Breakdown of Network IDS/IPS Choices

BSides Delaware · 2016 · 48:22 · 55 views · Published 2016-11

Tags: Talk
About this talk
BSides Delaware 2016 Talk: Breakdown of Network IDS/IPS Choices Speaker: Forgotten
Transcript [en]

Alright, welcome everybody. So, yeah, seems fine. Good to talk today a little bit about the security operations center; it's somewhere I've worked a good part of my career, involved as a vendor, as an analyst, as an engineer. Kind of built one or two, had some problems along the way, and fun lessons to share with you. So, a lot of choices of IDS and IPS type technologies, and that kind of causes some issues. I want to start off with fun details of why the SOC is so important, because even when you have security folks and you put out a tweet like this, people still click the link. So this is about as sketchy as I could make it,

including ending in the .shockwave extension. I still had 47 people click this. I'm not quite sure what to say. It's a completely made-up thing; "x u y y x 0" is something that, you know, I pretty much made up. The URL is completely made up, although it kind of made me want to buy the domain just for fun. But, yeah, so people will click on links no matter what, no matter how sketchy you make them, even when you're intentionally trying to make them sketchy. Still, 47 people clicked this link. I do not understand that, but that is why the SOC will always be necessary, until we can completely remove the user's ability to cause an issue. Realistically,

probably not anytime soon. So a little bit of history: I kind of started here, so I'm slightly jaded on the IDS side. Sourcefire makes Snort, one of the primary IDSs available, so I'm slightly jaded towards that realm of things. I do a lot of stuff right now; I run another BSides, Charm City, or Baltimore. Still trying to figure out exactly what the charming part is, but, you know, that's neither here nor there. Unallocated Space is a hackerspace down near BWI airport, and we did a CTF and made a funny logo. How many people remember what that's from? So anyway, one of the fun exercises we did was building one of the rare things that combine these two. Does

anyone know what the left is, or what it best represents, ish? Anyone? Bueller? Yeah, industrial control systems. It's actually a couple of PLCs connected together. So the idea was we were actually taking an industrial control network and trying to apply security to it, and monitoring. Surprisingly, this is not very often done by people who have a lot of security experience. Kind of a weird situation when you're like, wait, no one does this? How does our critical infrastructure get protected? And there's a lot of praying involved, which scares the crap out of me, but that's kind of the world that it is. It's growing quickly; I'd say the number of people that have gotten interested in industrial control system monitoring has

increased dramatically. But trying to put Snort on it is a little bit tougher, a little complex. So now I'm actually doing a lot of SOC and Snort training, and free stuff with Unallocated, because that's what we're all about. So, network security monitoring. I'm definitely stealing Rob's awesome kids' comics; thank you, Rob. So as we're looking at stuff on the network, we're trying to identify what's bad, what's not, and deal with it. So typically that involves: do we need to send this over to incident response to handle a problem or not? Pretty simple, yes or no, but it never is. It's always questionable, because we never have enough information, more of the time, to do the full research to guarantee, oh,

this totally isn't malware. You can generally figure out if it definitely is malware, because you know the bad things that happen, callbacks, but not always. So probably the most important component of the SOC is its ability to do this. And tuning this is actually one of the most common problems with a security operations center: you get a ton of tickets, more than that team can ever hope to handle in any given day, throughout a given day, so you're forever falling behind. Well, that doesn't work; you're going to miss stuff. It's a guarantee by design. So tuning: a lot of people consider it turning off noisy rules. No, that's removing visibility from the

environment. While it definitely reduces the workload, you also might miss stuff. So the hard part is actually making that judgment call: how to adjust the tools that you're using for monitoring to remove the noise without losing visibility of threats, ideally threats legitimate to your environment. So adjust. But if you have no Linux in your environment, is a Linux exploit going across the wire really of huge importance? Well, maybe, but usually not, unless you're trying for more threat intel. Given the current world of the security operations center, where you're struggling to keep up with tickets, you don't have time; you really don't have time to mess around with things that you are not vulnerable to, unless

you're trying to identify specific attackers. We're going to ignore the whole discussion of the government side of things, where they do have to be concerned about nation-states, because the average business that gets breached is not necessarily breached by a nation-state. So one of the fun things: everyone likes a model, and levels, and fun things like that. So SOC maturity is one of the things that I try to put a model to. The reason being, currently it's kind of that flail scenario. Kind of sounds bad, but when we have more tickets coming in than the amount we can process on any given day, and we're guaranteed to miss stuff, that's kind of bad, and it's kind of like we're accepting that we're flailing. But that's the

reality today. A lot of security operations centers really don't have visibility into their environment. If you say, okay, we have a SQL injection that would work on MS SQL, and you have to ask, do we have any MS SQL? No one knows. That really sucks; it makes the job incredibly hard. So visibility into what's going on in your environment is really important, and this is not just an asset list that you make once a year, because let's face it, how often do people stand up things without letting you know in security? And if it's not daily, you're probably disillusioned in some cases, unless you're in a small work environment. So level one and level two arguably are interchangeable: visibility into what's going on in your

environment, what should be there, what is there, ideally the difference; and detection of known threats. So what I mean by that is there are certain threats, for example certain exploit kits, certain exploits, certain indicators, that every time a security operations center sees that, they know this is bad. There's nothing that we know of that's a false positive against this; we have almost a hundred percent accuracy on these specific rules, things that have matured over years and all false positives have been mostly removed, or identified at least. Then we can say, okay, that's almost a guaranteed win. The combination of these two is kind of the basic level that most SOCs should be targeting right now. Unfortunately a lot

of them are stuck on number four; it's kind of a little early for that. So once you have things that you know you can detect accurately, blocking them. In certain orgs, especially industrial control systems, moving to block things can be really hard. In industrial control systems, if you block the wrong thing, people might die, so there's a huge risk associated with that. So in most of those worlds, in those control networks, you will struggle to ever get that agreement, that whole idea of getting the business involved and working with the security processes. Pretty much getting that prevention inside the control system network is probably never going to happen; just a reality of the culture right now. So kind of hard in that

scenario. In other corporate scenarios, the first time you block a C-level's email or website they want to visit, questionable decision or not, right, that always becomes a problem and a discussion that falls downhill and generally turns out badly, sometimes ending up with a separate internet connection for the C-level's iPad. That has happened, and a whole security stack to go with it. So once you've moved into that prevention mode, then we can start: okay, once we're preventing our easy wins, then we can start to look at threat indicators. This is not a popular opinion among companies that sell threat intelligence, for obvious reasons. Basically saying, hey, if your SOC can't prevent things you

know about, do you really need to have more information than you can handle, when you already can't handle the almost guaranteed threats? For some reason this is not that common of an idea today; I haven't heard that from practically anyone. Everyone's scrounging to throw money at threat intel feeds. It's definitely not wasted money, but the value you're getting when you can't handle the known threats is seriously diminished. So once you're able to look at things that might be bad, such as threat intel indicators, hunting, and actively searching for threats or things that might be wrong in your network, is a great thing. Typically in a lot of SOC organizations, executives are pushing for this because they heard about it on

insert podcast here, or saw it at RSA or some other buzzword bingo game. They hear these things and they demand, we must have this thing, and it's really hard to push back and say, here's proof that we need to do X, Y and Z before we're here. Stating we can't do this and we can do that is very dangerous at times with certain executives, and explaining the reality of where things are currently at, where capabilities exist, and even evaluating that in a lot of cases is hard. The difference between one analyst and another may be dramatic, so that kind of puts it in a very difficult scenario to have this discussion. So, on to some stories.

So we've had a lot of breaches lately. This is why I say that the SOC world is struggling and we're failing, anyone you ask. So, funny thing, the example on the left: I actually had some members of Target in the audience the last time I did this, the half version of this presentation. That was really interesting. So apparently there's a lot of misinformation out there, not surprising, but there's a lot of information about that particular breach, and OPM obviously had a good bit of information, which is a little more disturbing even. But there are some similarities, and some recommendations that they made that are ironically pretty globally appropriate. So recommendations: this is the one that scared the crap out

of me the most: establish a SOC. Apparently that was not something OPM had, from reading the recommendation report. That's kind of disturbing for that size of organization, again with the possible misinformation on that, but that was the interpretation from the report. Granted, 240-something pages, it's a little hard to read. But segmenting between trust zones: so there's a lot of, it's kind of buzzwordy to me, but actually having proper segmentation, so that your highly protected zones, such as your control system or finances or other critical thing that makes you special, so the Coke formula that's in the vaults, that's something you want to have behind additional protections, right? Seems reasonable. Ironically sometimes those

are just lumped in with every other server, sometimes in the same subnet as workstations. This seems like an easy separation: hey, servers are here, maybe even the more secure servers are in one spot, other servers are in another. Segmentation is huge, and today it's really easy for small networks. You can literally set up a simple cheap pizza box as a firewall if you need to, or a very inexpensive firewall, to separate these things, and you lose a lot of your issues where you want data separation for compliance and other issues, but also actually protecting it, so that if the web server is infected, or the email server, having that not be right next to your critical components

is kind of important, but a lot of times this segmentation doesn't happen. Additionally with the workstations, same idea: finance should probably be in a slightly more protected area than sales, because sales is going to click on everything. Finance, they're just going to click on everything from finance-y things. Incident response team: so a lot of organizations have this idea of a great document that's written that shows who's going to be involved when a breach happens, or any type of emergency scenario, but actually walking through it is kind of a, you know, thing that doesn't happen often. And tabletop is good, but obviously when you have a, you know, fake piece of malware that's calling out to a server you own,

such as from a red team or threat emulation team, that's even better, but not many organizations are testing that. Database encryption: for OPM, kind of out there; the system was ancient and they said they couldn't do encryption on it. Encrypting your critical data seems very reasonable. It can be very expensive and hard, but if it's that critical you should probably figure out a way to make it happen. So before we condemn them too badly, all right, how many organizations are really that different? How many organizations have proper tuning of their tool set so that they're not getting more tickets than they can handle? I'm still looking. Great segmentation, where, you know, different workstations are in separate

groups with firewalls in between them and detection of threats in between them? Usually not. Two-factor on all remote, and high priority on remote: this has become a lot more common. On high priority, not as much, but in some ideas. Ticket time: so from one of the fun details that I had heard, that I'm not sure of the accuracy of and doubt at this point based on things that were said, for one of the breaches it was three days from the initial entry point to when they actually exfil'd data. So I've heard all kinds of numbers, a day, five days, depending on the complexity of the environment, the attacker, how lucky they are, how much design they find, all kinds of things. But

the reality is right now, Mandiant, their guesstimate based on their research was something like a hundred forty days. The attackers don't need that long. If we can't get the amount of time it takes to determine if something is an actual issue dramatically reduced, we still can't win, because if we can identify things a hundred days later, well, we're wasted anyway; they've already gotten all the data they need. Yes?

Certainly, it was a year and a half at one point; it may have been higher at different points. But the reality is it needs to be in days, not months or years. So it is getting better, but it still is not near what it needs to be. Application whitelisting: becoming much more common, still has its issues, but it defeats a lot of the simpler attackers. Most of the things that people are actually being breached by today aren't necessarily incredibly sophisticated, except for the fact they did good research and planned. Customization of tools isn't typically happening in a lot of scenarios; for regular commercial breaches it's commodity tools, it's commodity equipment. So you can't really condemn these organizations too much. OPM maybe, but some other

ones, we really aren't that much different. We're just really lucky we haven't been that guy yet, or we don't know we're that guy yet. A lot of organizations are experiencing the reality of finding breaches, and I question that ten years ago how many more were being breached and didn't know it, and never found out that they got owned, because they reimaged or replaced hardware before they ever were able to detect it. Do you think, with the same level of sophistication of some of these attacks, is your organization really prepared to deal with these attacks if there were someone on keyboard, and they were able to get, let's say, a common exploit kit and then use Metasploit to move around

your network? Would you be able to detect it within a couple of days? Most organizations I've talked to lately, the answer's no. So again, kind of a dark turn, but that's kind of the way things are. So IDS-wise, the four most common that I've found: Snort, Suricata, Bro, FireEye. There are others; these are probably the four most popular that I've run into. Snort obviously now seems the most popular open source, free too if you know how to implement it. That can be kind of tough, although it's gotten easier over the years. Corporate support is through Sourcefire; again, where I got started, so obviously somewhat of my favorite. Signature-based, started off in 1998, so that's a good

amount of history, a lot of implementations today, all the way up to, they have a 40 gig a second box. So at least from the corporate perspective, if you're talking huge networks it can handle it, if you have the money or resources to support it. Next we have Suricata. So Suricata was actually a Snort project forked back in 2010 by the primary group, seems to be OISF. Also signature-based, took a slightly different approach on things; I'll get back to that later. So kind of diverging paths. A lot of people have questioned and said they're pretty much the same thing, and ninety percent they are, but, you know, really when it comes down to the engineering of

these things, they're kind of complex. So when configuring Snort, a lot of people look at the roughly 30,000 rules or so that are publicly available, and that's what they see as far as configuration. And that's a lot of stuff to configure, completely understand, and there's categories and things to make that easier, but it's still kind of painful, a lot of work. Depending on how much time you expect to spend, it can be a significant undertaking. What most people don't look at is the actual configuration of Snort, which is another two thousand lines of configuration that directly affects how it interprets those rules. This is an incredible amount of data, and the documentation does an excellent job

of explaining what the components are, what the options are in components, but it's kind of hard when you don't really have diagrams of, like, what's going on and how it works and how it affects the whole deal. So kind of complex. So just firewall-wise: at dinner the other night, Zero Chaos in the Wireless Village was talking about a problem he was playing with, where he was noticing differences between what he was getting from Wireshark versus some firewall rules he was implementing. So this is actually the diagram, sorry it's a little small, of at what layers different components of iptables and ebtables are actually working. He was using this to try to

figure out where his problems were happening, because the path of how the Windows, or sorry, the Linux libraries are actually interpreting traffic is kind of complicated, as you can see, and trying to figure out, where does libpcap grab stuff? Fun question. No one really has put out that information. So apparently the tool that actually grabs the rules and was showing where rules are actually catching with some of this was netfilter. Kind of an interesting tool to play with, pulling out where rules are triggering. So that was kind of fun, playing around troubleshooting iptables and ebtables rules. So anyway, sorry for the tangent. So Snort inside: this is actually the components that are going on and the breakdown of

them. This document surprisingly did not come from anywhere at Sourcefire, and nowhere official for that matter; it actually comes from my buddy's blog. They have no similar document internally, at least when I worked there, and from the engineers and programmers who I talk to who are still there, they still don't have anything that explains how traffic flows within Snort, which kind of worries me. blindseeker.com is the website for this particular document. You know, just to break it down: how traffic is acquired within Snort, and what happens when certain issues take place. If the interface is busy, it's never inspected by Snort. The acquisition libraries, Berkeley Packet Filter; again, there's a lot of things, if you don't know what

they are, Google them if you're interested, or come talk to me after. Preprocessors: this is kind of the bread and butter of how Snort does its initial analysis and protocol breakdown, where it will actually normalize a lot of things so that the rules can have better coverage with a single rule. So for example the HTTP preprocessor differentiates between if you have Apache or if you have IIS; it will apply the same rule but with slightly different analysis based on the actual web server you're running. This comes back to why it's important to configure stuff, because that's definable by you, but most people don't define it, which kind of makes it complex for it to do its job.

There's also preprocessor rules that identify protocol issues. So this can sometimes be helpful; a lot of times this is the primary source of noise, because I think there's even an ICMP detected, in other words a ping detected, rule somewhere in there. So if you turn it on you get a few alerts, on some environments millions a day, or an hour. So then we actually come to where it processes rules. This is probably the most simple portion of it, but not really. There's a thing called the fast pattern matcher that makes the rules more efficient in how they're analyzed based on the exact traffic: each packet or stream only gets the rules that are

applicable to it. It gets kind of complex from there, so we'll leave that one alone, but it only applies the rules that are applicable based on a couple of things. It's kind of a little bit more than just, oh, it looks at traffic and identifies patterns. Not quite; there's a little more to it. That's why there's a little config. Bro IDS, which is another awesome tool, I'm a big fan of. Kind of a different design than Snort or Suricata, which look for explicit things, explicit signatures. Bro is more designed to analyze traffic and give you an idea of what's going on. So it started actually a lot earlier than some of the other projects,

over 20 years old at this point, which is kind of funny considering how much network security monitoring was happening at that point. Initially started at one of the National Labs as a DOE project, because they wanted the ability to analyze odd traffic that was not standard, such as industrial control systems that don't like to follow any standards, even the ones that are specific to that industry; they just don't follow a lot of them, sometimes they do, sometimes not. So it outputs by default a whole bunch of different types of logs. This is what I consider the go-to ones; there are 60 or 70 different log types that Bro can output depending on what it sees. Some of the data can

actually be converted into flow data directly. So kind of that network metadata of what connects to what, and how much of it, doesn't seem that important to the SOC, until you start to think about, wait, is that server supposed to be communicating over SMB, I'm sorry, is that workstation supposed to be connecting over SMB to this other workstation? Why is that happening? Start to look at flow, and you start to see interesting things that should or shouldn't happen in the organization. Or, hey, why are we suddenly seeing 50 gigs of traffic leaving over an encrypted channel that we normally use? Is that intentional? Should that be happening? Maybe. Flow can be a really good indicator of major traffic changes or

unusual protocols that you don't see on your network. Bro similarly does very similar types of things; you can also identify things using non-standard ports, handshakes, certificates, all kinds of interesting metadata about your network traffic. This can be really helpful when you're looking for large trends or just understanding what's going on in your network, how things are communicating. Sometimes it's different than what you expect. There's, sorry, it was over 50 log types or so, ten of which are self-diagnostics, literally what's going on within Bro. Understanding how your tools are working kind of affects how you interpret the data, kind of an important bit. I'll share out the slides later that actually have the link to the breakdown

of all the different log types, because there's a lot. History-wise for Bro: basically started in '95; about 2004 it got DOE funding and really took off and grew dramatically, and has become hugely beneficial, especially in industrial control systems, where a lot of standard tools don't really do as much because the protocols are pretty specific. Sometimes you're asking questions that really you don't want to write a signature for: if this happens, why does it happen, when does it happen, that kind of thing. So it kind of becomes important, but it also is huge for just general understanding of what's going on in your network, and the ability to ask a question: do we have anything that's

using NTLMv1? Write a signature, or sorry, under Bro's terminology, a script, to look for that specific traffic behavior and identify it, and then associate it with a particular packet, which can be really helpful. You look back, if you have full packet capture, not always available, but if you have that, the ability to look back and say, oh, here's the source, destination, and get all the information to figure out how to make that not happen anymore. Kind of an important bit when you're researching or asking questions and trying to solve problems. FireEye, from everything I can tell, is very customized Snort and Cuckoo combined in a cool way. It's really nice, pretty interface, very scalable, closed source,

but over ten years old. My only problem with it is that you can't see the secret sauce. As an NSM guy, I want to know, when you alert on something, why? How do I prevent that from happening? Is that a false positive? Well, I can't really look, if I can't tell why it alerted on that traffic, unless I reverse engineer something of theirs and try to do that, and that's not encouraged and probably violates some rules and agreements. Probably bad; don't recommend it. Realistically, though, you can talk to them and they can help you, but having to send every questionable thing from FireEye to FireEye to say, hey, why'd you alert on

this? It's a pain in the ass, and realistically it's not going to happen. Again we have that time versus value battle, really hard to win. For our signature-based tools, Snort and Suricata, we have two rule set competitors. There's a few others other than these two, but I have found kind of a difference in their focuses. This is actually what I got some argument on in the past after I did the first iteration of this talk. So far, Sourcefire seems to be a little more focused on, these are things I know are bad. Seems reasonable. Emerging Threats has those, but they focus a little more on the threat intel side, so things they see, IP addresses, user agents, things that aren't

necessarily, they might be bad, that threat intel side of things. Proofpoint Emerging Threats kind of focuses a little more on that; Sourcefire definitely has some of that. So slight variation, and there's actually a bit of preference with this. Sourcefire, as you amazingly might guess, works a little bit better with Snort than it does with Suricata, and vice versa: Emerging Threats works a little bit better with Suricata than with Snort, especially when it comes to IP-based rules. Now, based on the engineering alone, I have not done the actual timing testing of this, but Emerging Threats, Suricata actually analyzes IP address based rules, the IP address portion is analyzed almost first within a rule, whereas Snort

says, well, I know how to make a firewall rule; I don't need an IDS to make a firewall rule. And basically if you have an IP address based rule, that's a firewall rule, not an IDS rule. Again, some people, non-definite indicators, it's a point of contention. I have not proven either, because it's a lot of work to do that test. Per the Suricata developer who responded on Twitter, they analyze IP addresses first; Snort pretty much last. Other sources: Digital Bond has some nice stuff, right, yes. FBI throws out some stuff, especially through the ISAC community, so specific sector information. So if there's a threat against energy or financial or whatever, they tend to share

that information through these organizations. There's a few other paid sharing groups or opt-in sharing groups, especially government stuff. There's a whole bunch of threat groups that share data that way for signatures; some of them are good, some of them are bad, or I should say well written and not well written. And then there's the threat intelligence groups that you can buy the feed to and see what, or what IP addresses, do you think are bad today. So deployment is always a complex issue with this. A lot of people struggle with actually, like, how do I set up these tools? So one of the more popular versions is the Security Onion distribution, very nice package,

comes with pretty much all these tools already set up, and about six or seven GUIs for it if you use the ISO. It's great for a lab environment, but you have a lot of stuff you're not going to use, so please turn it off. I found the more efficient way would be to actually take the Security Onion package and deploy that method; there's a package deployment grouping that you can use for Security Onion. Other options: ROCK NSM is kind of a neat little other tool, similar idea to the distribution, except there's one tool for visibility, and then they have in that same box everything as well, and they actually added a full packet

capture tool, which is kind of neat, but takes a crap ton of resources to run. A ROCK NSM box needs more than Security Onion because you're doing full packet capture. Autosnort is one of my buddies' projects, da; he actually put together a tool that is a bash script. It will install and configure Snort and a GUI, and even does some of the painful things with, like, SELinux, with some of those GUIs that don't play nicely with SELinux, very painful. So if you ever looked at 1500 lines of bash, I call that a program; Wireless Etle says not. Anyway, other fun discussions: kind of a neat way, because you can apply your corporate security policy to an

image that you create, and then add Snort and a configured GUI on top, without having the struggle of, like, trying to implement XYZ requirements onto an existing ISO or package. So kind of the other one, the other painful thing, is training. Within the SOC world, how do you take a, say, high school student with no experience and make them a SOC analyst who is beneficial and prepared? So, not a very solid way right now. A lot of it is, like, networking background, and get a degree, and maybe a couple of SANS courses that are pretty new. I know it's kind of an expensive option, but realistically vendor trainings as well: here's how to push the buttons in this tool. How do

you learn how, like, was the question a lady asked me when I did a variation of this in Augusta. The lady asked, well, how do I teach someone how to identify the bad things on a network? Crap, that sucks, that's a hard problem. What do we do today? Well, we kind of hire people that might have an idea and throw them in the river and watch them drown, and people pull them up when they have time, and over time, in the pain of, how I screwed this up, and this was malware and I thought it wasn't, or vice versa, false positives, false negatives, you start to improve. Realistically we need a better method, or at least a way to simulate that. You're

not doing that with, like, live malware on the network, because when you say live malware on the network is not a problem, that's kind of bad. Or vice versa, you're creating more work for an organization that has a struggle with time management and not having enough time to do its job. This is a really, really complicated problem; there isn't really a lot of solutions out there. On the good side, there's more companies popping up that are trying to work on this. SANS is trying to work on this; they made a new class specifically to target continuous monitoring about a year ago, so still out of beta, but not quite as mature as I'd like to see. Hey, we're all

dreamers, right? Developing a course for this is kind of hard. There's a lot of problems, and a lot of understanding, a lot of tools that you need to know how to take A, B, C and get them to work together, and that's really complicated because you need to learn all the tools and understand how to put them together. What's the prereqs for that class, and then how do you start, right? Like, that's not easy. So kind of a hard problem. So some steps forward: kind of that tuning thing of, like, hey, what's our biggest thing that's alerting, right? Let's start to look at that and start to identify how we can not lose visibility of actual threats

and start to filter that out. So if we don't have Linux, do we really need the thousands of Linux rules and alerts that we're getting every day? Maybe not. Similar with database architectures or other things: you can start to turn off things or filter down, so that for SQL injection, for example, you have matched the correct database type with the correct database server. Again, details thing: lots of complexity and depth, time researching your network and asking questions. Hence why I typically recommend a signature-based IDS and something like Bro to learn about your network. The two combined actually work really well and are powerful. Furthermore you can pump Snort into Bro to actually get connection IDs for alerts. That's really

nifty and helpful. Password vaults and that's everywhere. Instead of focusing on closing tickets and trying to close the most number you can in a day, reducing the volume of tickets: if I can close a hundred tickets, or I can take out a category of tickets from happening again, I will win much faster by actually removing the category and reducing noise for the future. Then that needs to be the way we start to adjust tuning, and for some organizations tuning needs to start happening, not just turning off rules or not just ignoring stored alerts. I actually had an organization that was getting, it was 2,000 emails a day of about 50 alerts a pop, for two guys, and

we didn't get the option to actually adjust the tools. Filtering out the things that we didn't care about was probably the only way we could ever hope to catch up. I mean, it was only eight hundred machines, so there's no way that number of attacks or bad things was going on. It was all false positives, pretty much, mostly from the same things; there were certain top rules. If you look, there's performance tools for all these components, or performance components to all these tools, where you can actually look at what's taking up the most resources. That's generally what's the highest number of alerts. You can also pull that into your SIEM and start to look at some of

the statistical data and remove your most alerting rules, not remove them but actually solve the problem that's causing them as well, because again, turning off rules versus solving the problem: it may be something in the network is misconfigured and you tell the network admin, hey, go fix your crap, you need to turn off this thing that you didn't know is on, that you don't know what it does and it's causing noise, or figure out how to configure it correctly. Again, complicated problems. As a SOC improves, have a pen test focus on testing the SOC: emulate a new threat and figure out how long it takes to deal with that. Know how good or bad you are; that way you can

gauge improvement. It may not be perfect, but if you can simulate a threat once a month and have your senior guy say okay, we're going to customize whatever. One of the nifty things about Cobalt Strike, yeah, Raphael Mudge's plug, anyway, he built in a way so that the implant that you use you can actually customize to look like a specific piece of malware. So if I want to send out something to make the callback look like a particular piece of malware that I know my SOC has detected, that is a hugely beneficial way to test how they respond. We're not pentesting the SOC today for the most part; almost no pen testers I talked to have ever done that. They've

never tested with the intention of getting caught. That is a reality that we need to figure out: how are we doing? If we know we can detect something, how long is it before it's sent to remediation? This is a really tough issue. Pentesting the SOC is not common, but it needs to be. So lots of information, lots of stuff. I'm trying to work on this myself with some lovely classes, starting a training business called Forgotten Security, and, you know, I've already had the handle for the last few years anyway. Yeah, I'll be doing a beta in the next couple of months locally in a Maryland hackerspace. Fun times. Are there any questions? A lot of information, but hopefully not too many confused stares.

Yeah.

So again, it depends on the maturity of the team, right? I've got known definite indicators that are: I can fix this, I can solve this problem, it is a nearly guaranteed win, or I can submit a false positive and have them actually adjust the rule to fix that, or make the adjustment myself. That's solvable. When I have something that might be bad, it's really beneficial for a mature SOC. For a SOC that's struggling to deal with known threats, they're not ready for it. It's a progression, and while we need to protect the organization as best we can, focusing on things that aren't cost-effective in time is not the best use of our time. Again, not a popular view, but

the best chance of stopping today's commodity attacks is to focus on the commodity identification that we have. As the tools get better, so as we solve the easy wins that aren't so easy right now, we can start to look towards that more complex threat, or just something different, new variants. If I can't stop five years ago, does the attacker need to make a new thing? This is the joke right now with APT: all right, well, what's APT? Well, if they can use commodity tools and win, they're not going to burn something that's custom. I can win with Metasploit, why am I going to burn a custom thing and make the world aware of its existence?

I'm going to use the cheapest tool that I don't expect to get caught with, unless somebody deems it necessary to use a customized thing. Right now the crime groups and the crypto groups, or all the fun stuff that we're having, right, we're not really seeing that much custom work. We're seeing mostly commodity stuff working, and it's causing our problems. When we can stop commodity, let's start to focus on threat intel. We're not ready. That's kind of a bad, unhappy view, but that's reality. Other questions? Okay, thank you. I'd love to talk more, come up with any. [Applause]
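The tuning workflow the speaker describes (rank the noisiest rules, then check each against what the network actually runs rather than just switching it off) as an added example in Python; this is not code from the talk or from Snort/Bro. The alert lines, SIDs 9000001-9000003, hosts, asset inventory and keyword-to-platform table are all constructed. The `suppress` and `event_filter` lines it emits follow the Snort 2.x threshold.conf syntax.

```python
"""Rank noisy Snort rules and check them against an asset inventory.

Added example; the alert lines, SIDs (9000001-9000003), hosts, inventory and
keyword table below are constructed for illustration, not taken from the talk.
"""
import re
from collections import Counter

# Constructed Snort 2.x alert_fast lines (made-up rules, hosts and traffic).
SAMPLE_ALERTS = """\
11/02-14:23:01.123456  [**] [1:9000002:1] "EXAMPLE EXPLOIT Linux kernel overflow attempt" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51000 -> 10.0.0.20:445
11/02-14:23:02.223456  [**] [1:9000002:1] "EXAMPLE EXPLOIT Linux kernel overflow attempt" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.6:51001 -> 10.0.0.21:445
11/02-14:23:03.323456  [**] [1:9000002:1] "EXAMPLE EXPLOIT Linux kernel overflow attempt" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51002 -> 10.0.0.20:445
11/02-14:23:04.423456  [**] [1:9000002:1] "EXAMPLE EXPLOIT Linux kernel overflow attempt" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51003 -> 10.0.0.21:445
11/02-14:24:01.123456  [**] [1:9000001:2] "EXAMPLE WEB SQL injection attempt MSSQL" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4455 -> 10.0.0.20:80
11/02-14:24:02.123456  [**] [1:9000001:2] "EXAMPLE WEB SQL injection attempt MSSQL" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4456 -> 10.0.0.20:80
11/02-14:24:03.123456  [**] [1:9000001:2] "EXAMPLE WEB SQL injection attempt MSSQL" [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:4457 -> 10.0.0.20:80
11/02-14:25:00.000000  [**] [1:9000003:1] "EXAMPLE POLICY SMB session to file server" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 10.0.0.6:50000 -> 10.0.0.21:445
"""

# Constructed asset inventory: host -> platform/service tags it actually runs.
INVENTORY = {
    "10.0.0.20": {"windows", "iis", "mssql"},
    "10.0.0.21": {"windows", "smb"},
}

# Constructed map from words in a rule message to the platform the rule targets.
KEYWORD_TAGS = {"LINUX": "linux", "MSSQL": "mssql", "MYSQL": "mysql", "SMB": "smb"}

FAST_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\]'
    r'.*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?'
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = FAST_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    return rec


def parse_alerts(text):
    return [rec for rec in map(parse_fast_alert, text.splitlines()) if rec]


def rule_tags(msg, keyword_tags=KEYWORD_TAGS):
    """Platform tags implied by the rule message, e.g. '... Linux ...' -> {'linux'}."""
    upper = msg.upper()
    return {tag for word, tag in keyword_tags.items() if word in upper}


def recommend(alerts, inventory=INVENTORY, keyword_tags=KEYWORD_TAGS, top_n=3):
    """For the top_n noisiest SIDs decide between 'disable' and 'investigate'.

    disable:     the rule targets a platform that none of the hit destinations
                 run, so it is pure noise here; suppress it in threshold.conf.
    investigate: the rule fits the environment; rate-limit it and hand the top
                 source host to its owner so the root cause gets fixed.
    """
    by_sid = {}
    for rec in alerts:
        by_sid.setdefault(rec["sid"], []).append(rec)
    ranked = sorted(by_sid.items(), key=lambda kv: -len(kv[1]))[:top_n]
    results = []
    for sid, hits in ranked:
        gid = hits[0]["gid"]
        tags = rule_tags(hits[0]["msg"], keyword_tags)
        dsts = {h["dst"] for h in hits}
        # Destinations that really run what the rule is written for.
        matching = {d for d in dsts if tags & inventory.get(d, set())}
        top_src = Counter(h["src"] for h in hits).most_common(1)[0]
        if tags and not matching:
            action = "disable"
            suggestion = f"suppress gen_id {gid}, sig_id {sid}"
        else:
            action = "investigate"
            suggestion = (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                          f"track by_src, count 1, seconds 60")
        results.append({"sid": sid, "count": len(hits), "msg": hits[0]["msg"],
                        "tags": tags, "matching_dsts": matching,
                        "top_src": top_src, "action": action,
                        "suggestion": suggestion})
    return results


if __name__ == "__main__":
    for r in recommend(parse_alerts(SAMPLE_ALERTS)):
        print(f'{r["count"]:>4} sid={r["sid"]} {r["action"]:<11} {r["msg"]}')
        print(f'     top source {r["top_src"][0]} ({r["top_src"][1]} hits); {r["suggestion"]}')
```

On the constructed data the Linux exploit rule fires only against Windows hosts and is flagged `disable`, while the MSSQL injection rule does hit a host that runs MSSQL, so it is kept, rate-limited, and reported with its top source (10.0.0.5) for follow-up. Swapping `SAMPLE_ALERTS` for a real alert file and `INVENTORY` for an export from your asset database is the only change needed to run it against a live deployment.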