
BSidesSLC Live Stream

BSides SLC, 6:10:59, published 2024-09


All right, we're going to get started in just a second. They're finishing up putting in some stream keys right now, so any second here we're kicking off. Just giving you an update.

Okay, now you can hear me. Sweet. Welcome to BSides Cache. We're excited to be here. This is our first, first-ever BSides Cache. Rock on. My name is Ivon Bonov; I'll talk about me in a second, but this is the first time anybody has ever done an infosec event in Cache Valley, and we're really excited for that. We're glad to see a lot of people here as well. We have, I think, over 175 registered. We still have more people trickling in, and a few who haven't found the building yet; apologies if that was unclear. But we're grateful for everybody being here. Our tagline for all BSides is a

cybersecurity conference for the people, by the people, for the people. So I'm glad that you guys are here. We appreciate the support from community partners, everybody who has come, and we'll talk a little bit more about them. My name is Ivon. I'm the department head of IT instruction here at BTECH, so that's my role. Like I said, I do IT instruction. I love network security, hardware, all that jazz, and sysadmin; I've done those kinds of things in the past, that's my specialty. I'm part of BSides Cache, which we're obviously here for, and DC435, which is our local DEF CON group. I'm going to put in a plug for them later.

And also Cache Tech Community, which is a new tech community that's starting up in a little bit, and we'll mention those in a sec. So, I did my undergraduate at the University of Minnesota, I did my MS at BYU (I'm sorry, I have to say that in Logan), and then I did my PhD at the University of Minnesota, or sorry, the University of Hawaii at Manoa. And so I am glad to be here in little Logan. It's been fun; I've been here for about a year and a half and I love it. My handle on pretty much everything is bovc, if you care; if you don't, just ignore this slide and we'll keep going. So, all right, let's

get going real quick. I want to just ask a couple of questions. I promise this is the only audience participation of the day. How many of us have been to a BSides conference before? Okay. And then I probably should ask the other way around: how many of us is this our first BSides conference ever? This is way cool, rock on. Yeah, right, that's sweet. How many is this our first-ever infosec conference, we just haven't been able to go to one? Sweet, that's also decent, we have quite a few. And then the last one is how many of us are students currently? Okay, awesome. So we have a good number.

So thank you for being here. I'm going to quickly go over what BSides is, just so you have an idea. We've pulled some sentences from the official BSides website, and I'll put them up like this one: it's a community-driven framework for building events for and by information security community members. What does that actually mean? These are now my inserts. Basically, this is made by the community, it's sponsored by the community, it's built by the community. You guys are all here, and it's meant to be something for local people here. It's not meant to be all around, right? It's something that we can gather

and build the IT community, the infosec community, here. And on top of that, it's a conference format that's worked in the past, so we just keep doing it. And then here's another from the official BSides summary: the goal is to expand the spectrum of conversation beyond the traditional confines of space and... okay, basically what that's saying is we want to make sure that we can talk about things that you may not learn about otherwise in your work or school settings. We want to talk about some of those things, and because it's a community, we want to keep talking about this after this conference is over. We want to keep up infosec instruction,

infosec learning, that community, after this event. So we don't want this to be a once-a-year thing where you just show up, then forget about it and come back again next year, maybe. Right? So with that, we have Discord, we get on X/Twitter, whatever, LinkedIn community groups. I use this as a place where you can connect with others. And I want to take two seconds to highlight a couple of our community partners that we have as part of this event. We have high school groups and college groups, whatever. So the first one we have is the IT STEM Academy. The second is the Cache Tech Community, which is just starting up. We have, I

guess, the first meeting for the Cache Tech Community on September 21st at Logan Library at 1:30, if that's of interest to you; look it up. We have the Utah State University Student Organization for Cybersecurity, which is also cool; some of us are here from that. Woo. We also have Hack USU, the student organization, and we're supported as well by the College of Agriculture and Applied Sciences at Utah State, which runs their Computer and Technology Systems major. I also want to highlight real quick DC435. They've been a huge help for this conference, kind of one of the ones that helped get it rolling. And so DC435

meets every first Thursday of the month in that building over there, like right next door, here at BTECH. I encourage you to check out the DC435 org; it's another community that we have here. So between Cache Tech Community and DC435 you really have an opportunity to keep this conversation going after the conference is over. All right, the other thing that I really want to highlight, if you care or want to, I'd recommend you scan this one. This is the BSides Cache, or sorry, the BSides Utah Discord. You can either go to the bit.ly link, BSides Utah, or you can just scan that right now. I promise it's not malware. Um, yeah, anyway. So if you'd

like to join the BSides Utah Discord, scan this and you can connect with all of us there. We all have an active presence, those of us who are organizing and running the conferences. There's a second conference that's going to happen in a couple of months down in Red Rock, the St. George area; we have a conference going down there. And then every year we also have one in Salt Lake, and that's usually the largest one that we have here in Utah. So feel free to attend those, get in contact with others, and use this as a way to connect again. All that aside, I've got to get back to what BSides is.

Sorry for that tangent. Here's another sentence from the BSides website: it creates opportunities for individuals to both present and participate in an intimate atmosphere and encourages collaboration. Basically what this is saying is this is not DEF CON. We don't have 25,000 people here. It's not meant to be somewhere where you go and listen and then leave and never see the presenter again. This is meant to be a place where we can talk with each other, so please meet the people next to you. Our goal for this conference was to make people sit next to each other, which is good. I think by the time everybody gets here we're going to fill in enough seats that it's required for

you to sit and meet someone next to you, or scooch closer; that's fine too, right? So talk with others, get to know each other, network, connect, and we hope that something good comes of this beyond just, again, the conference. And the last thing is that this is an event where we're going to have discussions, demos, and interaction from participants. That's all the interaction I'm going to do, but as you go around, we're going to have workshops, we'll have presentations where you can listen to people. If you're at a workshop, we want you to participate. CTF, try something new. If you don't know, ask; we're willing to teach. It's not like this is a

place, again, where someone just sits up here, spews information, and then you go home, right? We want you guys to feel like this is a community. All right, enough of that. Let's go through some of the things I have to go through: housekeeping and venue, real quick. Our website has the most up-to-date schedule, so please go to bsidescache.org and then click on this little schedule button right there, if you can; that's helpful. Or you can type a couple extra characters and go to bsidescache.org/sch-1; that's fine. You'll see the whole updated schedule there. Keep track of that; that's where we have all of our events, where they are, in which room, and

you can see the schedule and how that works. So just throwing that out there: please keep track of the schedule there; we don't have booklets or paper schedules to pass out, so we're good there. We're currently in this room, and this will also be track one. This is a map, in case we missed that, of the building that we're in. This is track one; this is where we'll have our first set of speakers, going from 9 till 3:30-ish. Back here is track two, so that's that glass room that's right across the hall here. So everything will be pretty close, either here or there. That's track two, and that's where we'll have our second group of speakers,

also speaking continuously from 9 till 3. If we go in front here, right where we came in, you'll see that there are sponsors; those are those blue boxes. Please, please visit our sponsors. That's where they'll be located; I'll talk about each of them in a second. And then in the back we have a little open area; this is underneath the staircase, and that's a place where you can network, talk with people. If you want to sit down and chat, there are spaces there, tables there; please use that space as well. Beyond that, we have an elevator there and stairs to go up. If you go up the stairs, that's where we're going to have our workshops. So I'm

taking us up the stairs. That red star is where you get to when you get to the top of the stairs; right in front of you is room 2200, and that's where we'll be having our workshops, which will be about two hours each. You can go and visit those; you'll see where those are, up at the top of the stairs. The room bordering the back side of that is where we're going to be having The Keep. The Keep is sort of like an introduction to CTF and network security, network hacking. So if you don't know much about that, it's a great place to go; I encourage you guys to visit The

Keep. It's also students from Weber State and, I think, from SU together who collaborated to make it. It's a really cool event; go up there, have some fun, try something new that you may not have done before. And then behind that, in room 2228, is where our CTF base is going to be. We have a CTF that I'll talk about in another second, but if you need a place where you can kind of go and have it be quiet, you can go up to the CTF base up there. There won't be much going on other than a moderator there to help us out, Chandler, if he's here; I don't know if he's here

yet, but yes, he'll be up there. And we'll have some spare computers if you need them, if you don't have your own. So that's the venue. In the back, oh, just kidding; in the back, so at the top of the stairs, turn right, behind you there's a conference room, and that's where after lunch we're going to have the opportunity to get a critique on your résumés. So Brandon's here and he'll be going over résumés. If you want to bring in a copy of your résumé, just get some feedback; he's done a lot of hiring, he knows what's up, and so he can give you some feedback regardless of where you are in the

application process or in your job. Right, a couple of rules. Please don't bring food or drink into the lecture hall. That's okay if you have... this is me telling you officially, so there we are: please don't bring food or drink into the lecture hall. Water over the carpet is okay, but other drinks are not. Again, I'm just telling you. We're very grateful to BTECH for giving us this space and the ability to be here; we just want to try and keep it as good as we can. We're the first people to do streaming from this building ever, we're one of the first conferences ever to be here, so we want to take as good care of this venue as we

can. Please use a screw-top cap or lid if you're carrying other drinks. So it's okay if you have something else and it has a screw top; that's cool, we're okay with that. And then food and other drinks are okay in public areas with epoxy floors. So once we get to lunch and stuff like that, if you want to go anywhere with epoxy floors, you're fine to do that. That's my have-to-do. Also, we need to announce this real quick: Wi-Fi access. Our SSID is btech public and our password is red Twizzlers. So if you need access to Wi-Fi, there we are. And then I'm just putting out the

mandatory "please be responsible," both on the consumer end and on the other end. So however we do that, please be responsible. I think that's that. Another two seconds for people who are taking pictures. Okay, on to the next one. We have lunch. Lunch is from 12:00 to 1. You can eat across the sidewalk at the BTECH cafe. So we're currently in this little red space there, right, and it's right across this sidewalk; there's a cafe down there, right through the doors on your right side. If you want to go there, you can get lunch there; they'll have some grab-and-go things. There's also a little cafe. They've never handled 160 people at

the same time before, so it might be a little bit of a line. You can also go down Main Street; just take 1400 North to Main Street and there are tons of options there for food as well. Throwing that out. Okay, two more things. We have events and contests. The first thing that I need to mention is we need to thank our sponsors for these events and sponsorship. We wouldn't be able to do this at all without our sponsors, and on top of that, we have some prizes and things that we're going to hand out which would not be available to us without sponsors either. So please visit them. We have... I

want to start real quick with Bridgerland Technical College. Again, they gave us this space. Woo, thanks. They gave us this space, and for free, which is awesome, and we're here; we're very grateful for them. BTECH is a hands-on, competency-based school where learning is fostered through curriculum that's helped students master technical skills. I'm grateful for all the things that BTECH does, and we really have a pretty decent IT program, so I'll throw that out; I have to say that, for me too. Our second sponsor is CompuNet. CompuNet provides seamless audio and visual solutions to facilitate efficient meetings and communications, so you can stop by if that's of interest to you;

stop by their table. Check Point Software. Check Point Software Technologies is a leading provider of cybersecurity solutions to corporate enterprises and governments globally. Big company, and we keep their threat tracker map on our screens in our classroom sometimes, so we love Check Point. Firefly Automatix has been transforming technology for turf equipment since 2010 with electric, hybrid, automated, and fully autonomous solutions, so we'll talk about them in a second as well. And then the last one that we have is Utah State. Utah State University is Utah's only land-grant institution, serving over 28,000 students in Logan and across the state at their statewide campuses. So, mandatory, and I'd appreciate it if we can all

give a hand for our sponsors for making this happen. So thank you. Awesome, appreciate everybody, and please stop by and see them, visit them. This is part of the contest now. We have a raffle at the conclusion of the conference. Everybody should have received a little raffle ticket that looks like this; please get one if... when you checked in. And so what you do is you fill out your info on the back, just the name that you want announced. We don't need your real name; it doesn't matter to me as long as it's unique. And then when you speak with four or more sponsors, I guess, for each sponsor you speak to, you

get a little proof of speaking with them, right? And once you fill out your raffle ticket with at least four stamps, then you can turn in your ticket at the registration desk and we'll have a raffle during closing ceremonies. Oops. And so let's talk real quick about what that will entail. We have three prizes for our raffle at the end. We have an Apple HomePod as one of our deals, we have a Star Wars Millennium Falcon Lego set, should be decent, and we also have an iFixit Pro Tech Toolkit. So it's first come, first served; I don't know which will go first. But yeah, so that's what we

have for our raffle, so stick around to the end, and we'll talk about the terms and conditions in a second. Capture the Flag: we also have two divisions for our CTF, which is upstairs. You can either do individual or groups of up to four; doesn't matter, either or. And the CTF closes officially at 2:30, and the rewards for those are Amazon gift cards. So we've got 100 bucks for first place, 75 for second, and 50 for third, and then our top group division gets 200 bucks as well. So if that's of interest to you, you can't lose. I mean, you could get fourth, but anyway. You might also find greater success using a hotspot. We've tried,

we're trying to do everything on our end to make sure that all of our ports are open, everything's available for the CTF, but if you have a hotspot that might also help. Our third competition is Mower Mayhem. This is the one that's sponsored by Firefly Automatix. They brought one of their autonomous mowers, which looks like that. This is a new product that's coming out soon, and they have provided a bounty program for us. So just by attending and going over to their station, which is just by the glass, kind of by the door where we came in, you can mess around with their online interface, and you can

also see if you can do anything to break it or expose a bug. And if you do, that's great; you'll get an entry just for trying, and you'll get additional rewards for successful bounty identification. So talk to them; they'll give you more details about that. But their first-prize winner gets a Flipper Zero, their second a Raspberry Pi 5, and then they have, I think, six ESP32 dev boards to give out. So we'll get more information on that during closing ceremonies. Here are the general guidelines: you have to be here at 3:10 when we announce the winners to get your prizes, so just be aware of that. If you are not, we may give your gift

to another person who is here. So we just kind of do the raffle things. You must be present at this time and location, and persons who are judging or creating content are not eligible for prizes. So I felt bad having to buy, and now give away, a Lego set. All right, last thing and I'm done; this is the second one: our additional thanks. We want to really recognize the UCS, the Utah Cyber Security Society. A couple of them are here today and we're grateful for them: Tyler, Ash, Ryan, Kirsten, and Bryce. For those of you who don't know, the UCS is a 591 501(c)(3)... I don't know where the nine

came from. And they run all the BSides events here in Utah, and you can visit them at UT Cyber Security Society dot com. Is it .com or .org? Man, I feel bad. I think it's... that's what I copied; I think it's .com. Okay, UT Cyber Security Society dot com, might be .org; that's on me, again, I feel terrible. Either way, check them out; they're super helpful, and Bryce is in the back there; talk to him too, he's cool. We should be good. Okay, also our working group. We have tons of people that we need to thank here for our BSides Cache working group; they really are a bunch and we can't really recognize them all,

but many of these are here: Brandon, Chris, Greg, Margie. We're really grateful. Margie, can you all give a round of applause for Margie? You don't know her yet, but Margie is our event manager, and so she's done a lot of the coordinating here. We're really grateful for all the work she's done. Yeah, she's great. So if you see any of these people, again, say hi. I know Trey's here as well; Brandon is doing the thing upstairs, the résumé workshop. So we should be good. And also all of our volunteers who are here: we have Ben, Brayden, Chris, Connor, Gabby, Jolene, Matt, those for sure, and also we

have tons of others. So thanks also to our volunteers, and I'll be done. All right, so I get to introduce our keynote speaker real quick before we get rolling, and this is going to be a little different than before, but I want to talk real quick about Neil Wyler. He's our keynote for today, also known as Grifter. He's an information security engineer and researcher in Salt Lake. He's currently with cfire as the vice president of defensive services, and he's spent over 20 years as a security professional. He's done vulnerability assessment, pen testing, physical security, incident response; he's done a bunch. He's also spoken at pretty much anywhere you can speak if you're an infosec guy:

Black Hat, DEF CON, RSA. And not only has he spoken there, but he's also a staff member and he's on the review board for DEF CON and for Black Hat. So, I mean, senior staff at DEF CON; he's department lead for contests, events, villages, parties, and the demo labs. There's a whole bunch of other stuff that I could talk about. He's also been interviewed for online things, print things, film and television. Yeah, if there's something to do in IT, he's done it. And on top of that, he's an author. His handle on X is grifter801, and that's where I'm going to cut out. We're going to turn the time over to

Grifter and Pope, who will take the rest from here. But let's give it a hand for [Applause]

Grifter. Real quick, a last shout-out for Ivon, who did a ton of work to make this conference happen.

Breaker breaker. Technology is hard; AV is hard. Hi, Pope. Hey, what's up, man? Welcome to Cache Valley. Maybe we'll adopt you as grifter435 in the future, but somebody's getting that right now on X/Twitter. Who's got it? Go. So I wanted to take this opportunity to ask you a bunch of questions, enumerate, if we will, and pull on some of these threads and strings, and (a) learn a little bit more about you and (b) some takeaways and things we can learn from cybersecurity. Sounds good, let's go. So let's start with: how did you get into hacking? And I know that's a vague term and there's probably

a delineation between hacking and infosec there, but how did you get into this? Yeah, so I started out as a kid, basically. I'm old, right? I'm 45. So I grew up in the time when we actually dialed into bulletin board systems, in the late '80s, early '90s. My uncle was a computer tech and he had a computer, right, so that meant I had access to something that not everybody had access to. And I loved video games like most kids do, and he basically set me up with the ability to get on a pirate bulletin board system to download video games. So that's how

I learned how big a byte and a kilobyte and a megabyte were and how that related to baud and the amount of time that it would take me to get games and things like that, because I needed to know, like, oh, I'm going to tie up the phone line for the next six hours; when do I want to download this? And then after being on that BBS for probably about two or three years, I loved it because nobody knew that at the time I was, like, 9, 10, 11 years old, and I would post stuff on it and people would just respond to it like I was a normal human being and not a child, right,

because they had no idea. And eventually somebody said, hey, just based on your posts I think you'd really like this other BBS, and it was a hacker bulletin board, and I dove in and I just read every file, including the weird ones that were conspiracy stuff and aliens and stuff like that. I read all of it, consumed it all, and that was it; I was off to the races. But yeah, it started out in that pure exploration type of thing that you hear about, that's a little bit cliché about hackers, where it was like, oh, I want to learn about new systems. And at that time, again,

early '90s, it was like if you wanted to access a Unix system you had to break into a university or a government facility to do that. You don't have to do that anymore. You still can, maybe not here, but yeah, you don't have to. But at the time it was like, oh, you want access to this? Do crime. And I did that; I did exploration for a while and then eventually realized that I had certain material needs, and then I actually did crime for most of my teenage years, fraud essentially, and other stuff. And then I went into the military and they sent me to Utah and I

stopped breaking into things so I wouldn't go to federal prison. Actually, that's not entirely true; that's a different story I won't tell since we're streaming, but if somebody wants the rest of that story we can talk about that. But yeah, so when I got out of the military I only knew how to do two things: fix F-16s and break into computers. And so I went back to breaking into computers, except people knew I was coming this time. And your handle is Grifter. Is this from the doing-crime era, or how did that come to be? Yeah, so that's a little embarrassing. It's not... in this crowd it's not. I used to

read the dictionary. Yeah, where are my dictionary readers at? And so I was looking for cool words and I came across a definition that said a person at a circus or carnival who runs freak shows or games of chance, and I was like, ooh, that's cool; or a con artist, and I was like, oh, I really like that. And so I started using it, again on video games, and eventually when I entered the hacker scene I started using that as my handle. I have had other ones that nobody knows about from when the crime was taking place, but the one that I... 435? Yes, grifter435. Yeah, yeah. But yeah, it's just

been my name since I was eight years old, right, so almost my entire life. More people know me as Grifter than know me as Neil, and some people refuse to call me Neil and just call me Grifter. So I actually did not believe that your first name was Neil; when somebody said it I was like, nah, that doesn't fit. But it does. It does not, yeah, it does not; I didn't care for it, so I got to pick my own. I recommend it: do what you want. If you go back and watch an old DEF CON documentary, you pop up in those. What was the first DEF CON you

went to, and then how did you get involved with DEF CON? First DEF CON: so this year was DEF CON 32; my first DEF CON was DEF CON 8. I knew about DEF CON from its beginnings, from DEF CON 1, but I was an incredibly poor kid growing up in a very rough part of New York and had no means to get to Las Vegas. I was also a child; right at the time the first DEF CON kicked off I was 14, and so there was no scenario where my parents were going to be like, let's go to Vegas so you can hang out with hackers. But then when I got out here and got stationed here, I even

avoided it for a couple of years there because I didn't think the overlap would be good, military and hacker scene. And then when I was separating I was like, I'm going to go; I'm not going to miss another one. And so I started to attend the 2600 meetings that took place in Salt Lake, and eventually, and very rapidly I should say, took those over and helped grow those. And then we decided to do a road trip to DEF CON, and a bunch of us all met up at D's down on 21st South in Salt Lake at like 1 in the morning and then road-tripped to Vegas. So that

started my going to DEF CON, and I knew immediately when I had gone that these were my people, right? I had found my people, and I would always attend; I'd do whatever was necessary to be there. And then, like anything else that I do, I will immediately turn something I love into work, and so I started volunteering. Oh, you know all about that. So I started volunteering, and I've been DEF CON staff for, this year was 23 years. So two decades of DEF CON staffing. I'm old. Gross. A long time. And then how does that pivot, so you're in Vegas, how does that pivot into Black Hat? And

there's probably a few different questions I have on Black Hat, but let's start with that: how do you get from DEF CON to Black Hat? So, DEF CON set up some forums. You remember web forums, where vBulletin was the best thing ever, right? DEF CON set up forums for people to chat when it wasn't the con. Now everybody has a Discord, and you have another one that you were just asked to join, but at the time it was just these forums, and I became one of the administrators on the DEF CON forum. So it was myself and another guy, nlon, and I was complaining

about how much Black Hat costs, because it's an incredibly expensive conference to go to. It was expensive back then; it's even more expensive now. And I was just saying, as somebody who is working for themselves and is, you know, 23 years old, spending $2,500 to $3,000 to go to Black Hat just wasn't a thing that I could do. And a friend from DEF CON said, hey, you could volunteer; I know someone, I'll have them reach out to you. And I was like, yes, absolutely, that sounds great. And so I was expecting to go out to the US show that year; this was in like January, early February, and I was expecting to go

out to the US show to help volunteer. And then this woman who ran Black Hat at the time reached out and said, one of our volunteers for our Windows show (they used to do a show just in Seattle, centered around Windows, in Microsoft's backyard)... they were like, one of our volunteers dropped out; can you be in Seattle in two weeks? And I was like, absolutely. And I went out and I volunteered and it was a great experience, and they liked me. And then they went off to Europe for the Europe show, and the guy who ran the network for Black Hat at the time packed up all the equipment for Black Hat

Europe, but then he left it on the loading dock in Seattle, and they flew off to Amsterdam without any equipment for the network. And so then he didn't do that job anymore. And DT, Dark Tangent, Jeff Moss, who was the owner and founder of Black Hat and DEF CON (he has since sold Black Hat), at the time he called me up and said, we really like you, you seem sharp; you want to run the network for us? We'll take you to all the shows and we'll pay you and you can bring a team of people and you can do all that. And I was like, absolutely, yeah, like that

sounds amazing, let's do it. And so I went out for the US show and I brought two friends with me. One was a guy named Deadhead, who came out to the 2600 meetings, and the other one was Comp, who, if you know Comp, anybody who knows Comp, he's part of the crew at SAINTCON, DJs, does all kinds of stuff like that, old-school 2600 and DC801. And that was not enough people; three people trying to run the network for, at that time, 1,200 to 1,500 people was still not enough. But the Black Hat network was crippled most of the show usually; like, it was down over 50%

of the time, and at that show it went down for only 15 minutes, for one period, for 15 minutes. And I walked around and was talking to the trainers, saying, hey, sorry about the network, whatever, and one of the trainers, his name is Greg Hoglund, he said, oh yeah, I have a zero-day for those access points that you're using, and so I just showed the class. And I was like, thanks, bro. But yeah, so they were super happy with me, obviously, and the network, and they were like, oh yeah, you're definitely in; you're coming forever. So now, at the time, again, 1,200 attendees, 15 training classes; this year, 255,000 attendees,

90-plus training classes. But they handed that network over to a 23-year-old kid, right, which I don't think they would do now. Maybe they should, like, I don't know, you'd have to get out of the way, we don't know what we're doing. Yeah, so would you? So yeah. And so then that expanded: review boards, all the other stuff you're doing at Black Hat. Yeah. How did that pivot to, and maybe we're jumping back in time a little bit, but suddenly you're like, I'd like to author books and then produce books? Take me through that. How does one author a book pre-Amazon books, where you could just go throw up your own publishing?

Yeah, this was like an actual publisher. So this is kind of like a life lesson thing, where I am what I term a high-functioning introvert. By nature I am introverted. I can be extroverted, but after a period of extroversion I will then go sit in my hotel room and literally just rock until I can soothe myself back into going back downstairs. And so in this case I had just spent a very long day at Black Hat, and there was a gala reception that they were doing, a whole bunch of, all the speakers would come out, everybody would

have food and drinks, and I just didn't want to go. I was like, oh my gosh, my social battery was at zero. But I just told myself, you have to go, you have to go and meet people and network, right? We do networking, but people networking is as important, if not more important honestly, than the actual technological part of it. And so I forced myself to go back downstairs. I walked into the reception, and in a very short time I heard somebody talking about a book, and I was like, oh, I read that book, it sucks, right? Because autism is a spectrum. So

I was like, I just start ripping this book apart, right? And they're like, oh, well, why? And I'm like, well, this is outdated, this is whatever, the structure of the book is done like this, they really should have put this chapter before this, it would have built on this better, but it got confusing because, da da da. And then, oh, well, have you read this? And I'm like, at the time I read every security book you could. Back then, to read every security book in like 2003, because there weren't a ton of them, so as they would come out I would just read everything. And so

I'm just running through these books with these two guys, and they're like, what about this? I'm like, that one's great because it covered this and it covered this and it did this really well, and the author did this and they actually worked with that so you could tell, da da da. We spent 45 minutes talking about books, and then I'm like, oh, I'm just talking to these guys, I should probably go wander around. So I say, hey, it was a pleasure, and I go to walk away, and one of the guys goes, wait, let me give you my card, I'd love to keep in touch. And he hands me his card and it says Andrew Williams,

Vice President, Syngress Publishing. And I was like, no. I'd just been ripping apart this publisher's books, right? I was like, the editing sucks on this one because blah, right? And he was like, ah, and I'm like, ah, right. So he was like, look, man, I really enjoyed your candor. I'd like to put you on a list where we're just going to send you whatever security books we publish. And I'm like, oh, hell yeah, let's do that, because I am poor. So I was like, yes, please send me your books. And I didn't think he'd actually do it. He said, you know, send me an email or

whatever, and then two weeks after the show a giant box, well, two giant boxes, show up, and it is their entire security library. And then from that point forward, every time they published a security book I got one, and he would just reach out to me and be like, what did you think? What did you think? And then he started saying, we're thinking about doing a book like this, do you think we should? Is it the right time to do it? And I'd be like, yeah, that would be great, blah. Who do you think should write that? Maybe so-and-so. And he would, and then it would come out like nine months later, and I

was like, ooh, I'm having an effect on what security stuff is going to be. I thought that was cool. And then at a Black Hat he was like, what do you think? What's the next topic? And I was like, oh, you should do a book about this, and to me it was strike-back type of stuff, like aggressive network self-defense. And he was like, yeah, we should do that. And I was like, what do you mean, we? He was like, I've been giving you free books for years now, it's time you make me some money. And so I

was like, oh, fair enough, but I don't know how to do that. And he was like, we'll help you. He's like, you can co-author it with a couple other authors, you write a few chapters, they write a few chapters, you'll be the technical editor that'll oversee the flow and the feel of everything. And I said, okay, great, I'll do that. And he was like, okay, who do you want to do it? I said a bunch of names who were all friends from Black Hat, and he's like, those are all really heavy hitters, and I was like, I call them friends. And then we did the book, right? So that's how I did

the first one, and then I've done two other ones. I did them also rapidly, and then I was like, this is hard, and I stopped. Doing a book is great because it looks great on a resume. You do not make money. You are not Stephen King when you're writing a security book. You're going to get some money; my royalty checks would come after the first year or two years, then the royalty checks would come every quarter and it would be like 75 bucks, and we would go to a Sizzler, because I thought that was funny. I just thought it was funny to go to Sizzler

with your royalty check. So, but yeah, that's how I ended up writing books. So go to the party, fight the introversion, go to the party, say hi to the people, insult their work, and maybe it will work for you. How did you go about starting your own third place? So you briefly mentioned going to 2600, then you said you took it over. How did that turn into DEF CON Groups? So yeah, again, I grew up in New York, which is where 2600 is from, right? That's where it's based, it's published there, that's where I guess the flagship meeting would be, in Manhattan. So I grew up with those

meetings, and I came out to Utah, again getting stationed here, and the first meeting that I went to was at the ZCMI food court, if anybody is old enough to remember that, at the mall. And when I got there there were six other people, so seven including me, and I was like, this is not a lot of people. Coming from New York I was just like, this is not a lot of people. So I approached the guy, Kenny, who ran the meeting at the time, and said, would you mind if I put up flyers and magazines? And I did a bunch of stuff just to try to drum up attendance,

and this was at the first meeting. This is just the kind of glutton for punishment I am. And he was like, you can take it over. And I was like, not what I intended, but I guess, okay, right? And so I took over the meetings in Salt Lake, and in short order we were, as you can see, Utah has a really strong security community, like really strong. Look at SAINTCON, look at BSides Salt Lake, look at this. There are BSides that have been running for multiple years that have fewer people than are in this room right now. And so I don't know why that is, I

don't know what causes that, but it has been true for 20 years. And so we had 50, 60 people showing up in a food court giving talks to each other and messing with the pay phone, right? But 2600 started getting political. They were literally, in the editorials, they would say, you should vote like this because this bill is coming out and this person would make it better for hackers and stuff. And I don't care if it makes it better or worse for hackers or whatever; what I do care about is someone telling you how you should vote, right? I was like, I don't think that is a good way of using

that influence or whatever. Let people decide for themselves. And so I was like, there's no alternative to 2600 though, so where else could do this? And the only thing I could think of was DEF CON. And so I called DT and said, hey man, here's the situation with 2600, what would you think if we started doing DEF CON meetings? And he was like, yeah, that sounds great, call Russ Rogers, right? And so Russ is really, really well known in the community, and I call him the head vampire of hackers, because he's the one who said, hey, do you want to volunteer at Black Hat? I know

somebody who's really well connected. So I called Russ, we chatted about it, came up with the structure for what would become DEF CON Groups, and then we started DC801 and DC719, which is Colorado Springs, where Russ lived. And we ran those meetings for about six months before we announced that DEF CON Groups was going to be a thing at DEF CON. So the very first DEF CON Groups are DC801 and DC719. At the time 801 was all of Utah, right? So yeah, congrats, you're an OG. So now they're everywhere, all over the world, right? But it started here, with Utah folk. So I think we got a pretty good

handle on your background, how you got into this. I kind of want to pick your brain a little bit now. You've been doing this for a minute, right? You've been in cybersecurity, you've been doing that as a day job doing different tasks. I know we threat hunted at multiple orgs for multiple years when we both worked at RSA, and I kind of want to just pull some of that out of you. Of the engagements that you were on, what was your favorite offensive engagement that you ever dealt with? Oh, offensive, okay. So yeah, I did pentesting, red team stuff or whatever, for years and

years. I was very much offensive focused and then switched sides and went to the blue team side of the house. But during that, you never really give up that love of breaking into stuff, right? And I honestly believe even as a blue team person you should have those skills. So if you're not working on those skills, compete in CTFs, do those things, because knowing how an attacker is going to target you will help you be a better defender, right? So I still did contract work on the side doing red team stuff and physical pentesting. And so probably one of my favorites was, I was on

vacation with my family in LA with the kids, we're doing all kinds of touristy stuff, and at one point we were like, we're going to go up near the Hollywood sign. We go up by the Hollywood sign and we're trying to find a good place to take pictures of it and stuff. At one point we went down some road and there was a very small reservoir and a dam, but it was like Fort Knox. There were multiple fences that had razor wire on the top, electronic locks on the gates, all kinds of interesting stuff, and I'm staring at it, like the number of cameras was just unhinged, and

I'm like, why does this little spot have so much security? I'm staring at it and staring at it, and my wife said, are you casing that right now? And I was like, yeah. I was like, look at it, why is there so much there? And I'm trying to figure out, well, where would I get in, right? I think most of us probably can relate with that. When you're into security, you start looking at the brand of locks, you start looking at where the cameras are pointed; it just becomes part of you. And so I was doing that and I was like,

man, that's cool. And then we left our vacation and went home, and then at a certain point, a year, two years later or something, a friend who I did some contract stuff for called me and said, hey, I need you to fly out to LA, we're going to do a physical. Come and take a look at what we're up against, we're going to go do reconnaissance on this place. And I said, great, let's go. We go out and we're driving around and we're getting up into the hills, and I was like, wait a minute, is this what I think it is? And then sure enough, we pull up at

that facility, and I was like, the universe has provided, right? And I got to break into the place that I was casing a year or two years prior, and so I just thought that was great. And it was such a ridiculous operation, where we literally were dressed all in black, climbing over barbed wire fences after already having broken in and taken over the surveillance cameras, moved them so that we could get over the fence in a certain spot. We're on radios back to the man in the chair, saying, okay, we'd already cloned badges, but we were like, we're at door two, because

we'd also taken over all the locks, and he's like, opening door two, and it was like, beep, and it went green, and I'm like, that actually worked. It was the most Hollywood-style physical I've ever been on, and it was under the Hollywood sign, and I was just like, this is baller as hell. So yeah, that was, and eventually we did run away, because we finished and then security was moving around and we were like, we've got to get out of here, and we had to go over a fence and then run up a hillside, and then we were running through the backyards of like $2 million houses trying

to get away, and the guys who were supposed to pick us up weren't responding because the cell coverage was terrible up there. And so, and I love this, I called an Uber and we got an Uber and Ubered back from our op. It was fun. What about defensive? Defensive was with you. We went out to do a hunt for a company that was an incredibly large financial organization; all of you would know the name of it if we said it, but we won't. Hundreds of people on their security team. In this particular office that we went into there were, I think, 39

people that were in their SOC actively at that time. We're in to do this hunt because they're saying, we want to do more threat hunting. We sit down with their SOC director and he says, well, kind of show me what your technique is like and what you guys are going to do. And Pope is like, okay, well, what we look for is outlier stuff. This is a game of outliers. We're going to go in there and we're going to look for things that just stick out to us, make the hair stand up on the back of our neck, that kind of thing. But it's easier if you go backwards from the

lowest number of sessions, protocols that are outliers, that aren't used a lot. So we're going to take a look at, let's say, and he's looking through the metadata for all this traffic that's going through this site, and he goes, let's take a look at FTP because there's a really low number of sessions of that. And this guy goes, oh, we don't use FTP. Then Pope says, okay, well, I can see that there's FTP traffic here, so this is perfect, right? If you're saying this shouldn't be here, then this is a perfect thing to go and check out. And he's like, no, you don't understand, we don't allow FTP. And so again Pope is

like, great, but it's here, right? It's not a lot of sessions, it'll be really quick, we'll click through, see what it is. And so we look at it, and it is the most blatant, like, and who knows if it was somebody just trying to be overt about whatever, but one, it's FTP, so it's clear text. The files that were being sent were zip files, so those were also non-encrypted. The host that it was uploading to, the FTP server, ended in .ru, like not even trying to hide, right? And we're like, this is crazy. We look at the timestamp and it's like 1:00 a.m.

And then he's like, so what is this, like, should this be going out? And the guy's like, uh, no. And he's like, well, what is that file? And Pope's like, well, this is your file, so if you want to open the file you can open the file, but I can't open your file. So the guy's like, yes, I want to open the file. So he sits down, extracts the file, he opens it up, he opens up a spreadsheet that's just a bunch of columns, all kinds of stuff, whatever, and then he made a sound that sounded like the wind got knocked out of him, like somebody had punched him. He made this

sound, and then he closed it really quickly, and we're looking at each other like, what was that, right? And then he goes, you didn't see that. And I was like, out of curiosity, what did we not see? And he goes, that is every financial transaction and trade that we have made in the last 24 hours. And we were like, so bad. And then Pope again goes, do you want me to see if that has happened before? And he's like, yes. And so he starts filtering stuff, and filters on the data that we have, metadata-wise. I think we had 6 months of metadata in there, and it was every day

at 1:00 a.m. for 6 months, as far back as we could go. So we don't know how long that was going out, but it was every day, 1:00 a.m., to an FTP server in Russia, every financial transaction and trade that they had made for half a year at the very least, and who knows how much longer than that. And that happened within five minutes of him sitting down, and I was like, some threat, right? We lost him, he was our liaison, and then he was gone. He left and we didn't see him for the next 3 days that we were there. He just was gone, and we're like, oh, he's

dealing with that. But it's one of those things where I think it is a lesson: you cannot just say, oh, well, we don't do that, or we don't allow that, and then expect that that is just what's happening. You have to assume that you're compromised. You have to assume that things that shouldn't be there are there, and go look for those things, because approaching it with the attitude of, well, yeah, but we don't allow that, so we don't look, right, was just wild to me, and in this case it bit them incredibly hard. Yeah, I just love that story because it was minutes. It

was literally a five-minute sit-down. And you've spent the last decade doing threat hunting. What do you think is so important about threat hunting? Why a decade on it? I like it because, again, the mix of, I feel like you kind of have to have some red team slash pentesting, offensive capabilities, skills, to understand, here's what I'm going to go look for. I like going into an organization and saying to them, okay, tell me all about your environment, tell me the ingress and egress points of the network, tell me the technology you're using, tell me all about it. And then I sit there and go,

all right, and we would discuss, well, if it was us, where would we hit them? If we were going to exfiltrate data from this organization, where would we steal the data from? We look through all their stuff and we're like, probably here, and then we go look there. And I mean, we always found things, like always. And so for me, we spend a lot of time on defense trying to keep attackers out, and we're constantly doing this block and tackle, like keep them out, keep them out, keep them out, right? Really crunchy outside, but often ignoring the chewy center, because we're so focused on keeping attackers out we don't really

take the time to ask the question, what if they're already here, right? And as somebody who, I sound self-serving, as someone who was focused for a decade on threat hunting, but I believe that that is one of, if not the most important question that you can answer about your environment: am I already owned? Because if you are, then it doesn't matter what other technologies you deploy. You're deploying them in an environment where an attacker is watching you do it, so they can move and shift and mitigate around the things that you're deploying, because they're watching you do it. But also, if you say, oh, we're going to hire a company

to come and do a pentest for us, and you have an attacker that's in the environment, they can sit there and watch you, but watch the pentesters. And maybe they're stuck, maybe they've reached the limit of their skill and they're caught in one segment of the network, but you hire a pentester and they come in and they're just like, pew pew pew, and they're kicking in doors and stuff, and they're really good at it, right? Now that attacker just watched them kick open a door that they didn't know they could get through, and they just go, oh, that's how I get through there, and they follow you through, right? And so if

you're already owned, you can deploy all the things in the world, you can do all the services you want, but you might just be enabling and teaching an attacker. So being able to set a baseline and go, we're not compromised, let's build from there, that's why I think hunting is incredibly important. How does that lead you to Twitter pictures of you at, say, the White House or NATO? I don't know if I put them on Twitter. So yeah, one was the Grifter pics one, freaking lean. But yeah, so I have been to the White House to talk to them about hackers and hacker culture and things like that. That actually was

more from, so I helped found the hackerspace in Salt Lake, 801 Labs, and had been doing that for years, and then the White House had this initiative where they were trying to get to know hackers and makers and stuff like that. And so they invited a bunch of people from different hackerspaces to come out and have that conversation with them and meet with the different representatives, the National Science Foundation, all different stuff, to talk to them about, what are hackers, are they friends, right? And so that was really cool, to get to go out and represent Utah in that. And then NATO was just, somebody

saw me speak at a conference on threat hunting and they were like, we want that guy to come. And so they knew I worked at RSA, and so they contacted someone at RSA and said, we want Grifter to come out and assess our threat hunting program for NATO. And my boss called me one day and said, hey, NATO called, they want you to come to Belgium and meet with their cyber command and assess their threat hunting program, to tell them if they're doing it right. And I was like, whoa. And I was like, so what are you asking? And he's like, can I come? I was like, yeah, you can come, and

we're going to Belgium. So we did, and we went out, and that's probably the craziest physical security on any place I've ever seen. But yeah, better than the dam? Way better. I would not have been able to get into this place. Well, maybe I'd get in, but I wouldn't leave alive. So what are your thoughts on threat intel? Is it just Twitter? Yes, Twitter is threat intelligence. I know we joke about stuff like that, and I know we both agree that when something pops off, getting on Twitter and watching all the researchers talking about stuff and sharing information, like I was doing that when the CrowdStrike thing kicked

off. I was chatting with friends in different Slack groups and doing whatever, and I'm tweeting out, here's the workaround, right, do this, change this, do whatever. So I know we joke about it, but there actually is value in Twitter, for sure. But to me, I guess to a lot of people, threat intelligence is a bunch of feeds that they either purchase or are open source, and a lot of it is IP addresses and file hashes and host names, and those things are valuable for, in my opinion, a very short amount of time. And this is just the Gospel According

to Grifter, but they're high fidelity and very useful for a short window. But those things are really low on the Pyramid of Pain, right? An attacker can change those things very easily. The type of threat intelligence that is valuable is TTPs, so tactics, techniques, and procedures. These are the ways that attackers conduct business, and in some cases it is legitimately business, right? We're talking organized crime, that kind of thing, or nation state. And so being able to understand, this is how this attacker or this attack group is going to come at me, and these are very, very skilled groups, means that you should

be able to say, okay, I work in healthcare, and I know that the five groups that are most likely to target healthcare are these five groups. I know that they use these types of techniques and these types of attacks, and they use these tools to do it. Those tools leave behind these artifacts, right? That's real threat intelligence. An IP address is fine, you should still ingest those things, but knowing this is how they're going to hit me because I'm in healthcare, or this is how they're going to hit me because I'm in manufacturing, it's going to be one of these five groups, being able to take that kind of intelligence, map it to

something like MITRE, and say, here's all the data on this group, and then go in and make sure that you're covered, that you have visibility into all those attacks, to me that is where you end up actually reducing risk for the environment. Because if you can go to your board or C-level folks and say, I have gone and looked for the evidence of these types of attacks, which are done by the five most likely groups to target us, and you can confidently say we can detect those attacks, everything they throw from those five groups, again, Gospel According to Grifter, but if you can cover the top groups to target your vertical, your

business vertical or your industry, everything that's in the OWASP Top 10 and everything that's in the latest version of Metasploit, your risk level is phenomenally lower than most organizations out there. And I say that confidently, having consulted for some of the largest organizations that exist, that they're trying, but they're often trying to do this giant sweeping thing and they're not focused on their direct threats, right? And so spending the time to figure out, based on really high quality threat intelligence, who is most likely to come for us, well, let's make sure we're covered there first. We can worry about the kid in their parents' basement in Wyoming later, but let's make sure that, you know,

Angry Panda Snake of Doom or whatever isn't coming for us. So, pentest, red team, purple team: I've got budget for one, what do we do? Purple team. I feel like pentesting is great, and it makes you feel good to be like, I hit you in all these places and I found all these vulnerabilities and I exploited all these things. Because there is a difference between pentesting and red teaming, right? Pentesting is a numbers game. You're going in for as many things as you can get, you're kicking in as many doors as you can get, you're exploiting as many things as you can get, and

there is value in that. Red teaming is going in with a specific goal, like, we're going to go and we're going to get domain creds, and we're going to do it while emulating the attacks of this group, let's see if we can do that, right? Those are wildly different things, so don't let people tell you they're the same. But they're adversarial in nature. If you hire a company to come in and do that for you, your blue team is going to be sad, because what you're doing is putting them in a position where an outsider is coming to tell them where they screwed up, right, or where they're blind, and that doesn't feel good

for anybody. Again, I've been on the blue team side of the house now for over a decade, and I know what that's like, to have an outsider come in and be like, you did this wrong, and you're like, yeah, well, we don't have a budget, right? I know it's wrong, but I asked for this and they didn't give it to me. But if you do a purple team, where you literally get an offensive group and have them sit down with your defensive folks, and they say, here's what we're going to emulate today, I'm going to launch that attack now, tell me if you see it, and then they push

a button, and then they go, did you see that? And you're like, I didn't see it. And they're like, okay, let's figure out why. That's collaborative, right? It's not aggressive. It allows you to build a relationship with that group, so that later, when they come back to do a pentest or red team, you don't feel like you're being abused or pantsed in front of everybody. You're like, oh, you know, that's Kevin, he helped us with the purple team stuff, and now he's coming to kick our teeth in, but I like Kevin. He's got two dogs and he went to Hawaii last year. You know who's coming for you, and

it makes it less aggressive, right? Back to Black Hat a little bit. You've done a lot of years on that network, defending it, watching these attacks. What's the craziest thing you've seen on the Black Hat network? Honestly, there's a lot of stuff. We see a lot of stuff, and we see things that we're just like, whoa, really? Including what we saw in Singapore this year, which we can talk about later, but that's not the craziest thing. The craziest thing was probably that one US show where we started seeing data come across in the clear that looked like pictures of a guy's house, and then

license plates and the cars, the corporate espionage one, yeah, the wife and kids and stuff, and then it was like, this is where he goes to get coffee. It was all this stuff that was really deeply personal about this individual, and we honestly were like, this person is in danger, right? There is enough data here, and this person's here at Black Hat right now who has all this information about this individual, and they live in Spain, so is there a hit on this guy? What is going on? Because the level of private information that somebody else was sending back to a different organization, we were just like, this guy

might physically be in danger. And so we did spin up our connections with MGM, who owns Mandalay Bay where Black Hat's at, and law enforcement, and say, we need to make sure that this guy is safe, right? And ultimately, some of you can probably guess what it was, and it was a private investigator. And so what we ended up finding out in the postmortem from that was that this individual worked for a pharmaceutical company in security, had left, and then went to work for a different pharmaceutical company, and their original employer thought maybe they had stolen a bunch of data and were going to give that to or use

that at the new company. And so they had a private investigator tailing this guy everywhere for months at this point. But again, I think that was one of those ones where we were like, whoa, someone's gonna die. So it made it very real, right? But lucky for us, that private investigator just didn't encrypt anything, and so we saw it all. So yeah. Getting a black badge at DEF CON seems trivial and easy, right? Anybody can do it, just walk up cold. What was your first time ever attempting to go after any one of those contests or challenges at DEF CON? So I guess, as

for a point of clarity for those who don't know um Defcon there are many contests at Defcon um only a few of them get a each year get a black badge and black badge is if you win that contest you get free entry to Defcon for life um and so it's highly sought after um we started doing it at Defcon 10 and um and we we actually give away um 16 to 18 every year but eight of them go to the CTF like the main CTF just because it's the CTF right so so um so of the this year there were 70 plus um contests there are eight to 10 that are are given out to those other other 70 um to split

and it's randomized. Like, each year basically the contest is supposed to be so difficult that it's worth free entry to DEF CON for life. I have won three, and I did that with a contest called the Mystery Challenge. The Mystery Challenge was something that a guy named LosT, if anybody knows who LosT is, put on. Eventually he ended up making the badges for DEF CON for many years, but to me it was the most complete hacker challenge that I had seen. In order to even begin playing you had to do a bunch of logic puzzles, break a bunch of different ciphers or decode a bunch of different ciphers, jump

through a bunch of, like, mini games basically, and then you would get to a point where you would be given what we called the mystery box, and that was different every year. Like one year it was quarter-inch plate steel with a bunch of bars across it and locks, and it had a display on the top of it that if you tried to tilt it, it would start counting down until you, like, don't tilt it, right? We're like, what is happening? But when you'd get inside that box there would be more puzzles, schematics that you'd have to put together, circuits. Like, there were phone phreaking aspects to it. There were all

these different things, like we had to build and then code a circuit that had a laser diode that had to pulse at a certain thing on a table, which would set off a projector in another room that would flash a bunch of things that you had to hold up a cipher in front of, that would light up certain things on that cipher, and then decode that. It was wild. Like, my favorite thing from that challenge was one year LosT gave us a book and he said, this is a library book, don't damage the book. Like, everything about the contest was you had to do it with finesse. And so, long story

short, on this book, it had all these beautiful pictures, but inside were all these things that basically came out to X marks the spot. And in the cover of the book, in the very cover, it said "ex libris Lost Boy" on a little sticker, a golden sticker, and I was like, that's from the library of Lost Boy, and I was like, ex libris, does that mean that there is something under this? And I'm like, we're not supposed to damage the book. So I'm in the bathroom with a blow dryer heating up the sticker, sliding a knife under it, like, trying to lift it up without damaging it, doing whatever, and there's nothing under it. And I'm

like, and I start, like, rubbing on it to see is there something, heat-sensitive ink or whatever, and I can feel a bump of some kind, and I'm like, what is that? And I start scratching it and my fingernail goes through, and I start to kind of rip along it and it peels back, and there is a microSD card embedded in the cover of this book. And then on that SD card were a bunch of MP3s, and inside the MP3s were things that were encoded that you could only look at in a spectrum analyzer that actually, like, showed... It's wild. Like, the most insane challenge, and I loved it because it consumed me. I would just

do that all weekend. But it made me learn new things, right? Like, I would come up against things that I didn't know, and I would be like, I have to learn that before next year, right? And in one case I traded information about this box to another team, because I couldn't pick locks, and there were these locks on the box and I couldn't pick locks at the time. And I traded them this information so they could get the box, and they were supposed to pick their locks and mine, and the locks were really difficult and they couldn't do it, and we ended up cutting them off with a grinder. And I was really upset about that because I

was like, I gave away this information, helping accelerate this other team. I still beat them in the end, but I was annoyed by that. So when I left DEF CON I bought a few hundred worth of locks and picks and practice sets and stuff, and I spent the next year sitting on my couch watching TV and picking locks. So when the next year came, you know, we got that year's box and I dropped those locks off in like 30 seconds, and I was like, I learned something because that contest forced me to do it, right? So I love that about the contests at DEF CON, or places like BSides, where it's like,

go compete in something, find the places where you're weak and fix it, right? Learn something new. And now I have a lock problem. Like, I own far too many locks. So, yeah, it's a problem.

Yeah, so that's probably a great place for us to end, with that sage advice: learn something new here at this conference, you know, something, maybe a presenter, or try a CTF, or all the other advice that he's instilling upon us. Go into the networking lounge, go to the resume, go meet somebody, break your comfort zone a little bit and learn something new. Thanks, Neil.

No worries. Thanks for having me.

All right, thank you so much. We have a couple of gifts for our two speakers here. We're grateful for them and all that they've done. Thanks again for everything, and we'll go from there. We're obviously a little bit behind since we started a little bit late, so what we're doing is we're moving, or we've adjusted the schedule online, but all the track two presentations are going to be 30 minutes back, so everything's still going to be there. And then Pope's next, right here, so he's volunteered to eat that time, so we should be good. Otherwise we'll be back on track, and everything on the schedule online is up to date and current, so we'll go from there. We should

get rolling with our next things in about five minutes, assuming it


I was leading a training for a large US organization on threat hunting with network traffic, and I come up with queries and ideas, right? Here's a hypothesis, let's go look for that result, let's go look for evidence of that thing. And one of those was looking at user agents. Let's go look at user agents, and I like to flip things from top to least, and we flipped it to least, and at the bottom of the call we're seeing a bunch of these Windows 2005 long-string user agents. Now I'm not the smartest person, but I didn't remember a Windows 2005, so it caught my attention. I was like, that's interesting, super weird. I also want to mention, if you're just

trying to do, like, user agents across the entire org, you're going to have a bad day, but when you're narrowed on a critical asset or a certain subnet, this is where we were at. And we do some investigation on that and we see that it's going to a Russian, speaking of Russia a second ago, going to a Russian IP address. Okay, interesting, but it could be nothing. Maybe it wasn't a successful connection, maybe it was just hitting a web app server and it was blocking it, right? You can see that traffic, but maybe we're not seeing the other side where we're getting a 200. What was it, to what extent? If somebody's just browsing a website with

a weird user agent, who cares, type of thing, right? So we pivot off of that and we see a whole bunch of other logs connected to it, like encrypted and unencrypted logs, and one of those, with the small count, was SSH. And I was like, that's interesting. Is that something that got blocked? And we're seeing, you know, it depends where you're tapping: if your tap's pre-firewall maybe I can see it and it didn't actually connect. Sure enough, success equals true, authentication, it was connected. And even inferring through SSH traffic I was able to infer that there was traffic on SSH with keystrokes in the last 10 minutes of time carving. And so that was a training class. I think it

was like 20, 25 people, and I lost two-thirds of them in that class as well. They had something more important to deal with and couldn't sit there and listen to me training anymore. Full IR engagement. So this is me. You heard a little bit of it if you were here at the beginning, but this is my day job. This is who lets me come here for free and, you know, not have to take PTO. So I work for Corelight, and I am one of the SOC leads at the Black Hat NOC, thus some of the Black Hat stories we were talking about a second ago. I'm on the committee and help run BSides Cache here, although

Ivan and Margie are doing most of the real work, but I've wanted this idea, to turn this into fruition, and so we finally pulled it off, so I'm super excited about it. I help run Salt Lake as well, and SaintCon. I get our keynotes there, and I'm super stoked about that one. Also DC435 I'm a big proponent of. I'm here at Bridgerland usually every first Thursday, so if you want to find your third place, like-minded people, past this conference, show up to that. I sit on our OS Champions team, so that's what we're going to be talking about today, all the open source stuff. This is the team that I've made here at Corelight

called the CON team, and then the other various things that I'm a part of. Enough about me. What I want to talk about is leveraging network traffic to provide value to organizations, right? And something that you could just go home and do at your house, something that you could do at a business organization. No SKU required, no purchase required. That's the beauty of open source. So what does a business really want? A business doesn't want security. They could care less about security, right? Nobody actually wants security, right? And I know that's funny, we're all in security, but nobody wants security. What do they want to do? They just want to sell their wares. And I understand

that, depending on your industry, maybe it's a service, maybe it's wares, but regardless, they just want to operate their business. They're not interested in security. And for this hypothesis I came up with, I like dinosaurs, so I came up with a dinosaur name and I had ChatGPT, said, you know, make me a dinosaur SaaS product, and this is what it does. Not that it matters or cares, but this is our organization that's just trying to make money. Let's just say it's a $50 million ARR company, very successful dinosaur company, and it just wants to sell its wares. It could care less about security, right? Oh yeah, and we got a, you know, a

worshipping-dinosaur future overlord scenario thing happening there. So they just want to sell their wares, so why does security get involved in this situation at all? Well, there's a few buckets, and I'm not going to say this is a comprehensive list, but A, they want to keep their customers secure. You don't want to transact your wares and then every time that happens I steal your credit card or your PII, right? You don't want your customers to get compromised through the operation of that business. Brand reputation: if you get known as being compromised a lot, does that negatively impact? Depends on how big of an organization you are. Unfortunately, some it doesn't, some it

does. You don't want to get your stuff shut down, and this can happen either intentionally or not. Sometimes through security you end up with services and servers that go offline unintentionally. It wasn't necessarily a DDoS against it, but it did deny service to it, right? Take away the first D, it had a denial of service against it. So they can lose the uptime of the critical web server that's transacting a million dollars of credit cards every minute and thus lose revenue. Business wants revenue, right? That's what business wants. They don't want security, but security can help enable that. We all get that. I just want to level set at the very beginning how to get back here. So yeah,

and they don't want their systems to be used to attack others. And sometimes they have to: compliance is a real thing. If you want to operate in certain countries or states you need to, and that depends on the type of data, how big of a business you are. California has $50 million limits, so our company, maybe we're $49 million to not have to comply with that, but we do have to comply with these other options of it. So when we look at ways that we could accomplish some of those, how do we turn these toolings into something that can be useful for an organization? We have some options. And I'm here talking about network

visibility and security, but EDR is super critical to an organization, and if I'm starting a SOC today I'm starting with EDR, right? I'm going to throw up a syslog server and start dumping a bunch of other stuff as well, but you pretty much have to have an EDR. So I'm even saying before you go Docker up Zeek, you should probably have EDR. There's lots of different logging that's available. Applications, there's a ton. These are just some ideas to get your brain going. That literally can be an infinite number of things for application logging. Host logging, ways to gather those, collect those, are things on the host that you might want. Networking equipment, from firewalls to

switches. Identity logging, cloud logging, and then the one we're going to focus on today, which is network. And then there's another bucket because I know you can log anything. So organizations that I've run into have different buckets of what even, say, compliance means, right? So is this an organization, is our dinosaur organization, one whose only objective is to check a box, right? And if your objective is to check a box, they can probably figure that out, and you can spend this type of dollars to check a box, or sometimes you can do those with free tools. Sometimes you find if you buy the name-brand tool it's easier to check a

box because the person doesn't ask questions. I'm not saying if that's a good or bad thing, but if your goal is to check a box you can probably figure that out. The next tier is you have those logs and you're creating alerts off of them, right? So you're logging a thing, and that thing, whether it's in some sort of a playbook or a SIEM or something else, is, I saw this type of log, this type of log potentially is bad, therefore ticketing system, right? Goes in here, we work the queue. Even better, you have those logs and you're using them to validate or invalidate those alerts. So not just that I got an alert, but can I prove that that

is a real thing or not? Is this a real attack that Russia wants? Do I know that it got stopped at the firewall or that they connected past, right? Validate or invalidate that. And then better yet is a lot of what Neil was talking about a minute ago, and that is beyond the alerts, going and looking. So hunting, being proactive outside of just that queue. That big company I was talking about, that, you know, we walked past 36 SOC analysts on shift at that time, found a compromise in under 10 minutes, something blatant, easy, they should have caught. But they are doing a good job. They are working their queue. Everything in their queue they're doing

right. I come in, I look at my P10s to P7s, I get those, I start moving down to my mediums. They're working through that, but they're missing things that aren't being alerted on that could be a detection, or in some scenarios can't be. Yeah. Are your logs just in a random bucket with logs, or are you doing something with those logs? Okay, so for EDR, here's some challenges of EDR. I already told you I'd start there, but there are some legit challenges with EDR. The issues with it is you can tamper with it, and there's various ways you can do that. I'll drop a few here. People can just disable them,

especially if you've got access or can privilege escalate with it. You get system access; if you've got system access you can just turn it off. A lot of times people are just sinkholing them, right? They're just saying, like, oh, the telemetry reaches out to insert-vendor-name.com, I'm just going to null that traffic so it can't go out. So even though the EDR is doing its job, it's reporting on it, nothing, or some of them can't even report on it because they're using machine learning in the cloud that actually does all the processing and they're literally just like a Logstash push. Can be disabled, can be tampered, can be sinkholed. And there's a new form of

these VM attacks where they're just spinning up a Linux subsystem on top or Android subsystem on top, and weirdly enough EDR doesn't have context. Even though it's this host and it's a sub-host, they lose some state of that. So sometimes people are finding they'll just spin up something that's already enabled, especially on developers and security tools, WSL, things like that. And then if you don't have EDR, or sorry, there are plenty of hosts and systems where you cannot install EDR on them, right? And to name a few here: this is the top one I run into in threat hunting, hosts that the org doesn't even know exist. I was telling an extreme

story earlier, a second ago, of one where they lost an entire building. You can ask me about that later, it's a little bit longer of a story, but 250-plus hosts the security team didn't even know existed, right? Let alone things like ICS/OT. Every org has this, and sorry, I understand there's a lot of intro people, but ICS, industrial control systems, and then, you know, the OT, operational technology. These are the things that are not like, you know, a projector that maybe has data pulled in; maybe you're running a big manufacturing floor and you've got all these really expensive robots to automation machines, anywhere in between. Industrial control systems runs our power grids, runs our water treatment

plants, runs things like that. Legacy systems, there's some still out there that have systems that are so old that they can't put EDR on them. Weirdly enough, I run into this more than you would think: organizations that won't let security install them on it because it's too critical. That seems weird in my head from a security standpoint and risk, but sure, that credit card server that's doing a million dollars per every minute, we will not put a single agent on it because every compute equals X dollars. Well, spec your servers higher. But this happens. They even know it exists, they have a profile, but they can't install an agent on it. This one is more than you would

think too: you think at an organization they own those assets, they can go install an agent on it. Plenty of times they do not. They have acquisitions, they have sub-companies, they have, we're the security team that does this for this. And especially when you get into our government and the agencies and all the sub-parts of that, there's plenty of situations where they do not own that host and they cannot install an agent on it. So what can you get beyond that, right? This is where network becomes super powerful. So as much as I would say if I'm starting a SOC I'm starting with EDR, it's not a perfect silver bullet.

There's other reasons you want to have additional telemetry around that. And weirdly enough, this works too for way too many EDRs: you just reboot it in safe mode, it loses all of its hooks, it doesn't report back, sometimes doesn't even engage. Hopefully that's not your EDR, but try it. You're in security, you're running an EDR team, reboot your host in safe mode from a user standpoint and see if it works. A lot of those now work better than they did before an incident that happened that forced everybody to reboot into safe mode and turn off all their encryption keys. So anyway, it can be tampered. Okay, so we got logs. What can we do with those to prove

that we have the right visibility in the right places? So I'm a big fan of breach assessment simulation. This is you running an attack, whether that's through open source tools, there's plenty of those that exist, there's paid ones as well, you can even run your own, build your own little campaigns, but launching an attack and seeing where you have that visibility. And does it answer the questions, right? If you were to try to investigate that, do you really have the logs you think you have? And unfortunately a lot of orgs do not have the logs they think they have. They're like, yes, we got this, we got this, we got this. Okay, I ran that

attack, I didn't see any of it. Okay, you're not logging something correctly, something's not in the right spot. So the same's true if you've got cyber ranges that you can mock up your environment in, those are great. Pen tests, obviously, great. Red teaming is great, purple teaming is great. These are great opportunities to improve those detections and also improve those visibility gaps and remove or validate those assumptions. There's plenty of times that we believe something to be true: we don't allow FTP in this organization. Well, go look, do you? Because here it is exfilling your data to Russia every

day. Okay, so what's number one on every compliance, every single one? It's like, what assets? Know all the assets in your environment. And then number two is typically, like, know the software that's on your assets, type of thing. It's hard because I've yet to meet an org that's done this right, or they have done sections of this right, and hopefully you're doing that on your critical assets first versus something else like guest Wi-Fi or something else. But knowing your assets, super critical. There are systems out there, whether it's asset management, CMDBs, other ways; sometimes it's just an Excel spreadsheet that people are using. And one of the first things that I run into in a threat

hunt is, what is this asset and how critical is it? And unfortunately that takes a lot of SOCs way too long to answer that question, because they're like, we don't know, there's no EDR on it. If there's no EDR on it, therefore it does not exist, right? And you're like, well, I mean, I'm watching the network traffic right now, it clearly exists. So is it up to date? Does it have things that you don't know about on it? Network, we already kind of covered that. Sometimes people are reaching in, pulling things from DHCP leases, but is that true if it's a static IP? A lot of times the source of truth organizations turn to is their vuln

scanner, which is wild because it's actually scanning across, but I run into a lot of scenarios at orgs where that even has some limitations, because there's different network segmentations, they have different pieces that are or are not deployed for visibility. Sometimes we see firewall policy issues where a vuln scan can do this but can't go there, or we don't scan our production because we're scared it will knock it over, even though every attacker can do it, but we don't do our own, so we intentionally block those. And I used to run a vuln scanning program at an org, and I ran into this more times than I'd like to think, but you have

sometimes the stakeholder of your vulnerability report, AppSec team or whoever, will sometimes intentionally work against you. They will go put iptables or other things to get off your list but solve nothing, and so then the source of truth becomes less and less useful, each piece of this, right? Network, that's my favorite. It's like, this is the source of truth, like this is what's happening. When they say we don't own that host, it's like, how do I have a feed from your network traffic? You're not tapping the internet, and if you are, that's even on off your firewall, but you know, you're not CenturyLink or Level 3 or Lumen, like you don't have

that ability to go see somebody else's business's traffic. This is your source of truth. This is what's happening in your network. Sometimes you are... I have absolutely worked with security teams on hunts where they've had to go into switches to figure out what hosts are. Okay, so we're going to focus on network. There's ways you can start this, right? You don't know anything about this: free tool, tcpdump. Go on your Linux machine, just run tcpdump. There's a lot of flags, we're not going to get into that today. Just start with that: tcpdump, pick your interface name. Ask ChatGPT how do I do a tcpdump, just Google it, here's a result, run it. You're going to

see this thing just start spitting out stuff, and if it doesn't, you did it wrong or you're on the wrong interface, because if you have anything connected to the internet that thing's going to start just dumping. I'm not as smart as Elden and I can't cat and regex everything from memory, and so this is useful for me. I use this a lot for troubleshooting things, especially when they're like, is this thing connected to this, or is it getting this feed? I'll tcpdump that. But it becomes problematic at scale. Wireshark, I'm a huge fan of, another open source tool. Get Wireshark, grab a pcap off the internet, malware-traffic-analysis.net, go grab one, put it in there, go look at

it, figure out the filters. Wireshark 101, I think it's a great thing. I run into issues with large files. I got a nine-gig pcap; there are ways to figure out what you're trying, but it's hard, and most of the time it'll just crash, and every time I figure it out, then the next time I try it again I don't remember how to do it. The next is, like, that question is, okay, I got this pcap, was somebody communicating to Russia yesterday? Were they communicating 30 days ago, 60 days ago, 90 days ago? Becomes very hard with pcap, right? And then storage of that pcap. PCR, producer-consumer ratio, I wish I had

time to get into that. That's one of my favorite things to do. It's kind of like your own little free version of a UEBA that you can go and baseline things with for free. So if you're using a SIEM, we're going to show some stuff in Splunk, you can do PCR in those. Some have enterprise things with Elastic or Splunk that you can pay more money and it does fancier stuff for you. So then there's NetFlow and firewall. If you've got nothing, then use that, right? The issue I have with those is I'm missing so much context to answer the question as fast as possible. So if I got nothing... these are usually your 5-tuple and, like, a

service, right? Source, dest, port, how many bytes are sent, maybe I know it's SSH. There's different versions, NetFlow v5 and v9, we're not going to get into the differences of that. Different firewalls have different things like App-ID, etc., but they typically run out of the context I need quick and I've got to go to other sources to go pull stuff in. But if you've got nothing else, go grab your NetFlow. Pcap, this is a source of truth. We love pcap. Problem is, stupid expensive, and every time I freaking ever had it installed somewhere and needed it, it was already rolled off and gone. Every time in a compelling event I'm like, yes,

we got full pcap, we're going to that full pcap. Oh, that was only seven days of full pcap. Petabytes of storage for full pcap. There are ways to do pcap with a little more thought process about doing it around critical assets and things like that, but whole-org-wide, terrible idea, you're going to have a bad time. You could do it to check a box, like, yes, we got pcap, boom, yes, I'm compliant, if you just want to check a box and you have something that says pcap. That has actually changed, because people didn't really understand what that meant. It's leaning more and more in; everybody's getting to metadata, metadata of that pcap. So instead of, let's just

say, instead of a gig, you're at anywhere, depending on how much metadata you're collecting, 3 to 12% of that, right? So you're logging it into actionable things without the full data. I'd love to have full pcap on everything every single time, that'd be amazing, with something that let me query it to narrow it down. If you ever try to just go full, like, Wireshark nine gigs of data, you need something that you can query, get to the thing you care about. But metadata is where it's at for network traffic, and metadata, right, master of packets. Okay, so we want to get that traffic. How do we get it in? Whether we're doing full pcap

or metadata, metadata is consuming a full pcap and then it's converting it into metadata. So Zeek or Suricata, we're going to talk about that, that's what they're doing: they're consuming a pcap and we're creating metadata off that pcap. So it comes through a SPAN. So if you've got nothing else, if you're doing this at your home, go grab an old Cisco switch. I think Brig was selling some, I saw on Discord, for like five, ten bucks. Those would work. You can easily create a SPAN. You can get some nicer ones that are supported, not end of life. There's pretty cheap ones on eBay. You can literally just Google like "cheap switch that gives me SPAN port". I don't like SPANs in big

organizations because a switch's primary job is to switch, and what happens is that's the thing it stops doing when it hits some peak. So you go and look for a compelling event, and of course that's the time you had a burst and that's the time that it didn't get logged, because the switch wants to switch. You want it to be available first, then secure second. So a switch's primary job is switching, secondary is create that SPAN or mirror of that traffic. There are some better ones or not. Black Hat, we use an Arista TapAgg switch. It actually works really good, has a lot of backplane stuff that takes it nicer. I'm not here to sell that or other, just

maybe all switches aren't created equal in that scenario. Mirrors, this was, you know, SPAN/mirror, but fiber now is legit mirrors. You get this card, it's glass, it's mirrors, it's taking your light and it's splitting it. Taps: at my house I run a tap, and it's one gig in, two gig out. One of those feeds my sensor, right? I think the one-gig version at the time was like 160 bucks. I think I just saw the other day the exact same one's like 230, but you can easily, at your house, get some switches for the same price or way cheaper. Packet brokers is what big

enterprises are doing. We don't spend a lot of time in there, but they deploy these and let them route traffic in very specific ways from an operation standpoint, and also consuming a packet to be sent somewhere else. TLS decryptors, we do use a version of this at Black Hat for all our registration network. We decrypt everything and then you can decide where you want to send that. I caveat this one; it's not really the discussion for today, but there's a lot of things you've got to think through when you're talking about decryption, such as what privileged information is there, how are you sanitizing it, what things are now in scope. If you were, say, in a PCI scope and

you're decrypting and you have credit cards, is that SIEM in scope you're sending it to? Is the data lake in scope you're sending it to? Should you have a separate one now? Could you obfuscate it before it goes there? Yes. Is that sensor in scope? There's a lot of things that orgs don't think about until I'm like, they're pointing at it like, well, like, I don't know if everybody should see everybody's Kerberos tickets, you know, and they're like, oh, what could you do with that? Everything, everything with that. Also, this includes virtual and cloud. VMs, I run, I probably should switch at this point, but a vSphere cluster at my

house, and I have a virtual tap that also feeds a sensor. Same with cloud, lots of cloud sensors. Placement absolutely does matter. This is a lot like the firewall policies: if you put it here, do you have visibility there? Packet brokers, those play nice, but you've got to make sure they're deployed in the right places. The reason people use switches a lot is because they're everywhere, right? You can just turn on this, send it somewhere. And so I always like to tell people, be strategic. Start with what, critical assets first. Maybe switching is fine for out here, maybe it's even fine running NetFlow out there for a while until you're finding that it's being

frustrating in an investigation. And yeah, east-west traffic, north-south traffic. Should you be seeing DCE/RPC going out your north-south? You shouldn't, but sometimes it happens. And yeah, match your risk profile. I always like to start with critical assets. Okay, so I hear this a lot: hey, like, all the network traffic's encrypted, so there's no point in this, right? And the best conference that we did at Black Hat, the highest, was 80%, and this is not enterprise. This is people with their laptops going to the internet, right? There's nothing local, so you would think that should be, like, super high. Best one, 80%. Weirdly enough, it's decreasing again. We saw this increase, and by the way, the most

encrypted one is Asia. Asia has the most encrypted of all the Black Hat shows; US is the worst. We tried to figure out what that was. One guy was saying he doesn't trust our government, and I was like, maybe we shouldn't either. But enterprises that I go and do threat hunts in, big enterprises (there's a tier of what enterprise means, and I understand that's a vague term), best case they're in the high 60s. This is the biggest issue and the whole reason we even do any of this at Black Hat. Well, it should be encrypted, but there's plenty of things that aren't: misconfigured, other. I mean, one organization we went in and everything,

GitHub to their Jira to everything, was unencrypted. How do you un-encrypt GitHub? You've got to try hard, but they did it. Keys, everything you needed. You got on that network, you, an attacker there, and you just started tcpdump or grabbing that, you would have access to everything in that entire organization. If you didn't go look you would believe we're good: GitHub's good, Confluence is good, Jira is good. Nope, all of them in the clear. If you don't look, you don't know. And this one, this one trips me out. I don't understand how cloud is as bad as it is. You would think cloud would be better, like, oh, we took the things we

did and we moved it to cloud, it should be better. I don't know if it's just lack of training; people don't understand VPCs and how to make them talk well to each other. It's like I went back in time 10 years: we have this hard perimeter and then once you get inside of it, it is one giant gushy mess at cloud. I'm not saying this is every org, but it's every org I've threat hunted in, and they're big enterprise, and clouds are bad and they think they're great. Oh, we moved it to the cloud. No, you lifted and shifted this box here, made it a flat network in the cloud,

and let it talk to on-prem with a VPN, and it's like, cool, good job. So you've got to go look. Okay, so where do you send these logs? We're collecting these logs and they pretty much come down to a push or pull system. I'm not going to say this is all-inclusive; here's what I'm seeing orgs do. Most, top, is still a SIEM. Of the SIEMs that exist out there, Splunk is still the number one. This Cisco acquisition happened; I don't know how much that changes or how fast that changes, this is still the number one. Second is data lake, and by the way, this doesn't mean it's only one of these. Orgs weirdly enough have two SIEMs, plenty of

orgs: network team has this, security has this, and sometimes they're not even the same product. But another is a data lake, think like Snowflake or something else, where you're just taking all your logs, sending them there, and they're running some sort of a weird BI thing on top of it. Some are homebrew, some have other. This is business intelligence where they're dumping all the logs and running some query against them. And then the third option that I'm actually starting to see trend up a bit more is a SOAR option where it's pulling it, right? So these are separate tools with their logs in their own places and the SOAR is reaching in and pulling those out, where

the other ones are more of a push: this is sending the logs to a data lake, sending the logs to a SIEM like Splunk. Okay, so network. There's two big ones out here that I want to cover, Zeek and Suricata. The part in quotes is what's taken directly from the website, so you go to zeek.org, you go to suricata dot... it's not .org, that site's for sale and I wouldn't go there, it doesn't look super good. But this is, you know, my opinion: Zeek started out as a visibility product and has started building in detections; Suricata started out as an IDS off of Snort and is building in more visibility. So what I primarily like to use them for

is both. I combine it. I want visibility, I want my detections, I want them together. And that doesn't necessarily mean it's true for you; if you're running them at your house, try one, see what you like better. They're both free, they're both open, you can customize them, extend them, there's pretty active communities on both. And I would say if you took these two products, this is in (I don't know the exact number) most organizations in the world. They have some version of this whether they know it or not. A lot of times they have a commercial product, and in the back end of that commercial product is one of these

two things. You go to AWS, there's a way to put in Suricata signatures in AWS, right? So you're like, well, AWS isn't Suricata. No, Suricata's built into AWS, right? So if you're new to this or you want to play around, these are the two I'd pick. Here's an example of a Suricata rule. It's a single line, this is how it looks. We're not in a rule reading class right now to get into the detail, but it's just one single line and it's just going to say this source, this dest, this is the parser you narrow down into to match on a thing. This is what Zeek looks like;

this is just the single conn log, and people compare this to the NetFlow or the firewall log. This has that five-tuple with a bunch of additional context, and then you can extend it and add your own things. So this is just the default, what's built into there. Zeek then takes those and turns them into, I think the last I checked, 137 different logs, and then of course every org has their own little customized version of them. But the top ones would be the connection log that we just showed you; DNS log and HTTP are usually the top ones, and then files is probably the next one after that. Real fast, so if

you started testing with it, I just wanted to show you the uid is how you stitch these together. So you had something in the connection; that uid is what's going to show the other logs associated with that session, the metadata of that session. All right, so what does this look like? I started putting arrows on this and then I realized I didn't want to make a Bryce [ __ ] slide, so I did not put the arrows on it. If you've ever seen his, he's got arrows everywhere. It's actually better that you're here to say that. Okay, so this is an example of combining the two. We have a Suricata hit, right, looks like a

Sliver session, and we have some information about a source, dest, we know it's come from HTTP, and then that's the uid. So you find something and you want to validate or invalidate it: you go to that uid, you pivot on it, you see the additional logs that are associated. We have HTTP, files log, the Suricata log and our connection log. Pivoting into one of those you can quickly see the files log associated to it with the same uid. It came from HTTP and you immediately will have a SHA1, MD5 or SHA256. If you're enriching with your threat intel you might already know the answer; you go put it in VirusTotal and you can go quickly from detection to

somebody's already reported bad. Or maybe somebody packages their own version of Sliver and it's not, you don't know, right? This could go to VirusTotal and have zero hits, depends on if they padded or obfuscated it. But this is a way you can take from an alert to answering those questions with your other logs quickly. All right, so if you want to do a hunt, frameworks are your friend. The goal of a hunt is to look for the unknown thing. So like Suricata, that's a known thing, this is an alert. Is it a good alert, does it need tuning? Good question, but that's a known thing. In a hunt you're looking for the unknown

things, so I like frameworks. There's MITRE ATT&CK and D3FEND. I'm leaning a lot more lately to the D3FEND side because you can pick a type of service like network or EDR or other, and you go look for that and pivot back into the ATT&CK side. There's an open source threat hunting framework that's out there on GitHub; I have links to all this at the very end, and I'm happy to post these on our Discord here in a minute. The PEAK framework from Splunk is a great place to start. This is what D3FEND looks like. We're tight on time so we're going to cruise. Okay, so you need to know about your environment to make a hunt

successful for you. What does normal look like? What is your ingress, what's your egress, where's traffic coming in, where's it coming out, what applications are normal, what services, ports, a lot of things that we don't have time to go into in all the detail. Can you do this across your whole network? No, this is hella hard, right? But can I do this to my critical servers? Absolutely. I've got six critical servers doing this thing, ah, I want to know this. I want to know what the PCR, my producer-consumer ratio, of those servers is. I want to know exactly what the VLANs are. I want to know if my development can talk to QA, can talk

to prod, because people will say no on the checkbox. Let's go look. Oh, it actually does. The front door is nice and secured, but once you're in there I can talk to any of them I want. Go look. You've got to know what's normal for your environment because you'll start squirreling a lot of stuff on a hunt. Okay, so this is an example of one that was a full compromise that I found with an organization. Real quick, this is the syntax up there: we're looking at RDP logs, we're looking at inbound from the internet and we're looking at the cookie. If you don't know, inside of RDP the cookie is typically the username, if

that is logged. So in this case we're looking for people going against the administrator account, and unfortunately there were some, and it was true. Don't have RDP open on the internet. It's 2024, that's gross, stop it. But if you don't know you even have RDP, go look. Do you have inbound RDP? I don't know, go check your firewall, check somewhere. Weirdly enough, I don't know why this is the thing, but NTLM. Okay, so in this example we're looking at the NTLM log and it looks like a, you know, one 2 to a 104 address, and the username is vagrant. So cool, it's coming to our Windows domain and it's going on our domain controller. So talking

about that context, there's a difference between I know source, dest, bytes and I know this is my domain controller, this is somebody logging in, success equals true. Sorry, somebody NTLM logging in, success true, and even the username. Pivot on that same uid and I see DCE/RPC logs. These are like Windows commands and, I won't, you know, the operation there, you can get the list of all the operations, but that one's a bad one unless you're another domain controller. It's called a DCSync attack, and unfortunately that was a compromise. That organization dumped their entire domain controller. That's a normal thing from domain controller to domain controller, but if I say I'm a domain controller,

could you please bind with me and give me that, and you do, old domain controller, compromise, right? So instead of just having source, dest, bytes, I'm able to go, oh crap, host isolate, write to EDR, other, right? Packets, other tools together. Okay, pitfalls. Here's where I see people messing up a lot when it comes to hunting. Slow queries: I assume your SIEM was spec'd correctly at one point, but that day has passed. You've added more logs, you didn't increase it. I love to carve on 24 hours; unfortunately some orgs I get into I have to carve to five minutes. Five minutes is useful for some things, but it becomes... you lose state. You don't want to just do a star

carve across your entire org, that's a bad day. Your Splunk admin's going to, you know, punch you, he's going to hate you, you're going to stack up jobs. Narrow it to the thing you care about: source, dest, inbound, outbound, service, pick one of those things. I said know your network; narrow down, and once you've narrowed it down then expand your search. I like to start at 24 hours. This is same NTP. I had this problem, I call it the spreadsheet of hell. If you're trying to do a compelling event, compromise, and you're trying to line up logs and the times that they originated, you think you found something, it's nothing, you miss something that was

super critical. Some SOAR, some SIEMs will do a better job normalizing that based on the right time etc., but if you're doing a pull, especially on the SOAR route, and you have three different log sources, your EDR here, your network's here, and this, and they have different NTPs or time zones or other, just pick UTC. UTC is always the answer, just use UTC. But that will turn into a problem also depending on how you're sending in logs. Is your thing ingesting them getting behind? It's caching and things are falling off. Also batching: are you just sending them to like an S3 bucket and they're batching every blank? That's useful, but if you're batching every 24

hours and something's happening now, that story of keystrokes on SSH that are happening in the last 10 minutes, you wouldn't know that for a day, right, if your batching is too long. I already mentioned this, it's just worth repeating: what is this host and how critical is it? For trying to answer those questions, I like Zeek for the input framework. We use it at Black Hat; we tag every classroom, we put, you know, VLANs in there. I know the classroom, I know the trainer, so if I see web fuzzing attacks: web fuzzing class, okay, it's probably fine, right? You can answer those questions substantially faster with context. If I know this was on-prem

Exchange servers, credit card server or other, try to enrich that data. You can do it in the SIEM as well, feel free to enrich it there. And yeah, don't treat something like guest Wi-Fi with the same importance as your critical assets. If you don't know where to start, it looks overwhelming: what's the thing that's most important to your company? If somebody compromised this thing, you would have a bad day for a while, or a bad week. Start with that thing. Yeah, asset management, vuln scanners. You will spend a lot of time finding something that's super compelling and interesting and then it's just your vuln scanner, because that's what it looks like. So you've got to know what those

are. And I also, I have to put this, I wish I could just say vuln scanners, but I've got to say network and application, because plenty of orgs, I'm like, you know, check the network ones, and then they don't tell me about the application ones, and then I'm like, what is this shady looking thing? Like, oh, that's our application vuln scanner. It's like, okay, I need both of them. Neil talked about this a second ago, but yeah, you don't want to baseline the baddies, right? If you're doing something like PCR or using a fancy UEBA product or something like that, you don't want to say, hey, this is good, I

put in this tool, I'm PCRing it to this level, and that includes the C2 beacon, right? You don't want to do that. And then being too rigid. I was mentioning this just a minute ago too: one org had this giant built-out, beautiful hunting framework, and it was the org that had inbound RDP, right? If you're only looking for the things that are in your stock list or to-do, being too rigid, you're going to miss some blatantly stupid stuff like FTP to Russia. So yeah, don't baseline your C2. All right, quick pointers. This is the first thing I would do if I put in network: I would just run a quick

query and say show me all the things in this entire corporate, and again if that's too much, start with your critical subnet, start with your exec team, start with something: all the things in here that do not have my EDR on them. And then I'd ask this follow-up question: what hosts can or should have EDR on there? Because there's a lot of them that can or should that you just don't know about or you don't go look at. So what is that list, and then get that documented. Yeah, start with critical assets. If you found something, I have to tell people, like, don't panic, don't freak out. A lot of times people get squirrelly very fast, like, I saw this thing and it's

like, well, it wasn't success equals true. Yeah, you saw NTLM trying to hit your site from Russia, that's sketch, but it wasn't success equals true, so who cares? Your firewall blocked it, something did what it's supposed to. Maybe you want to change that alert or change the visibility to not even see it if you don't care about it, if it's not true. But don't panic. Validate it before you get spun up and, you know, quit eating and lose a bunch of weight and start freaking out and putting pillows on your feet because atams don't touch, right? Like, don't panic. I had one guy tell me, like, quit telling my people to do a

hunt on a Friday, because unfortunately it turns into IR a lot of times and they don't want to work through the weekend. I was like, all right, your call, I'd rather know, but your call. Also, if you find something, can you make a rule from it, right? Talk about unknown versus known: once it's known, quit looking for it, right? Now there's some harder things with living off the land stuff that I would want to do a report on and then review that every period of time, but if you found it, can you go write a Suricata rule, that long string I showed you? Could you go write one of those? Not everybody can, some can,

there's some things that make that easier. But maybe you have a SIEM and you can do a search-based alert. Maybe you can say this query in the SIEM, of something I found, I want that to alert me at blank interval. Detection engineering is what we call it; it's a whole field in our infosec industry. People who are good at it make a lot of money, because no SOC manager wants to deal with giant stacks of alerts that don't have validity. Whoever can tune those and make those not the false positives but the true positives, and the other six categories that we're going to skip for now. All right, and then

yeah, I mentioned this too, one of the easy go-tos that weirdly enough finds a ton of compromises and is not that hard: find a thing you narrow in on, look at the most results. You're going to find your DGAs, your malware, your things that are beaconing out. Flip it and then look at the rare, right? That user agent, Windows 2005, it was just in the rare. It was literally nothing more than user agents narrowed on a network: sort top, sort bottom. These five in the bottom seem fine... see, what the freak is that thing? What is Windows 2005, right? Compromise in an organization from just flipping to rare. Look at your top, flip

it. Pair two things together, these two hosts together, flip them, flip them, what's normal for that. You've got six similar critical assets, look at them together, these are all the same. Now I flip it: one of them has a different user agent, python something, the rest don't. Okay, did you find it, or security, or did you find compromise, or just a weird app that doesn't match your profile? Okay, this is my forward-looking final, V5, and the robots are coming. I don't know the impact yet of those robots, but I can tell you what I've seen so far and what I think is coming, and, you know, it'll probably change five times from now. I

think absolutely AI is helping level up SOC users, right? I've taught Suricata rule reading and rule writing and I still use this. So I'm here to teach those people and I'm using things like this. So that is taking a Suricata rule like that long string I was showing you and saying, with the right prompt engineering it works really well with open source like Suricata and Zeek, because guess where the repository is? On the internet; that's what they use for their training. But explain it to you, and instead of me trying to say, okay, this is an alert for HTTP from the home net to external that's looking at byte size 150,

it's just going to say: home net to an external network looking at HTTP GET. This is absolutely leveling up SOC people today. This is where it's headed: this is called Google SecOps, used to be called Chronicle, I guess, you know, they're making it better, and leveraging something like this to take the query language, which is a barrier to data lakes and SIEMs for a lot of SOC analysts, right? You know, do you know SQL, do you know the weird nuances of this thing? And being able to say something like, show me all the Zeek logs that have inbound SSH, and it's like blah, and then run that search. That's coming. It's not great, it's not perfect

yet, there's still issues with that. If you don't have some sort of UDM or ECS mapping it doesn't know that actually vendor named Zeek is incorrect; it's going into network dot something, right? It still has some issues that you have to know enough to change it to make it work, but that will get solved, and this will lower that threshold of people running these queries, right? All these examples of knowing the ANDs, the ORs, and going from SIEM to SIEM or tool to tool, it should get better and better. Okay, with that we're pretty much out of time. Here's a bunch of links. I'll dump that stuff to everybody and I'll fix that URL because

it's not .org. And then I don't know if we have any time for questions; feel free to hit me up in the hall or anything. And then when I put that deck out, I just put a few examples of things that I have found compromises with, and so there's a whole bunch here and it'll be in that same deck. Go look for some of these things in your organization. Thank you.
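As an added example (not the speaker's code or slides), the alert-to-uid pivot and the "sort top, sort bottom" hunt described in the talk above, run over constructed Zeek-style JSON records; the `_path` field naming each log, and a Suricata alert record already tagged with the Zeek connection uid, are assumptions about how the sensor exports its logs.

```python
import json
from collections import Counter

# Constructed sample: one JSON object per line, each with a "_path" field naming
# the Zeek log it came from (the json-streaming-logs package writes logs this way).
# The "suricata" record stands for an alert a sensor has tagged with the Zeek uid
# (an assumption). Hashes and addresses are placeholders, not real indicators.
SAMPLE_LOGS = """\
{"_path":"suricata","uid":"CAbc12","alert":{"signature":"CONSTRUCTED Sliver C2 beacon","severity":1}}
{"_path":"conn","uid":"CAbc12","id.orig_h":"10.1.1.5","id.resp_h":"203.0.113.7","id.resp_p":80,"proto":"tcp","service":"http","orig_bytes":640,"resp_bytes":9120}
{"_path":"http","uid":"CAbc12","method":"GET","host":"203.0.113.7","uri":"/update.bin","user_agent":"Mozilla/5.0 (Windows NT 10.0)"}
{"_path":"files","uid":"CAbc12","fuid":"Fx1","mime_type":"application/x-dosexec","md5":"md5-placeholder","sha256":"sha256-placeholder"}
{"_path":"conn","uid":"CDef34","id.orig_h":"10.1.1.6","id.resp_h":"198.51.100.9","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":120,"resp_bytes":3000}
{"_path":"http","uid":"CGhi56","method":"GET","host":"intranet","uri":"/","user_agent":"Mozilla/5.0 (Windows NT 10.0)"}
{"_path":"http","uid":"CJkl78","method":"GET","host":"intranet","uri":"/","user_agent":"Mozilla/5.0 (Windows NT 10.0)"}
{"_path":"http","uid":"CMno90","method":"POST","host":"203.0.113.7","uri":"/api","user_agent":"python-requests/2.31"}
{"_path":"files","conn_uids":["CDef34"],"fuid":"Fx2","mime_type":"application/x-x509-user-cert"}
"""


def parse_logs(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def record_uids(rec):
    """Connection uids a record refers to. files.log carried a conn_uids set
    before Zeek 6 and a plain uid field from Zeek 6 on; handle both shapes."""
    if "uid" in rec:
        return {rec["uid"]}
    return set(rec.get("conn_uids", []))


def pivot_on_uid(records, uid):
    """Group every record that shares this uid by log name (conn, http, files, ...)."""
    by_path = {}
    for rec in records:
        if uid in record_uids(rec):
            by_path.setdefault(rec["_path"], []).append(rec)
    return by_path


def alert_to_answer(records, alert):
    """Walk from an alert to the context an analyst wants before deciding:
    the five-tuple from conn.log, the HTTP requests, and any file hashes
    that can be checked against threat intel."""
    ctx = pivot_on_uid(records, alert["uid"])
    conn = ctx.get("conn", [{}])[0]
    return {
        "signature": alert["alert"]["signature"],
        "src": conn.get("id.orig_h"),
        "dst": conn.get("id.resp_h"),
        "dst_port": conn.get("id.resp_p"),
        "service": conn.get("service"),
        "requests": [(h["method"], h["host"], h["uri"]) for h in ctx.get("http", [])],
        "hashes": [(f["fuid"], f.get("md5"), f.get("sha256")) for f in ctx.get("files", [])],
    }


def top_and_rare(records, path, field, n=3):
    """The 'sort top, sort bottom' hunt: the most common values of a field show
    beacons and DGAs by volume, the least common show the odd one out.
    Returns (top n, rarest n), rarest first."""
    counts = Counter(r[field] for r in records if r.get("_path") == path and field in r)
    ordered = counts.most_common()
    return ordered[:n], ordered[-n:][::-1]


if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    for alert in (r for r in logs if r["_path"] == "suricata"):
        print(json.dumps(alert_to_answer(logs, alert), indent=1))
    top, rare = top_and_rare(logs, "http", "user_agent")
    print("top user agents:", top)
    print("rare user agents:", rare)
```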


Yeah, who am I waiting for? So while we're waiting for that, this is by far, like Pope talked about, not exposing RDP to the internet. Oh, where did it go? So it disappeared, I blame John. Oh man, hold on. Is it up, Bash? I think you've seen this before. Oh, there you go, you're back. I'm back, just let me know when I'm ready. But while they're getting things set up, I was investigating, talking about RDP on the internet, I was investigating a host and we told the team, they called us, they said we've got ransomware, and they're like, okay, well, all we did was reimage the host, and then the very next day they called and said, okay, we

got ransomware again. And this just shows that hackers have a sense of humor, because they changed their ransomware message to include that top line that says "welcome again", and I was like, very well done, very well done. So no, we didn't pay. It was some type of server, they didn't have any data on it, and so they're like, we don't care about the data. I'm like, well, let's at least go secure it and get RDP off the internet, and they're like, all we did was rebuild it, that should be fine, right? And I was like, no, no. And so the very next day they called and said, so you were right, we were wrong, okay, what do

we have to do? So my name's Brandon Benson. I've been in cyber security for 18 plus years. I started at a little encryption company called PGP. I actually came from the telecom space, right, and so I worked for AT&T, I worked for CenturyLink, I worked for Qwest for a really long time, and then got involved with engineering and then went down the whole rabbit hole of security and kind of fell into it. I've worked with companies across the globe on securing their environments, which is great. I've been into some pretty sketchy places, which is also fun. Over the last decade or so I've managed a SOC

team and I've managed a security engineering team and I've done some other stuff. That's kind of what we're going to talk about. So about a month and a half ago, about a month ago, I started thinking about this topic a little bit more when I was in London and then I couldn't get home, because the airlines all of a sudden all crashed and we couldn't get tickets, because an EDR vendor accidentally pushed an update that caused everything to go down, right? And then I started saying, okay, well, it's probably worth bringing this up again, talking about supply chains, right? In many of our companies, either we do it or we

don't, but companies are there to make money, right? And as companies make money... a lot of times, I'm not going to read any of my notes from the slides, so you guys can read, I'm going to tell stories. So part of what they do is they facilitate their ability to make money and do business by contracting or acquiring third-party services, contractors or vendors, so that they can actually do business more efficiently. The problem with that is we put our security organizations and our security teams in place so that we can go through and make sure that we monitor our network traffic and we monitor for alerts, we monitor for other things. But what we're seeing over

the last few years is that attackers are not just attacking the companies themselves, but they're also attacking the vendors and the products that these companies are using. And sometimes it's pretty easy, because you can go to any company website, or you go to these common vendor websites, these HVAC or these vendors that offer services. I was on one, can't remember, I was on one the other day and at the bottom of their page it's like, here's all our customers, right? And so I'm like, okay, well, I know what companies actually use this product, and because I know that, if I can find a vulnerability in the product of

this company, then what I can do is I can actually go through and just wait for the company to download the latest patch or download the latest version, and then I can just compromise that. And that's what we're going to talk about, right? So if you think about attacker methodology, I'm going to pull out a few examples. In 2014 I was doing PCI stuff and I was auditing people, and Target got attacked, right? And they're like, okay, well, how did Target lose all their credit card data? And then later that year or the next year Home Depot got attacked, right? How did that happen? Well, somebody figured out that Target was using an

HVAC vendor, right, and that HVAC, they didn't have proper segmentation in place, and so the hackers attacked or compromised the HVAC vendor and then from there they were able to get access to the service or the server that sat inside Target, and from there pivot and then reach out to the payment card processing system and then steal all the credit card data. The interesting thing about that is they waited, right? So they had access, and many attackers I've seen do this: they had access, they came in and then they said, okay, we're going to see if we can push updates, and they did and they didn't get caught. We're going to push a

few more, and they did and they didn't get caught. And then they're like, okay, November's here. What happens for retail businesses in November? Well, that's the beginning of their shopping season, right? So they're like, we're in a change freeze, we're not going to do anything. They're like, great, that's when we're going to push our malware. And so they pushed this malware, it hit, I think, on the 18th of November, and the company saw it. They're like, dude, we've got to tear down all our payment systems. They're like, no, Black Friday's like tomorrow, what are you going to do? And they couldn't do a whole lot. They were stuck in this conundrum of the business

wants to make money and they have to, but they know they have an active compromise happening, and that caused like 14 million credit cards to be stolen, right? So you get attackers that are really good at that. They're able to go through and say, how can I exploit, how can I go through and, you know, I do my reconnaissance, I do my homework and I can figure things out. And then you move into the timing piece of this, the execution: can I take from where I am, and what can I pivot to? I talked about that for a minute as well, where it's, you know, it's surprising how many times attackers,

I've seen situations where attackers will come in and they'll place a piece of code, right, and it just sits there, and it just sits there, and it just sits there, and then when they time it, then they'll launch the attack. And I've seen it happen in a couple of aspects. In payment card processing, I did PCI audits for a long time and so I got to see a lot of this, but there is one case: we were looking at this compromise, we were working with the company, and we're like, okay, the compromise came because somebody had inserted a header or a footer into the payment processing page of the website. And when we started

looking at it we're like, well, how long has this code been there, and what would happen with the JavaScript? It would reach out to the internet and the internet would then run JavaScript that would scrape the page. Well, we started looking back and we're like, wait a minute, the site it reached out to was dead, right up until like a week before we found it. And so what the attackers had done is they had placed this key or this token and had let it sit on this site for three months. Nobody discovered it, and then when they were ready to actually launch the attack and steal the credit card data, then they actually put

JavaScript on the back end of the URL that was previously reaching out to nothing, and then the attack happened. And so we see things like that happen, and that was just a supply chain thing. You're like, wait a minute, how did this code get here? Oh, well, we hired a contractor and they had done this thing and they had lost their access and this code had been put there. And so you end up seeing execution that happens either through side channel attacks or you see execution that happens through, you know, lost credentials and stuff like that. And of course you go into your exploit, where we're trying to steal as much data as we can, and then once all

the data is gone, sometimes attackers aren't done there. So, quick other story, because I'm just going to tell stories. We had one where we saw all the data was lost, and the compromise had actually come from like Korea or Asia or somewhere like that. And in many cases when you get some of these embargoed countries, you know, companies will just block: I'm not going to let anything from North Korea access any of my systems because there's no business need to do it. I'm not going to let anything from, I don't know, Singapore or Iran or wherever access any of my systems. And so we had ended up having one of those companies

compromise a server, and we were investigating it, like, okay, they took all the crown jewels, they took everything they need to, but they're still active on the system. We couldn't figure it out until we started watching the network traffic, and we're like, wait a minute, they actually have decided to use this system to host attacks, to attack other companies in the US, right? And then pretty soon, like a week after that, we started getting these calls from like law enforcement saying, hey, you're attacking our servers, or you compromised our servers, you stole all of our information, like, what's going on? Then the FBI got involved and stuff like that. It was not pleasant for the company,

but many times once the attack happens and all the data is gone, it's not uncommon to see those servers still be useful for something. They can be used to host botnets, they can be used to then turn around and pivot and attack somebody else, and then you get these chain events happen. We see it happen a lot with companies, like, why would anybody want to attack me, or why would anybody want to do anything bad to me? And that's why: because if I can log in or compromise your system and then use your system to compromise or host malware for somebody else, then great, then it's harder for people to catch me

as an attacker and figure out what's going on. And then of course you get your exfiltration, they steal all your data. Let's talk about a couple of case studies or things we should be aware of with regards to supply chain. So a month and a half ago CrowdStrike, they're an EDR, endpoint detection and response, vendor, accidentally pushed a file that hadn't been tested correctly and brought down a whole bunch of companies and laptops and servers and stuff. It wasn't malware, but it's the same concept, right? And they caused a huge global outage on airlines and banks, and people were having to get paper written tickets to be able to fly home, and

you know, flights were cancelled and stuff like that. But it's the same thing you would look at if you were looking at some type of a supply chain. So let's go through a couple of different supply chains that you might run into as you are working, if you end up in a security job or working for a company, that you should be aware of. So the first case study is ticketing systems, right, or third-party software where people can interact. It could be a blog, it could be a ticketing system, it could be some type of input: hey, you need help, go ahead and fill out this form and then somebody will get

back with you um and it's not uncommon for those ticketing systems to be exposed to the internet well if I know that I can just like and I know that you're using that ticketing system either because I visited your site and I saw what was on the back end or you have it listed on your website as a vendor then what I can do is I can start looking for vulnerabilities in that software that you are using it could be any third party software not just ticketing so we did investigate one once that was a ticketing system and uh they came out with this critical vulnerability and it was posted on the internet I was like well that's going to

be bad because I think we use that software I think this company I'm working with uses that software and so we started looking at we're like yep yep we have it and it's it's exposed and we're actually vulnerable to it and so we actually spun up our our response procedures and V management said you guys have to go patch this or at least put in firewall rules to mitigate it and so we did which was for us a win but then like a week later we heard of like 130 companies that hadn't patched right and they ended up being compromised well what can you get in ticketing systems so you can get customer names sometimes you

can get login IP addresses if you can get back access which is remote control those ticketing systems connect to other systems inside the corporate Network and I can use that as a pivot point to actually go after other information or data I want to steal or deface or things like that and so it's paying attention to the vendors you use or vendors we you use that are facing the internet um to make sure that they're actually patched on their vulnerabilities and making sure those are taken care of is actually pretty important we've seen lots of attacks not just ticketing systems but other things um that have caused attacks to happen um and they can cause a lot of damage

So, slides aren't working. So what do you do, right, if you're a defender or if you're working in security at an organization? What should you do? Well, one is know the third-party services you're using. Know which ones are publicly accessible and which ones are not. Limit those public services to only what you need; don't put RDP on the internet, for example. And then monitor those vendors for critical vulnerabilities. So any time you have a third-party system, I always go, or I always recommend the companies I work with go, and actually subscribe to the alerts or the patch updates from those vendors. Like, man, we're using like 50 vendors, and I'm like, you're getting 50 emails every week, you should probably read them, right, and figure out which ones you need to go and patch and then what you need to do. And then mitigate and patch as soon as possible. I say mitigate and patch as soon as possible: if you see it posted on Twitter, attackers saw it posted on Twitter too; if you see it posted on Reddit, attackers just saw it posted on Reddit too. It doesn't matter.

We've seen systems deployed, a little tangent, that have had critical vulnerabilities that are known, maybe they've only been known for three weeks, and they've been compromised within 6 minutes, or 15 minutes. It's not very long. Somebody stood up a system, like, wait, we just put our SOC on it and said, hey, monitor for this; wait, we just got popped? I thought we had everything mitigated. Oh yeah, some intern or some new developer decided to deploy a system with the compromised, or the vulnerable, version of software, and that's been up for 15 minutes and we're compromised. Compromises happen that quick, especially for really well-known vulnerabilities. Log4j was a critical one in 2021, right; a lot of us didn't get a lot of sleep that month. It was December; I can remember it was a Sunday night, 7 o'clock, to get this phone call: hey, go look at Twitter. What happened on Twitter? Oh yeah, somebody just posted this critical vulnerability for Log4j. Okay, that's problematic. Yeah, it's problematic because it's Sunday at 7:00 and everybody wants to be off and we're about ready to enter holiday shutdown and Christmas break. Yeah, that's also problematic, right? I don't think we slept for two weeks. We had to be on top of it, had to figure out what was going on, had to go through and make sure our systems were patched. So that's one case: be aware of your third-party software.

Companies use third-party software. It's cheaper most of the time to buy third-party software than to pull developers in to create software, even though it's open source, to maintain it and keep it up and running. So it happens a lot; every company I know uses it. With that said, a lot of companies also let vendors log in and access their systems, right, or they'll get contractors or contracting companies that come in and do certain key elementary functions. I don't need to pay somebody a whole lot of money if I can pay a vendor a fraction of that to be able to log in and check my logs, or log in and make sure my system's up to date. And so you get these companies that actually offer these services: we're going to offer services to maintain your systems, or we're going to offer services to maintain your HVAC. The problem with that is those companies' business is to get as many customers to use their services as possible, right?

So one of the things we found: I was in Mexico doing an engagement for a company, and we started looking at the vendor supply chain. We were doing a risk analysis, and we were interviewing the vendor, and we're like, okay, so tell me about this: how do you segregate or separate your customers, us, from your different customers? And they're like, well, we have the same technical people do it. I'm like, great, so who controls the usernames and passwords? And they're like, well, we create our own usernames and passwords; she just gave us access because it's our application we log into. I said, that's fantastic. How do you protect the password you use for my company from the password you use for somebody else? And they're like, we don't. And I said, what, what do you mean you don't? And they're like, no, we just have our help desk technicians; we don't pay them very much and we don't want to make it hard for them, and so they use the same password to access your company that they use to access all of our other customers. And I was like, well, that's problematic. And they're like, well, why is that problematic? I said, it's not for you, but it is for us, because now it creates a risk for us. And the risk it created was, if another company got compromised and they saw that username and password, then there would be nothing to stop anybody from taking that same username and password from company X and using it for company Y to be able to access their systems and cause harm. It's the same concept of don't use the same password on your email as you do for your bank account, and get a password manager.

And so that was a finding. We actually worked with that company and said, if you're going to do business with us, we need an attestation and guarantee from you that your agents, I don't care if it causes you more challenge in managing that, will use different passwords for us than they will for other companies. They agreed, right? But it is a risk that you can run into, and you can run into a lot of inadvertent exposure that way. I can't tell that story; I can tell this one though. So I was working in Ukraine like a decade ago, and I was working with a company who was doing some work, and we started looking at their user logins, because we wanted to see if they had stale passwords and stuff like that. And what we started to see is that they had logins from Ukraine, and then they had vendors in Singapore and London and the US and Mexico. And we started looking at the logins, and we're like, hey, this user is logging in from Mexico and then 15 minutes later they're logging in from Ukraine. Where's this user at? They're like, oh, that user is in Ukraine. I was like, great. And then we look at other logs, and we're like, wait a minute, we also see that user in Singapore. Do they travel? Like, no, they don't even have a visa; they can't leave the country. I'm like, so how is it that we're seeing the same login for this user in several different countries?

And so we went and interviewed, and it was a contracting company, right, so we went and interviewed the contracting company. They were like, well, getting users onto this system is really hard, and so what we do is we actually just take the same username we know is there, and then in our internal Slack we just share those credentials, so as we get new people coming in, before they get credentials, they can just use this other set of credentials to log in and access our systems. I'm like, well, that sucks, right? Don't do that anymore. Like, yeah, but our people can't work. And I'm like, we'll take the extra day and figure out a process to make it smoother. But things like that happen as well. So as you're doing your monitoring, or as you're actually doing your vendor reviews, that's also something to look at: to say, hey, are you sharing your credentials with other customers, but are you also sharing your credentials with people inside your company? Because the problem with that is, if something bad happens, if somebody decides to steal information, how can I attribute it back to that actual individual, to say this person in your contracting company is causing you harm? And I can't if that is in a wiki or it's in a Slack message somewhere where everybody can get to it. So that's the second place we've seen supply chains, where it's vendors or contractors that companies hire that cause issues.

But we can't go further without talking about popular software libraries, right? Anybody familiar with Log4j? Somebody, a couple of people. Anybody have to investigate Log4j when it came out? Depending, but this is what it was. Log4j is a logging platform that's used in many popular web or Java applications, and it's for both internal and external servers, that allows you to take in and format logs and then send them into the back-end logging server. The problem with Log4j is that when the vulnerability came out, it allowed somebody who figured out the vulnerability to actually craft, and it's usually a form field or something like that, and say, I'm going to actually put this in like a first name field or last name field, and it's going to get logged into the back-end server. And what it did is it called another function that was part of the library that allowed a remote desktop, or remote connection, to be made to that back-end server, which caused a whole bunch of servers to be compromised. So any company, which was a lot of them, most of the internet actually, that used Log4j, that allowed logging and had form fields on their website, which is a good number of them, could actually have an attack happen where I just have to send a crafted message, and that was going to be logged in the back end, and then all of a sudden I have remote access to your back-end server.

And so third-party software is super handy for developers, because they're like, I need to do something with colors, or I need to do something with log formatting, and this one's been popular, it's been downloaded like 100, 150 million times. And so if I can actually take over that library that's open source and then inject my own malicious code, or I can find a vulnerability in that, then I can actually compromise that. That's what happened with Log4j. It was nasty; also another one that kept us up a lot. And so this is another one where, as a defender, as a security team, not only should we monitor our vendors, we should monitor access, and we should monitor our SOCs for alerts that bad things are happening, but we should also be aware of what's in our stack. They call it an SBOM, or a software bill of materials, right, is the term they're using now. Am I aware enough of the libraries that developers are using, or the software that's being used, that I can actually look for disclosures of critical things? Or if I'm not aware of it, am I aware of the recent or most recent news so I can query my environment to find that software to see where I might be impacted?

This is probably one of the ones that scares me the most from a defender standpoint, because developers use shared libraries all the time, right? It makes development faster, and we have this really rapid development, agile cycle. Developers, their companies are there to make money, so I need to get my products up and out as quick as possible, I need to get new features developed as quick as possible. And quick as possible does not equate to go write this library from scratch and make sure it's totally secure. Quick as possible means, what can I find on Stack Exchange and what can I find on GitHub that somebody's already created that I may be able to use that will actually satisfy my requirements for this feature. That's what happens, right? So Log4j was a bad one. Some of these are called DLL sideloading attacks for Windows. There's another story: there was another parser, it was UA parser, it's also JavaScript, in 2021, that had 1.5 million downloads. What happened was the developer, it was open source, and the developer posted on Twitter one morning saying, I just lost access to my git; in other words, somebody compromised my git credentials. An attacking group had figured out it had been downloaded a lot; they had come in and taken over this account, and then they injected malware into the package. And at 1.5 million or billion downloads, that was a pretty good package to take over, and they injected malware, so anybody who downloaded and ran the package then got malware that caused a whole big mess.

I don't have a lot of time, but I did want to say, this is why we like security: these things are presented to us and we're like, that was a very clever attack, or that was very clever; now how can I actually take and learn from this, or how can I keep up on news to make sure that I can stay, you know, relevant, right? And there's always something to learn. What time is it? 10 minutes over. I'll take it, because I don't know who's next. I don't see anyone waving flags, so I'm going to pause for any questions. Okay, you lost about half my slides; I'll get them posted on Discord. So thank you, everybody.
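The login review the speaker describes (one account seen in Mexico, then Ukraine 15 minutes later, then Singapore, traced back to credentials shared in a contractor's Slack) turned into detection logic, as an added example that is not part of the talk. The log format, account names, IPs and the 60-minute and three-country thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records (not real data), one per line:
#   <ISO 8601 UTC timestamp> user=<account> src=<ip> country=<ISO code>
SAMPLE_LOG = """\
2024-03-04T08:00:00Z user=oleh src=198.51.100.7 country=UA
2024-03-04T08:15:00Z user=oleh src=203.0.113.40 country=MX
2024-03-04T09:05:00Z user=oleh src=192.0.2.77 country=SG
2024-03-04T09:10:00Z user=maria src=203.0.113.41 country=MX
2024-03-04T17:30:00Z user=maria src=203.0.113.41 country=MX
2024-03-05T07:55:00Z user=dana src=198.51.100.9 country=UA
2024-03-05T18:20:00Z user=dana src=203.0.113.50 country=GB
"""


def parse_log(text):
    """Parse the constructed key=value login format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": kv["user"], "src": kv["src"], "country": kv["country"]})
    return sorted(events, key=lambda e: e["ts"])


def by_user(events):
    """Group time-sorted events per account, keeping chronological order."""
    groups = defaultdict(list)
    for e in events:
        groups[e["user"]].append(e)
    return groups


def impossible_travel(events, window=timedelta(minutes=60)):
    """Consecutive logins of one account from different countries closer
    together than `window` (the "Mexico, then Ukraine 15 minutes later" case).
    Returns (user, from_country, to_country, minutes_apart) tuples."""
    findings = []
    for user, evs in by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["country"] != cur["country"] and gap <= window:
                findings.append((user, prev["country"], cur["country"],
                                 int(gap.total_seconds() // 60)))
    return findings


def shared_credential_suspects(events, min_countries=3, span=timedelta(days=1)):
    """Accounts used from at least `min_countries` countries inside any `span`
    window: the footprint of one credential handed around a contractor team."""
    suspects = []
    for user, evs in by_user(events).items():
        for i, start in enumerate(evs):
            countries = {e["country"] for e in evs[i:] if e["ts"] - start["ts"] <= span}
            if len(countries) >= min_countries:
                suspects.append(user)
                break
    return suspects


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in impossible_travel(events):
        print("impossible travel:", hit)
    print("possible shared credentials:", shared_credential_suspects(events))
```

Widening `window` trades missed cases for noise: at 12 hours the same data also flags dana's UA-to-GB pair, which may be legitimate travel, so the threshold should follow what the vendor has attested its staff actually do.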


Okay, alrighty, so today we're going to be talking about graph neural networks and how we can use them to detect DDoS attacks. And by the way, I'm Karthik Sharma, or you can call me Kart, and I work as a senior associate information security engineer at Equinix; it's a data center company based in Redwood City, California. So, like, anyone heard of graph networks over here? So, I mean, they're not super new right now, but they're kind of trendy, and they could help to solve a lot of different problems. So let's just start with just talking about what they are. So they're nothing special; they're just built on top of normal neural networks, but they are built in a way so they can work on connected or graph data. So again, a lot of people think they are super hard to work with or super hard to understand, but they're not very hard to understand. So for example, in a graph, or in graph networks, a node can represent an entity, maybe packets in terms of network traffic, or other objects, network flows, or edges can represent relationships between packets or other kinds of connections between network flows, or, you know, two IPs connected together by a network. So that's how the graph is built.

So the main thing in a graph neural network is how they learn the embeddings, or what we call the node embeddings or edge embeddings. So again, a lot of people get confused over here, but it's super easy: they learn it through passing messages, and over here the messages are nothing other than the features of a node or edge. Again, features could be anything; for example, for a packet a feature could be a protocol or the timing, like anything there is could be a feature. So again, what I did to help you all better understand graph neural networks: I actually developed a little website, I'll show you all in a second.

So over here you can see a graph, and it has a couple of features to it; you can see these numerical features, because... oh, it's not...

okay great so this is a graph over here and it has features to it you can see those numerical features over there so what happens in message passing is the messages or the features of a state a state is a number for example first time a graph starts with their initial feature so at that time all the nodes or all the neighbors of a node passes their features to that to their neighbors or neighboring node and after they get the features they simply aggregated so on the right hand side you can see the aggregation there are different kind of aggregation I mean over here I'm showing like mean aggregation where all the features get added together and the mean is taken off

them and the mean the mean features becomes the new feature of that node like it could be that simple but again new architectures have came in and they have changed the aggregation methods so there could be a lot of different aggregation methods uh in literature there are a lot so this is a very very simple way to show how message passing or how a graph newal networks learn embeddings again once a graph newal networks learn and embedding once the nodes embedding get you know uh updated and then it becomes like a normal neural network problem where you just pass it through a fully connected layer or like sometimes you can pass it through a different architecture Transformer

architecture or lstm and get your predictions that way so yeah so now I'm just going to go back to my presentation going to go present over here oops sorry um yeah and GNN have like a lot of applications right now social networks analysis I mean Facebook does their all like all of their ad recommendation or Amazon does their all of their you know product recommendation using a GNN um U you know it's used in biology and medical Sciences a lot right now to predict drugs or you know molecular uh properties um knowledge graphs is a big one again as I talked about recommend recommender systems they are like pretty huge in that too IMDb uh do a lot of

stuff with graph networks Pinterest all these uh you know social networking websites um so yeah so again the big question would be like how a GNN is different from a traditional neural network or some people call it like artificial neural network so basically a traditional neural network cannot work with like graph like input but a graph real Network can so that input input structure could be a graph you can throw in a graph and get a prediction out of it or predict all the different nodes in a graph if a node is malicious or not if the whole graph is malicious or not um you can model relationship in a graph neural network but you cannot do that in

a normal uh neural network because you just throw in a grid-like data in a normal Neal Network um again node level task you can do node level prediction in a graph Network but Inn or artificial neur you cannot do that um again no Edge level predictions in uh a&n but you can do it in GNN again graph level prediction I mean that's kind of similar in a&n too where you can classify all the data you're putting in same in GNN where you can classify the whole graph maybe the results could be better depending on your problem because it can learn from the neighbors um again this is pretty big one permutation invariance if you change the structure of a graph

it will still give you the same results but in a normal Ann if you change the structure of the data it might not give you the same results uh for example lstm is a big one because lstm works on uh sequential data but if you change the sequence it might not give you the results like the same results that it gave you before so that's a pretty pretty big one and the last one is you again like a lot of people say that a neural network is a blackbox you don't know what's going in and you know you know what's going in but you don't you have no idea what's going inside a newal network but but in uh in GNN you can you

can probably see what nodes are more influential or what edges are more influential so there I mean still it's kind of a blackbox still but still you can uh interpret GNN better than Ann right now so because I I'm pretty sure you all heard about Chad GPT like he people have no idea what's going on in the architecture like what's going on in the data inside uh the Transformer architecture you're just seeing the input and the output uh so so uh GNN could help a little bit with that um so yeah so evolution of GNN is like in 2005 they have initial Concepts then they have spectral approaches which is like uh working with igen vectors I mean then

in 2016 they started working with spatial method which is actually like learning features or doing message passing and in 2017 this paper came out graph convolutional Network and it changed GNN forever because that's where they actually learned uh message P or did the message passing and learned the new features that way and so that was a pretty influential paper and it's been a lot of companies are using it and making money out of it now just because of that technology ology and after that graph attention Network came in uh and that was pretty big one too uh and then people started to build more scalable GNN and now they they are been used in different applications a lot of

different applications um so yeah you can see the growth over here the Publications are become huge over the years and if you see the Publications in uh important conferences they are going up every year too so so GNN are becoming an important architecture in neural networks um so now I will talk a little bit about dos attacks what they are and how GNN can help you detect with with DOs attacks so again dos attacks main uh main task or Main goal is just overwhelm and Target like a network or a website you know or a server um there are three different kinds of um targets there three different uh types of dasas attacks one is volume based

attacks uh which is the main goal is to uh overwhelm the network the other is protocol attack the main goal is to overwhelm a server or a fireball uh and then the application layer attacks the main goal is to you know overwhelm or to attack a service like a website so so right now what approaches are being used in D DS detection filtering techniques are a big one I I'm sure like rules tuning is like still pretty huge because they're super fast uh statistical analysis uh you know detecting anomalies uh using statistics and simple machine learning methods like kous neighbors and you know simple neural networks uh to detect um doos and they are pretty huge too right

now so the what are the advantages of using traditional approaches it's simple and the computational overhead is low um and they are effective against known attacks if you know attack they'll be effective um and there you can easily interpret them compared to neural networks much easier but now what are the disadvantages they they can't adapt to the new attacks that's like the biggest disadvantage for them um complex relationship you can't uh model complex relationship with the traditional methods um High false positive rates they will say a lot of time you know there's a d attacks going going on but it's not and that that costs a lot of money for a company um and low volume

attacks are hard to detect sometimes because they might because the firewall might not be tuned that way um so the GNN approach what's the GNN approach simple you represent a graph a network as a graph node features could be anything you know IP address port or traffic statistics um Edge features could be like bandwidth uh latency and you just have to use some kind of GNN architecture to learn node and Edge embeddings um and then you can classify a node if it's malicious or not or you can classify the whole graph if it's malicious or not and there you go you can predict D do attack that way so I really abstracted it over here but now

we're going to talk about the advantages of GNN approach and then we're going to talk about two different architectures we can use uh to detect dos with GNN so first of all you can you know the advantageous is like you can model complex relationship between different objects in a network um you can Auto like you can do automated feature learning again using gnns and it can generalize to unseen data which is pretty big one which you just really hard to do with traditional approaches um so this Advantage going to be like computational complexity like it's a pretty big one and it's with every neural network um again could be hard to interpret too because of course

still a neural network but you can see which nodes or which edges are influential but it's still could be very hard to interpret um okay so I'm going to talk about two different approaches right now to detect do do attacks the first one is where you can use packets as nodes in an Network graph so in this approach packets are grouped by source and destination IPS so all the packets between two uh you know two IPS are grouped as a graph um so how the node creation happens packet becomes nodes um and they're limited by predefined numbers so for example if there are like 30 packets uh if there's like 100 packets in a between two different IPS

you can make five different graphs out of it if you predefine the number as 20 um and you can use different features protocol type or other features in in a packet um so the edge type over here but would be you know uh if there's the same direction going on uh between um packets you can make an edge between those packets for example if a packet is going from one IP to another IP IP so you can create like an edge between the packet which is going which is going in One Direction and the packet which is come in or from a different direction so you can create an edge between that and um also you can create an edge between

packets in a group which means if there's a 10 if there are 10 packets sent at the same time uh you can create edges between all all those packets and if the if the server replies with six different packets at the same time you can create edges between all those packets so that's how a graph will be created and once the graph will be created uh so I mean you can see the graph over here too like it's probably easier too you know there's a TCP packet going in and there's a TCP packet probably coming back in the direction there's a edge between them and those TCB packet maybe going forward you can see the edges between those and one Edge

between the TCP and HTTP packet um so this is how a graph would look like in this situation so now after that it will become you know it will become a graph Neal Network problem but then after learning embedding it just becomes a normal neural network problem so how the architecture works here it's not that not super hard so over here once the graphs are formed each graphs learn their node embeddings using G gin which is graph I isopor ISO formis Network and this network is proven uh uh really good for discriminating between graphs so it is a really good graph classification algorithm so you learn your node embeddings using gin once you learn your

node embeddings you read all the nodes in the graph and once you get all the nodes you know after you learn the node embeddings you get all the nodes out of the graph you just pass it through a normal fully connected layer and use an activation function of your choice I mean um whatever is the best in that situation and you get your prediction so so the main thing over here is like how you create a graph and what algorithm or architecture you would be using using to learn the node embeddings and once you learn the node embeddings most of the time you just pass it through a fully connected layer and predicted so it's not super it's like

super different from a normal new network so this was a paper which had a accuracy of 99.59% on one data set and 97.5% on the other data set which is pretty high and you can see the Precision and recall are pretty high too which which is really really important in in DS attacks um and the F1 scores Prett like of course it's going to be pretty good because pre precision and recall are super high um so but in the second uh in in the second data set you do not really see that high of accuracy because that was more comprehensive data set but still an accuracy of 97% or 97.5% is still really good for a Doos

attack detection um so yeah so let's talk about a different kind of network again as I said before the most important thing in GNN is how you model the graph how you model in a network or any relationship so over here there this is a heterogeneous graph heterogeneous graph means they're not going to be one kind of nodes but like multiple kind of nodes so in this situation what you do is you create create different kind of nodes one is host nodes which represent source and destination IPS and the other is flow nodes which represent the individual flow between two IP addresses um so the features in this situation There Was 80 different features extracted from the data set in flow

nodes, and the host nodes were just initialized with all ones, so there were not really any features over there, so they just initialized everything with ones, because again, in any neural network problem you have to have the same number of features to get any kind of inference out of it. So yeah, and the edge types are pretty simple too: there was an edge from source to flow, and then there was an edge from flow to, you know, destination. So for example, if a flow is between two different sources, you know, two different IP addresses, there will be an edge from that IP to that flow and, you know, from

that flow to the destination IP. So it was pretty straightforward too. So over here you can see the graph, which is, again, you can see the host, there's a host IP over there, and there's flow, and from flow there's an edge going to the second host, and you can see clearly how the graph is built over here. And again it's heterogeneous because two different kinds of nodes are over here. So that was the important thing: because it's a heterogeneous network or graph, we need to do a little bit different things over here. So what we do over here is we will have different functions for message passing.

So for an edge going from source host to the flow, or from flow to the host, the learning function for the message is going to be Sigma St, and going from flow to host there's going to be a different function. So two different functions for different kinds of edges, and when you do aggregation or update, the functions again for different nodes are going to be different: for host nodes there's going to be a different function and for flow nodes the function is going to be different. So you see, over here there are four different kinds of functions: two different kinds of functions for different kinds of edges and two different kinds of functions for different kinds of nodes. So that was

the different thing over here, done because it was again a heterogeneous network. And once you have embeddings, once you have graph embeddings out there, you just pass them through a fully connected layer over here; you pass it through three different fully connected layers using ReLU activation functions and you get your predictions. And in this case the results were pretty good too: on this CIC-IDS2017 dataset you get 99.59% accuracy on the DoS GoldenEye attack, or you got pretty high accuracy, 99.65%, on DoS Hulk, you got 99.53%

can ask me all the questions about it if you have any questions, but that was the end of my

presentation. All righty, I think, yeah, no one's behind me I guess, right now it's probably lunchtime, so
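The host/flow graph and the four per-type functions the speaker describes, written out as an added example (this is not the speaker's code or the paper's implementation). It assumes a tiny constructed set of flows and hosts, and the weights are random and untrained, so the forward pass demonstrates the wiring of one heterogeneous message-passing layer (two message functions, one per edge type; two update functions, one per node type; host nodes initialized to all ones) and the three-layer classifier on top, not a trained detector:

```python
import numpy as np


def relu(x):
    return np.maximum(x, 0.0)


def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))


class HostFlowGNN:
    """One heterogeneous message-passing layer over host and flow nodes,
    followed by three fully connected layers (ReLU, ReLU, sigmoid).

    Constructed illustration of the design described in the talk; the weights
    are random and untrained, so the forward pass demonstrates the wiring only.
    """

    def __init__(self, flow_dim, hidden=16, seed=0):
        rng = np.random.default_rng(seed)
        s = 0.3
        self.flow_dim, self.hidden = flow_dim, hidden
        # Two message functions, one per edge type (host->flow, flow->host).
        self.W_host_to_flow = rng.normal(scale=s, size=(flow_dim, hidden))
        self.W_flow_to_host = rng.normal(scale=s, size=(flow_dim, hidden))
        # Two update functions, one per node type; input is [own features | aggregated message].
        self.U_flow = rng.normal(scale=s, size=(flow_dim + hidden, hidden))
        self.U_host = rng.normal(scale=s, size=(flow_dim + hidden, hidden))
        # Classifier on the flow embeddings: three fully connected layers.
        self.C1 = rng.normal(scale=s, size=(hidden, hidden))
        self.C2 = rng.normal(scale=s, size=(hidden, hidden))
        self.C3 = rng.normal(scale=s, size=(hidden, 1))

    def embed(self, flow_x, src, dst, n_hosts):
        flow_x = np.asarray(flow_x, dtype=float)
        src, dst = np.asarray(src), np.asarray(dst)
        # Host nodes carry no features of their own, so they are all ones of
        # the same width as the flow features (as the speaker describes).
        host_x = np.ones((n_hosts, self.flow_dim))

        # host -> flow: every flow hears from its source host and its destination host.
        msg_h2f = relu(host_x @ self.W_host_to_flow)        # (n_hosts, hidden)
        agg_flow = 0.5 * (msg_h2f[src] + msg_h2f[dst])      # mean over the two endpoints

        # flow -> host: every host hears from each flow it is an endpoint of.
        msg_f2h = relu(flow_x @ self.W_flow_to_host)        # (n_flows, hidden)
        agg_host = np.zeros((n_hosts, self.hidden))
        degree = np.zeros(n_hosts)
        np.add.at(agg_host, src, msg_f2h)
        np.add.at(agg_host, dst, msg_f2h)
        np.add.at(degree, src, 1.0)
        np.add.at(degree, dst, 1.0)
        agg_host /= np.maximum(degree, 1.0)[:, None]        # mean; a host with no flows gets a zero message

        # Per-node-type update functions.
        flow_emb = relu(np.hstack([flow_x, agg_flow]) @ self.U_flow)
        host_emb = relu(np.hstack([host_x, agg_host]) @ self.U_host)
        return flow_emb, host_emb

    def predict_flows(self, flow_x, src, dst, n_hosts):
        """Probability that each flow is an attack (e.g. DoS) rather than benign."""
        flow_emb, _ = self.embed(flow_x, src, dst, n_hosts)
        h = relu(flow_emb @ self.C1)
        h = relu(h @ self.C2)
        return sigmoid(h @ self.C3).ravel()


def build_sample():
    """Constructed toy data: 4 hosts, 5 flows. Flow features are scaled
    [packets, bytes, duration_s, syn_count]; host 3 has no flows at all."""
    hosts = ["10.0.0.5", "10.0.0.9", "192.0.2.10", "10.0.0.77"]   # constructed addresses
    flow_x = np.array([
        [0.02, 0.01, 0.50, 0.01],   # normal web request
        [0.03, 0.02, 0.80, 0.01],
        [0.95, 0.10, 0.05, 0.90],   # SYN-flood-like burst
        [0.90, 0.08, 0.04, 0.85],
        [0.01, 0.01, 0.30, 0.01],
    ])
    src = [0, 1, 2, 2, 1]
    dst = [1, 0, 0, 1, 2]
    return hosts, flow_x, src, dst


if __name__ == "__main__":
    hosts, flow_x, src, dst = build_sample()
    model = HostFlowGNN(flow_dim=flow_x.shape[1])
    flow_emb, host_emb = model.embed(flow_x, src, dst, len(hosts))
    print("flow embeddings", flow_emb.shape, "host embeddings", host_emb.shape)
    for i, p in enumerate(model.predict_flows(flow_x, src, dst, len(hosts))):
        print(f"flow {i}: {hosts[src[i]]} -> {hosts[dst[i]]}  p(attack)={p:.3f}")
```

The point to notice is the shape bookkeeping: because host and flow nodes have different feature spaces, each edge direction needs its own message weight matrix and each node type its own update, which is exactly why the speaker ends up with four functions instead of the two a homogeneous graph would need.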


e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e e

Oh, all right, are we... is this live? Can you hear me? All right, we're going to get going here. If you guys don't know Bash Ninja, you probably should; he's a good guy to talk to. Come find him after the class and he'll hang out with you for a bit. Anyway, he's done a lot with the infosec community within Utah, with 801 Labs and the hackerspace downtown; he's heavily involved in that, but he's also been a participant in a lot of other community programs and conferences, whether that's BSides, SAINTCON... did you even do HackWest for a little bit? Yeah. He's been involved in a lot

of those, and so like I said, if you don't know him you should get to know him. He's a good guy to know, and chances are if you have a harebrained project or idea he will probably get excited about that and help you make it better than you originally thought it would be. Anyway, today he's going to talk about a purely fictional company having a purely fictional experience about a purely fictional everything about it. Nothing real, right? Nothing real is going to be discussed

today. He does incident response work for his day job, smart dude, knows a lot about it. If you want to pick his brain about fun stories or projects or conferences or whatever, he's a good guy to do that with too. So anyway, I'm going to stop talking. Yeah, don't hesitate to come talk to him after, that's my big point: talk to Bash. All right, thanks Matt. Yeah, my name is Mike. Can you hear me all right? All right, I'm going to wander, because when I get nervous or when I get bored I wander. It drives my wife crazy because I'm pacing my office when I'm taking Zoom calls. Am

I the only one that does that? No, probably you do it too, you're laughing. Yeah, I pace during Zoom calls. I also get excited and I scream at my computer sometimes, like yes, I did that, I hacked that machine. I get really passionate. So if the wandering drives you nuts just, you know, raise your hand and say just hold still please. I am a senior CSIRT responder; that's the new title that my organization decided to pick this year. We change titles; large companies seem to do that a lot, I'm not sure why. But the gist of it is I was looking at my LinkedIn this week, because who doesn't want to look at their

LinkedIn, super exciting platform, right? And I came up with a tagline, and this is my best way to describe what I do: I make security nightmares less chaotic. Meaning when you're hacked you've got to deal with it, and it's really hard and it's frustrating and people are terrified, and so the job of an incident responder is to go in just like a firefighter, put the fire out, deal with it, make it go away. And it's really exciting. I have lots of new people come to me when I meet them at places like the hackerspace or at conferences, and they say, well, why do you like security? And for me, I like security because it's something new

every single day. Like, I'm dealing with a new problem, I'm trying to put out a new fire that I've never seen before, and I love it. I love learning, I love doing that stuff. So, well, here's the slide. I've been working in security for eight years; it's not a long time. Like, I saw people up here with 20-plus years, I've got a ways to go. Yes, I respond. I am a board member for the hackerspace in Salt Lake, this is the DC801, 801 Labs hackerspace. I'm going to plug, not DC801 or 801 Labs, I want to plug 435. It's a meetup that they do here in Logan once a month; it's the first

Thursday of the month, I think. Yesterday... did you go yesterday? Yeah, what did you talk about?

Yeah, so going and learning about Meshtastic, which is a lovely platform. I love it, putting those on the ESP32s and the other antennas, the... what is it, the Heltec ones? I think that's the board that I bought, super cool. Go: if you want to learn and get into security and you've not done it before, go to DC435, learn the things, meet the people and just get started, super important. I'm married, I have two kids and I have three and a half horses. I have four horses in this picture; one of them's gone and I switched it for a pony, so that's the half. I always get asked that, but I don't count her as a full

full horse. I love home labs; home labs is my favorite hobby. And I love teaching, and mostly I love teaching not in a presentation format but sitting down with people and just talking and learning and experiencing computers together. And so that's a bit about me. Oh yeah, I do like home labs. That's a bit about me. So I'm going to put the slides away for a second and I want to talk to you about security, and I have a specific phrase, let's see, did I put it up here? Yeah, a specific phrase that I'm going to bring up a couple of times in this presentation, because the story I'm going to

tell revolves around this. Super hard: so not keeping work and personal devices separate leads to disaster. We're all really bad at it, all of us. Like, how many of you have logged into your email account on your work laptop, your personal Gmail or whatever account? How many people logged into it on your... how many did it when you were using the Chrome browser? Yeah, right. I have a story for you about logging into your email account on the Chrome browser and it leading to a huge disaster. So without this separation between home and office it's really hard to stop doing it. So I put this picture; I found this on a

stock website and I loved it, it made me laugh because it made me think of my kids. Here is someone, I would assume it's a father, working while their little kid is here doing homework or drawing, or he's trying to keep them from bothering him. Keeping that home life and that personal life separate is so hard, especially since most of us work from home, or some of us work partly from home, or some of us don't at all, and it's still hard to keep that personal life from coming into your work. And the honest truth is you can't; you can't keep your home and personal life separate. It's not like two boxes like it is in

this picture; you are you and you're in both worlds. So what do I mean when I say keep them separate? I mean keep them separate on the laptop: don't log into your email account. And so I'm going to talk about a story, purely fictional like Zodiac said, no relation to anything I've ever experienced before, and it starts with a big alert. So I'm working incident response, and I worked at a company, and our SOC, our Security Operations Center, these are the analysts who are getting alerts, they get an alert and they come to me and they say we have a problem, and the problem is that one of our employees had their credentials

posted on the dark web. Like, great, how did you find that? Oh, somebody on HackerOne sent us a thing, said hey, look what we found, pay us money. Like, all right, well, pay them the money really quick, you know, because it's a bug bounty program, and then let's deal with this problem. And so how do you go about answering the question of there's an employee whose credentials, active working credentials, are on the dark web? How do you figure that out? This isn't for you to answer, I'll answer it for you: you go ask the employee, and you ask them, you know, what happened, what are you doing, what

what's going on. And so you'll ask the employee, and we did that. I sat down and I called this employee and I talked to him and said hey, we found your credentials on the dark web, and he freaked out, like really bad. Can you imagine getting that phone call? He's an engineer, so a developer, and he had access to some pretty production environments, and he was not happy with it. He was like, I don't know, I don't know how this happened, I don't know, this is my real password. Like, well, we see here that there was a two-factor notification that was pushed to you and you accepted it, but the notification

came to a cell phone in Chicago and the web prompt was over in Romania, so that's weird. And the VPN, the IP came from a ProtonVPN. Do you use ProtonVPN? Like, no, I don't use Proton. Yeah, this is a problem. Can you imagine that being used? Oh man, I can't. So this is what that looked like. We found it; this one was specifically on Pastebin, and this is a sample of what it looked like on Pastebin. Not great. This is just a few entries, obviously with a few things redacted, and I changed the password, don't try logging in, it's not going to work. Geez, can you imagine what would

happen if you see your passwords on Pastebin like that? So what did we do? We went into the box. We have EDR, so this is an endpoint agent installed on the machine that logs lots of things that are happening on the box, from processes to network connections. And me and my team, we spent like two days digging through this guy's MacBook, could not find a thing, just couldn't find anything. I was pissed off. I think, yeah, I got this video, this was me for two days, just really pissed, because I spent hours trying to figure out what to do with his box, because the leaked credentials

are on his machine, he's using them for work, these are work credentials, and he has one MacBook, and I couldn't find anything. Frustrating. Until I went back and looked at this. I was like, let's dig into this a little bit and let's research this. And so this is kind of a fun pattern, and this is a hint where it comes from. So let's see, I'll ask the audience: why do you think, where do you think these passwords come from? Chrome, right, Google Chrome, it's right there. And the thing is, Google Chrome... let's see, oh, we'll dig into that later. So I took this specific phrase and I Googled

it, and I found more leaks. You can actually... so I took this picture yesterday when I was making slides, so don't click any of those links; it looks like they had passwords on there. But it didn't help me, it just looked like there were other things that somebody had collected that were being put on Google Search, and that wasn't great. So not so helpful, until I went and did the same search in Bing. Who would have thought Bing gave me better results than Google, right? Which led me to this awesome blog, and at the end of the blog they had an appendix talking about this password.txt

file with stuff that's, sorry, it's right down at the bottom, with a pattern of passwords that have been leaked in the exact same format as our Pastebin. Okay, we're getting somewhere. So I dug into it; it looks like this is a Redline Stealer. Now this was kind of the beginning of my career, I didn't really know much about Redline. It is actually really common, I should have recognized it; now I would recognize it in a second. But this is a malware that gets installed on a device and it harvests tons of things. It'll harvest your Google Chrome credentials, it'll harvest your LastPass credentials, your Bitwarden credentials, it'll harvest your sessions in your

browser, it'll pull files off, it just harvests everything that it can. But it's so common that most of your EDRs and your malware software will pick up on it, and there was no evidence of this on my box. Kind of weird. Couldn't find it, till I thought a little bit more and I remembered. So I don't use Chrome, I don't know about you guys, I like Firefox, Firefox is amazing, and I use a password manager; I don't use the built-in password managers. Chrome has a built-in password manager, and let's go back to this: when I dug into it, the Redline is telling you what application it pulled those passwords from. This is

pulling it from the Google Chrome browser, the saved passwords. This is those passwords that, if you go to your mom's or your grandmother's computer and she doesn't know the password, it just autofills it in the browser. Yeah, that's what it is. And so what I had found is that the employee had logged into Gmail and it popped up and said hey, do you want to sync? And he's like sure, why not, I'll click the sync button, and it syncs his passwords across all of his devices. He has more than just a MacBook; he only has one work MacBook but he has other devices at home, and that's kind of what

that prompt looks like. And you know, he didn't really know, he just didn't pay attention. Tons of people just hit that save button to make it go away, because there's no easy... like, the X is kind of up there hidden, the UI isn't great, there's no easy way to just say I don't want to save these at all. They just keep prompting: I hit the never, and then on another website it pops up; they just hit the save and it goes away. And so I find out he's got these passwords synced, and I go to one of his other devices in his home and I find his kid's computer. I find his kid's computer and

I ask him, can we please install some monitoring software on there so we can dig into it? And I do, and on his kid's computer in the browser history I find this link, about the time of the password leak, on the website: some kid's looking up a Roblox hacking software on YouTube. It's a software you can pay for, and he says I want the crack for it because I want to pay for the hacks, and then he downloads it from some Google Drive link that was in the description of the YouTube video, and then he extracts it and runs it. Yeah, you see where this is going. So this is a device... oh, this

happened the next day. Then I see Malwarebytes installed on the computer, free malware removal. So the story of what happens here is the dad finds this computer ransomwared, and this is an actual document I pulled from, again, totally fictional, this is the actual document that I pulled from the machine. Like, don't worry, you can return all your files, pay us money. It's a kid's computer; you just remove it, install Malwarebytes and don't worry about your lost files, who cares, it's just Roblox. Well, it wasn't just Roblox, right? So I dug into this malware a little bit, and specifically researching these email addresses to see if these items

help me figure it out, and I find yes, there is a variant of some virus that is just installed in cracks, and that disables Windows Defender and does things like stealing browser-saved passwords. So what do you think? Have you ever logged into your email on your work computer? Yeah, it could be bad. And this is one of those things that translates not just to logging into your email or doing personal stuff on devices; we all make this mistake. How many of you have a password manager, right? How many of you have a password manager that's different, that's two password managers, one for your work stuff and one for your personal

stuff? Yeah, so why do we do that? Because we don't want this to happen to us. So hard, yet most people don't, most people don't. Most people, if they have a password manager at all, they just have one. They'll go buy their LastPass or their 1Password, or they'll get a Bitwarden account, and they'll just put everything into the same password manager and call it good. And then when they log into another device, our corporate monitoring software isn't there, right? And so there's a lot of ways... I want to... oh, I only have a few minutes, but there's a lot of ways we can think about this. We can think how do we

fix it, right? That's the most important question, how do we fix this problem? Well, we can fix it by going in and making rules and, you know, tweaking settings to make it so this isn't possible. For example, see, yeah, I don't have a picture on that, but for example Google Chrome: if you go into, on Windows, you can set a GPO policy, say I don't want to allow users to sync things to their Google Chrome, and at the top of the box it'll say, you know, some of these settings are managed by your organization. Maybe you've seen that before on a corporate device; you can enable a feature to disable that. The problem is that's one program and

that's one vector of attack; it's not all of them, and we're not going to be able to stop all of these different ways unless we go into some very draconian monitoring practices. And in some organizations that's important, right: in the DoD you have completely separate networks for the different levels of classified materials, you have those different networks. We could do that; it's just not really feasible. And so we have to learn how to separate our home and our personal life. I wanted to talk about the LastPass hack that happened a little bit ago as a real example. The other one was totally fictional; a real example of what happens

if we don't. So I just searched the LastPass hack and these are just the headlines that came up, so I did a Google search, and talk about it. What happened to LastPass was that an engineer had a Plex server running on their machine and they forgot to update it and it got hacked, and this is on a personal device. He's a LastPass engineer, so of course he's got LastPass on his machine; he didn't separate and have two LastPass accounts. Oh, right, not great. And it actually ended up really bad. So there are two problems here: one, obviously they had some sort of issue, they had a

three-year-old vuln; he could have patched Plex, fixed it. But two, and this is the real one, his home computer is the vector for attack. And so as security people, as employees, or as people who make policy decisions, we need to think and realize that our home devices and our home personal stuff are a huge vector for attack that cause big, big problems. Here's another one that was really fun; this was 2022, this was the Uber breach. This one was one of us: this was a breach of an incident responder. Makes me sweat a little bit when I think about it, because I'm an incident responder, right? And

they got access to their EDR software. If you recognize this, this is the login page for SentinelOne, which is basically keys to the kingdom, because they have remote management capabilities: you can send commands to almost any machine within the entire company, but definitely any machine that has this installed. So that's great, yeah. I blurred out the name just to be nice, but he is on the IR team, which means that he's going to have full privileges. And so we have to be careful, we have to be super careful in what we do as the security team in keeping these things separate. Yeah, thanks. Yeah, that's all I had. I wanted

to tell you my story, I wanted to tell you about this incident that I had, and I wanted you to think a little bit about that. If I could give you one takeaway for you guys to take home and say this is what I'm going to do, it would be to log out of all the personal stuff on your work laptop. Please just do that, and come up with a way to separate the two. Some of you are good at it and don't need that problem. If you're good at it in that way, maybe go even farther and create a separate network if you work from home, that's a separate VLAN for your work

devices and for your home devices, because I can guarantee you that we're going to see at some point somebody's IP camera, it's going to cause another breach, we're going to find that out, and it's going to be sad. But yeah, thank you so much.
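The fix the speaker names, a managed browser policy that stops Chrome from syncing work credentials to a personal Google account, as an added example (not the speaker's configuration). It assumes Chrome's published enterprise policy names `SyncDisabled`, `BrowserSignin` and `PasswordManagerEnabled`; the weak and hardened value sets are constructed for the example, and the audit function treats a missing key as a finding because Chrome then falls back to its permissive default:

```python
import json

# Chrome enterprise policy names (real policies). The two value sets below are
# constructed examples: WEAK_POLICY is the state the talk describes (sign-in and
# sync allowed, built-in password store in use); HARDENED_POLICY closes that path.
WEAK_POLICY = {
    "SyncDisabled": False,
    "BrowserSignin": 1,              # 1 = allow the user to sign the browser in
    "PasswordManagerEnabled": True,
}

HARDENED_POLICY = {
    "SyncDisabled": True,            # no profile sync to a personal Google account
    "BrowserSignin": 0,              # 0 = browser sign-in disabled entirely
    "PasswordManagerEnabled": False, # no built-in password store for a stealer to harvest
}

# For each policy: the value we require and the risk if it is not set that way.
EXPECTED = {
    "SyncDisabled": (True, "profile sync to a personal Google account is allowed"),
    "BrowserSignin": (0, "users can sign the browser into a personal Google account"),
    "PasswordManagerEnabled": (False, "the built-in password manager can store work credentials"),
}


def audit_chrome_policy(policy):
    """Return one finding per setting that still permits the leak path in the talk.

    A missing key counts as a finding: Chrome then uses its default, which is the
    permissive behaviour, not the hardened one.
    """
    findings = []
    for key, (want, why) in EXPECTED.items():
        have = policy.get(key, "<unset>")
        if have != want:
            findings.append(f"{key}={have!r} (want {want!r}): {why}")
    return findings


def render_managed_policy_json(policy):
    """JSON body for a managed-policy file on Linux
    (/etc/opt/chrome/policies/managed/<name>.json). On Windows the same keys
    are delivered by GPO under HKLM\\SOFTWARE\\Policies\\Google\\Chrome, which
    is what produces the 'managed by your organization' banner the speaker mentions."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_chrome_policy(pol) or "OK")
    print(render_managed_policy_json(HARDENED_POLICY))
```

As the speaker says, this closes one program's vector only; the audit is worth running because a half-applied policy (for example `SyncDisabled` set but sign-in still allowed) leaves the password store reachable.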

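The signal the SOC had in this story was a two-factor push approved from a phone in one country while the web prompt came from another, over a commercial VPN exit. Added example (not the speaker's tooling) of that detection logic run over constructed authentication events: it pairs each web login prompt with the push approval that follows it for the same user, flags a country mismatch or an anonymizing-VPN source, and, going slightly beyond the talk, also lists push approvals with no matching prompt. The event schema, the sample lines and the `ANON_VPN_LABELS` set are all assumptions constructed for the example:

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "jdoe" matches the pattern in the
# talk: web prompt from Romania over a VPN exit, push approved on a phone in
# Chicago. "asmith" is a normal login from one place.
SAMPLE_EVENTS = """\
{"ts": "2024-03-04T14:02:11Z", "user": "asmith", "event": "web_login_prompt", "ip": "203.0.113.8", "country": "US", "city": "Chicago", "asn_label": "ExampleISP"}
{"ts": "2024-03-04T14:02:25Z", "user": "asmith", "event": "mfa_push_approved", "device": "phone-asmith", "country": "US", "city": "Chicago"}
{"ts": "2024-03-04T14:10:03Z", "user": "jdoe", "event": "web_login_prompt", "ip": "198.51.100.23", "country": "RO", "city": "Bucharest", "asn_label": "ProtonVPN"}
{"ts": "2024-03-04T14:10:41Z", "user": "jdoe", "event": "mfa_push_approved", "device": "phone-jdoe", "country": "US", "city": "Chicago"}
{"ts": "2024-03-04T16:30:00Z", "user": "jdoe", "event": "mfa_push_approved", "device": "phone-jdoe", "country": "US", "city": "Chicago"}
"""

# Source labels treated as anonymizing/commercial VPN exits. Constructed for the
# example; a real deployment would take these from ASN/GeoIP enrichment or a feed.
ANON_VPN_LABELS = {"ProtonVPN"}


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_mfa(events, window=timedelta(minutes=5)):
    """Pair each web prompt with the first push approval for the same user within
    `window`; flag pairs whose locations disagree or whose web source is a VPN exit.
    Approvals that never pair with a prompt are reported separately."""
    findings = []
    prompts = [e for e in events if e["event"] == "web_login_prompt"]
    pushes = [e for e in events if e["event"] == "mfa_push_approved"]
    used = set()
    for p in prompts:
        match = next((i for i, a in enumerate(pushes)
                      if i not in used and a["user"] == p["user"]
                      and timedelta(0) <= a["ts"] - p["ts"] <= window), None)
        if match is None:
            continue
        used.add(match)
        a = pushes[match]
        reasons = []
        if a["country"] != p["country"]:
            reasons.append(f"country_mismatch web={p['country']}/{p['city']} push={a['country']}/{a['city']}")
        if p.get("asn_label") in ANON_VPN_LABELS:
            reasons.append(f"anonymizing_vpn {p['asn_label']} {p['ip']}")
        if reasons:
            findings.append({"user": p["user"], "ts": p["ts"].isoformat(), "reasons": reasons})
    for i, a in enumerate(pushes):
        if i not in used:
            findings.append({"user": a["user"], "ts": a["ts"].isoformat(),
                             "reasons": ["push_without_web_prompt"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_mfa(parse_events(SAMPLE_EVENTS)):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

The pairing window matters: too short and a slow user's approval is reported as an orphan push, too long and two unrelated prompts can claim the same approval, so tune it against your own identity provider's timing before treating the orphan case as an alert.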

Hey, is this working? Yeah, all right. Everybody, thanks for coming out. This is Preparing for the Incident That Everybody Is Ignoring, and a little bit tongue in cheek here, but it can feel this way sometimes when you're staring down at something and waiting for a rough ride to happen. My name is Jason Wood, I'm a security researcher on a large threat hunting team, full-time. I want to be clear that everything I say here is my own thoughts and opinions and stuff like that, so I'm not representing my employer at all. Okay, we're good. So yeah, this is all just me, not where I work.

So I don't know if anybody's had this experience: you are looking at something in your organization and you're like, crap, we've got to resolve this, we've got to do something to address this, we think it's very likely this is going to get exploited and I really don't want to experience that. So I'm going to use an example of single-factor authentication; it's a popular one. We decided we need to do something about it, to address the use of single-factor authentication. So the right thing to do, of course, is to turn around and write this up to our employer and try and get some support, because

obviously we're going to need a little budget to get multi-factor authentication in, or whatever it is we're recommending. So we communicate the risk and the potential impact to the organization, and, you know, maybe we say something like this, and I try to make this as real as possible: adversaries are actively compromising accounts, taking advantage of single-factor authentication to gain access to companies and then spread internally. Their attacks result in intellectual property theft, extortion, data encryption, and the cost can run into the hundreds of thousands of dollars or more. And small organizations, it doesn't matter; you get hit with ransomware or some kind of data extortion, it becomes

nightmarish. I took two trips for work; I'm sitting in the airport talking to somebody, they find out that I do security, and both of them told me about their companies being ransomed. One guy's like, yeah, had to pay $100,000 to get it back. The next dude looks at me, says, well, bless you in your work, we got hit, we paid over a million dollars to get our company back. So, yeah, that's a bad day, right? So this is real, and we can find examples of this all over the place in the news now. So we make it real to our management: we need to implement multi-factor authentication to reduce the risk of this type of attack and the associated

financial losses. And our management looks at it and they come back and say no. Now there may be a lot of reasons why they say no. There may be other things going on inside the business that they just can't do it right now; you may agree with it, you may not, if they tell you about it. It may be something just absurd, where no, we really don't care, you're here to do security but we really don't want to give you much in the way of resources, we're just doing the bare minimum, right? And with this, you know, you get pissed off about password stuff too. Boy, you can really cause some

friction that way. So what are we going to do? We've got a few options. First one is we can quit, just rage quit on the spot, screw it, I'm out of here. Or, you know, maybe we actually were candidly looking at it and going, well, is it the right place for me? This is the fifth time that we've tried to do something to improve things and they're not very serious about it. That's an option, maybe not the best option, particularly the rage quitting; that makes paying the rent really difficult, and it leaves the problem hanging out there. We could go to another option, which is do nothing: hey, I did the best I

could, I brought it up, they said no, moving on. We go along naively at that point, or we become more bitter about it and get upset, and that's miserable to do for work, that sucks. But for our purposes, what are we going to do, you know, to mitigate this as much as we can? Well, the best option that was put to me one time when I asked about this type of scenario is: look, go ahead and create what you can of a plan, so that if and when it hits the fan you're the person who is prepared for this. So that's what we're going to talk about today, and we're going to be moving

pretty quick, for 25 minutes. So put this into a little bit of a framework, to call it that. We're going to plan and document: we're going to come up with our plan, make sure it's documented as well as we can. We're probably going to do this a bit at a time as we go, because they probably want us to do other things that they have going on. We're going to mitigate what we can, so we'll talk about that; there's still things we can do in this situation of single-factor authentication. And then we're going to communicate that plan to our management, because if they don't know we have

it then it's of no use to anybody. We want to spread the word around a little bit so that they know what's going on. So if I'm starting out on this, I'm going to start to identify different problems, things that we can do in response to this, and document it. Now if we're new, the company is new to incident response, they don't have any kind of incident response plan at all, the first starting point is like, hey, who's part of incident response? Identify who the heck that should be, and there are going to be people in here that you may not think of. When we think of dealing with an incident, some kind of intrusion, we think of

technology people, but you're probably going to have somebody from legal who needs to be involved, possibly HR, PR, public relations, because maybe we're dealing with customer data and things like that. So we have to identify who these positions are as well as all the technical people that would be involved in this. I'd recommend identifying them by position, not name, because somebody might change jobs. So we document that. How do adversaries compromise accounts? Well, let me start brainstorming this, you know, look at the news. Well, we have phishing that happens, right: either somebody enters their credentials into a malicious website, or they download an executable and they give the bad guy remote access to the environment. They're

now running as my credentials, right, and with my privileges wherever I go. What else? They're brute forcing. Pope was in here talking about not hanging RDP out on the internet, or VPNs with single-factor authentication; it happens a lot actually. And the bad guys... who here has hung an SSH server out on the internet on port 22? How soon did the brute force attacks commence? Yeah, it was like, now. You enable the port, go. So yeah, they're going to brute force at it. There could be other things that they'll do. What are the likely points of initial access? Well, it could be that remote access because somebody executed a binary that then

dialed back and did C2 or whatnot and gave them access. It could be a VPN, could be an SSH host that's hanging out there, heaven forbid it could be RDP hanging out on the internet, or whatever. Where are these points? We're just going to try to identify some of this stuff. Remember, we're also doing this... this doesn't have to be perfect, right? We're building a plan, so we're going to iterate over this and then start thinking from there. Now that we've identified how they could be compromised, where they'll come in at, what are they going to do when they do come in? What are the likely actions that they're going to

take so I'm going to pick on maybe rant somewhere because I see that an awful lot where I work they come in they drop tools to discover additional host to get additional credentials they move laterally throughout the environment they'll try and kill security tools they'll drop typical binaries that you'll see related to that and you can read all about those and various reports that are out there um and then they'll try and detonate either copy data out so they can extort you for it or they'll detonate some kind of ransomware to lock it up and then they'll start making their demands so what do we need to do now to detect a compromised account and we

start thinking down that path and you know what's the logging that we need to have in place what are the things that going to allow us to see when something starts behaving abnormally like somebody rdpd in from um what's Jerry over here doing logging in from Russia or something like that or somewhere in the Middle East I know where he lives it's not there right um so we you know we start heading down that path through each of this we're documenting each of the things that we're finding out the different things that we're discovering how are we going to to go about this what are some procedures to detect that compromised account document those procedures and make sure we're building

this body of work all right we're going to continue on here so now we've got okay we've got develop some capability to detect an account or a compromise how are we going to contain them so you start thinking down that process again documenting it as a go um well I could disable the account for a period of time we could disable the ability of them to this account to log in remotely I don't know whatever it is that you're doing that's appropriate for your organization what tools are you going to need to do that with by the way um so yeah what are what are the tools we're going to use what are the procedures for this write all of

that up once we've got the adversary contained are we going to get rid of them because when something happens somebody calls you up and says hey I've got something weird happening in my account or we've detected this unusual VPN uh connection um that launches us into incident response we're up here on contain trying to slow them down just long enough for us to figure out what's going on now we've got to move into the eradication let's get them out of the environment um and how are we going to do that so we're going to have to collect information to figure out the scope analyze it uh probably going to have to preserve that for some kind of

after action or maybe even legal review or whatnot um and then what are the steps we going to take to actually get them out of there and then finally we start to do the recovery which could include things like resetting accounts setting up new accounts uh rebuilding systems totally restoring data what else is appropriate for your environment right and so we keep building out this plan and so then we finally get down to okay what's a good idea here how do we do the lessons learned from this um because we've just gone if we go through an intrusion like this we're going through an incredible learning experience really painful learning experience but if we're paying attention

we'll learn something about things uh how we could do things better and where we fell down so don't let it go to waste so this is the high level building of our plan and you may start this out as an outline and then start filling in different bits and pieces as you go um and it's going to take time like I said your your employer is probably going to want you doing other things so this is not something where you're going to come up and say okay in a week I'm going to get this work you know I'm work all week on this and get this done that's not likely you're probably going to spend

months working on this fortunately we're we're doing preparation here right and then now um this leads to the thought where are we going to store this plan what makes the most sense to to have an incident response plan plan now I worked at a place that they literally had a binder like a huge binder for incident response and Disaster Recovery we had a customer uh and that was back at our parent company we were subsidiary the we had a customer that wanted to see the plan the ciso got on a plane with the binder flew it out to show them the plan you know but it was it was that type of thing uh but really

how useful or scalable is that particularly you know how many people have co-workers that are in different locations I've got lots um so we're going to have to have some kind of electric documentation but we also need to be aware this could be compromised the bad guy could find it they might deny us access to it uh they might do it accidentally they Ransom the SharePoint server that we had it on oh crap now what uh so we have to do some preparation for that but we also want to think about some of the risks and uh and rewards here okay just check in time uh risk versus rewards right that that binder that our C so like to carry

didn't like to carry around but ended up carrying around, was not the most scalable thing in the world. It definitely wouldn't work very well in a distributed team. So obviously we're going to have to do some stuff in an electronic format: put it in something like a wiki, put it in SharePoint or some kind of knowledge base so other people can see it and access it. We're going to want to lock that down appropriately. Don't grant access to the entire company; make sure only a few folks have access to this and protect it as best we can. This gives us the advantage of we can share it out, and this is a fun one:

frequently it has authors: who wrote this, when did they write this, and what is the version history behind this? Who here has read somewhere where an incident starts happening and one of the questions that gets asked is, who did this? Whose fault is this? They're going to start looking for somebody to blame. This is an intense emotional experience that people are going through, and looking for somebody to blame for it and make an example of is a human tendency. So this protects us: everything we've been documenting and collecting, we can show we've been working on this and preparing for a while. Yeah, so we've talked about all of that.

Oh yeah, and maybe print a backup periodically: dump it to a PDF, print it off, just in case the wiki gets knocked down. Mitigate: this is do what we can. You know, we can't implement multifactor authentication in our situation, we've been denied that, we don't have the budget for that. Okay, but let me go and check some things. Let's verify our audit logging is actually happening, because if an account gets compromised this is going to be one of the key places to find that information. Where are the logs going? Are they going to a centralized place? Is it happening across all systems? Again, Pope earlier today was talking about systems that

nobody knows about. I can't tell you how many times I've done pen tests, compromised a system, and they're like, what system is that? Oh crap, I didn't even know that existed. Well, it was my foothold, and away we go. Practice using the tools and the procedures we documented; in fact, have other people practice it. You've documented it. Who here has written a document and then you go back and you read it later and you're like, oh, did I skip words? I knew what I meant to write. I skipped entire steps. So you'd hand it off to somebody you're working with and say, hey, try this out, and they come back and say, dude, your

instructions suck, you missed this. Oh, I can fix that, right? So that's what we're doing here, and we're getting experience. It's a whole lot better to get that experience while things are at normal operating tempo rather than when everybody's hair is on fire. And then maybe start to remind some people about, hey, here's how you report problems. This is more the corporate, you know, across-the-company type of thing: if you see something weird, here is how you respond to this, you contact the help desk, the SOC, whatever it is. This is obviously not an entire list; this is just a few things. Whatever is appropriate for your environment, you're going to have to spend time digging into that and finding

all of these different steps. And then, you know, we've started finding mechanisms to detect when an account gets compromised. Don't wait for something to turn red; go out and actively look for it. You might be surprised at what you find. You think things are locked down and you find out, no, they're not. I remember an application we set up one time, off the side of this, but when I was a sysadmin and security engineer, we set up a web application. It was handling all kinds of identifiable information. The company did mortgage fraud detection, right? So everything needed for a mortgage, which is all of it confidential, and they're uploading stuff to this web application that we

controlled and we processed. I stand up Snort and my session data and am looking at packet captures, and I'm like, oh crap, this is all in clear text. What's going on? It was a misconfiguration on the web server, and everybody was going to port 80. So you discover things this way. So go digging; you will find things, and you'll find how your environment works. And then finally, communicate. This one we want to do perhaps a little carefully. The last thing I want to do, I may be really pissed off because you told me no, this is a real problem, I don't want to send an email to my boss saying, hey, you know how you told

me we couldn't do that, this thing? Well, here's the documentation on what we're going to do in case it happens. And your boss is like, screw you, you're a jerk. So that's not going to work out real well. So maybe we come in and say, hey, you know we talked about doing this? I was thinking about it. I documented a plan for how we would deal with this and how we could respond if something happened, and I've just been building this over the last few months. Can you take a look at it and give me some feedback? There's two reasons for getting feedback from them. One, we'll get some improvements,

potentially. But two, even if they only give it a cursory look, they now have more awareness that it's there, because how many people get emails and don't really read them? So we're getting a little bit more awareness out there and kind of moving somebody into seeing that, oh, we did something good. I would recommend communicating in email. Why? Because emails tend to hang around; chat does not. I don't know how about you, you know, it scrolls off, we can't find things very well, maybe it has dates and times on it, whatever. In an email, if it happens, they come back to us and they say, why didn't you take care of this? You go, I did, see, here's the plan,

here's where I emailed it to, here's where you replied. I've been through that one, and boy, was that a saving grace. So we communicated out; now we've got some awareness. Now there are a few possible outcomes to all of our work that we've done. The first off is nothing happens, a breach never occurs. That's