamers on Twitch for some weird reason. Creeps. Wants to play the game yourself, like... But it's a great example because it's easy to understand. Some people only stream once a month; they're not that committed. Fidelity is very important when it comes to security, because if you only send me an update every once in a blue moon, it's not going to help my organization. It helps, everything that you contribute, but the odds of it being significant in terms of impact on the long term and at the high-level scales, it's slim. If
you're only sending me one update a day, if I'm only getting an entry a day, it doesn't help me. Integrity: a great example of bad integrity would be U.S. mainstream media. I think we can all agree they're all full of... I'll say it, nobody else will. High integrity, though: Toyota and Honda. I found this out when I started researching it. Toyota and Honda are two of the best engine makers in the world. Honda only has one engine, and one out of 364 Honda motors fails. That's a point-three percent failure rate; that is a 99.7 percent integrity rate. That is phenomenal. And if anybody's ever done business with Micro Center, if you get the warranty, it doesn't
matter what decade it is, they'll still take it. They're just that phenomenal as a business. I've had things blow up on me because of a faulty power strip, and they honored the warranties that had expired on all of my hardware for my computer tower, simply because that's their level of integrity. Phenomenal company; that's where I buy everything from. Then we've got quality. "Jumped off the bridge," right? What's that tell you? What bridge? Where? When? Who's he? I don't get any information from that. "That computer's infecting people." Okay, great, what's the IP, DNS, ports? Give me something. Then compare that to: on April 4th, 2022, John Doe jumped off the Johnny B. Goode bridge on Fifth Street. Why? No parachute. Florida,
because of course it's Florida Man, of course it's Florida Man. Then age. Event occurs on the 10th. Real-life example: we'll find it the same day, on the 10th. Other intel analysts like Ryan will find it on the 15th. New York Post won't find it till the 20th, 25th, never, who knows. That just is what it is. Understanding those; hold on to those in your mind, very importantly. Now this is where we get into data: data structure versus data model. They are not the same. Any database admin that you know, they get very angry when you start to confuse the two, especially if they're a software developer, because they have to deal with both.
The data structure definition is the logical view, and a file structure is the actual physical arrangement of the data. Data modeling describes the conceptual view of how data, which purports to model reality, is arranged in a computer system. One is a method of organizing large amounts of data so that operation becomes easy, like the implementations of an Elastic Stack or a database; the other is the representation of a state, process or system that we want to understand and reason about. You have an application, you have a data structure: you have an Elastic Stack, you have a Postgres database, something. Then on the application side you have a data model: you have your primary key, your foreign key, then you have all your key-
value pairs that are structured in a particular manner. It helps you to visualize in your mind, through verbal cue, typically in writing, a diagram. A perfect example is just like this. Structure is where I'm sticking the data, versus model: I've got my data and it's got a primary key of source, and then it's got a name, a country of origin, a site, a fidelity score, integrity score, quality score, age score. Each of those are key-value pairs; those key-value pairs are all tied to its primary key. Now, if the primary key also has foreign keys inside of that primary key, that's where you have multi-tiered hierarchical data models. That's where things get spicy; just ask the Elastic folks. Now, how it can look for something like
what we're doing right now: we've got source. It can go into one type of data infrastructure. You could have user accounts authenticating against Postgres; that's a data model and a data structure. Then you could have the source, which is a primary key that could be in the Postgres system. Then you can have events, which are all cataloged, each with potentially more primary or secondary keys. You've got, in this one, you've got foreign keys. So you've got artifacts; artifacts is tied to the event, event's tied to the source, so it's a foreign key and a foreign key. So it's a multi-tiered, three-tiered hierarchical data model. And then in that you've got them structured out, and each one is stored in
a different place. Some are stored in the Postgres system, some information is stored in Elastic, some of it's stored in Mongo. What you do with data structure versus data model is: you have a data model, which indicates what you will have as data; your data structure is where you will put it, based on performance. One is for diagramming, one is for performance. You want to understand the difference, because some systems are not created equal in terms of performance for the same file type. Postgres is not as good with video data as... why? Because that's how it's built. Now we've got our data, we've got our data structure, we've got our data model. Now what? Well, data is just a giant bucket. Each
table is just a giant bucket. Each of you have information: he's got a left eye, he's got a laptop, he's taking notes, he's on his cell phone. Each of y'all have different sets of data; each of y'all have different sets of information. You could probably tell me what I said five sentences ago; he could tell me my entire talk; I don't know what he can tell me at all. But what happens if you need a piece that he missed, and then he needs a piece that he missed? How do you get that information together? You've got pieces of the same information, but not all of the information collectively together to build the picture that you want. That's
where normalization and ETL come in: exchange or extract, depending on who you ask; extract, transform, load. This is the process where you go into normalizing the data, and its basic definition is the process of organizing data so that it seems consistent across all records and fields. Why this is relevant: if I have different fields than you do, and I build a Python script, for instance, or a Flask application to process data, and it's looking for all of the data and it's not there, in most cases they fail safe, which means it fails closed, errors out, kicks an error, and you're sitting there debugging for the next four hours trying to figure out what the hell happened, only to realize
that you forgot the period in column 27 of one of your data fields, and now all of a sudden you've got this huge mess you've got to go fix. Now, extract, transform, load: that's a fun process, because that's the process of taking the existing data from multiple sources. You're taking all of that data, you're saying, okay, well, this is what I have in this: I've got video, I've got pictures, I've got statements, I've got Twitter posts and Instagram posts. These are all the things that I've got. How can I normalize this? What can I do to say, okay, well, here's all of my data points in all the places; how do I make this look the same?
And you take that information and then normalize it; you extract, transform and load it. It pushes it into that format, and now all that information in each of the events will be standardized, even if the fields are blank, which is fine. You don't have to have every field populated, because systems like Elasticsearch can do queries based on what field you're looking for and ignore all the other ones, which is why it's an incredibly good indexing system. Now, what that looks like in production is a visualization like this, especially in modern-day cloud infrastructure. You'll typically have some kind of a bucket, typically an S3 bucket. All the data gets shoved in the bucket. Please
turn on your bucket security, because you're just giving me all your raw data. You make it too easy, man, come on. You'll have multiple types of data sets here from source one, source two and source three. Well, I don't want one, two and nine; I just want one and two, three and four, five and six. So I take that data and I ETL it into this. Well, how does that transform into a production implementation on a modern-day battlefield? Well, let's talk about Susie Q. I'll leave her name out. She was a Ukrainian soldier. She thought it was a wonderful idea to boost the morale of her fellow soldiers by taking a selfie video about 560 feet
from a HIMARS system firing missiles upon enemy Russian positions, and then posted said video online. Well, Susie Q, welcome to the S3 bucket. Your video is now being processed by the NLP and the image processing libraries of Python. I've identified entries one, two and six of value: your longitude, your latitude and your weapon system. My ID, courtesy of Mr. Ryan: I know it's a HIMARS system. Well, guess what? A HIMARS system is an incredibly high-value target. So now I take that information, I forward it over to my FAC, my FO or my spotter for their fire order application, and you and all your colleagues are dead before dessert. That is how, very, very quickly, one video
can become an incredibly expensive learning experience for a military unit. This is why they tell you: one, do not share your position with anyone other than your unit individuals; two, do not, under any circumstances, take pictures of where you are or what you are doing or what gear you have; and three, definitely don't post it online, because we know you're going to. Yeah. Now that we've got data, we've got intelligence, we've got the definitions of good intelligence, now we've got all our buckets and they're organized, we've got our Elastic Stacks and we've got our databases. That's wonderful; everything's being shoved in. Well, here's the problem: I gotta query that somehow. I've got to make it human-interoperable. I've got to
integrate some kind of search and filtering component. What happens if you go and you type in "Ukraine Russia war" right now in Google search? How many billion hits is that going to give you? All of the things, probably. So how does Google, for instance, decide what's actually relevant? Because first of all, this isn't the first war the Russians and the Ukrainians have had. And that's where things like FICA come into place: how old is it? Because I don't think you care about the '97 engagements, the 2004 or the 2014 engagements; you care about what's happening today. Things like fidelity: where is it coming from? Integrity: what's their value? Who is it from, who is it by?
And then, obviously, the quality: the more in-depth and the more unique to what you're looking for, and the more times in that search instance "Ukraine Russia war" is mentioned, the more likely that is to be put to the top. That is weighting; that is the value of weighting. Now, the definition of weighting depends dramatically on who you ask. Some people will tell you weighting is statistics-based, some people will tell you weighting is scoring-based, some people will tell you weighting is purpose-based. My personal opinion: it's driven by purpose, for quality of outcome. You focus directly on what your quality of outcome for the system is. What is the purpose? What am I here for? If I'm a fire-
for-effect or a fire order or forward observer, what I want to do is, I want a system that's very, very good at what it does, so I need information that's very, very relevant to what I want to do. Everything else is useless. I've got this whole Elastic Stack system, 270 indexes; I only care about two, and in those I only care about half the data. In those two I want the long, I want the lat, I want the authorization order number from the person who requested it, I want their point-of-contact information in case I have to confirm, and I want the target. What am I shooting? Because I want at least a decent idea
of what I'm pointing a giant gun at. Then you pull the trigger, boom. Now, like I said: purpose, objectives, relevance, weight. This is how you determine what you're going to do with any application and any form of intelligence. What is it supposed to do? What's my objective completion map? How do I get from point A to point completion, where my boss is happy enough to give me another project after this one? The third one is, what is the relevance for the intelligence? What does this data do specifically for the purpose, for the objectives? How is it relevant to me? And the more relevant it is, the more weight it gets. This is how you can do an actual scoring
mechanism. Time frame, frequency: how often does it pop up? Filtering: what are my search parameters? Because I know better than the system does what I want. It's an administrative implementation, and in the back end is the scoring component for FICA. I want to know how high they scored; the higher they scored, the more valuable it is. A perfect example of that is: "CIA director Mortimer Smith Senior reports that senior CIA scientist Richard Sanchez has assassinated U.S. civilian Jerry Smith over familial affairs gone awry yesterday morning." This is going to have an exceptionally high score: one, because it's coming from a CIA director; two, it's reporting something negative about his own organization; three, he confirms the
employee who did it, the victim, when it was and why. You wouldn't lie about somebody in your own organization killing somebody else. But a perfect example of a bad score would be: "C-137 Rick has decided to hand over the portal gun formula." If she had seen how that was going to go... This is what pipelines look like: raw sources into storage, deduplication. You're either going to accept the data because it's relevant, because it's intelligence you're looking for (troop movement), or you find pictures of people moving Ford cars; probably don't care about that: rejected. Then it moves into the pipeline, the secondary pipeline, which is where we get into tools. There's a variety of tools that you can use. I use these; you can use
whatever you want. Then it moves into the tooling process. You separate the data sources based on where they come from. You want to be able to manage that adequately. You want to separate third party, so other intel analysis; the perfect example: local news media, government agencies. You want to handle that completely differently: different types of data. And then social media sources; you want to handle each of those at that point from different indexing components, either their own Elastic Stack instances or databases, depending on which one you work with, and then also separate it out based on each of those individually implemented, because Instagram's data model is not going to be the same as Twitter's, it's
not going to be the same as Facebook's, and you're going to have to normalize all of that to the same component, which is why you bucket them together, because government's going to be entirely different, model-wise, to them comprehensively. TTPs: these are all popular TTPs. The core component to notice from this are the groups, the hacking groups that are active right now. This is one of the first times we've had a major conflict where active cyber security groups, civilians, have gotten involved to a level where the collateral damage and impact is substantial. Right now that's Cozy Bear and Fancy Bear; they're pretty much the only ones that are even worth considering. Then you've got the tactics from the
governments, Russia in this case. They're both doing a lot of the same thing: fabricated videos, like when they bombed the Nest; they didn't actually bomb the Nest, it doesn't even match the same fire effect for the same type of rounds. Fabricated images, like dead civilians, and you've got fabricated documents, like invasion information. You've got fabricated attacks, covered that already. And then you've got false reporting, like the Russians say they haven't lost that many people; the piles and piles and piles of tanks being dragged around by tractors would probably say otherwise. I'm just saying. Troop count, occurrences, casualties, all things of these natures, all problematic, all unique though. And the TTPs are based on the
agency; both of the governments have their own agencies. Now, one of my favorites from the Ukraine is HackYourMom. We're going to cover what they did in a moment, because what they did was phenomenal. And then you've got the Ukraine IT Army, which actually did a public recruitment here recently; fortunately I missed that opportunity, that would have been fun. Then the implementation of intel from an accountability perspective: these are artifacts that I have gathered from leveraging these exact processes and pipelines. I found war crimes: looting, rape, mass murder and mass graves. Found castration videos, which is incredibly unfortunate and cruel. Sextortion, where they're being forced into enlistment against their consent and kept in enlistment against their will.
Then I found cases that are more criminal in nature: petty theft, speeding. By the way, even if you're invading a country, you still have to obey their speed limit; who knew? And then one that makes me just incredibly sad was one video where they carved a Z on a dog's snout, and I'm just... there was no need for that; that was just uncalled for. But there's a special circle in hell for people like that. But getting to HackYourMom: these guys leveraged human intelligence to cyber intelligence to counterintelligence to military intelligence to human intelligence, by leveraging social engineering to successfully flirt with Russian military soldiers to get them to divulge their
current location as a military operation, which they then fed to the Ukrainian primary military, and they turned them into space dust with this information. This is a perfect example of "f*** around, find out" when you leverage all of the fun things with human intelligence: social engineering. This is called e-whoring. Then they took that information to engage them on a cyber level: interact with their social media accounts, Facebook, while your military units tell you expressly, under no circumstances do you tell a complete stranger, or even your own family members, where you are, what you are doing, or what you are doing with what, with who. This is why they turned it into counterintelligence, because they found out enemy positions,
enemy information, weapon size, unit strength, all of these things. They even talked about defenses and what air defense systems they had in place. Then they converted that into military intelligence by handing it over to an opposing power, who then turned that into human intelligence in the form of an obituary. So this is a wonderful, wonderful example of the combination, and a perfect example of a hybrid implementation that effectively demonstrates the value of intelligence at large, at scale, effectively, when it's weighted with value. They found out who they were, they only targeted them, they eliminated anybody who wouldn't have the information, they pressed where they knew it would hurt, they got the information, they successfully implemented the information,
it got escalated. It came from a high-FICA-score source, because they'd had previous interaction with the Ukrainian IT Army in the past. Because of that, they acted quickly on the information, because it was weighted, and because they acted on it, it was weighted. They destroyed an entire military base and a very high-end, high-value capture target for an active military place, that allowed them to advance the efforts in the war. But that's all I've got for slides, because I expect a lot of people have a lot of questions, so feel free. And also let me know if there's any questions in Discord.
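A worked example of the pipeline described in the talk (raw bucket, normalize differently-shaped sources into one model, dedup, reject, score each source on FICA, weight by purpose, rank), added by the editor; it is not from the talk or its slides. The sources, records, per-source score profiles, purpose keywords, age horizon and reject threshold are all constructed for illustration; keyword matching stands in for whatever relevance logic a real deployment would use.

```python
"""Added example (not from the talk): a toy FICA-weighted intel pipeline.

Every source, record, field name, score profile and threshold here is
constructed for illustration. Stages: raw bucket -> normalize (ETL) ->
dedup/reject -> FICA score per source -> purpose-driven weighting -> rank.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import hashlib

# Constructed raw records: each source has its own field names (its own data model).
RAW_BUCKET = [
    {"src": "twitter", "tweet_id": "t1", "posted": "2022-09-10",
     "text": "HIMARS firing near the river, lat 48.5 lon 35.1",
     "geo": {"lat": 48.5, "lon": 35.1}},
    {"src": "twitter", "tweet_id": "t2", "posted": "2022-09-10",     # repost of t1
     "text": "HIMARS firing near the river, lat 48.5 lon 35.1",
     "geo": {"lat": 48.5, "lon": 35.1}},
    {"src": "instagram", "id": "i9", "taken_at": "2022-09-12",
     "caption": "new Ford pickup day", "location": None},
    {"src": "gov", "ref": "g3", "published": "2022-09-15",
     "statement": "Armored column observed moving west of Izium",
     "coords": "49.2,37.3"},
]

# Constructed per-source FICA components (fidelity, integrity, quality), each in [0, 1].
SOURCE_PROFILE = {
    "twitter":   {"fidelity": 0.9, "integrity": 0.5, "quality": 0.6},
    "instagram": {"fidelity": 0.4, "integrity": 0.4, "quality": 0.3},
    "gov":       {"fidelity": 0.3, "integrity": 0.9, "quality": 0.9},
}
PURPOSE_KEYWORDS = ("himars", "armored", "column", "artillery")  # assumed fire-order purpose
TODAY = date(2022, 9, 16)                                          # assumed "now" for age scoring


@dataclass
class Event:
    """Common data model every source is normalized into."""
    source: str
    event_id: str
    text: str
    lat: Optional[float]
    lon: Optional[float]
    observed: date
    fica: dict = field(default_factory=dict)
    weight: float = 0.0


def normalize(rec: dict) -> Event:
    """ETL step: map each source's own fields onto the common Event model."""
    s = rec["src"]
    if s == "twitter":
        geo = rec.get("geo") or {}
        return Event(s, rec["tweet_id"], rec["text"], geo.get("lat"), geo.get("lon"),
                     date.fromisoformat(rec["posted"]))
    if s == "instagram":
        loc = rec.get("location") or {}   # blank fields are allowed, they just score zero
        return Event(s, rec["id"], rec["caption"], loc.get("lat"), loc.get("lon"),
                     date.fromisoformat(rec["taken_at"]))
    if s == "gov":
        lat, lon = (float(x) for x in rec["coords"].split(","))
        return Event(s, rec["ref"], rec["statement"], lat, lon,
                     date.fromisoformat(rec["published"]))
    raise ValueError(f"unknown source {s}")


def content_key(ev: Event) -> str:
    """Dedup on normalized content, not per-source IDs, so reposts collapse."""
    return hashlib.sha256(f"{ev.text.lower()}|{ev.lat}|{ev.lon}".encode()).hexdigest()


def age_score(observed: date, today: date = TODAY, horizon_days: int = 14) -> float:
    """Age component: 1.0 for today, falling linearly to 0 at the horizon."""
    return max(0.0, 1.0 - (today - observed).days / horizon_days)


def relevance(ev: Event) -> float:
    """Purpose-driven relevance: share of purpose keywords present; needs a location."""
    if ev.lat is None or ev.lon is None:
        return 0.0
    text = ev.text.lower()
    return sum(1 for k in PURPOSE_KEYWORDS if k in text) / len(PURPOSE_KEYWORDS)


def score(ev: Event) -> Event:
    """Mean of the four FICA components, scaled by relevance to the purpose."""
    ev.fica = {**SOURCE_PROFILE[ev.source], "age": age_score(ev.observed)}
    ev.weight = round(sum(ev.fica.values()) / 4 * relevance(ev), 3)
    return ev


def run_pipeline(raw=RAW_BUCKET, reject_below: float = 0.05):
    """Returns (accepted events ranked by weight, rejected (id, reason) pairs)."""
    seen, accepted, rejected = set(), [], []
    for rec in raw:
        ev = normalize(rec)
        key = content_key(ev)
        if key in seen:
            rejected.append((ev.event_id, "duplicate"))
            continue
        seen.add(key)
        if score(ev).weight < reject_below:
            rejected.append((ev.event_id, "irrelevant"))  # stays in the raw bucket, not indexed
            continue
        accepted.append(ev)
    accepted.sort(key=lambda e: e.weight, reverse=True)
    return accepted, rejected


if __name__ == "__main__":
    for ev in run_pipeline()[0]:
        print(ev.event_id, ev.source, ev.weight, ev.fica)
```

The reject list keeps the reason but RAW_BUCKET is never modified, so a later run with a different purpose (say, adding "ford" to PURPOSE_KEYWORDS) can revisit records that were rejected today; the government statement outranks the tweet here because integrity, quality and age outweigh the tweet's higher fidelity once both are scaled by purpose relevance.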
Okay, cool. Who's got questions? There's always one. That's what we've got.
Cyber and intelligence: I started in the military, and so when I got into the military I started in systems. I moved from systems to compliance, compliance to security. When I got out of the military I started working in DoD, and then I was ending up in hybrid roles where I was doing cyber intelligence and systems simultaneously. I'm assuming you want to get into intelligence? Oh, perfect, you're looking to work for the feds.
Have you downloaded OpenCTI or MISP? You need to download both. That's where you're going to learn: MISP, and then OpenCTI. Those are phenomenal platforms for intelligence; it's a great place to get started. Most people know what they are. And then once you're done with that, you've got that up and running, you want to start playing with RabbitMQ, ZeroMQ, Kafka and Kinesis, because that's going to get you into messaging. That's when you get into big-kid land. Small fry just lets you learn the tool; production implementation is with messaging, because you want an event-driven process. What other questions you got? Yes, sir.
This one or that one? Pipeline.
that one quick Dentistry
Models. So, in regards to dedup for rejection, or dedupe or rejection just in general, because you don't want the data: so when you don't want the data, you've typically made the conscious decision, either through a manual or automated process, of identifying the data by looking at the data and deciding that's not data I want. Now, that being said, just because you got rid of it here at the reject phase, that data still exists; it exists in raw, it's still in your S3 bucket. So you can go back and pull that data later; it's archived, it's just not going directly into your Elastic systems or your database. The raw is still there if you want to go back later, by saying, okay,
well, the organization said, okay, well, we didn't care about Ford data, but now that we know that they're putting in the BLE technology, which allows you to literally walk over and stop the Ford car with a cell phone, all of a sudden now we want to know who's driving a Ford. Because I can literally take a $20 Android, put a BLE messaging app that Ford gives you on it, and it will automatically stop the car if I throw it near the vehicle, because it will assume it's a person. The car will be messaged by the cell phone, it will automatically assume that it's a human being, and it will stop the vehicle. That is 2016 Ford, Ford Sync or Co-Pilot
360. But that's a perfect example of why you would want to keep that information in the bucket. That's why I recommend it that way, because you can go back and revisit it if somebody like Ford decides to do something incredibly stupid and give someone the ability to effectively turn your car off on a whim with a $20 device. What other questions we got?
Oh my God, I love the military. Every day, every day, man. You throw me in a box, you ship me overseas, I'd be so damn happy. Absolutely. Throw me in the box here in the States, I'd be so damn happy. Military and civilian interactions are not the same. We are a different breed, and it's just something you come to accept when you get into the military, and more importantly when you get out. And there's two very different outlooks with two very different approaches to the things that we do. From my perspective, I take what I do very seriously, because my work history has collectively always involved the lives of hundreds of thousands to millions of people, whether
it was healthcare.gov, where I directly provided insurance to 20 million-plus Americans, or if it was something like the nucleus, where if I made a single mistake, one mistake, there wouldn't be an Eastern Seaboard anymore, because when you're pentesting nuclear devices and something goes awry, it's FEMA that's writing the after-action report, not you. Things get very ugly very fast. And so when I'm working in that environment type, when I'm working with the military, March Center, the Pentagon, those environments are very different. When you get out and you go work for RSA, you're playing "mother may I" with corporate America. You hope your manager cares about their job, or at least the paycheck. What else we got?
It depends on the person. Everybody's got their own particular interests and passions. Mine is a hybrid between multi-platform implementations and software development for building tooling. So my professional operator handle is Toybox, because I'm the guy that makes the cyber weapons; I've got all the toys, Toybox. I like what I do. Do I like pentesting? I'll play, sure, let's pop some boxes, absolutely. But in terms of, like, do I want to sit down and be the guy that hand-jams out the BloodHound command to pop the AD credential? Dude, I don't really care. Give me that and 600 other items that you want, and I'm going to build an infrastructure that'll go out
and find every target on the enterprise instantly, and then we can cherry-pick what we want to blow up today. Like, that's my kind of approach. I don't want to hit one system; I want to hit 100 systems. So it depends on the person, absolutely. Any other questions? What we got? Mm-hmm, yeah.
Oh, definitely the pay, yeah. Technology and forward thinking, that depends on the organization almost exclusively. When I worked for the U.S. Army Cyber School and I built their infrastructure, they were very bleeding-edge technology. They wanted to see the best and brightest of everything that was to be offered. When I worked with Mr. Shalon when he was running the Pentagon components, they were very, very, very advanced. They were actually ahead of most of corporate America. You start to look at places like the SBA, I've got cars in my front yard that have more advanced technology. Like, it just is what it is. Um, and then with fintechs it really depends. If you've got your really old
banks, they're very, very conservative, very, very historical. They want to see everything vetted, and for good reason. I mean, if you're talking Bank of Americas, Wells Fargos, if they fall off the map you just lost 28, 30 percent of all, you know, small business loans in America, or, you know, 30, 40 percent of all mortgages. They can't afford to go offline. You've got these new scrappy startups like Tomos and your, I don't know, your Squares, now Block or whatever they want to call themselves. They can afford to fail, because they're a billion dollars, they're an accounting error for real organizations. Not to say that they're not a real org, but the amount of processing and the amount of things that
they effectively impact are just night and day different. The SBA, if it goes offline, nobody in the world can get a small business loan even considered. That's why I took the SBA One, Cyber One contracts and built those platforms, to ensure that lending and grants are always available to Americans and people who want to come to this wonderful country. But it really depends. Um, and yeah, money is definitely a major impactor. It's why I turned down my operator role that I was offered for the government. They just... I made more money in help desk. Not to be me, but I mean, if they seriously want to take us seriously, and they want to take our community
seriously, and more importantly they want to take cyber warfare seriously, which is going to be the major battlefield for this war, by the way, they need to take cyber salaries seriously. Because I think it was, what, 80, 86k or something, with a guaranteed four-year lock-in mandate to effectively be an on-net operator breaking into foreign governments. I mean, I could steal access to the Kremlin and sell that for a million dollars. That's like, I would work what, three months, and make what I'm making in 10, 20 years. They just don't compete, and until they do, it's not even a discussion. Now you see a red team operator from the guys next door, they pay more
than the government, and they're a small business. You start talking to big companies like in-game and game and Facebook and Google, who are offering three, four, six hundred thousand dollars. Absolutely not, you're not gonna get the best talent if you wanted to. Any other questions? No? Awesome. Well, awesome. Thank you all for attending my talk, I really appreciate you guys. [Applause] Oh.
Well, apparently... well, no, never. Apparently the mic is all spinning out on his neck. Get it all right. It looks exactly the same as it did before, though. There's a little green dot, but as long as it's working for the morning.
So, uh, introducing Jeremy Straub. Dr. Jeremy Straub is director of the North Dakota State University Cyber Institute, and he has over 20 years of experience in the design, development and security of IT solutions. A former technology industry executive, Straub was founding associate director of the NDSU Cyber Security Institute. He holds a PhD in scientific computing, two master's degrees, an MS and an MBA, and two bachelor's degrees. In the software and electronics industries, Straub held executive, strategic leadership, and software and technology development management positions at multiple firms in the U.S. and the Asia Pacific. However, long-term technology development was always his passion, leading to his return to academia. Um, sorry for the pickup. He has published over 80 journal articles and 250 full conference papers. He is a
team member recipient of the North Dakota Governor's Award for service, the Roaming Bison Award. Straub is also a fellow of the Inter-University Seminar on Armed Forces and Society, and has served as a lead inventor on two U.S. patents. His work has been funded by the U.S. Department of Defense, the National Security Agency and the National Aeronautics and Space Administration, among others. His research includes technology development and technology policy. So let's welcome him. [Applause] Well, thanks very much, everybody. As I was getting to a second ago, I'll go ahead and kind of recap the theme here one more time. Um, what I want to talk to you about today is this concept of automating penetration testing, and obviously we
have this cool theme here at BSides Charlotte of Spy vs. Spy, which I really love, and I think it's a really great way of thinking about cyber security. It really is a classic spy-versus-spy battle, right? I mean, if you think about the cartoon that kind of popularized the concept, you know, the two guys doing stuff to each other, I mean, that really is, you know, it's red versus blue, or now red versus blue versus all the other colors that we're beginning to put in as we're trying to give other teams colors. But any way you look at it, it's a really big challenge. You can't assume that the other side is ever standing still, and that's where the
automation comes in. So what I would say, as I'm going today, if you have questions, please feel free to put your hand up in the middle. Don't worry about waiting until the end if something doesn't make sense. There's a lot of different people with different skill sets in this room, so I would prefer to have somebody quickly ask me a question and clarify what in the world I'm talking about, as opposed to half of the room having no idea about some acronym, in my view, or something like that. I do think I've removed most of the acronyms from the presentation, so that particular one is a little bit unlikely, but again, let me know if you have a
question, um, or if you're bored, if I'm going too slow, either way. The big thing here is that we're living in an environment where we're still, in a lot of companies, a lot of industries, in a lot of areas, thinking about penetration testing as something you do occasionally, right? You know, you get a, uh, PCI DSS audit. You know, for a lot of companies that may be an annual thing. That's great. The bad guys don't go away for 364 days. Or maybe you did the week-long version, so it's like 358 days. You know, the problem is you have security problems when you have them. You mess up configurations when you do it. It doesn't happen, you know, maybe
it does happen right before the security audit just because of bad luck, but normally, you know, that type of stuff, if it's happening, if you have problems, it's happening all of the time. So doing an annual, doing a quarterly, doing even a monthly security audit really isn't a viable solution when you're dealing with a firm of any size that has adversaries that are looking at, you know, your systems all of the time. Now obviously bigger firms, like Bank of America, whose great building we're in here today, they're doing this continuously, right? They have their own red teams. Other companies have, you know, a variety of different approaches to this. So it's not to say that everybody's only thinking
about this once a year, once a quarter, or once a month or something, but for a lot of firms you can't afford to do it more frequently, at least not with the type of investment that you make bringing in an external penetration tester. And so that's why thinking about automation, thinking about something that doesn't do exactly the same thing as what the penetration testers do but can help you kind of fill the gap, is at least a short-term solution. So that's one of the things I'm going to be talking about today. I want to talk a little bit about how the different phases, different types of automation can be done too, and so we'll get into that in a minute. But
the basic theme here is thinking about how you can take what you might already be doing as an enterprise, as a business, as, you know, whatever, and then add to it with the idea of automation. From the flip side, of course, you know, the bad guys are also automating as well. We'll talk about that a little bit more too. So the other thing that I wanted to bring up here is this isn't like a brand new idea, right? Software engineering has been doing this for a while. You know, when we do testing in software engineering, and we do testing automation, when somebody checks in a piece of code, if you're dealing with a robust testing
system, in a lot of cases there'll be some compliance checks that can be run on that piece of code immediately when it's checked in, or for things where maybe a build process or something is needed, it's done at least with a certain level of, okay, you know, frequency. So this concept really draws upon some pretty common elements of software engineering, and the beauty here is that we've learned a little bit from this, right? Software engineering has benefited a ton from thinking about testing, and, you know, software engineering is kind of a problematic discipline, we'll come back to that in a second, but it's benefited a ton from thinking about how to build in testing to the greatest extent possible.
Um, and the key here is once you figure out that you have something that you want to test, you want to test it over and over and over again, because it turns out that bugs, even bugs you think you've crushed, come back. Why does this happen? Well, the person that made the logical error that brought the bug in the first time may get back and they might be coding, they might be fixing something else, heck, they might even see the thing that somebody fixed and say, no, no, that's wrong, and put it back to the way that they thought it should work, right? Computer code is really complex, and it's difficult for humans to understand all
of the different pieces and how all the different pieces fit together. So the little logical gap, the thought process that's a little bit different from developer A to developer B, this is where a lot of bugs come from. And how do we catch these bugs? Well, ideally we'll catch them, you know, when people are doing the code. Somebody else notices it, somebody else says, hey, you know, this doesn't make a whole lot of sense, or did you know this other thing over here works a little bit differently, so, you know, you can't have this working like that. But if it doesn't, if nobody else looks at the code, if nobody else notices that issue, that's why we have testing,
and we test over and over and over again, because people make the same mistakes, the same types of mistakes, mistakes that may be different mistakes with the same impact, um, recurrently. So if we know something that's critical, if we know something has to work a certain way, if we know something can't do something, etc., we build the test, we try to automate the test, and then we do the test a few times, right? We try to figure out, um, you know, what the best tests are, and run them frequently to make sure that we don't have, you know, the same problems over and over again. Cyber security obviously has a similar challenge, right? The same concept of
somebody making a, you know, programming mistake can be somebody making a configuration mistake. The cyber security issue you might have in your code translates to a cyber security issue you might have in your network. So these concepts, the very things that the software engineering techniques are trying to prevent, they really port really well into it as well. Very similar causes means a very similar solution is viable. But the big question here: isn't software engineering part of the problem? I mean, from a cyber security perspective, software engineering is a lot of our problem, right? Most of the stuff that we're dealing with, you know, some of it's configuration, some of it's, you know, other stuff, but a lot of the stuff we're
dealing with as cyber security professionals, you know, particularly the things that are built into the software, these are the failures of software engineering coming back, you know, three months, six months, five years, ten years down the road. So it's important to also realize that, you know, one, this is, you know, more modern software engineering, so we're not talking about, you know, trying to replicate everything software engineering was doing 15 years ago or 20 years ago, when the processes weren't quite as robust, and two, even more importantly, it's important to realize that this type of thing is not the only solution. It has to be part of something bigger. So testing automation is a part of, as I see
it, a solution to a broader problem, but again it has to kind of be part, you know, with a lot of other things as well. So I mentioned a few different types of automation, and I want to throw these into three categories. The first is complete automation, right? This is, you know, we hit the button, the AI does everything, everybody can go home, and, you know, if something too bad happens, you know, you get a call on your cell from the AI, right? This is not something that is, you know, a ten-days-from-now thing, right? This is a ways off. It certainly is something that a lot of people are interested in, right? From a cyber warfare
perspective, being able to target your adversary with an entirely automated mechanism is really kind of the panacea from the perspective of government agencies that are having difficulty paying people enough money to be able to do attacks, and to be able to develop those attacks and launch those attacks. Being able to have something that they can push a button and be the authorized operator, the person who is authorized to attack on behalf of the country, and not have to necessarily know how all the pieces work behind the scenes, that is a really big thing. There's a lot of interest in this, but again, it's a ways off. Selective automation is something that we see a certain amount of right now, how
we have things that test for various types of things. Again, the term "thing" here is intentionally quite generic. We have things that will test for certain types of network configuration issues, we have systems that will test for certain types of software bugs, we have fuzzing systems that will test for different types of things adjacent to other issues that we may already know about. This is automation in certain areas where we have a particular tool for that. The third type of automation, which is what I want to talk more about today, is human-defined automation. The idea here is that we figure out, as we're doing the testing manually, what we want to test, and then
we automate those tests. As opposed to me going through and testing once and saying, okay, I'm done, I've, you know, made my report, I'm going to take a little bit more time and I'm going to build my tests up as a test suite, so that once I've built them up, unless something changes dramatically about the system I'm testing, anybody else can take my test suite and can largely run it against the same systems and see what it does, right? Now again, you make changes, that may have to be adapted a little bit, but if I can reuse 85, 90, 95 percent of my testing, I get a really high ROI on my initial activities. Plus, if I'm the very
expensive penetration tester that's coming in for a week every quarter, say, I can leave behind an artifact that somebody can run every morning if they want to. Obviously it depends how long the thing actually takes to run. If it takes three days, maybe not every morning. But I'm leaving behind an artifact that can actually be really effective at letting people, um, figure out what's going on on a daily basis. So at NDSU we've done some work on this. I want to talk a little bit about this as an example. I don't want to spend a ton of time on this, but I wanted to kind of show that this is possible. I want to show where some of the limitations and
some of the challenges are right now. So we've developed a system that actually allows you to build up, it's a pretty manual process at the moment, a suite of attacks, and then to plug these attacks in, and you have to define all the plumbing that connects these things together. The engines are already available on GitHub. This is entirely open source. This is something you can go on and play with if you want. I'm going to show you about the ten-second version of it, because it gets really complicated after that. But the big thing here is that this is conceptually possible, and the idea is that this is something that you can actually use
right now, if you don't mind taking the time to define your tests, and then also taking the amount of time that's needed to actually define how your system works from a network perspective, um, and those things. So again, I told you this is a little bit cumbersome. This is how we define what is effectively an attack in this type of system. It's called an action in Blackboard parlance. For those that may not be familiar, the Blackboard architecture has actually been around a while. It goes back to the 1970s. It's been updated a lot. You may have heard the term "expert system." The Blackboard architecture is kind of like the expert system on steroids. It adds one critical capability,
which is this: it adds the ability to have the system actually go out and do something. So an expert system, a recommender system, what it does is it takes in a lot of data and it says, okay, you know, I've looked and I see that there's some water on the ground, I see that the sky is gray, I think it might be raining, right? That's a recommendation. It's, you know, it's not really a decision, it's telling you, you know, something you can intuit. A Blackboard architecture, you might take those same pieces of information, and then take that one nugget, okay, it's about to rain, or it's rained, or whatever that is. Now, if I have some mechanism to
actually do something, maybe I have the ability to deploy a, you know, a roof on a stadium, right? That action is where that comes from. And so we can use these same actions as part of a cyber attack framework, and that's how we've built out what we've been working with. Again, this is only one way of doing this. The other two things that I mentioned here just a second ago, the facts and the rules, are how you actually get the logic behind this thing, right? So all the little factoids we bring in, you know, this is a Windows 95 system, it's Linux, it, you know, has port 23 open, whatever it is, those are facts. Rules are the logic, the thing
like with the rain, when I mentioned, okay, I'm taking, you know, there's water on the ground, the sky is dark, bringing that all together, that's how the rules work. So again, rules and facts are part of the concept of expert systems. The idea of the actualization is where the Blackboard architecture comes in. And the basic gist is that we take a network, again a very basic kind of small office network right here, and we can turn that into a collection of logical pieces of information in this type of a system, right? So the squares or rectangles are facts, the diamonds are rules, and the stop-sign shapes, the octagons, are the actions. So when we build this
out, we can take some information about the different types of systems you might want to have, we'll have some rules about how they, you know, what these pieces of information mean together, we can bring in other factors, and we can turn that into this one piece of critical information right here, which is that a particular vulnerability actually exists. And once we figure out that a vulnerability exists, or that a vulnerability could exist in the case of a testing system, we can run the attack against it and see what happens, right? Now, just like any type of penetration testing, you have to be careful with what you're doing. We are, you know, particularly if you're going to do this
every morning, we don't want you to do something that is going to, you know, knock stuff over. You know, but doing something that validates the problem is still there, or that a problem is not there, that's a very feasible type of mechanism for this type of thing. The other thing that you might decide to do with this, as opposed to actually really triggering an attack, you might do something else, like a scan. You know, again, whatever it is that allows you to determine what issues you may have in your system is the type of thing you would build into this. And again, this comes down to the difference between bringing in a particular tool that says,
okay, I can test for, you know, open ports that have misconfigured mail servers on them, versus actually building something up that actually is targeted at the particular infrastructure that you're interested in. So this type of thing, whatever it ends up being, this is based upon the human analysis of the network. Did you have a question? Sorry. Um, so we'll go from there. So I really want to really quickly, very, very quickly, just show a little bit of how this works. Again, this is pretty straightforward from a software perspective. This is a very, very basic implementation. I create a few facts, I create an action, and then I create a rule. So the first five lines create the facts. The
lines with the asterisks are just ignored. The, uh, I guess what would be the seventh line down, if you consider the asterisks, creates the action. The ninth line creates the rule, and then the last line is where I tell the system to actually do something. This is called a "present" command. Don't worry so much about exactly what that means, but the key here is when I do that, just like the action tells me to, I'm able to pop up Notepad. So this is really, really, really basic, using the engine. The other thing that I can do here with this same kind of thing, I can add a little bit more to this, do the same
thing again. I get the Notepad pop-up again, but I can also pull information back out. Those QFs towards the bottom allow me to query what I found out. So if I had set, whatever, I guess it's Fact 1, to be that particular vulnerability exists, if that was the stop-sign-shaped icon at the bottom of my network, this would have been something that I could take back later, and I could use that in my reporting to actually say, okay, this is what I've learned from doing that. So again, I don't want to spend a ton of time on this, but I did want to show at least enough concept so that people are not saying, okay,
automation is great, but, you know, this is pie in the sky, right? This is HAL in 2001, which I guess is now 19 years old, A Space Odyssey. This is stuff we can actually do, um, right now if you want to. And again, this isn't the only way to do it. This is the way that we've been playing with. Again, this engine, the engine I was just playing with, you can go download from GitHub and play with yourself if you want to. As you saw, it's a little bit cumbersome. You're writing a lot of lines of script to create this. We're playing with, right now, trying to figure out a way of making that a little bit easier.
Um, we have a few people that have actually been playing with trying to do scans of the network and pull that in. The other thing that we've been working on is just making blocks of this pre-packaged script that you can bring in, and if you know something has a particular device configuration, that brings in a lot of testing with it as well. It's really flexible. Again, like most things, when you don't have a UI, you know, when you're typing, you can do a lot of stuff that you wouldn't necessarily be able to do as well if you had a UI, because the UI constrains what you can do. And again, we're trying to make this a
little bit more usable in the future. But really, kind of the key takeaways from this, I think, you know, the first thing is to remember that automation is really the future of cyber security, right? I mentioned already the notion of automated attacks, automated defense in the realm of, um, you know, cyber warfare, and actually going out and attacking systems, defending systems, etc. Um, and so that's a really, really big thing, right? When you're dealing with those types of automated attacks and automated defenses, your testing also has to be automated. We can't test at the speed of a turtle while everybody else is going at the speed of, you know, the hare, so to speak. So it becomes really,
really important to actually make certain that you have the automation of the testing as well, that you're able to validate that the systems that you're relying upon, for whatever, um, are able to, you know, be robust and to actually be able to withstand whatever types of attacks, um, you know, they're being faced with. In the longer term, I see fully automated testing as a goal, and I think a lot of people do too, so I don't think that's unique to me. But there's a long way to go to get there, and there's a lot of things that, you know, could be done in the interim that I actually think the human selective testing is actually a really
good gateway for. And quite specifically, as we're defining, you know, it's, if I go in and I define, say, 10 attacks that work against my systems, you know, if I have a, you know, little Netgear switch that I'm trying to attack, for whatever reason, because it's there and I need to test it and it has an IP address, so, you know, I make my little path for it, I'm adding to the base of knowledge, um, that allows me to, you know, put this out there. I can put out attacks against this particular piece of hardware. As we get more and more of those things, and we actually have a testing suite of more
and more of these little attacks, that actually takes you to more and more automation, right? Because that means all of a sudden I can do a network scan, I can see that, okay, I have this little Netgear whatever there, and now I can see somebody else has already made some tests that I would use against that. Maybe it doesn't test everything that I want to do, maybe it doesn't test it the way I have it configured, but at least some of the time I'm able to take those kind of modules, those components, and bring those in and use them for my own testing as well. So I think that's another,
um, kind of neat thing about the way the different pieces fit together. And certainly in the short term, doing retesting, uh, with this is a very feasible approach. Uh, you know, again, it doesn't take so much time to set up an automated retest as compared to doing it manually once. You know, it takes a little bit more time on the front end, but even if you're just doing a penetration test as a one-off, being able to go back and see if certain things have changed during the individual test can be a significant additional component to a report, right? Um, you know, we had a very interesting thing happen. We have an event every year,
at least for a while we had it every year, pre-COVID we had it every year, where at NDSU we gave students the opportunity to come in and, in a controlled environment, actually do some hacking against the IT infrastructure at the university. And there was one instance, and it was amusing, I was sitting off to the side so I had a really good perspective on this, there was one instance where the person that was demoing at the front of the room and was kind of leading people through this found, stumbled upon something, and the IT guys at the back, who had been saying, oh, you're not going to find anything, it's all great, suddenly
the computers were coming out, they were beginning to type. And what it was, I think, was they realized that the vulnerability that somebody had just stumbled upon wasn't a single-system vulnerability. It was something that would have replicated. And so, you know, again, I can't say specifically what this was or what type of system this involved, but of course now all of a sudden IT staff have an incentive to start trying to fix stuff. If I had that automated, and I knew what the scope of something like that was, even as a professional penetration tester, where, you know, your target IT administrators may try to fix stuff while you're testing, I have the ability to go out and syndicate my
test really quickly, right? If I say, okay, this is a problem that I think could be on every workstation on your local area network, you know, for example, all I have to do is really quickly get a scan of IP addresses. Once I find something, I can use my retest, as opposed to against the single system, I can use that against every system that I think could have a similar vulnerability. And it's an interesting way to, again, identify a lot more potential problems as, you know, IT professionals might be trying to fix them, even in the context of an individual penetration test. So there's a lot of interesting ways that this kind of plays in. The other thing
that I would throw out is, for people that are looking to get into the industry, students that are looking for something to do, making these types of modules, you know, it's kind of like the cyber security equivalent of contributing to open source, right? As a programmer, one of the things you can do, you know, early in your career is you can contribute to a well-known project, right? You get something built in, you know, that gets into an Apache build, or that gets into, you know, uh, OpenOffice or something like that. That's a really good resume item. These types of modules, I think, actually could be similar, where if you define a really good mechanism for,
you know, say, attacking Apache, just as an example, a product that's out there a certain amount and it gets used a lot, it's a really good kind of calling card item to be able to go out and say, hey, you know, I made this, and now XYZ professional penetration testing company is using something that's got this code, this module, this, uh, attack that I built into it, um, in it. So that's another kind of neat thing I think that kind of comes out. So at any rate, I think there's a lot of kind of cool synergies from this. I think I'm almost out of time here. I know we started a few minutes
late, so I'm trying to balance. But, uh, if there is time, I'm happy to take any questions. Anybody have any questions?
In that case, thanks, everybody. [Applause]
Perfect. Ah, those are asleep. Thanks.
...manufacturing environment. I still want to know what to do, why they do it, how packaging and patching teams spend so much time and effort, so careful to understand, when digging in with your teams, to say, you know, what do you need, how can I help you. Um, is, you know, recovered. Um, get into talking about, you know, penetration tests.
These have gotten highly connected. When we first started dealing, that's how I'm measuring these connections. I want to know different assets, because how would you be disclosed? That can ultimately affect our day-to-day. This is a scene from a movie that was shared, and I gave a version of this at Queen City.
Oh, you're good.
Go back. He has a background in the U.S. intelligence community and also in SOF as a cyber instructor. His experience in the intelligence community provided a foundation for insider threat, digital forensics and cyber intelligence consulting to pharmaceutical, financial and technical entities, sorry y'all. Um, he is a graduate of Georgia Tech, holds multiple digital forensic certifications, as well as that of a Certified Fraud Examiner, and has appeared on several news broadcasts discussing cyber security issues. Will is also the director of digital forensic services for Operations, a volunteer-run non-profit assisting domestic abuse victims as they begin their new lives. So, Will Baggett, take it away. Oh, here's the fun part. I've actually had to wear shoes and socks and pants. I've
not done that for the past two years. I'm probably not the only person. First, I can tell you Wake Forest is up 21-20 over Clemson in the third quarter, if anyone cares. Dead silence. All right, not everyone's a Clemson fan, I guess. Oh, so we're going to talk about the DEF CON Voting Machine Village and the digital forensic effort. So thank you for coming to this. I know there's three tracks, thank you for choosing this one. And as she said, this is me. Uh, I'm local, I'm in PUK, just across the border, down near Fort Mill, near Carowinds, and after leaving DC I had no desire to go back up there. So to start off with, we're going to talk
about voting machines and it is college football Saturday so the Nick Saban approach he won't discuss politics he said half of my audience will disagree with me why would I want to piss them off to start off discussing politics that's the approach that everyone taking this and the other since they are moving here in 2023 the ACC referee model you enjoy does anybody go to an ACC school here a bit seriously in Charlotte ACC referees are part-time referees they come from health insurance to Car Sales they're not professionals the number of games that have been blown because of terrible referee calls are numerous going back through decades and tile that back in together accuracy is key if my team loses in a massive
blowout we lost if we lose because like I believe it was Virginia Tech cut a ball against Michigan ruled an out of bound catch and after the game oh yeah that was a legit catch you should have won the Sugar Bowl but we script called sorry multiply that on national election we don't really need a oops sorry we got it wrong we forgot to count these votes in this machine we need accuracy and in doing some research for this I found this stat last couple of days after the 2019 Defcon conference press conference like press coverage for the voting machine Village the results we did the what we sent up to Congress the United States was viewed 2.5 billion
times I said something different other than while when I read that but yeah um you know here I am just South Carolina resident going out to Vegas with my machine doing digital forensics or talking to reporters I had no idea that this was going to take not that I did it but just my results are going to get published in something this big and a little bit of humor you thought that one jira resilient ticket had a lot of views for management to find out the digital results that you've got had that level of healing oh crap so you got to get it right this was added in after I saw that I uh was going to follow FBI with some people
who've stolen voting machines and are charged with federal crimes I wanted to get that in there the machines that we have the Defcon I'm gonna the difference between this talk and the one I gave it uh Defcon we actually had the Boating machines in the room we were working on them people are taking it apart doing digital forensics reverse analysis here you can only hear about it as opposed to actually seeing it in person uh Harry Hersey is a Norwegian word you'll buy the machines on eBay secondary markets they're all legally procured trail of evidence from uh purchase all the way to the time they show up at Defcon if they're procured illicitly we had an
event where people after Defcon 2022 took one of the devices as they tell me off the loading dock at Caesar's Conference Center took the device loaded their own stuff on it and then said oh look at this here's evidence of cheating in the 2020 election well no because one humans and deer don't look up I said with living in TGK with all the deer here we don't have it okay Bank of America at school but but usually when you look up in Vegas the conference Halls here's little black camera dots all over the place when you walk into a conference Hall like that in a casino they've got facial recognition they can see the minute you walk in you're on
camera all the way in and out of the facility so to do that to steal a machine that's worth more than 500 which is a felony and then to make false election claims like dude you're getting a one-way ticket to jail congratulations that this isn't hacking this is just stupid you have no technical tradecraft I kind of speechless that they would do that but that completely discredits any opposition level discussion of credibility I want to talk about the Chinese voting machine prototype that's the current project that came directly from Alibaba it was 150 pounds delivered to the Defcon room I wasn't expecting lift with teams and getting a dolly to move it but that's where we are sucker was heavy
uh one plug to throw in here if you are interested in working on the voting effort either go to Defcon voting Village or volunteer locally at the polling offices to help out to set up with uh throughput for getting people in and out but the only way to really make a change is to get involved yourself if you don't like it and you're not getting involved there's not much you can do you're just complaining so people are always glad at the government level to have assistance 2017 I was in Vegas I left the government I had a um always get paid up front in forensics but um I had my full digital toolkit with me
went to Black Cat excuse me went to besides Vegas went to Defcon saw the Boating machine Village and absolutely transparent here I didn't know they had it it even been to Defcon couple folks massive conference right you can easily go down a rabbit hole fighting there's drone forensics there's hacking smart cars social engineering the main big talks there's so much you can find your specialty to get into pretty much anything you want sheer luck that I walked by I saw this I walked up to Harry Hearst the founder of the conference a voting machine effort and said I've got an actual forensic kit right blockers with black light uh in acquisition Discovery kit do you have any unintended for machines
that I can get a professional result as opposed to just hinkering he was excited took me off to the side I got a machine a window box and in 2017 and why I took screenshots one document that's gonna be a big thing you guys for y'all are not my students from NATO but still document when you're working on something like this document non-stop because you never know when it's going to be key it was an unpatched Windows XP machine that had been put into service and it looks like 2001. so you want to talk about your vulnerability management your threat management unpatched running office 97 access database an encrypted hard drive voting as admin USB ports are accessible it wasn't
really Imaging it was I think 128 Meg was the hard drive it was ridiculously small so image it the first go-round and you know logs don't lie this is the only instance that this machine had been connected to the internet realize I'm streaming out here and people are going to look in parts to see because being political in America is what it is so yeah we did have evidence that this one voting machine Dominion releases with the image connected to clear text FTP inco.com and sent these files unencrypted to infocom like oh that's interesting again it was one time it happened so I feel like I'm on Pawn Stars here I called a friend who worked in a news
service he does oscent reporting he's left there now didn't like living in downtown Atlanta so he just moved out to Countryside imagine that so he digs into infocom we find out it's a Canadian company and Ocean's amazing doing open source research found out Canadian company IP address tried to log in probably shouldn't do that but you know whatever that's interesting that this is going on that we they say these machines don't connect to the internet but the one test image has been connected so that was interesting when I report up to Congress and that was the one big finding okay it's completely vulnerable and it's online problem 2018
Thank you. [Audio cuts out.] ...the basic principle was what we developed... this one seems pretty self-evident... if you're going through standard evidence... and there are a ton of guidelines, training courses, academic resources... [audio resumes]
We good? All right. So we've taken these principles: we make backup copies, we'll get into this; we validate the hash codes. I know my three forensic colleagues know, but what's a hash code? It's a mathematical signature of the data. It's like picking a grain of sand on the beach and saying these two match; it's happened, but it's nearly impossible for two files to have the same signature. So we verify each other's work: I'll image the drive, a person from another large company will image the drive, and someone from a third company images it, and we compare to say yes, these match, and then we begin the process and make sure we're working from the same page. Well, I'll image the drive with an acquisition tool, FTK Imager, and a write blocker; basically that ensures that with any changes we make, we don't tamper with the original evidence; it's just copying it in read-only mode. On the Apple side, I'm an Apple guy, write to a DMG, it's very simple to do. On the Windows side, that's what we call it, NATO-soft, you would create a virtual hard disk image. That way you could take the virtual hard disk and then pass it from analyst to analyst instead of having the physical removable media. That way, in a war zone, which is what it used to be overseas, the sand was rough on the electronic components, the SD drives, the micro SDs, the compact flash cards; so going this route you at least took one variable of environmental damage out: external media. I'm not really big on passing around USB drives to a bunch of random people at DEF CON; I don't know about y'all, but it seems like a pretty poor decision. All these images are created in a read-only format. Tools we've used: Autopsy, BlackLight, Disk Drill, FTK Imager, acquisition, Magnet AXIOM and RegRipper. I'm personally not familiar with [unintelligible]. Autopsy is great for the tactical, but for a legal situation: oh, so you built this freeware, you configured it yourself, and no one else has checked it in the lab to validate this, and you want to use this thing you built yourself in your lab to put my client in jail? No. It's great for testing, great for red team, great for malware analysis, not so great for legal situations. BlackLight and acquisition are now part of Cellebrite; the founder of BlackLight, BlackBag, used to be the chief of security for Apple, so they had a lot of close ties with Apple for digital forensics. Magnet, I believe, is now the premier program, sorry to Cellebrite, but it is what it is; right now they're the best. Their price is a little bit steep; they're about ten thousand dollars per seat, per license, per year. RegRipper is just another registry examination tool for the Windows box. So we do the forensic processing.
Now we're getting to the meat of the presentation here, the reason we take such steps before we get to the device. Just because you have access to a Windows XP machine, you have your USB drive and you can load a JPEG of Rick Astley doesn't mean you hacked the computer. Congratulations, you're on CNN, but you haven't done jack squat; you've loaded a JPEG. This is what people love to watch on the news, but this isn't actually doing anything for the effort. All it means is you had unintended access to a computer that we wanted you to have access to. When it gets to this point, there's no machine; it's just something for a show for the audience to look at.
One of the tools, Disk Drill, that will run, I think it's $79, out of southwest Atlanta. It's a good program, I really like it; it goes through the unallocated, deleted files on the hard drive and recovers them. Step one: if you find something, document it right away, because remembering the names of all these files, going back after the fact to remember you're looking for generic SD cards.dll under the AVS common files directory, or you document it when you see it. Trust me, you don't want to go back; I learned that one the hard way. But finding the deleted files is key. There is a congressional finding: my colleague Carsten, from, I believe, Copenhagen, for the voting machine, found a Chinese MP3 loader and CD burner on the root drive, the core image of one of the WinVote machines. So every WinVote machine, when they build a machine, they take the one master image. He found a flaw; we didn't find anything else to appear, so it had been a singular attack on the one computer rather than a wide attack.
Also, this is why, not to mix my talks, I'm talking next week in Augusta, I feel like Matt Foley, motivational speaker, here, but in domestic situations, if you have to give a file to an ex, former employer, former partner, whatever, clean media is good, because if you give them a USB drive with deleted files on there and you run Disk Drill, you can see everything they've ever given to you. So basic security hygiene there, but it is incredibly easy to pull these out; it's not much of a party trick at all. So we're there, we're formally set up, we're running, and then in 2019 our little party tricks ended up on Fox News. Didn't know that, oops. So that looks like hacking but it's not; it was a different test we had here, so I'll touch on that soon.
Some of the pictures: we actually do take the machines apart to get to the hard drive and try to go through the USB drive. So again, realizing we're not actually in the Voting Machine Village, this is for y'all to see what this is. And yes, going through my photos, I did have two supersized iced coffees, a Monster energy and a water, so once you're on the X doing the work, you don't want to be interrupted the rest of the day, and basically don't sleep for four days; probably not good for my heart. So on this one, it looks like something off the sandcrawler from 1977, the Jawas and Luke. This is a vote counting machine, I believe from Iowa; it's still in use. It has a 10 horsepower motor on the back to cycle the ballots through quickly; one could lose a finger on that too, that's overkill. It runs a version of a BlackBerry open clear-text OS, I forget the name; we researched it, you couldn't find it, but it's still arcane. It's 128 meg of clear-text file, just so we sorted that out. They're programmed via Zip disk. Well, I feel a little bit... show of hands, anyone used one of these lately? One, a few, a few people, yeah. Now that Fry's is dead, good luck finding a Zip disk, bless you. Oh, also, just in case you need to program your DHCP port, which is what they advertise, it comes with a 10BASE-T jack so you can connect this bad boy to the internet. Why, I don't know. There it is; still surprised it's really in use. Election Systems & Software M650. It's electric, lunch. A lot of the machines: this is one of the WinVote machines you see so much in the news, so much controversy about it; it mainly runs off of compact flash cards, the old school, you know, your parents used that in the cameras they bought at Circuit City. Like, again, really? There used to be a Fry's at the end of the Strip in Vegas, until Fry's went out of business, and we'd just have a shuttle going back and forth buying archaic software and hardware for the voting machine that is still counting your vote today. A machine analysis for the Diebold election system: same thing, RF cards; you can actually see the RF card reader here. I mean, we're not talking high-tech, this is Back to the Future, this is ancient stuff, but still running Windows CE, Windows XP. This is going into the local crowd: somebody vandalized one at the University of South Carolina, state or so; there we go.
One of the big takeaways, keep going back to instructor mode: anybody familiar with the Sunshine Law? The state says you have to publish meeting notes, minutes, and that includes voting machine data. So from the Sunshine Law, from a lot of our states, you can go online, find the machine username and password, the admin username and password, the security username and password. Well, we'll get ahead to that one about the machine, but this isn't hacking, this is just glorified Googling; I don't even call it OSINT. Again, for instructor mode, just because it is what it is: here we have our machines out, set up in an unclassified lab. I would suggest y'all pick your favorite state, identify the voting machines used in the state, I'll give you about 20 minutes, tell me the username, password, admin username, password, security username for all of the machines that you found. Exercise; it's not really hacking, this is just something. So just to pause there: this isn't hardcore pen testing with, you know, an expensive Brute Ratel, three thousand dollars a year C2 platform; this is just basically knowing what to Google for. This one, the Premier voting machine. All right, anyone done NERC CIP, or anyone done audits? Yeah, I don't want to submit audits, it's boring, but that pays. This bad boy, the AutoMARK machine, connected to a printer: print a vote out, it gives you the firmware hash list.
It gives you the firmware and it prints the hash values for each file: 56 pages of hash values that print out for you. How absolutely useless. Let me back up.
It says this file, this Windows DLL file, the value for this is X; the manufacturer says the value for this is X; the file is unchanged. If these values change, you get a different value, but just by looking at this 56-page printout of the registry files, you're not going to know the hash values, you won't know what's been tampered with. You've got a complete list, it meets audit specs, but it's completely useless because there's no way to compare the differences between A and B. So we took this theory, we got suspicious and said, it's telling us the hashes for the machine; does it actually check them during the boot process, or is this just show, security theater like TSA? I shouldn't say that. So what we did: we took the logo header, we took my friend's image from the Georgia Tech message board, yes, we want to get our head coach fired, he's horrible, and we took his image, took a logo and the DEF CON logo, and made that file roughly the same size, so that when we booted up the machine...
See if my video runs. Video is not running. It was there; there we go. Yeah, the modified header comes up, but you can still vote on it if you wanted to. So is that a success, was that a failure? We don't know, but that was one of the findings: you may still be able to use this after the machine's been tampered with.
So, getting to the newer part of the presentation: the Chinese voting machine prototype, how we've examined it and the observations from it. This year Harri bought a seven thousand dollar voting machine off Alibaba, 150 pounds. We have chain of custody going from a private shipper in China to Los Angeles to DEF CON; I met the thing at the Caesars convention center, hand truck, team lift, all that good stuff. We brought this bad boy in, thinking about the average age of the voting volunteers helping set up. So, okay, looking at this, and, you know, trigger warning for anybody in cybersecurity, this is going to hurt: it runs on an Android OS. It has a thermal printer; anyone ever done an expense report with a thermal receipt? Horrible, right? It fades. So you've got two printers, you have a facial recognition scanner, you have an ID card scanner and a thumbprint scanner. In the United States we're supposed to have private ballots, so now you've got three points at the same time: your face, facial recognition, your driver's license. Okay, the printer, let me back up here: you get a receipt and a copy of your vote is also dropped down there in the washing-machine-style bin. With that, thank you. Like, one, those are thermal receipts; they do fade over time, and to go back and try to count these, it's going to be like the Florida issue with the hanging chad; you had to take the box, no one's going to be able to read the physical ballots. We're not sure how it's stored on the drive, and this is, oh, being 10 in the back, that's kind of concerning, right? Because this also has 4G, Wi-Fi and Bluetooth on at the same time, Bluetooth promiscuous; it was the connections. It's a great double-edged sword. Access to the iOS Bluetooth list: you can see every single Bluetooth device you've ever been in proximity to. Conversely, if you're planning an attack, and, say, we didn't do it because it's illegal, but if it was up here and I had a Bluetooth sniffer like the net toolbox on my phone, which I didn't do, I wasn't down there, because you'll play with the FBI and I don't like going to jail, but I could have picked up their Bluetooth signature and then used that to start tracking their movement around with the signature. So you've got beaconing out. I think that's it. But if anyone hasn't seen the latest Star Wars Andor series, one of the people tells the hero that you don't carry a device in your pocket you don't know, which is very applicable for this as well. If you've got Bluetooth and Wi-Fi and 4G, where's your data going? Is there any control on this? So from the website, again, a little bit closer granularity, directly from Alibaba, control-C, control-V, no evidence on Hill, period. So this is what it would look like, have we peppered it on for the public to see. A little bit of a pop quiz: where's the manual for this? Oh, that's wrong, we haven't found one. So I feel like I'm doing name dropping here, but Rae Baker, one of our Operation Safe Escape OSINT specialists, she's got a book coming out on OSINT; she searched, I've got pretty good chops, I searched, the OSINT community has been looking for a manual for this device, we haven't found it yet, it's been a month. How do you get software updates and patches? Well, you have to DM the seller: custom patch software through the deal.
Also, no, excuse my language. We've really just gotten to the point where we've extracted the image; I've got drivers for it, but in terms of going through to see what the malware is like, oh yeah. So if, you know, this machine is in a sensitive district of Ohio and we send these drivers, just, you... there's no blanket, there's no community analysis, there's no open source analysis; it's just "bro, trust me, it's good." That's not what you want for your voting system. The same for having spikes. I'm not trying to preach: you wouldn't just take a PDF that you got, knowing you're a government official, from the Chinese government and open it on your system, but again, that's where we are, getting this directly from the Chinese manufacturer. So a couple of videos here: there's the prototype when it came in; took photos of it, got it set up.
The reason I took that video, and we didn't discuss that until after the fact: we had to leave it overnight in the Caesars Palace convention center, excuse me. So we've gotten this far without it being tampered with; I wanted to have one last step to make sure this box was still as it was left the night before, before we began imaging it. So what I did, a little bit: went back, verified where the tape was, where the hinge was, and where these two pieces of tape come together, to make sure that this had not been altered. If I had put this online, "hey, we've trapped this, we've made trapping to verify no one's accessed the device without our knowledge," then that defeats the whole purpose of being clandestine in what you're doing. We did this, and the next day came in, took the image, verified that no one had opened the box with undocumented features, to make sure this hadn't been tampered with. That way, the next time when we open this, we know we're the first ones to touch it since it had been put in the box by the manufacturer. We used a very high-speed, low-drag kinetic tool to open the box. This also fixes printers, it fixes monitors, it fixes worst sections, fixes your duty page, you're really good; you also get, like, weeks of unemployment after you do that, I've heard.
All right, so what's in the box? Let's see if this runs. This is the actual prototype; took an image of it.
So you get your driver's license scanner. One of the first things we did, again, not having 100% control of the environment: the USB, excuse me, the power cord for that, left it in the bag, put it in my backpack and took it to my hotel room until we were ready to image it. Put an "I Voted" sticker over the back port; that way it would take a lot of effort for somebody to be able to plug in the machine and tamper with it before we could image it. Just the little things. This took us a lot of effort; we don't want to have just someone come screw it up just for the fun. So looking at actually what's inside the machine: we're looking to see if there's an actual hard drive, an SD card slot, anything, videos, so we can really build it as we need it.
If you saw, I'll rewind here, nope, hey, you can see there's a small thermal printer, a small two-meter thermal exhaust port, no, what's wrong with me, there's a thermal, thank you, there's a port that the ballot actually drops in for the printer. For the voting machine to run, both spools have to have paper in there, so if the internal ballot printer doesn't work, it won't run; if the external ballot printer won't work, it won't run. Four or five of us had trouble changing the paper; I mean, I'm embarrassed to say it, we're not slouches, we're engineers; it was Byzantine and complex at best. And thinking about, again, if this ever went to be the standard for the United States: if we have trouble changing it, the average person working the poll voting system, it's, yeah, it's going to go offline. They're going to put an out-of-order sticker on, the line gets longer, and CNN's going to be out front: oh, voters, it's in front. No, it's just terrible design; there's nothing malicious, it's just horrible design that we would never endorse.
All right, so we get to the motherboard and we find this, sort of a foreign find; we don't know what we've got. I think there's something here, so we're doing... it's not like, you know, just following the steps on a YouTube channel on how to image this. One of the other things, one of the things I love about DEF CON, is you get so many random people with different experiences doing this, as opposed to how you always do it; you always learn from others. They took a photo of the motherboard and did a Google Lens search and found, okay, to the letter, this motherboard from the Chinese manufacturer is this Android chip board. There's nothing malicious, there's no other secret sauce here, there's no chip that's going to receive images from the Italian satellite like QAnon says; it's just the absolute value: this is a standard motherboard without any additions. I had honestly never thought to do reverse image searches for unknown components; that's pretty slick, I'll give them that. That's why I'm kind of teaching here: that I never thought about. It's a clock slowing down; it's about a day and a half into DEF CON, we've opened it all, the reports are coming. Personal note: a lot of them are claiming credit for the research and I don't see them in my life, but that's, yeah, not bitter. Just like on the other side of the wall there was the Internet of Things village going on; we approached them, we recruited them, we offered swag and gave them some shirts; they imaged the box, they got to play with something new and exciting too, as opposed to, oh, an image, yay. In all seriousness, they came over with their gear, because I don't do chip-off, it's out of my league, I don't do those, and they actually did a chip-off extraction from the board, meaning they connected this to jumpers, and then after we finally had ignition we were able to get 123.8 gigabytes of the image of the motherboard itself. So we have the OS; this is one of the more extreme steps it would take to image something.
And once the gentleman got it connected and running, it did take overnight, so this is another 24 hours out of our 96 hours at DEF CON, another 24 hours or so lost to get the image, but if you're on target, you have to pull the image when you can. Again, going back to instructor mode, realizing that people have different skill sets, whether it was CIA, NATO, here: two is one and one is none. I flew out my write blocker kit in that beautiful low-visibility yellow case; yeah, that was weird taking that through TSA. The entire kit relied on the USB Type-A to Type-B cable up top; the reason I know my entire kit relied on that one cable was because one end was crushed during examination after I checked the bag. So there it was at DEF CON: had to take it apart, rebuild it. But shame on me, I didn't think about that; I will next time. So if you've got limited access to a targeted device, plan for the worst: have all the gear you'll need and backup gear, because you don't know if you'll have that second shot to go back and get it. Because now, if we've got Micro Center, there's a couple in Atlanta, we don't really have anything near Charlotte for electronic stores, right? Pretty barren; we've got Amazon if you want to wait a day or two.
And again, this is from my NATO forensic course, but primary, alternate, contingency and emergency. So I've made one copy of the drive; we finally get that one chip-off extraction, first thing I do is make a secondary copy, and from that two more. That way I've got one, a colleague has one, a third one's in a safe, another one's with another colleague on the west coast; that way we've got four geographically dispersed, because if one goes down, the only copy we have, getting all those elements back together to re-image it is not going to happen again. From just years of experience, the higher the case sensitivity, the greater the odds that something is going to fail. And again, Star Wars nerd here, but if you'd like to know the odds of failure, they're high, very high. The more your job depends on getting something done, you need to have backup copies, regardless of what it is, just because; I don't trust technology. So get the drive, do a basic grep on a terminal line; my Mac hates me for it, well, they don't have feelings, but, you know, I was able to grep, get the actual version of the Android. The next thing I did was go to, I don't have the slide for it, I went to NIST and got the list of known good files. It's about three or four gigs, and once you unzip it, it's thousands of known good hash value files. So I can take this, load it into BlackLight, my forensic program, and then sift out all the known good files for this image, and now I'm left with only the files that we don't know what they are, and from there then I can dig in for the reverse engineering to see what is going on with this machine that's got 4G, Wi-Fi, Bluetooth: where are my votes going, where are they stored. Then I can really dig in to see what the deltas are. But if I go through the hundreds of thousands of files of that machine, I'm just going to go crazy; it's not going to be humanly possible.
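The two steps the speaker describes, several examiners hashing the same acquired image and agreeing before analysis starts, and sifting a NIST known-good hash list out of the extracted image so only unknown files remain, as an added Python example that is not from the talk, from BlackLight or from any other tool; the file tree, the simplified NSRL-style CSV layout and every hash in it are constructed for the demo.

```python
"""Cross-examiner image verification and known-good hash filtering.

Added example (not the speaker's code). Step 1: every examiner's digest of
the acquired image must match before anyone starts analysis. Step 2: an
NSRL-style list of known-good hashes is subtracted from the extracted tree,
leaving only the files an analyst still has to reverse engineer.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def examiners_agree(digests):
    """True only if at least two examiners produced identical digests.

    `digests` maps examiner name -> hex digest of the same image. Any
    disagreement means the copies are not the same evidence; stop and re-image.
    """
    unique = {d.lower() for d in digests.values()}
    return len(digests) >= 2 and len(unique) == 1


def load_known_good(lines):
    """Parse constructed NSRL-style CSV lines: "SHA-256","FileName",...

    Returns the set of known-good hashes. The real NIST RDS layout differs in
    detail; this parser handles only the simplified constructed layout here.
    """
    known = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith('"SHA-256"'):
            continue  # skip blank lines and the header row
        digest = line.split(",", 1)[0].strip('"').lower()
        if len(digest) == 64:
            known.add(digest)
    return known


def unknown_files(root, known_good):
    """Walk an extracted image tree and return relative paths NOT in known_good.

    This is the "sift out the known-good files" step: the short list that
    comes back is what has to be examined by hand.
    """
    root = Path(root)
    remaining = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if sha256_file(full) not in known_good:
                remaining.append(full.relative_to(root).as_posix())
    return sorted(remaining)


def build_demo_image(base):
    """Write a tiny constructed 'extracted image' plus its known-good list."""
    base = Path(base)
    files = {  # constructed contents; only the two system files are "known"
        "system/lib/libc.so": b"known libc bytes (constructed)\n",
        "system/framework/framework.jar": b"known framework bytes (constructed)\n",
        "vendor/app/ballotprinter.apk": b"unknown vendor app bytes (constructed)\n",
        "data/votes/results.txt": b"candidate_a,49\ncandidate_b,51\n",
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    nsrl = ['"SHA-256","FileName"']
    for rel in ("system/lib/libc.so", "system/framework/framework.jar"):
        nsrl.append(f'"{sha256_file(base / rel)}","{Path(rel).name}"')
    return nsrl


def run_demo():
    """End to end: three examiners verify one image, then the tree is sifted."""
    with tempfile.TemporaryDirectory() as tmp:
        nsrl_lines = build_demo_image(tmp)
        image = Path(tmp) / "system/lib/libc.so"  # stands in for the .dmg/.vhd
        digests = {name: sha256_file(image) for name in ("a", "b", "c")}
        agreed = examiners_agree(digests)
        leftover = unknown_files(tmp, load_known_good(nsrl_lines))
        return agreed, leftover


if __name__ == "__main__":
    ok, left = run_demo()
    print("examiners agree:", ok)        # True
    print("files still to examine:", left)
```

Swapping `load_known_good` for a parser of the real NSRL RDS export, and pointing `unknown_files` at a mounted image, turns this into the same triage the speaker did in BlackLight.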
And here's one of the bad-influence side, getting you to spend money: that little device is a Kali Linux Raspberry Pi called a "dope scope". You know, hey, audience participation: anyone ever used one? Part of them, one. Very limited use, but they're sweet when you use them; it's a little model, a finger, buttons, and you can actually go through and look at the Wi-Fi scan, see what devices are connected, same for Bluetooth. So either, A, you've got kids on the devices late night; kids never lie about being on their phones after you put them to bed, not once, ever, yeah. But for this, the voting machine, to look to see what Wi-Fi network was created, what Bluetooth was being created at the same time that was undocumented. We didn't find anything yet, but just having it on hand, doing what we need. These are fantastic, you know, for either red team engagements, or if you're doing sensitive-site exploitation, for, oh, they have an Apple TV router hidden in the false ceiling of this ceiling, that we know, oh, there's something up there, we know to find it, versus just doing a sweep of the room and finding nothing. So, realize, for a bit of a wrapping up here, the main takeaway findings: we haven't found any evidence of foreign interference, nothing domestic, on the machine itself. We're not talking about the voting rules, what happens after the votes go to the state for aggregation; the absolute value of the machines themselves, we didn't find malware. We also never found any security updates, period, full stop. Both devices were never connected, is it...
Use it for that; a little bit of a different mindset: you're not looking for, okay, I haven't found anything malicious, but what am I, okay: they're voting on the admin account, the USB ports are accessible, there's hundreds of devices connected to them, but they're all keyboards, they're all mice, they're printers, there's nothing nefarious here, unless you rename the USB device to "Kingston Mouse" when it's actually malware; but again, you would see malware being loaded. No encryption of output: the votes are stored on the USB drive in clear text, a .txt, with no hash value. Does that bother anybody? So when you're in, oh, when your aunt Karen and your uncle Keith get that USB drive and they look at it in their car going from the voting precinct to the York County regional point here where they aggregate the votes, and they, oh, my candidate got 49, their candidate got 51. You get the adapter, you switch the votes on the clear-text file, because there's no accountability. That's where the major hack... now, the hacking, changing a text file, it's not hacking, is it? I don't know. That's the vulnerability; the solution would be get a lock bag, just like we have in the Bank of America building, I used to be a banker right out of college, old-school lock bag, twelve dollars, the key to a sheriff's deputy, police officer, whoever. You have party A, party B in the back of the car holding the bag, a third person drives them to the precinct; you've got accountability a lot further than just "oh well, we can't do anything." That would be better than what we have now. So there's no firewall, there's no antivirus programs, period; there's no audit trail for the USB drives; we didn't find any personal information, period; we did not find evidence of vote tampering. We're looking for it; we haven't found it yet, and if we did find it, we'd make sure two or three times over before we said anything, because in this field, if we found something, it would go viral: oh, you found evidence of foreign interference in Tega Cay, South Carolina; well, let's make sure we're right.
One other thing to talk about: the foreign adversary. Sure, you can connect to a device remotely through this, that or the other means, sitting in the parking lot, but if you think about it, not that I know anything about it, I don't: someone over here with an alias in a different name, with a backstopped Social Security number, the backstopped credit card, to sit in the parking lot and change votes; if you're a nation state actively interfering, you'd have to have an army of people coming over here to do it. Not feasible. It's not deep state, that's just the risk versus reward there. The other thing: we would never approve an operation where the goal would be take your USB drive with malware, under heavy observation on voting day, plug the malware in with everyone around you in the voting precinct, access the drive, change the vote and then get out with it. You don't have time on target or privacy; it would never be approved. That's a fast way to get arrested, go to jail if you're overseas, if you're acting like that to influence an operation.
you might be unalive after that in some country that's pretty stiff penalty one of the others they say oh there's this Arm and Hammer whatever boating machine hacking software written by the CIA these machines sit in High School cafeterias untouched they sit in church storage rooms if there's classified software on the machines you have to hold it as skip get up heavy accountability it's not just left down the First United Methodist Church of York County it's not going to sit out like that it just doesn't the two-person handling rule would definitely increase confidence and the result a lot legs would be the other way but what we've seen right now we're not finding anything it's a good effort
definitely recommend if you have any interest in the information security side cyber security side of this definitely it's worth getting into it's fun it really is to get this unknown unique device look at it in the world's ever analyze this and start today again it's far more fun I shouldn't say it far more fun than my day job my day job actually pays this doesn't and I like eating I'm a big fan of eating them myself so the tldr voting machine Villages are imaged before the public gets to them because again the Rick Astley picture once you have that they're useless we haven't found any boat tampering by any foreign entity minor changes to handling how the raw
boats are handled we definitely need that and we document everything for the record as they occur because we never know where this is going to be part of a bigger issue and with that I think we might be back on track for time any questions comments concerns
all right thank you
Okay: incident response, detection engineering, managed threat hunting and security operations. He spent eight years in the Mandiant environment working in a 24/7 response organization before joining Huntress as the Director of their operations center. His experience at Mandiant and Huntress has given him unique, unique intrusion [insight] from small mom and pop businesses to Fortune 500 and theology. Thanks Genie, appreciate it. So thanks to everyone for hanging out this afternoon and sticking around for this talk, I really appreciate it. It's been a couple years since I've done anything at the local level, so it's cool to see the community continue to grow, get to see people in person again, so that's awesome. Again, a little bit about me, Max Rogers, I
get to serve as the Director of the threat operations center at Huntress, and before that, like Genie was saying, eight years with Mandiant and FireEye: incident response, security operations, a lot of digital forensics, a lot of incident response type work, and then also creating detection content that goes into the products that find evil attackers when they're kind of getting onto networks. So moving forward, a little bit about Huntress in case you haven't heard of them: we are a 24/7 managed detection and response service, or a SOC as a service. We primarily focus on small and mid-sized businesses. So like when I was at Mandiant and FireEye it was a lot of Fortune 500 enterprises, large 50,000
endpoint, hundred thousand endpoint environments. What we focus on at Huntress is more mom and pop type shops, smaller businesses, so veterinary offices, lawyers, law firms, dentist office, doctor's office, retail that's not, you know, national franchises. So that's kind of where we focus, a little bit different landscape for sure, but kind of similar threats that are hitting them. And through that partnership with MSPs to get out to those customer environments we have 1.6 million endpoints deployed, and that turns into roughly four to ten hands-on intrusions every single week. So in our operations center what we end up dealing with, when I say hands-on intrusion, is somebody physically sitting at a keyboard somewhere on the internet
facilitating an attack, moving through the environment, and typically their end goal is to deploy ransomware in these environments, but occasionally we do run into a couple nation states here and there, especially when we end up landing on different companies that handle sensitive information. So to do that we have our own proprietary EDR, we also have Microsoft Defender that we use for antivirus detections, and a legacy Huntress agent that we use for some telemetry around persistence mechanisms, so how malware stays on systems even through reboots. To dive in a little bit, set the context of kind of where we're going to take this conversation: we're going to talk a little bit about what defense evasion is,
kind of get a common understanding of what we're talking about there, then we'll kind of briefly take a detour and talk about how these concepts and techniques facilitate their way through the information security community as a whole, and then we'll be talking about what, as defenders, we can do to get in front of this a little bit, because you'll probably start feeling at some point in this conversation that it's kind of stacked against us. So we'll talk about how we can turn the tide on that front. So defense evasion, we're going to use the MITRE ATT&CK definition for this, and a lot of people are probably familiar with this, but if you haven't heard of it:
techniques that adversaries use to avoid detection throughout their compromise. That's essentially the top things that we see in our Huntress environments: uninstalling and disabling security software, obfuscating commands so that human beings can't read them very easily or so that they can go undetected, and then leveraging and abusing trusted processes to hide and masquerade their operations. So pretty much the theme here is anything an attacker can do to try to not get detected. So tradecraft has kind of evolved over time. We'll kind of flip over to Twitter, so if you're on Twitter, if you don't have a Twitter account yet and you're in information security, you've got to get a Twitter, a lot of good information out there. We've
really noticed, if you think back 15 years ago, cyber security was a very young industry. A lot of the techniques that were being shared with people were happening in these closed, private forums where you had to gain the trust of that group to get in. It was very hard to just see this stuff, you know, picked up on a blog or something like that. We didn't really communicate about our findings, about how to get around security controls, how to break into systems; it was all private groups or nation state governments who were doing this on a full-time basis. And so what we started to see, you know, the last eight years, five years ago, is people kind of using their findings, and we've
developed this entire industry around red team, blue team, advocacy network. So we have this industry of red teamers who kind of use their findings as a professional career, and I'm not saying it's necessarily a good thing or a bad thing, but they kind of go to the internet and say "hey, I found this way to get around this common security control," or "I found a way to deploy my malware and go undetected in this environment, here's how I did it," and they kind of create, with their Twitter repository or their GitHub repository, a resume of how skilled they are in facilitating these different intrusions. And so we're going to dive into some of those today, and again, this isn't really a talk, we
have blue teams and red teams, I don't really want to get into the ethics of creating red team tools. There's a whole bunch of conversations in the community about that in general, and maybe later today we can kind of talk about some of that stuff too, but what I'm not trying to do is argue, you know, one is the right way or the wrong thing, the ethics behind it. It's just more observations about what we're actually seeing in the wild in these customer environments, in these partner environments. So, real world examples. This is a really good one. I won't try to make you read all this tiny text on the screen, but if you can kind of read the tweets that fly
by on Defender, because people are probably familiar with it: if you've ever had a Windows PC you've used Windows Defender, best out there on the market, but even with its high performance it still falls victim to a lot of things, and if Defender can fall victim to that, then Sophos and all the other AV vendors also fall victim to this too. We see it every single week in customer environments. So in this example this person basically identified that any user on a Windows system, whether they're privileged or not, meaning they're an administrator or not, could simply go and see where there are exclusions on the system, meaning Windows Defender will not look at that
file or anything running out of that folder at all. And so in this example, a lot of times what we'll see is attackers land on systems and they will, in their playbook, just see if there's any exclusions already existing on the host. And you might think that's kind of really uncommon, but surprisingly in a lot of IT environments, especially small and mid-sized companies or even large enterprises, what you find is somebody runs into an application that antivirus keeps eating, it keeps quarantining it, and they want to get the thing to work, and so what they do is they go put in a very broad exclusion, probably more broad than they should have done, right? So they have an entire
folder in there, attacker gets on a system, sees what they have access to, puts their malware in that same spot, and now they no longer have to worry about the security control finding that piece of software and stopping them from progressing in their attack. In this example, this is one that we saw in a real world incident at Huntress, I think this was back in May. So the attacker would land on a system, and this was one of the common ransomware groups, I can't remember if it was like Conti or who it was, but one of the ransomware groups landed on the system, they run this batch script, and inside that script there's a whole bunch of other commands
that they would run, and these are PowerShell cmdlets that basically go through and exclude every single folder that they're going to want to put their malware in. So they kind of have this playbook, they know where they're going to show up, they know where they're going to run these tools from. You also see here, I've underlined it, they completely exclude any .bat file, so all these batch files that they're going to run, these scripts that they're gonna run, AV completely goes blind to it right off the gate. So if this attacker lands on a system, they have local administrator rights, they kind of add some exclusions and they're off to the races facilitating the rest of their attack.
And you can even see it kind of reads like what they're going to do, so if you find this forensically you can pretty much go and find everything that they ran, right? What executed in these directories, what had these extensions, what processes, some of these processes that they excluded down here, what did they do when they ran these, and it kind of tells you the whole story of what the attacker was doing on that host. Another good example, and again these are all simple, these are elegant, they're not like... on here in this example, for a brief while with Defender, if you renamed an executable to, instead of .exe, .log, Defender would completely ignore it.
So you would think that wouldn't happen, but it totally did for some time. They ended up fixing it, a lot of the stuff that I'm mentioning has been patched since, but when they fixed it they didn't fix it for DLL files, which function very similarly to an executable file, DLLs. And in that screenshot what you see is the attacker downloading a malicious file, I think it creates a reverse shell back to the attacker's machine. They execute it and the first time they try it it's completely blocked. The second time they do it as a DLL and change it to a .log file instead, execute the file, it'll still execute if it's a .log file. When they run it, on the right
you see the successful connection back to the attacker's machine, just that system, Defender did nothing to get in the way on this one. This one's good for a laugh, but if you named a file dumpstack.log, Defender would just ignore it. And so I'm imagining that someone with Defender had a file that, you know, they were just trying to, you know... attackers end up finding this out, I don't know how they found it out, but the second this gets into the public sphere everyone has access to this, and so every attacker that's out there, every threat group that's out there, in between that time of initial finding
to using this in the wild, we'd see kind of attempts at this on unpatched systems. Right there you see this, somebody demonstrated this by using the tool Mimikatz, which steals credentials from systems. They try downloading it, execute it, got blocked as in previous examples, and then on the bottom side of that terminal there you see them... you now have access to use Mimikatz on this system without Defender. You have a little bit of progress from what we've seen on the AV front, so we have antivirus out there, we have EDR software out there. In this example, what is Defender actually realizing? "Hey, someone's trying to kill me, someone's trying to get Defender to stop running,"
and Defender is actually doing a great job of pushing out "hey, something is trying to turn me off." The only downside of this is it's typically people who are managing this, like managing antivirus in smaller environments, and even in IT environments a lot of times the security department doesn't even control antivirus, it's usually like the legacy IT orgs. They see that, okay, antivirus alerted and it says it removed it or quarantined it or blocked it, and so you kind of move on and say "great, Defender did its job, I move on." But if you work in security operations and see intrusions every single week you realize, like, just because Defender blocked this thing one time, there's still a good chance that
this is actually indicative of a hands-on threat actor in this environment trying to facilitate their attack, and so it's easy to ignore this stuff at face value. So this was kind of like Defender trying to say "hey, please help me," but at the end of the day they ended up probably disabling AV and getting around it if you don't respond to these in a timely fashion, because once attackers realize that they have some type of security tool in front of them that they need to get around, they're going to figure out what tool they need to run to get around it. So they identify if it's Defender, Sophos or ESET or Malwarebytes or whatever it
may be, they all have a toolkit of things that they might use. It's really just about landing on a system, figuring out what's there, realizing something stopped you and then using the tools you have to get around it. So kind of pivoting a little bit away from Twitter is Backstab. So I'm not sure if people in here have heard of Backstab before. I had not before this incident where I saw it pop up. It's a really great tool for killing off EDR products. So a lot of companies now have EDR products where they can detect, okay, hands-on interaction, lateral movement; it's more advanced than antivirus and it gives you a little bit more of a real-time forensic detection
source to triage your investigation on. And so the actual description here is "do you have local admin credentials but the EDR is standing in your way?" and then right after that it says "well, why not just kill it?" So this is a really easy, simple tool to use to get the security control out of your way as long as you have credentials. What it does is it relies on the Sysinternals Process Explorer driver, which is a signed driver by Microsoft, so it's using a legitimate tool to gain the trust of the system, and with administrator credentials, to basically get rid of the EDR and move it out of your way. So attackers have a
whole bunch of, whether it's Twitter posts, stuff that they have in their repo, playbooks, maybe they're part of an affiliate program like a ransomware group and they're getting trained up, different things. They have their sets of tools that they're going to use, and for the most part what we've noticed is it's just becoming more and more common to get these for free online instead of having to have your own cyber crime group develop these, spend time, you know, time, money, resources building out these capabilities. For a lot of folks who are facilitating these campaigns, they're just getting access to this for zero dollars. So before that incident, again, this was actually on May 18th, a real world example of
the data from our EDR that we use, and you can see the attacker coming in here and killing off the Sophos endpoint security agent. So they land on them, they ran that to use Backstab to kill off an EDR product. So we saw attackers doing this. The good thing about having 1.6 million endpoints and seeing all the telemetry coming off of that is we don't have to go and try and search and figure out what attackers are doing for the most part, or movement, and it brought us to the system, and from there we were able to see, okay, what does that do? They were trying to evade what the customer environment had. So that's pretty common to see,
attackers try to kill stuff off, and that way. Another good one, uninstalling security products, we see this all the time. One example that was just straight up trying to get another process, a tool... this is actually a real chat from our operations center where one of our analysts names
um, go and manually try to remove our Huntress agent from the system. And so this is very... I'm not sure if it was just the name Huntress tipped them off, I don't know if they'd seen us before or just kind of were looking at what was on the system and it stood out, but I think what's really important here is, again, you want to have a tree, you don't want just your EDR or just your SIEM. You really want to make sure that even if someone can kind of kill off the AV product or an endpoint security product, you need to have some telemetry coming back that tells you that that was attempted, or at least attempted, or
possibly even attempted but failed. This is a good one, I won't spend much time on this one, but AMSI was kind of Microsoft's answer to try and find all these obfuscated scripts and give us some ability to detect these, and so it worked really great for a little while, but of course red team came up with this tool: AMSI... you can totally just generate commands that completely get around AMSI. I don't know how well it still works today, the website is still up, but yeah, I'm sure for a hot minute this was being used quite widely to get through networks and environments. Last couple ones here, this is a very
popular one, you might have heard of this one, Invoke-Obfuscation. So the concept here is that PowerShell, you can really slice and dice it into a whole bunch of manual text that is impossible to read as a human being. You look at it, your brain just cannot piece it together, right? It's taking strings, it's piecing them back together, it's reading from variables, it makes no sense to the human eye. You know, if you're doing like a CTF challenge and you're looking at all that obfuscated code, that's exactly what it feels like when you're trying to write detections based on some of this logic. But for a computer to piece this all back together, when you run this in a
terminal it takes milliseconds for the computer to piece it all back together and figure out exactly what it needs to run. So that's kind of what we're dealing with here as far as like writing detections, and Invoke-Obfuscation is a common red team tool, publicly available on a GitHub repo, that plenty of attackers use to try and skirt around security controls. So talking a little bit about how we can win, because you're probably feeling like, you know, if I'm managing a network or I'm getting into cyber security, about burnout in general within the industry, how do we kind of get in front of this stuff, where are we at? This is just kind of my reflection on the last
10 years, and I will say as an industry we're getting a lot better, and the reasons why. Motivation: it is inevitable, there's thousands of additional evasion techniques. You're on Twitter every single night, I look at stuff, I say "oh, look at all this new stuff that gets around, warning," I write detections, then I go back to sleep, wake up, "oh okay, look at all the new stuff that I've got to write detections for." It happens every single night, and so that's... this is important. I mean, just sitting there you're like, I mean it really does feel kind of... it's just a technology. So again, the good news though, pivoting a little bit, making a more lighter mood:
defense evasion is inevitable. We know without a doubt that when attackers start moving laterally through the network they're going to have to use some form of defense evasion to get around the technology controls, and what I've found is that for the most part when attackers are trying to get around things, they're trying to get around technology and they're not really trying to get around people. So security operations in general is still pretty immature across a lot of organizations; even the top organizations in the world have complexity, it's tough to actually detect hands-on intrusions as they're moving through the network. And so when these attackers are trying to get around technology, they're trying to get
around an AV product, an EDR, but what they're not realizing is that they're creating noise, and a lot of blatant noise. So sometimes in security operations, if you've looked at alerts, it can be really hard to know if it's legitimate or, you know, totally malicious: is it benign or malicious, is it a legitimate admin doing weird admin things or is it an attacker? With defense evasion you don't really have that. I mean, you don't see an admin load up backstab.exe to, you know, get on with their day, right? That doesn't happen. You don't see a lot of administrators exclude very specific things, especially if that process is literally malware. So that doesn't happen a lot;
it's indicating, and it's also one of the earlier stages of the intrusion. So what I love about this is there's a whole industry created off of trying to find the initial access, right? The phishing email, the phishing lure, the initial malware that gets dropped, the exploit kit that you hit in your browser. That stuff changes every day, it's very hard to keep up with. Defense evasion I kind of cluster with, like, defense evasion, lateral movement, privilege escalation. At that point the attacker is on a system, you don't gotta guess, like, was it successful or not, they're clearly there, they're clearly stealing credentials, they're clearly moving laterally. If you can detect that piece of the attack, I know
that on the fast end we have four hours between that and ransomware, that's a very fast intrusion, but more often than not we're talking seven to ten days of that attacker being in that network, going through, figuring out where they're at, how they want to facilitate this. And today we even see ransomware as a service, right, where initial access brokers are getting into the network, setting up their initial access, doing some of this defense evasion, this lateral movement, this privilege escalation, and then they're handing it off to another group to actually facilitate the ransomware deployment. So we see that pretty much every single week. So you do have about a seven-day period if you catch it at this stage,
which means scoping the intrusion and being successful in kicking the attacker out. A little bit about how we... the detection engineering mindset, which is kind of developing as its own career path within cyber security. A lot of people, you know, they come to security operations teams and they kind of gravitate towards that, then they work in an operations center; detection engineering is becoming a much more... depending what attackers are doing, creating custom detection content and then publishing that into your EDR product, into your SIEM, whatever you kind of have at your disposal. Writing these detections, you really want to focus on the Pyramid of Pain. This is a really great graphic because it demonstrates how you want detections,
the mindset you want to be in. What you want to do is avoid the bottom of the pyramid: you don't want to write detections that basically use IP addresses, domain names, these are things trivial for the attacker to change pretty much in real time. So if they want to modify their malware, IP addresses they can swap in and out, domain names. What you want to do is write your detections in a way that finds the network and host artifacts, and their TTPs, so their tools, tactics and procedures, or their playbooks: all of the cmdlets being run to add all their exclusions, that's their playbook, right? They want to run their tools
from this location, and if you have a crimeware group of people who are trying to do this and train new affiliates to come into this group and do these operations, they kind of repeat the same things over and over again. So it becomes more investment on their part to change those procedures over time; it just raises the cost and imposes cost on them in that way. What's up: we all kind of knew that as an industry, but we were all on different security products, and so your detection logic would be different for CrowdStrike EDR versus SentinelOne EDR versus SIEM versus Splunk SIEM, and so we had a lot of people working on this problem,
but not in the same way that threat actors were doing it, right? Like, a threat actor writes a tool like Backstab, loads it up to GitHub and everybody has access to it, it works on every single system and they get to go. For us it didn't work like that: we knew what we wanted to look for, or at least we had some idea, but we just couldn't really consolidate in a way that we could all contribute to the same repository of what we want to look for. And so that's why I wanted to plug Sigma in this conversation. This is an open source project, it's a unified generic log format, and so it allows us
as a community to create detection logic in the same way, in a very simple text kind of format, where we can all take these Sigma rules and convert them into whatever tool we want: Elasticsearch or Elastic SIEM, Splunk, CrowdStrike EDR, SentinelOne EDR. This is finally our way to consolidate our efforts, figure out what the things are I want to look for, and then very quickly implement them into our products through the converter that they've provided, and there's also a couple open source converters out there as well. So you want to look into that, definitely use that QR code or Google them, SigmaHQ will get you there. So these are Sigma rules that we're all...
I won't spend too terribly long on it, but you can tell it's very well... it gives you what I want to look for, the MITRE ATT&CK techniques that were involved there. Once you put that into your EDR system or your SIEM you're immediately going to get lit up if someone runs these commands, and it's a way to identify people during the defense evasion step of the attack. So again, Invoke-Obfuscation, we have the dumpstack.log, even that one got a Sigma rule, so if anybody in the environment runs a .log you get an alert. We've gone from seeing it in the wild to seeing it posted, I've seen it posted on Twitter, seeing it in the wild and attackers using
it, to having a Sigma detection, and it's in your product within hours instead of every single person having to come to this conclusion on their own. So that's one of the big reasons I'm a big proponent, we'll check it out after this. So parting thoughts: threat actors really give us a prime detection opportunity. You know, they utilize tools designed to cut... what you need to do is utilize tools designed to catch the middle of the attack. Again, we talked about defense evasion here today, but I really want us to focus on defense evasion, credential access... that really gives us the best chance at capturing them before it goes too deep.
Again, that is, if you have an EDR, you have antivirus, it's very rare for an attacker to be able to kill all of it in one go. I think that can tell you that something else is going on, and then again, focus on that Pyramid of Pain, the tech, tools, TTPs, and impose cost so that it forces threat actors to ultimately evolve. So thank you so much, and I'll answer any questions about it, and then also I want to plug, I didn't mention at the start, but 10 years ago I was in the Fortnite security division, so is there anybody here from the 49th? Yeah, all right, awesome, yeah, come after, we have to chat, give out some cards and
just curious what you guys are talking on. So thank you everybody, any questions? All right, thanks. Oh yeah, you got it, thank you everybody, appreciate it. [Applause]
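The Sigma approach the talk closes on, as an added example that is not part of the talk and not Huntress or SigmaHQ code: two constructed rules, one for the PowerShell cmdlets that add Defender exclusions (folders and the .bat extension) and one for a DLL renamed to .log and loaded through rundll32, run by a minimal matcher over constructed process-creation events. Field names follow the Sysmon/Windows convention Sigma rules use; only the modifiers and flat conditions these rules need are implemented.

```python
"""Minimal Sigma-style matcher for the defence-evasion playbook from the talk.

Added example, not Huntress or SigmaHQ code. Rules and events are constructed.
Implements the 'contains' and 'endswith' modifiers and flat
'a and b' / 'a and not b' / 'a or b' conditions, which cover most published rules.
"""

# Rule 1: the ransomware batch script excluded whole folders and every .bat
# file from Defender via PowerShell cmdlets (ATT&CK T1562.001).
RULE_EXCLUSIONS = {
    "title": "Defender exclusion added via PowerShell cmdlet",
    "tags": ["attack.defense_evasion", "attack.t1562.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["Add-MpPreference", "Set-MpPreference"],
        },
        "exclusion_arg": {
            "CommandLine|contains": ["-ExclusionPath", "-ExclusionExtension",
                                     "-ExclusionProcess"],
        },
        "condition": "selection and exclusion_arg",
    },
    "level": "high",
}

# Rule 2: a DLL renamed to .log still runs; no admin loads a .log through
# rundll32, so this sits high on the Pyramid of Pain (ATT&CK T1036).
RULE_LOG_DLL = {
    "title": "DLL disguised as .log file loaded via rundll32",
    "tags": ["attack.defense_evasion", "attack.t1036"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe",
                      "CommandLine|contains": ".log"},
        "condition": "selection",
    },
    "level": "high",
}


def field_matches(event, key, values):
    """One 'Field|modifier' key: listed values are OR-ed, case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values if isinstance(values, list) else [values]:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def block_matches(event, block):
    """Every key inside a named detection block must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def eval_condition(condition, truth):
    """Evaluate a flat Sigma condition over the named blocks' truth values."""
    def atom(token):
        token = token.strip()
        if token.startswith("not "):
            return not truth[token[4:].strip()]
        return truth[token]
    return any(all(atom(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def rule_matches(rule, event):
    detection = rule["detection"]
    truth = {name: block_matches(event, block)
             for name, block in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], truth)


def scan(events, rules):
    """Return (event id, rule title) for every rule that fires on an event."""
    return [(e["id"], r["title"]) for e in events for r in rules
            if rule_matches(r, e)]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": PS, "CommandLine": 'powershell -c "Add-MpPreference '
     '-ExclusionPath C:\\Windows\\Temp -ExclusionExtension .bat"'},
    {"id": 2, "Image": PS, "CommandLine": "powershell Get-MpPreference"},
    # Tampering, but no exclusion argument: a different rule's job.
    {"id": 3, "Image": PS,
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\update.log,Run"},
    # Benign .log use from a non-rundll32 image: must not fire.
    {"id": 5, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c type C:\\inetpub\\logs\\w3svc1.log"},
]

if __name__ == "__main__":
    for event_id, title in scan(SAMPLE_EVENTS, [RULE_EXCLUSIONS, RULE_LOG_DLL]):
        print(f"event {event_id}: {title}")
```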
All right, ready? We have Alan Cook, who is a senior access engineer for a financial institution performing penetration testing and purple teaming,
from in-person governance and auditing. You guys have a wonderful...
Pretty good. So welcome, this got a great bio, it's basically this information here. I have worked in a wide variety of, or maybe, domains as well, across critical... I have matched my... now, this quote, from what I consider a top 10 hacker movie, it's from Sneakers. Cosmo, played by Ben Kingsley, is talking to the character played by Robert Redford, and it's basically talking about how tactics have changed and it's not the old way war was conducted. What I'd like to point out, though, is that it's about who controls the information. This ties into the Spy vs. Spy theme, and really all the hacks I'm going to cover, it's about who controls that information: confidentiality of that information,
the integrity of that information and the availability of that information. We're going to go over just quickly how the talk is structured. There are hacks that I will cover; the hacks are self-contained, so if you have specific questions about those hacks feel free to ask those, we can address those while we're in the hack. There will be a Q&A session at the end and I have information about where you can obtain the slides or contact me. I'm going to go over the hacks, mainly the known technical details. I'm including a very loose definition of hacks here: either specific events, groups of events, could be vulnerabilities or tool sets. I'll review the controls and
how those hacks could have been stopped, or maybe controls that have been implemented since then: preventative, detective, corrective controls. We'll review the political, economic and social effects of those hacks, what's changed: governmental, regulatory, as well as any standards bodies, NGOs, any groups that might produce types of regulations or guidance that might be used, economic impacts and social impacts. Let's start. The first hack I'll review is Operation Get Rich or Die Tryin'. This was a tongue-in-cheek name that the hacking crew gave their operation; obviously it's a reference to the 50 Cent solo album, and journalists picked up on this and wrote about it, and many of them have
referred to it as the great cyber heist. So what was the hack? Well, the hack was a series of hacks in the mid-2000s that targeted credit card data, started targeting many retail outlets. These are pictures of the ones that have been confirmed or were reported to have had intrusions. It was perpetrated by a group, they also referred to themselves as Green Hat Enterprises, so not black hat, not white hat, they were green hat, they wanted to earn the money. It was led by Albert Gonzalez. Albert Gonzalez was an informant for the Secret Service, had worked on Operation Firewall, which was an operation that took down the ShadowCrew forums, which was an early
2000s carding forum where you could go and buy dumps and bulk track two card data, you could buy equipment to write that data to cards and then go out and cash out those accounts. He had been an informant, he helped the Secret Service and other agencies to successfully prosecute and shut that forum down. One of the things he did was he peddled a VPN that routed traffic through Secret Service controlled servers and allowed for that information to be accessed and logged. At the conclusion of that he moved to Miami, where most of these organizations had retail outlets. And so how did he get in, how did they get in?
well the initial vectors were Wi-Fi um they would start in these retail locations branch locations and gain access to that local location then from that access pivot into corporate Networks most of the intrusions started later on they also did many intrusions with SQL injection either from a e-commerce site or corporate websites in fact they were so successful that uh and this was gained through court records and in some of their intrusions they had so much data and these organizations were storing so much old data they had a hard time finding valid credit card numbers that they could dump quickly there was too much too many numbers they actually wrote a sniffer uh this gentleman wrote
a sniffer so that they could find data that had transactions more recent um and then data and exfiltrated out they're real jackpot was when they attacked Heartland Payment Systems the way credit card transactions work is one of the steps you have to go through is through a processor that uh it's a process that transaction and Heartland payment systems were uh initially compromised via their corporate website it's a SQL injection there was incident response performed they identified the activity so all those things that Max kind of started about uh talking about those initial indicators where they they know there's activity and but then they thought they had eradicated all of um the access and the activity and and the
attackers stayed in the system bited their time and then jumped to the payment processing Network so they initially came in through a corporate website SQL injection we're in separated networks we're able to avoid getting all of their access um eradicated in the incident response waited about six months later they jump into the payment processing Network where they scrape all those transactions they compromised or numbers during this time period in cardholder data too this this was a significant amount of of cards that were compromised some cash out was performed directly by the crew and I'm referred to him as a crew it was really a loose group of Associates they also sold many dumps through a
reseller this was actually how they ended up getting caught the reseller uh got caught and uh and ended up leading back to to the crew so what what could have stopped this well uh strong encryption on the Wi-Fi network would have been great this was during the time of of WEP and so uh definitely strong encryption on Wi-Fi isolating the Wi-Fi networks from transmitting card data some of the compromises that occurred uh were transmitting um the the actual card data and doing processing over wireless networks and those networks weren't separated from other parts of the organization's Network changing default passwords and secrets on network devices purging sensitive data detective control logging and monitoring for alerting on anomalous activity like
when you see that data being exfiltrated back out using a waft the Monitor and block the requests for the SQL injection with whips that's Detective incorrective and what's the effect well one of the main effects of this the actual uh PCI standards body stood up a group to investigate wireless security and and then about ears after that they published the wireless security guidelines so that's you know uh the standing up of the bodies kind of a direct result in the publishing the guidelines and indirect results there were economic damages to the organizations the justice department reported there were 400 million dollars in Damages this this I've got an asterisk next to this because other reported figures
don't exactly jive with this and there may have been um political reasons to um to in