
All right, it is 1:05, so I'm going to get started. First of all, I want to thank you all for coming, not only to hear me speak but in particular for supporting BSides. BSides is something that I'm very passionate about; for those of you who don't know, I run BSides Rochester, which has been around for 13 years, so I'm always excited to be able to present at a BSides. I don't usually present at my BSides, but I like to support the other ones. So we're going to be talking about defense. I'm sure you're shocked; if you don't want to talk about defense, maybe you shouldn't be here.

This is our overall agenda. I'll tell you a little bit about me, for those of you who don't believe me. We'll talk about some background and history and why it is I'm giving this talk, because this wasn't just "hey, I did a thing" and out of the blue came this idea; it was something that sort of coalesced over time, in talking to people and in my journey into this field. That will lead to discussions about defender assumptions, of which there are many, but you'll start to see some themes, and from there we'll transition to immersion in offensive security, and you'll see why we wind up going in that direction. Then we'll do a summary, and then there should be some time for Q&A. Speaking of Q&A, what I will tell you is you're welcome to ask questions. I'm one of these people that inevitably thinks of something, holds it in my brain, and then the minute they say "anybody have questions?" I forget. So don't feel like you've got to wait to the end; just jump in and ask questions as we go.

All right, so this is a little bit about me. Up in this corner here I have Flash. Flash is my adopted sloth at the Buffalo Zoo. He is my buddy; I haven't seen him in a while, but I love sloths. You will see that as a theme later. I do a lot of things in
a lot of places. I've been at the University at Buffalo for a very long time. Like I said, I'm on staff with a bunch of conferences, I volunteer with yet additional conferences, I've spoken at a few things, and as I mentioned, I love sloths.

All right, so how did I get here? I get asked this a lot by students: how did you get to where you are? First of all, getting to where I am in terms of my day job is very different from how I got here. So when I say "how did I get here," I'm talking about how I got to this point, not how I got to the job that I do day to day, because that's a very different story.

Basically, I had started in the security office at the University at Buffalo in 2009 full-time, and I was doing forensics work, which I very much enjoy. I built their forensics-for-compliance program, and I was doing what I would consider sort of traditional security stuff. The university has three campuses and a lot of people; at the time there were three of us, so we're talking 35 to 40,000 students, 10,000 faculty and staff, three campuses, and three people to do security. We can't possibly truly secure all the things; that's not possible. So what we really do is act more as consultants. We talk to folks: here are recommendations, here are your guidance documents; if you have a question, they call and say "we're seeing this, what do we do?" I can tell you about the very first phone call I got about ransomware. This was the early days, so ransomware wasn't "oh my goodness, they're attacking our entire domain"; it was "this machine got hit with ransomware." So this is really early days; this is the sort of conversation I would have. I managed abuse@buffalo.edu, so if somebody were to send us something, I was dealing with that.

So I'd come out of this admin role: I had done desktop support, I had done server support, and I knew the security stuff sort of associated with that. Because of the non-traditional way I came into the business, I was always interested in probably being more secure than your average sysadmin. That isn't to say we don't have some phenomenal sysadmins, but it is true, I have found, that for most sysadmins that's not their first focus. Their first focus is operations, which I completely understand, but it is problematic, and we'll see why. So I got involved with a class called NetDef, which is really more of an independent study that UB started to offer, and it became a thing because one
of our former students really wanted to participate in something called CCDC. Who's heard of CCDC? Anybody? A couple of people, yeah. So for those of you who have never heard of it, CCDC is the Collegiate Cyber Defense Competition, which occurs regionally and nationally throughout the year. Essentially you get a group of students to compete, and they act as defenders, and then there are other folks who act as attackers. Their job is that they're consultants: they come in to help manage a network, to keep it running and to secure it, and while they're doing that they get what are called injects, which are tasks. So they have to do all of these things that a sysadmin would have to do, and that a potential security team would have to do, and worry about being attacked at the same time, and so they get these little surprises along the way.

So Chris, the student who'd heard about this, thought it was this fabulous idea and really, really wanted to bring a team. NetDef was born of this, and we had all of these neat contributors who decided to join us to teach students how to defend systems. Some of the people that we got involved were in offensive security. Now, at this point I'd never heard of offensive security; I knew about defending and I knew about security, that's what I knew, and that's fine. So I started hearing these words, offensive security, and I'm like, cool, I want to know more about it. One of the guys who was involved in that, his name was Justin, and he now works for Dave Kennedy at TrustedSec, if you've heard of TrustedSec. I said to him, I want to learn about this (I think at the time he was a pen tester), where do I go to learn about this? And he said, you should go to BSides. And I said, what the heck is BSides? Never heard of it, right? So I Google BSides,
I find BSides Rochester, I show up at my first BSides, and I had absolutely no idea what I was walking into. Now, the first BSides Rochester that I attended was at the German House, which is this very weird space. The weirdest BSides? That was our first one, yeah. It was meatspace, I mean, but it was weird. I don't know what the building was originally, but it had a stage; it was an auditorium, was it? Yeah, so it had a stage, and there were talks, there was space where you could sit and chit-chat with people, and there were things on the tables you could play with, and then there were talks upstairs and downstairs. It was a really easy, really weird... yeah, that's the one. I just remember the talks in the basement with those big columns around, trying to see the screen. But it was a unique environment, and even though I didn't know anybody personally (I literally went there knowing nobody) I felt very comfortable and very welcome.

Some folks started working on some of the CTFs, and I'm sitting at the table with some folks who were doing this, and I said, what are you doing? And they said, oh, you know, we're playing the CTF. And I was like, what's a CTF? I mean, I literally am not into this. And they were really excited to show me, and I thought, wow, this is amazing, a place where I know nobody. Now, granted, if you hadn't guessed, I'm an extrovert; I had no problems talking to people. But we've all been to conferences where you sit down and say hello to the person next to you and they sort of grunt at you, and that's the entire conversation. These folks were very willing to share what they knew, and that was exciting, and I was so tickled by that that I decided I wanted to come back, that I wanted to volunteer. And of course, as you know now, fast forward a bunch of years: I volunteered and then ultimately I wound up on staff. So that's kind of the beginnings of how I got to this point. The more I learned about offensive security, from attending first BSides, then my first DEF CON (that was insane), and then several other hacker conferences, it was very eye-opening.

So I know this movie's really old, but who's seen The Matrix? Okay, at least most of it, yeah. I used to teach some philosophy classes, and I would use The Matrix in them, and at one point I had students
who had no idea what I was talking about. They'd never seen The Matrix, and I thought, good Lord, I'm old. [Laughter] But if you remember, in The Matrix you've got the blue pill and the red pill and these different sides, and what I realized was that there are two sides to security. There's what we typically know as defenders: patch the things and scan the things. But there's a whole other side of this, and I realized that I really hadn't known about any of this until I started going to these cons. So the fact that you're all here, thumbs up, because you're learning about that stuff, and really, to be a better defender, as you'll see, this is really what it takes.

So before I get too deeply into this, I want to tell you what I mean when I say "defensive security professional" and "offensive." I'll give you just a second to read this, because I don't need to read it to you; you're all very capable of doing that. It's more or less what you would expect, but I just want to make sure we're all on the same page.

We good? This is what I mean by offensive security professionals, and I'm purposely not using terms like red team or pen test, because there's a lot of conflict about what those words mean in the real world. I see giggles, so I know you all know what I'm talking about. That's why I sort of put it in these two buckets at a very high level, because that's all that really matters for what I'm going to talk about.
Are we good with that one? So what I want to do is talk about point of view. When I say there are sort of two sides to this, what I'm trying to get across is that from a traditional defender's point of view, we're going to build a web server, right? We're going to install the operating system, we're going to do all the best practices (so if there's a best practice that's not listed here, just assume it's there): we patch the thing, we configure it correctly, we add the firewall, we do vuln scanning, we document everything. When we are done with all of these tasks, until there's a new patch or something that comes out, we go, "we're done." That's what we do, and there's no reason, in general, most people ever think beyond that.

However, this is what an offensive security person sees for the same thing. They go, huh, what can I do with that open port? Because I've done best practices, right? I've locked everything down except the ports that absolutely need to be open, but I have an open port because otherwise the product isn't functional. But your offensive security professional looks at it and goes... they look for things like input fields: are they sanitized? Now, as a defender, if we're not doing app security we don't think anything about that, but it matters, because this is what your attacker is looking for, which is of course why offensive security folks are doing that too. So these are just some other things: hidden fields, anything that's interesting, can we traverse the directory, and in my opinion the most important question: what is its relationship to other systems? Now, how many of you think about this question when you stand up a new system? A couple of you, and that's awesome, but it also tells me most of you don't think about that, and that's okay; that's why I'm teaching you about this, because offensive security professionals look at relationships.

So I really love this quote. John Lambert coined this statement; other people have said similar things, but he personally gave me permission to
use it, so I use it all the time. It's the idea that defenders are thinking in lists: we get things done, we check a box, and we're good. But we need to think beyond that; that's half the story. The other half of the story: attackers think in graphs. And what he means by this (I've had a couple of discussions with people like "oh, it's not really graphs," okay, so the representation maybe isn't correct) the important part is that it's a relationship between whatever they can get access to and whatever else can be there. So at the end of the day I think this is a really accurate statement.

So this is what we're talking about with relationships. This is a screenshot from BloodHound. Andy Robbins, whose handle is _wald0 on Twitter (and I think he's on some of the other social media sites too now), provided this graphical image from a product called BloodHound. BloodHound is amazing; if you're not familiar with it, it can show you paths from one entity to another, and what offensive security folks often do with this is they go, huh, if I have access here, how can I get to Domain Admin? I can tell you right now, there is probably nothing in your network that stops an attacker from getting on a box where the user has no rights and getting this picture. You need very, very few permissions
to be able to see this; if you have more permissions, you can see it in even more detail, right? But this is the kind of thing we're talking about, these relationships.

All right, so where do defender assumptions come in? Well, we're going to segue into some additional assumptions that are part of the same idea. How many times have you been told: the cyber kill chain, just break the chain, if we break the chain we're good? Anybody heard that? Yeah, I'm seeing head nods, so you've heard that, right? What if I told you that somebody in offensive security, and likewise an attacker, finds that amusing? Because they're like, oh, you broke the chain here? Okay, well, what about if I come in over here? Because, see, I know there's a relationship over here instead of over here. So this is great in theory, but if you break the chain and then stop and don't go, "all right, if they got in over here, how else could they have gotten in, or how could they get in?", you've made a huge assumption, and not a good one.

What about this one: we're running EDR, we're running antivirus, we're good. Another really common assumption. Now, to our credit as defenders, I don't think there's anybody who really thinks "if we're running these products, we're okay," but what I do think, and have had experience with, are people who think "my EDR caught Mimikatz, therefore Mimikatz didn't run, and we're good." That's not wrong, but guess what: there are lots of other ways to get passwords that don't involve Mimikatz. Is there anybody who doesn't know what Mimikatz is? Okay, so for anybody who doesn't know: Mimikatz is this awesome tool that lets you capture passwords, and it can pull them out of something called LSASS in memory. So it's really useful as an attacker: you get on someone's box that doesn't have any permissions and you capture, say, the admin stuff that's flying back and forth in the ether, right? Mimikatz is a tool that most EDR and AV products will catch, but attackers will sometimes try Mimikatz, and then when it doesn't work they'll try something else, because there are lots of other ways. So if you make the assumption that your EDR and your AV caught whatever this badness is, and you stop, that's a bad assumption; there are lots of ways to get around it.

So tell me, who in here is in offensive security? Because I know there are a couple in here. Yeah. So for those of you who are in offensive security, do you agree with this, that you just kind of get around it? You find ways to either stop it, because if you stop it, now you're good and don't have to worry about it, or you just bypass it. Because as many EDR and AV companies as there are, somebody has been able to sit down with each one of those and figure it out, whether or not they're legit entities. Every time a new one spins up or any change happens, somebody figures out how to get around it, and it's all readily available; all that information is out there. This was a huge surprise to me as somebody in defense. Sure, I knew there were things you could do, but companies that do that for a living? I didn't know that. But there are organizations; that's what they do for a living, figuring out these bypasses, because then they can sell them, and then attackers go, oh, it's 10 bucks, cool, now I know how to get around it.
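To make the lists-versus-graphs point and the "break the chain" point above concrete, here is an added example (my own illustration, not code from the talk or from BloodHound): a constructed BloodHound-style edge list for a fictional domain, the checklist-style view of a single host, and a breadth-first path search from a low-privilege user to Domain Admins. Removing one edge and re-running the search shows why breaking one link only helps if no other route remains.

```python
"""Defenders think in lists, attackers think in graphs.

Added illustration (not from the talk or from BloodHound itself): a
constructed, BloodHound-style edge list for a tiny fictional domain plus
a path search. "Breaking the chain" by removing one edge and re-running
the search shows whether another route to Domain Admins still exists.
"""
from collections import deque

# Constructed sample edges (source, relationship, target). All names are
# fictional; the relationship labels mirror BloodHound's edge types.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "SERVER-OPS@corp.local"),
    ("SERVER-OPS@corp.local", "AdminTo", "SRV01.corp.local"),
    ("SRV01.corp.local", "HasSession", "da-admin@corp.local"),
    ("da-admin@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    # A second, shorter route that the "list" view of WS01 never reveals.
    ("HELPDESK@corp.local", "GenericAll", "svc-backup@corp.local"),
    ("svc-backup@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
]

START = "alice@corp.local"
GOAL = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def list_view(edges, node):
    """The defender's checklist: only what is directly attached to one node."""
    return [(rel, dst) for src, rel, dst in edges if src == node]


def shortest_path(graph, start, goal):
    """Breadth-first search; returns hops as (src, rel, dst) or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def all_paths(graph, start, goal):
    """Every simple path from start to goal (depth-first enumeration)."""
    found = []

    def walk(node, visited, path):
        if node == goal:
            found.append(list(path))
            return
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append((node, rel, nxt))
                walk(nxt, visited, path)
                path.pop()
                visited.remove(nxt)

    walk(start, {start}, [])
    return found


def break_edge(edges, src, rel, dst):
    """'Break the chain': drop one relationship and keep the rest."""
    return [e for e in edges if e != (src, rel, dst)]


def routes_after_breaking(edges, removed):
    """Count remaining START->GOAL routes once the given edges are removed."""
    for src, rel, dst in removed:
        edges = break_edge(edges, src, rel, dst)
    return len(all_paths(build_graph(edges), START, GOAL))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("list view of WS01:", list_view(EDGES, "WS01.corp.local"))
    for hop in shortest_path(graph, START, GOAL):
        print("  %s -[%s]-> %s" % hop)
    print("routes to DA:", len(all_paths(graph, START, GOAL)))
    cut = [("HELPDESK@corp.local", "GenericAll", "svc-backup@corp.local")]
    print("routes after cutting GenericAll:", routes_after_breaking(EDGES, cut))
```

Cutting the GenericAll edge leaves the seven-hop route through WS01 and SRV01 intact; only cutting both edges out of HELPDESK leaves no path, which is the check a defender should run after every "we broke the chain."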
Anybody not familiar with LOLBins? Okay, so LOLBins are living-off-the-land binaries. Great examples of that are basically any application or DLL on a system that can be used for things other than what it was intended for; it is called a LOLBin, a living-off-the-land binary, because it is part of the operating system. Attackers know it's there, they know how to use it for badness, and check it out: now they're not installing a new tool, so what's the chance that your EDR or whatever is going to find it? They're not, right? So these are just some examples that can happen. C2, if you're not familiar: C2 callbacks are typically hidden. They're command and control, that's what C2 stands for, and they're typically hidden from AV because they're using ports that you wouldn't expect or that other things use, and it's all basically built to look like traditional traffic that you would expect. And there are lots of ways to use Active Directory that have zero to do with any AV you're running. The way Active Directory is, by its nature, set up, there are all kinds of things you can do to attack it if nobody's bothered to actually secure it, because it isn't secure by default.

Okay, so let's just say we had lots of phenomenal EDR, AV, whatever, pick your tool of the day, and we say,
cool, we can detect these particular tactics, right? So who has seen the chart that's on the right? Well, probably your left, but my right. So this is the ATT&CK matrix, and what this is supposed to show is a categorization of different kinds of ways in. It's hard to see, but it says initial access, execution, persistence: these are the stages of an attack, and what these things are supposed to stand for are the different ways you can do those things. The green, in theory, is meant to say we have something that will detect that technique, and the red presumably is that we haven't found any, we don't have a detection in place for that, and the others, maybe we're working on it.

The problem is these heat maps, which is what this is called: companies will build their infrastructure around these heat maps. "Look, we can detect this, we're good." Except that attackers use not just different techniques but what are called different procedures. The difference between a technique and a procedure: a technique is a way in which you can execute whatever it is you're trying to do, right? So, steal passwords: I'm going to steal passwords through LSASS memory. But check it out, there are a billion ways to do that, even knowing you're using LSASS memory. Mimikatz is one; there are tons of others. Those are procedures: how the threat actor actually does those things, that's a procedure. And even if you have something that can detect a tactic, which is what most of this refers to, you don't necessarily have every procedure that the threat actor is doing. So what does green really mean here? It doesn't mean anything. Well, it means you have something in place, but it doesn't really tell the story; it's missing half the story, right?

So this is what's called a TTP pyramid, and this is what breaks down tactics, techniques, and procedures. Christopher Peacock is the gentleman who built this; he works for a company called SCYTHE, and he gave me permission to use this, and he's awesome. I got to meet him this year. So it's really important to understand that it's not just about what way they're going to try to do something generally, but how specifically, procedurally, it's being done.

Okay, so let's assume our tools work as designed. Can we even do that? Who has had any fun with the Microsoft cloud products? Somebody tell me, from a defender perspective: they change the freaking back end of that thing every time you turn around, so when you assume it works as designed, well, who's designing it this week, right? It's crazy. So, one of the researchers, I think this is a
fabulous example. There's a researcher named Will Dormann, who started doing some research because Microsoft claims that if you use certain settings, you can automatically block dangerous drivers, so drivers that they've determined have flaws in them and that folks shouldn't be using. The way that they are supposed to block them is there's supposed to be a blocklist, and what Will discovered was, check it out: initially he discovered the blocklist wasn't enabled at all, despite the fact that Microsoft was like, "look, we have a blocklist"; well, it didn't exist. Now, because of his research, they've implemented a blocklist, but it's not updated very often, so if you have a driver that is bad, you don't know when that bad driver is going to wind up on the blocklist. There are some manual ways you can update it, but it's problematic. So in theory, HVCI, having that enabled, was supposed to solve this problem, but it didn't, and then we had another feature called attack surface reduction, and it wasn't able to block things either. So he did a bunch of research. So if you assume that your tools work as designed and you don't test them, or you don't keep up on the research about them, again you're making a huge assumption, because let me tell you, both attackers and offensive security folks, they know what doesn't work as designed, because that's what they're taking advantage of; that's exactly the point.

So this was some research by Olaf Hartong. He determined that Defender for Endpoint, even though it is supposed to detect certain things, it turns out that the telemetry that would need to be captured to determine whether or not a bad thing was detected wasn't turned on in certain cases. So here's yet another situation where you're assuming that these entries are going to be caught, but hello, by default it's not set up to actually catch those things. You have to turn logging on on workstations for certain events that aren't there by default, and if you as a defender don't know that, well, then you're never going to turn them on and all bets are off. Is it well documented? No, it's horribly not well documented, but Olaf's work... he's done a lot of work in this area, and the link that I have here is a video where he walks through and shows how he discovered this and what he discovered, and he continues to do research. So if it's something you're interested in, you can follow his work.

All right: we have MFA, we're good, we are not phishable. And I laugh when I hear this; I'm hearing some of you
laugh to hear this. There are organizations out there that think because they have MFA they're good, and guess what, not so much, because there are ways around everything, including MFA. Certainly fatigue, right? Push, push, push, push, push. If I'm an attacker and I want to get in, I just keep pushing, and eventually they're going to go, "oh, I'm so tired of this, click, okay," right? Or users go, "I can't remember, did I do that? Okay, great." And we see that. Legacy protocols don't care about MFA, typically, and a lot of people don't realize that, so even if you think you've locked everything down and you have MFA turned on, if you've left legacy protocols enabled, all that's for nothing.

Unexpired passcodes is another one I find a lot of people don't know about. With most MFA types, one option is to print out a bunch of passcodes, so if you screw up and you lose your information or whatever, you have a way to get back in. The problem is they don't expire unless you generate a new set. So that's a problem, because they're good forever, and if they're good forever and I'm an attacker and I get hold of them because you've saved them in a document in your Documents folder, or you've left them on your desk, or you've done something with them, such as the last passcode you put in your wallet and you lose your wallet, I mean there are a million options, but the point is that passcodes don't expire by default. There are some settings in some products where you can change that, but the default is not to.

And then there are also straight-up attacks. I don't like "man in the middle"; I think that is now antiquated, so this is "attacker in the middle," for those of you who are not familiar. There are attacks you can do, pass the cookie, there are a lot of social engineering attacks you can do to get around it. Okay, so if you Google Dave Kennedy and then "bypass MFA," he's got actually a couple of great things that he's done around this subject. But there are lots of attacks that can do this, so again, we can't just rely on it.

I told you I'd bring back this sloth. Because we as defenders wind up seeing all of this stuff in a very traditional defense light, which is that sloth story, ultimately my argument is you need to understand the other half of the story, which means turning ideas on their heads and looking at the world in a different way. Enter offensive security. Now, I'm not saying you all need to become offensive security professionals. I'm not an
offensive security professional, nor will I ever be an offensive security professional; it's not something that I choose to pursue. But if you start to understand the way they think and the way they act, at the end of the day you're learning the other half of that story. So for anyone who's not familiar, this is essentially what the path looks like for them. For those of you who are in offensive security, would you agree that this is more or less what you do when you go after an org, a person, or whatever you're attacking? Yeah. I mean, it's very general, but these are the questions they're asking. They're saying, all right, who are we going to attack, and the reasons vary; how are we going to get in; and then once we're in, how do we stay in without being noticed; and then expansion, right? This is that relationship thing I was talking about. Depending on the type of engagement offensive security, or an attacker, is doing, there's an end game. The end game with attackers most of the time is money-driven, so what is it they're trying to get at that's going to get that money? Is it just a set of creds? Is it company secrets? Is it IP? Yes, absolutely, it could be any one of those things. But this is the key, expansion, because once they get in, they're like, this is what I want, how do I get there? And this is where those relationships become just incredibly important.

So if you're just looking at your perimeter, or you're just looking at certain systems, and you think "I've done all the things, I'm good," now you have to take that step back and say, all right, if I'm an attacker and I'm going through these steps and I get in (because they're going to get in), the question is, depending on where they land, what steps do they then have to take to get to wherever that crown jewel or important piece of information is? That's what you have to think about. That's the other half of the story, which
you don't know if all you've ever been taught is patch the thing and scan the thing and whatever, right? So, the way you start to learn to think about that: I like this idea of immersion into the offensive security mindset, which is really a hacker mindset, and because many of you are here, you're learning a lot of this now. You need to find offsec professionals to hang out with. Well, lucky you, because there are some right in this room, so that's awesome. Obviously you can find them at BSides, you've done that, but there are other security conferences, there are other places you can go. 2600, which Matt mentioned, has a chapter in Rochester; a bunch of folks hang out there. Obviously other local security meetups, the 716 meetup that Matt has here, there are DEF CON groups, online community; I mean, there are a zillion ways to meet other offensive security folks, and the more folks you start to get to know and the more conversations you have, the better.

And then if you want training, there are lots of choices there too. Different conferences have training classes, and you don't have to be like, "well, I'm going to become an offensive security professional, so I'm going to take this training." You can be, "I'm a defender and I want to understand more about what they do, which makes me better at what I do," and start thinking that way. Go to conference trainings. There are security companies; I love mentioning Antisyphon. The folks who are doing our CTF make a bunch of the stuff for Antisyphon, so there's fabulous training there. Black Hills has training; if you're not familiar with Black Hills, they're amazing; they have a bunch of pay-what-you-can classes, so literally if you can't afford it, it's free. There are other companies: TrustedSec, Offensive Security is a company, and of course SANS is like the crème de la crème, like 10 billion dollars for training, but I mention it because it is an option, and there are some ways to get SANS training that are a little more tolerable. They have a work-study program that makes classes, I think, like twenty-five hundred dollars instead of like 10 grand, so that's something. There's online stuff, if you're not familiar: Hack The Box, TryHackMe, there are CTFs, YouTube, and even higher education; we've got classes, a variety of schools have these things. So there are lots of options for training.

One of the other things that offensive security folks tend to know about is they know about tradecraft. Tradecraft, what I mean by that here, is literally the craft of doing offensive security: how they do it, what kinds of techniques and procedures they're doing.
Well, if you read about attackers and you read how they did stuff, which is what these first two will teach you (they are researchers who research this stuff), you can learn how those folks did those attacks, which is really cool. There's also Discord, Slack, Twitter, Mastodon, any one of a number of other social media places that you can go, and the more folks you get to know, again, you begin to find out about tradecraft intel and how folks really do things. There's also organizational intel, and there was a fabulous talk this morning that touched a little bit on this subject, because the more you can find out about your own organization and what attackers could use against you, the better off you are. So make no mistake: any time you put up a LinkedIn profile and you put in stuff about the tools you're using, you just broadcast to the universe, "hey, we use these tools in our organization," and now any attacker, and anybody who wants to come after you, whether it's legitimate because they're offsec folk being hired to do it, or bad folk who are after you, can see that information too. So be aware of that. If you look at my LinkedIn profile, you will see stuff from many years ago, because no one cares that I ran an NT 4.0 network 20 years ago, because it's gone; so you can come after it, but you won't find it.
If attackers can get in and you have an internal wiki, it's another great spot to find stuff. Have I Been Pwned can be used by attackers as well as defenders. So you know, be aware that there are these different kinds of intelligence: there's organizational intel and then there's tradecraft as well, and both of those things are important to understand. I am not going to spend a lot of time on this; this is a humongous list. I encourage you to take a picture if you've never heard of some of these things. These are very common tools attackers use and offensive security folks also use. You'll see a couple that we've already touched on, so Bloodhound we
talked about; SharpHound is the thing that does the data collection; AzureHound is the same thing for the Azure environment instead of the traditional AD environment. But all of these tools can be used for good or for ill; it's just that most defenders don't know they exist, because they're only focused on defense and not exactly what they're defending against, again missing that other half of the story. Everybody get the pictures they want? So at the end of the day, realize the most important thing that you get out of this is to understand that what we learn as defenders, in terms of being sysadmins and doing general security, is only half a story. You really, really, really need to
understand the other half, which again does not mean you have to become an offensive security professional. It means you need to spend time with them, you need to start understanding how they think about things, and the more you are around that and the more you spend time in that space, the more you will start thinking in the same way, and the better defender you will be. Be aware of assumptions. Folks make assumptions about controls in particular all the time: Microsoft says if I check this box then no one can do fill-in-the-blank. Let me tell you, there's almost always a way around that, almost always. You know, and so it's great to put controls in place, but if you stop there
and you don't think about "well, what if this control fails?", again you're missing the other half of the story. So jump into that other half, get to know some more offsec folks, there's a bunch here, and learn what they know, both about their tradecraft and their tools, because again it will make you a better defender. If you like what I had to say here, I have to shill my book. So this is called The Active Defender. It will be out July 25th; it is currently in pre-sale. Wiley's my publisher. I'm very excited about this. For those of you who are familiar with some of the larger names in this space, Jake Williams was my
technical editor, and I'm honored to have had him on board for this. I also talked to a ton of other people that are fairly well known in this space, and this idea was born because I realized, hey, there's this other half of the story, right, and more people need to know about it. So this goes into sort of all this stuff in much more detail, so if you found this interesting you'll like it. So once you get it, I will be, I am at lots of conferences. If you come to Vegas for summer camp I'll be there. I'll be at the info booth at BSides Las Vegas and at the Packet Hacking Village at DEF CON.
I come to infosec in-person meetups when I can. You know, if you want to arrange something, I'm on the infosec 716 Discord. I'm very happy to sign copies; it's just that, like during summer camp, you have to come to me because I won't have time to come find you. But yes, I'm more than happy to do that. Was there another question? Yes. Maybe an obvious question: is it a pre-order on Amazon? Amazon, Barnes & Noble, Wiley's website, yep, all three. On Craigslist? So, probably not quite yet. So make sure that your signature and your autograph are two different images. Oh yeah. So I like to end with this quote from
Douglas Adams, because as I mentioned, the story of how I got into IT is a very different story from how I wound up in security, but needless to say, in both cases I did not intend to wind up here. This is not where I was going to wind up, but it is clearly where I needed to be. So I'm very glad to have you all here, and with that I'll take any questions you have. Thank you. [Applause] So as a pro-services engineer, I find one of the biggest assumptions is that people think if they have good technical security that they're going to meet regulatory compliance, and that is a huge assumption that is often very wrong, and vice versa, right? If you have
compliance it doesn't mean you're secure; if you're secure it doesn't mean you made compliance. Exactly. So yeah, you've got to map those technical controls to the components. Then, yeah, absolutely. Yes. What do you think of purple teaming, and is that similar to, like, what I mean, it might be a stupid question, but is that similar to what you were talking about today? So purple teaming is awesome. I talk about it more in the book. Purple teaming is this idea that somebody who works in offensive security and people who work in defensive security ultimately work together. So offensive security will attack something, defense will look to
see, you know, what the visibility was: can they see what the attackers did, and if they can't, why not, and what has to be built to see that attack; and then if they got in, what can they do to have prevented it. So it is an ongoing conversation that happens during that engagement, and there are people who will define this differently, but in my opinion, for a true purple team that's what has to happen. It's not "well, we did stuff and then we did stuff"; it's literally almost a side-by-side engagement, working together in concert, and I think it's super awesome. It is definitely one of the best ways to get a big picture of what's going on.
Many companies aren't there yet. Like, that tends to be something that's a little more advanced, which doesn't mean you can't do it earlier; it just means it depends on the company. Do you find that, I mean, I don't know how many different companies you see, but it seems to me that just about every company has a blue team, yep, and maybe a fifth of them, I'm just kind of guessing, also have red, right? Yeah, so very few companies have their own offensive security teams. Some larger companies do, yeah, but yeah, it's far less common. But it's also not the same if you just hire a pen test once a year. Well, and this is where we get into the
distinction between a pen tester and a red team, and that's a whole rabbit hole. The very short version of that is, if you're hiring a third-party consultant, think about what you want to get out of that consulting gig; don't worry about what it's called. Again, I have a whole section in the book that talks about that subject, because I find that people get really wrapped up in the words, and the words aren't important. What is important is "I want to know this," so scope for the engagement. Yes, absolutely. I work for the feds; I was in federal information security management, and it was denigrated as a paperwork exercise, which in some cases is kind of true.
However, paperwork is the air that they live and breathe in Washington, DC, and before they enforced FISMA they were totally unprotected and nobody wanted to do anything. So it's kind of easy to dump on defensive security, but the point you're making, I think, is that that's only halfway there. Yeah, only halfway there. But we had to get there before it started to make it. Yeah, yeah. So for those of you who couldn't hear the comments, basically the gist of it is a lot of defense was born from kind of a need for even the basic patching and the things we're doing, and in a FISMA situation we weren't even
necessarily doing those things until those compliance requirements came around, and that's very true. But I think we're now at a point where there's enough regulatory stuff out there, people know, generally speaking, at this point, the patching, the things they're supposed to be doing at that very basic level, but they're not really thinking about what they're defending against; they're just defending, and that's that other half of the story. So yes. As a red teamer, I love that you mentioned Bloodhound. I'm not surprised but saddened by how many blue teamers and IT folks, sysadmins and such, don't know about it, because we often find some really, really weird stuff from there. You
were testing something out 10 years ago and you gave domain users write privileges to domain controllers through pods, you forgot about it, it has been 10 years. Yeah. So I'm glad you mentioned that, and it's one of the good knowledge that, yeah. Well, thank you very much. Yeah, Bloodhound is a great tool; it can show you a lot of things. You know, I mentioned the tool set that I have up here; be aware that you need to ask for permission before you use the tools, and ask permission before you visit places like Shodan, because some places filter on that. Yeah. The point is, if you know these tools are
out there and you understand what they do, then when somebody says to you, "well, when you come back to work, can this bad thing happen?" and you're like, "oh no, we're protected from this," but then you understand how these kids get around those protections. I was going to say, if you're going to do a Shodan survey, do it at home and take the results. Yeah. So I mean, that's really why I show those tools, because a lot of people don't know they exist; they don't know what they're capable of doing. I do spend a bunch of time talking about some of those tools in the book and saying, like, here's what they can do, and as a
defender, here's essentially what you'll have to do to deal with them. But if you're not even aware of them and they're running in your org... The one, sorry, I was going to say the one thing I would add to that, to the tools, is make a map of your network. Most people don't have a basic map of their network to show how the devices are connected. Make that as a starting point; that will give you the starting-point map that you need to start looking at relationships between things, because there's the data path of the stuff, and then there's how the different devices have their permissions to talk to each other and
share permissions and a whole bunch of other things. But the basic map of your network layout is the thing that'll get you started in looking at what talks to what and where the data flows. And if you don't think you can do that because you're like, "oh my God, that sounds overwhelming," anytime an offensive security team comes in and starts looking, it's one of the first things they do. Yeah, it doesn't take as long as you think it does; it's free tools and it's really fast. Good question. Yes. Similar to the question about purple teaming, and also, there's a talk on this later, but where do you think, so threat hunting is something that
I would call the active defender, which takes a whole lot more time than I have to describe, but I think hunting is important, really, really important, and I think it can happen much earlier than a lot of people realize, because all you really need is, you know, some kind of log and some threat to look for. So what I find is that people think, "oh, you have to have this really mature environment to start threat hunting." No. You have to have a hypothesis about something bad that can happen, and you have to know what logs and what you do have access to, and given what you have access to, what indicators might be in those logs,
and go look for it. It doesn't need to be complicated. So it's definitely something that defenders should be doing, but the way to do that well is to understand what attackers are doing, and threat hunting is really very difficult to do if you don't understand that side. And if anybody else has questions, I'll be outside, but there is somebody else coming in here, and so again, thank you so very much for coming. Okay.
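The threat-hunting recipe in that last answer (a hypothesis, a log you actually have, the indicators that hypothesis would leave in that log, then go look) is small enough to show in code. The following is an added example written for this page, not code from the talk or from the book; the log format, host names, accounts and timestamps are all constructed, and the threshold values are assumptions a hunter would tune to their own environment. The hypothesis is the kind that the collection tools listed earlier make worth checking: one host opening SMB connections to many different hosts in a short window, which is not how a normal workstation behaves.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed sample log lines (hypothetical format, not from any real system).
# One line per SMB connection: timestamp, source host, destination host, account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=WS01 dst=FS01 user=alice
2024-05-01T10:00:03Z src=WS01 dst=FS01 user=alice
2024-05-01T10:05:00Z src=WS07 dst=FS01 user=bob
2024-05-01T10:05:01Z src=WS07 dst=FS02 user=bob
2024-05-01T10:05:02Z src=WS07 dst=DC01 user=bob
2024-05-01T10:05:02Z src=WS07 dst=WS03 user=bob
2024-05-01T10:05:03Z src=WS07 dst=WS04 user=bob
2024-05-01T10:05:04Z src=WS07 dst=WS05 user=bob
2024-05-01T10:05:05Z src=WS07 dst=WS06 user=bob
2024-05-01T11:30:00Z src=WS02 dst=FS02 user=carol
2024-05-01T11:45:00Z src=WS02 dst=DC01 user=carol
"""


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    user: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed 'ts key=value ...' format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                            fields["src"], fields["dst"], fields["user"]))
    return events


@dataclass
class Hypothesis:
    """A hunt: what bad thing we expect, which data we have, and what it would look like."""
    name: str
    data_source: str
    indicator: Callable[[list[Event]], list[dict]]


def fan_out_indicator(window: timedelta, threshold: int):
    """Flag sources that reach at least `threshold` distinct destinations within `window`."""
    def check(events: list[Event]) -> list[dict]:
        by_src = defaultdict(list)
        for e in sorted(events, key=lambda e: e.ts):
            by_src[e.src].append(e)
        hits = []
        for src, evs in by_src.items():
            start = 0
            for end in range(len(evs)):          # sliding window over this source's events
                while evs[end].ts - evs[start].ts > window:
                    start += 1
                dsts = {e.dst for e in evs[start:end + 1]}
                if len(dsts) >= threshold:
                    hits.append({"src": src, "user": evs[end].user,
                                 "distinct_dst": len(dsts),
                                 "first": evs[start].ts, "last": evs[end].ts})
                    break                        # one hit per source is enough to investigate
        return hits
    return check


def run_hunt(hyp: Hypothesis, events: list[Event]) -> list[dict]:
    return hyp.indicator(events)


# Window and threshold are assumed values; tune them to your own baseline.
SMB_FAN_OUT = Hypothesis(
    name="Single host connecting to many SMB peers in a short window",
    data_source="SMB connection log (constructed sample)",
    indicator=fan_out_indicator(window=timedelta(minutes=5), threshold=5),
)

if __name__ == "__main__":
    for hit in run_hunt(SMB_FAN_OUT, parse_log(SAMPLE_LOG)):
        print(f"[{SMB_FAN_OUT.name}] {hit['src']} as {hit['user']}: "
              f"{hit['distinct_dst']} distinct hosts between {hit['first']} and {hit['last']}")
```

Run as-is, the hunt flags only WS07: seven different hosts reached within five seconds, while WS01 and WS02 stay under the threshold. The point of wrapping the logic in a Hypothesis object is that the next hunt reuses the same shape: name the bad thing, name the log you have, write the indicator, and look.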