
Closing Keynote: BSides Calgary 2020 (with Lee Holmes)

BSides Calgary · 2020 · 50:09 · 369 views · Published 2020-12 · Watch on YouTube
Speaker: Lee Holmes
Style: Keynote

Transcript [en]

Hello there, and welcome to the closing keynote of BSides Calgary 2020. We want to thank you all for attending, but first off we want to give a huge welcome to Lee Holmes. Lee Holmes is the lead security architect for Azure Storage, Media, Cloud and Edge at Microsoft. He's also the author of the Windows PowerShell Cookbook, and he's an original member of the PowerShell development team. So without any further ado, I'd like to hand it over to Lee. Thank you, Lee.

Awesome, thank you. It's great to be here. It is incredible, with all that's been going on in this pandemic and everything, to be able to come here and join you all for BSides Calgary.

So today, for the closing keynote, what we're going to talk about is surviving your first incident response. Over the span of the last two days we've had a lot of great talks dealing with logging and collection and referring to incident responses, and what I wanted to do was to talk you through what a response might look like and ways that you can survive it. Now normally at this part I would go through an "about me" slide, but if you saw Keenan's opening keynote, nothing I say is going to impress you. I have not defused live bombs, I do not have a successful private company. But I will give you a little bit of background about me and where I'm coming from.

BSides Calgary, I'm super excited to be here, because I'm a Calgarian. I grew up most of my life in Calgary, went to Bonus High, broke a couple of bones wrestling, got a couple of concussions doing rugby, and so had a great old time. And then from there I went to U of T, took software engineering, and after that came to Microsoft. So I live in Seattle, Washington. I spent the first bunch of years at Microsoft working as a developer on the PowerShell team. I wrote the PowerShell Cookbook and was the primary person responsible for everything related to PowerShell security and security transparency and stuff like that. And so over the last few years I've been working as a lead security architect in Azure Security, and man, the world that we have is so exciting. You know, Calgary, I miss Stampede breakfasts, but I will say that I'm single-handedly introducing tons of the West Coast to poutine, so I'm trying to do what I can.

What I will say during the talk today is that if you have questions, we will have a little bit of time at the end, so if you have some questions feel free to mention them in the event. I'll try to keep my eyes on them

and either incorporate them, or we'll have a chance to talk through things nearer to the end.

So we're talking about surviving your first incident response, and the names have been anonymized to protect the innocent, but what I'm going to talk about today is a real story that actually happened with a major service in Azure. So it might not surprise you that Azure has a red team. Microsoft is a multi-billion dollar company, and protecting the security of the Microsoft cloud and Azure is super important. Now when we're doing red teaming within Microsoft, we let the folks start with the basis of "assume breach". You all see how easy it is for phishing to make it into a corporate infrastructure, and so one of the things that we'll start off with when it comes to the red team is giving them unprivileged access to the corporate network. If they can access internal things using this unprivileged access and escalate from there, then it's game on.

So when it came to this red team, we had an arrangement: we knew it was going to happen, and we knew which service it was going to happen against, but this was among a select few folks that were aware of it. Now one fine day we get the heart-stopping breach notification.

Now an interesting thing to think about is: what is the number one most effective intrusion detection device in the industry? You might be thinking, oh right, it's going to be one of these new XDRs or something like that. Unfortunately, the number one intrusion detection device is generally government agencies, the FBI or something like that, where they're investigating cyber crime, and then you get a call from them that says, "hey, by the way, we're investigating something unrelated, but I want to let you know that we found one of your IPs attacking this customer," and that means you're probably compromised. Now we're talking about surviving your first incident response, and in this situation we kicked it off with

a fictional breach notification from the fictional cyber security authority. When you first get your breach notification, there's going to be a ton of stress. Now in Azure this gets even more interesting, because we treat engagements as before-compromise and after-compromise assessments. With a lot of red teams, once they accomplish their objective, you'll get a readout to the folks that are involved that says, "hey, this is exactly what happened, this is what we got access to, this is how we got there," and then you have that kind of bad place of having to clean it all up. Now one of the things that's really important is that attackers aren't always going to do that, and so actually remediating a breach, having somebody come in and set up a beachhead where it's your job to get rid of them, well, this is really important. So once you got this breach notification, this is the red team saying "hey, we're in, now get us out," and they're going to get in there and try to stay in there. And so this is where it got crazy.

Now when people talk about incident response, you often think about it being carried out by this single, highly structured entity called the blue team. But in real life it's a lot more fluid. It's a crazy effort in a dynamic situation. Your hair is going to be on fire, your eyes are going to be bugging out, you're not going to know north from south or east from west. As Mike Tyson likes to say, everybody has a plan until they get punched in the face. Now this dynamic blue team is going to end up becoming a huge collaboration between your SOC, your operations center, legal, corporate security, members of the feature and service teams. The one thing that people do not realize about the blue team is that in an incident and in a breach, literally the whole company is the blue team. So you're going to be surrounded by support, and you're going to have all of the resources you need at your disposal.

And in this haze of war, what's even better from a responder's perspective, we have an incredible advantage as defenders: this is our network. We understand it the best. We might not understand it terribly well, but we understand it the best. And attackers, they're walking barefoot and blindfolded across a floor full of Lego and mousetraps. The more Lego and mousetraps that you can set up beforehand the better, of course, but this is your network, and you're going to know it way, way better than any attacker.

So here's the thing: when you're in this situation, panic will set in. When you first learn that you're compromised, you're going to panic. Your first instinct, with all of this and similar situations, is going to be to just react, to just do something to make the pain go away. You're going to feel this pressure to immediately scramble, work the weekends. But if there's one defensive lesson I want you to take from this entire discussion, it's that you need to be careful and mindful of every action you take.

One thing that I will say, if anybody here is a participant in a red team: one thing we found really useful is that an initial triage of the breach by an uninvolved party is really important. So in Azure, if the red team ever finds something that they consider a very dangerous exploit, right, so an unpatched system exposed to the internet or something like that, well then they don't play around with red teaming. This is like, you've got to get this fixed immediately, and that's kind of game over there. But when they're doing their internal prioritization they might not realize the actual risk of certain systems. They might not realize the classification, that it's got high business impact data or something on it. And so this is where it's good to have an initial readout with the red team and somebody who's high enough to be able to make rational decisions about risk and say, "yep, we agree the path that you found in is a risk, and it's terrible that it happens, but it is not a thing that we need to just stop everything and get fixed as though this is a real incident."

So as I was saying, panic will set in at literally every stage of the process. You're going to get pressure from yourself and others to react, and the thing is, this is not only personal pride, but this is your customers, or this is your business. You're going to feel this

gut reaction to want to do something, but even with all of that, taking a very careful and measured approach is one of the most important things you can do. Now in our industry a response, like I mentioned, often starts with something concrete. So this is a tip from the FBI that they've seen an IP of yours during a criminal investigation, and at that point you can start to do something like, "okay, this IP is compromised," and start to really focus on that, and when you do that you can start to expand out the breach and the investigation. But in our situation we weren't so fortunate. We weren't even notified what had been breached; we were only notified that they had gotten access.

And so our first stage was discovery. This is traditional hunting, where at this point you have the benefit of knowing that somebody is in there. So we started to take a look at things like: how does production change, and how does your infrastructure change? It's things like suspicious deployments: have you deployed anything new to production lately? Within Azure we don't allow any standing access to production; we all go through a just-in-time access system when you need to do some actions. So have there been any suspicious just-in-time requests recently? Any management actions against the machines? Suspicious binaries, system behaviors, and things like that.

And so this is the part where you start to dig around, and at this point you're just looking for anything out of the normal. Now one of the useful ways to do this in Azure is using Azure Sentinel. Your Azure services and your cloud services are probably going to be a mix of infrastructure-based services as well as hosted services, so kind of platform as a service. So one of the first investigation streams that we kicked off was against the infrastructure itself, so traditional hosts and things like that. As you know, it's possible to collect a tremendous amount of useful security data from your systems. With this data you can use hunting queries looking for suspicious process executions, users being created, and those kinds of things. So in this example here in Azure Sentinel, if somebody is running whoami on your infrastructure, then they're probably not your friend, and this is something that you can dig into deeper.

So if you haven't had a chance to look into Azure Sentinel, I would really recommend it. The query language that you see here is called the Kusto Query Language, or KQL. This is used in a ton of places across Microsoft, from Defender ATP to Azure Sentinel, Log Analytics, lots of different places. So if you're looking for a thing to investigate deeper, really spend some time learning this. It's

really worth your time.

So tons of data is usually a good thing, but here's the thing: waiting around is for chumps. It's possible, of course, to collect a tremendous amount of security data, and tremendous is a polite term for it, because you can pick up data from hosts, all the event logs, all of the firewall logs, all this kind of stuff. And in Azure our data collection policies have evolved over time. It's really easy to drink from this fire hose of data collection, because if you don't collect it, you obviously can't use it. But here's the thing that's easy to get wrong: if you collect too much, you can't use it either. If searching for people invoking whoami, for example, times out or even takes days, you can kiss your hunting trips goodbye. You're not going to be doing any sort of ad hoc hunting if these things are timing out. So one useful thing that we do is to validate response times on queries. You can do things like just automatically know that for a common set of hunting-style queries, these things should all be able to be accomplished in 30 seconds or less, and if you're finding that's an issue, then it's time to start either trimming your data collection, or upgrading storage on things, or upgrading your plans on your SIEM or something like that, because being able to ad hoc query this data is so important.

So in this operation we found it very useful to hunt in the code integrity logs. Now code integrity is a blessing that very few people realize the true potential of. Code integrity is using something like AppLocker or Windows Defender Application Control or things like that. Now you'll hear all the time that code integrity in enforce mode is ideal, right? Like no one can run malware if you haven't explicitly approved it, and this is a thing that you can do against all your systems ideally, but you're going to start to focus on your most sensitive systems, or the systems that are least variable, or the ones where you can control deployments the best. But even when you're in a transitional state, audit mode is incredibly useful, because at that point, with audit mode in code integrity, you already have access to the things that you knew might not be allowed. You're already excluding everything that you know is supposed to be there, so you're getting the processes, their command lines, their hashes, whether they're signed by anything. This is just an absolute bonus of data collection, and if you haven't done this yet, code integrity in at least audit mode, now is the time. This is a really

really useful source of data. Now here's an interesting thing: when you're wading through data, the options can seem endless. So in this situation we're saying, okay, let's start taking a look at the code integrity logs and look for suspicious things. But the problem is, how do you look for suspicious things? And the answer is that long tail analysis is amazing at ad hoc data reduction. So in this graph here you can see this is us grouping our code integrity logs, or in this situation this was us looking for suspicious command lines. Now most systems follow pretty regular paths, and so when we grouped by command line we could straight up exclude 95% of all the command lines in production, because they had been run thousands or hundreds of thousands of times already. Now unless an attacker is being super spammy, it's unlikely that they're going to be in that part. So then what you can start to do is take a look at the long tail. So in this investigation, now we're just looking at this long tail and doing some sort of pattern-based reduction, and we started to get some signs.

Now I mentioned the whole team is the blue team during this, so in a simultaneous investigation stream we started to dig into audit logging. Audit logging, you have this everywhere. Any time somebody is granted access to a resource, this is the thing that you're going to want to be looking at. Ideally the audit logging includes who did what, but even just knowing that somebody was authorized to connect to this system, or log into this device, or connect to this portal, that is really useful data to start digging through. So if you're hosting things in Azure, the Azure activity log is an incredible source of data. You've probably poked around in the Azure activity log, but it truly is amazing what access you have. All of Azure's management actions go through ARM, the Azure Resource Manager, and that includes everything: deploying new VMs, creating new storage accounts, all that kind of stuff. So the Azure activity log gives access to all of these management actions that have been taken against your Azure subscriptions.

So here's an example where we can take a look at the audit logging. On the left we see a grouping and some really cool things, like somebody doing "list keys" on a storage account, or registering for SendGrid notifications, and things like that. But we started to get some additional findings here, and this is where again you have full access to the KQL query language, and then you can start to take a look at: why do we have callers from an IP address that we've never seen before dumping a list of keys?

So at this point we started to get really suspicious. We found some suspicious command lines, some suspicious activity logs. Yeah, you just, you know: okay, red team, I don't like what you did, but I can respect it. But now we had something concrete we could go on, and it was game on. At this point we started to engage the SOC and our legal team, and while we were going through that we started to reverse engineer some of the binaries that we had found on these systems. Now here's an example of one of the things we found. This is a .NET-based reflective loader, so this is a .NET executable or DLL that would take an arbitrary array of bytes, dump it into memory, and pass off execution to that thing in memory. Now .NET, by the way, has become like the new hotness in red team tooling and offensive security tooling, but it is the easiest thing to get going with reverse engineering. This tool here is called dnSpy, and it will open up and decompile the .NET code, and it's pretty much just like reading straight-up C#. In this example you can see that there is a loader loading in the DLL and creating some shellcode and running this in memory. The cool thing about dnSpy as well is that even with this source code, when you're starting to reverse engineer it and try to figure out what's happening, this is just a decompiled version, and you can set a breakpoint and dig through it and see what's happening. So this is really cool. dnSpy, if you haven't had the chance to take a look at it, I would really recommend it.

Now one of the DLLs that we found was a Python-based C2. This is an example of, and this was just straight-up native code, a native code DLL being loaded. So we loaded this in Ghidra, the open source native code reverse engineering library from the NSA. Now if you see "waiting for a victim" in the strings of a library, probably not a good thing. So we did some analysis of this, and this was actually hosting Python and then performing most of its C2 actions using Python scripts. You know, the work that's been done with PowerShell security transparency and everything else has started to sour the environment for people using PowerShell. Obviously attackers are still using it when they can, but there is so much visibility in PowerShell that smart attackers are moving off of it and moving on to other things that are less transparent, that's for sure. So we did some analysis here and we were able to find some IP addresses that it was connecting to, in terms of a C2.

So, discovery. At this point we knew we had a couple of things that we could find were actually compromised machines, and we had a couple of things, and these were things that we could start to look at. So at this point you're looking at scoping. Initially you find a compromised machine, maybe a compromised account, and you might be thinking, hey, this is the time to start remediating, right? We know that this production machine is bad. You're going to get, again, a ton of pressure from both your own mind and others to start remediating. But here's the thing: how do you know what to remediate if you don't figure out how they got in? They're just going to get right back in after you clean up. So the next stage is really important, and that's scoping. At this point you're taking a look at what all is compromised: what machines in the corporate environment, service accounts, user accounts, other corporate resources. Maybe you're trying to find external entities, so where the C2 is connecting to, or what some servers have communicated with. Have they taken over any of your subscriptions in Azure or AWS?

So scoping is a really iterative process. You've got a corporate service account. In our situation we knew some machines that had executed some suspicious tasks, some IP addresses of maybe some of the C2 services, and so as part of scoping you say things like: what did they connect to? What computers or IPs or shares did they connect to? Who connected to those things? Because anything that connected to them, maybe they were compromised. What did they connect to going outbound? And another big thing too is: what else is in that security context? So if you knew that a machine was compromised, well, at that point you should think everything on that machine might be compromised, and so if this machine is being used to ship executable code to other machines, well then you should consider those machines to be compromised as well. And so scoping is this process of going through this over and over again and starting to build out your understanding of exactly where the attackers are and what they're doing.

So this is where, as part of this, we found a security group that had been far too open, and we found the account of one of the red team operators in this incident that had joined the security group. And it's kind of like a "how I met your mother" kind of thing: kind of bad, kind of good, to put a face to the name. This is what makes me think it must have felt like when Mandiant and FireEye were first digging into APT1 and seeing the actual building in China where actual hacking is happening in

this building. Putting a face to your attacker can make a big difference. So at this point you might have a fantastic idea of what a compromise map will look like as you track down all this stuff, and here's an example of Maltego, where everyone talks about "hey, these machines connected to these machines," and it's all great. Realistically this is what it's going to feel like: your hair is going to be on fire, you're going to have notes spread everywhere, a OneNote that you tried to put some order to, but everything's just in a to-do. It's going to be a mess. Your brain is barely going to be functioning. But at this point, after enough scoping and enough work, we had a concrete working hypothesis of how these things were chained together to ultimately get access to a compromised service account.

But we started to run into some scoping challenges. In our case, scoping on a corporate account inside the Microsoft network is manual, and it's time-consuming for the corporate security team, and you never want to have people feeling like they're just blowing time on war games when they've got other things that they're investigating as well. Also, as I mentioned, we started to get to a point where we're finding the actor being a red team operator using their domain credentials to do something, and you're going to run into privacy issues if you dig into that more. You're not going to be taking a look at every website they viewed, because it's going to contain their payroll data and stuff, and at that point you do want to back off, because this is a privacy thing.

Now as I mentioned, when we run operations in Azure, at least some people have pre-coordinated on this, so this is where we had an agreement with the red team, in sort of a referee kind of thing, where we could ask somebody as though they're an oracle: "hey, we're starting to run into scoping issues. This is what we think everybody has access to. We could learn more, but it's going to start to be painful and costly." So we engaged them, and they confirmed that we had figured out all impacted resources, and at that point we're like, sweet, we can start to move into the eviction planning phase. And this is where you start to learn more and more about your service and your infrastructure and your architecture as well. An extremely significant win in this whole process came from the architecture of the service in question. For the most part, clusters in this service were isolated:

they have their own security domains, they didn't share common identities. This was partly for the way that scaling can work, and also from a security perspective. But what we were able to do is realize that because they were so isolated, when we found out that this cluster had been impacted, at no point did we have to look and determine whether all of production was compromised. And these are the kinds of benefits that you can get from an incident response when you're looking backwards and saying, oof, sure glad that that was true. Any time you find something where you're sure glad that this was true, this is a thing that you can later go back and say, well, we're going to double down on things like this.

So, plan. Notice we've fully scoped, but I'm not talking about eviction right now. Eviction requires planning, and when it comes time for eviction, patience. I cannot stress enough how key this is. Most engagements rush to respond, and they fail to evict the red team or the attackers in their first couple of tries. Here's a couple of key points. Your current intel at this phase of scoping is the easiest you'll ever come by. If you're not planning the eviction carefully, when an attacker realizes that they've been discovered, you get them out and they come back in, well, you just lost all of the things that they had done in terms of rummaging around your environment: making mistakes, using accounts that should never have been used for anything, connecting from systems that never really have any reason to connect. That fumbling around, that's the whole mousetraps and Lego kind of stuff, and that gave you intel. At this point the attackers are much more aware of your environment; they're not going to make those mistakes again. Another huge risk is you make a false move here and an attacker just might burn it all down. When they realize that their game is over, they might just trigger some ransomware or whatever, and not necessarily to get some ransom, but just to scorch the earth, get out of there, not get caught, and run away. So that's a very real risk: them trying to clean up after themselves, torching production. Nobody ever wants that.

So for planning: tripwires. I can't stress enough how important setting tripwires is. One example of what we did is we implemented some behavior as a Logic App, which has a connector, an Azure Logic App, to Azure Sentinel. So at this point we could start to run regular custom queries that were finding all of the indicators that the attackers had used up until this point. If we ever saw these again, we would know that they got back in and be able to

focus exactly on where they got, as opposed to stumbling around and trying to figure things out from scratch again. Now here's an example that I love, and it really ended up helping us a lot in this investigation. When you're looking at setting tripwires, you might do something like, you know, we talked in the past about looking for unique command lines. So during an incident response you might say something like, "hey, you know what, we're doubling down on this. I want to just manually look at any unique command line that we've never seen before." That sounds like a really complicated thing to do, but it turns out that there's a really elegant way that you can do this.

Now you might think, okay, set a baseline, compare against the baseline, but what does that baseline look like? Is that you having a list that says, "hey, if it's this command line, ignore it; if it's this command line, ignore it"? That's going to be hard work, and you're never going to be able to set up baselines that way. One thing that really helps here is, take a look at this tripwire. So here's an example that shows all of the command lines that have been run in production in the last five days. In this situation there were like 966.

Now here's an example of setting a tripwire in Sentinel itself, so I can create an Azure Sentinel alert based on this Kusto query. This Kusto query is just telling you all of the distinct command lines that have happened in your infrastructure, and this is a thing that we as just infosec pros can investigate as well. So you can set up Sysmon with a collector, have that thing going into Log Analytics and Sentinel in the cloud. These things all exist, so you can be doing this against your home network at any point in time. Now once you have a query that says, "here are all of the unique command lines that have been run," all you've got to do is say create a Sentinel alert, and say alert me whenever that number goes above a certain amount. So then you get an alert that says, "hey, this is a new command line that hasn't been seen before," and you can review it. Or you can do things like: find me all unique command lines that haven't been seen, or that have only been seen in the last five days. And you can get really smart about this and set some really cool tripwires.

So, in terms of planning: eviction requires planning. What we did here is we laid down tripwires for everything we knew about the attacker

and their behavior. One of the big things is we found that the attackers were communicating to an Azure subscription as the hosting for their command and control infrastructure. So one of the things we wanted to do is work with Azure Fraud and Abuse to plan a takedown of that subscription. And this isn't something that we have a unique right to do within Microsoft. Azure and Microsoft have a public portal that you can engage with, that's the Microsoft cars API. You can use this for reporting phishing, reporting attacks happening from Azure infrastructure to your infrastructure. So we prepped Fraud and Abuse that we wanted to do a legal takedown of this. At that point we had to get legal sign-off that we had correct proof that this was being used maliciously.

While we were going through all that process, we started to evacuate production workloads from systems, so that way once we went to actually trigger a rebuild of these systems we wouldn't have to worry about it impacting any customers or anything like that. And we prepared this very careful ordering of these takedown activities, with the idea that we would start with the ones least likely to tip off the attackers and gradually get more and more obvious, until we cut off their access and they would probably realize it, but at that point they would have no luck getting back in. So we reviewed the plan with all of the impacted parties, prepped leadership, directors, all this kind of stuff, and we planned to kick this off with everybody in a war room on a Friday morning. I was excited, I was going to make a bit of a party of it. We were going to sit down with donuts and all that kind of stuff.

But sometimes the best laid plans do not go as you expect. All that careful planning and orchestration that we had done, well, here's the thing: we miscommunicated that we were looking for pre-approval to take down this Azure subscription. So as soon as Azure Fraud saw that it had been appropriately legally approved, they acted, and I got a call from somebody who was involved in that, and they're like, "Lee, I've got really bad news." Yeah, we had this whole plan, and taking down the subscription was going to be the last thing we do, but our hand is tipped and it's taken down, we've got to move immediately. So we were really fortunate here that our plan was comprehensive enough that all we had to do was carry it out. We knew that this was what we were going to do, and we're like, all right, I know we were planning to do this at 9am on a Friday, but we're doing this at 2pm on a Thursday.

So we engaged the war room immediately and basically just worked through the eviction plans. But in the middle of all this I got a call I wasn't expecting, from the lead of the Azure Red Team, and I'm gonna play it for you here; it's hilarious: "Awesome, from the Azure Red Team. We have the subscription that we're using for the dropbox operation. It seems like I don't have access to it anymore, including our OneNotes and other red team infrastructure. Any chance you know anything about this? So let me know, thanks a lot." This was hilarious. So it turns out that this Azure subscription is also the same Azure subscription that they were using for all of their management stuff. So their OneNote, where they were sharing their operational details, the Word document that the red team lead was working on for preparing the readout, all of that went away.

I talked about it with him, and here's the background, and it makes total sense in retrospect. You're seeing here how much Microsoft invests in security and Azure, and we did this with the idea of: we have these rules that say you must host literally everything about your operation in Azure, because if they're being forced to host things behind Tor or DreamHost or just garbage like that, then you're just putting Microsoft and Azure at incredible risk. Obviously they could have hosted it behind some sketchy hosting environment that wouldn't react to takedown requests and stuff. And so, after talking with him about that, I was like, yeah, of course. So, oops. So, yeah, we updated our plan to give back the subscription, and after giving it back we had a sync with him and said, hey, we think we're done, let us know. And I was just so happy; this was the happiest mail that I've ever sent in my career at Microsoft.

Remember that I talked about the beginning of an incident, where everybody is going to be stressed out; they're working to do whatever they can. The majority of the people that were involved in this incident response were not security people by trade. They were smart, they understood the service and things like that. But based on this, the red team was able to confirm that they had lost all access to the subscription, they had lost access to the infrastructure, they had lost access to all the entry paths they had got in there, and this is 100 percent because of all the care and planning that we took in doing this very carefully. And with this exercise there were some major, major wins, even after what initially felt like an incredible punch in the face.

You know, this is your infrastructure; you take personal pride in it. But we evicted the red team within seven days of being notified. That is, you know, a record in the sample set that we're aware of; this is way, way, way below any sort of industry average. We learned that the cross-company collaboration that we did here was going to be extremely effective, and we learned a lot of things about our infrastructure that we hadn't known before in terms of security, things that had massive positive beneficial impact. One thing I will say, you know, the security isolation thing that I talked about: another huge thing is that this team, in terms of cloud infrastructure and cloud architecture, had tons of experience with repaving nodes, being able to say, hey, we know that these nodes are compromised, pull a trigger and just blast them away. Having that experience was super, super important in all of this. And the existing security investments that we had in terms of auditing, code integrity, just-in-time access, all those played a huge aspect in our investigation.

And so the one thing that I'll call out here is that this is a new day. We've been used to hearing about attackers and all the fun tools they share, and we get to see all their retweets getting all the likes and all that kind of stuff, and we can feel kind of downtrodden sometimes from a blue team perspective and from an incident response perspective. But the truth is, we have an incredible resource in things like BSides Calgary, all of the things that are being shared here, all of the defensive things being shared on Twitter and everything else. This is an incredible community, and when you take a look back at this story and this background and this incident response, if you see anything in this where you're like, boy, I wish we had something like this in our company, there's no better time to start than Monday. Thank you all for an amazing BSides Calgary 2020, and we'll have a wrap-up coming shortly. Thank you.

Okay, great stuff. Well, this is one of those sad and happy moments at the same time. Happy I'm gonna get some sleep, sad that it's over. It's just been an awesome conference. It's been a very strange thing where we're connected but not connected at the same time, but I can't say enough about how much everybody's pulled together to try and make this really the spirit we're looking for in BSides, with a lot of collaboration and a lot of cooperation. So I'm Doug Lease; I was running the CTF this year. We had a number of different people that were also involved

that are sort of behind the scenes, but the two people I want to call out the most are Paul Smith, who built the Lego city online, and I'm sure it's going to be there for quite some time. We were streaming it, and it's just an incredible work of engineering. There's actual physical things that you could do with that, and we connected that back up to cyber targets. We wanted to mimic the entire flow of an attacker coming in from the outside, just like Lee was talking about, working their whole way through, and could they actually get down and turn off the lights. I think if they had another half day they would have done it; we were getting real close there at the end, and I can't say enough about how hard he worked. But we also had tremendous help from the Bow Valley staff. Colleen Uber was instrumental in making sure everybody got looked after. We put together a lot of stuff on the fly; we were sending out packages and Google bounced them back and said, you can't send that, that looks like malware. No, it's just the VPN software, trust me, it's good. Pivoting to Google Drives, you know, it was nuts, but we got it, and she eventually was running and handing me sticky notes, "do these users," and everybody got looked after, everybody played hard.

So without further ado, I do want to start acknowledging the people that did win. You know, we can say everybody's a winner; a lot of people say it's the first time they've played this, they want to do it more, and talking with Bow Valley, they're excited about getting on board with that. But number six in line, so let's start from the bottom. You don't serve at the top. Yeah, coaching, man. Long days, long days, exactly. Raspberry Pi. So we had two of these, one of them earlier today in the Hacking 101, which turned out to be some pretty fun classes after all. Plan B, again, the whole thing was BSides plan B, I think, the whole thing. And this goes out to M Swanski. So we do have your actual address and stuff like that, but we're just going by your screen name today.

Okay, the coolest name of them all and the shortest, and they're so cool they don't even care if you answer them back: UDP. Come on, that was good, I liked it. Yeah, yeah, get them off the stage. Okay, this is a full Raspberry Pi 4 kit. I feel like Vanna White, this is great. This is a really nice rake; this is the full, whole piece, and that is going out to UDP for the number five spot in the test. And this was not an easy CTF; this was lots and lots of different confusing things.

Number four is a very nice kit, it's an Ubertooth One kit. We originally had plans to do radio stuff this year; me and Steve Swaronski were kicking around some stuff. We both got ham licenses, we're legally allowed to transmit. Yeah, mostly. Hang on to this, you might need it next year when we all get back together in the same room. That's for Nikhil.

Now number three. Wow, this is quite the collection of stuff. Okay, this is going out to Coronet. Again, a real hard-working guy. Found out he was on the board of OWASP, so a very talented man, some cool stuff he was pulling off there. And this is the Hak5 Essentials Field Kit, again on my Christmas list, so good for you.

Now this is wild: low score won an Xbox Series X. Now from what I understand they don't have it here, because I think one of the staff would have walked off with it already, so it's under lock and key, but that's coming to you. And the grand prize goes to Wiz Beard, and I know this guy; he seriously has one of those easy top things going on. This is a fantastic treat: this is SANS NetWars for four months, and one of my co-workers won this one year, and he said, you know, he'd come back in, but you're up playing NetWars all night, you get murdered. Oh yeah, it's great.