
Cybersecurity Lessons From Jurassic Park - Rohit Satpathy

BSides Bristol · 2025 · 35:00 · 36 views · Published 2025-01

So today we'll be talking about cyber security lessons from Jurassic Park. I'm not sure if everybody's familiar with the movie, but I just want to clarify that we'll be talking about Jurassic Park and not Jurassic World or the million other versions that we have so far. I'm going to start off with a quote from Michael Crichton, who is the author of Jurassic Park; Jurassic Park is based on a novel, for those of you who are not familiar. This is one of his most popular quotes: "In the information society, nobody thinks. We expected to banish paper, but we actually banished thought." We'll talk about what this means in the context of

Jurassic Park and also modern incidents in cyber security. First, a little bit about me. Just like Michael Crichton, I'm a big fan of dinosaurs; you can see me with a T. rex, and UC Berkeley there. I also enjoy flying planes. It's been kind of difficult to even explain what I do these days; I guess I would call myself a cyber security researcher and YouTuber. Some of you may know me from The PC Security Channel, which is now one of the most popular cyber security channels on YouTube, so if you enjoy content on testing different cyber security products, following the latest threats, stuff like that, you can find it on there.

But now we're going to enter the world of Jurassic Park, and we'll be talking about this, as I mentioned, and not whatever this is. Jurassic Park at its core is a story of systems analysis, and it's actually a story about malware. Many of you may not be familiar with what I'm talking about if you haven't seen it in a long time; it's about dinosaurs, right? Well, the dinosaurs only become relevant when the malware is executed, and there's a very clear execute button there. So I'm going to play a brief clip from the movie just to remind you what this is like; hopefully we can get some

audio. [Clip from the film plays] "Access main program. Access main security. Access main program..."

"Ah ah ah, you didn't say the magic word!" "God damn it, I hate this hacker crap!" [inaudible] "Phones are out too." "Where did the vehicles stop?" "The most convenient location, right in front of..." [clip ends]

So hopefully that gave you a bit of nostalgia, but as you can tell, what does that remind you of? What does the main malware screen in Jurassic Park, the main prompt, remind you of? Well, modern ransomware. It's literally the same kind of message: well, you can't access your systems. Of course, in Jurassic Park it was deployed by an insider threat; modern ransomware is typically hackers deploying it within your network, but it's the same fact. We're going to talk about the systems of Jurassic Park and how similar they were to the systems that we're going to look at, which are modern systems, and the

movie was ahead of its time, as was the novel, in more ways than one. Obviously visual effects and all that, but also in terms of the problems we're dealing with today. At its core Jurassic Park is about complexity and control. One of the core concepts of Jurassic Park is chaos theory. There are two main scientific underpinnings of Jurassic Park: one is chaos theory and the other is the idea of fractals. We're going to talk a little bit about chaos theory. Chaos theory is this idea that complex systems are inherently unpredictable. We have this quote from the book itself: "Chaos theory teaches us that straight linearity, which

we take for granted in everything from physics to fiction, simply does not exist. Linearity is an artificial way of viewing the world. Real life isn't a series of interconnected events occurring one after another. It's a series of encounters in which one event may change all the others that follow in an unpredictable way." This applies to a lot of incidents. We like to think of things as a chain: one thing happens and another thing follows, and then the next thing follows from that. But in reality these are complex systems which are interacting, and one interaction can affect everything else, and there's no better example of that than the latest CrowdStrike

incident. So here we have, this is actually the thumbnail of my video, but as you can tell we have two sides; that's basically planes taking off from the United States, one before the update and one after the update. You can see how the planes just stopped taking off; there are no planes in the air after the CrowdStrike update goes live. Now I'm pretty sure when you're going to the airport you're not thinking, well, whether or not I'm going to take my flight, let me check what updates CrowdStrike has released and the stability of that. No, you don't think that that's part of the

system; we just take it for granted. But in reality that's what chaos theory means: there could be something within the whole system that you may not be aware of even existing, but these interconnections lead to unpredictable events. The other concept that Jurassic Park covers is fractals. Here we have an example of the dragon curve, which is fractal geometry. Now you may have heard of fractals in the context of video games, so games like Minecraft where everything is generated from the concept of blocks stacking together; here's an example of a mountain. The idea of fractals is that everything, the world, is made up

of repeating patterns. So for example if you look at a mountain range from a distance it has a particular shape. Now you zoom into that range, you look at a particular mountain, you see, well, it's the same thing, and the more you zoom in you realize it's the same thing; you look at one part of the range and you could repeat that and get a bigger mountain range. In Jurassic Park it's implied that this kind of sameness or repeatability also applies in time. So in terms of failures in Jurassic Park, they stack up; it's a repeating pattern, and in the book this is mentioned in iterations. For example in the initial

iterations we have quotes from Ian Malcolm, who is one of the main characters, saying "instabilities begin to appear," and then once the pattern is really complex it says "system recovery may not prove possible." So now we're going to delve into the fun part, comparing Jurassic Park to systems we work with today, and we're going to start off with the concept of automation. Automation is great; we all love it; it means we have to do less stuff. But Jurassic Park is a case study of how automation can go wrong. Jurassic Park decided on this state-of-the-art technology of, you know, who needs drivers, right? Driverless cars, isn't that great? We talk about that a lot today. They decided

we're going to have all of our park attractions on this main track where these electric cars, totally non-polluting, top of the line, "spared no expense" as Hammond says in the movie, go on this track, and basically you don't need to drive them, because why would you? That's all well and good, and of course they look fancy, spared no expense, but when you have a T. rex chasing you and the power goes out, well, guess what: you need a gasoline-powered Jeep. That's how they get out in the end. So here's the funny thing: Jurassic Park is another case study of how to invest your

resources. Hammond talks about sparing no expense when he talks about the chef in Jurassic Park, when he talks about the voiceover effects, but the one place he did actually decide to save money was on the one developer who made the whole system. If you've seen the movie you might think of Nedry, the main developer of Jurassic Park, as this evil character who takes money from a competitor to run this malware, but if you go through the book there's a bit more background to it. Apparently Nedry was quite annoyed with the project, because late in the schedule

they wanted extensive modifications and didn't want to pay for them; they wanted them to be included as part of the original contract. They threatened lawsuits and implied he was unreliable, and in the end he basically had to pay for that out of pocket, and this is one of the main reasons Nedry decides to go ahead and work with a competitor to make a ton of money and become an insider threat. Now Nedry's example may not be very common in our current world of cyber security, but what is quite common is the idea of an insider threat, or even an outside contractor like Nedry who is not necessarily fully part

of the organization, but you hire a contractor to do certain things, and if they get compromised that can obviously lead to unwanted consequences. Now here's the funny thing about the problems in the security systems of Jurassic Park; this is a quote from the book: they were high on the bug list, but it wasn't a bug, he had programmed it that way; it's what you would call a classic trapdoor. And this is quite common, right? It's like the router having the admin password on the back. Partly it's that he wanted to have a way of getting into the systems if something got messed up and he had to come in and reset them, but of

course he used it for other reasons, as you can see. Now one of the main things about the idea of Jurassic Park is the concept of unintended consequences, and we'll get to that malware code; we actually have a snippet of the actual code that was used in the book. But the main idea here is, when we take certain actions, especially when we're deploying systems in the real world, we often think that whatever program we're running, whatever procedure or process we're deploying, is only going to have the consequences that we anticipate. This is a very common way of thinking, especially if you're a software

developer: you're like, oh, I wrote this code to do this, and then you run it and something completely unexpected happens, because again it's the law of unintended consequences. Nedry never intended for the dinosaurs to get out; he obviously just wanted to quickly go to the dock, drop off the embryos and as a result gain a few million dollars, but the unintended consequence was that the entire park's systems... when you disable the fences, all the animals can get out, basically. Now we're going to talk a little bit about the complexity of Jurassic Park and how that's relevant. When they're trying to diagnose what's going on

with the systems, Jurassic Park had four million lines of code, and when they're trying to go through it: "What are you doing? Checking the code by inspection? That'll take forever. Tell me," Arnold said, "tell me." I think we've all been there, where you have poorly documented code that's scattered across an organization, and it's in the moment of crisis that you actually have to figure out what it does, and that's exactly what happens in Jurassic Park. Now this is the actual code that's referenced in the book, and as you can see it takes them quite a while to discover that at the end of the day this wasn't really a case of

the code malfunctioning; there's a very specific object call that links the security and perimeter fences and sets them to off. That's the one that's indicated by the arrows. What's quite interesting as well is the notion of objects and object-oriented programming, considering how old the movie is. So I highly recommend, for those of you who are interested in explanations of these things, go read the book; it's got some really high-level details on it. Obviously all of this leads to the fun part, which is the T. rex breaks out and the park starts falling apart. Now another core concept of Jurassic Park is the notion

that the system was inherently simple and controllable; after all it's just a zoo, it's just a bunch of animals, why can't we control it? But this quote goes into detail as to why that's a problem: "So you look at that; that's your simple idea. You create new life forms which you know nothing about. Dr. Wu doesn't even know the names of the things he's creating. He cannot be bothered with such details as what the thing is called, let alone what it is. You never learn anything about them, yet you expect them to do your bidding, and you forget how little you know about them and how incompetent you are to do the

thing that you so frivolously call simple." The reason you have a situation like that, and it's quite common these days, is because of the nature of abstraction. Abstraction, we are told, is a good thing, right? When you're writing programs you want to abstract as much as possible, because that means the decision maker doesn't need to know exactly how the code functions. So we have people with different levels of knowledge, and each of them can focus on their own thing without understanding anything else. Now that's well and good until you have a situation where you need broader context. Another quote from Jurassic Park that talks about this is when he's talking about the

scientists of Jurassic Park, because it suggests that they're so smart, but Malcolm says, well, they're smart, but "they're technicians. They don't have intelligence. They have what I like to call thin intelligence. They see the immediate situation. They think narrowly and call it being focused. But they don't see the surround. They don't see the consequences. That's how you get an island like this, from thin intelligent thinking." Now when you think about the CrowdStrike update again, very strong parallels. I'm pretty sure the developer who was working on the behavioral detection rules that were deployed was just thinking about what the detection rules would do. They're not worried about, well, what if this affects

the driver in some strange way and causes instability? And then he wasn't thinking about, well, there are so many systems that are running our software; if this causes a system crash, what's going to be the consequence of that? The developer wasn't thinking about any of those things, and we're building a world where more and more people are really involved in their own problems and don't really have a reason to look at the broader context or surround. We have experts in their particular domains, but they don't necessarily understand how their work connects to everything else. So for example many of you may remember Gennaro: the moment he saw the dinosaurs his mind went, we're going to make a fortune with this

place. And then you have this classic situation of, so what is a raptor, what is a dinosaur really? To Hammond, who is an entrepreneur, it's like, well, it's a money printer, and to Wu it's like, this is version 4.4 of the genetic code; he's hyperfocused, he's like, this is version one, version two, we made these changes to the genes. And the only person who knew anything about dinosaurs on the island was Alan Grant, who was the paleontologist, and the moment he saw the raptors he was quite concerned, because he knew what a raptor is and what these things are. So he's thinking at a deeper level

about what this creature is, what it represents, what it means to have a raptor alongside humans, whereas everybody else was just focused on what it meant for their part of the problem. Now here's another recent incident I want to talk about. Just a few days ago Linus Tech Tips, one of the largest YouTube channels, his Twitter got hacked and it started promoting these fake giveaways and stuff. That happens a lot these days. I made a video about it on my channel; it's quite popular, trying to talk about targeted attacks. Now I purposefully made this thumbnail; some people were like, is this okay? It's a little

bit mean. I was like, well, the reason for making the thumbnail like this was I knew a lot of people would be feeling this way: they would want to blame Linus, they would want to say, well, he's an idiot, how can you be one of the largest tech YouTubers and not understand how to protect your own systems? Of course in the video I go into details about all the phishing campaigns that I receive, including the kind of campaigns that have been attacking political figures in the United States and how sophisticated they are. A lot of attacks today are targeted. So for example I set up a

newsletter, and then a few days later I get an alert saying, oh, your Mailgun account is compromised, you need to reset your password. So it's not a case of these attackers just spamming their generic campaigns to everyone; we have a situation where they're following you individually. If you're a popular YouTuber, if you're an important person in an organization, somebody's out there looking for you, looking at your behavior, looking at what you're posting on social media, and using that information to create an attack that you're likely to fall for. Attacks like that are very difficult to avoid, because it's not just a question of following general practices, because they may not apply, because this

is a psychological war between you and this other person that's trying to get the better of you. I talked about this in great detail in the video; I showed a lot of different emails I received. This is one where we're getting emails about bidding for some kind of contract in cyber security. So these are not generic emails. Now I know the keynote spoke about the Nigerian prince emails, but that's the point: these emails are targeted. I'm not going to get the Nigerian prince email; as a YouTuber I will get emails asking for people to sponsor my channel, or I'll get Mailgun security

alerts, or, as a company, I'm going to get emails that are asking us for our services. You might get different emails. But of course these were the comments on the video: most people ignored the point and looked at the title and said, yes, Linus is stupid, I'm smart, I could never fall for this, he's an amateur, he doesn't know anything about technology, I do. This is also very reminiscent of the kind of problem we're talking about in Jurassic Park, which is this idea that until it happens to you, this could never happen to us, right? This was a very common notion. Every

time Malcolm would bring up how these systems are unstable, they'd be like, oh, of course that system was unstable, but not ours, because we have all of these control mechanisms and we have our special recovery procedures. Which brings us to recovery procedures. Again, this is a great example of chaos theory. If you remember, when they're trying to get the power back and turn on the electric fences in Jurassic Park, one of the things that happens is the visitors, Grant and the kids, are trying to get over this fence, which leads to another chase sequence where they're trying to get around the fence, and that's when the power is being turned on.

So the very thing that they're trying to do to recover the systems is the thing that's endangering the people they're trying to save. Again, it's a great example of how things may not have the intended effect; when you're doing something it doesn't necessarily imply the outcome is going to be exactly what you expect, because you don't know the full situation. Obviously the outcome of the Jurassic Park cyber security incident was the demolition of the business, which is what happens unfortunately in a lot of ransomware attacks: victims are locked out, you have a data breach. Again, Jurassic Park, exact same situation: you have your

critical business assets stolen by a competitor, or, what happens these days, they're just leaked. So how do we deal with all of these problems? One of the ways I like to think about it is, you don't know anything until you test it. So how does modern cyber security stack up? Surely we've fixed all these problems by now. But I'll show you instead of just talking about it. A couple of weeks ago we did a test of all the major EDR providers against a fairly realistic, basic ransomware simulation, and I'm just going to play the video and you can see what happened. So

basically, so you understand the context of the test, we're trying to see if our data would be encrypted in a ransomware incident. I'm just going to play the video. We have Microsoft, Bitdefender, SentinelOne, CrowdStrike and Sophos; you've probably heard these names. We're going to start off with Microsoft, and as you can see our data gets encrypted; nothing really happens. Then Bitdefender, to its credit, does block it; it detects the attack. SentinelOne, a very popular EDR solution, many of you may have it in your environment, did not block it at all. CrowdStrike, this is the one, after the update was

fixed, and again our data was encrypted. Now just to be clear, I don't work for any of these companies. Sophos did block it. So again, a lot of major EDR solutions did not block basic ransomware behavior. If you want to watch the whole video, by the way, it's on my channel. So what am I trying to get at with all of this? How do we approach fixing the mindset of Jurassic Park? Here's the quote from the book about the reaction when the data was presented, when Malcolm presented his papers. Malcolm's models have a ledge, a sharp incline, where there's a speeding up

movement, like a drop of water over your hand, as he does in the demonstration in the movie, and it suggests the whole system could suddenly collapse. That is what he said about Jurassic Park: the system had inherent instability. "And what did you do when you got this report?" Gennaro said. "We disagreed with it and ignored it, of course." "Was that wise?" So the common reaction when data is presented that we don't like is exactly that. You may think, well, not really, I like to listen to feedback; we like to listen to feedback, but when the feedback fundamentally is something you're not prepared to accept, for

example the video I just posted, almost everybody who was using CrowdStrike or SentinelOne responded saying it was misconfigured. Now I've been testing these products for a long time, and it wasn't just configured by me; there were several professionals who went through the configurations before we ran these tests. But the initial reaction of everybody who's invested in such an expensive solution and is running it is going to be: there has to be something wrong, this can't be right. And the easiest thing to do is to say there must be something wrong with the test. So I want to give them some

credit though: cyber security is a really hard problem, as was Jurassic Park. Why is it hard? Well, part of it is because we're always trying to simplify. We have something called the detection problem. You have threat actors, which are complex; they deploy different techniques like malware, phishing email, social engineering, and we're often trying to simplify that into a behavior that we can map and we can detect. It's like trying to take a three-dimensional model that's continuously evolving and map it into this 2D space, and you're always going to miss some context. Another takeaway from Jurassic Park is just the amount of

change that we can adapt to and keep up with. One of my favorite quotes from Jurassic Park, during the dinner scene, is from Alan Grant, who said "the world is changing so radically and we're all just running to catch up." Great example: Microsoft Recall. We're not really prepared for the cyber security consequences of storing screenshots of every single thing you do on your computer. Of course Microsoft backtracked on this after the feedback and everybody panicked; it's like, what are we doing, we're literally building a keylogger into our systems. But how do we come up with features like this? Somebody worked on this for six months to a year. This

brings us to another quote from Jurassic Park: "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." This is very relevant in the world of AI. We're often talking about problems in terms of what can we solve, not necessarily does this actually help anybody; like, okay, we have this technology, now what? A lot of generative AI: oh, there's generative AI, let me make a version of this for our app, let me make an app out of this, and we're often doing these things without really asking the question, does this help us? I think it's very important in the

field of cyber security to think the same way. If you're implementing a tool or a control, or you're introducing something new to the system, how does this actually help you protect the systems? Do the test, figure out: is this going to stop a ransomware attack? Is this actually going to make my organization more secure, rather than just add a bunch of bells and whistles, because, well, they have it and they have it and everybody's doing this thing so we've got to do this; EDR, that's not enough, we need XDR now. One of the funny things in the previous test I showed you is that the version of Bitdefender I tested wasn't even the

EDR version; it was just the free antivirus that's been around forever, and it blocked the ransomware, and the sophisticated EDR solutions didn't. Now even if I buy the criticism of, well, I didn't configure them well enough, well, we had a solution that didn't need to be configured; you could just double-click and install and it could block the thing, and now we have a solution that you apparently need hundreds of experts to configure, and it still doesn't block the thing. So is that really an upgrade? Now of course I'm not suggesting a unidimensional analysis of it, but this is a core argument in Jurassic Park, right? It's like, "I

don't get this Luddite attitude, especially from a scientist." And this again is a very common response that I get when I suggest, well, you're a cyber security person, you should be talking about the latest tools and telling everybody to adopt them as fast as possible. Here's another quote from Crichton. In one of the discussions, Malcolm, the main philosophical character, says: you know what advances? The number of hours devoted to housework has not changed since 1930, with all the vacuum cleaners, washer-dryers, trash compactors. Why does it still take as long to clean the house as

it did in 1930? Because there haven't been any advances. Of course that doesn't mean there haven't been any advances at all, but what we have a tendency of doing is going around in circles and changing the problems. So maybe we had different problems before; now we've got a bunch of tools that translate them into other problems, but the fundamental issue remains the same. I think that's something to think about whenever you're trying to make progress in cyber security, instead of just making changes. We need to get the right metrics in terms of what progress actually means. What are the key metrics in terms of protecting your

business? Does it mean blocking unauthorized access? Does it mean preventing a certain type of incident or making it less likely, and actually measuring that, as opposed to, well, we've changed this statistic from this to this? I did spend some time in Bristol, and I think nowhere is it more apparent that change isn't always progress. You can tell me your opinions on this after the talk; I'd love to hear them. But thank you all for listening. I want to keep it on time, so I really appreciate you guys tuning in, and if you have any questions do feel free to ask. I think

we have a few minutes for questions, and also, for those of you who are interested, we have a pretty nice Discord community of cyber security professionals, so if you'd like to join, the link is on the

screen. Are there any questions from anyone? Come on.

Audience: Do you have any general insight when it comes to purple teaming, purple team exercises? So for example at my company we have a team [inaudible]. There are a bunch of products on the market that try to [inaudible]; they basically let you create an executable from a [inaudible], and they market this as: you can now, without any coding knowledge, try to emulate APT behavior, right? And I have seen those examples and they aren't very good at all.

Rohit: Yeah, so the question I guess here is about any experience with that. I think you're working with some other [inaudible]; we work with our own tool, so I'm not aware of the third-party tools that you may use to automate that.

Audience: I'm talking about the approach, not the tools. So, what languages [inaudible]? Because in our experience we're using Defender, and for whatever reason Defender relies a bit on static analysis, so we see very different results; it's basically the same behavior if the example is made in C or C++. So do you take that into consideration? What do you use for your [inaudible]?

Rohit: Yes. But again, I would turn the question around. I would say, if the way to get your malware to bypass one of the most popular EDR solutions is just to code it in a different language, is that really good EDR protection? Right? That's [inaudible]. So I think it's important to... I mean, to answer your question, yes, we do know that there are certain languages that are easier to detect, and one of the things we like to do when we're doing our tests is to make it as difficult for them to detect things statically, because static detections are unreliable at best, like for zero-day malware, because the tests we're doing are also the tests that cyber criminals will do. If you're going to deploy a major ransomware at an organization, you're not going to... the cyber criminals also have access to VirusTotal; they're going to upload their sample to VirusTotal, and if it's detected by Defender they're not going to use that sample. They'll obfuscate it, they'll increase the size, they'll do something in order to get it to be undetected on VirusTotal, and then they'll do the attack. So sure, it's great that we're able to classify millions of existing malware samples using static techniques, in known languages and things like that, but it doesn't really work very well when it comes to preventing real-world attacks today.

Audience: You know what Microsoft support said when we raised the issue with them? They said that they considered this not malicious because it was compiled on the machine it was run on.

Rohit: Interesting. So I mean that's a different issue though; that's an issue of trust, right? Do you trust something that was compiled on your computer versus a different computer? And some of that, I mean again, these are complex questions in terms of what should be detected, because you don't want false positives either. But the example I showed, for example, there's no such thing; it was compiled on a different system. We brought the malware sample in and purely tested the behavior, so there's no case of, oh, maybe this should not have been considered as malicious encryption behavior.

Host: Okay, I'm really sorry, we're going to have to finish there, because we need to get out of the room and get it ready for the next one in five minutes. There's two exits. Thank you so much for coming, and thank you.

Rohit: Thank you.