
Good evening, everyone. Welcome, class, take out your textbooks for Cyber Security 101. Oh no, no, all right. So, thanks, John Jay, for having, for facilitating this. I'm super honored to be here. I know Huxley keeps making a big deal that I'm the keynote and that I said yes and all this, but actually this is like the places I'm from, this is the places that mean something to me, this is my roots. Besides ToorCon, the hacker conference, this is the community, and I'm actually really honored to actually be in New York City talking as a keynote, so this is an exciting time for me as well. The theme is reboot, which is actually kind of cool, because congrats, we got BSides in New York City back. Everybody, get a little positive, you know. All right.

So, who the hell am I? That's a big question, because sometimes I wonder that on a daily basis. So, my background is I've got about, I think I'm getting old, so 25-plus years of information security and counterintelligence. I focused on trying to bridge hackers with feds in the years that actually mattered, so that we can actually, you know, do things like threat hunting and digital forensics, and criminal justice actually happens, because when you get people with handcuffs and you get people that are really good with computers together, it gets a little kind of fun, right? So we get to stop bad guys. I'm the CEO of a company called Unit 221B, as in Sherlock Holmes, you know, and it's an investigation and R&D think tank. We do a lot of really cool forensics, we do pen testing, we do investigations, we find bad guys. Our mission is to find them and disrupt them, and we get to work a lot with law enforcement because of that as well, because we like to really kind of put an end to the problem and send a nice message. So yeah, forensics and all that kind of stuff is kind of our area, so it's great for that. You know, I'm at a school that actually teaches forensics here, this is great. I also like to mentor, so
those 200 people that are going to ask me, please come up to me. I have a free training school actually, and we do all collaborative creative stuff, and I say yes to everyone. So essentially this is just to kill that whole glass ceiling a little bit, and it's been a project since COVID, because I figure, you know what, you've got to do something cool, right? So we do cool projects, we can do forensic projects, we can do all these different things.

So, earlier days: I founded I2P, it was the dark web tool back then, before Tor. Zeus malware was kind of like one of the big things that I got to do and play with and stuff. I also am a violin and piano player and love karaoke, so if anybody likes to karaoke, you give me a call. I also worked on, I got into ransomware around 2013 when CryptoLocker came into my view, and we actually started a CryptoLocker working group. And recently we released an article that showed that we had secretly cracked the Zeppelin ransomware and helped people during COVID, mainly small to medium businesses, where it would have probably, you know, ended their organizations. We cracked it because they hit the homeless first, and I was not happy about that, and if you hit the homeless you're going to get someone like me with ADHD and a lot of focus to go, not cool.

So, all right. The problem with all my talks is usually people call me and say, will you keynote on emerging threats, right? That's like the big thing, you know, everybody wants to know that stuff. But the problem with that is that I sit there and go, that's a YABET, right, yet another boring emerging threats talk, which I don't want to do. And actually, ironically, when I came up with this talk it was kind of in the moment, and I realized I want to actually do something more about reboot, you know, and the concept of where we are in our stuff, because what is another emerging threats conference going to do for us? Sorry, just raise your hand. Okay, got it, double
checking, still a classroom. But what's that going to do for us? We're going to basically be a little bit entertained: look at this cool threat, you know, all these bad guys are doing this stuff. We get that, right? We'll go back to the office and do what about it, right? Oh gosh, you know, that was a cool talk, but how can I apply it? I might be scared because of yet another emerging threat, and now I've got another problem on the stack on my thing. If you're a CISO, that's probably just a headache, and we're not going to get really prepared just by talking about this anyway. So I want to talk about something a little bit different.

I've actually figured out the emerging threats algorithm for cyber security, and here it is. Okay, we start with: what are the emerging threats from 2023? You can either ask Google, or ChatGPT plus Google, or Bard, one of those three things nowadays, and you get a list. I'm just going to start with the top four because, you know, screen space and all that stuff, but that's enough anyway. So the four: ransomware, email compromise, supply chain attacks, IoT device attacks, right? Then the next part of this is, then you go, have we solved any of these? If yes, what are they, and remove from the list. I don't think the list has been modified for a while, right? And then on the other side, how do we solve for any of these? No, then we carry over to the next year, right? Notice that. Then what we do is, are there any groundbreaking tech in 2023 that scares the crap out of us? Yes, AI and ChatGPT, right, that one. So let's add that to the list, number five. Wow, the list is getting longer, right? So then we wait for a vendor to come along and say they sell something that will fix your problem, and you're taking a gamble and spending all that money to see if it will or not. Because everybody, you know, I'm not saying they don't, I respect the vendor space, and there are people that are solving real problems, but you know, that's how we kind of sit and
solve our defense problems today, right? Any groundbreaking tech that everyone knows about? No, phew, keep trying the same thing we did last year and hope the numbers get better. So we'll go back to number four if AI and ChatGPT weren't on it, but we'll add five today, it'll be fun, right?

So, anybody want to tell me what the definition of insanity is? Repeating the same thing over and over again and expecting a different result. Cool, let's verify this with ChatGPT. What's the common definition? The common definition of insanity is doing the same thing over and over again and expecting a different result. Congratulations, you passed the test. I used ChatGPT to grade my test for me. So, okay, so obviously we're asking the latest, right, you know, and it seems to know the answer better than we do, which is kind of fun.

So obviously we're doing something, and we all need jobs. Do we all admit we all need our jobs? But like, today a security researcher is more of a marketeer, right? They write blogs and stuff. Not that this isn't also important, but most of their careers, they write blogs to push a device, to say, look at my malware analysis stuff. So it becomes basically media fodder for essentially some company's device. That's fine, that is a model, but is that really what the security researcher wants to be doing all the time, or do they want to be solving a problem with all the malware they analyzed, right? And we don't really make room for that, and I think now, with the way the jobs are today, we can do both, and it'll actually benefit us. So I'll talk about that.

But first, let's talk about how we're tired. COVID is still, you know, there are people still wearing masks and COVID is still a threat, but it is probably nice to get out, and we can actually finally be in a room together. You know, that deserves a freaking applause, right? But let's talk about the existential crisis we actually really had. We all shared a collective trauma, that we were all afraid that we were going
to die, right? And that is its own thing. And then we had work, we had to work at home. Our prefrontal cortex was probably only going at around 30% because of all the stress in the back of our head about all of this stuff, and it was hard, and we had to adjust, and Zoom. And I got to learn 10% of neuroscience because of Zoom, because my wife's a PhD student, so I'm like, all right, cool. But essentially it was a big change, it was a big shift, it scared everybody, and I think we can all admit that. Are we good with that, right? Okay. So that is some serious trauma, and it's changed how we might look at the world, it's changed how we looked at ourselves, a few things, which is kind of the beauty in all that part, right, if we survive it.

So 2023 comes in. Anybody feel in January, February how it started going faster? The world started going back to faster, and it was kind of stressful when everybody's kind of heads down, just shut down, and they're like, where's my friends at? And they're like, I'm just too busy to even text you. How many people had that feeling, starting January, February, the world just starts spinning at that normal pace again, and we had like, what happened to our COVID pace, right? And that was hard to adjust for, and that's its own trauma, that's its own problems, and we're tired, and the template has changed, but we don't have to. One thing we learned in COVID, if we did, you know, there is tragedy to it, and I'm really sorry about that side of it, but there are also, like, you know what they say, what doesn't kill us makes us stronger, is that there were some gifts that we could learn. We learned our own tempo, we got to sit with ourselves and do more creative things in many cases because we had the time, or we spent our time with the family, those kinds of things. And so what's really important here is that we can take the gifts that we did learn coming into COVID, come out and slow down to actually go faster, and we've got to remind the companies out there
that it's not just going to go back to how it was, because actually we found our creative space maybe, or we found some other things that are really important to us, right? So let's step back and do something different with those gifts.

So we've been sucking on, like I said, the security market Kool-Aid. Our problem caused by our current approach is this: if you're a CISO, or guarding a network, or you're the organization, security defense is a cost center. There's no profit for them, or at least they don't look at it this way. So unfortunately you see those people who have to guard it have to spend time negotiating whether they want protection from a breach that's likely going to happen, which is kind of ridiculous when you actually look at it that way, and we're going to talk about that later. For your security vendors, it's because they're in it for themselves as well; see, it is billions of dollars and a big sale. So if you're the Mandiants or whatever, all the good big players out there, they're doing something, don't get me wrong, but they're in it for the industry aspect of it now at this point, which is not a judgment, it's just the nature of the beast. Then the threat actor and adversary, all he needs is one bad line of code in a few hours, now with ChatGPT maybe a few minutes. So just basically one line of code in a short interval, and all the million dollars of devices you spent and the tens of millions of dollars you're spending on 10 people running that device all falls down. It's a zero-sum game, and it's a losing one on our side. So is this how we're going to continue solving security? Do we think this is working? I'm not saying, like for instance, all the policies, rip them out, because they are working: 90% of ransomware that comes at you is actually caught. So there is a lot of pieces here that are more reality here, but the reality is the security engineers cost a lot of money just
to work with a SIEM or this or that. And it kind of reminds me of when gunpowder came out in the old days in warfare, and essentially you've got all these castles that start crumbling, and they have to sit there, and there's this time where you have to adjust, because castles are sitting still and you've got this dynamic set of weapons that are new. And so what's that adjustment period? I think it's time that we finally get past this adjustment period and stop being just the castles anymore, right?

So when we talk about the zero-sum game for this, we're actually looking at: the real emerging threat is us. It's our systemic behavior. We've gotten complacent, we negotiate, and we need a job, and those are realities. We get overwhelmed, we're costly. I mean, every time we do a red team we end up seeing where there's like 80 tickets on a 10-person security team. How the heck are you going to even stop us when we're in your network? You've got all these other tasks going on, right? And that's the problem. So obviously arguing for the investment, all that stuff, is a big thing, but it's weird to me that it's an argument in the first place. So basically you've got all this fear of conflict as well. So, you kids that are doing your new job, when you get a new job out there, I'm going to teach you one secret in life: don't fear conflict. You'll get more yeses everywhere you go.

So let's talk about fear and innovation. Okay, so how many people actually play with ChatGPT? Yay, good. This room, I don't need to talk and lecture about fear. But how many people are a little afraid of it, like, holy crap, this might be something? Okay, see that. So it's like you play with it and you're afraid of it. That's probably why we're playing with it, because it gives us a sense of control, yay. So we are in the AI era. We have now had that disruption, just like when the internet came out in 1995 for everybody. Obviously the internet was out there before for some, you know, for
hackers that knew about it, but essentially we've had a new disruption, large language models, all of this stuff. And yes, it's going to make a threat actor write ransomware much faster, because all you have to do is say, make me a backup file encryption program, and it will write that for you, right? But instead of being completely afraid of it, like, the fears are somewhat rational, it will happen. We've seen some malware recently that used low-code ChatGPT and stuff, it was in the news. And the code will be faster for threat actors, but it's not like anything changed. All it did was put us there too. Security engineers can now be faster too. I can actually write an entire risk model; it won't take me 10 months of training on TensorFlow. You can finally speak language to a computer, a human language, and it will do what you need. You can make automated risk scoring, automated intelligence reports. This is actually a thing where I set up VirusTotal and it will literally pre-prompt, and every time I look up a hash it will simply make a full malware analysis report in a human-readable format. This helps train our juniors in malware analysis, this will help get us there. So there are uses that are actually really quick, because how much does it cost to get someone to reverse engineer and then write the malware analysis report and all that? That's the whole thing. That doesn't mean it's taking away your job. It's allowing you to look at the, we're overwhelmed with malware these days, no one's got time to do that. Malware analysis should be chosen when it's ready to be done, because it's a matter of like, oh, this is unknown, we don't know anything about it.

Also, pen testers. Anybody like pen testing? Okay, you know those deliverables, the hard part, but everybody wants them, everything. So I actually made this thing, and I think this actually works here. It's a little bit of a video, but I don't think you're going to be able to see it, but
essentially I wrote, you know, some Python os.system command type code, and I basically had it where I can put prompts in it and it would automatically scan my network. So what you can do is you could technically feed these large language models a playbook, and if you have a good parsing system, it will literally run your playbooks for you. So all the low-level red team stuff, and the exciting stuff you actually want to get to as a human, you let ChatGPT do the junior stuff and you move on to, let's write some malware and, you know, do a side channel attack or whatever it is, right? You do the fun stuff. So there's like, you could fear it and go, it took our jobs, or you could say that this is actually going to be awesome, because now I can work on the creative stuff I want. So there is a great piece here. So red teaming: cost savings, time to market, and we can hit all the low-hanging fruit in a more automated manner, and you don't require a bunch of engineers to do it anymore, because you can actually just give it the playbook, right?

Deception technologies: this is actually, it looks like, I don't know if you can see it very well, but it basically looks like Linux, but it's not Linux. I'm sure some of you guys have seen this concept, but essentially it's just AI responding as Linux. So you can use it as honeynets or adversary, you know, modeling, or messing with them, or trolling, or gaslighting, or whatever you want to do with it, you know, psyops, it doesn't matter. Just let's have fun with a bad guy on our network, and he's actually just talking to AI, you know.

So that's also one of the things that I actually, I got so excited when ChatGPT came out, I wrote and put ChatGPT into my copy and paste. So essentially when I'm doing deliverables, which everybody, you know, has to go, ah, you know, because most of the time when you're in a doc you have to go back out, you've got to go to this, go to that. So essentially what I wanted to do was, here's an example of it:
it's a botnet, a bunch of CVEs for like an RCE, whatever. I literally, when I hit copy, it will come up and prompt. I can hit, of course, Escape if I want to move on, but I can say, summarize all the CVEs in a detailed form for me, right? I don't have to go look for them, get the CVE, go cut and paste. Watch this, and essentially what will happen is, I think down here, and this was the first version, I have a faster version now because they finally got faster. So essentially, boom, copy to the clipboard, and when I paste it, look at that, I'm done, cool. So you can integrate, there's so many things you can do. Do I need to know the detail? I was going to copy and paste CVEs off of CVE, you know, enum, anyway. So this is like, boom, I've got one track, and you can speed up those deliverables, do more pen tests, have more fun.

So let's talk about the definition of disruptive thinking, okay, because we've talked about, all right, so we've got this old defensive, systemic way of handling things. We've got this kind of standard narrative that we have of how the security is. We know it's a zero-sum game. We've got all this figured out now. So how do we get into disruptive thinking in our work environments? So disruptive thinking, if I'm actually looking at it, I'm just going to focus on: one, question assumptions and challenge the status quo, and yes, I borrowed this from ChatGPT; two, consider unconventional solutions; and three, be open to new ideas and perspectives. The good news is you're students, so your mind's already kind of getting there. But it might get disappointing if you go find a job and you don't get to be disruptive anymore, right? What changes, though, is if you're a leader that actually is in a company and you hire these John Jay students and you let them be creative, you're going to also feel like you're finally leading and have a purpose. You don't go home and say, man, I don't know why I don't like my job, I think I might leave soon. And, you know, we get that a lot in our industry, whether it's
like two years in and they're lik