
Trust Issues: How Gen Z Attackers Hack Without Exploits - Tom Barnea

BSides Munich · 2025 · 25:09 · Published 2026-02
About this talk
Gen Z attackers prioritize simplicity and social engineering over technical exploits, leveraging trust within organizations to gain access. This talk presents an attacker's playbook covering four key tactics: mapping trusted vs. untrusted zones, exploiting organizational language and IT support channels, abusing native sharing mechanisms, and repurposing legitimate tools. The speaker illustrates real incidents where attackers hacked humans rather than systems, achieving high-impact breaches through low-effort methods like phishing through task-management apps and remote-access tools.
Transcript [en]

So before diving in: usually in this kind of first three minutes, people are coming in and out of the hall. It's not really like that in Germany, but people are still coming in and out of the hall and trying to understand what's going on. So instead of giving a very long introduction or talking about the agenda of the talk, I'll just tell you a story that is 100% not related to the talk, about one of the most thrilling moments of my life. In the army I was a cyber security course commander, and the cyber security course in the IDF is not like a nice computer club. It's very intense. The trainees study for days and nights in front of the screens trying to solve impossible problems. It's really tough, and the team, all the crew, we are really keeping a straight face: no small talk, no smiles, really serious people. Going towards the end of the course we thought, okay, what can we do to melt the ice a little bit, to make the trainees think we are a bit more human? One of my teammates thought, okay, let's collect childhood pictures of all the trainees and we'll just show them the pictures and it will be funny. A few weeks go by, we collected all the pictures. One of my colleagues did this work, and we came, the whole staff, to the class. They were quite nervous to see all of us coming together, in uniform of course, to the class, and they were curious what was going to happen. And then we started to show the slide deck and, as you expected, some very cute pictures: some child in a Spider-Man costume, one child with an ice cream or something. And we had one trainee who grew up in Russia and not in Israel. So we expected something would be a bit different, but we still expected to see some cute picture with a sandwich or something. And then we clicked next and we saw a very cute girl in a yellow dress with pigtails standing next to this. This is not AI, I promise you. It's a real grizzly bear. You know, each country has its culture and its childhood. This is what we have.

So, moving forward to the presentation today: the attackers hack without exploits. I know this title might be a bit weird to some of you, and I will explain everything during this talk, I promise, believe me. But I want you all to have one question in your mind during this talk. I know this question might be a bit odd and you don't really understand this question in all of it yet, but you will, so keep it in your mind.

All this talk will be from the attacker perspective, kind of a playbook, to show you the idea of what are the steps, what are the chapters to hack humans, to hack trust, and what exactly this means. So before diving into what hacking trust is, and some stories and examples and everything, we should start with who Gen Z attackers are and what that means, because I'm talking like it's an obvious term and obviously it's not. By the way, my name is Tom, Tom Barnea. I'm from Israel. For the last two years I worked at Varonis, if some of you are familiar with Varonis, a data security company. And actually two weeks ago I changed positions and now I'm working at Tenable; I guess most of you are familiar with Nessus and everything. I'm working in the AI security group in Tenable doing some research on very cool stuff. So if you want to talk after this talk about AI security, Tenable, Varonis, whatever you want, I'm open to everything.

So, who are Gen Z attackers? I'm 25, so all of my friends and myself are Gen Z. And I can see some people around my age here, and some people might have children around my age here. So, Gen Z have some criteria that are quite known to everybody. They are young. They are creative. They are, because of their age, not necessarily technical, or not trained enough because of lack of experience. Curious: they want to explore more. And they live with their parents, so they do their hacking from their bedroom. And one interesting thing is that a lot of them are gamers. There's this gamer's approach: play some game, talk with their friends on Discord, and then hack some very big companies. And one of the most interesting things is laziness, or what I call efficiency. Efficiency talks about low effort and high impact. What does it mean? How can I work less but gain more? And they understand that simplicity is the new sophistication. You don't need to really work hard and have the most sophisticated and extremely complicated malware to get a high gain and to do all the encryption and all of that. Instead of all of that, you can just hack humans, because hacking humans is much easier. And this gamer's approach: you want to win, but you understand this is just a game and the game ends at some point. After researching some interviews of people that were arrested, this type of attackers, they don't really understand that in reality we have some legal consequences and the game doesn't really end at some point. And as I said, hacking humans is much easier than hacking systems or software or anything like that.

And you might think to yourself, okay, this is a nice idea, a nice agenda, but where does this come in practically, where do we meet reality in this kind of stuff? So one year ago, this guy was arrested. He's only 22 years old, from the UK, a native English speaker, and is one of the leaders of one of the biggest ransomware groups of our time, Scattered Spider. I saw there is a talk right after me about this group. And he's not alone: more have been arrested, people around the ages 17 to 20, in the last year or two years, around that. And if you ask Europol, 69% of the teenagers in Europe were involved in some way in cyber crime. And if you ask the FBI, the average age of people committing cyber crime is 19, compared to 37 for any other type of crime. So for anyone that needs to do some checks at home, it's recommended.

And I think, starting with kind of the introduction to the playbook, before diving into the examples and the chapters of this playbook, we need to start with an introduction of mapping the area. Mapping the area means mapping the organization into two parts: the trusted and the untrusted zone. What do I mean by that? The untrusted zone is everything that we have always been warned about: some fishy and suspicious websites in the browser, getting an email from an external user, or using any unallowed software in the organization. Those are all the things that we know from this KnowBe4 training that we just click, click through. These are the things that we know to be careful about. The trusted zones are the areas that we should feel safe using; we use them on a daily basis. We don't see any reason that they can be malicious in some way. Talking about task management apps like Jira or Trello or ClickUp, any allowed software that we use in the organization on a daily basis, or an email from my colleague or stuff like that, or communication channels of course, or our internal organizational OneDrive.

Starting with the first chapter: speak their language. And by that I mean not speaking English or German or anything like that. I'm talking about speaking the organization's language. And I want to tell you a very interesting story that happened a few months ago, that we investigated for actually a few companies. Imagine 7:30 a.m. You just woke up and you start to get thousands of emails, like 2,000 or 3,000 spam emails in 2 hours. Your Outlook is blowing up, and who are you going to call? What are you going to do? You're going to call your IT guy, your IT technician. A great IT guy.

You're going to call your IT guy and he's doing everything you expect him to do in the untrusted zone: resetting your password, revoking sessions, even checking Outlook and Mimecast and creating a very strict and specific rule for you on your inbox. Whatever you want, he did everything you expect him to do as an IT guy, an IT security guy, in the untrusted zone. But it's not enough for Gen Z attackers, because they don't think about the untrusted zone; they think about the trusted zone that they want to exploit. So what happens here is really interesting. A few minutes after he's done, all the things are done, our employee, spoiler, the victim, is receiving a phone call, and on his screen he is seeing a help desk. So he's answering the phone saying, "Hey, I'm in a meeting, I will call you back in a few minutes." It was the threat actor. Then after the meeting, he's calling him back and he's not answering. And he's calling back again and he's not answering. So I want to pause for a minute and think about the situation. And the situation is the trust is so high that the victim is calling the threat actor twice, trying to chase him, running after the threat actor to do his malicious purposes, but he's not answering him. And then we have a real screenshot from the Teams of this user, and we see that, like a very typical IT guy, the threat actor is saying to the employee, hey, I'm working on another ticket, I will call you back in a few seconds, and the victim is saying to the threat actor, thank you. And then they have a talk later on. This talk was around 20 minutes, and during this talk the threat actor understands that the Teams call will end at some point. So he's using again a very native tool, Quick Assist, that exists on most Windows PCs. Quick Assist is the native remote control tool of Windows: just pressing Ctrl+Windows key+Q opens Quick Assist, putting in their code, and he has complete access to the laptop. Not any technical step or code exploiting here, no CVE, nothing. And obviously you won't fall for it, just your employees; you are all perfect.

Moving on to the next chapter: share native sharing. Native sharing, by that I mean all the native sharing mechanisms in the apps you use on a daily basis. Think about right-click on OneDrive, share, and then you receive a notification and everything; it feels native, it feels routine, all of that, nothing from external addresses or anything like that. So I want you to start by putting your blue glasses on. And this is a real email from Microsoft, a notification that someone shared a file with you, from the user's, the victim's, kind of eyes. And someone shared the file with the user. It was a OneNote file. A very good choice of the attacker. We won't dive into why, but it's a very good choice, with obviously a very legitimate link. And if we move position, from the attacker perspective to when we investigate, what we have seen during the investigation: we saw on Varonis that this file was created on the OneDrive and then we saw this huge spike of folder sharing created. We checked 90 days. We had 411, 412 events. 411 of them were on the exact same day, which was, as you can see, abnormal for this user. This is the way we detected it, and we saw that this user shared the file. So what happened here eventually is that the attacker got access to the user account and, instead of starting to pull data or pulling out all the inbox, it just decided to go to the OneDrive, creating only one file and then massively sharing this file, bypassing all email security platforms. Everything was bypassed because it's just a OneNote file that was shared from the organization-wide drive, and you receive a message from your colleague: hey, I shared a file with you. This is the file. Enter this file, and from now on bad things happen. And this specific link was extremely interesting, because, moving to the kind of era of AI and all of this stuff, he did some investigation on this client. On the left, you can see the original login page of this company that was hacked. On the right, you can see the page that the attacker created. And as Gen Z he was a bit cheap, so he didn't even pay for the software that created this page. This is a free trial; you can see the popup. He just took a screenshot, put it in the AI website builder, and then told it, "Okay, create this website." Amazing results. This is what we call, instead of vibe coding, vibe scamming. And this is kind of the new era of doing things with ease as an attacker.

You don't really want to work hard, and we are getting to the last chapter in the attacker playbook, which is borrow their tools. And there is a very popular tool among attackers that has all these amazing capabilities that are ready for the attacker to use; they can do whatever they want. And if you have some guys here from the red side, red teaming, penetration testers, those are absolutely incredible capabilities. I don't know if everyone is familiar with this attackers' tool. This is Atera. This is, from the website, an IT management tool. And if you're not familiar with Atera, you're probably familiar with these ones. Attackers don't really want to work hard. Gen Z attackers want to do things with ease. And why create your very sophisticated C2 or malware when you have legitimate software that can do probably almost the same things, and for a few reasons. First of all, it's already there. You don't really need to work it out. And we saw many incidents where the attacker just searched for AnyDesk, TeamViewer, stuff like that. And it was like finding a treasure for them: they just open the software and they have access to whatever they want, because no one thinks that you should put boundaries on TeamViewer. It looks benign. Most of the platforms don't detect and alert you about someone using AnyDesk, and it includes everything you need as an attacker, ready for you.

And maybe another example, from the SaaS applications side. This is ClickUp. This is like Trello, Jira, task management. And what happened here is also very interesting. The attacker did some reconnaissance and searched what apps a specific organization uses. It's not very sophisticated. He just opened the job descriptions on their website. And then he saw they use ClickUp. And at this point he created a fake email with the name of the CEO at Hotmail, something, it doesn't really matter. And then he sent an invite to a dashboard of ClickUp to all of the C-level employees. And those of you who work in corporates know that if you receive an invite to a dashboard from your CEO, you drop everything you do. You just enter this dashboard. So this is what happened. So they entered this dashboard and it felt very native, because it's just joining another dashboard on the ClickUp platform they use on a daily basis, in their trusted zone. They saw all their friends there, all the C-level employees, and there was only one file on the dashboard. Obviously some of them opened the file and then the chaos started. But this is another example of not doing everything sophisticated, everything technical, but still getting the game. And again, humans, it's just much easier.

And I think we saw all of that and we think, okay, those are some nice stories, nice examples. I have plenty of security tools. And none of your security tools probably will detect these things. So why do traditional defenses fail against Gen Z attacks? There are a few reasons for that. I think the first one is trust gets you in much easier and smoother than anything that you can think about of exploiting a CVE. The second thing is most of you are probably very proud of your EDR, XDR, more letters that make it more expensive, but it doesn't really matter if trust is exploited. And I think one of the biggest things is, I call it kind of an illness that CISOs have: this is the security illusion. I paid millions of dollars for all the best security platforms and now I should be protected. It's not really working like that. There is some work to do, and trust is not getting the best firewall or data security platform or anything like that. And while we tried to play checkers and protect our assets and protect the walls of our organization, Gen Z attackers are playing a different game. They're playing among us, with us, trying to get between us, trying to make everything feel very, very native.

So what can you do, and not just be sad and sarcastic? I think there are three main things. One is behavioral detection. Behavioral detection talks about not only spotting what is bad generally, but spotting what is not normal for a specific user, for a specific department in my organization. If someone from, I don't know, IT is trying to access files that are related to finance, this is abnormal, but this is not bad generally for any organization in the world, and every organization is different. So spotting abnormal behavior. User awareness should be beyond phishing; it should be around context and credibility, not just spotting between zeros and O's, because it doesn't really matter anymore. And rethinking trust boundaries. We talked about that: even if I have a software or a process I think is safe, I should really think about how it can be exploited. And if I want to put it in a nice phrase, it will be: patch people, patch processes and patch assumptions. Again, summing up, Gen Z attackers show us it's not about exploits, it's about credibility. And I want to circle back to the question I started with. I want you all to think about your organization or your own clients, and to think, if you were the attacker, how would you exploit your organization's trust? That's it guys. This is my LinkedIn. If you want to connect, I'll be happy. Thank you very much.

>> Thank you very much, Tom, for the nice presentation. Now we have the best time for questions. Any questions?

>> If you don't have any questions then I will take the opportunity, Tom, if you don't mind answering one or two. What are the most critical differences in threat modeling within native, sorry. What makes Gen Z attackers so effective at bypassing traditional security measures in comparison to...

>> So I think it's really working by the playbook of starting with mapping between the trusted and untrusted zone. And if you think, okay, what is trusted, what can I exploit, what do more people have more trust in, those are the areas where we usually will have less boundaries to get in. We'll have less suspicion around it. So these are the areas that Gen Z attackers usually want to exploit.

>> And how can organizations make a better detection of these abuse cases, because these are usually legitimate tools?

>> Yeah. So I think it's exactly what I showed, and specifically talking about behavioral detection. I think this is kind of the main gap in most security platforms, that usually try to build detection that will spot and will catch, or even hunt, some bad activity in general. But we need to think about our own organization and what is normal for our own organization, and how we can spot the abnormal for each user separately, because each user is different. Someone that works as HR is different from someone that works as the CFO. They are different humans that have different habits, and they access different files and they have different software that they use. And if we see something that is abnormal, as we saw in the spike on Varonis, these are the things we should detect and be alerted on.

>> You get the mic thrown to you.

>> We have one brave guy.

>> Hello. Thank you for the talk. Excellent. Thank you. What do you think about zero trust, an approach to zero trust or zero trust architecture? Which of the attacks that you just outlined can it stop and which can it not stop?

>> I think zero trust generally, you know, it's a good point, because it really fits the ideas that I try to share. Zero trust generally, you know, it's an idea. And we talked about trust boundaries and rethinking trust boundaries, and it's really aligned with what I tried to say. So it's really aligned with the idea of the presentation. I don't really have much to add on that. But if you think about zero trust, it means, okay, everything is not safe. Everything can be exploited. Everything could be, yeah, could be exploited, and we should think what we can do to be protected each time. And this is exactly what I tried to show with the trust boundaries and the trusted zone. And we really kind of want to protect first the areas that we were trained are untrusted. But this is not really true, because we should protect everything, even the trusted areas, because these are kind of the new goal or the new targets of Gen Z attackers, as I see it. So I hope it answers your question in some way.

>> Any other questions?

>> Then I would like to thank you, Tom, for being with us today.

>> Thank you for having me.

>> Big applause for Tom.
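The behavioral detection described in the talk (411 of a user's 412 folder-share events in a 90-day window landing on one day) can be expressed as a per-user baseline check rather than a global threshold. The Python below is an added example written for this page, not the speaker's or Varonis' code; the audit events are constructed sample data and the `min_events` and `ratio` thresholds are assumptions.

```python
"""Per-user sharing-spike detection, in the spirit of the OneDrive incident
described in the talk: a compromised account creates one file, then fires off
hundreds of share events in a single day against a 90-day history of almost
none. Added example; the events below are constructed, not real audit logs."""
from collections import Counter, defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 90                     # look-back window, as in the talk
BASE_DAY = date(2025, 1, 1)          # first day of the constructed window


def build_sample_events():
    """Constructed audit events as (user, day, action) tuples."""
    events = []
    # alice: a quiet baseline, one legitimate share roughly every 9 days
    for i in range(10):
        events.append(("alice", BASE_DAY + timedelta(days=i * 9), "FolderShared"))
    # alice: the burst, 411 shares on one day (day 88 of the window)
    burst_day = BASE_DAY + timedelta(days=88)
    events += [("alice", burst_day, "FolderShared")] * 411
    # bob: a heavy but consistent sharer, 5 shares every single day; a global
    # threshold would flag him, a per-user baseline must not
    for d in range(WINDOW_DAYS):
        events += [("bob", BASE_DAY + timedelta(days=d), "FolderShared")] * 5
    # unrelated actions are ignored by the detector
    events.append(("alice", burst_day, "FileAccessed"))
    return events


def daily_share_counts(events):
    """Map user -> Counter(day -> number of share events on that day)."""
    counts = defaultdict(Counter)
    for user, day, action in events:
        if action == "FolderShared":
            counts[user][day] += 1
    return counts


def find_share_spikes(events, window_days=WINDOW_DAYS, min_events=20, ratio=10.0):
    """Return one record per (user, day) whose share count is both at least
    `min_events` and more than `ratio` times that user's own average daily
    share rate over the rest of the window. The baseline is per user, which is
    the 'what is normal for this user' idea from the talk: bob's 5 a day is his
    normal, alice's 411 is not. Thresholds are assumptions for the example."""
    spikes = []
    for user, per_day in daily_share_counts(events).items():
        total = sum(per_day.values())
        for day, n in sorted(per_day.items()):
            baseline = (total - n) / max(window_days - 1, 1)   # other days' mean
            if n >= min_events and n > ratio * baseline:
                spikes.append({"user": user, "day": day, "count": n,
                               "baseline_per_day": round(baseline, 3)})
    return spikes


if __name__ == "__main__":
    for s in find_share_spikes(build_sample_events()):
        print(f"{s['user']}: {s['count']} shares on {s['day']} "
              f"(baseline {s['baseline_per_day']}/day)")
```

Running it flags only alice's burst day; bob's steady volume, which a fixed organization-wide threshold would catch, is his own normal and stays quiet.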