
Oops. Jump on this stage to talk about security. Good morning. I just want to preface this talk a little bit. So this was actually a talk that was written out of frustration for a smaller conference in Australia earlier this year, and someone came up to me afterwards and said, you know, man, that would make a really good keynote. And then a few months later Halvar put in a slide deck that keynotes are for retired researchers, so this is not a keynote or anything related to it. And it's a pleasure to be here. About 10 years ago myself and a couple of friends started a conference here in Wellington, and one of the things when you run a conference is you don't really get to attend the conference, so it's actually pretty awesome just to be able to attend them and to speak at a conference.

So a little bit of introduction. My name is Mark, people call me Pipes, my official job title is [inaudible], and really what I wanted to talk to today is, even though we're in the red team track, this is more of a talk for the blue team, and this is a talk about how to make my job harder, right? And that could be seen as a little bit, why would you want to do that, Pipes? And it's because I like a challenge, I like it when my job's hard.

So what we're going to do is we're going to go through some strategies today. We're going to go through some strategies related to how the red team and adversaries and attackers sort of play their game, and how the blue team can sort of leverage understanding those strategies to get some really quick and simple wins across their systems. We're going to go beyond patching. I recently gave some talks to Microsoft, and I remember they were working out, like, what is the number one mitigation that you should be doing, and unfortunately patching still came up tops, and I'm like, well, I don't really care about patching, everyone should be patching anyway.

Before I get started I really wanted to touch on threat modeling. How many people here saw Darren Bilby's talk at Kiwicon, I think it was last year? Yeah. One of the things that Darren had was a really good point, is that when it comes to looking at adversaries and when it comes to looking at attackers, we love to threat model and we don't do it very well. And James Mickens from Microsoft Research gave this really awesome white paper, sort of in USENIX, which sort of outlined the fact that when it comes to understanding risk and when it comes to threat modeling we tend to go straight to the Mossad, right? Like, if Mossad wants to Mossad you, they're going to Mossad you with Mossad-y things, right? And so one of the things that I want to keep in mind as we go through this morning is that threat modeling is important, and it's important to go beyond what we see in the headlines, it's important to go beyond the APT threat reports, it's important to go beyond nation-state, as we like to call it, and really consider ecosystems as a whole.

How many people know this guy? Yeah, Willie Apiata, sort of Victoria Cross winner, he's a Special Forces operative. Leader, stormed Kabul, took out the terrorists. And the red team, a lot of people like to think we're this guy, right? We like to think that we're Special Forces operations, that we have tactical gear and that we've got some cool tricks, and we're going to come and show them off on your network or against your organization, and it's going to go through and we're going to win, right? It's not true. We're talking about computer security, right? We're talking about what is literally just laptops and servers, and we're talking about, like, you know, running scripts and sort of going through strategy. So one of the things I want people to consider and take away from today is that there is no magic when it comes to attacking an organization or a network, right? There's some considerations, there's some technical thinking, there's some process as we go through, there's, you know, a little bit of creativity behind it, but there's no magic, right? This isn't wizardry, this isn't hardcore Special Forces operations, this is just computer security.

So one of the things I want to do when we go through this morning is we want to break down sort of common strategies that attackers will use and how we can sort of mitigate against them. And one of the things I was doing when I was working on this talk was thinking about how can we distill it down, can we distill it down to its absolute essence, what this magic that people seem to perceive is, and the answer is pretty simple: attackers want to get creds and own stuff, right? And if you look at any sort of modern attacker nowadays, like, the way they do it is very different sometimes, the approach that we take is very different sometimes. It may be, like, you know, phishing for credentials, or it may be phishing with a payload to get execution on a laptop and then getting credentials out of memory, right? The idea is that we want to get creds and we want to use them to own stuff, and it's pretty simple, and it's most of the attacks. I mean, even some of the newer ransomware variants, as I understand it, are very much leveraging, like, you know, out-of-memory credentials to spread laterally across networks to encrypt more files and stuff like that. So my job, my job as an Insomnia hacker, is to break into organizations, it is
to do application security testing, it is to do all the offensive security stuff that we love. When it comes to explaining my job it's actually pretty difficult, right? My job is effectively playing pinball, right? I am on your network, your network is the table, applications are the table. If you've ever played pinball it's a really awesome game, there's lots of ramps and traps and bonuses and combos and lots of tricks that you've got to go through with various trick shots. So as an attacker I'm playing pinball, and in order to play pinball I have to get a ball on the table, right? So if I have a ball on your table, what can I do with that ball? I have to sort of maneuver it up a ramp, or I have to get it up the same ramp three times in order to get the bonus points, or I want to trigger multiball, right? Multiball would be awesome because it means I've got multiple credentials rolling around your network or environment. So when it comes to working through strategies it's kind of like, okay, can you make your table as hard as possible for me to play on? Can you make it as tricky as possible? Can you make it easier for my ball to get sunk into a hole on your table? Can you make it easier for me to trigger tilt mode and shut down the flippers so that the ball comes back out of your network, right?

And in order to play on your table I need to spend money. Like, my mum used to get really grumpy whenever we went to [inaudible] because I'd demand 50 cent pieces to play the Terminator 2 game. And money is what we need to sort of get onto your table, right? Now we're talking about money in the sense of coins in this case, and not bitcoins or any other sort of Dogecoin or whatever it is nowadays, but really looking at, there's an investment from my point, right? At some point I've decided to invest time or money or risk, a strategy or a technique, in order to get into your environment, right? And what that price is varies greatly, and how I spend my money can vary greatly depending on who I am, right? So we love to talk about nation-state having infinite resources, and they've got lots and lots of budget and they've got all the cool techniques and they can come in and put it into the table and drop onto your network with six different balls and they can go to town. And that may be true, but there's also various other levels of attackers and various other levels of motivation. Venables summed this up really nicely after the Snowden leaks, where he said attackers have bosses and budgets too, right? And if you think about it, most attackers in 2017 are motivated by finance, are motivated by money, right? Some are motivated by more political aspects, but they have, effectively, either themselves or someone else they have to justify their time and money to, right? And if they're not making money or achieving their goal inside an environment, right, then they're going to move on, or try a different strategy, or go target, you know, the HVAC provider for your organization that happens to have a point-of-sale network, for example. So he had a really good point about that and I thought it was really interesting. Then it was followed up by this awesome tweet by Dino Dai Zovi, which effectively, Dino was sitting there saying, look, defenders have two approaches to reducing attacks: raising cost, right, and decreasing value, right? So if you consider the most simple strategy is, if the attackers have a budget and they have a motivation and a goal, and data they're after or a goal they're after, if you can raise the cost for them to be able to get onto the table to target that goal, while reducing the value of what they can actually get out as they play the table, right, they're actually going to be in a better position than most. And it's beyond patching, right? It's like, how can we really drive some strategies around it? And that tweet stuck with me. I can't exactly remember when he dropped it, I think it was probably around 2015, and it's been ringing in my ears ever since, right?

So in a nutshell, when it comes to the blue team and you've got the pinball table, your job is to increase the cost and decrease the value of the data that I can get, right? So increase the cost to me, decrease the value. What happens is, when you do this, when you change the way, if you make us go off playbook, if people are using the same playbook across different environments over and over and over, as a result of a deviation I have to start taking risks, right? I have to start trying techniques that I may not have tried before, attackers may try a different payload that they haven't tried before, and you see this hugely at the moment across, like, the Microsoft Office payload space, right? But what happens is that deviation increases risk, and risk means mistakes, and if we're making mistakes, and attackers are making mistakes, then you're more likely to catch them within the environment, right? And so when you're red teaming this is kind of always in the back of your mind, right? Like, we have this tried and proven method and all of a sudden it doesn't work, so what are we going to try next? What is the risk of trying the next thing? Are we going to get caught, are we going to achieve our objective, where's it going to go from here, right? So the goal is to turn us into this guy, right, which is like, it's ten past eleven and you want to order a McMuffin or some crap like that and just lose it, right? One of the things that red teams don't talk about, and one of the things that you don't often hear about, is the frustration, right? There's nothing worse, for example, than having credentials to an environment and not being in a position to be able to use them, right? There's nothing worse than it being eleven o'clock at night and it's week three of a test and you actually haven't been able to get into the organization because of various controls
that are in place, right? It's frustrating and it's aggravating. So with that little sort of super basic introduction to attacker economics and what our goal is today, let's have a look at what's going on.

So strategy number one. So we mentioned earlier that attackers love to get credentials and they love to use them to own stuff, right? So if you're the blue team, multi-factor auth, and I mean proper multi-factor authentication, right? One of the things that we see continuously is, for example, you'll have an on-premise corporate network, there'll be legions of controls that are in place, there's VPNs or SSL VPNs that are all multi-factor auth, they all go through, and then all of a sudden the organization is on Office 365 with ADFS one-factor auth, right? And it's kind of like, what's going on here? And they're like, well, you know, it's the cloud and we haven't quite figured out what we're going to do there. And it's like, well, actually, no, like, you know, you need to consider where those credentials are going to be used from, right? There are vectors from Office 365 back onto on-prem, right? There are vectors that have been being used quite successfully. So when it comes to that, non-phishable is preferred, right? Like, we're talking U2F keys, that sort of stuff, right? And if you're wondering about why non-phishable, right, it's like, you know, phishing proxies are a thing, like being able to pass, like, the OTP or TOTP and actually get logged-in sessions are a thing. A quick note there, this is subject to much controversy, as I'm actually an advocate for SMS if that's all you've got, right? Like, a lot of researchers and a lot of organizations say never use SMS, right, there's the SS7 sort of issues, there's number portability issues, there's so many different ways to hijack SMS, and even on red teams we have successfully gotten SMS tokens to be able to log into other systems that are sensitive. Look, if you have 3000 users and you're choosing between one-factor auth and SMS, go SMS, right? Like, it's a no-brainer. Like, it's going to add complexity, it's going to add risk. Why? If I number-portability attack a phone, for example, and swap out the SIM through social engineering, there's an increased chance that the target that I just did it to goes, my phone no longer works, right? And that happens, right? If you look at the Coinbase attack that went on, where they actually did that against AT&T, they noticed pretty much immediately that their phone wasn't working, presumably because they couldn't get to Twitter, right? Like, that's the way it goes. So anything's better than nothing.

And one of the other things about multi-factor auth that we tend to forget is that it acts as a very good sort of distributed alerting system, right? There's nothing worse than, if you're on a red team, you see an RDS service, you log in, it's Remote Desktop Services, there's applications published, you click on it and nothing happens, right? And the reason why nothing happens is because somewhere a user just got a notification saying, hey, we're trying to log into blah blah blah, right? And it's a sinking feeling for the attacker, because it means that we've definitely been caught on that vector, and those things have been binned, right? So creds often become useless, right? If you manage to phish credentials, or you grab credentials and you identify credential reuse from, say, like, you know, other site compromises, leaked databases and stuff like that, or even just being able to guess credentials, right, like, you know, Winter2017, still good most of the time, you know, they become useless, they're not a useful vector. You've got the creds, but owning stuff becomes a lot harder, right? Now, sure, maybe we can re-strategize on how we're going to send a payload, maybe we can go on site and try to plug into an Ethernet port, we've got domain credentials at that point, but really it becomes layers of frustration, right? And that's what we're after here, because any time we're frustrated you've increased the cost, right?

Strategy number two: restricting operating environments. So one of the things that, once you've got credentials
or even if you manage to sort of successfully phish with a docx or an xlsx or whatever, for example, you're on a laptop or inside the target environment, right? Quite often there's absolutely no controls that are actually effective, right? And when we say operating environment, we don't just mean the laptop, I mean it may be the VDI. If you're talking about applications, it may be the way that the web application is sort of structured to present the data back to the user, and stuff like that. But really what you want to do is you want to restrict execution, right, like, any and all. And we talk about AV and we talk about whitelisting, and, like, you know, I guess having AV is good, like, you know, I'm sure whoever disagrees with us on that. But the idea is that you can restrict the operating environment, right? You want to lock me down, right? Make lateral movement more difficult. It's a great way to bottleneck the attacker, right? So for example, if it is a VDI environment, you can put the controls in the background, right? So you may be on a desktop, but what's actually happening in the background, what monitoring is happening in the background, is there anomaly detection happening in the background, is there traffic monitoring happening in the background, is there, you know, memory scanning, file writes, that sort of stuff, right? So any time you can restrict the operating environment, and Qubes is a great example of this, it means that you're going to win. And I mean, if you're looking at something like Windows, like, if you're looking at, like, you know, Device Guard and sort of various other technologies that are coming in at a Windows level, it's getting pretty good. But the idea is that you want to restrict it.

The other thing that we sort of see a couple of times is we've seen a policy where the concept of privileged access workstations, right, PAWs, right, so that's where your domain admins have a separate workstation build and a separate environment for doing sensitive tasks. They can be really frustrating, because they may usually have a policy of, if we can't be bothered logging into that other sort of VDI of the user and checking it out, we're just going to rebuild that VDI, right? So you can end up in positions, for example, where you've managed to compromise an endpoint, and you may be rummaging in memory for those credentials that we love and we want to be able to use, and you find that actually no administrator has logged into this VDI, no one ever has, and only this user has logged into this VDI, and there's no credentials cached in memory to sort of go onwards from there. So you can do a lot of work when you lock down the operating environment, especially for your admins, where, you know, either getting credentials will mean figuring out how to move on next. And sure, if we look at application whitelisting, for example, if you look at something like AppLocker, for example, like, there are bypasses, right, there's magnitudes of bypasses, but here's the thing: quite often when you're dropping a payload and you're ending up in an environment you're doing it blind, right? Not all bypasses are generic, right? Not all bypasses apply to the same environments across different customers, so working out stuff blind can be frustrating, and increases cost, right? It also increases the likelihood of mistakes, and therefore increases the likelihood of detection. So when you restrict operating environments, it's just frustrating, right? If you can't actually execute the tasks that you want to do to move laterally on target, it just really destroys it.

Strategy number three. Who can name the guy on this slide? Rob Joyce, good, cool. Who's seen this talk? Half a dozen hands, maybe. If you haven't seen Rob Joyce's talk from Enigma last year, go watch it. Rob was the head of Tailored Access Operations for the NSA, and he showed up at Enigma, which was kind of strange, and he gave a talk about how nation-states are going to target you, right? And what was really pleasing
about this talk is it aligns greatly with the way that we operate at Insomnia, right? So I felt justified, I was like, yeah, vindicated. But it was a talk that was kind of seen as flaky, it was a talk that was kind of seen as, like, well, you know, he advocated using AV and we all know about that, but he had a really interesting point, right? And his point was, attackers are going to know your environment as good as, if not better than, you, right? They're going to take the time to know the environment as good as, if not better than, you. They know how you manage your environment, right? And this doesn't just apply to nation-state, right? If you look at the SWIFT banking hacks that occurred recently, there was a reconnaissance phase where they sat in there and they monitored how do you do your job, which systems do you do your job on, how do you go about it, where is it locked, right? And it's the same for a lot of the more, I guess, financial, like CFO, have you seen the CFO fraud, where email accounts are being compromised and you go away and you send off an invoice, man-in-the-middle a supplier. They're taking the time to understand what is the process, how does the business work, where are the systems, who manages those systems, who's responsible for them, what are the users, what are the users' groups, where do those users work, and they go through their process, right?

And so shadow IT is the buzzword, right? But the reality is that it's getting people owned, and it's getting people owned hard, right? And the reason is it's quite often easier to spot anomalous systems, right? Like, if you look at an environment and it's all standard build, standard configured, standard security controls, there's, like, everything's in place, and then all of a sudden there's this one system, right, and it's out there, and you look at it and it hasn't been patched, or it's kind of like got no sort of restrictions on it, so on the domain. If you're looking at cloud, right, for example, the amount of times you can look at an organization and they've got everything locked down, they've got Office 365, it's just sweet for the users, and MFA is going through there, they've got their on-prem VPN, and then all of a sudden you find, like, you know, a tasty Azure instance or something that's just randomly up there that's got no 2FA, or, no, that's got, like, credentials that can be reused. And quite often when we go back to the organization and talk to them they're like, uh, yeah, we kind of knew about that box, it was just like a vendor environment, it's not really our problem. And it's like, well, it is, because it's on your domain, right? We designed it. Or they go, oh yeah, we didn't actually know that Azure instance was in use, right, up in the cloud, and it's like, because someone just went and got a manager's credit card after being told no, right? I got my manager's credit card, logged in and signed up a new Azure instance, right? So one of the biggest capability gaps we see is that people don't know their environment, or they don't want to know their environment, right? And the thing is, attackers will know your environment, and they will find the weaknesses and exploit it, and they really understand trust relationships, right? The amount of times that we move from cloud into on-prem, right, is pretty decent, and customers are always surprised, right, because it's up in the cloud, it's not on our premises, it's up there. But there's a trust relationship, right, in the case of Active Directory, or maybe a forest relationship back up to Azure, in the case of something like, you know, Google services, that maybe Drive is in use and they're syncing files down onto the file system, and they're opening Word documents, and it's MS Word on the file system from a trusted source as far as that's concerned, right? So there are avenues to come back in.

So one of the things about saying yes is that you get to enforce your controls, right? So a great example of this was a little while ago, I was doing a red team, and during the red team we noticed that they had adopted a cloud storage service, and we were, like, rubbing our hands because we're like, yeah, we're going to get creds, we're going to pop into there, we're going to own everything. And we got creds and we popped into it and we could see all the files, right, and we started downloading them and going through. And during the debrief afterwards we're talking to them and they kind of had seen it, right? Because one of the things they had gone through is they had leveraged the backend APIs of the service to monitor where file downloads were coming from, where geographically our guys were working from, where anomalous amounts of volume of the downloads were going to. And when we were on the internal network and we were stealing files off of SMB shares they had no visibility of that, right? So they're actually in a better position because they decided to say yes, because the business was asking for it, customers were asking for it, to be able to share data. And so what they did was, when they said yes, they actually went, right, what are the controls we can put in here? And it's a classic example of where modern technology controls can actually mean better visibility and a bit better restrictions on your data and your users than your traditional sort of enterprise network, right? And you also get to gain insight into what's happening in your environment, right, live, especially with account lifecycles. Like, the amount of times that you look at an organization and they've got, like, you know, Active Directory, they've got, like, six thousand users or whatever, and they have this stringent audit policy, once a month someone's going through and matching Excel spreadsheets to what's actually in AD, right? And they're going through hardcore, and then you find, like, you know, the admin for that random box whose password is password, right? And that happens, right? It's because they're not understanding, like, what are the trust relationships, where do they sit, and keeping control on it. And everyone always comes back to me and says, yes, but Pipes, the vendor said in the SLA that they have to put the box in, we're not allowed to touch it, right? It's like, fine, figure out a way to get more visibility on that box, figure out a way to get more visibility on the network that's going to that box, right? Figure out a way that you can actually, if you can't control it, you can actually see what's going on as much as possible there, right?

Moving on quickly. Strategy number four: distributed alerting. This is the newer one and one
of my favorite ones. So the idea that, you know, and one of the things, when it comes to incidents, especially modern incidents, like, it's very rarely the security operations centre that rings up and says, hey, we saw this, right? It's a user saying, my box just blue-screened, right, and it's me sitting there going, where did my shell go, right? Or it's, like, you know, anomalous stuff. Users know how they use their systems, they know what their day job looks like, they know what's normal, they know when it's not, right? You can monitor sort of helpdesk tickets and really understand people that have had lots and lots of problems, and then, like, you can look at it and say, well, actually, what's the root cause here? And this was a great example of this, was the White House chief of staff recently, right? Took his Android into the White House, security can see, I can't update to the latest version. And I like this because Russia's been on this phone for the last three years, right? Like, and it's like that sort of, you know, people understanding how they do their job and the tools they use, it's actually a really useful alerting mechanism, right?

A really great example of this, and there's a really good blog post too, it was Ryan Huber and the team at Slack, basically have it pointed at, for example, SSH logins, right? And the idea is that if the user logs into a privileged system over SSH or whatever, they get a Slack notification saying, hey, you just logged into the server, was it you, yes or no? And if you hit no, an incident's raised, right, because it means that someone somehow has managed to authenticate as you onto a sensitive server, right? And I actually emailed Ryan, because, like, they dropped this blog post, like, we've implemented this amazing distributed system, we've got crowd alerting going on, yada yada yada, and I said to him, like, how's it working for you, right, as I was looking at my own version of it. And he said, well, I can't give you specific numbers, but at the moment we're probably responding to less than 10% of requests, right? So they were, the signal-to-noise had gone down for them, they were getting, when they got notified saying, no, actually, I did not log into that server, right, they can take it seriously, because the user knows what they're doing, right? Go back to multi-factor authentication, there's nothing worse than, as I said, as an attacker, if you've clicked something or you've done something and nothing's happening, because, you know, there's a prompt on someone's phone at 11 o'clock at night, and then about 10 minutes later the security manager's ringing you laughing, right, and caught you. So in this case you're going to catch us, and you're going to catch us pretty quickly, right? Like, it's a really effective mechanism, where in this case we've got to move slower, right? Because let's say we've been caught once, all of a sudden we know, well, any action I take as an assumed role of this user, because that's what we do, we get creds and own stuff as those users, is going to be noticed, right? And we're going to have to tread lightly. How are we going to go about this? We have to now go through and say, well, rather than just SSHing, am I going to pivot to the server, I'm going to have to ride on an existing session that the user's authenticated through, and go through that process, right? And that is achievable and we can do it, but it increases costs, right?

Restricting privilege. So this is different than restricting operating environments. So how many people here have domain admins that have low privilege and high privilege accounts? Yeah. How many of your admins reuse passwords across those accounts? It's about 30% in our experience, right? And again, we love to talk about how much we audit stuff, but are you auditing the right things, right? Attackers have tools now like BloodHound. If you haven't seen BloodHound, it means that I can figure out where I landed on your network, what credentials I have, where the users I'm interested in are, where the groups that I'm interested
are and we're the systems they are logged into and various other paths that I can take visualized in front of me right and so it means that you know we can understand it comes back to what Rob was saying we will take the time to understand your environment as good as it's not better than you right the first thing in the tech will do when they get onto a box is desync down your ID and then go through it and look at it right who is important who is the domain admin who manages finance right what groups are they as their vendor contracts who are the vendors what are the event accounts look like are they service
accounts, what do the service accounts look like, what groups have privilege, where are they? Because we're acting on a goal; we have a target in mind we want to get to, so being able to go through that is kind of important.

So one of the things we know about credentials is that they will always get stolen, right? And one of the things we know about password management is that we're terrible at it. Even the best are terrible at it. We're just not good at it, which is why we're seeing this increase in strategies on the defense side where we can do stuff like ephemeral access controls, like just-in-time access: I need privileged access to conduct this task inside this environment, and maybe a secondary approval occurs, or maybe that approval occurs for just a particular time window. BLESS is a great example of this, from Netflix; they open sourced it. Effectively every SSH session has a custom SSH key that's been assigned to the user, and the key's revoked afterwards. Even if I managed to steal the key from the user's workstation, it's not reusable back into their system without some other sort of authorization process occurring in the background. And identity-aware access controls: think about identity-aware access controls as, okay, well, this is where someone logged into a particular workstation, and the network access controls presented to me are for that AD user's group. And they can be really frustrating, because all of a sudden, if I'm inside an environment, I can no longer RDP straight from the VDI to the domain controller, for example, or from the laptop to the domain controller. So I have to go, where's the domain admin? And I have to fire up BloodHound to go hunting for the domain admin, and then find out they're on a privileged access workstation, and they're not on Windows 7 with no controls, they're actually on the latest Windows 10 build with lots of controls, and they've got multi-factor authentication, and then you find out they reuse the password anyway. But the point is it increases the frustration, increases the cost. And some of them can be easy ones. One of the things about all of these strategies is that a lot of people go, well, pipes, you know, we're a small organization, we have 30,000 users and four admins, and it's like, well, wait, you can get these ones right, you can put them in. I mean, Darren's sitting here going BeyondCorp, and it's like, yes, it's nice if you're at Google scale, if you have resources, but, like, you know, the strategies will increase... preach the gospel. So again: figuring out where to go gets complicated, impersonation becomes harder, because that's effectively what we like
to do as attackers: impersonate people and assume roles and become those roles. The window of opportunity gets reduced as well.

Hard, short recommendations: limit macros. Even with VBA, and I'm going on about it, including DDE and everything else, anything that's dynamic as far as your Office documents are concerned, just get rid of them. Why is it, in 2017, that we just hear time and time again about such-and-such was popped through a macro, such-and-such was popped through a DDE exploit? It doesn't matter. There are very few times when we go into organizations and we talk to them and they're like, oh yeah, actually there's a hard business requirement to accept unsolicited Word documents at our helpdesk with macros enabled. It's like, okay, if you need to have them, sign them. Deny anything that isn't signed. It's doable, it's achievable, it's not that difficult. There's a reason why it's in the top whatever on the ASD's list; it's in the top four, like it's number four in the ASD's essential mitigations. There's just no reason for it to actually be a risk. And if you do have a requirement to accept macro-enabled documents from other organizations, move it out of email. Move it to an authenticated secure file transfer server or something like that, a service that's sort of out-of-band, away from email, and two-factor
that file transfer service.

The last strategy I really want to touch on is again another soft one, but it's situational awareness. Now, the amount of times that we go to places, we storm through the network, the team has sort of stolen everything, got DA five different ways, owned the network that they were targeting, and the customer's sitting there going, well, we have a security operations center, we've got AV, we've got a three million dollar Splunk deployment, and we didn't see it. And it's like, whoa, okay, what were you looking for? It's like, well, no one's reading the logs, we pay someone else to do that. Well, what are they looking for? Anything that can actually flag, in a portal, generally, across all the customers that they're looking at. So there are some ways you can have situational awareness. Like Zayn from, I think it was AHD at the time, put it just perfectly: know when your house is burning down. You don't need to read every log, but if you get a spike that says all of a sudden I have a ton of failed domain admin authentications going on, maybe that's a warning sign, because you can turn to Steve and say, Steve, did you just log into fifty boxes? No? What's going on here? So it's not about reading all the logs, it's about visualizing the logs. Can you figure out baselines within your environment and do some really basic visualization? Kibana, Grafana, Splunk, whatever. Can you just pull up an Elastic instance and actually start having a look at what visualization you can do with this data? And it means that you don't get lost in the details. Like, how many people here have seen a suspicious event in their environment and started looking at logs, and all of a sudden thought that there were six different nation-state attackers in their environment stealing all their data? It's really hard to filter down to what you actually care about and what is normal. If you've seen an anomaly where you've
seen a spike of failed logins, quite often you'll be like, I actually have no idea where to begin on this. But it gives you an indicator, it gives you something that you can monitor, just have on the side, and it means that you don't have to have 37 thousand emails a week out of your SIEM going "seen this" for you to ignore, because you know that it's Joanne in accounting doing something.

Canary tokens are another one that I really wanted to touch on. Canary tokens keep me awake at night. For those who aren't familiar with canary tokens, the idea is that you can place a document, a service, AWS API keys; it's kind of like a classic honeynet example, honeypot example, but you put them in your environment, and when someone reads a document that should never be read, you get a notification. When someone has tried to use an API key that should never be used, you get a notification. When someone has tried to RDP to a server that should never be RDP'd to, you get a notification. So the idea is that, again, it's almost like visualizing: rather than worrying about what's going on within your logs, you can actually be like, I only care if someone tries to RDP to this box called DC01, super important, internal organization. Or someone's just clicked on payroll.xlsx in the G Drive admin temp "do not open, restricted access" folder, because that's what we do: we go to G Drive, we go, hey, it says do not open, we're gonna open it, have a look. So it's a really important way to consider that as well.

Sort of summarized: attackers have budgets, they have bosses, they have goals, they have things they want to go for. And if you can look at these strategies and you can put in some basic mitigations, like if you adopt one of the strategies that we looked at today, you're already doing better than at least 50 percent of the
organizations that we see. If you adopt two, you're all of a sudden in the top twenty percent. Easy. And if you work through it, like all of the strategies that I've discussed, like I have talked to customers about, we've gone through it, it doesn't matter if they're ghetto. Like, if your visualization of your failed logins is ghetto and it's horrible and it breaks every now and then, it doesn't matter, because it's still better than nothing. If your MFA is a mess, it's still better than nothing. If you all of a sudden just go, okay, well, we can't really change the way that passwords and credentials are managed, but it's kind of privileged access workstations just for our domain admins, it's still better than nothing. And all of them will increase the cost to attackers when they're executing inside your environment.

So the last one is obviously, and I'm just joining macros in saying yes, shadow IT is a big problem. Attackers will know the environment as good as, if not better than, you. They'll do it in record time, which is always surprising, and they will take advantage of it. Those trust boundaries, those trust relationships matter, and even though they don't fit in your architectural diagram from when you built your network two or three years ago, they matter today. And if you really want to understand more about that, go see Middle School's talk tomorrow afternoon, because, well, I enjoyed it anyway. And your users' knowledge: users are the best protection mechanism, in my opinion, as far as anomalies go. Like, all of a sudden I got this two-factor prompt, tell me about it; all of a sudden I noticed that I had a new login to my cloud file service and my inbox, and it wasn't me. That sort of stuff matters. So I think I'm a couple of minutes over, so I can't really take questions here now, but I will be around for the conference, and yeah, enjoy. [Applause]
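The two detection ideas from the talk, a baseline-and-spike view of failed privileged logons and a decoy (canary) account that must never authenticate, as an added example that is not part of the talk or the speaker's tooling. It assumes a simplified "timestamp event_id account workstation" line layout rather than a real Windows Security export; the sample events, the account and workstation names, and the thresholds are all constructed for illustration.

```python
"""Baseline failed-logon spike detection plus canary-account hits over
simplified Windows-security-style log lines (added example, not from the talk)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a simplified "timestamp event_id account workstation"
# layout (not a real exported Windows log). 4625 = failed logon, 4624 = success.
# Hours 08-11 show one stray failure each for the domain admin; hour 12 shows a
# burst from three workstations, then one touch of the decoy account.
SAMPLE_LOG = """\
2017-11-16T08:05:12 4625 CORP\\da-mark WKS-044
2017-11-16T08:41:03 4624 CORP\\da-mark PAW-01
2017-11-16T09:12:55 4625 CORP\\da-mark WKS-044
2017-11-16T09:30:10 4625 CORP\\jo.accounting WKS-102
2017-11-16T10:03:47 4625 CORP\\da-mark WKS-044
2017-11-16T10:17:20 4625 CORP\\jo.accounting WKS-102
2017-11-16T10:18:09 4625 CORP\\jo.accounting WKS-102
2017-11-16T11:22:31 4625 CORP\\da-mark PAW-01
2017-11-16T12:01:02 4625 CORP\\da-mark WKS-210
2017-11-16T12:01:09 4625 CORP\\da-mark WKS-210
2017-11-16T12:01:15 4625 CORP\\da-mark WKS-210
2017-11-16T12:02:40 4625 CORP\\da-mark WKS-211
2017-11-16T12:02:44 4625 CORP\\da-mark WKS-211
2017-11-16T12:03:01 4625 CORP\\da-mark WKS-212
2017-11-16T12:03:05 4625 CORP\\da-mark WKS-212
2017-11-16T12:03:09 4625 CORP\\da-mark WKS-212
2017-11-16T12:17:33 4625 CORP\\svc-canary-backup WKS-210
"""

PRIVILEGED_ACCOUNTS = {"CORP\\da-mark"}        # hypothetical: the accounts worth a dashboard
CANARY_ACCOUNTS = {"CORP\\svc-canary-backup"}  # hypothetical decoy: must never be used
FAILED_LOGON = "4625"


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: str
    account: str
    workstation: str


def parse_events(text):
    """Parse the simplified four-field lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, workstation = line.split()
        events.append(Event(datetime.fromisoformat(when), event_id, account, workstation))
    return events


def failed_logons_per_hour(events, accounts):
    """Count failed logons for the given accounts, bucketed by clock hour."""
    counts = Counter()
    for e in events:
        if e.event_id == FAILED_LOGON and e.account in accounts:
            counts[e.when.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def detect_spikes(hourly, min_history=2, sigmas=3.0, floor=5):
    """Flag an hour whose count exceeds mean + sigmas*stdev of all earlier hours.
    An absolute floor keeps a baseline of 1 versus 2 quiet. A production version
    would also fill hours with zero failures and keep flagged hours out of the
    baseline; both are left out here for brevity."""
    spikes, history = [], []
    for hour in sorted(hourly):
        count = hourly[hour]
        if len(history) >= min_history:
            threshold = max(mean(history) + sigmas * pstdev(history), floor)
            if count > threshold:
                spikes.append((hour, count, round(threshold, 1)))
        history.append(count)
    return spikes


def canary_hits(events, canaries):
    """Any authentication attempt, successful or not, against a decoy account."""
    return [(e.when.isoformat(), e.event_id, e.workstation)
            for e in events if e.account in canaries]


def triage(text):
    """Run both detections and list workstations that appear in both, since a host
    that failed privileged logons in a spike hour and then touched a decoy is the
    first place to ask 'Steve, was that you?'."""
    events = parse_events(text)
    spikes = detect_spikes(failed_logons_per_hour(events, PRIVILEGED_ACCOUNTS))
    hits = canary_hits(events, CANARY_ACCOUNTS)
    spike_hours = {hour for hour, _, _ in spikes}
    spike_hosts = {e.workstation for e in events
                   if e.event_id == FAILED_LOGON and e.account in PRIVILEGED_ACCOUNTS
                   and e.when.replace(minute=0, second=0, microsecond=0) in spike_hours}
    pivot_hosts = sorted(spike_hosts & {w for _, _, w in hits})
    return {"spikes": spikes, "canary_hits": hits, "pivot_hosts": pivot_hosts}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The baseline only looks at earlier hours and the floor suppresses noise, so Joanne in accounting's handful of typos produces nothing while the domain admin's burst in hour 12 does; the canary rule needs no baseline at all, because a single event against an account nobody should use is already the alert.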