
Choose Your Own Adventure: Group Interactive IR Scenario

BSides Tampa · 2024 · 45:12 · 222 views · Published 2024-04 · Watch on YouTube ↗
About this talk
Perfect for students and those looking to get into cybersecurity! It's 4:45pm in the office (remember when that was a thing?). On a Friday. Almost time for the weekend! Your mind turns to your plans. [insert ideas that Gap employees would find funny for the weekend, i.e. working out Saturday morning to fit into the new low-rise Gap skinny jeans for Saturday night out]. And Sunday morning, well, absolutely nothing; you plan to sleep until the afternoon. Then the phone rings. Do you answer it? And so begins your adventure! An educational, fun, and humorous opportunity to learn about different aspects of incident response where YOU choose what happens next!
Transcript

Hi, like he said, my name is Marina and I will be introducing Bryson. Bryson is the founder of SCYTHE, a startup building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy, and co-founder of the ICS Village, a nonprofit advancing awareness of industrial control system security. He is a senior fellow at the National Security Institute and an adjunct senior technical adviser for the Institute for Security and Technology. As a US Army officer he served as a battle captain and brigade engineering officer in support of Operation Iraqi Freedom before leaving the Army as a captain. He is recognized as a Top 50 in Cyber by Business Insider, a Security Executive of the Year finalist by SC Media, was awarded Tech Titan twice, and is the 2023 SANS Difference Makers Award winner for Innovator of the Year. Please welcome Bryson on Choose Your Own Adventure: Group Interactive IR Scenario. [Applause]

Check, check, check. Who remembers my keynote last year? Hold on, seriously, who remembers my keynote last year? Really awkward way to kind of be in the same position again, but I'm ready. So before we get into the Choose Your Own Adventure, which is really nicely fitting with the theme of being the dungeon master and the Dungeons and Dragons and Stranger Things, and I'm tap dancing like poor Josh had to do here, this is actually now part of the talk. So I created this because, who's

done a tabletop exercise? And you've been to one of my talks before, so you know how interactive I get, and for the first time in any one of the talks I've given, and I've probably given a very large number, I don't even remember, I've never had a group that could escape me, because I like to get into the audience and get interactive. So congratulations, you're safe, and I even debated figuring out how to run up there to still try to make a point of it, but I'm not going to do that.

So tabletop exercises are a great way to teach. They're a good way for us to communicate with each other as IT practitioners and IT security practitioners, a great way to communicate with leadership, and a good way for beginners and folks who are not in our space to get to participate. But the problem with hundreds of folks is I can't do a tabletop that way, so: Choose Your Own Adventure, which ties also back to the nostalgia. Coach said he's a 90s kid; I'm a 70s kid, and we did grow up with these things called books that were made of paper, and I know, we didn't have cell phones back then either. So the Choose Your Own Adventure idea is that there are hard-coded concepts, or hard-coded choices, built in, so you are all going to be participating. We as a group are going to go through this together.

Now, what makes this industry so hard? You made eye contact, but you're up front, so I'm going to let you slide. What makes this industry so hard? Because you have the smart-looking glasses. "Choosing a direction." Choosing a direction: fortunately for everyone here there is a Career Hacking Village with resume reviews, professional photos and mock interviews. We got you. Yeah, you, looking away doesn't help you. "Lots of unknowns." Lots of unknowns. Is security solved? No. Guess what that's called? Job security! Woo! They can't fire you. I mean, you can get laid off from a company, but another one's going to hire you back. Security is unsolved, but there's an emotional cost to that. Everyone is here because of passion and interest. You are defending the world. It may not feel that way when you're like, I work a nine-to-five job in a cubicle, but Russia, China, North Korea, Iran, they've made us the front, and you are part of that front line. And because of that passion and your interest in what you're doing, it makes you very vulnerable emotionally. Think about all the things that we have been through as a country and a society in the last four years. It is taking a toll. Burnout is not just a word, and so I caution you to be able to put it in perspective. Reach out for help. If you're a vet, I do a monthly dinner; it's a private dinner, reach out to me. I can't guarantee you will get an invite, but please get help, reach out. There's three parts that make us humans: physical, emotional and spiritual. If you are not taking care of yourselves, you can't take care of everyone else, and I'm going to give you an easy one. When you are on an airplane and they give you the warning about the mask, what's the first thing they tell you to do? Do yourself, not your children. Mother of the year.

Hypoxia is when your brain doesn't get enough oxygen, and the thing about it is you don't know. It's like being drunk: you don't know how drunk you are, you just think you're funny and good-looking. And the problem is, and the reason that they do that, is because while I'm trying to help you put on your mask, if I pass out, I can't help you and I can't help me. Step one, you have to take care of yourself first. That doesn't mean be selfish, that doesn't mean be cruel, that doesn't mean cheat, that doesn't mean steal, that doesn't mean take, but that does mean you need to look at yourself and go, where am I taking care of me? Two, then who can I help put a mask on around me to help them? This is hard work and it takes a toll. Take care of yourself, take care of each other. It's the only way we're going to get through this, because for those of you who are wanting to come into this industry, you will then learn that feeling as a three-day weekend approaches: am I going to get it? Is my phone going to ring in the middle of Bryson talking, and can he find me? Feel free to point them out if you are sitting next to them. I'm looking. If you were up there, damn it, again. Going to put it into my contract

riders for speaking: no, no second floors. Also a sign of my age: I used to be acrobatic and I would just jump up on the stage to impress you. I ain't doing that [ __ ] anymore. Let's go. You already got my intro. I do crazy [ __ ]. The ICS Village, I'm the co-founder of that with Tom Van Norman; I will be camping out there for most of the day. Also, just to put it on your minds, we have our own conference called Hack the Capitol. The seventh one is coming up in Washington, DC at the end of May. We will have a hybrid option, so for those of you who cannot make the trip up there, you will be able to watch what we're doing. It is the introduction to critical infrastructure, and we came up with the idea because we travel all over the world teaching industrial control system security, and it occurred to us, wait a second, these [ __ ] are in Washington, DC with money and regulations, let's do that with them. So we get members of Congress, directors from agencies and a lot of govies who actually come to that to learn and to build relationships with you. They really are trying to get past the "oh, what does the K Street lobbyist say?" They want to meet you. They really do want to craft regulation and ideas that make this country safer with your input. So that is what we're doing with the ICS Village. That's where I'll be most of the day.

That's me, actually me. Had a lot of people like, wait, what? So a lot of people did some weird [ __ ] during COVID. I decided to not cut my hair or cut my beard, and it turns out if there was an Olympic sport for beard growing I'd be the gold. That was in eight months of not shaving, and so I decided to do a bunch of characters. So for those of you who know Cyber Gandalf, that's Cyber Gandalf. That's actually me.

All right, we talked about this. You don't have to be technical. We're going to be doing democracy, and by the way, democracy means whatever I feel like is what the answer is from what you're all raising your hands. That's how we're going to do it. You can ask questions; I mean, you've already seen I'm going to get out there and I'm going to ask questions for you, so you can ask questions. I want you to feel uncomfortable. It's the best I got. Discussion is encouraged. Next slide. Oh, I guess I did take out a disclaimer, because I get the "well, actually" crowd. Big surprise. Look, folks, this is a game. Like any game there's parts of it that aren't quite accurate, there's parts of it that may not apply, there's parts of it, you know, chill out, relax, okay? It's meant to be fun, it's meant to be educational, and just like the real world in any of these incidents, as you go through it you're not going to have all the information. Just like real life.

It's 4:45 p.m. in the office. I remember when being in the office was a thing, and sadly, who's being forced to go back to the office? Who's happy about that? Have you seen that meme where it's like, come back to the office, the office culture, and it just shows cubicles? Winning hearts and minds. Almost time for the weekend. Your mind turns to your plans. Well, let's be honest, it's mostly catching up on sleep with nothing to do, but you're hoping there's no incidents. The phone rings. Do you answer it? We are going to... can I take a picture of you with that? Is that Coach's? That sounded like Coach. Who said that? Hold it up. There you go. Sweet.

Not to be pedantic, is it your work phone or your personal phone? How many of you have a bring-your-own-device policy at your company? How many of you that are not raising your hands knew there was one? I want to make sure I get you a sticker. I have a special sticker that is only for people who really participate in this talk. For her. So for those of you who said no, raise your hand, own it. All right, employers, you see, round them up. Who votes yes? Yes it is.

Hello. A clearly disguised voice speaks. Are you awake? What? Find anything strange today? Stranger Things reference. Strange? We do... you want... don't make me do dad jokes. We can just... I will stop it right here and I will start doing dad jokes non-stop. You play along. Jane from marketing, is that you pranking me again? I'm not going to fall for that one again. Did you pick up your daughter from school today? I don't have kids. Yeah, sorry, I just couldn't resist messing with you. Anyway, you've been hacked. Send 10 Bitcoins to the following wallet. Your coworker Ted is looking at you. Your face must have given away that the call wasn't good.

Who's ever received that call? Who's been through a ransomware incident and wants to admit it publicly? Oop, you already moved, too late. Don't worry, for your public embarrassment you will get a sticker. So, life choices, man. So what was that like, going through a ransomware incident? "Uh, just long hours, very stressful, annoying." Yeah, just miserable. [Laughter] Oh, FBI. You get one for that too. That's cool. I'm going to assume everyone here is on the side of good.

And so it begins. It was an unlisted number. Your mind begins to race. As the current on-site lead for the company's incident management process, the next step is up to you, and while you have done a tabletop in the past year, you never did quite get around to documenting the process.

If you don't write it down, it's amazing how you forget, you know, because more important things. Sure would be convenient to have that available now. Ted stares at you, waiting. All right, this one's tough because it's the beginning. We got a lot of choices, right? So as he was talking about, what we're about to go through in real life would be miserable. What is ransomware? "Free encryption software." Who said that? "You can proactively test your infrastructure, or we can do it for free." What was that? "A post-paid pen test." Also a very good answer, right.

Why is ransomware? Who said money? Really, really think about it. Who's doing ransomware? State sponsored. There are different levels of relationships between organizations and states. If you want to get into detail about it, go check out Jay Healey out of Columbia; he has a great table that walks through the different affiliations. So in 2020 I gave a keynote with Chris Krebs, who was the director of CISA at the time, at RSA. The biggest takeaway from that keynote in February 2020, February 2020, was ransomware. Ransomware is coming. And everybody said the part that gets everyone's attention, which is money, but money isn't the real motive behind all of this. Motive is different than what's happening, right? What actually turns into the ecosystem, because ransomware is not this monolithic thing: we have folks who specialize in breaking in and getting access, we have folks who build the ransomware, and we have folks who operate the ransomware. They're all driven by money. In fact, not only are they driven by money, they run themselves like they're a business. Some of them are large enough they even have HR. Criminal HR. I don't remember that part in The Godfather, but it's probably the one part of human resources I could even get on board with. But behind them are military and intelligence objectives. Ransomware is not just about money. The money is what gets the attention and imposes the cost beyond the denial of service, but there is a lot more going on behind that chessboard that you need to be aware of.

Now, there is one of the adversaries that I mentioned that actually is primarily motivated by money. Who is it? North Korea. Why North Korea? Because they need money. Let's talk about that. "Uh, well, North Korea receives most of its funding, well, not most of its funding, but a large portion of its funding for its nuclear weapons program through ransomware. I believe they had one of the largest ransomware... no, not ransomware, but it's in one of the Darknet Diaries stories, Jack Rhysider talked about how they pulled a lot of the money out of, I can't remember the name of the bank account, but that's an example of why they're monetarily... that has nothing to do with ransomware, but that's like an example of why they're monetarily motivated. But like you said, there is an intelligence motivation behind it also, but they happen to benefit also from money. They don't have a lot of the wealth that Russia and China might have, but they... yeah, sanctions." What is North Korea's currency? "Their what?" Their currency. "I couldn't tell you." Yeah, what is their currency? What is their currency, please? "I don't know either." Because nobody [ __ ] cares. It's worthless. Something only a few people know about me is I grew up in the Soviet Union. Wait, totally. I moved here in 1990 from Moscow. Middle school was not kind to the fact that my fashion choice was still Europe. Kids can be cruel. So the Russian currency, the Soviet currency, was rubles. They had the same problem: outside of the Eastern Bloc no one would take rubles. Just like, again, I don't know what North Korea's currency is because it doesn't have any meaning, and so to conduct their intelligence and military operations they need hard currency. So there is an adversary that is literally like an organized crime state to accomplish these objectives. The others are using it as a foil for other national security implications.

Okay, so to our choices. Who wants to call the CEO? "I'm a CEO." Who wants to call the CISO? Power off all systems? YOLO. I will give you some life advice, and this is true, take it to the bank: you can do anything once. Call the lawyers. I can't tell if you're tall or you're just really good at raising your hand, because that was like the highest hand I've ever seen. Check the endpoint logs. SIEM log analysis. How do we pronounce that? Is it "seem", is it "sim", is it S-I-E-M? I personally have had Jen Easterly correct me on how to pronounce... I still don't do it right. Is it "CISA" or is it "sisa"? Whatever. Call the red team. Oh, come on, nobody? We get lonely. Show us some love. Cut off all internet connections. Also see asterisk: you can do anything once.

All right, it looks like check the endpoint logs had the most. The Unicorn Company Incorporated is a large multinational company; please see your SEC filings and your 8-K. That is a lot of endpoints to look through, and you're not quite sure yet what you're looking for. Without any data to narrow down your search, it's like finding a needle in the haystack. This is one of the hard parts when you work in a SOC: the systems are not really tuned for you. You are looking at a haystack most of the time, and you don't even know if there's a needle. What is the solution to

that? "Not getting hacked in the first place." Good luck with that. No, I was just trying to be awkward, like I can't run across the beach in slow motion toward you. Hold on. The solution is to get all the logs in one place before you desperately need them, and, you know, search on them with queries. This is what a SIEM does, right? This is why I've looked at... okay. So as we're going through an incident, what could possibly be the worst moment? "It evolves right in front of you." It evolves right in front of you. That's going to happen anyway; keep both hands inside the roller coaster ride. You just have a kind face. "The worst thing that can happen is you can't find it." You don't... well, the good thing about ransomware is it calls you and tells you it's there, so we have found it. "You don't know what you don't know." "It doesn't exist." The search can be infinite. If you're looking for something that does not exist, the search can be infinite. I will tell you, having done this for a long time, I can tell you I'm on a box and you'll never find me. That's how hard this is. "The worst..." High five. Boom. The worst moment in any part of an incident is when you go to the backups. The backups don't work. They always work. When's the last time you tested your backup? When's the last time you tested your off-site backups? Because if they are local, I'm nailing those. The second worst moment is what we're coming to here. Yes, I am trying to build my SIEM with visibility. Wouldn't you believe it, that sometimes breaks. The logs don't always get there. I could have sworn we put them in last week. Oh, oops. And then most of us focus on visibility: am I able to see all of the assets, can I prove them? Which is just putting more hay in the haystack. Here is a fundamental truth that is a different way of looking at all this stuff than you've ever thought of it before: it's all just data science. It is data science. Our jobs are data science. The fidelity that I can establish alerts, which bring a human into the process, and the time that that happens. Because here's another thing that will blow your mind: most of you who have practiced telemetry have done it in a lab, and I put a rule in and it goes right into the SIEM and it's instantaneous. In the real world it can be hours. You did the right thing, you had the visibility, you had the right alert; it still took five hours to populate from Defender into your SIEM. You need to know that.

All right, so you give it a shot for about an hour and a half before Ted groans. I don't know why he groaned that way. "Can we check the firewall logs? Maybe we can correlate suspicious outbound traffic there." So do we want to do that, or do something else first? Check the firewall logs. You have to raise your hands, folks. Fine, checking the firewall logs. You check the firewall logs, and sure enough there are a few suspicious outbound connections, and several computers are beaconing out to them. How likely is that initial outbound traffic we're going to see going directly to .ru? Why? Why isn't it going directly to the operator in Moscow? "GeoIP rules are blocking that." Because it turns out we don't do legitimate business with .ru, particularly since they invaded a sovereign country. [ __ ] them. Slava Ukraini. So where do they go? "Amazon." Who said Amazon? That's a sticker. That is an answer. You can't script that [ __ ]. They go to cloud, because AWS or Azure or any of them, not saying the other one, I was going to say Oracle, but I hate them, their licensing schema just is meant to create pain. So it is easy for the adversary to create what's called gray space, right? Going directly to red, where they're coming from, is a giveaway and you're going to stop that easily, and so I need to create a benign connection, and what better way to do it than to have Trey saunter down. That's Trey. Say hi to Trey. Than to have it look like a legitimate connection.

Who's heard of shadow IT? Who's heard of the shadow internet? You're going to go two for two. "Shadow internet, dark web." Nope. Shadow internet is not the dark web. What's the shadow internet? There's no wrong answers, except for the wrong answers. Folks, you're going two for two. "Would that be connecting maybe another interface to a separate... let's say, for example, you have a work computer and then you decide to connect it to your hotspot?" "Could it be a rogue ISP that a customer at your company set up without your knowledge?" The best hackers in the world are your employees when you get in their way. Think about it. Get some calisthenics in. "I'm going to go with all those sketchy IP ranges that belong to, like, Russian ISPs." No, those are easy. Those are easy. Who do we do business with? Other businesses. Do we have ephemeral or continual VPN or sessions with those other businesses? That is the shadow internet. There is an entire way that I can communicate around the world through all of your legitimate connections that you have for business purposes. Yeah, try and find me. What is the most common command and control traffic? What protocol? "443." HTTPS. Yes. HTTPS versus HTTP: security. I didn't have to create some fancy Russian cryptographic system; you're giving it to me.

We're going to take a quick trip down history lane. You're welcome to groan. World War II: the German Army used the Enigma machine to be able to communicate encrypted around all of their units. You've all seen the movie with Benedict Cumberbatch, or however you pronounce his name, how they broke it. But before that we were actually getting a lot of information. So some of you may realize this, again because you're old like me, things used to be done manually. Enigma machines were manual, and the operators that ran those machines that sent the messages between the units, it turns out there was a very particular cadence to the way they typed, which meant the Allies were able to determine who the operators were, tied to which divisions, and so I could track troop movements tied to that, tied to times, even if I couldn't decrypt the message. The takeaway here is even if I can't decrypt what is inside of an HTTPS packet, there's still interesting metadata that you can use for analysis, all tying into what we're doing here for discovering our outbounds.

So we learned there are eight machines that have reached out and pulled a page from pin.com, which is not normal behavior. Who has pin.com not blocked? Nobody wants to admit that, that's cool. Come to think of it, why is pin.com on the allow list to begin with? Now that you know exactly what to look for and where, you decide to check the endpoint logs. So now we have tied it down to eight machines; we tied it to outbound traffic and a suspicious site that is involved. Sure enough, once you knew what you were looking for, the log query immediately returned exactly what was going on. You review the endpoint logs and see new files being created and encryption of key local files on eight machines, then a new file is pulled from pin. The activity is coming from an executable named "more bacon". More bacon is also trying to establish SMB connections with other IP addresses on the subnet, a classic example of lateral movement as documented in T1570, MITRE ATT&CK. Who knows MITRE ATT&CK? I want all of you to repeat this

with me: MITRE ATT&CK is not a bingo card. MITRE ATT&CK is not a bingo card. It is Russian roulette. I want you to think of MITRE ATT&CK as a periodic table of elements. The brilliance of MITRE ATT&CK is it finally gave us a common vernacular to be able to describe attacks. The problem is, it's so useful and simple, you look at all those boxes and you're just like... do not do that. So just like a periodic table of elements, the way I describe the physical world with one part hydrogen, one part oxygen: when you're thinking of testing, do not just limit yourself to testing those things that way, because an attack is state-based. I didn't steal credentials to high-five everybody. We're going to switch it to Beijing. Around the opposite, I'd be like, yeah, we got there, we got it, we curb-roasted, I got the tickets, we're done. I stole those credentials because it advances what I'm doing next. That looks different on that computer and that looks different on the network, so the detections we're building to log and to do these things need to take that into account, because now we're going to do some Bruce Lee: it is not hydrogen and oxygen, it is water. You can sit in the reserved seat. You're reserved. Oh, you are in one. Our keynote. Because that looks different. That is showing up as water, which is not hydrogen and oxygen. So for those of you looking where to start, free tool by Red Canary, Atomic Red Team, who's used it? Great place to start, but it's in the name: Atomic Red Team is where you start. From there you need to grow to being able to build these complex pieces so you're driving enough signal, going back to our data science, so that these are working the way we want it.

Okay. SMB: should SMB be leaving the perimeter? You need to be yelling "no". It is a local file transfer protocol. It is leaving your perimeter. We have already seen a lot of reasons that is bad, but it is a great way to move inside, because I look like legitimate traffic. Again, the same reason I'm using HTTPS is the same way I'm using every protocol that is already on your network. I am using your tools. Why would I create things that I don't have to? It's more work and it's harder to look like you anyway. Hackers are lazy. Thank you for giving me the tool. In this case the ransomware is using SMB to file-copy itself. So far it appears that it has only managed to infect the eight machines you've identified so far.

We've got four actions here. Should we segment these eight systems into a quarantine network? Call the CISO? Do you not like your CISO? What's the problem? Why don't you like your CISO? She's really nice. She looks so stressed out all the time. All right, call the lawyers. Well, I understand why you don't like them, that's easy. Perform forensic analysis on the eight systems with the morebacon.exe. All right, you all jumped right in, you did this one quickly. Okay, segmenting. You've identified that the ransomware is trying to infect other computers through SMB, so you decide to quarantine the infection. It would be the next step; it doesn't help to fix some computers if the malware is still spreading. Has anybody ever had that happen before, you reset a system and it gets immediately popped? That happens. It could possibly reinfect the machines as you fix them. "Ted, let's segment the eight computers that are infected and quarantine them from the rest of the network." "That's a good idea, but do we know the impact to the business?" What you are about to find out: Leroy Jenkins. "Yeah, I guess we don't." Ted's a little wiser than you. "If only our asset management included business impact and value." Who has a CMDB? Put your hands up. Who has a CMDB? Come on, put your hands up, you all have a CMDB. Who has a CMDB you trust? No hands. And this is one of our challenges in security: we are customers to IT telling us what's there. You want to know a really funny hypothesis? The entire reason we do vulnerability management is because we literally don't trust the CMDB. We as an industry are spending 11 billion globally with the three providers to do scanning because we don't have a CMDB. "I mean, at this point we've got an infection, maybe it's worth the risk." "You know, I respect you, but maybe this is safer as a decision made above our pay grade." Cover your ass, you know. Good call. This is a great time to call the CISO. We've confirmed the problem in detail and now we just need a business decision. Call the CISO? Finally. Call the lawyers? We are calling the CISO, and hopefully none of you ever get a UI. The CISO answers immediately. It's like, oh, oh, all right. This usually is a woman, but I actually did this as a private Choose Your Own Adventure for a company, so the CISO was named Andy, so I worked him into it because, I mean, his people didn't respect him. It's okay. Fair enough. It is Andy. The woman was expecting your call. You explain the situation. "Have you briefed legal on the incident?" "No, we haven't, but apparently that option is missing." Apparently you did. You're fortunate. You did really want to brief the lawyers in earlier, so we're going to break the fourth wall here on that. Why should we have called the lawyers earlier? Again, I get it, I feel your pain, I feel your pain, I feel your pain. Why should we have called the lawyers earlier? Why? What is legal's role in an incident? Raise your hands, come on. Just like we know that purple teaming is because red and blue are primary colors, boys and girls. Congratulations for graduating kindergarten. You raise your hand, Keenan. "To protect the company and organization from any legal fallout that might come from the disruption of privacy and data." And she raised her hand, you jackal. All right, click. Yes, including your conversation with Kendra. That is the lawyer you did not talk to earlier, but you're lucky you did, because quality control on slides, and her recommendation to make forensic copies for further analysis and proceedings. So beyond what Keenan had talked about, legal liability, chain of evidence, chain of custody for evidence: this is where a legal threshold is required. If you cannot guarantee that evidence, then they cannot use it in court. And while you're going, well, what are we going to do against the Russians anyway? This is an operator problem. It's not about taking down infrastructure. This is where the Department of Justice and the FBI have been doing a lot of what are called

MLATs, multilateral treaties, where they are working together, and we have actually been having an impact on arresting operators as they decide to vacation in Thailand or other places, but I do hope they keep going to Thailand, because we definitely get them there. But you have to have that kind of evidence, which requires either that training or the lawyers involved to make sure you're doing it properly, beyond the liability. She takes a sip of what you can only assume is a mai tai, since she's vacationing. Isn't that funny how executives are always on vacation whenever there's an incident and there's a problem? At least she answered your call, right? "So what do you recommend?" "I'd like to segment the currently infected computers to contain the malware." "Let's see." You can practically hear her thinking. "That's Nick's department. Stand by." He's back on the phone with you, or she. "You can take them offline. Nick says it'll have no impact, especially if we get them back online by Monday morning." "We can get them done within the hour." You can hear her smile. "That's great. If it works out that way, take the team out on me." "Will do, boss."

So we segment into a quarantine network. You successfully segment these eight systems from the network, make copies per Kendra's recommendation, and can now perform forensics without fear of further outbreak. You identify a phishing email to a new employee that was assigned one of the eight systems. Why would I want to phish a new employee? First of all, how do I know they're a new employee? Attacker's view: LinkedIn. LinkedIn is the greatest OSINT treasure trove of everything you could ever want, and you all brag about it all the time. I'll tell you also, as an attacker, when I'm building my target package, do you have jobs that tell me what software you use for defensive purposes? And you brag about that too. "It's what we advertise for the job." Yeah. So I know you use CrowdStrike, I know you have Splunk, I know you're using Zscaler, and based on statistics I know 50% of the time you're doing it wrong, either with default credentials or you installed it improperly. 50% of security software fits in that. Furthermore, a new employee's psychology is: I don't want to ask for help, I don't want to look like I don't know. So when they get that phishing email they haven't been trained, and they don't want to be the person sticking up and being like, hey, I think I've got something. No, I just want to look helpful. They are a very vulnerable population.

This led to remote code execution and deployment of a new malware, more bacon. The new images did not have the latest updates, leading to a privilege escalation vulnerability that was exploited automatically by the malware. With the privileges, credentials were dumped and lateral movement attempted with the local admin password. The eight new systems all had the same local admin password, which allowed the malware to propagate to the other seven. Data on these systems were encrypted, exfiltrated, and now show a ransom. Thankfully these were new systems, so they didn't have much data. You easily rebuild them since you just have to reformat with the golden image. Within the hour the team is done and there is no further malicious activity. You know how to make the tough decisions, and now the next order of business is employee morale. The CISO said she's treating us to margaritas at Guava, on to unlimited free chips, salsa, flair as far as the eye can see, and the Ultra Grande Super Classical Margarita (trademark) to celebrate your win and close out another successful week at the Unicorn Company. Congratulations. And because I forgot, I think he was the CIO, he was a Marine, so you can have the crayon margarita. You can find me at the ICS Village all day. Have a great conference. [Applause]
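The pivot the scenario walks through (firewall logs show several hosts beaconing to an allow-listed cloud destination, the endpoint logs then name the executable and show it fanning out over SMB to subnet peers) as an added worked example in Python. This is not code from the talk or the speaker. Everything in it is constructed for the example: the syslog-style firewall and EDR log formats and their field names, the host names and IP addresses, the destination pin.com and the executable name morebacon.exe borrowed from the scenario, and the beaconing heuristic itself, which flags a (source, destination) pair whose check-in interval is near-constant. That heuristic is one simple way to use connection metadata without decrypting the HTTPS payload, the same idea as the Enigma operator-cadence aside, and it is deliberately scoped so that a clean host using SMB legitimately is not swept up.

```python
"""Scoping a ransomware outbreak from outbound firewall metadata plus endpoint
logs. Added example, not the speaker's or any vendor's code. Log formats, hosts,
IPs, the destination pin.com and morebacon.exe are all constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log (key=value). GeoIP already drops the direct .ru
# attempt; the implant instead checks in with an allow-listed cloud host every
# ~300 s over 443, so only cadence and destination give it away. 10.1.8.50 is a
# clean host browsing at irregular intervals.
FIREWALL_LOG = """\
2024-04-05T16:00:02 fw01 action=allow src=10.1.8.21 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:00:05 fw01 action=allow src=10.1.8.22 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:00:30 fw01 action=allow src=10.1.8.50 dst=142.250.0.1 dport=443 sni=www.google.com
2024-04-05T16:05:03 fw01 action=allow src=10.1.8.21 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:05:04 fw01 action=allow src=10.1.8.22 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:07:41 fw01 action=allow src=10.1.8.50 dst=142.250.0.1 dport=443 sni=www.google.com
2024-04-05T16:10:01 fw01 action=allow src=10.1.8.21 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:10:06 fw01 action=allow src=10.1.8.22 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:15:02 fw01 action=allow src=10.1.8.21 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:15:05 fw01 action=allow src=10.1.8.22 dst=52.0.0.10 dport=443 sni=pin.com
2024-04-05T16:15:11 fw01 action=deny src=10.1.8.21 dst=185.0.0.9 dport=443 sni=update.example.ru
2024-04-05T16:22:19 fw01 action=allow src=10.1.8.50 dst=142.250.0.1 dport=443 sni=www.google.com
"""

# Constructed EDR-style endpoint log. WS-050 uses SMB legitimately from
# explorer.exe; the SMB check below is scoped to the image that talked to C2.
ENDPOINT_LOG = r"""
2024-04-05T16:00:01 edr host=WS-021 ip=10.1.8.21 event=ProcessCreate image=C:\Users\newhire\AppData\Local\Temp\morebacon.exe parent=OUTLOOK.EXE
2024-04-05T16:00:02 edr host=WS-021 ip=10.1.8.21 event=NetworkConnect image=C:\Users\newhire\AppData\Local\Temp\morebacon.exe dst=52.0.0.10 dport=443
2024-04-05T16:01:10 edr host=WS-021 ip=10.1.8.21 event=NetworkConnect image=C:\Users\newhire\AppData\Local\Temp\morebacon.exe dst=10.1.8.22 dport=445
2024-04-05T16:01:12 edr host=WS-021 ip=10.1.8.21 event=NetworkConnect image=C:\Users\newhire\AppData\Local\Temp\morebacon.exe dst=10.1.8.23 dport=445
2024-04-05T16:00:04 edr host=WS-022 ip=10.1.8.22 event=NetworkConnect image=C:\Windows\Temp\morebacon.exe dst=52.0.0.10 dport=443
2024-04-05T16:02:30 edr host=WS-022 ip=10.1.8.22 event=NetworkConnect image=C:\Windows\Temp\morebacon.exe dst=10.1.8.24 dport=445
2024-04-05T16:00:29 edr host=WS-050 ip=10.1.8.50 event=NetworkConnect image=C:\Users\jdoe\AppData\Local\Google\Chrome\Application\chrome.exe dst=142.250.0.1 dport=443
2024-04-05T16:03:00 edr host=WS-050 ip=10.1.8.50 event=NetworkConnect image=C:\Windows\explorer.exe dst=10.1.8.5 dport=445
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """'<iso-timestamp> <sensor> k=v k=v ...' -> dict, timestamp as datetime."""
    ts, sensor, rest = line.split(" ", 2)
    rec = {"ts": datetime.fromisoformat(ts), "sensor": sensor}
    rec.update(KV.findall(rest))
    return rec


def beacon_pairs(records, min_hits=3, max_jitter=0.2):
    """Flag (src, destination) pairs whose check-in interval is near-constant.
    Returns {(src, name): mean_interval_seconds}. Uses only allowed
    connections; a person browsing does not produce a metronome."""
    seen = defaultdict(list)
    for r in records:
        if r.get("action") == "allow":
            seen[(r["src"], r.get("sni", r["dst"]))].append(r["ts"])
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged[key] = round(mean(gaps))
    return flagged


def scope_infection(fw_log, ep_log, smb_port="445"):
    """Pivot from beaconing hosts to the responsible image and its SMB fan-out.
    Returns (infected, at_risk): per-host findings, plus peer IPs the infected
    image reached over SMB that are not yet known to be infected."""
    fw = [parse_line(l) for l in fw_log.splitlines() if l.strip()]
    ep = [parse_line(l) for l in ep_log.splitlines() if l.strip()]
    beacons = beacon_pairs(fw)
    c2_ips = {r["dst"] for r in fw
              if (r["src"], r.get("sni", r["dst"])) in beacons}
    hosts = {}
    for r in ep:
        if r.get("event") != "NetworkConnect":
            continue
        h = hosts.setdefault(r["host"], {"ip": r["ip"], "c2_images": set(),
                                         "smb": defaultdict(set)})
        image = r["image"].rsplit("\\", 1)[-1]
        if r["dst"] in c2_ips:
            h["c2_images"].add(image)
        if r.get("dport") == smb_port:
            h["smb"][image].add(r["dst"])
    infected = {}
    for name, h in hosts.items():
        if not h["c2_images"]:
            continue
        peers = set().union(*(h["smb"][img] for img in h["c2_images"]))
        infected[name] = {"ip": h["ip"], "images": sorted(h["c2_images"]),
                          "smb_peers": sorted(peers)}
    known = {h["ip"] for h in infected.values()}
    at_risk = sorted({p for h in infected.values() for p in h["smb_peers"]} - known)
    return infected, at_risk


if __name__ == "__main__":
    found, watch = scope_infection(FIREWALL_LOG, ENDPOINT_LOG)
    for name, h in found.items():
        print(f"{name} ({h['ip']}): {h['images']} -> SMB to {h['smb_peers']}")
    print("quarantine watch list:", watch)
```

The `at_risk` list is the part that matters for the segmentation decision in the scenario: those are the peers the implant has already tried to reach over SMB, so they belong in the quarantine network (or at least on the watch list) even before their own endpoint logs show anything. The beacon check is intentionally loose (a 20% coefficient of variation over three or more hits); real implants add jitter, so in production you would widen the window and combine it with destination rarity across the fleet rather than rely on cadence alone.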
