
BSides PDX 2023 - LAPSUS$ is winning (Jason Craig)

BSides PDX · 2023 · 45:00 · 223 views · Published 2023-10
About this talk

Jason Craig (@3141592f all the places). Since the Twitter breach in July 2020, multiple threat actors have been whaling high-value targets for fun, lulz, and BTC. They share a common set of tools, tactics and procedures which are still highly impactful and effective. Jason is a unicorn enthusiast and enjoys coffee, thrunting, and late apexes. Jason has worked for a few orgs you would probably recognize by name.

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

First of all, thanks to BSides for having the event, and you all should take a moment to thank an organizer, thank a sponsor and thank a volunteer, because without them the event wouldn't happen. So thank you to them first of all.

So this talk is not a threat intel talk; let's get that out of the way first and foremost. There's a lot of those; there's a great one on Lapsus$ from a few weeks ago that I recommend you go check out, it's pretty great. I'm not going to do a threat intel talk, so if that's what you're here for, I don't know why you're clapping, but I'm happy, that's good. So anyway, this is not a threat intel talk. You might not like this talk at all, because I'm going to say some things that might be inflammatory or piss you off a little bit. That's kind of the point. This talk is a little bit about tough love, it's a little bit about getting us to do better, and a call to arms as a community. So with that, let's get started.

This meme never gets old; in this case I think it's hugely appropriate, and I challenge any of you to change my mind. I'm going to walk through a few things that will maybe give you a little hope by the end, but we'll see; you can give me feedback on that later.

So when it comes to team goals, who's killing it these days? You probably have OKRs if you're part of an engineering team. What do you think Lapsus$ has? What are their goals? They want to get money, they want to grief people and troll people, maybe SWAT you, they want to have some lols, and maybe they want some open source NVIDIA drivers, right? If you track Lapsus$ you get that last part; if you haven't, that's okay, you can read about it, I don't recommend you necessarily waste your time. But they're crushing their goals. I would promote every single person on this team if I was their manager; they're redefining expectations, right? Yeah, cool.

So your company, your organization, your CISO, your CFO, your CEO, your board of directors: what do they want, what are their goals? Make money, but also not get wrecked. How are we doing there? Not so good, right? So they're kicking our butts and they're continuing to kick our butts, so we should probably do something about that. I'll say more about that in a minute. So who's winning? Obviously Lapsus$ is winning. I'm not going to go through a victimology list either, because I don't have enough slides for that in time, and if you want to study Lapsus$ victimology it's a very, very long list of very marquee names that we should all be very concerned about.

So here's the agenda: who am I (that's the least important thing); who are Lapsus$ (much more important); how are they winning; let's talk about some mitigations, more mitigations, and why are they winning (probably because of some of the mitigations); and I'll talk about some key takeaways, have some suggestions, and then maybe time for Q&A, I don't know. We'll see how this goes; it all depends on how many questions you all choose to ask or not.

So who am I? Like I said, least important slide here. I've done offensive security, I've led response, done threat intel and infrastructure and enterprise security at a few places you've probably heard of, maybe a few of the things on your phone. Now I'm a director of threat detection and response at Remitly; we're a Seattle-based consumer-to-consumer remittances company, and we're hiring.

So who are they, who are Lapsus$? You'll notice I put an asterisk earlier. For the rest of this talk, lazy-web style, I'm always going to say Lapsus$ because it's easy; nobody's going to talk about DEV-whatever or Storm-whatever. I'll walk through that in a second, but let's just call them Lapsus$ even though they're sort of not the same group anymore. They're called 0ktapus by some, they're called Scattered Spider, UNC3944, Muddled Libra, Storm-0875 and LR3. This is part of our problem in nomenclature, but that's a different talk. It doesn't really matter who they are; we'll just call them Lapsus$. It's a large, amorphous group that changes over time. Their objectives are mostly consistent, but also evolving too. So we'll just call them Lapsus$.

So some of you recognize this picture. Does anybody want to yell out who they think this is? Yeah, that guy. His real name is Arion Kurtaj, and I think he was 16 at the time this picture was taken. This is when he was doing dirt: getting people swatted, breaking into places, SIM swapping crypto people, maybe involved with other large-scale incidents. So he got arrested. Because he's a minor you won't find this picture in a lot of places; he's an adult now. But this is the face of Lapsus$, and this is who our adversary is. And I have a problem with this face, because it's a broad brush that gets applied as "oh, they're just teenagers," which is another problem we have. Don't trivialize them. I think when we call them teenagers we're trivializing them, and I don't think they're all teenagers; I think there's evidence to back that up. And even if they are teenagers, they're kicking our butts, so it doesn't really matter how old they are.

So let's talk about how they're winning. They have a lot of skills. They are excellent social engineers; a lot of them came out of the video game community, and there is a rich history in the video game community of internal abuse, player-on-player [unintelligible]. Excuse me. You don't need to necessarily sit back and say "well, we can't possibly know these things." They know them, and they know them very well.

They have and use dumped data. So every time there's a data breach, they're pretty quick studies on those. They look for things like your email address, which may be a primary key in a database of theirs (you might want to construct a few of them): maybe a personal email, your first and last name, maybe your home address, maybe all your phone numbers, and certainly where you work at the time. And I've noticed through target selection they are usually faster at updating their lists of people to organizations and jobs than direct sales people are, or direct sales platforms are. So that's scary, but also a good takeaway. Again, teenagers, right? They're outperforming Salesforce that way.

They are extremely proficient at SIM swapping. SIM swapping, if you don't know, is the act of migrating one's cellular phone number to another device, usually without your knowledge. They're very, very good at that, and they've used that prolifically, as have a few others. They also buy credentials. You can buy creds in a lot of places; you can buy creds, you can buy cookies, and they're very, very cheap. Allegedly the Slack token that was the entry point to the Uber incident with them was $8. No exploitation, no malware, just take some BTC. Eight bucks; who wouldn't want to pay that? Super cheap.

They have a very high operational tempo, and I would argue they have a higher operational tempo than most SOC teams. I say that because you can see them stand up infrastructure, do initial tests and whale their targets within hours now. So their time from target selection to when they stand up infrastructure and deploy is just a few hours, so it's becoming very, very challenging to track them and disrupt them, or protect against them.

They have demonstrated experience with IdPs and SSOs. If you haven't read it, I highly encourage you to read Okta's recent blog post on this topic. And again, coming back to people being dismissive of them as teenagers that are unskilled: that's complete BS. They're very good at understanding IdPs and SSOs, and you should read that Okta article if you haven't; it's very informative. They're trained on the platform, and Okta has hypothesized (and maybe they have some other data) that the Lapsus$ actors behind some of these incidents have actually taken training. Interesting. They are also skilled with traditional lateral movement tools; there's another slide on TTPs next, and some of those map to another group you may have heard of, APT28. So again, if we're dismissive of them as teenagers, they're bringing the same tools and techniques that some other much more advanced adversaries have been playing with for years.

So let's talk about their TTPs. They SMS and voice phish people on personal lines, almost exclusively on personal lines, where you have no visibility from corporate devices; very intentional and deliberate. They use legitimate remote access tools, where they socially engineer employees to install their tools and give them remote hands-on-keyboard to their corporate devices. They are very proficient at multiple phishing toolkits that can be deployed to intercept OTPs in real time and/or do push verifications; Evilginx2 has been around for a while, they're on that, they're on some other things, they're very, very good at that. They also are really good at getting people to accept pushes when they shouldn't be accepting pushes. What we discovered in the last couple of years is that people, just like security people get alert fatigue, people get push fatigue, and eventually they want to go to sleep, and so they just click yes and they don't understand why. Excuse me. They're also prolific with using commercial VPNs and proxies. In the last 12 months or so they've evolved to attack third-party providers that may be entry points into other organizations. For example, you may have read about the Retool incident a few weeks ago. I'm not saying Lapsus$ did that, but go look at the Retool customer list on their homepage; you might have some insights as to who they're going after. Insider recruiting: if you made millions off of cryptocurrency theft, you can pay someone $20,000 to just give you access. Go to a T-Mobile store; the people there probably aren't making that much. And again, back to the open source tools that they use, or public domain tools: Impacket, minidump, PowerShell, I mean reg query, pretty basic LOLBins. This is the same stuff APT28 has been using for a long time, in addition to Responder. So again, this is approximately their class of TTPs.

Let's talk about mitigations. These are not computer mitigations, right? These are just general good life health advice. So let's apply this; this is not a bad metaphor, let's apply it to our domain. What's the equivalent of eating your vegetables? What's the equivalent of taking a walk and not smoking two packs of cigarettes a day? Chances are, if you eat bacon three meals a day and smoke two packs of cigarettes a day, you're going to have heart disease or a heart attack and probably cancer. That's predictable. So again, the same metaphor applies to infosec. So we have two large categories of problems. One, corporate account takeover: employees reuse passwords, they show up in dumps, and even if they don't reuse the same exact password, if I have three of your passwords over time I might be able to construct a pattern that's easily extrapolatable; phishing; MFA abuse. And then the other bucket is malware and RATs on computers. So there's malware from initial access brokers, there's malware that they might trick you to deploy, and then there are remote access tools; it might be legit remote access tools, it might not be. Those are the two large categories of problems. Category two: they steal cookies and creds, and they have reverse proxies.

So, bring your own desktop. I think it should be redefined to bring your own disaster. If you are trying to defend against Lapsus$ or any threat actor like them, you are blind and you can't hear. I highly, highly discourage BYOD unless you have full control over endpoints, which you almost never do. Microsoft issued their 2023 Digital Defense Report just recently; it's long, but it's rich, I encourage you to take a look. It's not an easy URL to remember, but that's okay. Just highly encourage you to take a look at that, especially as it regards BYOD; if you need ammo, it's all in there. And if you have BYOD and you don't have full admin on the box, you don't have agents, you don't have the ability to do things like issue and revoke certs, get EDR data, etc.: bad day.

So we have to solve corporate account takeovers, we have to solve endpoint malware, and we have to detect these things really quickly. Super easy, right? We'll be done by Tuesday; that's it, just those things. So how do we impose costs? Coming back to the health metaphor: we need prevention, we need hygiene, and we need detection.

So this is very basic, and I'm sorry if you think this is very basic, but somebody needs to hear it, because we don't do it. Password managers work. In the last year I wouldn't recommend one of them, but, you know, use the one that can't recover your passphrases. It works, and on top of that it will mitigate phishing if people know how it works. Have a sensible password policy, and hopefully make it unique to your SSO. Again, if you can get employee dumps you can know their passwords, and you can tell them their passwords, which they will be shocked to hear, but that's what the attackers have, so why can't we? Just listen to NIST. NIST has really good guidance on this; it's not crazy. It's: use a multi-word passphrase that you can remember; don't require silly combos (there's no computational advantage to this; Stanford University has a great write-up on the time it takes to crack different kinds of passwords, and it confirms what NIST is saying, because NIST also has the same research); don't force people to change them (that's not helpful); and then monitor for your employees in dumps.

Now even better, let's talk about FIDO2 and WebAuthn. FIDO2 or WebAuthn is usually associated with YubiKeys. I'm not a brand person, but I have friends that work there, full disclosure; I think they're great. But who cares; you can get any kind of security key you want. FIDO2 compliance: good day. Get Feitian, get Titan, get whatever floats your boat, just get one. And even better if you can use it in WebAuthn mode, because WebAuthn means you don't need passwords anymore. So since Google has gone to security keys (and they're very open and transparent about this, they've talked about it publicly), they've had exactly zero corporate account takeovers since they globally enforced those. And they're a huge target. Exactly zero. So I won't say it's impossible, but it's kind of impossible today. And even better, if you don't have passwords, your employees will know they don't have a password, so when somebody calls them on the phone and says "type your password into this thing I just texted you," they're going to know it's shenanigans, right? Very, very easy to figure that out.

So, push. I have a bee in my bonnet about push. If you've ever done offense, or even if you haven't, I'd encourage you to go take whatever SSO or IdP you have at work, create yourself an integration (name it whatever you want, it won't actually matter that much), and just start randomly pushing your employees. This is the month for it, right? Security Awareness Month. Get after it, do this, and you will get security keys, because I've done this, and the floor, best case, is 20% accept rates; the worst is over 30. So one in three. I don't know; we know this, let's do something about it.

Back to BYOD: if you can't control device and user certs for machines that are connecting to your infrastructure, that's a bad day. I recommend you have the ability to do both authentication-time and access-time enforcement for certificates, and do mutual TLS, even better. But if you don't have that capability, you should try and get it. It's integrated into a lot of platforms; not going to throw anybody under the bus, there's just disparity in feature sets between IdPs. Microsoft, ironically, does a great job at this; Okta does not, you can't do this with Okta. Sad.

Another topic: compartmented admin access. Are any of you OG Active Directory people? That's how I first started, way back in the day. Anybody heard of Red Forest? This is not a new idea, right? Compartment your admin access. What this means in practice is you have an admin account and you have an admin device. So Jason Craig at Remitly doesn't do admin work; that's the one I use for everything else. If I have admin work, and if I have admin privileges, I don't use my regular account for that, and it's much, much easier to harden that account than it is to harden my regular account that's browsing the web, reading email, clicking on random crap. I definitely recommend admin devices too; I have a Chromebook. It's a pain for presenting, but it works really well.

Enclave your infrastructure and your management tools where possible. Everybody forgets about the stuff that manages your laptops. They do a lot of hygiene on admin accounts and admin privileges, whether it's AD, whether it's Okta, whether it's Azure AD, and they forget about the things that actually manage your laptops. So if you can take those over and/or exploit a path via a trust model from an account to those management tools, you're going to have a bad day. So try and minimize that where possible. Similarly, if you're using OAuth grants, try and lock those down, because if you have hardened passwordless authentication via security key and you have a hardened device, your attack surface is roughly OAuth integrations and Chrome extensions, browser extensions generally. Those are much more solvable for admin accounts than for everybody.

So one of the things that makes me really sad every year to be in this industry is to go walk around the RSA show floor every year and ask vendors what their products do. Not trolling them, but I'll ask vendors "what does your product do?" Zero trust has been a buzzword for the last few years, and I challenge you to find two people at the same vendor that have the same definition of what their zero trust tool does. Now go talk to 10 vendors; you're probably going to have 50 answers, right? So I don't mean the vendor model; I mean doing this for real. When I say that, I mean you ensure that you have a managed, healthy device, and it's up to date for whatever your standard of managed healthy device is, and you can know that from telemetry that you get from trustworthy agents. There are commercial ones; you can build your own. My old team at Pinterest built one called Zuul (it's from Ghostbusters, as you might imagine; it's the gatekeeper), and it's great. We built a custom IdP because we didn't like what we saw in the market. I don't recommend you do that; do not recommend. I would buy today versus building ourselves, but what we did then we didn't have available in the market at the time. So these types of agents, whether it's Okta, Azure, whatever: at authentication and access time, your agent will talk to the service, and the service will do some backend work, query a bunch of other disparate systems: is my EDR running right now, do I have logs within a specific time bucket, and are these specific desired-state configurations in their desired state? And if no, then they get a warning that says "go away, call IT," or they get a hard block that says "go away, come back later." Not super hard in practice for the technical bits; a little bit harder for the social bits. They basically just ask each other "are you good?" and the device will say "yeah, I'm good," and then you double check; you don't trust the device on its own.

So coming back to more hygiene and hardening: binary allow-listing agents are really, really good. I saw some statistic recently that macOS is about 30% of all Fortune 500 compute devices for end users today, so it's about one-third. We can't really leave Macs out of traditional blue-chip, Fortune 100 companies. So there's an option for that. I read this morning that Santa has a new release this week. Santa's great; it's authored by Google, it's performant, it's reliable and it works. There are many options for Windows, a lot more actually than macOS; not going to recommend any of them, but Santa is great for Mac.

Coming back to the threat landscape you have to deal with for OAuth grants or browser extensions: look for browser extensions. This is actually easier today than it was 10 years ago. We have tools: osquery has been around for 10 years, but not publicly. osquery can allow you to collect browser extension data for almost every browser you could possibly want; Edge being Chromium-based now, it's even easier. It's a good tool, get after it. And then you can do things like an explicit allow list. I don't recommend you do a ban list, or I don't recommend you only do a ban list, because you're going to be playing whack-a-mole all day, and that's not a race you want to compete in, because you're going to lose; one day you will lose. So if you have an explicit allow list, that's even easier. Even better than binary allow-listing for your general-purpose device: get a Chromebook. They work well enough for most use cases. I've been using one personally for a long time, and you can do some kinds of engineering work with one, but not all; but most office users can kind of get by.

So coming back to my first love, detection. I highly recommend you build reporting flows if you don't have them yet, and your reporting flow should accommodate the model that Lapsus$ and friends are using, which again is SMS and voice phishing. With voice phishing they can't just email you, they can't take a screenshot and forward it; but if they get an SMS they can screenshot that and send it to you, and if you have a pipeline built that says "okay, I'm going to OCR that and extract the URL, and then I'm going to go throw that in my retro-hunt systems and/or block list," that's super good. So build a reporting flow and start tracking those things. Voice phishing is a little bit harder, but it's still doable.

Alert for new domains, for you and for your infrastructure. You probably have third-party providers; there are a lot of IT third-party outsourcers in the world, and they've been getting whaled too. If you use them, you should probably have them in your envelope of stuff to monitor. So does anybody remember this domain? It's from way back. Do you remember what it's from? Yep, exactly: the July 2020 Twitter breach. This is the domain they registered. So alert for brands, alert for your brand, alert for things in your portfolio of services. Certificate transparency logs are amazing also; it's one of my favorite techniques for threat hunting, or at least proactively discovering attacker infrastructure that you may not know about through other means. So with Twitter, literally their Okta instance was twitter.okta.com. I don't know what their VPN instance was, but "VPN Twitter," vpn twitter.com, was an Okta Twitter phishing page. It was just a clone, a super lazy web clone, exactly the same.

So if you're doing certificate transparency log parsing for your brand and for your portfolio brands within your envelope, you might note that vpn twitter.com is from Cloudflare. Cloudflare provides three-month free certs for anybody who wants to generate them, so you see a lot of people using them, both for fun and profit and also for real work. So the thing to note is that twitter.com is signed by VeriSign, and those things don't have a high degree of overlap. So this should automatically be super sus: these two things together, a new domain plus the CTL gap between the two CAs, should be a super, super high alert. This is a urlscan; I'll click on this, it'll probably screw up the whole presentation, we'll see. Yeah, that's the Twitter phishing page that got them whaled, at VPN Twitter, the copy of VPN. So, cool. urlscan is great; it's incredibly low cost, highly recommend you use it at work. You almost could credit-card this yourself and try and expense it. I have an account just for funsies, but not for work.

So coming back to SSO and IdP logs: the log output you get from O365, Azure AD, Okta, whatever else you're using, Duo, G Suite, has pretty good data, but it doesn't have certain things that you might want to care about.
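The certificate-transparency check described above (a brand-bearing hostname the org does not own, signed by a CA the org never uses, and freshly issued), written out as an added example that is not from the talk; the CT entries, the brand, the owned domains and the issuer names are constructed placeholders.

```python
"""Flag brand-lookalike hostnames in certificate-transparency entries.

Added example (not from the talk): it applies the speaker's rule that a
brand-bearing hostname the org does not own, issued by a CA the org never
uses, should be a high-severity alert, and that a freshly issued cert makes
it worse. All entries, domains and issuers below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CTEntry:
    hostname: str        # one leaf/SAN name from the logged certificate
    issuer: str          # issuer organisation as recorded by the CT log
    not_before: datetime  # certificate validity start


# Constructed org profile: the domains we own and the CA(s) that sign our certs.
OWNED_DOMAINS = {"contoso.com", "contoso.net"}
KNOWN_ISSUERS = {"Contoso Trusted CA"}   # placeholder for the org's real CA(s)
BRAND_TOKENS = ("contoso",)


def is_owned(hostname: str) -> bool:
    """True if hostname is one of our domains or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in OWNED_DOMAINS)


def mentions_brand(hostname: str) -> bool:
    """True if a brand token appears anywhere in the hostname; substring
    matching deliberately catches vpn-contoso.com, contosologin.example and
    contoso.net.evil.example, at the price of some noise to review."""
    h = hostname.lower()
    return any(tok in h for tok in BRAND_TOKENS)


def score(entry: CTEntry, now: datetime, new_window_days: int = 7) -> Optional[Dict]:
    """Return a finding for a suspicious entry, or None for benign ones.

    Severity grows with the number of independent reasons: brand in a name we
    do not own, an issuer we never use, and issuance inside the new window.
    Owned names signed by our own CA are the normal case and are ignored.
    """
    if not mentions_brand(entry.hostname):
        return None
    reasons: List[str] = []
    if is_owned(entry.hostname):
        if entry.issuer in KNOWN_ISSUERS:
            return None
        reasons.append("owned name signed by a CA we do not use")
    else:
        reasons.append("brand in a hostname we do not own")
        if entry.issuer not in KNOWN_ISSUERS:
            reasons.append("issuer never used by the org")
    if now - entry.not_before <= timedelta(days=new_window_days):
        reasons.append(f"certificate issued within the last {new_window_days} days")
    severity = ("low", "medium", "high", "critical")[min(len(reasons), 3)]
    return {"hostname": entry.hostname, "issuer": entry.issuer,
            "severity": severity, "reasons": reasons}


def triage(entries: List[CTEntry], now: datetime) -> List[Dict]:
    """Score a batch of CT entries and return findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [f for f in (score(e, now) for e in entries) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample CT entries (not real certificates or log records).
NOW = datetime(2023, 10, 20, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    CTEntry("www.contoso.com", "Contoso Trusted CA", NOW - timedelta(days=200)),
    CTEntry("vpn-contoso.com", "Example Free CA", NOW - timedelta(days=1)),
    CTEntry("contoso-sso.example", "Example Free CA", NOW - timedelta(days=40)),
    CTEntry("staging.contoso.net", "Example Free CA", NOW - timedelta(days=2)),
    CTEntry("unrelated.example", "Example Free CA", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES, NOW):
        print(f["severity"].upper(), f["hostname"], "-", "; ".join(f["reasons"]))
```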

If we talked earlier about Lapsus$ TTPs where they use commercial VPNs, they use proxies, and that's where they hop to you from, or that's where they try to whale your employees from and pass credentials from. So the way this would manifest is: I'm on, I don't know, NordVPN as Lapsus$, and I get your employee's username and password and I type that in (let's not say typing, because it's automation), but your exit node is a VPN exit as the attacker, and that's what authenticates to Okta or Azure AD. So you're on these known VPN networks. This is a pain to do yourself; Spur is a great service that's really low cost, highly recommend. They do this for you, and you can basically just ingest the data and cross-correlate with your Okta or Azure logs, and you can say "okay, well, Jason logged in from this place today, and I know that's this hotel, or I know this is PSU, and I know Jason's in Portland, so it's fine. I know that Jason is not in Helsinki on NordVPN today adding an additional two-factor method." So things like that are really, really powerful to cross-correlate. Most log sources for SSOs don't give you that data, so you want to enrich and provide that context for analytics.

This comes back to behavioral analysis. I've worked a lot of unfortunate incidents in my career, and I've seen a commonality: whether it's SSH or browsers, user agents and SSH client strings are different for attackers, almost always, than for actual employees. Almost always. The SSH thing is a whole other thing I won't get into, because that's not this talk. But user agents, session IDs, IPs and behavior: you can do this for your employees. It's not super hard; you can do cohort analysis for yourself over time and build analytics to do that. It's not that difficult, and it's incredibly powerful. And the obvious outcome of that is "hey, you did something dodgy, I'm going to go talk to you and/or disable your account or reset your account." So yeah, you can also cross-correlate with other log sources. For example, if I'm on a work laptop and I'm doing work things, the Okta event is mapped to me hitting remitly.okta.com on a browser on my work machine, so you can cross-correlate these things. The more data sources you get together, the easier outliers are to spot. I've been preaching this for a long time; I think they call this XDR, I don't know. You don't need a fancy product for it; just do it. Deception is a whole other category; you should go see Sasha Levy's talk.
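The SSO log enrichment and per-user behavioral baseline described above (known VPN/proxy exits, user agents and locations a user has never signed in with, a factor enrolled from an anomalous session), written out as an added example that is not from the talk or from any vendor; the sign-in events, the VPN exit ranges and the country field are constructed, and IP geolocation is assumed to happen in an upstream enrichment step.

```python
"""Enrich SSO sign-in events with VPN/proxy context and compare each one
against the user's own sign-in history (user agents and countries).

Added example, not from the talk or any product. The events, the VPN exit
ranges and the per-event country field are constructed; in a real pipeline
the exit-node list comes from an enrichment feed and the country from IP
geolocation, both assumed to be applied before this code runs."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed stand-in for a commercial VPN/proxy exit-node feed.
VPN_EXITS = [
    (ipaddress.ip_network("203.0.113.0/24"), "ExampleVPN"),
    (ipaddress.ip_network("198.51.100.0/25"), "ExampleProxy"),
]


def vpn_provider(ip: str) -> Optional[str]:
    """Name of the VPN/proxy provider that owns this exit IP, or None."""
    addr = ipaddress.ip_address(ip)
    for net, provider in VPN_EXITS:
        if addr in net:
            return provider
    return None


def build_baselines(history: List[dict]) -> Dict[str, dict]:
    """Per-user cohort from past sign-ins: user agents and countries the user
    has actually succeeded with. Failed attempts are excluded on purpose so an
    attacker's earlier tries cannot teach the baseline their own fingerprint."""
    base: Dict[str, dict] = defaultdict(lambda: {"user_agents": set(), "countries": set()})
    for ev in history:
        if ev["result"] != "success":
            continue
        base[ev["user"]]["user_agents"].add(ev["user_agent"])
        base[ev["user"]]["countries"].add(ev["country"])
    return dict(base)


def evaluate(event: dict, baselines: Dict[str, dict]) -> dict:
    """Return the event enriched with provider, reasons and a triage action."""
    reasons: List[str] = []
    provider = vpn_provider(event["ip"])
    if provider:
        reasons.append(f"commercial VPN/proxy exit ({provider})")
    base = baselines.get(event["user"])
    if base is None:
        reasons.append("no prior successful sign-ins for this user")
    else:
        if event["user_agent"] not in base["user_agents"]:
            reasons.append("user agent never seen for this user")
        if event["country"] not in base["countries"]:
            reasons.append("country never seen for this user")
    # The "Helsinki on NordVPN, enrolling a new factor" case: a factor enrolled
    # from an anomalous session is treated as the strongest single signal.
    enrolled = bool(event.get("mfa_factor_enrolled"))
    if enrolled:
        reasons.append("new MFA factor enrolled in this session")
    if not reasons:
        action = "allow"
    elif len(reasons) >= 3 or enrolled:
        action = "disable_and_contact"
    else:
        action = "review"
    return {**event, "vpn_provider": provider, "reasons": reasons, "action": action}


def triage(events: List[dict], history: List[dict]) -> List[dict]:
    baselines = build_baselines(history)
    return [evaluate(ev, baselines) for ev in events]


# Constructed history (normal use over the last 30 days) and today's events.
CHROME_MAC = "Mozilla/5.0 (Macintosh) Chrome/118"
HISTORY = [
    {"user": "jason", "ip": "192.0.2.10", "country": "US", "user_agent": CHROME_MAC, "result": "success"},
    {"user": "jason", "ip": "192.0.2.44", "country": "US", "user_agent": CHROME_MAC, "result": "success"},
    {"user": "jason", "ip": "203.0.113.9", "country": "FI", "user_agent": "python-requests/2.31", "result": "failure"},
]
TODAY = [
    {"user": "jason", "ip": "192.0.2.10", "country": "US", "user_agent": CHROME_MAC},
    {"user": "jason", "ip": "203.0.113.5", "country": "FI", "user_agent": "python-requests/2.31", "mfa_factor_enrolled": True},
    {"user": "newhire", "ip": "198.51.100.7", "country": "US", "user_agent": CHROME_MAC},
]

if __name__ == "__main__":
    for r in triage(TODAY, HISTORY):
        print(r["user"], r["action"], "; ".join(r["reasons"]) or "-")
```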

It's at 12:30 in the main track. She's right here if you want to say hi afterwards; Sasha and I work on the same team.

So coming back to mitigations. You know, nobody wants to eat broccoli three times a day; 10,000 steps is actually hard, that takes effort every single day. This is awkward; this is real awkward. How many of your CEOs read the New York Times, the Wall Street Journal, and maybe Bloomberg or Forbes every day? All of them, right? Your boards do. How many of them mentally don't connect that "we're next"? It's hard, right? It's super hard. So whether it's an executive funding security programs, or an executive deciding to not support security initiatives that might be less palatable in some orgs, it's a hard problem, but it's part of our challenge with respect to Lapsus$ and other attackers. And the more we can inform and do our due diligence to educate people as to the concerns that we see, in a language that's relatable to executives and your board, the better off we'll all be, and hopefully they'll fund programs, and they'll fund projects, and they will support initiatives that will cause change.

Another not-so-fun topic to talk about: what's the reality of business today? So MGM is an exceptional outlier, exceptional outlier. Thanks, SEC, for all these new filings that publicly traded companies must submit; it's kind of a nightmare if you're one of them. One of the things that came out this week is MGM lost approximately $100 million in revenue due to their recent incident. In profit? Oh, in profit, yeah. Oh, thank you, that's an important detail. That's even much worse then; that's so much worse, that's so bad. And I think they also said, please correct me if I'm wrong, I think they also said the incident cost them about 10 to 15 million in cost to do the incident; so that's just lost revenue. So if you work in this field, I encourage you to go read your cyber insurance policy. Seriously, I'm not kidding, go read it. I've inserted myself into this process where I've worked a few times now, and it's eye-opening. You probably will not have a policy that big. The reality is, again, MGM's an outlier; it's spectacularly bad, but they're not the reality. The reality is it costs like 2 to 5 million per publicly traded company that has an incident, and insurance pays for it. It sucks, it's painful, it costs the company a lot of money to do things, and then sometimes they get reimbursed partially, or a majority, or all, through insurance. That's good, because you can buy insurance that will defer your risk, or it will transfer your risk to someone else. So that's great; we all should want that, we all want insurance for ourselves. For companies, the vast majority of them are not MGM; they're smaller, and so the cost of doing things in executives' minds might come back to: the cost of this breach is less than what I have to spend to do all the security shenanigans. That's crappy, but that's business in some places; hopefully it's not where you work. But if you can translate those dollar costs to things that don't map to seven-figure breaches in your organization, they're much more palatable.

So, culture. Culture is an interesting one. Culture is just people, right? And culture changes; it's just a collection of people and their behaviors and norms. But culture is a challenge in every organization I've worked in. I've worked in very large, we'll say, nonprofits, governmental entities; I've worked in very small tech companies. They all have their distinct cultures. If you work at, maybe, Citibank, your culture is probably going to be very different than if you work at Intel; you're going to treat your machine differently, people will treat things differently in those organizations. And if you're at some 50-person startup somewhere else, different still. There's a notion in everyone's mind: "this is my computer." It is not your computer; it's your corporation's computer. That's the reality. People treat it like their own, they expect it to be treated like their own, and I just encourage us to think a little bit differently about this. So what if your computer was a work truck, and it had the logo of your company on the side? It's an easy mental shift to make, right? Take your laptop home; you're going to watch YouTube, maybe Netflix, maybe something else, you're going to do random Google searches. If that was a work truck, you wouldn't do that, because your logo would be displayed on the side and you'd be driving it around at 3 in the morning doing random stuff. So think of it that way. It's a mind shift that's hard to make for most people, and so they just treat their computers like their computers. And especially engineers. Engineers are the hardest to monitor; we're catered to because we're special and we make stuff happen, and we get to do kind of whatever we want, and we do the most shady things. We do the most shady things, whether it's endpoint, whether it's AWS, whatever; we do sus stuff constantly, and that's just normal. So that's part of our challenge.

Application allow listing: I don't know, I don't want to do that myself; I want somebody to do it, but I don't want to run in front of that, because it can be challenging. You need good engineers, you need good comms people, you need good project managers, but especially good engineers, and if you're doing click-offs you're going to have a bad time. So coming up with a phased rollout plan makes a lot of sense; doing appropriate testing and qualification, not everyone does. And again, back to my MacBook: I do what I want, especially if I'm an engineer. And same for browser extensions: "how dare you, I want..." I don't know, I'm trying to think of a very popular Chrome extension that got backdoored over time, but there's so many I have to choose from, it's hard to pick one, right?

So people have a conception that Chrome is for kids in schools; Chrome OS is for kids in schools. I have a $1,200 Chromebook. It's awesome; it has a beautiful screen, great interface, great hardware, I love it. It's old, I'm not getting rid of it, it still works well, it's really well supported. But there is a perception, especially in recent years, amongst parents that have their kids' $350 Dell Chromebook come back home, and it's garbage and they don't like it. Sir, you have a question? I mean, security keys: you're actually reading ahead, thank you. No, it's great, I'm happy, thank you. So passwordless is super hard. Back

to that gentleman's Point um you can't do this with everything it's a real problem like I've had a security key for a long time since 20 3 at work you can't use it for everything in webn mode PH2 mode is also challenging so you have a conflation of different uh you have an infrastructure you're authenticating to like like Microsoft or OCTA then you have your operating system and then you have the app itself so uh the classic example is um OCTA plus Mac OS plus office you can't do PH2 because Microsoft publishes some little special bespoke browser that requires you to authenticate to 0365 to get your license that doesn't support that like how hard is this not hard but

nobody's doing it's not like on a product manager's road map to actually care about unfortunately so yeah uh there's a website ph. fail it's pretty like Bare Bones um but you should all contribute to it because PH2 doesn't work everywhere and it's really painful um zero trust Beyond Court model not trivial to do well either um it actually takes good engineers and forethought and a long time like there's no Flag Day where you're just like we're behind everything now unless you want to like get fired that's not going to go well so phase roll outs are the way to go and it can be a long taale so you have to start with criticality or critical Services

first and and roll those in and also mobile like what the heck do you do for EDR mobile like who wants to put your Android in supervised mode give me access to it I don't want that but if you want to support IOS and Android this is a problem you have to deal with and IOS and Android might just be a user agent so if you can just set your user agent to iOS or Android and authenticate to OCTA maybe you get different controls applied to you at access time and that's a real problem for us we don't have good answers yet uh detection response challenges um I've been in the detection engineering space for for a while and I've built a

few teams that a few different places and I will see I will tell you there's one commonality amonges all of them um this takes a lot of knowledge to even know how to do you need tooling and then you need a bunch of really smart incredibly expensive and high demand meat bags to go do that work for you right so is anyone like oh yeah there's a there's a surplus of detection engineering skill set in the world let me go like lowball this candidate has that ever happened to you no I don't see that changing anytime soon either so this challenge around knowledge tools and meat bags is not going away like it's hard to build it and it's really

hard to buy it I would articulate it's harder to buy it I would articulate you can't buy it I would articulate it's a failure of the market because we can't go buy this so maybe there's a good startup idea for somebody not me so some key takeaways uh social engineering will always work you're never at zero% like what year is this we shouldn't be doing fishing tests we shouldn't be making people change pass words like social engineering will always work and if you start from this premise that that's always going to work for some percentage it's higher than zero where zero is your acceptable rate uh you need a plan for it so please like

accommodate social engineering as a known viable model for attackers in whatever authentication platforms you deploy and configurations you deploy so all all 2fa is fishable all of it like I stand by this like again like like lapsis is winning prove me wrong b 2 is the way to go by far you can do like Step Up challenges that might be F2 maybe that helps I don't know in practice that gets real muddy but if you're doing things like nobody should be doing telephony like SMS or calls that's just bad for corporate accounts it's fine for your bank like lapsis is not coming for you and your bank account that's okay but we we have to disambiguate like the advice we give

to people at work with the advice we give to people at home like if you want to get SMS for your bank totally fine I actually challenge you to find more than three banks in the US that will support PH2 security Keys USAA is like the only one that comes to mind maybe that's my sample bias I don't know um but I challenge you to like find that it's hard to find but that aside you know that you're going to get wailed at work so you have to design a process that accommodates that um malware happens like driveby downloads happen type of squatting happens uh malicious malicious search results happen we know these things we

need to plan for them and we can accommodate them they're kind of solvable um the zero trust Beyond Corp style model yeah it's challenging but it's worth it and it's doable and I say that because I've worked on really small teams that have done it like we don't have 30 person teams we have like six so it's doable uh detective controls are great if you are very very very fast in your detection Loop and I'll also note when I say this I'm including response like if it if it takes me if my log pipeline takes an hour to do an analytic event where it says I'm going to page somebody and then it Pages me at 3 in

the morning and I get to a computer and then I get the sleep out of my eyes and I turn my lights on and I log in an hour to two have already gone by for the attacker um I won't tell you the answer but I'll challenge you go do S3 copy op operations uh for buckets and see how much data you can steal in an hour Pro tip be in the same availability Zone if you're in US West 2 attacker infra needs to be in US West 2 as well but still you can steal a lot of stuff so an hour is not good two hours is even worse I want automation as much as

possible and also note prevention's better it's much more efficacious and it will raise the noise floor for your alerts significantly and it will make it much much harder on lap and friends and all the other attacker classes that you're going to be threatened by and it will raise uh it will raise cost on them significantly so suggestions uh coming back to Executive psychology and internal work culture and funding and priorities um we got into this game because we're hackers culture is the biggest lever you can have deploy preventive controls insur rapid detection and response make friends if you are in a vertical that makes I don't know um widgets Acme widgets like befriend your colleagues in that vertical talk to them

see what's on their radar see who's attacking them and trade data like you may think H lawyers won't let us do that yeah they will they totally will and sharing is

caring w
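The talk's claim that every 2FA except FIDO2 is phishable comes down to one property: a one-time code is the same bytes no matter which site the victim typed it into, so a real-time relay (a look-alike login page that forwards everything to the real site) is enough, whereas a WebAuthn assertion is a signature over client data that the browser, not the user, fills with the origin it actually loaded. The following Go program is an added example written for this page, not code from the talk or from any product named in it. It models both factors end to end against the same relay attack. The origins `login.example.com` and `login-example.com` are assumed placeholders, and the FIDO side is simplified: real WebAuthn signs `authenticatorData || sha256(clientDataJSON)` and also checks the RP ID, but the origin-binding check shown here is the part that defeats the relay.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed names for this example: the real login site and an attacker
// look-alike that relays the victim's input to the real site in real time.
const (
	RealOrigin     = "https://login.example.com"
	PhishingOrigin = "https://login-example.com"
)

// ---- Phishable factor: a one-time code the user reads off a phone and types in.

type OTPRelyingParty struct{ expected string }

func (rp OTPRelyingParty) Verify(code string) bool { return code == rp.expected }

// The code typed on the phishing page is the same bytes the real site expects,
// so the proxy forwards it unchanged. Nothing in the code says where it was typed.
func relayOTP(rp OTPRelyingParty, typedOnPhishingPage string) bool {
	captured := typedOnPhishingPage
	return rp.Verify(captured)
}

// ---- FIDO2/WebAuthn-style factor (simplified; see lead-in).

type ClientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, never by the user
}

type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authenticator{priv: priv}, pub
}

// Sign models the browser building clientData from the origin it actually
// loaded and the authenticator signing a hash of it.
func (a Authenticator) Sign(browserOrigin string, challenge []byte) Assertion {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256(cd)
	return Assertion{ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, h[:])}
}

type FIDORelyingParty struct {
	origin string
	pub    ed25519.PublicKey
}

// Verify is the server-side check: right ceremony type, the challenge we
// issued, our own origin, and a valid signature over exactly those bytes.
func (rp FIDORelyingParty) Verify(challenge []byte, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch (replay)")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rp.origin)
	}
	h := sha256.Sum256(a.ClientDataJSON)
	if !ed25519.Verify(rp.pub, h[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// relayFIDO is the same proxy attack against a security key: the phishing site
// fetches a genuine challenge from the real RP and forwards it, but the victim's
// browser is on PhishingOrigin, so that is the origin that gets signed.
func relayFIDO(rp FIDORelyingParty, auth Authenticator, challenge []byte) error {
	return rp.Verify(challenge, auth.Sign(PhishingOrigin, challenge))
}

// rewriteOrigin is the attacker's next move: patch the origin field before
// forwarding. The signature no longer covers the edited bytes.
func rewriteOrigin(a Assertion, origin string) Assertion {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		panic(err)
	}
	cd.Origin = origin
	edited, _ := json.Marshal(cd)
	return Assertion{ClientDataJSON: edited, Signature: a.Signature}
}

func main() {
	fmt.Println("relayed OTP accepted:", relayOTP(OTPRelyingParty{expected: "123456"}, "123456"))
	auth, pub := NewAuthenticator()
	rp := FIDORelyingParty{origin: RealOrigin, pub: pub}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	fmt.Println("genuine FIDO login:", rp.Verify(challenge, auth.Sign(RealOrigin, challenge)))
	fmt.Println("relayed FIDO login:", relayFIDO(rp, auth, challenge))
	fmt.Println("relayed, origin rewritten:", rp.Verify(challenge, rewriteOrigin(auth.Sign(PhishingOrigin, challenge), RealOrigin)))
}
```

The relayed OTP is accepted, the relayed FIDO assertion is rejected on origin, and the attacker's rewritten assertion is rejected on signature, which is why the talk's advice is to plan for social engineering succeeding and to make the factor itself origin-bound rather than to train users to spot the look-alike page.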