
Hey, how's it going? I'm Chris Russell and I'm about to do my talk on Target Acquired, and I bet you're wondering: why are you listening to me today? What is it that I have to say? Why am I an SME on the subject? And the reason is, I did HUMINT for 10 years. Between 2000 and 2010, all I did every day was talk to people in multiple forms to gather information based on the objectives I was given. So for ten years my only job was to elicit information, exploit information, talk to people through interrogation, strategic debriefings, source operations, screenings, everything, you name it. So that's what I did, and over that time I learned quite a
bit. Interrogations and source operations are obviously quite interesting, but you learn a lot about humans during that period: about how people are motivated, about what makes people tick, about how you elicit information. So what I want to do today is take that information and kind of relate it to infosec on a kind of insider threat kind of tangent. So you have to bear with me; this isn't the most natural progression, but I think you'll see where I'm going with this and we'll get to it.

So this is some of the contents that we're gonna go through: you know, who's who, recon, target and assess, approach, testing, recruiting, training, operations, termination, detection, remediation, summary, and a thank you at the end, of
course.

So let's talk about, in the realm of HUMINT operations, who the agents are: who are the people that have an objective, that are looking for assets to recruit to gather information for them. So obviously there's nation states. Now, nation states are obviously the most complex and have the most resources, but they're also the least likely to be targeting your organization. You know, you're infosec for a small business: is China, Russia targeting you? Probably not. But in some cases they are. If you're a defense contractor, if you're working for the government, you have some sort of proprietary information, maybe even financial stuff, there's a chance you're in there. But again, least likely.
Business competitors: people don't feel like business competitors do that much competitive intelligence, but the fact is they do. They do hire ex-military and intel people to gather information on their competitors, to hire their competitors, to get proprietary information from the competitors, and bring over engineers and projects, and download data and steal things and everything you can imagine. So it's not talked about a lot, but this definitely happens and people need to be cognizant of that.

Ransomware gangs: so this is kind of a new one. People don't think ransomware gangs are in the HUMINT game; they're not into recruiting people, not into talking to people to get information. But what they are doing is they're offering people large amounts of
money to plant the malware, because their phishing campaigns are failing. And the reason why I bring this up is because I feel like this is a trend that's going to grow. Ransomware obviously has been commoditized; they have a whole ecosystem. This is something that is making good money; it's not going to go away. And the fact I'm seeing a lot of intel on them reaching out to people, specifically developers and people with inside access, to plant the malware, and offering them close to half the ransom: this isn't going to go away. So we have to take this, you know, as a real, you know, consideration as far as them being into the kind of HUMINT
realm.

Criminal organizations have, you know, for a long time been involved in HUMINT. You know, they're the people that are buying off the physical security, making people look the other way while they, you know, steal this or that. This is not a new tactic, not a new thing, but they're definitely on the chart.

Activists and extremists are kind of in the same vein. Maybe you have an organization that's doing stuff that's, you know, not quite on par, and there's some activists that want to get that information out or want to expose you. They want to talk to employees that know of some things that you've been doing that aren't great. These are all part of the insider threat
kind of HUMINT track that I'm going to talk about. And lastly, extremists. And extremists is, you know, a very broad term; in this context I'm going to say it's, you know, more about, I'll say, terrorist extremists that maybe want to do harm to your organization by getting some sort of inside access and, you know, taking down your, some sort of infrastructure, organization, as a terror tactic.

Okay, now, HUMINT used to be a hundred percent face to face. That's what I did: face to face, you know, meetings, talking to people. You know, this ugly mug used to talk to a lot of people. Nowadays this can be done remotely, and that should be a little scary to people.
You know, you used to have to be in a room, face to face, kind of charming people, winning them over, you know, winning hearts and minds. This can be very remote now, based on just the world we live in these days, so we have to take that in consideration too. It used to be very geographically isolating. Now the fact that people can reach over via the internet, your various social media platforms, video chats, whatever, make connections on a different level than they could before, makes this capability a little bit different than it used to be.

So now I've gone over the agents, let's talk about who some of these targets are for this kind of HUMINT insider threat,
you know, situation I'm talking about. Who are the targets? Developers: 100%, number one target. They are the data holders, they are the application creators, they are the people that hold the keys, the secret keys. They're the people that are a hundred percent being targeted, and that's one thing I wanna take away from this: these are the people we need to protect, these people we need to look after, these people in your organization that we need to stop treating like mercenaries and stop underpaying, because these individuals are doing everything for the applications in the organization, not necessarily being treated right, and can easily, very easily be manipulated to do the wrong thing. Now obviously executives, they've always,
you know, had placement and access to, you know, wide parts of the organization, so they're, you know, traditionally a high target. Information security, another high target, because they can, you know, change things to change access, they can delete audit logs and do a lot of things. Physical security, another thing where people can, again, look the other way; guards can open up a gate, leave a door open. You know, they're traditionally a pretty big target. System administrators, just, you know, based on their access: they can create access. And then finance, obviously: anyone who's close to the money can help other people who want to get close, somebody get close to the money. So big takeaway there: developers are the
number one target here. We need to watch out for them.

So, recon. This is the first phase in the HUMINT cycle of targeting and assessing someone. So in the recon phase we're looking for who has placement and access to our objective. So whether you're a nation state, you're some sort of business that wants competitive intelligence, whatever it is, you have an objective and you want to say: okay, who has placement and access to this information? Who has placement and access to this prototype, to the scientist, who's the lead scientist? This is what placement and access is. And during this phase they spend a lot of time figuring out all the people that have legitimate placement and access to what
they want. Again, this can be data, this can be prototypes, can be systems, personnel, it can be many different things. But the point is they want to know who has proximity and access to it on a regular basis, and then based on that they're going to create a list, and that list is going to be prioritized based on who has the best access. They're going to take their time, they're going to look at these people very closely, they're going to research them, you know, all the things that, you know, we know goes on with intelligence collection. They're going to go through this whole process and they're going to come up with a primary person who is their lead
person to target and assess. This is the person with the best placement and access to whatever objective they have. So again, whether it's a database, prototype, whatever it is, they're going to find the one person who's most likely to be able to get whatever they want, and they're going to put them number one on the radar, and after that they're going to target and assess them.

Now, targeting and assessing them means they're going to look at their life very deeply. They're going to look at their profile, they're going to look at their lifestyle: how they live their life, what they do, their social media content, what they do on weekends, how they spend their money, what are their
hobbies, what's their love life like, what's their debt like. This is the reason why, when people get security clearances, the government consistently goes through all these things, because they're looking for weaknesses and chinks in the armor that these, you know, other agents want to exploit. But when you're targeting and assessing someone, you're figuring out everything about this person that makes them in some way available to you for some form of manipulation. So, a target-rich environment: they're going to look for disgruntled workers, individuals with high debts, loners, idealists, the disenfranchised. Now, it used to be this had to be a very, again, human thing. They'd have boots on the ground, they'd be near the business, they'd be near the people to
find out, you know, at bars, at, you know, group meetups, at social, you know, situations, who these people were. But with social media and online activities you can identify these people pretty easily now. So we got to keep that in mind, that, you know, even with the best OPSEC, people are putting themselves out there on kind of what their life situation is, and these are things that are being used to, you know, identify these people. So once we identify this group of people that have placement and access, and we've identified what their motivations are, we're going to determine who's the most likely, who's the best candidate to be recruited for a process of doing some
sort of objective for them.

So the next step is an approach. Now again, we've identified someone with placement and access who has some sort of weakness, they have some sort of vulnerability, they have some sort of chink in their armor that gives us an opening, and we're going to design the perfect approach that is going to blow this person's mind. We're going to find the thing this person's been looking for their entire life. Is it their love life? Is it a hobby? Is it a business deal? Whatever it is, we're gonna find what that is and we're gonna use that to create an opening into their life in a way that's so meaningful that they're going to want us in their
life. I'm being very emphatic about this because this is a very powerful thing for people who have been missing something in their life, and we're going to offer that, and we offer that knowing they're going to jump at it, because that's human nature. So our approach is going to be, you know, answering things like love problems, money problems. You know, some people want to be part of something, some people want to be something, some people want to own things, some people want to be part of history, to be famous, to be a, you know, a change agent. They want something that means something to them, and the agents we talked about earlier, they're gonna find out what this
motivation is. You know, people have typically tangible and intangible motivations. Some people are very much motivated by just cash, what they can buy, what they can own. But some people want to be something. They want to be, you know, like I said before, famous, but some people want to be pious, some people want to be a helper, some people want to be known as someone who did the right thing whenever they're asked; they want to be part of something known in history as a good act. These are major motivations in people's lives, and when you tap into these things you can make people do things that, you know, typically would be against their nature. As I said before, for 10 years what I did
was I got people to do things that were not in their best interest. That was the reality. I had to talk to people and say: you know what, normally it would be not a good idea for you to betray all of your countrymen and give me this information, but we have this thing between you and me that we've established that is important to you, and it's more important than anything else, and that's why we're going to do this. And I'm really dumbing that down, but it's a very powerful thing, because everyone's searching for something in their life, and when someone comes along and answers that, people put their blinders on and they accept it.
You know, people joke about, you know, some guy wins a million dollars, all of a sudden he has a beautiful wife, and he knows why he has a beautiful wife: it's the one million dollars. But he kind of lies to himself a little bit, doesn't he, that it's the million dollars, it's not him. Everyone does that. That's the reality: if you have the opportunity to live out the dream you've been waiting for your entire life, you don't necessarily stop and ask questions. So let's say you want to be known in the gaming industry as someone who's part of some great group of gamers or whatever, and this group, you know, brings you up and says
you're going to be our paladin, you're going to do whatever. If that's been your goal in life, you're not going to really ask questions: why did they pick me? You know, maybe you do, but as soon as they're like, no, you're our guy, you're the badass, your scores are great, you don't step back and think about there's some ulterior motives. You're just like, this is what I've been waiting for. You know, now, I use that as kind of a silly example because it's online, but this is the method in which people are being approached these days. It's not as much in person, it's not in bars, it's not in, you know, gyms. It's online, so,
you know, forums, gaming, dating: these are places where people who have been looking for something are being given something they've been looking for, and they're in a susceptible state, so they don't necessarily ask any questions. So again, we're looking for people that are looking for the perfect match, the perfect friend, the perfect offer, whatever it is, and when they get offered that, they don't ask a lot of questions.

So now the agent's approached someone. They've offered them this thing that they love, whether it's the friendship, it's camaraderie, love, whatever it is, and they have this bond and they're hanging out. Well, the agent still needs to know this person is capable of doing the objective, getting the thing they
want at the end of the day. So they test them, and they test a bunch of different ways, because, you know, they're putting a lot of resources into this. They don't want this to fail; they don't want someone who just has good intentions to screw something up. So they test them with things like: let's see what I can get them to do early on, let's make sure they're the right guy. Even though we have a good approach, they've got placement and access, let's make sure they're really the guy for the objective, for the operation. So we're gonna test them. We're gonna give them easy tasks to start, and it's not necessarily tasks that are like, hey, go tell us, you know, you
know, who's on your payroll, your company, something like that. These are simple things like, hey, send me a picture of you, because you're online, not really like, you know, you don't really show your picture, but let me show you a picture of you. And it's making them show that they trust you. So that's one of the first things, you know, you test them there. Then you test them with like, oh hey, we're friends and we're doing this thing and we're, you know, we're part of this group, and hey, can you find this information for me? And you ask them something you already know, so when they come back to you with the right information you go, okay, great, and you know
you can trust them a little bit because they came back with the right information. Then you trust them with, then you ask them something that doesn't exist. You say, hey, again, we're friends, we're buddies, we're lovers, whatever it is, can you go find this? And it doesn't exist, and if they come back with an answer, you know they don't have the heart to tell you they failed, and that's also kind of important. What they should do is come back and say, you know what, that doesn't exist, I looked forever, that doesn't exist, this information doesn't exist, whatever it is you ask for doesn't exist. But what happens in intel and in this whole situation is that in this
relationship, where someone's come into their life and offered them something they love and they've been looking for, the thought of failing them is not great, so they'll come up with information or come up with things that don't exist, and that's not good either. So that's part of the testing process. We're going to test limitations, we're going to test weaknesses, we're going to find out how this guy or girl works, what they can and can't do, what they can handle. Are they technically proficient, are they not technically proficient, are they good under pressure, are they not good under pressure? We're going to test all these things because, again, we have this whole plan for them to get us some information
or access to something. We don't want to fail the last minute, so we're going to go through all these tests, and then once they've passed these tests and they're suitable, we're going to recruit them.

Now, we talked earlier about, hey, we got them on our team, we did this approach, they really liked us for whatever reasons. But recruitment is different. Up until now they've been an unwitting source. Up until now they thought this was just some, hey, we're friends, we're, you know, maybe, you know, romantically interested, we're colleagues, we're business partners. They've been unwitting until now. Now's the time where the mask comes off and we say: no, you know what, we were friends, we talked to you because
you're awesome, we did this with this and this and this, but the reality is we have a real mission for you. Turns out we're really this: we're a competitor, we're a nation state, we're activists. We take our mask off, we say this is who we really are, but we think you're still going to like us because we still are doing the thing that you want, we still are aligned with this passion that you've been looking for. And so the recruitment is getting to go from an unwitting to a witting source, where they're gonna, now knowing that they're working for someone, that they're dealing with someone who has an agenda, that they're still gonna do it. Now at this point
some people do, some people don't. You know, it's not necessarily exact science on how likely someone is. But let's say someone says: hey, you know what, we were like great friends, we were love interests, we were great business partners, but now you say that you're actually a Chinese, you know, intelligence agency, I'm out. Well, that's when the gloves come off and the Chinese intel agency says: well, that's great, but you know, we dug all this dirt on you and you actually did this, this and this, so if you don't do that we're gonna expose that. Or: we've been recording everything you've been doing with us, and if you don't do this, we're
gonna do this operation anyway, we're gonna blame it on you, and we have all this contact, we have all the paperwork, we'll just pin it on you anyway, so you might as well go along with us. It's not the best way to get into a HUMINT operation, but sometimes that happens. You know, the blackmail part, not great; we want to go with the, you know, the honey part, but sometimes you got to go with a stick. But let's say they're still on board. They say: you know what, you're right, it's a little bit weird, turns out that you're a competitor, you're a nation state, you're an extremist, you're an activist, whatever it is, but I really
connected with your message, I really believe that we have this bond, we are really buddies, lovers, whatever it is.

Now the agent's going to train them, because they need, again, they need to perform this objective, they need to get the job done. So we tested them before; now we're actually going to train them. So we're going to say: okay, this is the things you're going to do to get ready for this objective. We're gonna plan: we're going to plan what day it is, the time of day it is, the best possible situations for the outcome to be beneficial to all of us. We're going to help you plan all that, and we're going to make it, we're going
to go over it so many times it's going to be in your head. You don't need to write it down, there doesn't need to be any paper trail, it doesn't need to be a diagram of this. We're going to go over it so many times it's muscle memory, it's in your head. We're going to go over a communication plan: this is how you get a hold of us, this is how we talk, this is how we pass messages to different parts of this group. That, again, doesn't need to be written down, doesn't necessarily need to be in a cell phone. We're gonna have them remember numbers, remember codes, all these things. Communication plan is very
important, because in the middle of an operation you don't want very obvious things like "I'm about to go steal the secrets now." We don't want that in the text, we don't want that in email; it's just a paper trail. We want it very smooth, very natural. Everyone assumes that, you know, they'd be a really good agent, but the reality is most people are not a very good spy. Most people are very bad at it. They're like, oh, I'm in this, I'm in the room, I'm in, what do you want, I can get all the things. And like, shh, don't email that, don't text that, just get the stuff and get out. So that's part of the
communication plan. Then there's the operational plan: what they're going to actually do, what they're infiltrating, what they're stealing, what they're placing, whatever it is. This will be a whole process where we go through, ad nauseam, how they go through step by step everything they need to do, to not just do it but do it in a way where it's not necessarily traceable, so they clean up after themselves, so they don't leave evidence, so they don't leave things that can come back to haunt them or their originating agent. We have a backup plan, so if one door is locked, one system is down, okay, this is what we're going to pivot to, because we picked a day, we
picked a time, we have a whole operation. We don't want to fail last minute just because some random maintenance thing happened. We're always going to have a backup plan, and we're going to train them on that so they naturally pivot to it, don't freak out. Because the average person, when they go to open the door that's supposed to be open and it's locked, freaks out, and then they're going to start dancing, looking around, they're going to make faces at the camera, and that's not going to be cool. So we're going to go over the backup plan so smoothly that they just naturally transition to it; they don't raise any more red flags. And then let's say everything goes
smoothly. We're going to go over the blowback plans, so that, let's say they do this operation, everything's fine, but then they're going to get questioned afterwards, most likely, because they do have placement and access. We're going to go over how they beat this test, how they have a cover story, how we parked their car 10 miles away at a bar during this time so it looks like they're somewhere else. We're going to go over this ad nauseam, so if someone just does a rudimentary check they have good answers. They're not going to be like, ah, it turns out I was working for spies, I'm sorry. We don't want them to do that, so we're going to go over the blowback
plan so, you know, so well that it's second nature to them; they don't feel like they're lying.

Then we're going to do the operation, which ultimately is the most anticlimactic part. Everyone assumes the FBI is waiting, the CIA is waiting, they have to break into Fort Knox. Reality is no one's waiting. There's very little resistance; they get to do what they want to do and they leave, and no one even notices. The deed is done: they dropped the malware, they stole the information, they took the prototype, they deleted vital systems, they placed a backdoor, a RAT or a keylogger or whatever it is, and they think, wow, that was pretty easy.
Again, they're waiting for the National Guard to be waiting outside when they come out, but chances are no one's really watching, no one's really paying attention, no one really cares, because there's so many things going on that one little guy stealing one little bit of information just isn't on anyone's radar. But because we've made such a big deal about this, they're just assuming it's going to be that bad, but it's really not. So the operation typically is the easiest part of all this. The training, the approach, everything leading up to this, that's the hard part. The operation is like pretty simple, but we don't want it to go wrong, so we spend all that time making sure it's
right. And then later we're going to ask why was it so easy, and that's part of my remediations later on.

Okay, termination. So termination sounds bad, but no one dies, you know, usually. Termination is where the op's over and we want our asset to still like us, to still believe in our kind of message, to believe in what we got together to do, so that when asked they don't immediately just rat us out. We want them to think that they did the right thing, that they are on the right team, that they didn't make a mistake, that they didn't betray everyone they loved. We want them to still feel like that. This still may happen.
We want to extract ourselves, because the agent doesn't want anything to do with this asset anymore, but we don't want him to feel like that. So it's, you know, it's not you, it's me, I gotta go do this other thing, but we'll be back and we'll do more of these cool things and we'll do all this stuff that you were excited about. So we keep them all riled up so that the asset still believes the story. They don't think it's over, they don't feel like they're used; they're actually going to miss their agent, they're going to miss that connection, that thing they had that got them roped in immediately, originally. When you read some of the
history of spies and tradecraft, you'll find that often people who have been caught still actually believe they were doing the right thing, because the whole process was so good that they actually bought into whatever agenda it was and they felt like they were on the right side, and even after they were in jail for a while they felt like they had done the right thing the whole time. So that's not uncommon.

So after termination, let's talk a little bit about what could have been done from the blue team side to maybe stop all this, because we just went through this whole process of how someone was recruited,
approached, targeted, assessed; they did the operation. This is all stuff that happened outside of a company's network. This happened outside of anything that's logged; it's happened mostly outside of anything that you have any purview of. So what are defenders going to do to protect their company against this sort of activity? It's very hard, isn't it? But there are some things we can do, and that's what I'm gonna get into right now.

So let's talk about defenders, let's talk about detections. So, you know, obviously in intel, I'm sorry, in information security, it's all about detections: about your data loss protection, your endpoint detection response, your intrusion detection systems, your user behavior analytics, removable media, you know, policies, your
dark web monitoring. These are all things that people talk about; your insider threat program, are ways you can detect people doing these things: stealing this information, accessing this information, getting into things they're not supposed to. The problem is that this is a very wide area and a lot of people might have access to this, so it's very hard to write detections that are actually really good at detecting someone who normally should have access to this, because we established they have placement and access to this, that they're really doing something abnormal. So while it's good to have all these things, it's good to have an insider threat program, it's good to have DLP, EDR, IDS, UBA, removable
media and dark web, it's not going to necessarily solve all the problems. This is what the vendors are going to tell you to buy; this is what you're going to see in most of the announcements on "this is how you deal with insider threat": you deal with the SIEM, you deal with the UBA. UBA is the number one thing people talk about: you know, all of a sudden they're logging in at weird times. Well, they don't always log in at weird times when they're stealing information, because their handler is going to say: don't log in at a weird time, that's going to set off a trigger. No, log in in your normal business hours. That's the first thing I would tell
someone: don't do something weird, don't do something abnormal, that's the first thing that's going to get you picked up. So these things are great from like, you got to have them in place, but these aren't really the solutions for how you solve this whole dilemma of how HUMINT and insider threat interact. We have to deal with some things that are a little bit more basic. What we have to do are the remediations.

So what we have to do is create an environment where people don't feel like they can get away with doing any of this without really there being any repercussions. So how many of you have been in an environment where everyone had admin rights?
We've all been there, right? Everyone had access to everything. You know, startups, it's happened; some even enterprise organizations, it happens. This is a problem. There shouldn't be a situation where people can feel like they can access anything they want at any time and there's really going to be no questions asked. That's an environment where people who are recruited to do these things think: okay, I really bought into all these things this agent told me, I really believe in the story, I really believe in this agenda they told me, and I'm not gonna get caught if I do this, so this is a win-win for me. What we need to create is a shadow of doubt for them, so they go:
you know what, I really believe what you're saying, Mr. Agent Man, I really want to be part of this thing you said, I really want to be an agent of change, but if I log into this and I start pulling this information, that's like immediately going to be detected, that's immediately going to be something that's noticed, or I don't even have that access on a normal basis without a little bit of scrutiny. That's the situation we want, and the way we do that is, you know, the basics.

Least privilege: you know, we don't have everyone having access to everything, so that limits the amount of people originally on that list in the very beginning of people with placement
and access. We want to make this harder for the bad guys. If everyone has placement and access, they've got the full gamut of people with weaknesses to exploit. We don't want that. We want them to have to work for it and find one or two people that have actual access to that sensitive information in a way where they could gather it. So we want to have least privilege employed.

Immutable infrastructure: now, this is not something that every organization can, you know, roll out, but if you can, think about this. We want as few humans interacting with servers as possible on a manual basis, because that's the situations where data is pulled or things are dropped,
or keyloggers or malware, whatever it is. If humans can go and touch a server whenever they want and there's really no one asking questions, they can do whatever they want. That's not a good situation. What we want is automation to be taking care of this, where someone, if they want an updated server, it happens via automation. Makes it much trickier. This is a whole CI/CD pipeline; there's roadblocks, there's approvals, there's all these things where, hey, Joe just can't SSH to a box and start pulling information without a bunch of people asking information. And you do that with immutable infrastructure. Again, not every organization can pull that off, but if you can, it makes it so much easier to
notice when hey you know what uh so and so just you know ssh into you know the jump box and went to here that's not normal because we don't do things that way we don't necessarily go in and do surgery we just killed the host and let the auto scaling group bring it back up the more you can move to that it makes it much easier to detect when people are doing things that are you know unsanctioned we want to have two-person integrity for pretty much everything we can do now this is again this isn't a product this is a process you know there shouldn't be anyone that can do anything in environment no there's no questions asked
you know you could be the the vp of infrastructure you shouldn't be able to go in and do anything without someone being saying hey what what are you actually doing here you know there's no change window for this you don't have there's no reason for you to be touching this these alerts should be going off there should be someone who who's alerted to this that's either equal or or or even higher uh seniority they can say you know what i don't understand why what you're doing messing with all this stuff like during off hours or during you know early morning or even at all because it's really not your job two-person integrity again not a product
it's a process but we need to incorporate that more so that people don't feel like they can just go and do anything and there be no repercussions another important thing is training so again we live in a world right now where applications are pretty much you know most organizations life blood almost everything is an app now every service you can think of is an app so the developers that work on those are are again the number one targets for anyone who wants to get data from them or or mess with them or cause problems for them we need to talk to these people like hey you just took a job for a fintech company and you're part of an important you know
financial thing that you're developing someone may come to you at some point and start talking to you about your job or make friends with you and it seems a little bit weird you know we need to train these people to say that you may be a target for this thing now it's again it's very unlikely a nation-state is targeting your people but how many times do recruiters come and steal your people and they take them a different company and maybe they take some of the stuff they're working on with them that's not abnormal that's a lesser version of what i'm talking about and we need to protect ourselves from that too so we need to train our people to be
like hey you know what you know you're in a sensitive position you have access to all these things someone may start talking to you randomly about these things and if that happens you know you got to be sensitive to that and kind of pick up on that and and kind of you know make sure you don't have blinders on that you know that it's that's that it's not a natural situation another thing we do is code analysis you know we got to scan our code we got to find vulnerabilities early but also unsanctioned you know parts of our code we talked about solarwinds um solarwinds the supply chain exploit you know they got in and they added snippets for to add
back doors to their to their code now they were doing some code analysis but clearly not enough to pick up that there was changes to the hash to the environment um that they had you know that had been altered so you know if we start incorporating that start letting people know hey yeah you're a developer but you can't just write a backdoor into this you know let's say you're working crypto and you want to you know like office space steal just a couples you know f of gas per transaction to go back to some wallet that should be scanned and that should go through you know peer review so that people don't think they can get
away with those things it's not that it's necessarily going to catch it but if it's in place people are just not going to try it and that's really the main point another thing people need is the means of reporting when this stuff happens so let's say my situation i explained earlier where someone was approached they were recruited and then they decided oh crap this isn't what i thought it was if they don't feel like they can go to talk to some other organization without getting in trouble they may say crap i gotta do i have to like go through this because now you know i have no means i don't even know who i'm supposed to talk to if they know
hey this is who i'm supposed to go out to i'm supposed to go talk to the cso i'm also supposed to go talk to compliance whoever it is set some designation up where hey you work in a sensitive part of the company and someone approaches you to gather information they should know exactly who they should talk to so it's a no-brainer and they feel relaxed about it and they know they're not in trouble because a lot of people will feel like oh i don't want to like cause stress in my life i don't want to cause friction i don't want to like invite this this issue so i'm just going to not say anything about it but then they can get
dug deeper into a bad situation they should know that hey um yeah i was i was at a bar and you know this guy was talking to me and he was asking a lot of stuff about the business and what what not they should have a means of reporting that to get it off their chest and to and to you know and and get some in some feedback so they know what to do next if that person comes back now let's uh let's talk a little bit about the the summary of all this so we talked about the adversaries and what they're going for they're going to go for placement access they're looking for to find motivation they're going to
manipulate your desires they're going to prep the asset they're going to deploy the asset and they're going to leave the asset thinking they did the right thing and what the defender is going to do they're going to restrict access they're going to create consequences for the asset they're going to create barriers for the asset they're going to trust but verify they're going to log the asset's actions and the right detections and they're trained to talk people about the situation now again yeah this is a very there's a very broad spectrum of of humint from nation state to you know just a business competitor where you know business competitors aren't going to have the same resources but
these concepts are all pretty much the same they're all kind of going after the same things so we want to have the same things in place we want to maybe assume the worst maybe assume it's me you know nation state level and their capabilities but put those things in place so this is not an environment where someone feels like if they're approached and things are going well that yeah i could probably get away with that and it's not going to cost me my job probably not going to be blowback probably people can't really find what it is i did it's really key more so than detections to really hamper down on this kind of threat
now in the beginning i talked a little bit about um you know who the agents were and who the targets were and i want to kind of rehash that a little bit because i feel like that's a really important part now developers as i said they are the gatekeepers of data right now they are the gatekeepers of your applications and everything is an application right now so they're the number one target and if we're treating them like mercenaries and we're not paying them well and we're not vetting them well how well can we really depend on them to to really be loyal to us we really can't and we really need to change that too so that's another piece
i didn't really add in here we really need to change our behavior about how we're treating developers and people who who help us um launch our our applications in a way where we feel like we're not giving them the keys of the kingdom without giving them a stake in the game because if there's no stake in the game they don't care if we fail they don't care if they give up their intel to a competitor they'll go to a competitor and bring everything they worked on with them we got to change that dynamic because that's again a lesser part of humint but how many times have you seen uh a you know self-driving car company has to sue another self-driving
car company because their lead engineer left and he happened to have all of his data on his own laptop well why did that situation even happen in the first place really you know why was it on his personal laptop why is he the one guy with all the data how was he able to get approached and kind of pulled away so quickly why wasn't the company who employed him like treating him if he's the lead guy for their main project and that's their main business line why were they so removed that they didn't even see this happening again it's very hard thing to do from an infosec standpoint but we have to start thinking about these
terms because this is going to become a very big part of our our issues going forward again because everyone can start touching us remotely unlike before so china russia you know we're dealing with with phishing attempts and we're dealing with all these other things we're gonna start seeing humint and targeted recruitment of our own employees in an insider threat vector if we don't start you know preparing our people for that um deep fakes how many times have we started seeing where deep fakes have confused people and we're you know you know social engineering is what we're calling it right now but deep fakes can be much more than social engineering once we start getting into
recruiting people and uh convincing people that they're you know working for the right people we're going from like you know witting you know unwitting to witting sources is what i'm talking about the the witting sources who are willing to do something these are this is all evolving thing that we're really on the cusp of right now and technology's really um really exacerbating how bad it can get so you know before the pandemic where you know life wasn't as remote this wasn't as much of an issue but because everyone's remote now we have so many remote capabilities the ability for the agents to reach out and touch our people has expanded astronomically along with our ability to work remotely
so we have to think in these terms and consider these terms and look at our employees as you know not necessarily liabilities but susceptible to these things you know they're online all the time now last two years what did it have anyone else to do after work when we're all locked down they're online well what do you think they're doing they're talking to people they're they're meeting people they're doing whatever it is this created a perfect storm for this sort of thing to become normal and i guarantee you and i know for a fact because of this intel i've been involved in this is happening you know nation states business competitors you name it they're using this
opportunity to get to people they couldn't get to before they're talking to people that were unreachable before and it's only going to get worse this is something we have to take into consideration as one of our future threat vectors it's one of the things we have to threat model against it's not just phishing this is a much more advanced version where they're going to convince people to go in and get stuff for them they're not just going to trick them they're going to convince them it's what they should do we talk about i don't know i shouldn't say we talk about but you know as many you may know people can perform physical pen tests where someone
comes in and they try and get into your environment and steal stuff or plant stuff or get access to something that's great that's a great test but the reality is is why would someone do that if they can just recruit someone to do it for them that's already in the office that's the real threat that's what's really going to happen it's already been happening quite a bit it's underreported because it's almost never caught but that's the real situation we're dealing with now where why would someone go in and risk getting arrested why would a nation-state or a criminal organization or a ransomware gang try and go in and plant a usb or steal data
or whatever why would they do that if they could just recruit someone who takes all the blame if they're caught but already has placement access it's much easier it's it's it's a no-brainer and if we're not thinking like that's a possibility we're not thinking clearly this is very much a possibility it's happening now again because it's just kind of you know we used to think of the old days of humint being like cold war russia china u.s you know honey pots and dead drops and all these things that's not the world we live in anymore we're engaged online 24/7 people meet people and fall in love with people and make best friends online now
and if you don't think that someone can get online and make a connection and convince somebody to do something against their best interests then apparently you've been online lately because i see it happening every day i see stuff on every social media platform you can think of where people are constantly influenced easily to change their opinions to conform to something to be excited about being part of a group and that's with very little effort imagine if someone's trying to do it if their goal is to recruit someone how easy it is and especially with all this information available again back in the day humint you had to do all this you know intel research where you had these
dossiers where people had collected information manually through a bunch of old tactics well now it's just online you can look at someone's song playlist and know what they're feeling pretty much in the minute oh you're playing a bunch of uh guns and roses you're rocking out to the 80s i got a little bit idea about who you are um oh you're listening to x music well probably having a bad day bro um maybe you need a shoulder to cry on maybe you need a hug maybe you need more than that it's not that hard is it you know you combine that with photos and everything else people are sharing it's very easy now um now you guys will probably you
know watch the video maybe look me up on twitter or whatever it is and say okay you share information chris and you're talking about humint you're talking about how easy this is why do you share anything well the reality is is that for years i didn't again 10 years this was my life and for 10 years i did nothing online i literally had no photos and no nothing and no presence and i decided you know what i'm done with that i haven't i want to be out there i want to be part of this this thing we're doing i don't have a problem with it because i know what i could face and i know if someone's going
to come at me that like it's a honeypot or some kind of scam wherever it is not as concerned about it it also you know doesn't hurt that i also found out that all of my information was breached by the opm so literally both china and russia have not just my dna all my financial records my psych records all the stuff they did to investigate me when i got my ts/sci so if they wanted to know anything about me they already have all that so there's really little they're going to get from social media that they don't already have um most people are in that situation but that's mine personally so i'm not saying all this stuff about
social media scaring anyone share your photos share your life not a big deal but just remember if all of a sudden you're having a bad day and someone pops up and there they answer all your problems ask a question is this natural is this normal why are they talking to me you know why all of a sudden when i've been searching for my whole life for this one thing is it popping up right at the moment my lowest maybe it's a natural thing maybe it's not but you should ask the question you shouldn't just be like oh thank god finally finally the woman of my dreams after 45 years of being single has found me
is it possible yes is it reality probably not so anyway i'm going to say thank you right there i hope i made this interesting again humint tradecraft how this relates to infosec and the kind of guarding your your infrastructure is a little bit of a leap for some people they don't necessarily you know i was kind of stressed like my concerns about this um i know not many people are necessarily buying into that yet but i feel like with the trends that we'll start seeing this is gonna be a very real thing i really do believe in this and that's why i gave this talk because i wanted to get ahead of this i feel like as a community we got to think
about these things before they're a problem we're on the cusp of that right now so i hope people listen to this digest it use it where it's applicable um not all of it is yet again not everyone's getting approached by a nation state and recruited for you know chinese and russian espionage um but the techniques are there and it's very real and as you know with social media and online online platforms it's very easy for people to get you know manipulated on a daily basis without much effort so just imagine if someone wanted to do it so take that in mind help protect your organization protect yourself and have a good day thanks
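
Added example, not part of the talk: one way to turn the immutable-infrastructure and two-person-integrity points into a detection, flagging any successful ssh login that has no covering change window or whose change was approved by the requester. The log lines, host and user names, and the change-record fields are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sshd log lines (ISO timestamps assumed; real syslog formats vary).
SAMPLE_LOG = """\
2024-03-04T14:05:11 jump01 sshd[811]: Accepted publickey for alice from 10.0.4.7 port 50122 ssh2
2024-03-04T14:20:43 jump01 sshd[902]: Accepted publickey for joe from 10.0.4.9 port 50310 ssh2
2024-03-05T02:41:09 db02 sshd[377]: Accepted publickey for vp_infra from 10.0.4.2 port 49888 ssh2
2024-03-05T09:00:00 db02 sshd[401]: Failed password for invalid user test from 10.0.9.9 port 40000 ssh2
"""

# Hypothetical change records: who asked, who approved, which host, what window.
CHANGES = [
    {"requester": "alice", "approver": "bob", "host": "jump01",
     "start": "2024-03-04T14:00:00", "end": "2024-03-04T15:00:00"},
    {"requester": "vp_infra", "approver": "vp_infra", "host": "db02",
     "start": "2024-03-05T02:00:00", "end": "2024-03-05T04:00:00"},
]

LOGIN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

def parse_logins(log_text):
    """Yield (time, host, user, source) for each successful sshd login."""
    for line in log_text.splitlines():
        m = LOGIN.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"])

def classify(when, host, user, changes):
    """Return None if the login is sanctioned, otherwise the reason it is not."""
    covering = [c for c in changes
                if c["requester"] == user and c["host"] == host
                and datetime.fromisoformat(c["start"]) <= when
                <= datetime.fromisoformat(c["end"])]
    if not covering:
        return "no change window covers this login"
    # Two-person integrity: at least one covering change needs a different approver.
    if all(c["approver"] == c["requester"] for c in covering):
        return "self-approved change (no second person)"
    return None

def find_unsanctioned(log_text, changes):
    """List every successful login that lacks a valid two-person approval."""
    findings = []
    for when, host, user, _src in parse_logins(log_text):
        reason = classify(when, host, user, changes)
        if reason:
            findings.append((user, host, when.isoformat(), reason))
    return findings

if __name__ == "__main__":
    for finding in find_unsanctioned(SAMPLE_LOG, CHANGES):
        print(finding)
```

The fewer sanctioned manual logins an environment has, the shorter the change list and the louder each finding becomes.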