I've seen you get hacked! (AI Real-Time Attack Simulation) - Nithen

[Music] hi guys um my name is Nathan Naidu um I'm from snowe for those of you who don't know who snow is uh Snow's uh sa bolt homegrown technology were deployed across six continents and we defend about 8 million devices if you don't know who I am um South African born and bread uh big protagonist for South African innovation um and I'm lucky enough to to have two South African Innovation Awards uh with a few others right so thank you thank you um okay so um you know my mom never always used to tell me you'll never learn anything from watching TV uh absolutely not true so I was watching Mr Robot and there's this episode where

Elliot is essentially in this alternate universe and he's the CEO of all safe right and he speaking to uh I think this guy's name is Terell but he's the dude with the really really hot wife who like you know and um hard to forget that actually but um what he says is basically I've seen you get hacked right he said I've seen the worst that can happen and know how stop it and gu's like what do you mean did I get hack and it's like no no no no no I ran some simulations so the first thing I go through my head is like how cool would that be but not like running a simulation like a desktop exercise right

imagine if we could run hundreds or thousands simulations every second right so as soon as vulnerability landscape changes or the threat landscape changes or your asset landscape changes immediately it runs a simulation almost like detection as simulation right here's the problem right now it's 3:00 in the morning it's about a a year ago um looking at this client data um and I'm thinking about this episode of Mr Robot and I'm looking at the client data and I see 78 vulnerabilities you know I look at the threat data and I see 78 sort of threats actively it's just information right I mean I love the platform we built it it's great lots of people love it and

and use it but it's not intelligence not quite right I mean you've got 78 vulnerabilities so what now what a lot of you are sitting with thousands of vulnerabilities right where do you go from there what's the very first thing you need are they all really high risk right so the kind of idea is on simulation is sure I could do a physical simulation like a pen test right problem is it's vulnerability Centric it's expensive things can go wrong things can go down and um uh but it's very high fidelity right the other thing is point in time I can do emulation you know going to lab blow up some malware see what happens great really expensive exercise time

consuming or I can do this desktop simulation right where I get somebody like from some R's team they come down they sit problem with the desktop simulation is a few things it's the lowest Fidelity of the three also risk is kind of in the eye of the beholder right so you get like the legal guy he's going to come and tell you a different story um you know you get a painti he's going to come tell you a different story you get me and Jason and and Jordan and will'll tell you look your biggest threat is actually criminal syndicates paying people internally to get into your database right so risk is in the eye of the beholder so here's the

research question that we come up with right is how do I essentially change this into a datadriven exercise how do I increase the Fidelity on that kind of modeling exercise and how do I run thousands of these modeling exercises per second in real time on real- time data internal to organization and outside right so the first thing is let's take the vulnerability information right the vulnerability information by itself it lacks context right vulnerability on what asset right agreed not all assets are created equal then that will give me the impact if I take the threat intelligence that comes with that well that gives me the likelihood right so what vulnerability data is missing is it's missing the other two

components right so is there a way that we can marry these components right so if you're going to automate anything well just like this is in my experience you got to be able to do it properly manually first right then once you've perfected it manually is then go ahead and automate so I'm a big fan of taking the manual process that you've been using for years like for example threat hunting and then trying to automate that right so design the threat procedure of like all the active threats let's say human operated ransomware groups um black bastter Locker Etc mapping their kill chains Etc looking at what vulnerabilities they're using then map those vulnerabilities to my

environment right and then start drawing successful attack parts right and um like any p tester where will I draw my successful attack path to active directory right which is not always in truth the mass the biggest risk in the business I'll come back to that and then prioritizing the risks on the most critical assets and then regenerating that process a thousand times maybe even more than a thousand times per second right makes sense everybody's following me so when you change this into a to a machined exercise right you're looking at a couple of modules number one is correlation right because you got to correlate the threat intelligence to the vulnerability data to the assets right but

now a lot of you guys would know the asset landscape changes so fast you know with internet of things your shoes is connecting to the network your watch is connecting to the network pretty hard for us to explicitly go and Define every asset right so you need a classification module something like beijan classification right which is looking at the data and automatically classifying oh this is your Erp oh this is potian this is an ATM this is scada this is a historian right and telling you and understanding the context of that asset and the criticality to your business then being able to go through news articles white papers research all of those things and saying hm this is a

threat actor they're attacking 40 gate um sslvpn maybe they're using compromise credentials maybe there's a a zero day vulnerability and then understanding that context because sometimes that's just enough context like compromise credentials you don't need a vulnerability to be sitting on the VPN right for it to come up on your vulnerability scan for that thing to be an issue right maybe you just don't have multiactor authentication so let's take a look at it so this was actually the diagram that came from the first time I ran the thing right but I ran it pretty simply I ran in map I took a port scan I ran it through the classifier and then you kind of get the idea right Port 53 ah DNA

server right oh this is sap okay it's an Erp oh and this is the criticality of these systems then it goes on to the internet goes on to you know collect some RSS feeds and it understands okay these are the issues ETC and then I threw it into a client environment as a matter of fact I threw it into the same client environment with those 78 vulnerabilities 78 active threats right which is kind of interesting and then I didn't quite understand the results right we're talking about explainable AI right so I started trying to reverse engineer what actually do these models produce when you go and you take a look at it essentially it's saying Hey listen

you've got a an asset that's exposed to the internet this thing is being exploited by a threat actor and you've got a application and behind that application you've got a database and this is your most critical asset I was like okay but I know this client right I know this environment why is this a critical asset turns out the database is an atime database application isn't an application that we would think it is it's ussd Gateway and the only thing it actually got wrong was the VPN part because it was a point to-point VPN it wasn't a actual sort of user VPN right but I didn't know any of those things if you know anything about atime right

there can be like 16 million R worth of atime sitting in an atime database this is was at the time was one of the largest mvnos in the country there was probably more than 60 million sitting there how did the application know that that's when we realized okay now we're on to something so I write really really bubblegum sort of code come up with really crazy ideas and then I've got a team of like 49 people actually the man who built the rest of it is sitting right there I've got a team of 49 people and their job is making my crazy ideas that I get at 3:00 a.m. come to life all right and uh so

these guys go out and they build this thing for me and actually what I want to do is I want to show you what it looks like today right keep in mind right guys this is this is research right we don't know what we don't know otherwise it wouldn't be research if we knew the answers to everything and it's pretty interesting how it looks right so this is ultimately asset cartography it's going to show you a map of the entire client's environment in real time this includes Shadow it things we don't know about about all of those kinds of things and now showing you the links of communications that happen between them right now keep in mind it's not

necessarily A vulnerability on a server right it can be a browser vulnerability so these inbound connections you can see that Green Dot is a firewall right um so firewall is talking the red dots those are vulnerable assets we we find them at about L3 and every L2 is some sort of path between it right and when you look there can you see those red lines those are Act truly the most critical attack parts and now you answer the question I've got 78 vulnerabilities I've got 78 active threats so what now what when I leave this conversation what is the first thing I need to fix and you know exactly what's the first thing you need to fix go back

to that presentation very

quickly and I show you the this asset one A1 V1 they on the left hand side that is actually the problem you fix that and it breaks the chain so if you're wondering oh well okay but I saw like six red lines no six red lines may be attributed to one problem you fix one problem you solve various other problems right so the your ability to prioritize your data um and understand risk that's highly likely and high impact now can be done pretty much through AI so this platform I want to leave a few minutes for questions I got three minutes this is actually going into beta into Snow's products now for our clients when does it go into beta is

it it's already live on two clients so it's pretty much in beta already yeah okay so it's it's already live on two clients and two people are using it um just word of caution I was speaking to the t space guys I didn't know this but apparently there's another company somewhere in the world that's doing this exactly similar sort of concept so um I'm not saying necessarily we're the first but it's pretty fun stuff okay so I'm sure some of you guys may have questions I just want to Feld questions I think we've got two minutes maybe I can take two questions

no

sure yeah yeah no um okay great question if you want to get your hands on the tech 100% contact node we put a sens in your environment e drops and everything collects the data and it just produces this result it's like installed we say in 4 hours but actually it's installed in a couple of minutes so easy to access Tech that goes was it agent based no it's not agent based I deliberately didn't want to make snowe agent based because I see a future where you know think about industrial iot smart Edge all of those kinds of things you can't put an antivirus you know on on an iot sensor like you can't put it on

watch or the shoes that we were talking about right so snow operates in the network space but it has the ability to to look at data even Cipher data I don't know if you guys know this but we've got a patent for being able to detect ATT tax in encrypted Communications meaning we don't do deep packet inspection you do not have to sacrifice your secrets for us to protect you um I'm not saying we're like the first to come up with it the first to come up with it is Cisco but you can't buy it from Cisco we're the only company that I know of that does that so no it operates on the network layer and it

doesn't need like SSL certificates also ssl's interception by the way I'm sorry I know this is not the point of the conversation it you can't decrypt all the outbound SSL right you can just couple of servers coming in it's not really the answer so you're missing with so much of our traffic I think Google's transparency report will tell you like 98% of the traffic is is encrypted really signature based detection threat detection it's not the answer guys and you're missing about 70% of the picture because you're either relying on SSL interception and you can't get the the private keys for like you you can't decrypt a lot of your encrypted traffic so I don't think SSL

interception is the answer either signature based detection those still there's a place for it SSL interception there's a place for it but it's definitely not the answer going forward okay I'm out of time any more questions I'll take one last question if there is one yeah gentleman in the

back even if it's encrypted you can detect it uh you said that's your uh that's no can detect payloads and um malicious uh packets through the global patent patent pending in the US but then at the same time you said that you don't have to sacrifice your privacy so can it see the payload through the encryption or how is that how do so then how do you not sacrifice your privacy uh it doesn't do signature based detection to understand the payload it looks at the metadata not the actual packet data right the metadata around the packet that's where it's snowed comes into play we look at the metadata around the packet not the data inside the packet

so do you okay thank you okay and um um and and I mean that's kind of the the beauty that's why snows across six continents also just our interest I know we we out of time if I I I don't mind if anybody wants to go out to the break they can't for 40 years are you the next speaker I'm done sorry guys I didn't know I thought it was a break thank you