
so if the audio cuts out on me all right so once again so Diamond uh my name is George Sanford uh quick background uh spent a lot of years in IT and in security for the last 15 or so primarily on the vendor side working with uh NSM that type of stuff everybody know what NDR NSM are anybody not know excellent anybody want to ask me what NDR NSM is excellent excellent NDR is network detection response NSM is network security monitoring thank you for asking we'll get back to that so uh apologies again um this talk was initially intended to be presented with a co-presenter and I'll tell you a little bit more about her uh she is not here today we were
alternates and uh through the course of of uh events was asked to present last minute which is phenomenal um really uh appreciate uh BSides Augusta for the opportunity to be presenting uh and especially last minute um but unfortunately you don't get to see my co-presenter and uh she's the funny one so apologies there uh she's spending her day unfortunately recovering from getting her flu shot and is miserable that she's A not here and B that she got the flu shot so um couple of things going in uh first off uh we're going to be talking about a a bunch of different things and I want to throw out like a trigger warning in advance we're going to be talking about
uh some trauma we're going to be talking about uh some pretty scary things some impostor syndrome and we're going to talk a little bit and a lot about fear so apologies in advance if any of these areas are icky if you need to leave or if you need to talk a little bit later about things definitely here and open to that I am not not by profession a lawyer or a mental health professional but if you can gauge the uh experiences in your life if you will on the amount of money and time that you spend in those areas I think I probably have invested a lot in both of those and I'll tell you a little
bit about those um this talk and uh I don't know if anybody caught um Mark's talk earlier on taken anybody upstairs for that so there may be a little bit of overlap I caught the first couple of minutes and honestly when we submitted our talk and then saw the announcement um my co-presenter my daughter and I was just like wow that sounds really cool and really scary and it's just like yeah definitely a little bit scarier than ours so I didn't get a chance to catch out the whole talk so I'm looking forward to seeing it but there may be a little bit of overlap so um another thing I just want to acknowledge we're going to talk a little
bit about security and physical security and some of that and I understand and and it's always struck me um when you stand up in in rooms like this and and you know have a little bit of a platform want to acknowledge that some of the stuff that I'm going to talk about comes from my background and obviously especially in physical security stuff um 62 Caucasian male I understand that that's not everybody's Journey not everybody's experience and some of the things I'm going to say about my experience in this particular Journey don't apply to everybody and I want to acknowledge that right out of the gate because not everybody's had the opportunities that I've had and I want
to make sure that um appreciative of those and hopefully the intent of this talk is to share some of this experience hopefully it resonates with you sparks some ideas and ultimately part of what I'm looking for here is not only feedback but other ideas so because at the end of this I still don't have great answers for everything and I'm looking for some of those so okay so um my co-presenter this fabulous young human being here is my 14-year-old daughter Nia um I'll talk to you a little bit about Nia's background in a second after we talk a little bit about OPSEC but um again Nia can't be here but I do have her permission this is not an extension of if
you include puppies and cats in your presentation it kind of goes over well so I am not uh should we say uh utilizing this child to get a speaking spot so we talked about um a good extension of how do we share our experience with other people so I have her permission to share what I'm going to share um I hope you will also understand that some of the stuff I'm sharing is again going to be sensitive and from an OPSEC perspective uh this is putting ourselves out there a lot more than I typically would like to you know I'm on social media a little bit I'm on LinkedIn a little bit professional networks but this is a
little bit of exposure so I appreciate the opportunity but what I'm going to ask you to do is at least adhere to basic Chatham House rules so if you want to talk about stuff that's great but if you have criticism more than willing to listen to it if if you have feedback more than willing to listen to it uh parenting is always an interesting and challenging thing to talk about so if you got feedback please come and see me about it but please don't put me or especially her on blast anywhere on social media all right that's kind of the caveat that I'll ask you to do if you can't refrain from that so again talk
to me directly so first rule please don't put her on blast on this so all right so a little bit of background uh first thing that you're going to have to understand is philosophy of parenting uh anybody ever see the movie Searching for Bobby Fischer okay excellent so Bobby Fischer uh Searching for Bobby Fischer is a story of a chess prodigy that uh stumbles upon chess in Washington Square Park in New York which if you've never been is a wonderfully colorful and interesting place there's a lot of different things going on there and this chess prodigy's parents start doing some formal training including training with Ben Kingsley who is a Grandmaster in chess to train the
kid and at one point the kid said uh the Ben Kingsley says hey can you stop him from playing in Washington Square Park because it makes my job harder mom's response is well then your job's harder from a philosophy of parenting this is probably the best explanation I come from a punk background I come from again typically tend a little more towards the blue side of things and law enforcement and atically good Etc but I believe that properly preparing kids for the world of today and tomorrow is giving them all of the tools they need so one of the things that Nia got probably four or five years ago was lockpicks from here um constantly giving her Tools in
different ways and different things to prepare her for who knows what's coming down the road okay so does that make our job harder yeah um it's a little more challenging but I think this is the only way that you can really prepare for God knows what comes down the road so a little bit of background now further background um both Nia and I have been uh consumers of uh therapy and counseling for most of our Lives um both Nia and I are uh uh adopted children so not that that necessarily needs but there are anybody that's adopted so there are questions of grief there's a little bit of trauma there's a bunch of things that you want
to process there additionally in those times uh both Nia and I have a little bit of trauma and victimization in our backgrounds and have been working through that at various points in our lives um this gives us the opportunity of being you know adherents to therapy and mental health skill sets and tools within there so we have lots of good conversations and we've had to have some really icky conversations already at very young ages okay so for example uh how old are most people when they have the talk anybody not know what I mean by the talk all right so most people are you know you're approaching adolescence somewhere within there we had to have
those talks much much younger so which again sets us up for open conversation which I am a huge fan of obviously so having some of that background having some of that skill set we're already set to have good conversations and have some tools that make uh those conversations a little more adult than typically you'll have with kids so the other thing to remember there is understanding through those processes especially dealing with trauma especially dealing with grief um um you start understanding how your brain works a little bit more and you have to kind of dive in and and understand what drives and motivates some of your actions we'll talk a little bit about that so I'll take you
to uh December 22nd of last year um this was probably one of the hardest professional days of my life uh found out right around that time that the organization I was working for was being sold off to partially sold off to another organization found out that a large percentage of our team was being RIF'd um I lead that team so I had to have those calls which again sorry if it triggers I know a lot of people are in that boat or have been in that boat uh some of my folks are here in the room um it was a really no good horrible nasty day um and really kind of painful and you you
kind of have to dive in and it sucked and there was a lot of unknown so in the midst of that day and trying to figure out what the future holds and how to take care of my people Etc all through Zoom um I get this alert so and it's pretty standard you know it's just a hey you've got a charge on an account what was interesting was this is uh an account that we typically don't use on a credit card that we typically don't use in fact it lives in a drawer but I did what I had to do at this point and I put it in the drawer and I'm like I'll come back to it later went about
the day that day lasted till probably at 10 o'clock east coast time and then I got back to this and I started digging in and one thing became uh very clear uh with this a is that there was some kind of fraud you know card I hadn't used Etc and I'm like okay this is pretty bad so like all of us would do I started investigating a little bit now just to let you know some of the tools that I had at hand so uh I utilize Security Onion at home highly recommend that you do it's phenomenal uh it's a great place to train because it's a network that you presumably know um we utilize OpenDNS I've got you know
standard Ubiquiti stuff kind of deployed because I got lazy after a period of time and it works really well uh Google Family Link we got we got credit card notifications we've got some identity lock stuff um as well as given our background some periodic social media review I've got some specific blocks I've got some monitoring that comes from the school so not bad um so there's kind of the the the basic skill set in what I'm starting to work with so this came through specific threat and I'm like okay and I expected it was just kind of you know regular potential malicious fraud but it was fairly decent charge and again something that we don't
use so when I started digging in popped up Security Onion went looking for that particular vendor just to see if there was something going on and sure enough it pops up and I'm like oh yeah here's here's DNS query here's HTTPS out to this particular vendor and it's like oh which device is it coming from and it's coming from my daughter's phone I was like oh well that's challenging so what would be my first thought now I have to have a conversation with her but because this is what we do for a living and I kind of feel bad for her in some ways this is what I do I can't leave myself there so I do five minutes before
and five minutes after so and I start finding other stuff now already no sleep already kind of frazzled already kind of fried I dig in and do what I assume a lot of us would probably do is I dig in like I'm going to work so down the rabbit hole so and I start digging for substantial amount of time and this is what I find so what she had access to and getting a cell phone at 12 was a hard-won fight and it was lots of no social media I thought it was really interesting that i' called out that TikTok was probably the most insidious tool that got because I agree uh one of the
painful things that Nia was subjected to is I made her initially read the EULA for TikTok which tells you basically you're getting screwed by these people because all of your data belongs to them in perpetuity and she understood it intellectually but still come on everybody's got TikTok so what she had permission to use was you know basic Android phone she had a Gmail account for school and a Gmail account for home with strict instructions that you don't have social media don't have all these other things so what she had done in a short period of time and this is about a 72-hour period of time overall is she had set up multiple sock puppet Gmail
accounts um where she failed and she's going to listen to this eventually is she nested them all so different passwords for all of them but they were all nested and I could see looking up the logs all of the how do you set up Gmail without a a phone and she followed down and it was fascinating because she's back and forth trying to figure out how to get past everything so on one level I'm just like wow that's really good and on another level I'm son of a so she had set up all these nested accounts and she was using those accounts that then register for other things so in the space of about 72 hours she not only had set up
uh TikTok she had gotten into some pretty scary areas of YouTube she had done this Etsy order she had done order off of ooze which is a vape site um she had gotten out on Instagram and connected with lots of her friends she had gotten out on Snapchat and created multiple Snapchat accounts that she was using to triangulate different pieces she had gotten into some of these scarier areas of Discord and this is where things get a little icky so some very scary areas of Discord um and some other sites that I'm not going to mention here but the kind of thing that as a as a parent you're like what the hell okay so I had a pretty good idea of
where some of these were she also and the reason I've separated these she also had tried to set up PayPal and they had eventually shut her down she had tried to apply for a credit card on Capital One and they eventually shut her down she had set up Lyft and Uber accounts which she couldn't fully set up because she didn't have a credit card but she got way closer than she should have for a 14-year-old that doesn't understand how some of these things work now what she had done which was great was she was constantly looking so she'd run into a block and she'd go and look stuff up and find things and then dig deeper and dig
deeper and dig deeper but by this point I'm far down the rabbit hole it's about 4 o'clock in the morning I am freaking out and what I'm doing how I'm proceeding is investigating like you would if you were trying to prepare a case to go present to somebody I'm doing screen captures I'm capturing stuff and I'm trying to clean some of these things up so I start reaching out to abuse at some of these sites like hey this is a this is a 14-year-old kid you need to take this information down and some of them I got a really great email from one that was basically like f you so um so overall though where do you think my
head was all I wanted to do was just I wanted to beat the hell out of the phone I wanted to destroy every piece of technology I was honestly embarrassed and ashamed that she had circumvented all of this stuff and I was angry and terrified it's interesting in that the the when you get into that state the part of your brain that's actually working and you think that you're thinking but you're really not thinking you're reacting especially with trauma response so the cortisol the adrenaline all of that is what's feeding me at this point and and I was livid and shaking and didn't know what to do and of course it's in the middle of the morning
right um so I sat there in my office and I was just overwhelmed and and I'm like I I I don't know what to do and I don't know where to go and I rely on my team quite a bit most of the time U Paul mentioned in his talk you know like your your professional networks's not but I'm like I can't go to people with this I can't go out to my friends I can't go out to my C col it's like I don't know who to call I don't know what to do I'm far down this Rabbit Hole I've got threat actors identified I've got adults that are talking to a kid all of this stuff
and but I'm not thinking at this point and I sat there and I've got a sign up on my desk that says everybody you meet is fighting a battle you know nothing about be kind and I sat back and I realized that my enemy here my opposition was not my daughter as angry as I was as disappointed as terrified as I was as much fear that I had all of that energy that I was putting out potentially towards her that stack of papers that I had the notes the the the screenshots all of this to prove to her you've done wrong and I realized that if my headspace is here where the hell must hers
be what what is the reaction of of a kid in a Discord room where they're hitting you with rice Purity tests and all sorts of nastiness and terribleness and I realized that my approach to this and the training that I've had and the way that I approach these things professionally might be wrong because I'm reacting I'm not thinking and I'm not thinking about the people involved I'm thinking about the technology so I sat back and and and had a couple of minutes and still was really really scared on a lot of levels and one of the things that I kind of lean back on and we talk a lot about in team building and working is creating spaces uh that are
psychologically safe anybody familiar with the concept psychological safety so the idea is basically you create a space where you know you'll hear the phrase hey there no dumb questions so kind of back to the point of we try to create spaces where it's okay to not know the answer it's okay to say what's that act it's okay to say I don't know but I can find out it's okay to say hey I got a crazy idea can we dig into this sometimes it's a little slower and it's a little bit challenging but especially working with stronger efficient diverse teams it's almost necessary you know it's the first thing that you've got to do is build that
psychological safety and what I had done and what unintentionally had done and what I was driving towards here was not that what I was building was a high adversarial environment which was not great so thinking about safety and and unfortunately you know what especially dealing with kids we have to have conversations about safety and security that are new and challenging you know we started out very young with the the when you see a dog as much as you want to pet it what do you do ask permission you know it's like that's pretty basic we had to have conversation around safe and unsafe behavior in adults you know not an evolution of stranger danger but really
it's just like hey you know what some adults some adults are responsible some adults are not so we had to have conversations around hide run fight if you had told me when I was 16 years old that I'd be having a conversation with my kids about good cover in schools and how to identify adults that are reacting and collapsing so we have those conversations we have lots of those conversations and and unfortunately it's a much scarier world than I think it really should be or it needs to be we'll get to that but one of the things I realized in this process was not only am I pumping all this cortisol and and adrenaline to my head
but what happens when you do an investigation what happens when you drive down that rabbit hole why is it that we we get fed into that there's dopamine response that happens we're finding something unique and creative and new which drives us but that that questing it's why so many video games and are popular that way is that it drives us you know it's great we all get that rush so the same rush that I'm experiencing trying to investigate she's experiencing as she's drilling into all of those things so as she's exploring doing YouTube digging into these spots so she's getting that rush and that reinforcement albeit in some very negative ways but reinforcing sometimes
is the endgame and it doesn't matter where you get it from so drilling into those points and and um understanding that we're not using our higher brain function we're not really thinking at that point we're reacting especially when we talk about PTSD and Trauma I was stuck in that cycle and I think she was as well so having an understanding of hey this is how I have to approach this in the morning is to have a conversation and it's like Hey where's your head at you know not what did you do but hey are you okay so and opening that space which again professionally is not the way that we typically approach things so thinking about that that Rush
thinking about that engagement and then one of the things that I've been kind of on about for quite a while is social media is pretty much proven I think at this point to be harmful especially to adolescent women uh targeting adolescent women um in some pretty profound and horrible ways so we know that it's toxic we know that that this is but we continue to allow these things to exist and I mean they do and they're multi-billion dollar businesses so it makes a little bit of sense but living in the world that we do how do you protect your kid when this is where all the kids are you know how do you how do you
create a space where they're targeted not targeted by this and you look at the algorithms and this is this is work that we do so understanding that even if she intellectually understands that this is bad for you she's still going to do it because everybody else is doing it and it's not a peer pressure thing it is this is what it's designed to do it's designed to keep you engaged it's designed to get you to drive and drive at those things and targeted directly at that age group so we ended up sitting down and having a conversation and this is an ongoing conversation and I'll be honest uh this has been since this time last year or since
December of last year and there are good days and bad days uh there's still a pressure of hey I want to be on Snapchat because that's where my friends are and it's like no but understanding that no and just taking the device away or eliminating the device does not actually fit with that ethos and does not prepare her properly so we have to have those conversations and sometimes it's a lot of repetition and driving some of that awareness you know talking about how influencers work you know and the fact that you know hey they're talking about this great product that they love but they're getting compensated for it and it's just another form of advertising so
appealing to the intellect but also understanding that hey this is somebody that's navigating and trying to carve their space in the world so one of the things that we did is I sat down with her and I asked her I'm like what are you worried about you know what are the things that are in your mind and and this is directly from her and and I think she captured it pretty well um and again 14-year-old uh worry about life and future body and how I look intelligence worry about my grades mental health parents money death getting jumped worry about going to school worry about her sexuality worry about myself that's a lot if you ask most CISOs it's like hey what
are the the things that you're most concerned about in the next 18 months you're going to get a much shorter list and a much easier list to combat and I asked her what does security mean to you what does safety mean to you and she came back with this comfortable in your own space able to let yourself go in your space you know security professional I'm like you know what this this to me really kind of put me back on my heels cuz I'm I'm like I'm like do we build systems for this have I as a parent done this as I have as a professional done this where people are free to do the
stuff that they need to do and feel secure and safe so so kind of next steps it's an ongoing conversation like I said there are good days and bad days we've had a couple of stumbles in different points uh because this is recorded and publicly available I'm not going to tell you about some of the deeper and some of the follow-up stuff I ended up with lots of what the hell do I do with this you know I am not underresourced it's not like I don't know folks um I'm really interested to hear Mark's talk because I'd like to figure out like find out how he investigated and what he was able to do but there was a lot of this where I'm
like I'm talking to vendors that could care less that did nothing to to protect uh keeping a kid out of their systems um and I kind of took away and came away with a bunch of things one having the conversation having committing to that conversation and understanding it's not as simple as here's a phishing campaign or hey I told you that TikTok was bad don't use TikTok having that conversation back and forth again yeah it's a little bit harder but it's totally worth it um and ongoing and I think the only rational way to approach something that changes almost every day um I think our understanding and what we talk about as threats and I know this may be
challenging our understanding of threats is not just a is not just bad actors I think there are some things that we have created that are existential threats to our existence um I don't mean to trash anybody or come down on anybody that works for any of these orgs but I think as professionals that live and work in security and safety and understand threats and see the impact that that had on real human beings I think we maybe need to hold our employers and vendors that we work with developers of these things to higher standards you know all about making money but not off the backs of exploiting people and there's in my mind very little difference between some
of the exploitation that we see built in by algorithm and actual exploitation and trafficking so I think that as we do that we need to build into some of that technology understanding uh uh ways that we can develop empathy transparency and communication in that tech um I've been looking for technology that gives me the opportunity to do responsible monitoring without having to see all of the icky icky stuff don't get me wrong I don't shy away from icky I don't recommend that you do conversations that are uncomfortable I think are necessary uh especially as parents if you can't have those conversations the really complex stuff it's really hard to have a conversation so you've got to embrace it
and dive in but it'd be great if there was software if there was Tech that allowed us to do some of the things that we need to do without me having to dive into the really nasty stuff um I think we need to go beyond awareness I think we've been doing the same kind of security awareness training for years um I think most of us probably have to do it as part of our work how many people go through at 2X and click through it don't really pay attention to it it's not awareness training it's the same kind of thing I used to teach uh self-defense for people and it was always the hey I want to do a Saturday
seminar it's like great you're going to retain almost nothing I can teach you some techniques but really this has to be changing your life situational awareness takes a while to develop response takes a while to develop so that training that we need to develop where we say everybody security is everybody's job needs to evolve so so and I think we need to build community beyond our boundaries I think a lot of these conversations and I I love security conferences but taking those outside into other areas talking about this at our experience level I've been to a a uh uh education conference with teachers and the existential threat for them is vaping and it's like understand
that's a problem but there's so much more so it's great that we talk to each other but I think we need to do a better job of expanding that community and then I guess the last thing here next steps is I'm looking for help so I'd like to get some feedback I love feedback not only in the talk but on response on how to do some of this better I've got some ideas I might uh like Paul had mentioned it's like you know I have I have my toolbox of things so if the world comes down to my abilities scripting things have gone drastically wrong um so I can't go out and build the software but I have some
ideas on how to do some stuff but I'd love to hear other ideas and if you know of some things let me know but the other big piece is um this Shameless plug um I come back to the conversation piece and making it and normalizing it okay to ask for help part of what I realized my problem here was had it been in the middle of the afternoon and I had my people around me that would have been my first call if it hadn't been a really horrible day um that would have been my first call and I probably would have gotten to better Solutions faster and I probably would not have ended up down
that rabbit hole in in a really rough place that I've been digging myself back out of so not only um and feel free to hit the QR code shameless plugged their swag I got some stickers over here as well but asking for help here tremendously important so I've talked to mental health folks about this I've talked to educators about this school counselors tech folks Etc and that's made this burden a lot easier so one more thing just in the naming of things I'm just going to throw this in here because how we talk about things matters you know and I use this phrase in talking to my daughter about a zero trust environment and her reaction
anybody want to guess what her reaction have been hearing zero trust what was the what was the thing that she said you don't trust me and I'm like son of a we talk about it and I'm like what does this mean to the people the users that we are are are protecting supposedly it's like it makes sense to us but in communicating to them it's like oh we've got a zero trust initiative and it's like well wait a minute we're on opposite sides of that so I don't know maybe maybe we can name it something better because I think it's a horrible mindset to instill and that's it
questions yeah yeah just just in the naming so thank you questions thanks I I do have a couple of giveaways uh