
Okay, welcome everybody to BSides. Glad to have you back. I know it's Saturday morning, so people are still waking up, but I think you're in for a treat here. Wayan Grange is going to be presenting about this custom badge build that we'll be distributing later in the year at the hangout. I'm hopeful that a little bit later in the year, after the pandemic dies down, we'll be able to put together a BSides Salt Lake City hangout, distribute the swag, and have fun. And anyone who's purchased a ticket will get an email and be invited to that. So with that being said, I'm going to turn it over to Wayan so he can talk about the design, because it's truly one of a kind.

All right, cool. Hey, thank you very much. As you can see in these pictures, the badge doesn't look like any of the other badges, at least that I've seen. I know we've done something like this, or not we, but people have done kind of wristbands before, but I think this one's very different. I didn't mean for it to look like a medical band; that's kind of, I don't know, like with this whole virus thing it kind of applies. I'll talk a little bit more about... Are you ready to go? Yes, I am. You can't hear me? Hold on a minute, let me... No, you're good, we'll just mute Bryce. Keep going. Okay, so you can hear me? Yeah, you're good. All right, okay, cool, so I'll just keep going.

I want to give a little background on what led to this badge. This is a picture of me, the one on the left; specifically, this is me at DEF CON, and that is all my badges I was wearing at DEF CON. I kind of felt a little like Mr. T, right, with all my bling going on there. I mean, the rock is heavy, and then some of those other badges and all their batteries, it started to add up. I kind of felt like a backpacker, with all of that just hanging on my neck. So that was one inspiration: I wanted to do something lighter than the usual neck chain. One of those badges I got there was the DEF CON China badge, which is really kind of cool. It's a flexible PCB badge with these little lights that blink on the side, and I thought that's really cool, I want to try to do something with flexible PCB, but I'm not sure what. And then the third kind of design factor that I wanted to hit was based on last year's badge. I'm not sure how many of you were here last year, but in my talk I described how I totally screwed up and ordered a processor: when I went for the final fab I had the wrong part number, and that basically ended up with me ordering a processor that was one-third as powerful as what I designed everything for, which led to a really crazy two weeks of reprogramming and redesigning to try to get everything to run on a really tiny processor. That was really painful at the time, but after BSides was all done and I had a chance to breathe, I was like, man, that was kind of fun, squeezing as much as I could out of a processor. I felt kind of like one of The Biggest Loser coaches, but for processors, all right: no, you have to do this on this little bit of energy or power or whatever you had. And I wanted to do that again, but this time instead of on a lower processor I wanted to do it on power; I wanted to run on as little power
as possible. So those were my three real design goals: flexible PCB, something not heavy around the neck, and very low power. I was just kind of chewing on those and I came across one of these Dick Tracy comics, and I was like, oh, that is it, that's what we're going to do. So that's what I designed this around. I don't know if you've seen this video on Twitter already, but basically, in a nutshell, the badge is a functional watch. There's a text-based adventure game built into it. It's an e-paper display, with a 3D printed case around the sides. On the bottom there's a snap button that we can size initially to your wrist. It's also a USB mass storage drive and a CDC serial device, and there's a lot more going on on the badge that I don't want to reveal at this time. Like I said, on the back side there are adjustable snaps. This is part of the reason we decided against trying to ship everything: these snaps require a special little tool to set the snap, and I didn't want to set the snap just based on what you tell me your wrist size is. It would have been easier; I planned to do this at the conference after you got your badge. You would just come over and I'd put on the snap that matches your wrist size. But things didn't work out quite as planned there.

Here's the design flow of the badge. The top left is my initial prototype that I wore around for a few days; my kids were very embarrassed as I wore this piece-of-paper pretend watch on my wrist as we went everywhere. After I had proved that, okay, this might actually work, I went for the prototype on the breadboard down below. That was my test setup. You can see my multimeter hooked up; all along the way I had to be very conscious of how much power the whole system was using. In that screenshot it's showing it's using three milliamps, which is what it uses when it's typically running. Then my first prototype is in the center of the screen. I had some mistakes; that's why there's this little yellow wire. Afterward I had to solder that to fix some of my wiring errors. I have to thank Compukid Mike for helping me; he put all the SMD components on that badge so that I could actually have my first prototype. Again, the two pins off the side are for measuring power usage, and then the two on the end are the final production run, one with the 3D case and one without the 3D case.

So, just to talk a little bit about the hardware that went into this: it's based around a 32-bit STM processor that's designed to use very little power. The whole band itself is a flexible PCB band. We have an e-paper display. It does have a rechargeable LiPo battery on it, so whenever you plug it into USB it'll charge it up. The watch on its own should last about 10 days without a charge, so charge it every day, every other day, whatnot, and it'll keep the battery running just fine. There's an accelerometer, flash storage, and a real-time clock.

I wanted to talk about the flexible PCB; I don't feel like that's something that's done very much. Oh, I forgot to mention earlier: questions, please just throw them in the Q&A, and if there's time at the end I'll get to them there. I won't interrupt myself as I'm going, so I'll hit those if there's time at the end. But anyways, flexible PCB: I've seen it used once or twice for badges and I wanted to try it and see how well it works. It's really kind of cool, right? Like, what badges can you bend and twist like that? However, it does have
its drawbacks, and I'm not sure I would do something like this for a badge again. Just so you know, if you're a badge designer and you're thinking about this, there are a few issues that you face. One: this picture in the top right is one of my early prototype boards testing out NFC, and as I would pop that on and pop it off the breadboard, it put stress on the flexible PCB, which led to those traces cracking. When the traces cracked I had to solder one of those little yellow jumper wires to replace the broken trace, and then I'd use it and another one would break. So those three yellow wires are because three different traces on the flexible PCB would just break during what I considered regular use. So it bends, but it also breaks, and you want to limit the amount of bend, or in critical places the type of bend. Another thing is the picture just below that. I was initially planning to use some double-sided film rubber underneath the flex screen and the components, just to give that kind of padding there, but it turns out that double-sided tape, when you would bend it, actually started to pull components off the flexible PCB. You can see in that picture the battery leg has been ripped off the flexible PCB. So in the end I had to determine a way to keep the flexible screen moving independent of the board, but without the flexible screen being exposed a lot.

That battery that you see in the center there is a LiPo battery, and it holds 40 milliamps. To put 40 milliamps in perspective, one of those little coin cell batteries holds six times as much as one of these rechargeable batteries, and those coin cells, right, like, you can power an LED for like a day on them; they're not very much. So to consider that we have one sixth of that is a real limiting factor. I tossed the initial design back and forth between wanting that coin cell or a rechargeable. The rechargeable you could charge, obviously; the coin cell you could just replace after so long. Ultimately I obviously went with rechargeable, mainly because it was just such a pain to get to that location and I didn't want everyone to have to take their badge clear apart just to replace the battery. So I just assumed everybody around us probably has a PC and can probably charge this at least every other day, so I'm going to go with the rechargeable route.

For some comparison though, to work on 40 milliamp hours for what I planned on being a 48-hour conference, I had to really cut down on power usage. I have side by side here this graph showing how much last year's badge used in each state and how much initial capacity I had to work with, compared to this year, and across the board it's about a tenth. It starts to drop as the different states go. Sleep is when you're not active; it's just kind of sitting there. Standby was not a state in last year's badge. Standby is almost everything off; the processor shuts down and all it's doing is keeping track of time, which presented some of its own issues, because when the processor shuts down all of the memory is wiped. So I had to save enough state so that as soon as you pressed the button you could return to exactly the same screen and exactly the same place in the game you were, to make it look to the user like it never turned off, right? But the whole processor, the memory, the frame buffer, everything is wiped. To see that in standby we're using 25 microamps, it's really kind of cool to see that it actually worked in the end.

The flexible e-paper display I thought was the coolest thing when I saw
it online. I really am enamored with, or I don't know the right word, I'm a country hick, I really like the e-paper displays. I think they're the coolest thing in that you can just set the display once and it takes zero power to maintain that. It's very low power and it looks very crisp, and the flexible was just on top of that, even better, or so I thought. I only found one manufacturer that would make flexible e-paper displays, and it turns out, in my mind, the reason that not many people do it is because they're not as flexible as they seem. If I tried to do what they're showing in this picture here, I ended up with a broken display, and in fact after the production I ended up with many broken displays. These in the screenshot are all displays that failed in some way or another and were not suitable for the badge. That became a really sore point at the final stage of production: I had to find a way to protect these better than I was, because they're just not very flexible. They don't take any kind of beating, any touching; they don't like being bent, even though they're claimed to be flexible. So when you get your badges, if you don't take anything else away from this talk, please take away that the screens are really, really flexible, or really not that flexible; they're really fragile. If you press on the screen or you smash it against something, it's going to break, and we really don't have a lot of extras, because I went through most of the extras. So when you get your badge, it's flexible, yes, but don't push it. Just be gentle, be gentle.

Okay, so to help mitigate some of those flexible issues I designed a 3D-printable case. Here I have two videos I'm going to show: one is the design process and the other is the printing process of one of those. I'll kick them both off at the same time. It was kind of fun. I don't do much 3D printing, so this was a good opportunity to build something that I felt was slightly useful. We went to a 3D printing company to have these printed after I did my test runs, and it turned out that their margin of error was a lot higher than I expected, so some of the frames don't fit together as snugly as I would have liked. But I am releasing the STL files for this, so you can print your own case if you'd like. All the ones that I printed fit very well, and I imagine if you print your own it would probably fit even better than the ones that it came with. But even still, the ones that it came with are just fine; it's just kind of a perfectionist thing.

So the software, or the firmware: I used STM32CubeIDE to build all this, which provides this really cool interface on the side here. You can just assign pins and it shows you graphically, okay, this pin is assigned to this, this is what you've got left. It also builds out a lot of the code, or the stub code, for you, and so that was really nice to work with. As you can see from this screenshot, I'm using almost all the pins; the three gray pins down in the bottom corner are the only three pins of that processor I'm not using. And then below that it shows the flash space: I'm using 92% of it, and that's after pulling a lot of dialogue and game code onto the external flash chip that I'm using. Then I'm also using a lot of RAM. I have to use a lot of RAM because the e-paper display takes two buffers. When you're doing a partial refresh on the e-paper, you have to pass it what the screen currently is and then you pass it what you want it to be, so that it can do a kind of ping-pong and come up with it. So it's kind of a double-buffered frame for this e-paper display.

After the initial work and everything, there was one bug that really annoyed me, and that was that after about a week of the watch running it would fall behind about 4 minutes. Debugging was really painful. When I would debug while the processor was running, it was beautifully keeping track of time down to the microsecond; it was very precise. But the processor was shut off, right, and then turned back on and updated the time, and I can't debug a processor that's off. There's just no debugging of it, it's gone. And when it would come back up, somehow, somewhere, it was a few microseconds behind every time it would come back up, and I couldn't figure out what that issue was. Well, it turns out during reinitialization, as the processor would reboot, it would... I had it
60 times an hour, 24 times a day, for seven days ended up being about three to four minutes of time loss. So fixing that one bug resolved this complete issue, but finding that bug was extremely painful.

Another issue I had: during the course of the game you will unlock files, or case content, and that will be available to you on the USB drive. But I wanted a way to not have those files be available until you unlock them, and the problem was I didn't have anywhere else to store the files; that flash space was the space I had to store these files. So I needed a way to have them only appear when they were available. I was just thinking, okay, well, I'll just modify the file list and only show the files that I want to be there, but the problem is a USB mass storage device doesn't speak in directory listings; it speaks raw SCSI commands, like, show me this sector, give me the contents of this sector, give me the contents of this sector. So my solution for this is I actually designed a semi, I don't know, what I considered a rootkit. Basically I'd interrupt sector calls for the file allocation table and modify the FAT table, sorry, that's the FAT, to only show the file listings that I wanted to appear. The actual data is on the sectors, but only that file allocation table is modified, and if the machine doesn't know the file is there, then it just assumes there's no data there. That is something that may come in handy during the puzzles, just to know the fact that the data is there but the file allocation table is being mucked with.

So the theme for this game is DFIR. Last year's theme was kind of an attacker, kind of a pentester; the puzzles were more geared around that. These puzzles are more geared around the defender. I think that fits in well with kind of a Dick Tracy detective-type theme. So all these puzzles, there's like packet carving, there's some reverse engineering (I promise it's a lot easier than last year's), malware analysis, disk imaging, steganography. There's a lot of what I would consider DFIR basic skills that are built into this. I did try to build them to challenge you somewhat, but I didn't want you to have to spend a... they should all be doable in one day, so they shouldn't be that rough of puzzles. But at least, if anything, they should get you an entry into DFIR if you've never done this kind of thing before.

As the badge is running, it has a little LED on it that will occasionally blink four times, and those four blinks represent your game state, how far along you are. Initially it'll just blink four red lights, which kind of means you've done nothing, and the goal is to eventually get it to four blue lights. When you've got four blue lights you've made it all the way through the puzzle. The puzzle does kind of play into a story that you are solving, and I didn't want it to be linear; I wanted it to be so that you could work on multiple puzzles at one time. So this is my kind of logic chart; I've kind of blanked everything out, but I wanted it to be like, if you're stuck on one puzzle, that's all right, there's like five others you can be working on, until you narrow yourself down to the end and then it draws into one line. So this chart flows left to right, right being the final goal; that little green box says finish. Any green box on the left is a puzzle that's able to be solved from the get-go, and then they just chain along from there, so you've got multiple paths you can work until you reach the finish line.

I took a lot of design theme from a really old Macintosh game called Deja Vu. I'm not sure it's worth going back and playing yourself; it doesn't hold up to the test of time very well, but I thought it was really cool how they got so much with just a monochrome display, and just the story that they were able to build into it. So I took a lot of inspiration from this as well. Here are a few screenshots from badge gameplay. A lot of these you've probably seen in videos; I didn't want to reveal a lot more than has already been revealed. But as you play, you will be able to find things, pick up clues, use items you've picked up, and, like in the picture in the top right, there's this dialogue: something happens, you talk to this guy, and he has now added this file to your case file. So then you can plug in your USB drive, you have access to that file, you can do analysis on it, and then use that analysis to open up more game paths. It kind of toggles back and forth like that throughout the game. And that's... how am I doing on time? I talk kind of fast. Okay, I'm about out of time, so this is good.

All right, so I have just a few items of administration. Since this won't be available... I'm sorry,
I don't know when the badges will be able to be handed out. I'm leaving that up to the board to decide, right, they're the ones in charge. Whenever that is, I do plan to be there and I'd love to see how this works in person. Once this is all done, I will post the source code and all the files, the images, the scripts I use to compile everything, to the link below, but I'm keeping that repository private until after that date. Also, on the badge there's a little programming header that you just plug into, and this little green box is what I use to program it, to interact with it, to debug it, whatever. I have a few of those, so the first so many people that are able to completely solve the badge, I plan to give them one of those along with a mini breadboard and some wires to help them get started. And then all the code will be released, so if you want to reprogram this to do something else, go for it. It has a real-time clock, it has an accelerometer, so you can make it like a pedometer. I feel like there's a lot that could be done here and many things that I'm just not even thinking of, so I'd like to hear, eventually in the future, what you guys do with this.

So, to initially set the date: I decided to put a switch on this, and I'm glad I did. There's a power switch. Most watches don't have a power switch, right, they're always on. I did put a power switch on this, so the watch is completely off until you get it; that means the battery won't be dead. As soon as you turn it on it'll start keeping track of time, but obviously the time will be off, so you set the time via an NFC NDEF tag. You just format it like I did there: just say date, colon, and then the date you want. The next time it reads that NFC, or the next time the badge is actually on (if you just press a button it'll turn on, or it'll just turn on the next minute), as soon as it turns on it'll read that and set the time appropriately.

I wanted to give a special thanks to the BSides staff. They've been really great trying to do the best they can with all of this. I really appreciate being able to make these badges; it's a lot of stress, but I do kind of enjoy it. And obviously Compukid Mike, I mentioned him before, but he helped me a lot, at least with all the hardware, getting it soldered down, and I think I bounced a question or two about hardware design off of him. I really appreciate his help on the matter.

So with that, I'm sure there are items, questions I missed. If you have any, go ahead and throw them in the Q&A. I see one now. It says, if I didn't buy a badge with my ticket, are there extras that will be for sale? I'm not sure of the answer to that. I believe the answer is yes; that's a question for Bryce, so I will poke him afterward to see where ticket sales are at, and maybe I can have him make a comment on the Slack page on that one. Any other questions? There's one in the chat. It says, are we going to get an email or something notifying us when you post it to the URL, when you make your GitHub public? I guess that's possible. I don't have access to that email list, but I could definitely pass that link on to the staff, and the staff could probably do that. Wayan, it's Bryce, so yes, he can answer those questions. Yeah, we can push out an email. Another thing that I just want to... we always push out the content on Twitter and the Slack channel as well, so Twitter and Slack are usually the best places to get updates, right, and then I'm happy to push out an email whenever that code's online. And then if we have extra badges we definitely want to get rid of them, so we'll talk about what that means. I'm hopeful we can have a meetup later in the year, and if we do that then we'll figure out how many we have working and sell off the rest of them. But we definitely want to make sure that the people who have already purchased them get them first, right. So, all right, cool. Seeing if there's any... I think that's it, right? We've hit everything. Okay, well, I appreciate your time. I'm really curious to see what you think, if we should just stick with more of a traditional badge or you think this was a cool idea. Yeah, thank you guys very much for attending, appreciate it. Thanks, Wayan. Yeah, I know we've kicked around some ideas about next year's badge, or what we want to change in the future for 2021 and things like that. Anyways, so let's... Will, are you on the Zoom? Yes, can you hear me? Yep, I can hear you. Whenever you're ready, share your screen and you can kick off whenever you want. Okay, cool. Oh, an intro: so Will's going to be speaking next. I was going to say his talk is entitled "It is the year 2200, we are robots," which I believe is like a Flight of the Conchords reference. Yeah, so it's actually "it's the year 2000"; I had a typo with that, my apologies. So, all right, whenever you're ready, Will. All right, let's
see, can you see the screen? Yep, we can see it. Awesome.

Okay, so, yeah, thanks Bryce for the intro. I'm Will Pearce, I work at Silent Break Security. As I was building the talk, obviously you have to submit and then when you're building the slides it gets you to maybe take it in different directions. So we're going to talk about phishing and sort of the applications of AI to phishing, and kind of where that's at and the work that we're doing.

So, some previous work: we've done some talks at BSides Las Vegas as well, which, BSides has been one of my favorite venues to give talks at. Sorry, there's a chat. And we gave a talk at DerbyCon about kind of similar things. We have some public projects already out there: opot, which uses reinforcement learning to sort of find administrative privileges; ProofPudding, which was sort of our adversarial attack against Proofpoint (we get to drive by them on 15 every day, and so they were kind of on our hit list); command recommendations with RNNs; and DeepDrop, which I just rewrote. DeepDrop is just a sandbox classification model, and I just rewrote it to give back a score. So it used to do the whole dropper thing, but I tore out all of the dropper bit and now it's just an API. We were scheduled to give some talks, but thanks to corona they're here, so we'll have to save them for our course at Black Hat.

So the first question when you're looking at machine learning is: is machine learning right for you? Really, there is a lot of hype around machine learning, and that's with good reason; it can be really effective. But ultimately you're just trying to model a problem mathematically; there's not much magic to it. You can use it to predict without explicit programming, but you yourself are still going to need to know how to program, so you can't just throw data in and expect something useful out. There's going to be a very heavy workload up front in terms of collecting data, parsing data, and transforming it into a format that's going to be useful. That's before you even get to the piece like feature engineering, where you're using your knowledge to lead the model in a particular way. Ultimately it allows us to be more productive. We can do things like automate decisions; we want to offload that more manual work to an algorithm. So if there are simple things that you can automate, decisions that you can automate, like DeepDrop for example, you can be more productive and you can focus on different things. The industry is growing super fast. Computing power: there's some stat that goes around every once in a while, it's like computing power doubles every 50 days or something. And so there's a lot out there and there's a lot to be done. We kind of think that some basic knowledge of machine learning will be required going into the future. It's still magic every time; every time I go through and I explain a neural network to one of my colleagues, it's still a little bit magic, but it is mostly math. In fact it's only math, which, I wouldn't be afraid of the math piece; the math's kind of already done for us. I like to say algorithms are empty, and so we don't have to struggle with the math; it's done for us. On the right, this is a little excerpt from Talk to Transformer. There's a talktotransformer.com, and it's just the GPT-2 model, which is a big language model, hooked up, and I simply just asked it, is machine learning right for you, and this is what it came up with. So in some ways it can be coherent, and in other ways it can kind of talk around the subject.

Offensive machine learning: so I've kind of stopped, no, I have stopped doing ops at Silent Break for now, and I focus mainly on building tools and research that help support our ops team. Offensive machine learning is just simply the application of machine learning to offensive security problems, whatever that may be, whether it's generating phishing emails, whether it's finding administrative access faster, whatever that may be. We're just using that as a blanket term to kind of separate it. But it helps us
reduce cost. Hunting for admin access or hunting for information in really large networks is very costly and can take quite a long time, especially if you're going through potentially a thousand file shares. It would be really nice to have some sort of intelligent system by which you could automate decisions, just offload those simple decisions, so we can scale operations. On the defensive side, machine learning is not being looked at as a replacement for human interaction, but as a way to scale, or at least that'll be the first step, to scale. We can dig through our data and we can create advantages. Red teams, I think, traditionally haven't collected or even cared about what data they're looking at or collecting, but digging through the data we can create our own advantages, especially as networks get tighter and more products land on the endpoint. And there's obviously the adversarial piece. We count adversarial machine learning under offensive machine learning, as it just helps us further our more nefarious goals: if we can bypass Proofpoint's model with an adversarial model, then to us that helps further our offensive objectives.

And machine learning is awesome. Dig into it if you're into data, or even if you just have that little spark, that love for numbers or data, even if you're not into math. I like to say it's not a math problem anymore; the math's done for us, it's an engineering problem now. Most of my work is actually... some people make the analogy that data is oil, and if that analogy were true then I'm building the drill. We have a lot of data here that we can't keep, so I have to build some sort of drill so that we can transform it before it gets deleted. The math's taken care of, so it's not a math problem. If you're interested in it I'd highly recommend digging into it, because it's not as complicated as you would think. We're able to model complex relationships: if we're looking through Active Directory, I can find a little nugget of information way faster with some sort of similarity algorithm than I could scrolling up and down in a text file. Obviously with the computing you can just crush huge amounts of data; there's almost no limit to it. And the data we have, we're not saving billions of data points, we have maybe 300,000, so it's not a ton. You can make it as complex or as simple as you want, anything from binary classification to enormous language models to reinforcement learning, to combining all of those together into one coherent model. Really it's about bringing out those operator sixth senses. We obviously have a lot of experience, so it's about modeling those operator decisions: why did you look in that file share? Why did you run a sequence of commands in this particular way? Why did you do this? We're trying to encode our experience and our knowledge into these algorithms in some coherent fashion. And not only are we looking for it to support our operations; a lot of other companies are doing the same, so you're going to have to have some kind of knowledge, otherwise you'll be operating on a network and something's going to break and you're not really going to be sure why. You're not going to be able to explain it, and you're not going to have any recourse in terms of troubleshooting. As networks get tighter those opportunities are getting much... we're losing access more often than we were in the past, and unless we can explain why, we can't go back and fix our tools. So we need to have some sort of knowledge so we can go back and reintegrate, or do some research and figure out what's going on. But everybody's jumping on the bandwagon. I remember, or I'm sure
a lot of you remember application whitelisting. Two or three years ago at Black Hat everything was application whitelisting, and then you had the LOLBins project, and as it turns out there's actually a lot of stuff that can execute things, so vendors have kind of stopped talking about that, and now machine learning is the way.

Climate change is killing all the fish, so this talk is really about phishing. Over the course of maybe three years we've seen a significant increase in the amount of effort required to phish. This is just a generic chart with numbers that I made up, but what it really shows is that the number of interactions we're having to do is going up, the number of platforms we're having to use is going up, whether it's hosting documents on S3, Azure, Dropbox or any other platform, and the number of techniques we're having to use is going up. We used to be able to just send in a simple macro and it would work, but now we're having to use a macro, an HTA, an LNK file, an LNK file wrapped in an ISO wrapped in a zip file. So the number of emails generally is going up, as is the number of interactions with targets and the number of techniques we have to send to the targets. 100% of emails are being inspected, whether it's through a spam filter, third party or on site; everything's being inspected. I would say probably 10% of our payloads are being sandboxed, so it's still not a huge number. 80% of our emails are received, so the payloads do get delivered, and we do get a 60% click rate. The issue is the endpoint protection that we're generally up against: there's several of them, so it's not any one product, you're having to balance bypassing two or three different endpoint products. That means our effort's going up.

Through ops there's kind of this process where you have a comfort level: ops are going smoothly, everything's working fine, work's getting done, the project manager is happy, everyone's happy. And then there's some sort of change, people start implementing new technology or whatever it might be, and there's some discomfort. Ops are taking longer to complete, tools work but they have some challenges, maybe some techniques have fallen off in their usefulness or techniques are getting caught, or we can't use one of our favorite techniques for whatever reason, and ultimately it just leads to work taking longer. So we need to do something, so now we're going to adjust, and work is on hold as we rewrite our tools; we have to test, I have to make sure everything works, and then we can start pushing things out, but there's definitely a delay in work. I'd say in terms of the phishing piece, or the initial access piece, we're definitely at that point of discomfort and adjustment. This talk, I think, is a representation of that, and the research that I do is a representation of the adjustment that we're having to make as a result of just some light discomfort in regards to phishing. But red teams, or attackers, have had it easy for a very long time, and so a lot of people will maybe complain that it's difficult. I mean, all of the teams we talk to say it's getting more difficult; you're seeing a rise in sort of assume-breach model testing. But I think we're just in a balancing phase where defenses are getting better and attackers are going to have to raise their game a little bit.
So we're going to go through a little exercise and talk about how we do things. Firstly, when we're phishing we start with a persona. This is a fake person; they have work experience, they went to a school, they're just a regular person, and they represent our team on the internet. I would say each of our operators handles maybe four to six personas that they're responsible for. Thanks to machine learning, the faces that you see on the left are all fake; they're not real people. We used to go on Google and search for a person, go to the 15th page and steal a profile picture. You don't have to do that anymore, you can just generate a fake person, so maybe deepfakes are actually good for the general population in this way. This is thispersondoesnotexist.com; you can go and generate a face, throw it up on LinkedIn and fill out all the requisite information there, and then you have some sort of presence. You have an email address, you can build all the social media accounts you need, and so on and so forth.

But really, when you're looking at phishing you want to get the right combination of things: you need a persona, you obviously need a pretext, and you need some sort of target. Our most successful phishes come from our personas that are young women. My two favorite pretexts are an executive recruiter or a new college graduate, and my targets are men aged 45 to 60, vice presidents, directors, C-level, those kinds of people, or similar-age women in similar positions. I tend to find that if I'm phishing from a young woman's persona, older women are less interested in helping me out, whereas men aged 45 to 60, and this is anecdotal, are generally extremely responsive. They're more ambitious and they're generally more aggressive with following up on my emails, and so they make a very nice target, as they're potentially more involved in their careers, or they're always looking for the next best thing. Although with executives at, for example, Fortune 1 or top Fortune 5 companies, the recruiting process is a little different, so I tend to stay away from executives at really, really big companies. If I'm posing as a young man, I like the job advice angle: hey, here's my resume, could you take a look at it? Or: you look like you took a similar career path to me, I'm just wondering how it worked out for you, would you be interested in looking at my resume or having a talk? The target there can really be men of any age, in any position, effectively. A lot of people want to share their opinion and they want to interact with you, so if you're asking someone about their opinion they're more likely to come back to you. As time goes on you say, oh, do you want to get on the phone, here's my calendar, and the calendar is just an HTA that you send through a link on S3, and you get execution that way. Again, young women as the persona, job advice or life advice, the same kind of thing, and then older women in any position. If you're asking for advice versus offering a position, I tend to find that older women are more inclined to help you out or take a look than if you approach them in a business fashion.

Techniques to tailor your targets: you want to be professional up front, you want to build a relationship, and you want to make sure that you're following up with your targets. Don't just shoot off a phishing email and then not come back with anything; you want to make sure that you're following up. If you've found someone who's going to execute your phish, send them multiple payloads, use them to troubleshoot on the network. If you're recruiting, salaries should be competitive; they shouldn't be egregious, they shouldn't be ridiculously out there, and in lieu you can use stock options. IPO, anything with tech, fintech's very popular at the moment, so it's like, hey, we're a startup, IPO, do you have your accountant, do you have IPO experience, and they're going to know exactly what that means for their paycheck. Ultimately you want to play to your strengths and you want to play to your targets' wants, needs and expectations of your persona. So if you're phishing someone in Australia, for example, you want to make sure that you put the s's in the right places for the different spelling.

Then targets. Executives: we like going after executives, but they're high risk and the reward is not always there, because they don't always have access to the information we want. Interns: we love phishing interns, they're new, they're fresh, they don't want to mess up, they're looking for a new job that pays more, so these folks are always good. Marketing: they're pretty hit or miss. Sales are really good, they'll click on anything that says RFP or here's the invoice, and so on. HR used to be our favorite, not so much anymore; they're just used to dealing with people, they have processes for shifting your document somewhere, so they're not a favorite of mine. Project managers are also a favorite; they're used to receiving documents from external folks. IT folks: high risk again, high risk, high reward. I would recommend LinkedIn Premium, it pays for itself. You can go do a Google dork for some doc on their site, pull the email out of that, poison the doc and send it back in.

But then when you start chatting with people, this is the kind of thing you get. I pulled these messages out of our LinkedIn chats, and some of them are kind of funny. "I think you're beautiful" is not appropriate for LinkedIn, but you should use that to your advantage if you're trying to phish this person. Unstructured text is really painful. We have two scenarios when we're chatting with targets. There's "are you interested?", and he's like, no, I'm not interested, I'm happy; okay, cool, thank you.
You now move on to the next one. Then you have the other scenario where they are interested, and you can start to converse with the target. When you're conversing with a target you want to give yourself options: hey, that link didn't work for me; apologies, we're on a new system, here's another one; still couldn't open it, here's an HTA. Oftentimes, if you find a target that is willing to give you feedback, then you should definitely push the envelope until you get caught.

But we want to turn this into a machine learning problem. How can we do this? Well, we can use word embeddings, and these word embeddings are just machine-learnable representations. Given input y, what's the probability of x? Given a conversation where this person is interested in a job and there's this conversation going on, what's the probability that the model should output this text versus the other text? It's really a joint probability problem. When you're looking at training: gather your email logs, recreate the conversations in input/output form, create a vocabulary, turn all those words into numbers, and then throw it into a recurrent neural network, an LSTM, or even one of the larger ones like GPT-2, which is a really large language model. I'm sure a lot of you have heard of AI Dungeon, which I think came out of a student at BYU here in Utah. It's looking at the probabilities of what the next word is in a given context, and when you're running through this you can see what comes out. This is our email: we gave it a context, "Hi, I'm a graduate looking for a job," and the model just finished it for us, including the "many thanks", including the name. It's not great, but emails can be corrected, and the emails are guaranteed to be different. This is another email. This is useful in the sense where a blue team is looking for similarity across our emails: let's say we fire off five templated emails and one of them gets caught. These language models ensure that all of our emails are different, so they're not as likely to get found. From a cost perspective, rewriting five fresh emails before phishing is costly, it's time-consuming, and we want to scale operations, so if we can generate emails, even if they have to be corrected, that's awesome. You can generate text almost infinitely, and in my testing generally about 30% of them are useful and 100% of them need some sort of tweaking. You can go from there; it's coherent but it still sounds kind of odd.

We can do the same with chatbots. When I first started researching this I looked for a chatbot that does recruiting, or some example code, and as it turns out there are just legitimate companies that do this, which I was surprised to find. It's the same thing: gather chat logs, recreate the conversation, train your model, and then see what comes out. Our issue generally is that we don't have a ton of these conversations. A chatbot at a recruiting company might have millions of examples; we probably have maybe 2,500, so comparatively our models are going to be worse. With the link at the bottom you can go to LinkedIn and pull out your messages. This is an example of a conversation from our chatbot: "Hi Sal, are you interested in a job?" "I am interested, what is it?" And then the response doesn't make sense in the context. These are kind of difficult to get away with, but I would say the issue we have is mostly that we're hindered by the amount of data we have. We just can't keep data for the sake of machine learning; with our clients it's unpopular for us to keep data, even though clients will ship all their logs off to Carbon Black in the cloud, but we're not allowed to. It's obviously a different kind of information, but I'm wondering if that will change in the future. Things like adversary simulation products, for example: if they're going to start to implement AI at some point, they're going to have to keep data. I would say generally templates are easier to write, they're easier to send, you're in control of everything, and they're still not getting caught, but they will get you caught: if a blue team finds one email they will likely find the rest of them. But chatbots and AI and language models are just going to get better from here, so we're at the beginning of it, which is exciting but also scary. There's a ton of work to be done in organizations everywhere, and there are just new risks presented, and the whole adversarial piece is another one. Afterwards I'll be on the BSides Slack and Twitter, and I'll put these slides up on the GitHub link here. Sorry, I kind of talk fast.

Okay, so we have a minute or two for questions. Are there any questions?
Can people hear me? Yeah, we can hear you. I don't see any questions in the Q&A or in the chat, if anybody has anything. But we just got one. They said: I have no experience in ML, where should I start?

I would start with binary classification, definitely start there. There's a great book called Make Your Own Neural Network by Tariq Rashid, and it breaks down a neural network into the simplest components, and it is dead simple to understand.

Do you have any AI tool or research references?

Yeah, I would say there's the DEF CON AI Slack, and if you're interested I would definitely recommend joining that Slack, in addition to Googling. I think there's a lot of research that's done in labs that isn't very practical for our use cases, so there's going to be a lot of effort that's going to have to go through and pick out this academic research and apply it to the offensive use case.

Another question: if attacks are moving this way, from a blue team perspective how do we go about combating this?

I think a lot of the tools don't really exist yet, or they're starting to be built but the maturity isn't there. Even though we're doing this research, on networks we're generally not having issues with machine learning products that we know of. I'd say Proofpoint is an exception to that; they're pretty good at what they do. I would just say hang on, it's going to be a year, two, three before these products are really going to be useful for you. In the meantime, though, if you have your own data then you can go through and build your own model, so you're looking for cosine similarity, similarity scores for malicious events, things like that.

So we're out of time, but there is one project that I wanted to highlight for the defensive side. It's a project called cyBERT, and I'm not sure who it was put out by, but they're looking at this kind of stuff, so there's definitely a gold mine there for the defensive side.

Excellent, that's it for me. If you guys have questions I'll be in the BSides Slack, and if you just want to talk machine learning I'll be there as well. Thank you, guys.

Thanks, Will, appreciate it, great talk. So up next we've got Adam Fiser; he's going to be talking about the OWASP API Top 10, so whenever you're ready,
Adam, feel free to take it away.

Thanks. Awesome, guys, great stuff. Glad to be here on a Saturday morning, and excited to talk about APIs, API security, here. To get started, a little bit more about myself. I've been in security now for about 15 years, and I always say that I got my start with WinNuke 95, and I know that's starting to age me a little bit, but those were fun times with some early operating systems. I'm originally from Pennsylvania, been in Salt Lake City since 2001, so easily over half my life, and now live in Lehi. I've traveled significantly for work; I now cover most of the Southwest areas, deploying security solutions in those regions and those cities. But most of the time, most Saturdays, most weekend nights and weeknights, you'll see me on a soccer field, or at least carpooling soccer kids around the valley, so I always say that's my real job.

Let's go ahead and get into it. I'm excited to really highlight here some of the new things that we're seeing with APIs, a new attack surface that more and more enterprises are leveraging, and it's really been a good change of pace. I've spent 10 years in application security, specifically dealing with web application firewalls, application attacks, securing login pages and dealing with the ever-increasing attack surface that we have with credential stuffing and account takeover and breaches in that sense. So securing login pages and things has been something I've been doing a lot with lately, but APIs are causing a change in how applications are secured, should be secured, and how businesses are really implementing web pages going forward.

When you think about traditional application security, the solutions out there that most of us are familiar with, or at least are pretty common in industry, are something like a WAF, a web application firewall, or something from Palo Alto, which is a next-generation firewall, things like that, that are looking to secure applications from the common attacks that we have. The OWASP Foundation for a couple of years now has been releasing their top 10 application security attacks, and those are pretty familiar, but they don't cover the change that we see with APIs. The attack vectors that face API-driven websites are different than the attack vectors that would come against a traditional web application.

To give a little bit of history on APIs and how we got here: think back to one of the very first really large, popular e-commerce sites that we had, eBay. I don't shop too much on eBay anymore, but go back to the beginnings of eBay: you have this auction site, you're watching your bid to see if someone's going to outbid you in that last 60 seconds or 30 seconds of a bid, and eBay needed a way that they could communicate that real-time auction, those bid numbers as they changed, quickly, rapidly. They couldn't refresh the entire web page and expect that bid, or your screen, to have the new information right away. So eBay came out with really the first web API, where the API would just request and update the price, what the new bid is, on that web page, and it wouldn't reload all of the HTML and process the entire page. We can continue to see that today. A popular example for me is the ESPN sites, where if you're following a play-by-play of a basketball game or a football score, ESPN is not refreshing the entire page all the time; it's just that simple play-by-play information that the API is processing.

Those are the differences; that's how we see web applications moving now. We're getting away from the traditional website where it's a massive request, you have a large web server that is processing that and feeding it out each time, to where now it's more real-time data, and it's just the data that's important to the web page. You can refer to these as single-page applications. Another good example is Netflix, where you can almost endlessly scroll and Netflix will display the new recommendations whenever that comes into your field of view. To do this, we're moving on to what we refer to as a micro-architecture with APIs, where each API microservice will just reply to that specific API call that's being requested. This could just be the authentication page to your application, it could just be the real-time game score; in Netflix's world that could just be the top 10 recommendations, it could be your action movie recommendations, but each microservice handles a different part of the web page. This allows faster real-time responses to the content that the users are looking for and expecting to see in their browser window, in their application. And it also obviously allows the service, in a microservice world, to expand more rapidly: if a certain aspect of the web page is busier than the others, then that microservice can expand or shrink in your cloud availability set to cope with the load of just that particular aspect of your web page, and you're not duplicating the entire site; they handle just a small aspect of your web page. So that's what's bringing us up to date here with APIs.

Now, when we look at the different architectures, the different requirements around API security, the OWASP Foundation came together and created a specific top 10
list of vulnerabilities um that we see specifically on API end points in API applications and so when we look at these we see here some clean to distinctions between uh the traditional vulnerabilities on application security we do see a few holdovers down here at the bottom around 7 to 10 um those we've seen before in the past and and are common across applications and we'll speak to that um but the top six here are very unique and we'll get into some of the uniqueness of these but ultimately it comes down to the fact that we're getting away from what we refer to in the industry as signature protection or attack signatures uh in a web application
firewall space and one thing I became very familiar with in the beginning of my career was the concept of a tax signature and the common example of that will be if I'm running a web server an Apache web server and the Apache web server has a vulnerability then anybody running that version of Apache is going to can potentially be vulnerable and so an attacker can create a common attack string if you will that would um exploit the Apache vulnerability and so from a security solution perspective I would just need to write a specific signature that looked for that attack string I could push it across my Solutions I could create it once and uh you know then the
in all intensive purposes that attack would be mtig ated and from an attacker perspective it was also pretty easy he could craft that specific attack string blast it out across the internet anybody running that version of Apache or that version of the web server could potentially be vulnerable and I would have my attack and I could attack anybody running that string and and I'm successful in the API World these apis um one are more customized uh there's no such thing as a common API implementation every business uh every website is going to have some type of a implementation specific to their needs and to their development to the devops practices and their developers how they coded their
API so there isn't necessarily a common uh signature that I can just blast out and that everything would um then work there has to be a level of Recon that an attacker does to discover these vulnerabilities to profile the apis and so that that entails as well a different type of security we can't just put an API endpoint behind a wff an application firewall and expect all of those signatures to take effect or to have um you know the type of security that we're used to uh oftentimes apis as well we can assume that these API are going to be accessed uh through a browser so things like browser security as well doesn't necessarily apply um in
my experience as soon as you know one of my customers put uh an API endpoint behind an application firewall I quickly saw that nearly you know 20 to 30% of the security policies um or features would apply they would lose 70% of the value that a WTH could do because bot detection um you know browser Telemetry uh you know the things that a wa would do to run run inside the browser to detect and identify the attacker can't happen because the API is either it's a business you know it's a machine to machine communication or it's a native mobile application where we can't run those things inside a browser because the browser doesn't exist exist and so you
lose those protections and the top six here that we see broken object level authorization broken authentication all the way down here to mass assignment these are things that um are not going to be covered with those traditional Solutions and so let's look at why that is and we'll dive into a little bit deeper on these here so the first one the most common one being a broken object level authorization attack I'm going to highlight two specific attacks um where this affected some very large customers and really what it boils down to is once I am authenticated as a legitimate user what does that authorization what does my authentication allow me to do and in often cases what we're going to
see here is that it allows me then to access data of another user. So I'm authenticated, and the API is doing the authentication check, but it's not checking what I'm authorized to see, whether or not I have permissions to see this data. I'm authenticated to the system, and once I'm authenticated I can get whatever I want. And this is very difficult from a DevOps perspective, because you have to do this check basically on every request that the authenticated user is making. So look here, here's one example. This is from last July, when it was detected, but specifically it was disclosed around November, where an attacker, once he was authenticated to, you know, the Verizon customer portal here, was able to access, or just enumerate, all the contract IDs as part of that API request and returned roughly 2 million contracts or account agreements from the Verizon system here. Pretty obviously, pretty significant, and it really wasn't that difficult. So the main thing here is, we'll get into how somebody like this can get this information, the steps that an attacker would do if he wants to begin to attack some of these APIs, but it wasn't that difficult from his perspective. And an attacker, one of the first things they will do is they will go through any type of user creation process and get a valid account, and from that perspective, once they have a valid account, they get some more information and they can begin to see what their authentication gives them, what their account permissions allow them to do. And in this case he was able to return multiple agreements.
Another scenario here, and this was a little bit, about two years ago now, in 2018, but this was when the United States Postal Service first pushed out their, you know, track-your-package, they referred to it as their Informed Visibility system. This was a terrible rollout. This wasn't the only vulnerability that was detected against this application when it was first released, but in this case here it's very simple: the flaw allowed any user logged in to the system to use an API to see account details for other users. So, very simple here, and as we will see when we get into this, I'll come back to the screen here, this isn't a situation where we're looking at a traditional attack signature. There's no malicious content here, from a traditional perspective, that would say the attack request is incorrect or is bad. It's not malformed, it's a valid API request. There's no parameters that were inserted here, but it's down at the actual value level of the parameters that the mistake is, and so this would easily bypass any type of application firewall rule. You know, there's other solutions out there that are doing some blacklisting and whitelisting of traffic, of API requests, but there's nothing wrong here in the request. You have to compare the actual value that is in the cookie or in the token against what is being requested. And so, is the user ID here that is in the request, does that match
the user ID that's in the response? And if it doesn't, then that's something that we have to look at. And so it's down to the actual parameter value level, of how we would have to compare multiple values in the request and in the response from a security perspective, and so a very difficult one to remediate. Okay, so the next one we have here was API2, broken authentication. Broken authentication can really highlight any type of credential stuffing or account takeover issue against any type of API login endpoint. I see my time, so I'm going to go a little bit faster here, but what we have here is, you know, basically JSON Web Tokens are becoming more and more popular, if not one of the main ways that APIs handle authentication. Be aware, it's not necessarily super secure; there's definitely vulnerabilities out there in how that is handled. It's not difficult for an attacker to decrypt or to open up what's inside that token and look for sensitive data or vulnerabilities as to how they could then break an authentication. The one thing as well is, oftentimes businesses will have their standard form-based authentication in their traditional application, and then they're going to have possibly multiple API endpoints that handle authentication, and so as businesses move away from one form of authentication to another, there are multiple ways, or multiple doors now, where authentication takes place. And so the API endpoints may not always follow in the same visibility, or may not be integrated into additional security solutions like the traditional login pages are in the beginning, so be aware of that.
Now this is a good one here, excessive data exposure. I don't know if any attack is good, but there are plenty of good examples of how this happens. And when we think of data exposure, right away we think of, you know, a database breach where somebody exfiltrated millions of rows from a
database through a traditional, maybe, application SQL injection, they got inside the business, whatever it is. But in the API world this really has a different connotation, it's a different meaning. It's not about getting data from the database, but it's about exposing sensitive data where it wasn't required. And this is an example that OWASP gave, which isn't good; there's plenty of dating apps out there, and this was a case where, just through a simple request, even if I turned my privacy settings on in this example here, meaning that I don't want my location to be shared in the application, all that privacy setting did was remove those fields from the user interface, from the application. It did not prevent the server from responding with that data. So in this case here, if I put my privacy settings on, okay, great, my data is not shared. Well, that's not the case if we actually look at what is included in the response: my latitude and longitude is still there. Even if I wanted to hide my photo, I don't want to share my photo, that's not okay either, because the actual URI, the URL to my photo, is included in the response still. So it's just hidden in the interface; it's not preventing that data from being returned. And so you can kind of refer to this as client-side filtering, which is not actually preventing my data from being exfiltrated, and so this is an example of what, in the API world, excessive data exposure means. And from an attacker perspective, if I wanted to take this a step further and just continue to friend people and find their location, we even saw here during this attack that they were able to get down to and say, hey, there's even people using this application supposedly in the White House. Now somebody could be spoofing this location or whatever, but you get the idea. All right, so in this scenario, from a remediation
perspective, you also want to have something that is investigating the response data. In APIs we can see the difference here from a traditional perspective: the traditional security tools like a WAF are only inspecting the request and not inspecting the response. When you look at API security you have to look at the response as well, what you're sending out.
Resources and rate limiting, this is another one here. So we have things like, you know, this isn't about networking. When I came into the API space I had to kind of change my thinking a little bit, where you think about the network requesting, or limiting the requests coming from the network side, from the IP side. Here again this is more about the response: how much data am I trying to return from these microservices? You will see very commonly we have a page size, we're only going to return 250 items. Remember, these microservices are usually a lot smaller implementations, a lot smaller servers, where it's very possible to overload those. So you're not looking to take down the entire website, you're just looking to cause the microservice to return too much data, to where it can't handle processing all of the data that's being returned. So we have to do checks here on exactly what the page size value should be, and again notice here, it's a completely legitimate request. The attack here is that I'm increasing this value to a size where the microservice can't handle it; I'm going to crash it.
The other thing here, broken function level authorization. Now what we're talking about is changing the actual method calls. So, you know, this API endpoint expects maybe a POST to be received. From an attacker perspective, what if I change that to DELETE? What if I change from a POST to a PUT? Is there checking involved there, or will the server as well process an
incorrect method call to that endpoint? And this is very common. I see this as a first level from an attacker perspective, as they're looking through the API endpoints: what can they access, what can they hit? Next is mass assignment: can I change my permission level by including additional fields? All right, so maybe I'm authenticated as a user, I'm going to go through and create my user account, I now have just a basic user account, and now I want to elevate my privileges on the API. You know, can I do that? And this is very common, I see this a lot as well: is_admin equals true, change my role to administrator, all trying to find elevated privileges that then give them access to additional endpoints or additional permissions to request data. This was an example that I saw here just recently where, during the registration process, you can see here in the beginning I'm trying to register my email, and the response is nope, email is not verified, that's an incorrect email. We changed that. So the attacker just saw that response and said, oh well, I wonder if in my response I tell it that it's verified. He did that, it came back, now the email is verified. So this is an example here of doing that mass assignment. It's not so much on the roles, but we can still get through here. Basically what you can do is include the parameter, or insert additional parameters that aren't in the standard request that we see, just modified a little bit, and you get what you want.
Security misconfiguration. Now we're getting into some of the ones from the traditional OWASP Top 10, but here this is simply when we can cause an error, and in the response you're basically leaking data that helps the attacker understand what the process is or understand what services are running, and then they can maybe craft specific attacks against that. We still have injection attacks
here, and what's interesting, and what I've seen, is that just because the traditional application, you know, all your traditional applications are behind a WAF, the SQL injection and the cross-site scripting attacks aren't as prevalent. But how about your API endpoints? Because those are created maybe ad hoc, maybe they're in different environments, they're created more frequently, there's rapid development in the API space, so those API endpoints aren't behind the traditional security solutions that we have, which leaves them available for these injection attacks. And maybe, from a cross-site scripting perspective, you're inserting something that then takes hold on the website side as well. I've seen it as well, so it's like the website's more secure but the API endpoint that's on that website is not, and so I can access that and have almost like a side-loading into the website.
Now improper asset management, and the last ones here, as I'm running out of time, are all about the traditional approaches. We still see these a lot, but basically the APIs are definitely a newer space. Security teams don't have the same amount of visibility, or just haven't been provided that in the business, and so for the security team to discover and identify these APIs is more difficult, and so you need something outside of just good documentation practices to discover and identify your API landscape and how big that grows. The other thing I've noticed, and I'm sure we've seen this as well, is APIs have versions. So you'll push out a new version of your API, 1, 2, 3, 4. There was a time I was working, you know, integrating with Salesforce; I think at that time they were on version like 38 or 39 of their API, but the version I needed was version 27, because that's the one that was compatible with the solution I was deploying, and I could go back and just change the version number in the URL and get back to version 27. And that's what we see here as well: so improper asset management, you're promoting these APIs and the old ones are not getting deleted, and so you still have exposure to those APIs that haven't been updated. So I'm going to pause there and answer any questions that might be out
there. No worries, so good.
Cool, well, guys, I hope that was beneficial. I want to give time to rotate onto the next one, my time is about up. You can find me out there on Slack and anywhere else, and I'll answer any questions you have. Appreciate your time and look forward to the rest of the conference.
Thanks Adam, that was awesome, so I learned some stuff about API security in that session. So up next we've got Carrie Roberts, Darren Roberts and Cameron Roberts. They're going to be talking about doing domain password audit tools, so I'm going to turn it over to you, Carrie, so feel free to start presenting whenever you're ready.
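Before the next talk, an added worked example (not part of the recording, and not code from the speaker or any real API) of the server-side checks Adam described: comparing the identity in the token against the object requested, filtering privacy-protected fields out of the response on the server, capping the page size, allowlisting registration fields against mass assignment, and rejecting unexpected HTTP methods. The profiles, privacy settings, token shape and route table are constructed assumptions.

```python
"""Server-side checks for the API Top 10 issues discussed in the talk (constructed example)."""
from dataclasses import dataclass

# Constructed sample data: two dating-app style profiles and their privacy settings.
PROFILES = {
    101: {"id": 101, "name": "alice", "lat": 40.76, "lon": -111.89, "photo": "/photos/101.jpg"},
    102: {"id": 102, "name": "bob", "lat": 40.75, "lon": -111.88, "photo": "/photos/102.jpg"},
}
PRIVACY = {101: {"hide_location": True, "hide_photo": False},
           102: {"hide_location": False, "hide_photo": True}}
MAX_PAGE_SIZE = 250                          # the page-size cap mentioned in the talk
REGISTRATION_ALLOWLIST = {"name", "email"}   # the only fields a client may set
ALLOWED_METHODS = {"/profiles": {"GET"}, "/register": {"POST"}}  # assumed route table


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass
class Token:
    """Assumption: the session token has already been verified and carries the caller's identity."""
    user_id: int
    role: str = "user"


def filter_response(record, privacy):
    """Excessive data exposure: apply privacy settings on the server so hidden fields
    never leave it, instead of relying on the client to hide them in the UI."""
    out = dict(record)
    if privacy.get("hide_location"):
        out.pop("lat", None)
        out.pop("lon", None)
    if privacy.get("hide_photo"):
        out.pop("photo", None)
    return out


def get_profile(token, requested_id):
    """Broken object level authorization: compare the id in the token with the id in the
    request on every call. A well-formed, authenticated request is still denied when they
    differ, which is why a request-signature WAF rule does not catch this class of bug."""
    if requested_id != token.user_id and token.role != "admin":
        raise Forbidden(f"user {token.user_id} may not read profile {requested_id}")
    if requested_id not in PROFILES:
        raise KeyError(requested_id)
    return filter_response(PROFILES[requested_id], PRIVACY[requested_id])


def list_profiles(token, page_size):
    """Resource and rate limiting: reject a page_size the microservice cannot handle
    before any work is done, even though the request itself is legitimate."""
    if token is None:
        raise Forbidden("authentication required")
    if not isinstance(page_size, int) or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise BadRequest(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    ids = sorted(PROFILES)[:page_size]
    return [filter_response(PROFILES[i], PRIVACY[i]) for i in ids]


def register(body):
    """Mass assignment: copy only allowlisted fields from the client body. Role and
    verification state are decided by the server; unexpected fields (is_admin,
    email_verified, ...) are returned so the caller can log the attempt."""
    unexpected = sorted(set(body) - REGISTRATION_ALLOWLIST)
    user = {k: body[k] for k in REGISTRATION_ALLOWLIST if k in body}
    user.update(role="user", email_verified=False)
    return user, unexpected


def dispatch(method, path, token, body=None, **params):
    """Broken function level authorization: a method the endpoint does not expect
    (DELETE or PUT where only GET is defined) is rejected before any handler runs."""
    if method not in ALLOWED_METHODS.get(path, set()):
        raise Forbidden(f"{method} not allowed on {path}")
    if path == "/register":
        return register(body or {})
    if "id" in params:
        return get_profile(token, params["id"])
    return list_profiles(token, params.get("page_size", 25))
```

The point of `register` returning the unexpected field names is that a client sending `is_admin` or `email_verified` is itself a detection signal worth logging, separate from the fact that the server ignores those values.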
Thanks.
All right, here we go. How does it sound? Sounds good, looks good. Okay, let's see. All right, I'm Carrie Roberts, or OrOneEqualsOne on Twitter. We also have with me here in the house Darren Roberts, my husband; he's Mr. OrOneEqualsOne, I helped him with that idea. And we also have Cameron, Junior OrOneEqualsOne, and here we're sporting our nerd glasses. And to introduce ourselves, we even have some little junior hackers in the house that we're training up back here that help us out. We're kind of a family of hackers and it's fun. This is our first presentation as a family at anything, and this is a presentation on the domain password audit tool. Watch how the kids help out when we're taking drinks of our sodas here. Okay, so we're presenting on the domain password audit tool, which is a tool I wrote originally, but since then Darren and Cameron have maintained and added features to as part of their mentoring into infosec. And we're going to start off this presentation with a little cheerleading episode about getting into infosec, presented by me, and then I'll turn it over to Cameron, who will give us some history on how passwords work, how to crack password hashes, how hashes are obtained from computers, etc. So bear with me while I do the little cheerleading
section here and introduction. So I started out as a mechanical engineer working for HP building automation equipment. It was awesome, but there came a time I worried about job security at the company, so I went back to school and learned computering, and I came back in 2007, again to HP, and started programming, writing PC applications and mobile applications, and ultimately became a web application developer. That was super fun. I got to develop a brand new web app, and I was the main developer, and I was a new web app developer really. And one day, while I was happily developing, about to release our web app, my boss walked by with a notepad of paper, dropped it on my desk, it was a report, and he pointed at the report and he said, fix this stuff. And I had no idea what he was talking about. I just saw a lot of red on the paper, so I started reading, and I realized that management had had a security test done on my application before we released it, and it turns out it was vulnerable to some big security vulnerabilities. One of the main vulnerabilities was SQL injection, where the report said we could read, modify or delete any data that you have stored in your database, and all we have to do is type in something like or 1=1 into one of your input fields. And I was like, no way, this can't be. I was in shock and disbelief. So I go to my development machine and I type in their example payload, and, you know, my development database goes away, and so I'm just completely in shock. I also learned about cross-site scripting, which I'd never heard of before, and that my app was vulnerable to that in a lot of places as well. So that was my introduction to information security. So I went home that night very discouraged, like, oh my goodness, I've just been destroyed, my application's terrible, I didn't even know this was possible, and kind of shrugged my shoulders and powdered my way home, talked to my husband and told my
husband, I just can't be a good developer or programmer if I don't know anything about security. But he encouraged me to go ahead and just embrace security instead of being scared of it and worried that I didn't know anything, to embrace it and learn about it. So I inquired around with co-workers what would be a good way for me to learn about security, and in 2010 I took my first security class from SANS and I became certified in information security fundamentals. So I took their 301 class; it was a really good class, I enjoyed it. I took a few more classes over the next year, and that's where I learned about pen testing. So it hadn't really occurred to me that this pen testing, you know, trying to break into applications or computer systems and make them do things they weren't supposed to do, or steal information, would be a really fun job. So when I learned about that, I realized that I really wanted to be a pentester. This would be a really cool job: instead of trying to make things work, try to make them break, and try to break in and steal things, and even sometimes get permission to physically break in and learn to pick locks and jump through windows. So I thought, this is definitely the job for me, so it became my goal to become a pentester. It reminded me of that Sneakers movie, where ex-convicts kind of get together and prove that they can steal money from a bank, but it was all an approved activity. So when they're done with that job and the lady's typing out the check, she's asking them, so people hire you to break into their places to make sure no one can break into their places? And that's exactly what it is, and he replies, it's a living. And so I like that movie. So in 2014 I reached my goal: I finished, I went for the master's degree in information security from SANS and completed that, and became a
penetration tester for Black Hills Information Security. I loved that, but I moved on in 2017 to the Walmart red team and did that for a couple years, and then I moved to the blue team, which is the network defender. So instead of breaking in, it's back to keeping people from breaking in, and I did that really with the goal to become a better red teamer, not necessarily that I will go back to red team, but I wanted to understand both sides and everything about everything, because I like to learn a lot; it's one of my main goals. So I'm over on blue team now. So I was having so much fun. At this time Darren was a high school math teacher online, and he saw me and I'm just having so much fun in my room, like, look at this, I'm breaking into this and doing this, and I'm making good money compared to a teacher especially, sorry to say, and I had a flexible schedule where I work from home, so it was great. And Darren started saying, I wish I could be a pentester, and I'd put on my cheerleading outfit: yeah, yeah, do it, do it, you should do it, totally do it. And he'd say, no, I'm too old. You know, he was 40-something, early 40s, he's like, ah, it's probably too late for me, I can't do it.
So we wouldn't talk about it for a while, and then he would again see me having way too much fun, making good money and having a flexible schedule, and he would say again, I wish I could be a pentester, I should be a pentester, and I would cheer for him, yeah, yeah, yeah, but he would say he was too old. And then ultimately he agreed, and he went back to school and got a bachelor's in computer information technology. He went to school online and finished that, and while he was doing that he also went and got certified after taking some SANS classes, so he got three certifications in those topics listed there, and in 2017 he became a pentester for Black Hills, and then, as a recent contributor to the domain password audit tool, which we are talking about today. And lastly we have Cameron. He's my son, he's 17. I put him on summer coding programs to keep him from playing on his computer too much, which annoys me, and so he's gotten really good at Python. He's also taking some high school programming classes, and he's been contributing to DPAT by fixing bugs and adding features, so if you end up going and looking at our code you'll see the features he's added there. And with that, the moral of this little cheerleading story is that you're never too old. You can get into infosec and be rewarded, if you're old or young, male or female, wise or otherwise, you can do it. You just need to be willing to take that first step, and then you take one more, and one more, and eventually you're going to get there. So I'm going to turn this over to Cameron, who will give us some background on passwords and how they're stored, and how attackers steal them and how they try to crack them to get your original password back.
So I'm Cameron Roberts, Junior OrOneEqualsOne. So I'm going to be talking about passwords and password hashes. So computers will normally store the hash of your password instead of the actual text of your password. So they'll take the text and then put it through this hashing algorithm, and then they'll output this long random string of numbers and letters. So the hashing algorithm encodes data into a small fixed size and will always give the same hash for the same password, and it doesn't really matter how long the password is or how short the password is, it'll always be this same length. Hashing algorithms are one-way, meaning that you can't take the hash and reverse-engineer the algorithm to get the password back; you can only put them in and get the hash out. So password cracking is where you have this hash that you don't know the password for, so you would guess a password such as password1 and put it into the algorithm and get the hash. So in this case the hash is not the correct hash, so you would guess a different password such as password2 and put that in; it's still the wrong one. And then you'd guess password3, and then that's suddenly the right password, so now you know password3 is the password for the hash.
Windows stores two different types of password hashes: there's LAN Manager and New Technology, LM and NT. The LM hash is older, and is where they split the password into two sections of up to seven characters each, and they take each section and put it through that hashing algorithm, then put the two hashes together to make this one longer hash. And they convert the password into uppercase letters, so that there's less options on the different hashes that you can have. So in this example there's "B being baby" where only certain letters are capitalized, and it's the same hash as the "B being baby" where more letters are capitalized, and where all the letters are capitalized. So the LM hash is pretty weak, because the time to crack a seven-letter password is the same as to crack an eight-letter password, which is the same as to crack a 14-letter password. So an LM hash can only have uppercase letters, numbers and special characters, and it splits it in half, so there's only up to, basically, a seven-letter password. So that gives a total of one trillion different combinations, which is a relatively small amount for how fast computers are today. And an NTLM hash can have uppercase letters, lowercase letters, numbers and special characters, and it doesn't split it in half, so however long you put in your password, there's actually that many letters that it uses. So all of that
makes it so that there's one octillion different combinations of hashes, which is way more secure. On my computer it would take an average of about 8 minutes to crack any given 14-character LM password hash, while it would take 4.3 billion years to crack any 14-character password NTLM hash. So how does a bad guy get your hash? It's a pretty big question, because if they don't have your hash they can't crack the hash. So they can get access to your computer by, like, a phishing email or some other form of hacking, or they can get access to a different computer that would store your hash, such as a domain controller in an enterprise environment. So an enterprise environment is where there's the computers on the domain that have all their own stuff, and then they all connect to this domain controller that stores their hashes and all their other information to authenticate the users that are using the computers. So the domain controller would store, in this example, Larry's hash, Curly's hash and Moe's hash, but on more recent versions of Windows the machine will not store the LM hash, because it's so weak, and replaces it with this aad3b4 hash, which is the hash for a blank password. So access to the domain controller is really good for any hacker because of all the information that it has on hashes and all the users on the domain. So I'm going to turn it over to Darren
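An added worked example (not from the talk, and not DPAT's own code) tying together what Cameron just explained and the LM-based NT cracking that Darren describes DPAT doing next: the NT hash is MD4 over the UTF-16LE password, cracking is hash-each-guess-and-compare, and because an LM crack only yields the uppercased password, the true casing is recovered by trying every upper/lower combination until the NT hash matches. Assumptions: secretsdump-style `domain\user:rid:lmhash:nthash:::` lines, a simplified `hash:plaintext` potfile (real hashcat LM potfiles list each 7-character half separately), and constructed sample accounts. The DES-based LM algorithm is not implemented here, so the one non-blank LM hash value in the sample is a placeholder; the NT hashes are computed for real with a pure-Python MD4.

```python
"""NT hashing, guess-and-compare cracking and LM-to-NT case recovery (constructed example)."""
import struct
from collections import Counter
from itertools import product

MASK = 0xFFFFFFFF
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"   # the LM hash of an empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hx = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):   # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, _rotl((a + hx(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE encoded password, as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


def crack_by_guessing(target_hex, wordlist):
    """Cameron's loop: hash each guess and compare until one matches the target."""
    for guess in wordlist:
        if nt_hash(guess) == target_hex:
            return guess
    return None


def recover_nt_from_lm(lm_plaintext, nt_hex):
    """DPAT-style finish: try every upper/lower casing of the letters in the uppercased
    LM plaintext (at most 2^14 candidates) until the NT hash matches."""
    letters = [i for i, ch in enumerate(lm_plaintext) if ch.isalpha()]
    for lower_flags in product((False, True), repeat=len(letters)):
        chars = list(lm_plaintext)
        for idx, lower in zip(letters, lower_flags):
            if lower:
                chars[idx] = chars[idx].lower()
        candidate = "".join(chars)
        if nt_hash(candidate) == nt_hex:
            return candidate
    return None


def parse_ntds(text):
    """Map username -> (lm_hash, nt_hash) from secretsdump-style output lines."""
    users = {}
    for line in text.strip().splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            users[parts[0].split("\\")[-1]] = (parts[2].lower(), parts[3].lower())
    return users


def parse_potfile(text):
    """Map hash -> plaintext from 'hash:plaintext' lines."""
    return dict(line.split(":", 1) for line in text.strip().splitlines() if ":" in line)


def audit(ntds_text, pot_text):
    """Join the dump with the potfile, finish LM-only cracks, and summarise password
    reuse, cracked-password lengths and which accounts still have a non-blank LM hash."""
    users, pot = parse_ntds(ntds_text), parse_potfile(pot_text)
    cracked, lm_present = {}, []
    for user, (lm, nt) in users.items():
        if lm != BLANK_LM:
            lm_present.append(user)
        if nt in pot:
            cracked[user] = pot[nt]
        elif lm in pot:                      # LM cracked but NT not: recover the casing
            recovered = recover_nt_from_lm(pot[lm], nt)
            if recovered:
                cracked[user] = recovered
    reuse = {p: n for p, n in Counter(cracked.values()).items() if n > 1}
    lengths = dict(Counter(len(p) for p in cracked.values()))
    return {"cracked": cracked, "lm_present": sorted(lm_present), "reuse": reuse, "lengths": lengths}


# Constructed sample data; FAKE_LM_MOE is a placeholder, not a real LM hash.
FAKE_LM_MOE = "11" * 16
SAMPLE_NTDS = "\n".join([
    f"corp.local\\Larry:1104:{BLANK_LM}:{nt_hash('Welcome123')}:::",
    f"corp.local\\Curly:1105:{BLANK_LM}:{nt_hash('Welcome123')}:::",
    f"corp.local\\Moe:1106:{FAKE_LM_MOE}:{nt_hash('Summer2020!')}:::",
    f"corp.local\\Shemp:1107:{BLANK_LM}:{nt_hash('correct horse battery staple')}:::",
])
SAMPLE_POT = "\n".join([
    f"{nt_hash('Welcome123')}:Welcome123",
    f"{FAKE_LM_MOE}:SUMMER2020!",        # an LM crack yields only the uppercase form
])
```

Running `audit(SAMPLE_NTDS, SAMPLE_POT)` reports Larry and Curly sharing `Welcome123` (the reuse pattern Darren talks about), Moe's password recovered from its uppercase LM crack, Shemp's long passphrase uncracked, and Moe flagged as the one account that still stores an LM hash.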
now. Hello everybody, this is Darren Roberts, and I'm Mr. OrOneEqualsOne. I am going to be talking about the domain password audit tool, but I want to point out a few things about what Cameron said. One of the things that we do at my work, I work for Black Hills Information Security, we recommend passwords of 15 characters or more. The reason why we do that is specifically for that LM hash. It's amazing how many times you're on a test and you get access to the hashes and you crack them, and you do find out that there are LM hashes in the environment, even though, as you talk to the people, they swear up and down that there aren't LM hashes. You still find them out there. So with the 15-character password it does break the possibility of even storing the LM hash. So there are older systems out there that do save LM hashes, so we encourage you to have your passwords of 15 characters or more. But anyway, on to the domain password audit tool. So you can get it here at the repo, clr2of8/DPAT. There is a great README that explains all that you need to know about it; it has a lot of great information and explains what it is and how to use it, but we're going to go through and look at it. So one of the things that you need are the hashes from the domain controller, and again Cameron explained what that is, but there's a command to get the hashes off of the domain controller, and you can see here, it's also in the README, but what this is going to do is it's going to dump the hashes into a file that's called an ntds.dit file, and this file is not very readable in terms of humans, and so we actually need to change this file. The way we do that is use secretsdump, and again this command you can see, it's on the DPAT repo, but what secretsdump does is it's going to take that ntds.dit file and it's going to convert it into this more usable format, and we're going to get three files out. One is the customer.ntds file, and you can name that whatever you want, but this ntds file is going to have the username and it's going to have the LM hash as well as the NTLM hash, and as you're looking through this, hopefully, if you do this on your own environment,
you will see all blank LM hashes, because if you don't have blank LM hashes then those hashes will be cracked when you send them through a cracker. The other thing that you can notice on this is there's a history for each of these users. The way that you get that is you add this flag at the end, -history, and this history is going to output all of the password history stored for the users. So you can see we have user Harry, and then the previous password, the last password that he used, is going to be stored as history 0, and so on and so forth, that goes back through the history of the passwords that he's used. By default Active Directory is going to store 24 of these, 24 of the passwords, and you can adjust that, you can change it if you want, but by default it's set to 24. This has some great information, not only for domain admins to look through, but also for hackers; it gives a lot of information for what we can use. But after you get this ntds file, you then will need to send it through some kind of a cracker. Hashcat and John the Ripper are very popular ones, but you can send this through the cracker and then try to crack all of the passwords, and again, depending on the length of the password will depend on how easy it's cracked. The other thing that is important, I do not know how I just got there, sorry, but one of the things that you need to look at is the word list. So the more complete your word list, the more complete your cracking will be. You can see some of these passwords that got cracked on the side over here; of course this was just an example, and we could put in whatever we want into the word list. Some of these probably would not be cracked by a regular cracking machine, but if you put them in a word list then for sure they will be cracked. So even though you have a long password, you need to make sure that the long password is something that is not in any word list, otherwise it'll probably be cracked rather quickly. So again, after we have the output from our cracking machine, hashcat saves this as a .pot file, so we then are going to go to our DPAT tool. So after we have the DPAT tool, again you can see this is what the repo looks like, you can see how to clone it, so you would just clone that onto your machine and then run the file. So running the file is going to look
something like this. With this file we're giving it our customer.ntds file, we're giving it our pot file, and then we're also giving it some of our admins' information, because this is just going to let us look at some of the groups that maybe we want to look at, to see how their passwords fared. So you can actually give it group files and look at specific users and how their passwords were. And another thing that the tool is going to do is try and crack the NT hashes based on the LM hash. So we know that LM hashes, when you send them through hashcat or whatever, LM hashes are going to be cracked, but that doesn't necessarily mean you have the NT password. So what this DPAT tool does is it's going to compare these hashes and it's going to try to finish cracking them based on the output for the LM hash. Like Cameron said, the LM hash is all uppercase, so the LM hash is going to be all uppercase; that is probably not the way that a user would store their password. So the DPAT tool is going to look at the LM hash, analyze all of the uppercase letters, and then go through lowercasing or whatever on these cracked LM hashes to see if they can get the correct NT hash. After we go through that we are going to then open the report, and it's going to look like this. So again we get great output from this. If we click on the details for the password hash we get this output, and we see the username, the password, the password length and NT hash, and then again if the LM password has been cracked. Now again, look at these things. Some of these passwords that were cracked, I doubt that this one up here, this top one, was really cracked, except if it was in the word list. So if it was in the word list that was used, obviously it would be cracked. I don't think that a password length of 39 would be cracked if it wasn't in the word list. So again, training users on not using common passwords, if they're in a word list, make sure that that's the case. So again you can look through these passwords and check how secure your passwords are in your environment. When we do this for customers on tests, they really like seeing this kind of information. It does give them insight as to what's going on with the users, how they're storing passwords, how they're choosing passwords; it gives the administrators more leverage as to training, maybe creating a stronger password policy. So this is something that everybody can use. We, again,
when we crack passwords and run it through this, this is something that our customers at Black Hills really like to see; they love to see this kind of information. So this is a list of the passwords that were cracked via the LM hash. Again, these are not necessarily weak passwords, but because they were stored as an LM hash they were able to be cracked very easily, and you would want to look through this, again as an administrator, and find out why these are stored as LM hashes. If there is some kind of a tool or a system on your network that requires the LM hash, look to upgrade that so that you can get rid of these LM hashes some way. LM hashes basically shouldn't be there. They're still found in environments; it's really not uncommon for us to see them, but if you can get rid of them it's obviously the best thing you can do. We also have an output of password length statistics. So again, this is only based on the passwords that were cracked. If a password is not cracked there's essentially no way to know exactly how long the password was, but out of the ones that are cracked you can see the details on how long the passwords are. Again this gives you great detail as an administrator so that you can again offer more training and more opportunity to help your employees and co-workers to improve their password policy.
We can look at the password reuse stats. This is great information here. For example, let's say you find a password of Welcome123 that is just all throughout your environment. This could be your IT support people giving out a password to set up a new account or to reset a password, and then the people just never changing their password after that happens. So you can look through common password reuses to find out information, patterns that are going on with users in your network. When we try to crack passwords or guess passwords, the season and year is a very common password, and you'll probably see that all throughout your network, depending on your password policy. So again, look through password reuse stats; it helps with training. Now if you try and get that password history, you might get this output. So what this is saying is, when you ran secretsdump.py you didn't use that flag of -history that I talked about, so you'd need to go back, run secretsdump.py with that flag of -history, and then again try to crack those passwords. If you do that you'll get an output like this. Then you can see here we have the list of the users and their current password and all of the previous passwords, so you might again see some significant patterns that might help you again train users. So as most of you know, when you're required to get a new password you can't use any of the last five passwords that you used, or whatever it is, so users will typically just change one character, maybe a number, maybe the season and the number. So you can look through this and see patterns. For example, Moe, we see that he's using signs of the zodiac, so we might be able
to guess actually what this password is for history 1 we can even probably guess his current password because we know his previous passwords so that's one way that this password history can be used um and for uh hackers we like to see as many passwords as we can because it gives us great information on what is common and what we should guess next so um that's pretty much what we have hopefully that was useful um if you are if you do have any questions or comments we'd love to hear from them you can hit us up on Twitter or whatever and um anyway thank you thank you Carrie Darren and Cameron that was that was awesome that was a
great session so um okay so we're gonna oh there is a couple questions um if you guys want to answer them you you're welcome to we can move so sure right on the Q&A the first one is what's your perspective on bug bounties like hacker one have you ever considered joining um we all to speak for everyone we don't know a lot about the bug Bounty programs other than the basic description what they are I've I've been tempted to look into it but I just haven't had the time but I think it's a cool thing and I have considered joining but I don't think it's going to happen anytime soon because it is going to take
time that I don't have right now okay great um and the next one is do you agree with nist and now Microsoft's current guidelines on passwords for example focus on length and not frequency of rotation changing so Darren they're asking if we agree with the Mist in Microsoft who's focusing more on length and not frequency of rotation so I I think we together we would all all agree that that length is really important I I like to use a sentence like with actual spaces and so it's not like did I did I put a space did I put a capital I just use like actual phrases and they're long and um yeah so we think that's a good
idea okay cool and then the last one says are there any plans to build in Dr D drsr or gathering of passwords like did you ever get caught reading NTS NT ntds.dit yeah um yeah we have been caught on domain controller be before um I'm not sure what the drsr stands for well are you are you here man do you what's the drsr stand for oh DCC yeah we've used that before um I would say it's kind of Hit and Miss which techniques are going to get noticed and which won't um but DC sync is a good option it's where you pretend like you're a domain controller and just have the other domain controllers uh get
you caught up with the current information on the domain it's a cool idea we've used it before um but I can't speak to which is least like likely to get caught okay great thank you guys so much again so uh at this point in time we're going to take a short break for um until 1 pm mountain time and um Chris will be kicking it off at 1M mountain time uh so we will uh we'll get back to it then I just want to take a moment to thank the sponsors really appreciate all that they've done uh to make this event possible and all the speakers and and um Pope and the media team for making this
platform um virtual in a very short amount of time so thank you guys and and we'll see you back here on the zoom at 1
pm
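The LM-to-NT step the speaker describes (crack the all-uppercase LM plaintext, then toggle the case of its letters until the NT hash matches) is shown below as an added example. This is not DPAT's own code and not part of the talk; it is a stand-alone illustration. It assumes Python 3 and implements MD4 in pure Python because hashlib's md4 is frequently disabled on OpenSSL 3 builds. The sample rows are constructed, the usernames are hypothetical, and the hash values used are the RFC 1320 MD4 test vectors and the well-known NT hash of "password".

```python
"""Recover the true-case password behind a cracked (all-uppercase) LM plaintext
by case-toggling it until the NT hash matches. Added example; not DPAT's code.
MD4 is implemented here because hashlib's md4 is often disabled on OpenSSL 3."""
import itertools
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words, 64-byte blocks)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)        # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (boolean function, additive constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[w] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so 'a' is always the target
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le")).hex()


def lm_case_candidates(lm_plaintext: str):
    """Yield every upper/lower-case variant of an LM-cracked plaintext.
    LM uppercases before hashing, so only letters are ambiguous; digits and
    symbols have exactly one form."""
    choices = [(ch.upper(), ch.lower()) if ch.isalpha() else (ch,) for ch in lm_plaintext]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def recover_nt_plaintext(lm_plaintext: str, nt_hex: str):
    """Return the case variant whose NT hash equals nt_hex, or None.
    Worst case is 2**letters candidates, at most 2**14 for a 14-char LM password."""
    target = nt_hex.lower()
    for candidate in lm_case_candidates(lm_plaintext):
        if nt_hash(candidate) == target:
            return candidate
    return None


def finish_cracking(rows):
    """rows: (username, lm_plaintext_or_None, nt_hex), i.e. cracked LM output
    joined with each account's NT hash. Returns {username: nt_plaintext}."""
    recovered = {}
    for user, lm_plain, nt_hex in rows:
        if lm_plain is None:
            continue   # LM not cracked or not present: nothing to case-toggle
        found = recover_nt_plaintext(lm_plain, nt_hex)
        if found is not None:
            recovered[user] = found
    return recovered


if __name__ == "__main__":
    # Constructed sample rows with hypothetical users. 8846f7... is the
    # well-known NT hash of "password". carol's NT hash is deliberately
    # unrelated, so the case search exhausts all 256 variants and fails.
    sample = [
        ("alice", "PASSWORD", "8846f7eaee8fb117ad06bdd830b7586c"),
        ("bob", None, "31d6cfe0d16ae931b73c59d7e0c089c0"),
        ("carol", "PASSWORD", "00" * 16),
    ]
    for user, plain in finish_cracking(sample).items():
        print(f"{user}: {plain}")
```

The search space is bounded by the LM format itself: LM only covers the first 14 characters and uppercases them, so even the worst case is 2^14 NT hashes per account, which is why finishing an LM crack this way is cheap compared with cracking the NT hash directly.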
Can everyone see me? Fantastic. All right, well, I will wait till the time comes and we'll get started.
All right, welcome everyone. My name is Chris Hansen, and this talk is "From Mattress Salesman to InfoSec Soldier." If you didn't read anything online about what this is going to be about, it's going to be on ways that people can transition into this industry. A lot of us didn't really start in infosec; a lot of us started in one thing and then transitioned into it. I'm going to get into that a little bit, why that works, and explain why that honestly is one of the best reasons that we want people to do that. But first, a little bit about me.

My name's Chris Hansen, not that Chris Hansen, unfortunately. Everyone likes to comment on that, of course. I'm a Twitter fanatic; my handle is Senpai99, so feel free to follow me. If you have questions, comments, concerns, jokes, hit me up whenever. I'm happy to talk, and we can help you guys out, figure things out, get you started on your career and moving forward with a lot of this stuff. That being said, if you do end up following me, you'll find out very quickly that I am an avid hockey watcher, and you're just going to have to deal with it. So let's move forward.

What's this all about? Why is this talk important? Why is it even relevant to the field of infosec compared to some of these other talks that are highly technical, a lot more focused, a lot more what you'd think the industry would need? Really, it's about you. Something that is super big in the industry right now is that we're lacking a lot of people compared to other industries. The infosec community just doesn't have the manpower right now; we're lacking, we're struggling, and you can feel it in the industry. It is a rapidly growing industry and needs all the help it can get. But above all this, it's really just what makes you happy. If you're not into this, if you don't want to follow this, don't feel like you have to; there's no point. Most of the people that succeed really well in cybersecurity have passion for it, they have a drive for it. The ones who just show up nine to five, try to get a paycheck and don't really do anything else, they don't tend to last as long in the industry, unfortunately. So if you have the passion, if you have the drive, if you really want to move forward, this is a perfect talk for you. But really it applies to anyone who's looking for a change.

If you feel like you're stuck, you're a sysadmin that's been somewhere for 10 years, 15 years, maybe even a year and a half, and you feel like you're not progressing, you're not doing anything, maybe it's a good time for a change, something new, something fresh. It's really for anyone who loves a challenge. A lot of people who transition into this come from an engineering background or an engineer mindset, so if you like solving puzzles, solving problems, reverse engineering things, creating new and unique ideas, if you really like to innovate, this is the perfect field for you. There's so much that needs to be done, so many innovators are needed; this is a perfect place to get started. People who love safety and security: if you love having security and safety in your life, this is the perfect place for you. But really it applies to everyone, because we all need security in our fields.

So basically my story goes like this. I moved to a new city and I was looking for a job that made tons of money. I was a poor college student getting fed up with eating ramen every day, and I realized that I needed something that was exciting for me, something that would work in my use case, so I could afford all the fun little things that I wanted to do, fun little hobbies. Some of the things the mattress place was looking for (I'm not going to say their name, but you could look them up under mattress company conspiracies and you might just be able to find them; they were recently in the news) were social skills: someone that could talk to people, work with people, understand and work on needs. When a customer comes in, you need to be able to help them with whatever happens. They wanted people with managerial skills. You frequently had people who would come to work and, I mean, it's a mattress store, what do you want to do, sleep all day? People just don't want to work, they don't want to do anything. So, someone who could motivate those people and get them up and running and doing things instead of just sitting around lazily.

What I ended up with was a whole lot of time on my hands. I worked 60 to 70 hour weeks. I was working from 10 o'clock in the morning till 8 o'clock at night; I'd get off work, go do my own thing, wake up and start all over. It was a rough schedule. If you've never done the 10 to 8 schedule, that's a rough schedule for me. So I had a whole lot of time on my hands, 10 hours while I'm at work, and like a lot of people, when I'm sitting at work I like to have an audiobook or a podcast, something that is always kind of helping me out. So I'd listen to a lot of podcasts and get some ideas, listen to YouTube videos or conference talks, and that goes down the path of what to do when you're transitioning. But that kind of filters into why I transitioned as well.

Cash out big time: I made a lot of money doing mattress sales. I know that sounds dumb, because you'd think it's like a used car salesperson, they don't make a lot of money, but you do make a lot of money doing mattress sales. The work hours were horrible, you worked every holiday, you had no weekends off, but you made good money, so that kind of counteracts it, kind of balances it. But after a long time I had the sobering realization that I don't want to do this the rest of my life. Sales is terrible, sales is life-sucking. If it's for you, if you love it, if you're great at it, awesome, good for you, but it was not for me. What I came to the conclusion of is that I love specs, I love information and data sets. When you're talking mattresses with people, you've got firm, medium, soft, you've heard all that stuff, but when it gets down to the nitty-gritty you get multiple different kinds of foams, cooling foams, hard foams, soft foams, coil density, coil wrapping, triple-braided coils, all these fun little things, and over time it adds up and you've got this whole useless data set that you can't talk about at the dinner table with friends because they're sitting there looking at you like you're insane. So I really enjoyed data, I enjoyed specs, things like that, and I was like, well, where can I use this? I found that I really wanted to change and move forward.

There's a great quote I love: we generally change ourselves for one of two reasons, inspiration or desperation. I think my change was a little bit of both, and I think most of yours will be as well, or if you have gone through this it was pretty much one of these two. You're trying to find something, trying to feel better, trying to transition into this industry, and what happens is you find inspiration here, and I think that's kind of a beautiful thing.

Why does all this matter? Why does my story matter at all to anyone? Most of you probably were not mattress salespeople, and that's fine. Whatever walk of life you come from, it doesn't matter; we need you here in this industry. I've talked to past nurses, people who coded video games, pilots, aviation technicians, salespeople, mattress salespeople of course, a bunch of different walks of life, and what it comes down to is that all these different people bring skill sets that you normally wouldn't understand. For me, when I was doing sales, I started understanding what the company would have to do for inventory management and things like that. Now on the security side I know how to defend against some of those things because my brain knows what the end user would use. Medical is the same thing: if you know what a nurse is going to do on a day-to-day basis, you can adjust your security strategies to help pivot and protect against those things. It eventually broadens our scope of what we cover in the industry and helps us diversify who can talk to whom and make sense of all of it. So it's definitely a good thing to be able to transition.

My big takeaways that I want you to understand are: don't settle if you feel like you're stuck, no matter where you are. Even if you're a network architect for some awesome company, if you feel like you're stagnant, if things aren't going anywhere, if you feel like they're not invested in you, find the people that will be. There's always a company out there that will treat you right, take care of you and train you. You need to be constantly moving forward; this is not a stagnant field. Sales is a very stagnant field. People will be like, oh, sales is super innovative; it's been the same forever, there's a couple of steps, you just follow the cycle. But technology isn't; it's always changing. In the past 10 years we've seen so many drastic changes; in my lifetime I've seen so many drastic changes. I mean, Palm Pilots, those don't exist anymore, but they kind of do with smartphones. Just things like that, innovation in different ways. Always seek answers. If you're the kind of person that is always striving to know everything, if you have that inquisitive mindset, this is a perfect place for you. I just want you all to realize that if you're stuck, if you feel like you can't do this, the change starts with you, and there's plenty of people in the infosec community to help you out. I'll get into that in a little bit with resources.

So this is my biggest area of the talk, because I dedicated a lot of time and energy to resources. As I said, I worked at this company 60 to 70 hour weeks, and I had weeks where not even a single person would come into my store other than myself. My co-workers would take the week off and I literally sat around for 60 hours cleaning and sanitizing and doing inventory, and I didn't see anyone for 60 to 70 hours. So for me these resources were one of the biggest things that helped me.

Conference talks, just like BSides. This is the second year I've talked at BSides and I'm a huge advocate for it; they do some really cool stuff. Definitely check out their past conference talks, because they're still good, they're still relevant. DEF CON has some phenomenal talks, and I'll be honest, when I first started listening to DEF CON talks I had no idea what I was listening to. I was just listening because I was like, you know what, eventually I want to be able to understand these concepts, these ideologies, and apply them somehow in my life, in the infosec community, and we're getting there. Black Hat, same thing, and I'll talk a little bit about Black Hat as well. SAINTCON has some really good stuff; they always have, definitely check them out. Open West, right, got to do a plug for Open West. I'm on the board for Open West. We're not doing it this year, unfortunately, but next year we're going to be back and better than ever and we're going to be revamping everything, so definitely support your open source community, help everyone out, make sure you show up to the conferences and follow what they've got.

YouTube has so much going on. All of these conference talks that I talked about are on YouTube. So if you're feeling like maybe those are a little bit heavy, you don't understand what some of those are talking about, like I said with DEF CON, I didn't understand like 99% of what I was listening to, but I thought it was cool. I was like, you know what, I'm just going to listen to YouTube, and so I started listening to certain people. DC CyberSec is one that's really good. The Cyber Mentor, he's fantastic if you want to learn pen testing, penetration testing, offensive security, hacking; he's got a lot of stuff. DC CyberSec is more on the defensive side, but he does a little bit of both. And Seytonic is fantastic, definitely recommend him as well. They all do news as well, so if you want quick updates on what's happening in the world of hacking and malware and ransomware, all that fun stuff, it's all there. There's podcasts: Darknet Diaries, social engineering, a bunch of fun ones.

And networking: talk to me, I'm happy to network you with people, I'm happy to get you connected to the right people if I know them. Big things that I would recommend: 801 Labs. Not a lot of people go, but everyone knows about it, so definitely go to 801 Labs, spend that time and energy going. Every Tuesday we do hardware night or Linux night; it rotates every week. Thursdays we always have something going on; if you can't make it to one, you should just try for Thursday nights, that definitely has the most going on. 801 Labs is great. Some of the colleges have some courses that you can take, but they've got clubs as well, definitely show up to those, they will help you out a lot. Really, what it comes down to is there are a lot of people in this industry and we're willing to help, we're willing to show you what we know, and we've all been there before. None of us started out as brilliant geniuses in this industry; we had to learn somewhere, we had to start somewhere. So those are some of the big
things that I just wanted to convey um and QA I know a lot of you guys are going to ask questions so I kind of want to get to that so feel free for um you know answering all of this stuff because that's really you know I want to get around to answering what you guys have and feel free to send me stuff on Twitter um you can send me DMS I'm happy to answer anything I want to answer all your questions so start start filling these up let's go over some of them um I've been in it for 22 years and have been interested in cyber security it seems more like employers are only
interested in hiring candidates with college degrees top level Surs like cisb G G and there are a lot of associated experience what would you recommend for obtaining lowcost credibility while still keeping your day jw it's a great question um this is what I had to go through when I was with mattress for Mattress Company um one of the things I'd recommend um study up uh follow some you know do if you don't have your Security Plus if you don't have your um pent Test Plus um some of the other ones that are coming out security blue team has aert coming out right now that I think is really fantastic I would definitely recommend them they have a
whole beginner howto from uh incident response threat hunting ENT it covers the whole range of things um it's more of a purple team concept but definitely recommend that um it's about 60 pounds so that's six modules definitely worth it though um some of the other ones if you can get into Sands if you can convince your employer to do Sands definitely do Sands there's a lot there that you can learn from that um I mean it it's one of those things where you can just try and do as many Sears as available but likely you'll end up doing what I had to do and take a pay cut to get some experience at first and then
over the course of a year or two years you'll work back up to where you're making if not around the same more money so it it's worth the risk in in taking that leap of faith and knowing that the the company will eventually take care of you um and I definitely would go for that um I've noticed that in security industry there are very entrylevel positions or senior positions where they want you yeah they do um I haven't found any midlevel positions yet um if you have a lot of experience it security emphasis Master Security Plus making a lot of money already it's hard to take a pay cut and move into security how do
you overcome this if I want to move into implic yeah I mean honestly like I said taking that pay cut unfortunately is one of the things that you might just have to do uh it's kind of sad but it is it's almost a necessary evil uh most security companies have a lot that they need to teach you that are outside of the realm of what you're normally used to and so taking that pay cut of you know however much um is worth it in the long run because once you learn those skills they outweigh drastically and you will move up back into again that same money or more money relatively quickly um you're right though there aren't a lot
of mid entry or mid-level positions and that's kind of because that's where most of the people are in the industry um we're kind of seeing like we have some really good people who are experienced and have been there forever and then we've got a lot of people who are kind of just in the middle they know a lot of stuff but not everything it's just this weird transition time and that's why it's a good time to get you know started with an entry level um but definitely definitely go that route um I I think you'll be I think you'll be more prepared if you take the the pay cut and just eventually build back up and I know
that's not the answer people want to hear but it it's the truth um I got two and also malicious Life podcast yes hands down fantastic dark neck Diaries yep fantastic um so yeah I you know taking the pay cut kind of sucks but it'll definitely work out for you um how can I be contacted just Twitter 801 lab some meetings I'm on a lot of things um I'm in the 801 slack I'm in IRC I'm in you know Discord I you know I'm Twitter is really the best way to get a hold of me um I'm happy to you know put my number out there for people who want to contact me if they hit me up on Twitter um but
if you're not on Twitter anyways you should be there's a huge security um a huge security scene on Twitter and not a lot of people like it but honestly that it's a good place for networking whether you like their opinions or not um it it's a good place to be around people who are extremely influential who do amazing work um and do amazing things you know and some of them don't like CS some of them do some don't like educa you know it's whatever everyone has opinions on everything of course but what it comes down to is you'll at least be able to network a little bit better from both of those um so yeah
um let me I'm G to type the answer there
yeah and that's that's my big one any other questions if not I can kind of cover some other things that I think would be mildly important but I think the big thing for a lot of people is even if you're in this industry and you're trying to transition like that person said trying to transition into a mid uh level position you can find something here that will help you you know if you if you practice a little bit of pen testing maybe that'll help you move into a mid-range position if you practice more blue teaming if you know whatever you're not skilled or versed in definitely focus on it um I'm not a huge Linux
person as all of my friends know I am getting better in it I've been focusing on I'm in it every day at work now but it's one of those things where I definitely struggled and I'm trying to get better at it and I dedicate time to practicing Linux when I'm at home you know some of the sacrifices that you're going to have to take are just got to do some of this stuff at home unfortunately uh if you're not willing to do that you might want to you know re-evaluate the industry again as well um a lot of us do extracurriculars outside of our regular jobs you know we volunteer at conferences I go to black
hat every year I go to Defcon every year um you know sa con Open West bsides um I go to a lot of conferences I volunteer as much as I can I try to get out there um and that definitely would help you uh good question what programming languages would you recommend to Learn Python is fantastic um so I've been learning python um at this job and it has been extremely extremely beneficial um JavaScript is good um I think python uh
SQL um a lot of people use Curl as well um those are kind of the ones that I would recommend for starting um I definitely think Python's The the number one though right now if if you have no experience it's a great starting point it's got a lot of resources out there it's got a lot of people who are using it every day um and it's it's really not too bad um yeah any other questions
just grab a Mountain de real
quick all right well if you have any other questions uh hit me up on Twitter at Senpai 99 or Senpai 99 uh I can connect you on any of my other things um oh let's we got two more if you're already working in it and also see if you're employer will let you cross train and take some security related responsibilities and learn it might not access quickly absolutely yeah if you're already in the industry talk to your employer about cross training um and explain to them number one if they're not cross trainining they should be anyways everyone in the industry should have a security mindset you know if help desk isn't learning about security best security practices that's
a whole you know problem that needs to be addressed as well but definitely CR train see if your employer will work with you on it and explain the the benefits to it because yeah that could definitely help you move up um so yeah fantastic Point thank you for that um but yeah if you you have questions hit me up um I'm happy to answer anything uh if you want different ways of contacting me um you know I I will be posting a lot of this stuff on my Facebook and other things um yes good question do you if 801 Labs is going virtual for future meetings we are we actually had a hangout on Thursday um
so um their their Twitter um go check it out because they posted a Discord Channel where we're all meeting uh we might even have an after party tonight for after bsides where we just kind of hang out and talk and you know I can answer questions it's a great place for hanging out um and it's a good good little you know uh environment but yeah we might I think we're going to be doing virtual meetings up until around the 15th is when we're gon to um re-evaluate if we're gonna um start meeting again or we're going to keep doing virtual for a little bit longer so yeah join us there I'll be on there tonight so if you have
questions you know if you want to talk in Discord instead of uh messaging me on uh Twitter or whatever um I'm I'm available I'm happy to answer questions um but yeah thanks for coming I appreciate it they are on IRC so feel free to join that it's uh the 801 uh it's DC 801 uh they are on there 247 I'm sure they're on there right now um we are available by any means so um with that I will pass over the time thank you very much thanks Chris that was awesome so it's really good intro and you know how how to get more involved in the community which you know I think all of us could
could could do a bit more there so so uh up next we got uh show me the money uh getting business buy in for you know cyber security purposes uh soita you're here I'm gonna turn it over to you now so all right yeah I always have to figure out how to present these things I never do this anymore hi I'm carot uh is my video even on boy I'm very unprepared you're you're on and it sounds good and on your top right there's a share and just to the left of its present no not share the present one present present there we go all right show me the money getting business buying to secure your
organization um I uh want to take a moment to say oh who I am I'm her lot of sage I've worked in a lot of very large companies Netgear Netflix Facebook and most recently several years ago firey I took a six-week contract at firey in 2013 when there were 300 people and four and a half years later I was like wow that was a wild ride the company is great but I really love the industry so big shout out to my Draper Utah guys at fire ey um I miss you but uh I'm happy to be here with you today uh you can reach me on Twitter and Linkedin um and I wanted to thank Chris I think the the
talk that he gave is really important, and I do want to touch real quick on a question that somebody had asked, because if you're later in your career, taking the pay cut is brutal, and I agree. There was a point at FireEye where I had to decide if I wanted to move to the intel team and take a 35% pay cut or if I wanted to move out of the company. I ended up moving out of the company; I still took a pay cut because I started my own company, but I don't regret it at all. So I know it's hard to take that pay cut, but
your other option is to find a role that is, if you're for example a program manager or an ops manager at a large company, that makes you very qualified to be a CIO at a small company. So that may be another route that you want to look at: taking that CIO role, growing the security team, and becoming a CISO that way. I have actually become a virtual CISO doing that. Originally when I started my company I was consulting into security groups and security startups doing what's called knowledge strategy, and that's basically where tech process, business process and people meet; that's kind of my special squishy area. So that's what
this talk is going to be about. If you are in a small org, I hope to give you some really good info for growing security in your organization. If you are in a larger org or at a vendor, the worksheets that I give you at the end should still help you facilitate conversations, which is really very helpful. So a quick moment to say thank you: thank you BSides Salt Lake City, I'm glad to be here, and thank you to all of the sponsors, and for turning it around and making it a virtual conference so quickly; very impressed. So thank you to the con org team as well. But to give you context around this
whole thing that I'm talking about: we in security, and having worked for a vendor I know this is true, mostly hear from vendors and those really big organizations that they're selling to. So I want to give you the context. That black line, that's who we're hearing from, and we need to hear from them because they have a greater need, they have more money, they can drive innovation, they can drive conversations. But the majority of us live in this green area. In the United States alone, 99.7% of businesses are less than 500 employees. The orgs that I've been working with have usually been less than 100 employees, and
some of those companies need more security than others. Some of those companies can just get Google mail or O365 and that's going to cover the majority of their needs, right? But there's a lot of businesses in there that need more, and we need to be having more conversations around that. So if you are in that smaller space and you're having trouble, you're the IT person and you're having trouble really getting people to buy into security, what I really need you to understand is that this is not about you and it's not about the technology, because you are the security expert in that smaller org, and it's a little bit like black
magic for those folks that you're trying to get on board with security concepts. They're like, okay, you're kind of like Chicken Little running around saying the sky is falling down, and the fear is putting them off, the pressure, some of that negativity is putting them off. So what I need you to understand is that the data you're securing is not just about the technology that you are driving or using. Every business process, every person in your org has their fingers in that data in some way, and you have to think systematically, right? You have to think
of the whole big picture. So with that, you need to start practicing your social engineering. If you know more about Mandiant's APT29, and you're in a small org, than you know about your executives and your internal customers, I'm going to ask you to assess your priorities. Either you need to really start looking for a vendor to work for, or a very large organization to work for, or you need to commit to being that security architect, that security generalist, that eventual CISO, and you need to really start working on your soft skills. I know that is never anything anyone in tech wants to hear, but it makes your role and getting security buy-in so much easier.
So all of those OSINT things that you hear about and that you see conferences on, all of those things can be applied internally, right? You have to meet your internal audience where they are. Your executives: in their personal life they've got the home, the spouse, the pets, the hobbies, maybe they have a yacht, right? And they care about that. And in the business life they care about risk and operational costs, and there are other things that they care about, but you need to figure out what those are. Risk is anything that puts pressure on a business, right? Right now, coronavirus: this has F all to do with technology, it has
nothing to do with business, but the impact that we're feeling from it, that was a huge risk. And I personally know CISOs who, in their business continuity plans, have plans for pandemics, they have plans for zombie apocalypse: what do we do if people physically cannot get into work, what do we do if there is civil unrest in one of our global centers? When I worked, I believe, at Netgear, there was a major unrest in Egypt, and literally we opened the call center for that crew to come in and shelter in place there because it was so dicey where they were. You have to consider
all of those pieces; you can't just look at the technology. And this is where, if this is the route that you want to go, and Chris previously also talked about it, some people care about certs, some people don't. If you're looking at this more general security architect or eventual CISO role, the CISSP actually is very good because it gives you really good insight into business continuity, disaster recovery, that kind of thing. If you are 100% technical and you want to be a CISO one day, you really need to start looking at that, and even if you don't get the cert, the pieces that they cover on the
business side are going to be critical for you to understand and be successful. But mostly those soft skills that nobody ever wants to talk about. If you're putting soft skills off as an "oh, I can have somebody else do that", frankly, you're doing it wrong, because getting people invested in your success as an IT or security person is going to be critical for making your job a lot easier, especially in a smaller org. So for those internal customers: they're looking to optimize their work. They want to put as little, and all of us do this, right, we want to put as little effort in
and get the most out that we can, and that means that any friction that we introduce to their business process or to their work life becomes an obstacle. This is where really understanding the business process becomes important. Sit down with your internal customers, or virtually at this point, right, and say: walk me through your typical day, show me the systems that you use. And then really think about what you are asking them to do from a security perspective; think about how that impacts them, because they are not security experts, they will probably never be security experts. There will probably be one or two people who really love what you do and
are really curious, and you become their inspiration. But the majority of them are very happy doing what they're doing, I hope, and they're just not going to ever be that bought in. You have to make it personal in a lot of ways. You have to make sure that they feel like they're heard, and even if they're heard and you still have to do it this way anyhow, here's why: that at least gives them context, they feel like they've had a say. One of those pieces that I love to do is: okay, I know multi-factor and VPN is a real pain in your butt, but it's really
important, here's why, here are the statistics on this, and I know it doesn't matter to you personally, but it makes our company and our customers a lot more secure. On that side, recognition works better than shaming. On a Friday, hit your Slack channel and say, hey, thanks to these three people this week that made my life a little bit easier, right? That gets you visibility, people understand that you're really trying to connect to them, and they respond better to that. And then success: how do you become a part of their success, how do they become a part of yours? It's a psychology thing, it's a social engineering thing, it's a piece that you
really need to start looking at; it just smooths a lot of things over. But going back to those risks and those operational costs: what the business knows is coming and what they can plan for is a very different thing. You as a security person have a much bigger picture of what's going on in the landscape, and you have to distill that in a way that you can warn your exec board or your exec team what's coming down the pipe or what's being seen, and it's got to be sound-bite-like. Twitter is great, because if you learn to write a concept in two or three tweets, that is fantastic for
learning to deal with executives, because they don't have a lot of time to dive into details. You need to have those details prepared if they ask for it, but at the same time, what they really want is that bottom line: how does this impact us, what are you talking about, why is this important? You need to figure out where your leadership is and how you can make what you need them to agree to the easiest and simplest and least fearful thing. Operating on fear doesn't work. It does sometimes, but it doesn't always, because after a while you really do sound like Chicken Little. Those are the two big pieces, I think, on your exec
team and your internal customers. When you talk about security, people are going to say, but we use Google, we use Microsoft, we use Azure, we use AWS, and they're secure, so that means we're secure. And the simplest way I have found to tell people, no, you're thinking of this wrong, is to say: yes, they are secure, and they're a part of our tool set, but our security is about securing our relationship with the customer. We don't want Google, we don't want AWS, we don't want Microsoft to own our customer relationship, because they'll put us out of business. And when you say it like that, your execs
suddenly understand; now they're thinking about technology as a tool in their set rather than as a solution for security itself. So if you have any questions, if you are running into very common pushback, people don't want VPN, people don't want multi-factor authentication, feel free to toss that in the questions and we'll address it and get some verbiage for you for that. But really, when it comes down to it, it is about the money, and money for business execs talks. If you're in a very small org, your margins tend to be very thin, so I'm going to share and walk you through two worksheets that will help you frame those conversations. I'm going to preface
this by saying, when you're putting together worksheets and talking about numbers, there are people who are going to push back on that. They're going to say, oh, these numbers aren't real, blah blah blah. That's fine. If they disagree with it, give them the worksheet and tell them: you tell me which numbers are correct. Really it's about starting that conversation and getting that moving. So I'm going to walk you through two things, and I'm going to toss these links into the chat. So in the Zoom chat I have a couple of links. One of them should be, oops, my Zoom is all out of,
okay, one of them should be a simple knowledge strategy ROI. What this does, and I've done this two ways in here: one of the things that your operations team is concerned about is what they're paying people and what they're getting for that money. Any time that you can say we can make people more efficient and free them up, especially if people are really fighting for headcount, if we buy this service or do this project, here is how we make people more efficient and therefore actually save the company money, we get that investment back. So you can say anything from, if your IT group is having to provision a lot of laptops
because you keep getting owned, and here's how much the software to solve that is going to cost us, and here's how much we're spending in terms of labor. This gives you a chance to actually start that conversation in a place where your operations team actually will listen, because now you're actually talking about money. When it comes to larger organizations, especially support or IT groups where you have a tiered level of here's what we pay level one, here's what we pay level two, here's what we pay level three people, you can get more complicated with this tier efficiency piece, and again how these pieces affect your team as a whole; they're really great. You can
also do this if you're in a support or an IT help desk role; you can do that ROI by case deflection, which I have found to be very effective. The bigger your group is, the better that scales, and it just helps make sure that people understand there is a price to productivity here, and we can quantify that, and we can quantify that in ways that are meaningful to you. That way can either be by case or by actual hourly labor. And the other piece that I've put together, oops, sorry Jason, thank you, I'm going to put those links in again; apparently I was only sending them to the panelists. So the other piece
I've put together, and this is a piece that takes a little bit longer to go through, is a risk and recovery estimate, and this I've divided up into four separate sections. The first one is infrastructure. If all you're doing is securing an infrastructure, here is how you estimate productivity loss, incident response and recovery. Recovery costs are going to include anything that is not already planned in your operational budget, so if you have to go out and hire Mandiant to come in and do an incident response that wasn't planned, it goes into your recovery cost. So if you've ever wondered where those numbers have come from, where people are
like, well, we think this incident has cost this company this much, they're probably working off of something very similar to this. I know Adrian Sanabria has put out a simple incident calculator, which I've linked to in the Helpful Sources tab on this sheet as well. And I tried to go through and actually give context, and that's really important when you're talking to your teams, giving context of why we're setting this up. All of this is just example numbers; actually, they're example numbers from one of the clients in a VC, so they're real numbers, but they're replaceable. Anything in green you can plug in, and
your yellow and red numbers will calculate. So in terms of securing your infrastructure, this can give them, okay, I'm not too worried about losing $3,000 in productivity, I'm not too worried about losing $3,000 on an incident response; this is probably somebody who has clicked a phish link. But when you start looking at recovery costs, then those can really add up. I know that one of my clients actually had to completely migrate out of a platform in probably about two weeks because they had a website defacement, and that cost them not just the loss of credibility; there's a lot of intangibles that I talk about in
the context here, right? Productivity loss being kind of intangible, but when we get to service delivery and application, you start getting a lot more credibility, brand, reputation hits that you can't quantify as easily. You can quantify them if you're losing money; that's a lot easier to quantify, but until you actually lose that money, it's a best guess, right? So that's for securing your infrastructure. Your service delivery, and again these are actual numbers, or very similar rounded numbers, from an unnamed client, where this is how much they lose per day if they have a denial of service or some sort of interruption to their
service. And again, this is just the money that we're losing in terms of the service we should be delivering. If they have a service level agreement that says after three hours you start paying us, then you have to add that money in, right? That becomes extra cost to the business. And again, your support impact cases; I'm actually going to change this to say help desk, well, I'm not going to do it right now, but it's basically your help desk and your support impact. For example, if your support team usually gets 500 tickets in a month and suddenly they get 500 tickets in a week, then
you can actually put a number to the impact of that incident. It's really great when you can do that, because it makes your board pay attention. And again those incident response costs. In terms of brand loss, there's all kinds of studies out there. Of course there have been huge retail shops hit, Target, Home Depot, all of those kinds of things; they're big enough that they've recovered, because they can spend that money on marketing to keep that brand going. So you're going to see a big dip for them and their value, but they're going to be able to turn that around because they've got the money to
do that. Smaller shops, probably not as easily. I think there was a recent example in my helpful resources that I've linked to, of a smaller company of less than 300 people that ransomware took out; they just couldn't recover. They did not have good business continuity, they did not have good disaster recovery. Getting the basics of it correct gets you a lot in security, it really does, I can't stress that enough. If you can get the basics down, make sure your backups are working, make sure your business continuity is actually comprehensive and understandable, right? That becomes very important. And on application risk estimates, I'm still trying to come up
with context for that, but it's a little more straightforward, because you need to confirm the vulnerability that someone has reported to you, you have to develop or redevelop around it, and then you have to test it, so those costs can be a little easier. Again, for a very big company; there are small shops that are developing, but a lot of this is really geared more towards a larger company with a very large, very complex system. You can still use it for a smaller shop, it's just your impact's going to be smaller, but at the same time you at least know what that impact is. I've started
keeping a running log of malware ransom demand estimates and business email compromise estimates, and I give my sources on who they are, and I try to give a lot of context. Again, you should be able to hand this sheet to a finance person and they can read through the context, and then they can come back to you and say this makes sense, this doesn't, and at least, again, facilitate that conversation, trying to meet your team where they are and make security accessible and less black magic to them. If you really want to get your finance person on board, you can tell them that SOC 2 compliance, one of the industry standards,
was developed by the American Association of CPAs; it's the finance guys that were driving that security standard. So ideally, if you're having a lot of trouble, talk to your head finance person and say, how do I make this meaningful to you and your team? And if you bring this worksheet to them, you're going to at least have a conversation, and hopefully that conversation will be productive for you. Some of that may be, you know, it's a lot cheaper to send a couple of our people to conferences, and maybe an extra training, or pay for an expert to help us out, than paying ransomware. And of course we never recommend paying the ransomware, because less than half the time it
actually works. Also, what I like about SecureWorld and the FBI is they've started putting together those pieces of: sure, this is what they're asking for, and whether or not that works, you're still having to pay for recovery, because once they've compromised your system, now you have to bring somebody in, figure it out, undo the damage, lock it down. So there are costs associated. Oh, that $5,000 may not look like it's very big, but there's a much bigger cost behind it, and part of this is just to make people aware of that. So with that, my last tab here is actually helpful resources. These are places where you can get shared decryption keys from
the No More Ransom project. There's FBI field offices: if you are hit by malware, even if you pay it and it goes away, that's great, you'd be very lucky if that's true, I still encourage you to report that to the FBI, because it makes their numbers more meaningful. They're the best thing we have right now for looking at the country as a whole in terms of security and the impact on American businesses. So their Internet Crime Complaint Center could use some updating, but I think Adrian Sanabria, again, big shout out, thank you, has begun keeping a spreadsheet of businesses that have reported themselves closed as a consequence of a breach. So those are great.
There's other cost calculators out there. I really like this sample data breach cost calculator because it actually asks you a series of questions. I don't have insight into the assumptions they're making or how accurate their calculation is, but just kind of looking at what the FBI puts out versus what they're calculating, it seems to be pretty reasonable; I don't see it as being really out of scale. And then an incident cost calculator, again from Adrian Sanabria; that's looking at the incident rather than the impact across an organization. And then in terms of how do I get started
with security tools when I can't buy anything: great, there are some fantastic resources out there. Security Onion is a big one. I did not realize that that was created by some of the ex-Mandiant folks that I used to work with. I ran into them at BSides Augusta last year and got to say hi to them, and I had worked with them primarily virtually, so it was really nice to get to meet them and realize they were behind this really fantastic open source software. Mandiant had a very big ethos around sharing their tools, and FireEye has fortunately kept some of those tools. If you go to
FireEye's website, you can find, and I'll update the links in here, you can find Redline and some analyst tools, triage tools, mapping tools; there's some really great ones there. I know the NSA has some fantastic open source tools as well. If you know of a vendor, or you work with a vendor, or you are a vendor who does some open source tools for folks, I would love to hear from you; I'd love to add you to the list. I know the Security Onion folks have a conference every year; I've put their 2019 conference videos in. Watch them if you're in a small shop; this is a really fantastic way to get started on network monitoring.
So that's what I have right now. Let me switch to Q&A. Kingbird has asked: it seems like small businesses lately are really caught in an unfair situation; most don't have the funds for the more expensive effective solutions, nor the funds to cover an incident like breaches and ransomware attacks. What low-cost options exist? That's a really great question, Kingbird. I hope the Security Onion piece has given you a start. There are a lot more out there. I personally have the most experience with Security Onion and with the Mandiant/FireEye Redline product. I know that one really fantastic security guy, Paul
Melson at Target, has put out a scraper for Pastebin that had some really interesting information; he just puts it out there on Twitter, it's free. There's a lot of free content on Twitter, there's a lot of open source software out there. I think Security Onion so far, to me, has been the most comprehensive, and part of the ethos that that team went into it with was exactly this: we're protecting the wrong people. The big guys can afford that protection, and the small businesses are really struggling with that. I think we're going to see a shift in the market as well,
because there's a thousand Fortune 1000 companies; there's 5.6 million small businesses. Now even if only 10% of that 5.6 million can afford anything, that's still a much bigger market than your Fortune 500. So I would like to see, and I believe I'm already starting to see, that shift towards addressing the down market, the mid-market, and eventually the smaller market. I think Google's tools, for example, have done a really good job; you don't even think about it anymore. If you've got a friend who's an artist or starting a website or something, it's like, hey, for six bucks a month you can have a Google
business account that gives you email and Drive and all these other things. So does that answer your question,
Kingbird? Okay, any other questions? I know we're right up on the line. Great, thanks, Camper, that was a really great question. And again, I encourage you, hit me up on Twitter if you find a tool, if you have an open source tool that you're using in a smaller org; I would love to hear about it and hear about your experience, walk me through it. I'm not going to put every link on this page; I'm going to put links that I have laid eyes on or laid hands on, and we'll go from there. So thanks, guys and gals, thanks folks.

Thank you, that was awesome, super useful information. Okay, great, so yeah, I
think that's something we could all take back to our companies come Monday. So up next is Dale Rowe; he's going to be talking about how can I get started in cyber security. So if you're ready, Dale, whenever you're ready, just feel free to take it over.

All right, thanks Bryce. Can you hear me? Sounds great. Okay, let me get the screen share
going; it's going to bug the call, hang on, I will be right back.

Dale, are you doing okay?

Okay, can you hear me now? Yes, you're good. Sorry, my Mac had a bit of a heart attack when I asked it to share the screen. Let me quickly
Zoom. Okay, and you should now be able to see my screen, correct? Yep, cool. Thank you, sorry about that. Okay, so I did a little title amendment. In this I'm going to be sharing a resource list at the end of the talk which hopefully will be quite useful. It's one of the questions I've been asked the most by people starting out in cyber security: where do I start, how do I begin, or how do I take what I know so far and kind of turn it into something? It might be people in industry who have been in IT support, systems administration. Chris and Charlotte did a
great job just now of talking about coming from different fields and some of the ways to communicate in cyber security effectively with different groups, so it's been a great lead-in for this. I'll start off with a little background on me. I started breaking things when I was a few years old. I was about 14 when I became a systems administrator for a local startup and took that from two employees up to about 40 employees in the space of five, six years, and I've just been dabbling since then. I had a weird urge in my early 20s to do a PhD, and that almost sucked
10 years of my life out. I ended up spending about a year on it while going and working elsewhere, and then eventually came back and finished that off several years later. It led into a 10-year stint at BYU as a professor in cyber security, where I created the cyber security program and several of the courses that are currently running there, and late last year I decided to move back into industry. I'd done some consulting while at BYU and thought it was the time to make the move back, and have been loving that since then. So I really enjoy the opportunity to mentor new people and new
talent in cyber security. I find it very eye-opening to watch them go through the process where they go from asking the questions that there are answers for to the questions that there are not answers for, and helping figure out how to answer some of those tougher questions involving different aspects of security. So that's really what led to the rename of the slide, and the shifting of the target audience from the pure noob to something I think will be helpful for all levels. We have the first-timers in cyber security, who might have been in
the Equifax breach or some other kind of information leak; they may have just heard about it from a friend, they might just be watching the news. But there's a lot of people out there who are hearing about this new cyber security thing and start to do a bit of research, and like, hey, this can make a ton of money, sounds interesting, and they start to move in. We have the novice, who has a lot of energy, just doesn't really know sometimes what to do with it, but will eventually figure out how to get good. The student, who is great at self-learning their disciplines; they can pick up books and
understand them, but they don't have much experience. And then we have a lot of individuals who I've worked with professionally, who I would put into the experienced category: they've been in IT, DevOps, systems engineering for many years, they have a lot of experience, and they actually know a lot about security, often without knowing that they do. They're often not aware that the way they do things is a fundamental part of security. They've got some good habits and sometimes some bad habits, but a lot of experience, which can be very valuable. You have the wizard, which is the individual everyone goes to when
they have a question; they're normally known because they don't get much done themselves, but they answer everyone else's questions, and any organization of any significant size has several people like that. And then you have the master, which is what we aspire to be: this unachievable, movie-theater-sized hacker who can break into anything, who can investigate anything, who can answer any question, and sees all, knows all, and does everything. So I've broken this down, before I go through the resource list, into five key things: how to get started, how to stay, how to search, how to organize, and then why, a little
discussion on relationships and how that works. So one of the biggest challenges in getting started in cyber is the confusion about where to go. You're interested in cyber security; where do we go from here? And so people jump on, they start looking at jobs and opportunities, and they see all these different job roles out there: penetration tester, forensic analyst, red teamer, compliance officer, and often it's kind of, well, how do we even get started in that? I'm going to step back from this a little bit and talk about something that Charlotte just mentioned, which is about risk. Everything here is about risk. And if you think,
when you got out of bed this morning, probably most of us are stuck at home because of this COVID-19 stuff and trying to do the social distancing, so it may not be that everyone here has brushed their teeth yet, but at some point today, hopefully, we're all going to do that. And why do we do that, spend a few minutes brushing our teeth? Because we want to avoid tooth decay, we want to avoid smelling bad to people around us. This is risk management. The threat is tooth decay; the threat is people not wanting to be near us, not because of COVID-19 but because our breath smells like a sewage
plant. And so we brush our teeth, we spend a few minutes doing this, and it takes some time out where we could be doing other potentially more productive or more fun or interesting things, but we stand in front of the mirror and we brush our teeth each morning and each evening, sometimes more. This is a basic step to mitigating the risk of tooth decay, mitigating the risk of bad breath, and we do this every day without really thinking about it because it's become habitual. And so a lot of security is about realizing the good habits and the bad habits and becoming aware of those, and then looking at the technical
connections that we're passionate about or we're interested in, in those. If you think about your life, when you go out, when you get in the car: driver's insurance, it's risk. You're offsetting the risk of having a wreck or someone hitting you to another company that's going to pay for that and pay for any expenses and medical costs that will involve. So all these things are related to that. So we naturally, as human beings, the fight or flight reflex, we have a tendency or natural ability to identify risks without even being aware that they are actually called risks, and deal with those in
our daily lives and everything in security is about relating or quantifying those risks to different aspects of maybe our personal lives or a business that we're involved in or a startup or charity work whatever we're doing it it it relates to that so step one I think is is realize that everything we do does pertain to security and some way and then that makes it very easy to think about okay what are you passionate about in your life what are the things that really excite will drive you to to discover to learn to become better at something and how do we evolve those so finding our passion um or or kind of what interests Us and how that relates to security
tends to become something that we do more naturally and the career that we want uh will align with that and and the exciting thing about this is there's just on the latest stats there was a report last year um it's in the slide notes which I'll push out afterwards there's over four million unfilled cybercity positions right now today or three months ago probably more now there's next to zero unemployment and if you have an interest in cyber security and willing to put in the time to learn and develop that into a skill set that's sailable the jobs will come um it is almost unheard of to be unemployed in cyber security it it really is once you find what you're
passionate about and people who are interviewing you will see that the jobs will just flow and if you're not a security professional but this is just kind of a sideline interest whatever you learn in this actually adds a lot of value to your your other technical careers um systems administrators uh software Engineers Etc all benefit from having this managers directors um CEOs they benefit from this this skill set um as a as a kind of complimentary uh
skill.

Okay, so what are the biggest obstacles to getting into cyber security? And I seem to have left an arrow there as a spoiler, but the biggest obstacle I see, and I've seen this unfortunately far too many times, is people say: okay, this is good, I'm interested in cyber security, I learn something, I practice, I fail; then I learn from that, practice, I fail. And if I follow a guide that says step by step, okay, do this, click here, do this, do this, do this, etc., it works, but otherwise it's a lot of failures and a lot of frustration. And some people get really, you know, bothered about this and they walk away and find a different career.

The trick of this, and what the chart should look like, is something more like this: we learn, we practice, we fail. If we fail, we normally go back and we look at the scope and have a look and say, okay, what are we trying to learn? Is that too much for where I'm at? Do I need to take smaller steps? Do I need to go find a mentor? And I'll talk about that in just a minute. But how can we make that scope something? And I didn't put a diagram out of this, but if you kind of think of yourself standing in the middle of a circle, which is your comfort zone, the idea of any kind of learning or any kind of skill development is we're pushing that comfort zone a little bit by each thing we learn. Sometimes we get a little too ambitious and we're like, I want to learn all the things, and we rush out there, and we're like, okay, take a step back, let's think: where are we at and where do we want to go? Once we figure that out, it becomes a lot more natural that we'll start going on this kind of learn, practice, fail, succeed path. We'll have our failures, we'll adjust the scope a little bit, and we'll get somewhere; we have a success.

The big thing here is really take some sense of accomplishment in those successes. We do learn from our failures, and that's fine, but the successes are important to teach us, and this isn't just cyber, this is kind of general life philosophy. Those successes help us realize that we can move past failure, and over time and with experience the failures become fewer and the successes become more, and the confidence that kind of grows with that makes us really able to take on some challenging things and show some real value. Now, at least I have never gotten to a point where it's all successes and no failures. I still fail far more than I succeed, but I know that if I persist long enough I can succeed, and that's what I mean by confidence: yes, I can go at this and I'm going to fail a lot of times, but eventually I will find a way to get to where I want to be or accomplish what needs doing. And when I say confidence, it's not the confidence that you'll get it right first time, every time. If that happens to you, great, please contact me and tell me how you did it, because I would like to steal that from you. But really it's about how do we measure those small successes and how do we progress from that failure to success, and do we have the confidence that, if we give ourselves enough time and persistence, we will get there. And that, I found in people starting out in cyber security, is one of the hardest things to really get down. So hang in there, you got this.

Okay, third thing: become a Google master. So many things are findable and discoverable in cyber security by what I would call search refinement. Okay, you go out and you search "how do I become a penetration tester". That's great, you'll get some good articles giving some good resources and a start, but as time goes on and you start
to look for things very specifically. Let me try and think of an example of this; I did have a couple when I was making this slide. Let's say you are performing a security assessment of a network file server, and you scan the server and you see that it's serving up Windows file shares, SMB file shares. So you go and search for "exploits Windows file shares" and you come up with a massive number of vulnerabilities and exploits and CVE reports and everything, and that just becomes an overwhelming amount of information. So how do you then tune that down and find what is actually going to be successful? We start to put in, okay, what else is in there? Maybe I'm actually looking for a published vulnerability on this, so let's put in CVE as a keyword. Let's put in a couple of logical operators and connect those with things that our Nmap scan, or whatever we did before to discover that service is there, found as well, and we refine and narrow the search down. There's a few examples of this in the resource list I'll give out at the end, but 99% of what we will be looking for will be out there somewhere; it's just having the persistence and the kind of practice with Google to actually drill down and find what we're after. And if it's not, that's what we create and get ourselves known for in the community. Okay, if you get right to the point and no one has actually done this in a way that works for your system and your platform in this particular way, there's your research project. Go share what you did, come to BSides next year and tell us about it.

This one, I was going to start off with four things; I added it to five because this is the bane of my existence. Organization, for me, is one of the biggest challenges of my professional and personal life. Physical, digital, whatever works; the fewer of these you have, the better. When I say here that I have used all of these: apart from two of these, I currently use them all, so this is something where I talk the talk but I definitely don't walk the walk yet. I tend to grab whatever is nearest to me at the time. I've used Macs and Windows systems in the past; I spent the last, I don't know, five, six years pretty much exclusively on Windows systems. I'm now at a company where we're a Mac shop, so I'm back onto Mac. My home PC is Windows, so now I'm, you know, used to shortcuts to run up, pull up Notepad and other systems that I use on my home system, and now I'm having to find the equivalents on Mac, which is a challenge. So my notes right now are just all over the place. But find a way to organize the information you find, because there is a fire hose of security information out there, and come up with a structured way of organizing that. If you get into that habit early, it will make your life so much easier.

And lastly, but definitely not least, is a mentor. Because this is such a small community and because the knowledge is so fresh and so new and coming out so quickly, effective mentors and peer mentoring are critical parts of being successful. You don't have to find someone who has the skills you want, necessarily, but someone who has the same goals or ideals, or learning methods that you find useful, someone you can relate to in terms of what those are. If you can't find a mentor, then learn what you can and become a mentor, and develop a peer mentoring relationship where you learn together and share what you've learned. Small study groups are great for this. Slack is free: go make a little Slack server and invite your colleagues, co-workers, friends, whoever else is interested, and just form a little self-study group. You each do your own thing and you kind of share your findings or what you're doing on there. It can be very motivational to actually want to spend the time doing this, especially when you start coming into those failure scenarios where you need, you know, a good friend or a good mentor to give you a kick up the backside and help you reaffirm yourself.

So I said I'd get to the Q&A and resource list, and I want to spend kind of the majority of the time doing this, because I think it'd be a lot more interesting to share this and have
some feedback on it. So I will drop this link into chat right now; let me just grab this. This is going to come out in right here. Okay, so you now have access to this. Yeah, I see people joining, great.

So this I put together a few years ago. I started this actually several years ago, mainly for freshman students when they come in: "I want to learn about cyber security." And at the time, the program I was in, the IT program, we didn't really do much in security until the junior year, and that was way too late for people who came in wanting to learn it. And so this was a kind of resource I put together. I've since used it at summer camps for youth; I've used it for experienced professionals who are looking to find new resources or something to expand their knowledge into. If you're using Google Docs, you definitely want to blow up this kind of index side at the left here; there should be a little button here which will help you navigate through. This is by no means complete, so there's a lot of information that is out there that is not listed here. I'd very much appreciate feedback, anything you'd like to share on there. I think, yeah, it is shared off my other account, so I'll have to do that later. I tried to log in here and I couldn't find my 2FA key, but I will share this out for comments, update the sharing so it has comments from anonymous users later, and people can give feedback on it or other suggestions.

So let me pull up the Q&A. Okay, what do we have? "Current trends show attackers are breaching networks and staying undetected, sometimes for months. What areas of cyber security are best for learning how to detect intrusion? Are there cyber careers or paths of study that specialize in this?" Yes, yes, absolutely there are. So this is one of these areas that, like a lot of security, takes multiple skill sets, right: network engineering, systems administration. The big thing here is visibility, right, getting visibility into your network, and there are platforms like Splunk, Elasticsearch, Logstash, Kibana, Sumo Logic; there's a lot of companies out there now that are doing these basically log aggregation platforms, and what they do is they bring in computer logs from, you know, login events, from using wireless networks (yes, I'll post these in the chat). They bring all these events from all these different types of systems across the network and they ingest those and allow you to see those centrally, and then perform correlations on events through there. So that gives you the visibility to be able to see if people are in your network. After that it's investigative skills: forensics, incident response, reverse engineering, which is this top set up here, are very useful kind of platforms and tools to start looking at some of those things. But I will post some resources in the chat; I will do that after the, oh, if there's no other questions, actually I'll do it right now.

"How do you go about finding/asking someone to be a mentor?" Twitter was mentioned as a great way of connecting, so this doesn't have to be someone you actually know personally; this can be someone you kind of reach out and ask some questions to, or just start connecting with. LinkedIn is a great place to find people, you know, grow your network there. Local groups, organizations, OWASP chapters, BSides, DEF CON: a lot of these groups have local chapters that will have kind of periodic events or monthly get-togethers, and, you know, people just meet and give workshops or kind of share things with each other. I will update, hang on, let me just make sure I grab these questions, because these may disappear after the session ends. In fact, what I'll do is I'll do better: I'll actually answer these in the document, the Google Doc that is being shared, so they'll be there after this ends for you as
well. Once you've found someone: a lot of, most cyber security people, we're all incredibly busy, so don't be afraid of persistence. Most of us will tell you if you're being overly assertive or kind of a little too pushy, but a little bit of push never hurts in this, and I've frequently told people, hey, if I don't get back to you quickly, you know, I'm not going to be annoyed if you start kind of poking me, and if you're doing it too much, obviously I'll say something and be like, hey, just give me a minute, I'm in the middle of something here. But ask someone, you know, hey, I'm getting started in this, have you got anything you advise, any recommendations? I'm looking for a mentor or someone to kind of help me get through this or help me understand this. And most of us are pretty willing to do that if we have capacity to do that.

Okay, next question: "If you have a passion for information security and experience in it, but you are not interested in programming and scripting, even though you have the knowledge of how it works, what paths and roles in security do you recommend for this situation?" Any. We need so many people; it really doesn't matter that much. I mean, obviously probably not software security engineer, or software security software engineer, if you're not interested in a day job of programming and scripting. A lot of the other roles would work just fine. I'm kind of in that boat: I have spent a lot of time programming in the past, I can program in a lot of different languages, but it's not what I want to spend my life doing. That being said, I enjoy, you know, kind of going in deep a few days here and there and building out some systems or helping solve some interesting problems. If you really just want to stay completely away from that, forensics, incident response would be great areas to look at. Right at the top here there is actually a link, this CyberSeek, this cyber pathway. Let me show you this one; this is actually a really good answer to that, I think. So this, and again, this is not exhaustive, but this is one organization's kind of take on the different careers that are out there, and you can go down and kind of say what your background is. Okay, so not software engineering; say you want to do, you know, networking or security, systems engineering. You can go through and it kind of highlights which ones would work for that. But I would say almost all the roles, apart from the ones that specifically are software engineering, developer roles, would work well with that. Does that answer your question? Okay, great.

We have another three minutes, probably, before we need to start getting ready for the next speaker, so if there's any other questions. "What would be a good security position for someone who can spot patterns?" I mean, there's a lot in big data. The security analyst positions, people who are going through looking at the logs, aggregating that information, figuring out what information is relevant, correlating that together, that would definitely be there. Intrusion detection systems, working on IDS platforms: Bro, Suricata, or now Zeek, I guess, is the platform, is a great tool for monitoring network traffic and kind of spotting things that are going on and trying to find patterns. But there's, you know, big data / security roles. "Not necessarily", so the question was, what would scripting be recommended for this? I mean, scripting would definitely be useful. Query languages would be a lot better, so both tools such as Splunk and Elasticsearch have their own query languages where you can write correlations or queries across data. Machine learning platforms, RStudio, that kind of platform would be useful. So I would say more queries than scripting, but definitely don't dismiss scripting; it would be helpful. I'm going to take that question and put some more information in the document about that after the session.

Any other questions? Great, well, thank you. Got a few minutes before the next speaker. I will make some updates to the document and answer some of these questions with some of the other links and resources there, and I'll add the permissions to comment and check back on that now and again to see if there's anything to add to it. I'm sure there will be.

Okay, awesome, thanks Dale so much. I didn't know about that CyberSeek tool, and that seems pretty slick, as well as, you know, I'm interested in checking out more of that document that you put together, checking out what resources are there and all that. So thanks for sharing that with the whole community. I appreciate it. I didn't mention there as well, but Bryce also has his reading list, book list and a bunch of other resources in there as well, so I'm highlighting it. But now you can see, now there's Bryce's book list in there; go take a look at that. Thanks for putting that together.

Yeah, that's pretty old, but hopefully it helps people as well, right. So, okay, awesome, so we've got Jason, aka Nibble, he's up next. So whenever you're ready, Nibble, just feel free to get started. And, yeah, that's a good one. I was talking to Nibble at RSA like a month or two ago and I'm really excited for this talk.

So thanks so much, Bryce. Just give me a second here to share out my screen.
All right, can everybody see that? Looks great, sounds good. Okay, perfect.

All right, so yeah, thank you Bryce, appreciate that. My name is Jason Reverri, aka Nibble, and we're going to talk about MineMeld today. I really just want to give a shout-out to all the BSides sponsors and the BSides organizers; you know, just a fantastic job switching this over to virtual. I'm going to miss seeing everybody this year, but it's great that we can still get together virtually and have these good conversations, so it's been a great con so far and I've really enjoyed it. So this is me, this is how to get in touch with me. I've been a consultant for a long time; recently moved over to a technical marketing engineer position within Palo Alto Networks. I do want to mention that, while I am a big fan of Palo Alto Networks and obviously an employee, the views expressed here are my own and not directly those of my employer. I'm here just as an enthusiast, a security practitioner, and not directly representing them. So, you know, I've been around a while, member of DC801. I love cryptography and privacy; I'm a bit of an enthusiast there, not an expert, an enthusiast.

So MineMeld solves some interesting problems and I want to talk about what we're trying to do with it. You know, there's a lot of really good resources out there on the internet, whether they're threat intelligence or lists of data that can be leveraged by security appliances, by endpoint security products, by SIEMs, you name it, right. But the problem is, while we have kind of an established format with STIX/TAXII, a lot of these tools don't natively digest that format. So the problem that MineMeld is trying to solve is essentially to normalize that data into a format that these other tools can handle. You know, there's some really interesting use cases that you can use that for, right. So you can take these threat intelligence feeds, whether they're public open-source threat intelligence feeds like the SANS DShield top 20; you can also digest private feeds; there's some, you know, full threat intelligence platforms that you can pull that data in from. And what MineMeld will do, like I said, will kind of normalize that data to be digested by these other systems downstream. It will also help maybe deduplicate that data as it's being normalized, so that if for some reason the platform that you're using as an enforcement point, for instance, has a hard limit on the number of data points it can pull in, MineMeld can help reduce the number of data points as they're being pulled in. So very, very helpful, especially if, you know, the platform has any kind of limitations around that. There's also some interesting use cases about pulling in feeds for positive enforcement, not just for, you know, understanding threats or that sort of thing, but in a dynamic cloud environment, for instance, your resources are going to be spun up and torn down on a regular basis, and those, say, IP addresses or FQDNs will constantly be changing, and it's a very dynamic list, right. And so understanding network traffic flows to, say, Microsoft O365, you know, can be a very cumbersome task without being able to digest Microsoft's published list of resources that are out there, and so a tool like MineMeld helps really pull that into your toolset and understand where that traffic is going.

So you're interested, right? I hope. You know, how can you do more, how can you digest this tool? So the current two best options for installation are spinning up the Docker image or compiling directly from source using Ansible. When MineMeld was first released, you know, it was released as a VM, an OVA, that sort of thing. You know, really it seems like the Docker way is probably the best, easiest way right now. So I've got here the full URLs, but I created some Bitly shortened URLs for everybody to use. If you're interested in the Docker image, it's there; if you want to compile direct from source on Ansible, it's there. And I'll post the slides to Slack after this, minus the copyrighted materials.

So okay, so I'm going to show you today pulling and leveraging MineMeld from the Docker image, but I want to show you a couple things that I did ahead of time before we dive directly into the demo. So my Linux distro of choice is Ubuntu, so I spun up a new Ubuntu server, and basically the first thing you want to do is just make sure that there's no legacy or pre-installed Docker packages. You then pull down some prerequisites for Docker, and then also the Docker GPG key, and then update your repository with the official Docker repository for Ubuntu and then install Docker. Oh, one other thing: I don't like running Docker images as root, so I then add my user to the docker group, just kind of security best practice, I guess. And if you think I went through that a little too quick, this is all very well documented on the Docker website, and, you know, I don't want to turn this into an exercise on how to run Docker; I want to focus on MineMeld. So there's a link to doing that.

All right, so let's switch out of the slides and get right to business here. Everybody still see the screen?

Okay, we can still see the screen.

Okay, perfect. Okay, thank you very much. So, in the interest of time, I'm going to copy and paste these commands, but again, if you go to that Docker link, this is all very well documented there. So I'm going to pull the Docker image from the official Docker repository, and I'm going to create a volume for the MineMeld logs and for my MineMeld local configuration, and then we're going to spin up the Docker image. And again, that's kind of a long command; I just copied and pasted and cheated, but again, I didn't want to be sitting here fumbling around on the keyboard while everybody's watching. And then if you look at the logs, you can see, what we're looking for here is the successful start of the MineMeld web service. So then we should be able to pivot over to the MineMeld instance.
and all right and the default credentials here are admin mind mod you see here we've already uh on the dashboard view uh the docker image comes pre-compiled and set up with uh four minors a processor and three outputs I'll go into those in a minute but uh you know again this is a security conference we're all security people so first thing we're going to do is go in and change that admin password so I'm going to uh clicked admin and I'm going to click password there and I'll give it a stronger password all right the other thing that I want to do is maybe I don't want to use the default admin username maybe I want to uh create
an additional user that's done with this plus right here add me as a user this guy super secret password all right and now I've got a non-admin user and then I can go in and delete that admin uh uh user if I wanted to so let's uh look across the top here at the the different tabs um first one I want to show you is the system tab this is kind of your highlevel view of what uh mind meld is up to you know are the services running you know how much CPU utilization is happening here memory utilization that sort of thing we already touched on the admin tab uh we looked at the dashboard but um
what I really want to show you here is the noes right so this is this is the meat of what my melt is doing we've got these three different node types within my M you have your miners which are essentially the sources for data out on the internet uh or you know maybe on private systems what have you then you have an aggregator that those miners are connected to that um aggregator or processor takes that data and as I mentioned U normalizes it and duplicates it and then feeds it to an output an easier way to sometimes look at this is if we click on the minor you can uh and then click on the
connection graph we can see here on the on the left side you know all these miners reaching out going into an aggregator and then feeding into these output Feeds out on the right so pretty straightforward uh from from a a graphical representation standpoint the other thing that you can do is uh look at the statistics of these miners uh how much data is it pulling in right um you know the dshield block list is always going to be 20 uh the top 20 class C's that you should just uh generally block on your network or watch uh for uh traffic that's egressing your network that you know or Communications happening to these so so one of the key
things here is you know being able to understand the relationship that your your your endpoints or your network traffic is having to these known bad uh networks right or these know known bad uh data points so let's see let's say um you know you want to add some more data uh to come in here right so um first thing I like I like to point out is the pre-built white list uh for ipv4 right so so here we've got um a static list that we can add so um say um you leverage Google DNS heavily and you never want Google DNS to be included on one of those uh one of those output feeds that you're leveraging in your
your security Appliance we can come in here and add that to the white list and then if we look at that that relationship we can see now that the white list has one indicator IP so if uh quad8 uh Google gns wherever to show up on say the the spam house uh drop or E drop list or D Shield or any of those um it would always be whitelisted because it's part of this this minor that will be pulled into the aggregator and will override the output but let's say uh you want to add another uh minor right you've got your favorite source of of data that uh you know is really really uh High Fidelity
that you want to pull in and leverage within the network. So how you do that is you click on configuration here, and then down here this little hamburger-looking icon is where you can look at the prototypes. So these prototypes are either miner, aggregator or output prototypes. One of my favorites is the ET open blocklist. Emerging Threats, really good group, does some good work. So if we search for ET open we see that that list is maintained here as a pre-built prototype. Click on that, then we click clone a new node from this prototype and give it a normalized
name. All right, so now we have it listed here, but notice it's not connected to the processor. This is a slightly counterintuitive piece of MineMeld that sometimes trips folks up when I've helped people put this in their networks. You have to click over here on inputs. If you remember the relationship diagram that I showed you earlier, your miners were on the left, they feed into processors, or the processor takes input from those miners, and then the processor pushes to the output, or the output pulls from the processor. So we have to add that new node, or miner excuse me, to the processor, and we do
that by clicking over here on the right-hand side, and when we click in here we'll see, yes, look, ET open is now in there. Let's click okay. We see it here, but you're not done. You have to commit those changes. So you commit that configuration and it restarts the MineMeld engine. It gives you lots of good statistical graphic representation of what it's doing in the top right there. Give it a second to run.
All right, so now we're running. So now if we click on the nodes and look at the ET open blocklist we can see that there are 1,834 indicators and it is directly feeding into that aggregator. So what's this data look like if we actually were to try and pull it into one of these systems and leverage it within a system? How you can view that is, if you click on the output node, you can see here the feed base URL. I open that up, there's your data, right? So this is IP range format, to be viewed or ingested into one of your
control systems, right, again whether it's a SIEM or a network appliance or an endpoint management system. Let's say the system that you're leveraging does not understand this format, right, this IP range format. You can change your outputs. So if we just append ?tr=1 to the output feed URL, we see that now it gives it to us in CIDR format, which is another very common format that a security appliance or SIEM might be able to ingest. So let's talk about maybe some more advanced use cases, right.
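To make the miner, aggregator and output chain and the range-versus-CIDR output concrete, here is an added Python example. It is not code from the talk or from the MineMeld project; it models an IP aggregator over two constructed feeds (one in the start-end range format just described, one a plain list of single addresses like the Talos list mentioned later) and renders the merged result both as ranges and as CIDR, the way appending ?tr=1 changes the real feed. The feed contents, the exact line formatting and the helper names are this example's own assumptions.

```python
import ipaddress
from typing import Iterable

# Constructed sample feeds (RFC 5737 test addresses, not real indicators).
# One is in "IP range" style (start-end plus bare addresses), the other is
# one address per line, as the two list formats discussed in the talk.
ET_OPEN_STYLE_FEED = """\
192.0.2.0-192.0.2.255
198.51.100.5-198.51.100.12
203.0.113.7
# comments and blank lines are ignored

"""

TALOS_STYLE_FEED = """\
203.0.113.7
203.0.113.9
192.0.2.42
"""


def parse_feed(text: str) -> list:
    """Turn one feed body into IPv4 network objects.

    Accepts three line shapes: 'a.b.c.d', 'a.b.c.d/nn' and 'start-end'.
    A start-end range becomes the minimal set of CIDR blocks covering it.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line:
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def aggregate(feeds: Iterable[str]) -> list:
    """Model of an IP aggregator node: union of every miner's indicators,
    de-duplicated, with overlapping and adjacent blocks merged, sorted."""
    all_nets = []
    for feed in feeds:
        all_nets.extend(parse_feed(feed))
    return sorted(ipaddress.collapse_addresses(all_nets))


def render(networks, cidr: bool = False) -> list:
    """Render the aggregator's output feed as lines of text.

    cidr=False mimics the default range output (a lone address by itself,
    a contiguous run as 'first-last'); cidr=True mimics the ?tr=1 view.
    The exact formatting is this example's assumption, not MineMeld's code.
    """
    if cidr:
        return [net.with_prefixlen for net in networks]

    # Merge contiguous CIDR blocks back into single start-end ranges.
    ranges = []
    first = last = None
    for net in networks:
        if last is not None and net.network_address == last + 1:
            last = net.broadcast_address
            continue
        if first is not None:
            ranges.append((first, last))
        first, last = net.network_address, net.broadcast_address
    if first is not None:
        ranges.append((first, last))
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]


if __name__ == "__main__":
    merged = aggregate([ET_OPEN_STYLE_FEED, TALOS_STYLE_FEED])
    print("range format (default):")
    print("\n".join(render(merged)))
    print("\nCIDR format (?tr=1):")
    print("\n".join(render(merged, cidr=True)))
```

Note that the two renderings do not have the same number of lines: the range 198.51.100.5-198.51.100.12 does not sit on a CIDR boundary, so it becomes four CIDR blocks, and the duplicate 203.0.113.7 and the 192.0.2.42 that is already inside 192.0.2.0/24 are absorbed by the aggregation. The number of entries a consuming appliance ends up with therefore depends on which output format you point it at, which is worth remembering when you compare counts between MineMeld and the device ingesting the feed.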
Let's say you've got a favorite threat feed that, again, you feel is really high fidelity, but when you go into the prototypes it's not listed there. So a lot of folks out there like the Talos group, right, they do good work, and they publish a really nice IP list, their IP blacklist, but if we search for prototypes the Talos group is not there. So let's go look at their IP blacklist really quick, and it's just an output of IP addresses, right, individual IP addresses, a pretty common format. So I know that other prototypes leverage that same thing, specifically the ET open blacklist, right. So this is again my
friends at Emerging Threats, and instead of cloning this one we're going to create a new prototype from this miner. We can come in and we can modify this, we can say this is the
right, and notice down here we've got a really simple way of building out a miner. It basically asks for your confidence level in this source, and then give it a name and then a URL where we're pulling that information from. So let's put in that Talos IP blacklist, let's change this to Blacklist
Okay, so I've modified it so that it's consistent for Talos, and now when I search for Talos I have a MineMeld local Talos blacklist. Same workflow, I can clone it, give it a common name, and then that tricky thing to remember is adding it to this IP aggregator. Right, now we've got Talos. We commit that, let it run through its course, and I'll show you that it's pulling in that data. There's obviously a lot more different types of data sources out there beyond IPv4 addresses, right, and there's a lot of debate on how valuable this information can be, but for me my thought is just
reduce your attack surface as much as possible, right. Take out these known bads, and if you can block them on a network level, great. If the security appliance you're leveraging allows you to block them, it just reduces that attack surface. They're not these hot IOCs or whatever that some of these different groups will claim that they've got, you know, the best lists, right, no, but again it can be debated as much as we want. It's really just about reducing that attack surface, and just take the known bads out so that we can
really focus on what matters and looking at the more advanced type of threat data. But we can see now that the Talos blacklist has pulled in 1,266 indicators, and our outbound feeds now are incrementing up. One nice view on the dashboard that I kind of didn't touch on earlier is, if you look here, you can change the time frame. I just click that gear on the right, right, you can change the time range. So as your MineMeld instance is running for days and weeks you'll have nice statistical graphs here that will show you as indicators have been pulled in from miners and what your
total number of indicators are from your outputs. So you can see as I added the ET threat feeds and the Talos threat feeds we've had a significant increase in the number of indicators across all the nodes. So I've got a little bit of time, I can show you a couple more advanced use cases here, and this is the MineMeld instance that I run for my
house. Oh yes, that's my password, sorry, there we go. And one thing that's interesting is, if you notice, I've got some other aggregators here, right, not just IP aggregators but domain and URL aggregators as well that are feeding out to different types of lists. So again, threat indicators are not always going to be IPs, right. There are free lists out there that will give you other interesting things like malware domain lists, things like that, right. And if we look at those outputs we can see here these are full URIs, right, and if we look at say this one, oops,
sorry, so instead of full URIs, here I've got just malicious domains, no, malicious domains. So you can see how maybe that might be interesting on integrating it to, say, a threat hunting feed within a SIEM or some kind of EDR tool set, something like that. No questions? So I'll just do one more thing really quick and show you guys how, again, you would pull this into my favorite security appliance. Anybody who knows me knows that I've been a fan of this for a very long time, so
all right, so external dynamic lists are generally how the Palo Alto Networks security platform digests MineMeld data, and so we can see here I've got these dynamic IP lists. These are pointing directly to those sources on my MineMeld instance. I've also got these domains and URLs that I just showed you guys there. So these dynamic IP lists are essentially IP groups that