
Trey Ford - Keynote: Virus! Malware! and Threats! Oh My!

BSides London · 52:14 · 406 views · Published 2014-05
Style: Keynote
About this talk
The current proliferation of malware and other threats have created an entire economy for cybercriminals; in today's world, the reality is that a determined adversary can always get in. This talk will discuss tactics for detection and containment, and includes a threat history review covering the last five decades.
Transcript [en]

thanks for having me I'm very excited to be here I want to reiterate a couple of things that the leadership said one b-sides I think it's part of who we all aspire to be and it represents the best of what it is we as a community want to be this is volunteer LED they're running a not-for-profit if you see the core organizers the volunteers give them a high five give them a hug thank them number two the rookie track go and encourage those guys I don't I hope they weren't all canceled just a couple okay just one canceled excellent go and encourage those guys finally go think the sponsor spend some time with them thank them for sponsoring it takes a lot

of money it takes a lot of energy it takes a lot of resources to do something like this so uh go visit with them be an encouragement and thank them for their time and investment viruses malware and threats oh my lions and tigers and bears I have no idea where this title came from um very briefly a brief introduction my name is Trey Ford I'm the Global Security strategist for rapid7 um I've held a couple of different roles inside of the industry probably much like many of you I wasn't in any one of them for too long um as a consultant or a Solutions architect I've worked with a lot of very smart people as a product manager I

talked to a lot of smart people an incident response I hired a lot of smart people and in general management I ran spreadsheets and recruited a lot of smart people um I considered the security Community Family and the primary role I have at rapid seven is one of advocacy my job is to be a resource for uh our partners and for our customers so one of the things I want to drill into very deeply today is the dbir you guys downloaded in red the latest version oh come on if our industry had an NTSB this would probably be the right document right we don't have Reams and Reams and reams of Actuarial data to dig into as a

community cyber insurance is based on what where do they get these numbers from if we look back into the history of infosec there's kind of the Spectrum in place in the early days we looked at the theory of self reproducing automata this theory that code May Echo we saw creeper and Reaper following to clean it up the term virus was coined in 83. a couple years later the Morris worm was released hey hey hey that ran on like Linux or Unix right that's safe from viruses I run OS X I know I'm fine Morris is actually interesting um in the United States what brought Morris into play what later became as the Computer Fraud and Abuse Act this uh this notion

where legislation said hey this secure this computer stuff these hackers we need to do something about it we need to create a way to manage that it was in response to this Morris was actually the first person thrown in jail under the Computer Fraud and Abuse Act in the 90s we saw a dos and windows viruses 2000 was fun because through the 2000s we saw all kinds of things I love you slam Slammer my Doom um in that time zone we went from where we were cleaning up viruses How many of you guys can like just rattle off all the um the registry key hives you need to go through and clean out when you're

manually removing a virus like this was old school like not old school I'm young old school for me um that all changed with code red Nim disaster this is where the notion of we can't clean up to get to a trusted Computing base things changed a little bit so we went to the nuke and pave timeline but thankfully antivirus saved us

this isn't being recorded is it is it all right shout out to Dave Marcus I'd love to give him a bad time so we saw an evolution the storm botnet Zeus crimeware this is where things started going from research and amateur work to professional spy eye apt it's our favorite acronym stuxnet became a reality so we're talking weaponized government-backed malware spy eye Bitcoin mining and Dexter point of sale one of the things that we I think we all would acknowledge and one of the things that we're still trying to help people understand this isn't about prevention this isn't about blocking things out this isn't just about hygiene a determined adversary will find their way in whether on purpose or

accidentally we will have a footprint given up in our environment no industry no vertical no infrastructures resilient enough to prevent it so the question becomes what do we do about that so the classic discussion is knowing your opponent I think we're all somewhat aware of these guys

just chew the ice cubes it's like the rudest thing I could do we're not going to talk about the dbir I think the dbir is very important data I think it's something that we should all spend time studying I think there's a lot of relevant wisdom I think there's a lot of data that helps tell a story Executives the business these individuals all like to be able to compare themselves I think the dbir is the first data point we have or we can actually reference this or we can actually look across the industry and look at the largest coalesce incident report and kind of share here's common threads here's common points of failure here's things that we know

people are blowing it on so what I would like to do is spend some energy talking a little bit about the good and the bad and how we compare ourselves a little bit and how we're different our opportunities so criminal economics I think we're all aware that money comes with specialization we're all aware that the bad guys the criminal hackers the bad guys the evil ones I want to think of them as our opponent um they've specialized specializes very simply there are groups that write the malware there's groups that build the exploits those that Wrangle the Bots those are actually responsible for the attacks you don't have to be an expert in any one area matter of fact you could be a

solid businessman or businesswoman and gather buy up recruit train work with each of these people people from around the world with their expertise their bias their infrastructure and run this business Outsourcing every component of it and we're all aware that most of them are in to make money this isn't the hacktivist discussion or doing it for the lulls this isn't talking about whether or not they're in it for the money it's a question of what in your environment what infrastructure do you and your clients your customers work to try to protect the FBI recently uh announced that the healthcare industry is considerably further behind than a lot of other verticals and in discussion one of the things I

wanted to underscore with those asking for thoughts on this was that if we take a look at this and this is not very clean this folds information uh we're all familiar with how databases work we spend a lot of time messing with SQL injection finding ways to interact with interpreters finding large tropes of data data that's easily parsed easily identified you can write regex to identify and pull off this is how Target Neiman Marcus all those kind of guys run into problems what's interesting about this is payment systems are designed to detect fraud they have a single point of uh identification if I and the people in this first well not four rows the first

four rows are empty but the first ten rows if we all shopped at the same place stopped at the same coffee shop on the way here this morning and one by one our cards started being used for fraud they would have a single point of purchase they would say hey all the cards within this window of time had been compromised we're all aware of these systems right how does this work in healthcare we guys have all been to a clinic seen a doctor in our information may or may not be in a highly structured database I've seen a lot of paper flying around in the United States we signed a HIPAA form I know that you guys have something

similar in the EU but when people start taking copies of this information home they don't just have my name my social security number my national ID number they have my medical history the names of all of my friends and family addresses I've lived in because they may need that from a thorough history I can't change any of that information they've got everything it takes to apply for credit on my behalf what's nice for that attacker is that from the moment of data collection to the moment of attack the moment of actual compromise When a credit Line's open a credit card's received a loan is placed those sort of things happen there's a large window from the initial theft

to that actual compromise they have this large window padding and protecting them we're all familiar with the intrusion kill chain I believe it was Lockheed that put this together the Cyber kill chain I think this is important I think we're all aware of the different types of defense mechanisms that plug into each of these I assume you guys almost all have aspects of this would you consider yourselves truly expert in any one or two of them seriously give me a hand here like some of you guys I know will have a level of expertise in some of these defensive areas all right almost all of the incidents in the new dbr did talk about deployment of malware

they also talked about compromise of credentials use of stolen creds brute forcing or reuse of those credentials there's a couple key pieces that we all need to keep track of but throwing away all the statistics if we acknowledge at some point they're going to get in I think we need to have a discussion about how we over emphasize or have historically over emphasized prevention and we need to drive a balance for response so I want to talk about the good guys I believe that we understand our adversaries I want to talk about how an ounce of prevention is not the same as an ounce of response I want to talk a little bit about why I believe as a community we

have a little bit of a myopic Focus so us this room this family our brothers and sisters our colleagues are on the globe at b-sides I'm going to lump in black hat because I consider them family the trainers some of you that are here present today we're the professionals people look to us for guidance for perspective and I think we've got a pretty solid understanding of our adversaries we understand what inside our environment they're after we were fairly confident how they use the data that we house the data that we don't own the data that we're custodians of how they monetize that how they value that what they're going to do with that I don't think we need to dig into that

I think we appreciate and respect our businesses I don't have to Hash the fundamentals you guys all know what your business values how you guys make money and how our job is to support that I don't think prevention and response are necessarily the same I've come to appreciate that I believe response is more important there's nothing I could do with my team at black hat to protect the network we were going to deal with incidents sometimes you take these things on the chin but I think that detection containment eradication and communicating openly about this stuff is every bit is important in managing your trust that you have with your customers and your business partners are you guys familiar with the term

Shadow I.T some of you I'm getting some nods we all used to talk about going open source we used to talk about going SAS

but we don't control that anymore my wife as a green business she has a her Master's in Divinity my wife's a lot smarter than I am far more educated than I am far more eloquent than I am she has no technical background zero my wife runs I.T for a medium-sized business three four hundred employees global kind of scary she runs their Exchange she runs their Exchange she runs box she runs all of their Enterprise architecture she does the new hire training she has got access to everything did I mention my wife's not technical honey I want to talk about OCTA what's OCTA well it's single sign-on well that's interesting why would you want single sign on Meg

well I would have one place to control people's login so I could set them up and it goes everywhere if I change their password it goes everywhere what sounds interesting why would you want to do that I swear I didn't start this well I don't know I think it's important it seems like like it's going to save me a lot of time well that's great and when people are having issues I'll have one place to go that sounds really smart and last week when we had to let this guy go it took me like 45 minutes to clean this stuff up and we saw that he was still logged into some things oh that sounds bad why is that bad what do

you want to do about that this is interesting to me my not technical although extremely bright wife is explaining to me things that you and I know one of my best friends Quentin he always says if you're explaining you're losing yeah I've found that if I try to explain anything to my wife I've already lost and when she starts articulating to me core principles of what you and I would consider to be good hygiene now we haven't got to this patch thing for her company but you know I'm not really their CSO I kind of coach and throw things over the wall like hey this heartblade thing get on it it's kind of amazing because when they

own it themselves the conversation is different are you with me so there's this other thing user accounts a human to an account this is not a one-to-one ratio how many of you guys use personal accounts for work two you're lying stop it all right how many of you guys only use your work account for LinkedIn yes what I thought now marketing professionals deal with this all the time most of this infrastructure we don't have a one-to-one ratio we're all accustomed to spoiled to I'm an old Novell guy I can't say old old's not real I believe in novel I love novel there's this idea they had the NDS like the the directory architecture right really brilliant

do you guys remember getting excited in active directory when you could drag and drop a user into another OU that was awesome and we had that like I don't know in 2001 maybe before NDS old school uh management it's all based on the X500 standard I come to appreciate Marketing in light of Novell because they had some really brilliant stuff brilliant stuff remember that argument that broke out between Apple and Windows we came up with the UI the GUI well no that's not true hey guys if you want to fight just letting you know I'm over here at Xerox that actually came from us um they I I wonder how much different the world would be if they invested in

marketing Communications and this is something I think we're starting to resonate with in security so the point I was trying to make with the users uh not being a one-to-one thing we talk about users we talk about accounts the thing is that's not a clean one-to-one ratio the enterprise we have a new higher ticket that's generated we're all doing this Enterprise thing right we're all compliant with our socks or whatever International standards we're using new higher ticket comes up we set them up at count and active directory that populates out the sales force and Oracle and all the other infrastructure items they've got all these all these accounts mapping back to one human but then

there's also these other accounts that are outside of the environment that aren't mapped to Central login and maybe OCTA and things like that are kind of cool but how are we tracking this stuff how many of you guys wear whether directly by title or by volunteer firemen type of uniform an incident response title for your company come on get your hands up be proud of that you're my people yes all right God bless you guys um how many of you guys have dealt of that group or how many the rest of you how many of you have dealt with accounts that weren't corporate accounts you're finding out that personal accounts on some level are affecting

corporate resources it does have well that's more hands than IR all right this is a serious problem we've got to be thinking about how to keep track of this what I'm finding is that you know I'm not going to talk about deprimerization there's too many syllables in there for it to make any sense I want to think about this notion that partnering with the user empowering the user championing their safety becoming their trusted counterpart I I don't think that there's any greater cause and there's something that we're going to have to shift in our attitudes and I'm going to go there in a second we as a community I think have a myopic focus on the technical

why do you think that is it's not something we set out to do I don't think we all aspire to be Dilbert is Dilbert International do you guys do Dilbert over here okay I don't ever know

it's easier it's more constrained we know exactly what's going to happen I'm not a very good Unix admin I came up in Windows still a lot with Novell Novell apparently has some Unix roots um but what I found in managing systems is I ask it to do a lot of things and with the constrained bit Martin's Dead on when I ask a system to do something I provide a script an installer a GPO there's a fairly structured amount of behavior that I expect to come back out of that right how many of you guys have made the jump from the technical track to the management track and I'm not saying successfully but you're you're in the batting cage

swinging at it a handful and those are low hands there's a lot of them though all right I like technology because it is constrained I do have a measure of expectation but what's interesting about this is uh I spent my entire life aspiring to it I studied my maths that's how they say it here right maths I did a lot of science I took a lot of uh I don't know I didn't take a lot of programming as much as networking and systems management but I studied this forever I banged my head on a hard table forever I've broken my share of keyboards I've always been working this I'm always reading new materials studying the

latest technology stuff that's coming out we all do this we do this nights and weekends but I think this is an aspirational thing and because this is something we've spent so much energy pursuing I think we Elevate that now when we make this jump over to uh to management historically in infosec we've not really respected so greatly our management counterparts there's a lot of csos out there there's a lot of middle management out there I think they get a pretty bad wrap man my manager just not very technical and he doesn't understand what we do why were you in the office so late oh what was it like golfing buddy I mean like we're in here trying to fix stuff

it's like they don't understand us right now in this moment in this chapter of History I think we're in a really neat place because we're seeing more and more executives more and more Senior Management in infosec and I.T that have moved over made the jump from technical contributors to management these people understand us they've fought our battles they've bled in the same dirt they've had pager Duty and they know what that is I had a manager when I was in IR come back in at three in the morning he personally didn't dispatch his admin he actually brought us coffee showed up brought us coffee brought us some warm food and left literally came by I want you guys know I

appreciate you I know what you're going through who's at home sleeping and what time are they up I'll check on them that that's me's leadership that was amazing middle management technical management they get a bad rap how many of you guys have said the following that's crap that's crap middle management brought you something your boss no your boss doesn't always sit on the executive board they don't it doesn't go from God to the CEO to them down through no no at their middle management something I'm guilty of all too often and I'm sure that you've faced this as well they've come to you with something a directive a decision that we don't agree with and of course being the strong infosec

type we let them know we laid it out because clearly I don't get it we're not in that age anymore what I think we lose sight of is that these managers they listen to us they care for us they support us many of them have walked a mile in our shoes maybe five miles in our shoes I mean come on guys we're the Next Generation most of us are standing on the shoulders of giants some of those Giants are in fact our managers and we lose sight of the fact that these managers are bloody on the side that we're not looking at because they went to management they fought the fight and they gave every argument we just gave

and more are we guilty of that I'm guilty of that I don't want to be guilty that but I am I have to eat my dog food on this and so there have been times I did this in IR of course IR is kind of emotional and when you're sleep deprived you're extra stupid Club mate doesn't help that um at black hat I did it but this is interesting right because we lose sight that we've worked so hard to educate our managers and our counterparts that they lose track they don't know what we're doing they've fought the Battle for us and it's our job to help educate them on hey making sure that you're articulating the

arguments correctly and did you remember all these other points and sometimes you just have to take it you pick your battles and that's their job not ours

oh dear imposter syndrome who here has imposter syndrome don't raise your hand I guess we all should Marty I love you're sitting in the front you're the first raise your hand you're probably the only man in the room you're my boy imposter syndrome's interesting because I think with our pursuit of technical knowledge technical Mastery we achieve a certain level of uh I clearly don't know enough is it not true the more you learn the more you understand you don't know crap is it not true when you meet with these trainers this this is this was probably one of my favorite things that I'll never live down at black cap working with the trainers and the more senior

speakers I've never met a more humble community of people that will meet you wherever you are I promise you working at black hat you don't know crap you're talking to trainers you're talking to researchers especially the new kids they're coming man I got this what does that even mean you're a black hat well no you don't understand dude like you're one of three people to get it can you use small words and talk slowly and help me understand what's coming out of your mouth right now because I do not get it imposter syndrome is interesting because I think in product management I should do a blog post on this and product management I learned about the curse of

knowledge you're a security professional you're a security professional you're a security professional when you go talk to your wife your spouse your girlfriend your neighbor the coffee shop girl whoever about anything you do for a living start a stopwatch and see how long it takes for them to glaze over unbelievable dude I spent all kinds

the curse of knowledge is awesome because once you know something you just assume people know it's so clear I figured it out scariest position I've ever been in coming off stage from doing a big talk at black hat fired up nailed it I think I nailed it and some dude walks up he's like hey so that that application you were talking about did you find this and this and how did you get past it I'm like oh it was in as deep as I was oh help so what's interesting about this is one when you're doing this research when you're finding something not only are you doing something that is rarefied air you're one of a handful of people that

may or may not get it number two when you go on stage to talk about it you're one of a few people in the room that it's actually going to keep up let me illustrate my point Dan Kaminski on stage opens a terminal window I did not say popped a shell opens terminal terminal inner pops terminal standing Thunders Applause at black hat can you explain to me what that's all about how often do you open a command Shell at work do you hear Applause your stalker tweeting over the Internet yes no there's nothing happening so the curse of knowledge just be aware of this and don't assume don't be upset when people don't follow but just be

aware of this this curse of knowledge that haunts us everywhere so when I think about the middle manager when I think about the presentation that we give to it when I think about aligning somebody out even inside my security team that understands me you guys know this is I can promise you when I did a Google search to find permission to reuse this graphic I cannot find a copy of this so this is not going to be the official slide deck it's coming out Muhammad Ali standing over Sonny Liston you want to lose your money you better bet on sunny how often do we walk into a meeting fired up because we've done the homework

people often misunderstand us because we're cocky we're smart I think that doesn't necessarily map to the best uh the the best Traditions the honor that is the community the shoulders that we stand on the Giants that have held us and coached us and supported us and lifted us up I think that we're often miscast because we speak from a place of conviction it's actually humility and passion we stayed up all night we read the rfcs we banged on it till we got there and I think we're often misunderstood it's what separates the bad guys the hackers the criminals from the good guys it's not the Relentless pursuit of accuracy Relentless pursuit of actually popping a shell success in an attack

even necessarily even success in our business objective which by the way isn't necessarily breaking the dam production environment

after Muhammad Ali laid out Sonny Liston he got to walk away totally 28 years old look at me not a mark on the face the criminals are in it to cash in they have a singular objective a singular Focus that's what makes them successful Clarity of vision they know what they're out to do they're driving a business they're driving Revenue they're cashing out those for the lulls they've defaced your page they didn't take anything that's great all right good game but that's that's not us the thing is when I think of infosec when I think of the community that has been so warm and kind to me to welcome me and my peers and put up with

me and I wanted to tell my first trip as a PCI auditor story to you guys I don't know that I've got the guts to do it that's probably for another time but when I think of information security I think of a picture more like this what is her name Megan Vogel winning the argument drop in science that's not success Megan Vogel is a track athlete I believe this was in high school she's running a race she's not doing so great the gal that was in the lead dropped she collapsed she overcooked it I think we all come out of the gate it's a little hot sometimes I'm just starting to get back to running

I hate running I still hate it so Megan's coming towards the last round and uh you know rounding towards the Finish Line towards that last straight 100 meters or so out this gal's collapsed track has rules it says you don't offer assistance to any other athlete that's basically designed to prevent you know me from boxing someone out because I'm slow and out of shape so my track star athlete can pass Megan stops and picks this gal up totally crushes her opportunity of putting up a solid performance but this gal she was leading it she had a bad go picks her up and helps carry across the line being right proving someone wrong God help us embarrassing somebody

that that's that's not who we are it's not what we want to be how many of you guys control the p l and the resources in the I.T Department two hands see me afterwards I'm buying you beer I've got to learn your trick your secret I don't know how you do it for the rest of us in the audience guys our our success is found in our Partnerships and our counterparts we've got to support these guys we do a lot of self-policing we and we have to as a community and there's a right way and a wrong way to do it and I'm guilty of this I was poking somebody this week that shall go unnamed

and my attitude was wrong and the Wolves were true and real but um as a community I think we need to find ways to partner to pick each other up to support and encourage find the right way to call people out but at the end of the day I think we're all kind of focusing on the same thing how many of you guys during the Heartbleed incident got on the phone with a competitor or a peer outside of your company to compare notes hold your hands up higher Stand Up Guys give these guys a round of applause please

you know there's nothing in this industry that encourages us to do this I'm not going to ask for the number of hands Bound by multiple ndas in this house how many of you have to clear with legal before you can do a talk let alone put something in writing let alone a customer facing email it's hard but in those moments remember we're entrusted with this data this isn't ours that's not my credit card number I I you gave it to us we did a transaction but we're custodians it turns out our competitors down the street this isn't competitive Advantage this is protecting the greater good right I think this is important and I think these conversations have to happen

so when I think about things I want to think about how some of what our opponents are doing are better than what we're doing I know it's against the rules you're not supposed to put a bunch of words up on slides but I don't know how bad jet lag is going to be so I'm going to cheat I'm sorry playing to your respective strengths specializing the bad guys turns out the best exploit Riders aren't the best botnet herders aren't the best money mules they specialize right early on has a pretty decent systems engineer wasn't too bad with Windows management group policy it was pretty decent at troubleshooting a network I don't want to think I'm very good at

Excel but I'll be dogged at black hat if I didn't get really good at Excel it's where I live my life but I think we need to find ways to specialize to drive energy into that we need to capitalize our natural strengths the criminal Enterprise has something a little different in terms of competitive issues and having beer with a grug and I recommend if you ever have a beer make it one those of you that know the grug know that that's the right solution hey Marty when we partner with organizations we partner with other professionals when you hire your partner when you're interviewing and meeting with security talk to the IT team and figure out who

you're going to be working with they're your lifeblood when you partner you don't have to worry about them potentially being a snitch what you're doing is on for the most part up and up most of the time when you do something stupid that's different we clean that up later but you don't have to worry about them being a snitch or necessarily trying to cut you out or double crossing you and stealing your money criminal Enterprise has a different trust barrier trust architecture and liability structure than we do so finding ways to make it safe for your research team to do research making it safe for your Communications team to communicate how many of you guys work in marketing

work in communications? I don't see... I know you're lying, there's two of them over here. Turns out I now work in a marketing crew; my job's to help with that. But it's very strange, because how many of you actually trust the marketing team to say, hey, on behalf of the research team, this is the right thing to say and I'm not going to review it, I trust you? Not a hand. It's truth, it's scary. Finding ways to trust, finding ways to give things away. I think the hardest part about security is finding the right way to trust. I love that. From a user standpoint, users are becoming more suspect. Heartbleed is interesting, wasn't it? Is there, have there been, and I throw this out

for feedback, has there been a single incident in the history of the internet where people, not just techies, not just security folks, people at large, were launching scans against our web servers, banging on our site? My mom asked me about this: what is that all about? I got an iPad so I wouldn't have to deal with, like, computer questions. Dude, no, I'm scanning this. And what, is it safe to log into Cox? I got to pay the kids and use Cox, but I want to log in and pay my bill, can I do that? I don't know, Mom, why don't you call and ask? Who do I call? I don't know, figure it out, call them.

Kind of cool. Like, this isn't just, like, I don't know, the NSA, General Alexander, giving us the opportunity to go talk to our families at the dinner table. This was different, right? It became personal. Finding new ways to expand their gifts: the bad guys have it a little easier than we do. Our opponents have it a little easier than we do; I'm trying to get to this gender-neutral messaging and I'm doing a horrible job. I like my fighting and war metaphors. I got away from "bad guys," that's one too, sorry. They have it easier because they get to specialize in very lucrative ways, don't they? How many different hats do you have to wear on a daily basis? Those of you and I

are wearing at least a dozen. But how many of you guys have one clear job function? Let me get this straight: your job is to fire up a VM, log into Tor, check in to three encrypted email accounts, move some funds around, and get off the internet and get back across town? No, it's the Grugq. The rest of us are checking the page or checking the cell phone, checking the Twitter, checking the Facebook, checking the LinkedIn, checking the corporate email, checking the Jira, checking the Confluence, checking what never stops. What's interesting about this is, how many of you have spent time outside of our technical pursuits exploring how to better communicate to our business counterparts,

have taken managerial classes, maybe worked on an MBA, for those of you that don't believe in that stuff, jumped into, like, advanced Excel classes, worked in public speaking, even did something silly? I've started to take improv, and let me tell you, if you want to get past your notion of "I'm uncomfortable on stage," they make you do everything stupid in the book. It's unbelievable: make up a sci-fi creature and act it out for the next 10 minutes. Horrible, but it helps you communicate a little differently. What's very strange about this is, um, in improv I came to appreciate that it doesn't have to do with the science I drop, how eloquently I hit my messaging,

how very clearly I articulated a solution, an architecture, a problem or a business case. Remember that thought: if you're explaining, you're losing. Communication is what the listener does; communication is what the listener walks away with. Has nothing to do with you, has nothing to do with how you did or what you covered. The meeting is literally about getting them to walk away with ownership of a problem: "I want to move to centralized authentication." When we moved to Okta, it's mind-numbing, I don't know how it happened, I wish I could figure that out. My wife is so smart. So sometimes when I start looking at the problems we're facing in infosec, I think of Dave Marcus and I channel my

spirit animal, Dave Marcus, and I realize some of the kids coming out of college right now have been watching us. Turns out Twitter removed that veil of brilliance where we sounded so smart on the mailing list; we spent a lot of time sorting things out on our own networks and talking to peers in IRC. Um, these kids are coming out with far more expertise. Running incident response for Zynga, I assure you, I've worked only a handful of our incidents, but hiring these kids out of, like, CCDC. Are you guys, does Europe have, like, a CCDC kind of thing? CCDC, Collegiate Cyber Defense Competition: it's basically like a red team exercise for colleges. All right, dude, you guys got to get in on

this. All right, so what they've got is a bunch of universities that get together, and, um, they've got, it's like a CTF environment. They're running a full-tilt capture the flag, just like DEF CON or anywhere else you'd attend, except it's organized college teams. Do these kids know how to lock down a BSD box? They've learned web app sec, they've learned, uh, exploit development. I mean, like, these guys know everything that we spent forever trying to figure out, or for me, sitting back and watching. Uh, what's interesting is they have all these skills, but they can't communicate it, they can't message it, they can't put together a P&L, a profit and loss sheet, they can't communicate it to the

business. They're excited, they want to take over the world, and they want to do it all right now. Uh, one guy literally tore apart our entire, um, Puppet infrastructure, owned the Puppet platform, and was literally rebuilding aspects of the Git repos in production without talking to anybody, on his lunch break. I cannot articulate what that meeting went like when my boss called me in to say, dude, what's going on? Puppet and Git, people can't get in, they don't know where stuff went. It's like the Chipmunks, Alex. Amazing the things these guys teach you. So, um, I've got to be sensitive to time; I want to wrap this up so you guys aren't late getting started. How do we live this?

Something that Rapid7's CEO, and I don't always love how things are positioned, but I love the sentiment behind it, Corey, in my interview process, and I spent seven weeks reflecting on, do I want to go to Rapid7 to work there? They've had a bum rap, they've had some rough sales history in the past, launching, and this company has made some hard decisions and made some big investments. Something Corey has, he's put this into the minds of all the employees, all the teams, and something that he does himself every week: he stops and reflects on the question, what am I doing, what have I done this week, right now, what is on my calendar for this week,

that makes me more relevant? What am I doing right now, and I'm not talking existentially through to my job duties in the umbrella organization I'm a part of; what am I doing myself, right now, that makes me more relevant? How am I changing the information security space? What am I doing to leave this better than I found it? And this is something that I think we have to live, and we have to instill this in our teams and our peers, and we need to demand this of ourselves, and we need to hold ourselves accountable to this idea. We need to find and create heroes. These are people that are going to stand

for what we believe is going to be the best in information security; these are the things that we aspire to personally and professionally. This is something that I really got into, something I really think makes a lot of sense. One of the things deals with helping others seek to do the right thing: doing a good job is marginally more expensive than doing the job and exponentially more effective. I have no idea where that quote came from; these aren't like statistics where you can make them up on the spot. Somebody said this, and I feel bad I couldn't find the source. Some of my favorite quotes usually come out of chats with Mercurial. If you guys

know, or if you've got a phone, look them up on Twitter and follow them, he's awesome. Um, earlier when I talked about reaching out to people outside of your organization for feedback, I get in trouble for this: I love to reach out to people I know that are experts, in my opinion smarter than me in areas that I can learn from, that will challenge me, that will stretch my perspective, or will call me out: Trey, that's crap. I understand you're upset, but that comes out of your mouth, you're gonna fail, that's not going to be effective, you're not going to win people over. They have to own it; help them get there. We've all talked about this, uh, wasn't there, like,

some sort of report that says it costs, like, 10 or 100 times more to fix a bug after it's released to production than it was in QA? This is one of those source code production reports. Um, I don't know that we've solved any of those problems, we're making progress, but I think the sentiment carries: that if we're going to do something, you know, this probably flies in the face of agile methodology, and that's a whole different philosophy we're not going to get into today, but doing something right is worth the additional investment. Rich came all the way from San Francisco today. Rich is, I call him the director of awesome; he was my senior marketing guy

at Black Hat. I used to preach something called virtuosity. Anybody know what virtuosity is? Shut up. Might be. All right, so virtuosity: this is, uh, the notion of doing the common uncommonly well. I don't know why it's always, like, a little Asian kid on the piano or the violin that I always think of, little childhood virtuoso; they pick up an instrument, they sit down and they play, they play something simple and they play it elegantly. Doing the common uncommonly well. I didn't help found, I didn't help organize Black Hat; I was only there for two years. I had the honor and the privilege to work with the team to try to help serve a community in this role,

and there's no one on Earth that wants to put on a t-shirt with a bullseye on the front and back and say, I can run this. That's why I hid in the back; I didn't want my name out there. Virtuosity: what I thought our keys for success were, what our table stakes were to stay in the game, was to focus on core components, where every time we touched an attendee I wanted it to be the best experience we can make it. I wanted to try to find and distill and execute on what we felt the core principles were. I think this applies to every aspect of life. I don't know who originally came up with this; I'm pretty sure every coach I ever

played football for, your football, not America's football, every coach I ever played for always preached the same thing: we're gonna focus on the foundation. That little shuffle step where you kick the ball back and forth, you do all the little dance moves with the soccer ball, football. Doing the common uncommonly well. And I think this applies to everything else. When we tear apart the DBIR and we look at the failure report card, and I don't think this is because we're focused on fail, don't let anybody feed you that; when we focus on the report card, what we're studying is lessons that we can learn from other people's beats, right? We're falling down in the fundamentals. Who here has patching nailed, and I mean

nailed, and I mean nailed? Yeah, what's up? Let's not go there. So I'm not going to hammer this any further: if it's worth doing, it's worth doing right, and maybe it's worth doing right the first time; that's the Department of Redundancy Department. 0day is always fun, and I like to argue 0day. We get into this discussion a lot around major conferences. I think Eloria, if you guys are following, what's the, uh, the little GIF Twitter stream? Yeah, Security Reactions, that's awesome, follow it, not always safe for work, but you guys are a little more relaxed in Europe. Um, Security Reactions is awesome because I always make fun of, like, the one person that's dropping 0day at a conference,

and there's, like, the cat freaking out and all the puppies crawling all over the cat. Dropping 0day is important and interesting. How many of us, in all seriousness, literally fire off red alerts to our teams and launch into action every time a 0day is discovered? All right, some of us are full of it. You see, we're all aware, and I think we all believe this on some level, but we have to articulate this clearly: at any point in time there's always 0day floating around out there. We can't be responding to this; 0day is simply a sanity check. We have to be prepared and be defending against this sort of stuff. We need to be prepared to instrument,

when we find things. The most interesting conversation about Heartbleed was, how do I really know? Like, can I figure out not just am I being hit, but who? Maybe is more interesting. Well, it doesn't have really artifacts of attack; I didn't have intrusion indications. We're going to land in one of these departments. Gin Savage probably had one of the most succinct thoughts, and this came through probably around midnight last night when I was rebuilding my PowerPoint deck: manual tasks you don't do regularly aren't emergencies. I think the salient point that she's making here is that I don't know if we always do the most effective job of automating the things that need to be done frequently. How many of you guys are

tracking, I'm not talking logging, actually doing something with the data that comes from successful login attempts? We have two people here that know about PCI, two of them. Successful login attempts are terribly interesting. For those of you with production environments, having a jump box is great, because any lateral logins that didn't come from that box: lights on, let's go, right? These are interesting thoughts, how we leverage data that's available. Yet another quote from Mercurial, and I'm going to wrap this up pretty quick: resilience in the face of failure is better than planning for zero failure. Resilience in the face of failure is better than planning for zero failure. How many of you guys have ever dealt
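The jump-box check described above, as an added example that is not part of the talk: a small Python detector over constructed sshd log lines that treats every successful login to a production host not originating from the jump box as an alert, and tags the ones coming from another production host as lateral. The jump box address, the production subnet and the log lines are all assumed values constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed syslog-style sshd lines (not from the talk); only "Accepted"
# lines are successful logins, the "Failed" line is there to be ignored.
SAMPLE_LOG = """\
May 10 09:12:01 prod-db-01 sshd[2231]: Accepted publickey for dba from 10.0.9.5 port 50122 ssh2
May 10 09:15:44 prod-web-02 sshd[2310]: Accepted password for deploy from 192.0.2.44 port 41002 ssh2
May 10 09:16:03 prod-web-02 sshd[2311]: Failed password for deploy from 203.0.113.7 port 41100 ssh2
May 10 09:20:19 prod-app-03 sshd[2402]: Accepted publickey for svc from 10.0.1.20 port 39990 ssh2
May 10 09:22:50 prod-app-03 sshd[2410]: Accepted publickey for ops from 10.0.9.5 port 50300 ssh2
"""

JUMP_BOXES = {ipaddress.ip_address("10.0.9.5")}  # assumed jump host address
PROD_NET = ipaddress.ip_network("10.0.1.0/24")    # assumed production subnet

# Matches only successful sshd logins; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    reason: str


def find_unexpected_logins(log_text, jump_boxes=JUMP_BOXES, prod_net=PROD_NET):
    """Return successful logins that did not arrive via the jump box.

    A source inside the production subnet is a host-to-host (lateral) login;
    any other non-jump-box source is a login that bypassed the jump box.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # failed attempts and unrelated lines are not successes
            continue
        src = ipaddress.ip_address(m["src"])
        if src in jump_boxes:
            continue  # expected path: operator came through the jump box
        if src in prod_net:
            reason = "lateral login from inside production"
        else:
            reason = "login from outside the jump box"
        alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], reason))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_logins(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: {a.user} from {a.src} ({a.reason})")
```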

with a water or power outage? Mass hysteria in the streets, dogs and cats sleeping together, it's like the worst parts of the Bible, right? No, dude, you fired up your, you guys call them torches here, right, your flashlight, and you're fine. IT departments are not motivated in that way. How many of you to this day have IT departments that are motivated, they get their bonuses, their additional income, based upon uptime percentages? Raise your hand, Martin. Almost everybody, right? It's all about uptime, it's all about availability. This is hard because resilience doesn't always dictate safety, doesn't always dictate being online and being available. Yeah, you got a couple giggles there. Come on, bro, do you even Chaos Monkey?

You guys know what Chaos Monkey is, right? This is Bill Burns, uh, 501c3 on Twitter. Uh, Chaos Monkey is literally a script designed in production to turn off servers, to kill processes, to break things in production. Why is that a good idea? How many of you are in pen testing, red teaming, attacking? Keep your hands up, y'all. Yeah, I said y'all, I'm wearing cowboy boots, get off my lawn. How many of you guys have, how many of you do not have scopes of work? Keep your hands up. When you do an engagement, you don't have anything that's out of bounds? Come get some. I got a couple shaky hands, a couple shrugs, and a couple of real big

smiles. Attackers don't have scopes of work. They don't. And I had a discussion with a CSO, and I'm praying and hoping and I'm pushing and converting, I'm going to find a way to blackmail him into doing this: there's a CSO of a prominent organization on the internet that we all know and love and use that is advocating the elimination of this notion of scopes on his red team entirely. We all do tape backups, we do online backups; if we're using VMware, virtual hardware, cloud infrastructure, backups are totally different. How come we can't test this stuff? Somebody gets inside, what do we do? I think we would all agree with this; this is an interesting problem. I'm hoping I can talk this guy into

doing this. I keep wanting to say his name just to force him, and I can't bring myself to do it. This next bullet is brought to you by America's TSA, hahaha.

I hope they're not a Rapid7 customer. 100% defense is not possible. So, parting shots. I request, uh, I think it was Kevin Mandia at RSA that said the Air Force taught him that you can only give three bullets, so I'm going to blow that, I'm just gonna give you a whole bunch more. Respect criminal hackers as business professionals; we need to honor that our opponents are focused, they're diverse, they're specialized, and they're efficient at what they do. We need to achieve virtuosity on the fundamentals. This isn't something we do on our own; this is something we rely on our partnerships and those who are supporting, and we're investing, we carry those that have fallen, and those are our

partners, and we're there for their success. Champion response and prevention: part of this means discussing 0day better, not using it as a fire drill item but as a sanity check, and discussing, well, this has been out there, Heartbleed was out there for two years, this is interesting, what's our solution set for this? Automate where you can. Winning isn't enough; don't give up on being right. And challenge each other to expand your skill set, things that aren't just technically oriented. I'm not saying everybody needs to go middle management; I'm not saying everybody has to jump from being a technical contributor to being a people manager, but we need to help those guys; that's a hard transition,

it's hard to do, it's hard to be successful, and it's hard to be happy doing it, but help expand your gift sets. Long rant; I think I'm right on the money. Got 10 minutes left. Any questions, or rotten tomatoes or eggs? Guys, it's an honor and a privilege to be here. Thank you so much for having me.