
Impose Cost: Our defences eventually fail & we need to take the fight to the criminals | Keynote

BSides Cape Town · 42:37 · 1.1K views · Published 2023-12
About this talk
In the BSides Cape Town 2023 opening keynote, Singe presents on imposing cost on criminals.

Abstract: The best defence is a good offence, except in cybersecurity, where we send people to the battlefield with armour and radios. The most active defence gets is evicting attackers from their network. We've leaned so hard into defence as an industry that we're lying on the floor, and it's time to look up. But how can we take the fight to the criminals without crossing legal and ethical boundaries?

Cybersecurity is all defence. In the history of competitive endeavours, from sports to wars, nobody has ever won by playing defence alone. Over the years there have been several defensive models people use to prioritise scarce expertise across complex systems, and while they all buy us something, no defence is perfect and the approaches eventually fail us. How do we stop the incessant focus on building and maintaining higher walls while attackers just reuse the same ladders? Address the problem at its root: in security the best defence isn't a good offence, it's a good arrest. What can we do as an industry to better support and enable law enforcement in identifying, linking, gathering evidence on, and successfully prosecuting the groups behind the cybercrime? Because when we do, the results are often a dramatic decrease in attacks. While I don't have all the answers, there are enough examples to show us ways it could work. The challenge then is how we embed them into our security strategies in the future.

Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.
Transcript

Hello everybody, and welcome to BSides. Thank you so much for coming. Thank you to the organisers; I can't find Charles in here, he's probably stress-sweating upstairs, but thank you to the organisers for bringing us all together and for making it so much bigger. It's quite amazing. Thank you to all of the volunteers for all of your efforts, and to my fellow speakers for making what's hopefully going to be an amazing day, what will be an amazing day.

So I want to talk to you today about something very simple. Toco asked me outside what I was going to talk about, and I said it's about arresting criminals. He's like, "Cool, I don't need to attend now." So if you want to know what the takeaway is, that's it, and you can leave now.

I want to do two things in the talk today. The first is to convince you that what we're doing from a defensive point of view right now has diminishing returns, and we're leaning a little too hard into increasingly diminishing returns. There's some subtlety there: I'm not saying let's stop defending, that would be dumb, or that we must stop everything we're doing today. I'm not saying that. But I'm saying at some point you're going too far down that road, the returns aren't worth it for how much effort you're putting in, and we should do something else. The thing I'm proposing as that something else is to create law enforcement outcomes on criminals. Now there's some complexity there, because you go, "Well, we live in South Africa, and the police..." So I want to try and convince you that that's actually something we can do.

The problem with this talk is this isn't a well-trodden thing. I don't have a product to sell you. I can't point to 12 organisations that are doing this successfully. This is an idea that I think is really important, that I want to try and convince you of and enlist you into. There's no club; I'm enlisting your thinking into this. You don't have to tell me that you were sold on it. What I would love, the ideal outcome, is that we start reducing the pool of criminals in the country. And so this is like the most nervous I've been for a talk in a long time, for I think two reasons: one, because this is our community and it matters, and the second is because that point really matters to me. I'm really passionate about it and I think it's super important for where we are in cyber security and where we are in South Africa.

Okay, my name is Dominic White, and I put a picture of myself up there so I'd remember what I look like. If you want to say something nice, do it publicly, and if you want to say something mean, just email me.

Okay, so 10 years ago a colleague of mine named Panda (some of you might know him from Capitec, where he stopped being called Panda; his name was Jeremy, who knew) and I gave a talk at ITWeb, just over 10 years ago, called Offense Oriented Defense. It was born of having been a pentester at that point for about four or five years, where I was sort of shocked that we kept being successful against organisations that had very large security budgets and spent a lot of time doing security. I didn't understand why. I mean, we're not that good at this; why do we keep successfully breaking into organisations? So my thought at the time was that people aren't responsive to the actual attacks that they face: they're doing defence stuff that isn't the same as what the offence stuff is. So there was this kind of mismatch; I'll talk about it later with the falling pianos problem, if you want to remember that point.

And 10 years later, what's changed, if I could go back to myself from 10 years ago, or at least what's changed in my thinking, is that I no longer think that we can lean harder into what we're doing defensively right now, that we can just magically do it better and everything will be okay. I think we actually need something new, and that something new is to address the root cause of this, which is criminals and criminality.

So the weird thing about cyber security is that if you look at the history of competitive endeavours in the world, of which cyber security is one, right, it's defenders versus attackers, nobody will ever win by playing just defence. If the Springboks only played defence they wouldn't have won the Rugby World Cup; they probably wouldn't even have been in the top 10. You can't defend your way through, because at some point somebody's going to score a goal, you'll make a mistake, and then how do you retake the advantage if you have no offence? We've got this idea that if we can just wrap our users and networks and systems in enough padding we can send them out into a world where people have guns and are shooting at them, and somehow they're going to be okay. But if a bullet gets through, we just add more layers of padding. It's weird. Why do we think that defence is the only thing we can do against attackers who are attacking us? And then as cyber defenders we're like, you know what, the people who know what's going on, we'll give them radios, and they can use those against people who have guns.

The greatest consequence we in this room can leverage against real adversaries attacking our systems is to merely evict them from our networks. That is not really a consequence, because then they can just come back and attack again. Maybe we can take down some of their toys, some of their servers; they put them up again. Attackers retain the asymmetry because they have the ability to keep reusing their attacks, and defenders have no ability to scale their defensive efforts. You have to rebuild the defensive effort at every company and with every individual that we bring into society. So we've got this problem where we can never win a war, because we have no ability to engage in offence.

There's a common saying: peacekeepers have guns, because we acknowledge that at some point, to create a peaceful environment, you have to be able to engage in an offensive war against the people who are disrupting that peace. So we need offence. The easy answer is, "Oh well, that's hack back, that's vigilantism." I'm not talking about that. I want to use law enforcement. I'll get to that later.

Okay, but we do have to defend, right? It's all really easy to say, "Great, we'll go arrest some criminals and we'll be done," but unfortunately this entire industry exists around actually defending things. So I want to give some examples of defensive models that we've used, that are currently in use, that kind of follow what I've observed in the industry in the last couple of years. What I want to do with these next things is convince you that we're leaning too hard into some of the defence. That's not the same as throwing the baby out with the bath water. What I'm saying is at some point diminishing returns kick in; you need to stop and do something else. You've done enough of this thing, maybe keep doing it, maintain it, but don't take it further. Let's do something else.

Okay, so in my time in cyber security, which is starting to be long, I've seen a couple of things happen. When I first started, firewalls were not ubiquitous; the idea of putting machines on the internet was how we did it. Then a bunch of worms came along and took out large parts of the internet, and then we put firewalls in place. Then at some point Bugtraq was the forefront of the information security industry; we kind of lauded bugs, vulnerability focus, and vulnerability centrism was a big part of it. Then I remember having this argument with Rob, when I was still with Deloitte and you were with Investec in internal audit, about how we could prioritise and defend our machines. I think there were duelling blog posts, back in the day when blog posts were a thing: can we meaningfully protect the crown jewels, with some kind of security nihilism in place, knowing we can't protect everything? And then more recently I think we've moved on to what I was talking about in 2013, which is understanding what the attackers are doing, looking at their attacks and defending against that. But all of these models have some kind of diminishing returns, and I want to go through a couple of them.

Okay, so the perimeter approach (oh, too many slides) is born of this castle thinking. If any of you have sat down with a security architect, or maybe you are a security architect yourself, or you've thought about security models, it's often related, truthfully, to the ideas from the 9th and 13th century of castles: concentric layers of defence, defence in depth. I'm not saying these are bad things, but this is how we think about security. So when we draw networks, you know, here's the DMZ and here's the inside of the network. When we draw applications, we go, here's the outer authentication layer, pre-authentication, and internal. We have all of these conceptual models we use to understand what our systems are doing, but the problem with this is that we don't have conceptual models for the way people actually use this. I mean, where does a VPN fit in here? Do they teleport to the centre? Is that how this works? How do I draw this?

So the truth of this is that the concentric model of defence is a convenient lie that I think we tell ourselves a lot of the time. Back in 2008, the Jericho Forum made this point. They said the perimeter is dead, we need to stop doing this. The Jericho Forum was based on this idea (I'm sure all of you read your Bible this morning) that they walked around the walls of Jericho and then God made the walls fall down. But what organisations like BP were saying, and investing a lot of money into, is that the perimeter is dead, we need to defend differently, and zero trust takes its birth from these kinds of ideas.

So this perimeter model is not just from a network security point of view, that it's firewalls on the internet; it's talking more widely about these concentric ideas that we have. And the problem with that is that those concentric models don't map to reality. So if we think about physical locations, as this slide implies, we've got people working at home and coffee shops, we've got branches and we've got head offices; there are a lot of physical locations. How does that fit into a concentric model? So we go, okay, cool, everywhere that's not the organisation is outside, and this is inside. And hackers will know that's very convenient for them, because the second you're past that crunchy outer shell you kind of have unfettered movement. But then if you look at a network level, how does a Wi-Fi, a VPN, a third-party site-to-site VPN fit into our concentric models? And then, more importantly, real users operate across those concentric models. So if you think about a third party using their site-to-site VPN to log into a software-as-a-service tool that your organisation is running, which concentric model are we on? Are we on physical, are we on network, are we on authentication?

And the concentric models we always forget to write down are the authentication ones. Hackers know that you can steal creds from a third-party marketing site, because that credential has been conveniently synchronised manually with the actual credentials people use to log into the organisation. There's a link there; it's not a link any organisation is aware of, and you only discover it when you try and do it. These models are too complex, so the perimeters that we keep creating are kind of falsehoods that don't work for us. So our response as an industry has just been to make the endpoint the new perimeter: let's just keep stuffing enough things into the laptop and our users until eventually they will be perfectly secure everywhere they go. Some of you might be experiencing the slowness that comes with Intune and multi-factor authentication posture checking on your laptop right now. We've kind of given up on this idea that there is a meaningful perimeter, so let's just stick it all on the laptop.

But the problem with this idea is, first off, hardware keyloggers still work. This ancient attack, where you can plug something in between a keyboard and the computer and record those keystrokes, we still don't have a meaningful defence against: a commonly used, real attack from actual attackers that happens all the time. So have we meaningfully defended our endpoint? And then the other thing is we seem to be under the idea that we can sort of phish users into never trusting what they read on the screen, and somehow conmen will stop existing. In the history of the world conmen have always been successful, because at some point humanity needs to be able to trust another human being, and we're not going to phish our users into breaking the social contract such that nobody can ever con someone again. So it isn't really a meaningful perimeter, and just throwing more technology at it isn't going to fix some of those core problems. Now again, I'm not saying don't patch your machine, don't have multi-factor authentication; those are all useful things. But at some point you're not going to multi-factor, posture-check, patch your machine into somebody no longer trusting other human beings.

Okay, so then we had this vulnerability point of view. What I don't want to do here is try and convince you that patching eventually fails, or that you can't bug-hunt your way to security, because I think you know that, and there are lots of places where people have said the same thing. Instead I want to look at the theories underpinning that: what's the thinking that we bring into this, and how does it create the asymmetry people talk about in the organisation?

So back in 2013 I introduced this idea of your defences as a wall. Every new layer of security that you build in is a new layer of the wall. You have to build this wall, it's expensive, you have to maintain this wall. But we knew it was a dumb idea when Donald Trump said it, because an attacker can go buy a $50 ladder. What I was talking about earlier is the scalability of your attacks versus the static nature of defences: you have to keep building the wall at every organisation; the attackers get to reuse their ladder against every organisation. There's always an ability to scale the attacks, and the asymmetry is built in there. So when you say, how do you make it cost an attacker more than it costs a defender to defend: what is the cost of employing a CISO, all of the political stuff they have to go through to justify the budget, all of the very expensive tools that they need to install, not to mention the scarce skilled resources that you have to find, train and retain (if anyone wants to know where the real expense comes from: people in this industry). With all of that, attackers get to do the fun, smart technical work of making something that works and then reusing it, which is why ransomware is such a problem: attackers have an ability to just scale their attacks across organisations, and it's a game of numbers. If it doesn't work there, then we apply it there. In the meantime we keep building this wall.

What's worse is that the surface area just stays constant, and there's some nuance at this point. When I first started getting interested in security, one of the founders of our company, Roelof Temmingh, wrote this white paper called "Breaking into computers over the Internet". It's an amazing read, but it highlighted that at the time it was possible to meaningfully compromise organisations based on vulnerabilities in their infrastructure over the internet. Now that's no longer the case, unless you're Citrix, F5, Fortinet, yeah, Cisco, anyway. It's no longer trivially the case, should we say, that you can compromise machines over the internet at an infrastructure level. So what happened is the attacks moved to the application layer, so then we were compromising organisations over the internet using things like SQL injection, and then after that stuff got locked down as the frameworks improved, we moved to phishing attacks. So while the overall surface area seems to be reducing, because we are making meaningful improvements in those layers, the usable, popular surface area remains the same. As a new attacker coming into this industry, you can learn what the popular attacks are and use the popular maintained toolkits right now, and be almost as successful as you could 20 years ago when pentesters were getting into it, even though those attacks have shifted. So cool, the surface area is reducing even though the usable surface area remains the same; does that mean we're eventually going to be secure? I haven't seen it yet. I'd love to believe that we can be. And then we keep introducing new technology. If we start talking about the cloud, there are whole new levels of surface area which will continue to provide vulnerabilities for us. So your wall has a lot of holes in it that are very difficult to stop caring about, because attackers keep finding new areas that have holes in, not that the overall holes are getting fewer, if that makes sense. I'm maybe stretching this wall analogy.

The other problem is you have to maintain the wall. Any homeowners here, particularly down in the Cape, probably know that that's difficult. The maintenance analogy here is that defences atrophy over time. What that means is in the beginning there'll be a defence which is really effective, but as attackers get more and more comfortable with bypassing that defence, the defences drop off. You still need to maintain them; they don't get cheaper. Your licence fee doesn't get reduced because now attackers have a solid understanding of how your defence works. So this is my unscientific attempt at science: I just drew graphs over time. The problem here is, as a defender, you invest in some security technology, it's effective, you continue to invest in it, you have to keep building the wall, you have to maintain the wall. As an attacker, your attacks only get more effective against ageing technology, not ageing technology, ageing technology ideas. And this leads to the asymmetry that everyone talks about: defenders have to keep defending harder, attackers get to scale their attacks in different ways.

Okay, so then we hit security nihilism. We went, you know what, you can't defend everything, let's at least defend the crown jewels. And maybe you're in here going, look, I know that's not going to work, but I tell you, the whole internal and external audit regime is built on this very idea. Their audit plan every year is: what are your critical systems, and let's go and audit those. The problem with this, of course, is that crown jewels don't exist in isolation. They're connected to networks, and they have systems they're connected to, and the complexity of those graphs we're talking about is really high. If anyone's looked at a BloodHound report and mapped that to their understanding of what Active Directory looks like in that organisation, they'll see there's almost no overlap. Those graphs are infinitely complex and don't seem to relate to our conceptual understanding of those things.

So systems exist within networks. I've seen examples where somebody's installed a server under their desk to monitor some critical system somewhere, and then you compromise the server under the desk, which happens to have credentials to get into that system. So now do we have to include our SAP server, our mainframe, and the server under the desk? Or, put differently, how do we meaningfully enumerate all those things? We tend to forget about the server under the desk. (By the way, my daughter insisted I put that animation in; I was very impressed.)

And we've seen it in the SWIFT environment. If you look at what happened with SWIFT, where you had the Bangladeshi bank heist, the North Korean Lazarus Group stole millions abusing this interbanking system. The response from SWIFT was to add these additional controls that you have to attest to every year around the SWIFT systems. Now SWIFT is an interbanking network, so the core SWIFT Alliance kit in a financial organisation provides you access to that network. The problem is you secure the crown jewels; meanwhile there are 40 to 100 different systems which can initiate SWIFT transactions that get sent there. So there's an ecosystem; every time you look at something with security, it just gets really complex. So the crown jewels end up not working.

We also seem to lean into this idea that we can keep enumerating and detecting enough badness to find our way out of this problem. Years ago it was with antivirus, where they would write signatures for everything they saw, but modern... I mean, we have a managed security detection and response service; we're just as much part of this problem. SIEMs and XDR are all more attempts at enumerating badness. But people who pentest networks will tell you that maybe you do a lot of that stuff in the beginning, but trendy concepts like living off the land exist because at some point you're getting detected and you need to look like a legitimate user, and by the time you get to the core systems you do look like a legitimate user. When you're initiating transactions on SAP to exfiltrate money out of the business as a supplier, you're doing that as the head of finance, using their legitimate access in a legitimate way, even if at some point it started with a Kerberoast. So by that point, if we're just focusing on our crown jewels, you miss the very important context which would tell you that this is an attacker, but we tend not to look at those campaigns.

Okay, but the response that we got to with this is that if we just find enough stormy teacups and jaunty crickets and bears wearing jackets (this is a threat intel joke; it's not landing quite as well as I hoped), then we'll know about the attacks against organisations and we can defend against those. Great. This is kind of what I was talking about in 2013, and I call it the falling pianos problem. I keep thinking people have seen this slide from me so many times it's boring, but I think it's a useful one. The falling pianos problem is what I use to describe the problem we have in information security and cyber security where we keep worrying about the wrong attacks. We're worried about an APT; meanwhile there's a low-level ransomware group that's going after us. The idea is, if you have to meet someone in a dark alley in a bad neighbourhood in the middle of the night, and your first concern is that a piano could fall on your head, you're doing it wrong. You've misunderstood the attacks that you're about to face, and you're defending against the wrong attack. If you understand that a mugging is the more likely outcome, you can do something about that: you can wear a stab-proof vest, you can bring Ol along (he's a badass), you can meet in a different neighbourhood at a different time of day. Then you are defending against the actual attacks you might face and you're not misallocating the funds, right?

And the way we do that in cyber security is through threat intelligence. The idea is that if people publish enough information about (I'm trying to think of Microsoft's names, Pew PW Teacup, I don't know, anyway) these names, and if you can buy enough commercial threat intelligence, then these will overlap with the kind of attacks you're about to face, and then you will be well prepared for those attacks and you will be able to counter them. Now we're not naive; we know that there isn't perfect alignment between these things, but we expect that there's some kind of meaningful overlap, and particularly that that overlap is on the most critical, most prolific, most dangerous threat actors. But when you look into this stuff, when we have used threat intel for our own purposes to try and understand how we defend organisations in South Africa, it looks a lot like this: a lot of the time there is zero overlap between the commercial and public threat intel that we're seeing. Chinese actors going after US national assets unfortunately don't do a lot in South Africa, and even when they do we don't necessarily have the visibility and instrumentation to find out in the first place. So we've got this problem where the threat intel doesn't necessarily align with the actual attacks we're facing.

Then we've got another problem: when we do have perfect knowledge, we still get it wrong. This is a screenshot from the MITRE ATT&CK Evaluations. If you don't know, the MITRE ATT&CK Evaluations happen once a year. They do a call for threat intelligence and they say, hey, what kind of attacks can we use to emulate for our XDR and EDR vendors to try and detect? If you want to know more about this, my colleague Leon Jacobs is doing a fantastic talk about work he did on this later today. So with these MITRE ATT&CK Evaluations, this year they called for Turla. Was Turla 2016? No, no, when did the bad person actually do their bad things? 2018, after, okay. So they're a Russian threat actor that hacked a bunch of stuff, and they had this really interesting set of attacks that they did, which Leon will tell you more about. MITRE then goes and implements all of these attacks, so the EDR vendors know exactly what attacks are going to be implemented and what they need to detect. So this should be the case where they get a perfect score, right? This is a known attack, they're doing things they were told about, they should be able to detect it. So these are screenshots I took from the MITRE ATT&CK Evaluations website after I didn't believe a marketing post I saw from Palo Alto. Turns out it was true; Palo Alto of course got everything there, so it's great marketing for Palo Alto. But that is the baseline: if we're paying all this money to tools to detect known things that we've seen before, and they can't detect known things we've seen before, then what? So the problem we face is that even when we have perfect knowledge about the attacks, we end up with a performance issue, and that's before we end up with coverage and skills and all of the complexity required to actually run these in an organisation.

And I want to make a car analogy, because famously the best way to be wrong in cyber security is to talk about cars. So with a car we create safety by having a bunch of systems, right? We've got airbags and seat belts and (I'm not a car person) roll cages, crumple zones, assisted braking; I think those are all things that are in cars. We do those to create safety, but safety is not a result of those things being present; safety is a result of those things functioning together in a dynamic situation. So safety is an emergent property of the controls functioning in a live situation, and that's a lot like security. We're not going to audit our way to compliance and security by checking that all of these things exist; we need to understand that in a dynamic situation they can function together. And sometimes in a car they don't function: if you get hit the wrong way, maybe people are going to die, and sometimes in security that might be the case too. And with a car you're going up against inanimate objects (sometimes the inanimate objects are steered by a person), but in cyber security we're going up against creative, deliberate, adaptive adversaries. Brian Snow, the ex-head of information assurance at the NSA, in response to a question about whether they could use a risk-based prioritisation approach to defending the nuclear stockpile in America, said no, because adversaries will not follow your risk checklist. We need to understand what a creative, deliberate adversary looks like. So when we're talking about attacks that we know we can't defend against, what does it look like with creative, deliberate adversaries who aren't using the attacks that you've seen before? Because a lot of the reason why pentesters continue to be employed is the requirement for them to invent new ways of doing this the whole time. If we could just reuse the toolkit, well, that's what attack simulations are for.

Okay, we're now halfway into this and I'm going to talk about what I actually wanted to talk to you about. So remember, I wanted to do two things. The first was to convince you that at some point we're leaning too hard into our defences and we get diminishing returns from them, and we need to do something different. In particular, what I think we need to do differently is impose direct cost on the criminals, because there are fewer criminals than there are attacks.

Okay, so the way I'm going to do that (oh, I'm supposed to be on a slide) is a controversial example. I want to first prove to you that there aren't that many criminals, and the way I want to do it is to look at the number of incarcerated Americans. Now this sits at the heart of the American culture wars; there are 500 Fox News pieces about this. I'm not trying to make a political point here; what I want to do is use this data to try and make the point that there aren't that many criminals. So if you look at the top 10 countries in the world for number of incarcerated people, the only one that has decent due process and rule of law (you can argue about that, but I'm talking about the difference between, say, a dictatorship and a developed country with a well-staffed, well-funded police force) is the US. So if you look at the US as an example within that top 10, this is the number of incarcerated people. Now, it's problematic, right? They're arresting too many people. I'm not trying to make that point. Within the US right now there are 531 people in prison for every 100,000 people in the US, so those of you who are fast with your maths will know that that's 0.5% of the population. So what that means is there's 99.5% of the population that aren't in prison. Now how does that map to the actual criminals within the US? I don't know. I think there are people in prison who are innocent, and there are people who are not in prison who are guilty. But even if you had to double that number to 1%, and that would be huge, that would put them at the most incarcerated people ever in the history of the world by orders of magnitude, that would still be 1% versus 99%. There are far more people who aren't criminals than there are criminals. Then if we boil it down to the number of people engaging in cyber crime, which is our interest here, that's an even smaller number. So I don't think that there are a lot of criminals.

Now the differences matter. The US is a large place; I'm sure there are different levels of criminality in different parts of the country, or different kinds of crime. I'm sure New York has a higher proportion of white-collar crime than, say, Georgia. The other problem is the more criminality there is, or the fewer consequences there are, the more criminality continues. South Africa has a problem where there isn't much visible justice and the criminality is increasing. We have a problem where we got grey-listed because of some of our financial controls. We have a problem where organised crime is flourishing within South Africa. We've got a dramatic increase in organised crime in South Africa, such that other law enforcement agencies from around the world are starting to get involved to protect their citizens, based on the criminality that's growing in this country. So we also need to do something about this to prevent more criminals from deciding that this is a life that's going to work for them, and South Africa has an urgent and pressing need to do that.

Okay, what should we do? Now anyone who's been in this industry long enough will know at some point they've had the hack back debate, and the hack back debate is: I know how to penetrate systems, why don't I just penetrate criminal systems like they're hacking us? Hack onto them as they hack onto us, if you've watched Hackers. The problem with that is it's illegal, and you would be a vigilante, and the problem with vigilantism is you're denying people their due process, and the problem with that is you might violate people's human rights, and human rights are a pretty important part of how we structure our societies and look after each other. So there is risk to yourself in engaging in illegal hack back, because you are conducting a crime, which now potentially limits your future career prospects if you get caught. There is risk to bystanders: if you hack a server that you

believe is conducting ATT tax against you and you take it down and it turns out that that was an innocent third party who had some vulnerabilities the attacker had used as a jump box you have now created worse consequences for that innocent B standard than the attacker had CU at least the attacker had an interest in keeping that box up it's an overly simplistic example so I'm not encouraging vigilante ISM the the the tools and methods we have available to us are different okay so who wants to complete the saying for me the best defense is a good offense yes I'm not saying that I'm saying the specific offense I want to talk about is a good

arrest I want to affect law enforcement outcomes okay so before we get into the detail of how I think we can do that this is a still from Ted lasso if anyone's watched it you'll know the power of this sign is I want you to believe that this is possible because if we give up on law enforcement if we go that's not going to happen in South Africa then it becomes a self-fulfilling prophecy or it is sustained as a self-fulfilling prophecy if we do not believe we can meaningfully impact criminals if we do not believe we can deal with a root cause problem in cyber security then what are we doing we got into this to deal with hard problems

hard problems are a fun challenge for a lot of us let's focus the hard problem on the place where we're going to have the greatest impact so I need you to believe first off before we get into the detail okay so what what's in law enforcement's tool belt Beyond an arrest so the first thing is they can detain people not just after they've been successfully charged they can detain people for questioning they can get warrants to access their devices those devices can give you information that can point to other criminals and criminality there's a whole bunch of freedoms that they can limit during an investigation against a criminal then they can also arrest people put them in

prison limit their economic activity their travel opportunities their ability to see their children you can charge people once there are charges you need to face those charges in a court of law once again law enforcement has an ability to detain people if they believe that they're going to be a Flight Risk they have an ability to seize assets that might be used in further criming criming by the way was coined by Shifty Mike you can see his talk later today too governments can put sanctions on countries but they can also put them on individuals the US loves doing this they keep putting sanctions on Russians and Chinese actors that have been involved in nation state criming but most

countries have an ability to put sanctions on an individual those sanctions can all have different effects they can prevent people from opening bank accounts from transacting with your business they can prevent people from flying and getting on planes there's a lot of stuff that you can do to threat actors uh through that way and then the most important one is you can seize assets you can seize the toys that they're to attack you you can seize the profits that they uh they gain from that crime you can seize the car that they bought with the money that they stole from the tan down the road this is a very powerful way to deprive criminals of their um of their benefits and this

happens right so black axe is a prolific organized crime syndicate operating in South Africa between the Hawks between the saps between Interpol between uh the US Secret Service there've been numerous arrests and the nice thing about these arrest arrests is they lead to more arrests as they get more information and this is a link from interpol's website the quote in there kind of goes without saying but I think sometimes people forget after they arrested them there was a significant drop in the number of attacks they did shock and awe maybe we can have more impact on reducing the total attacks we Face by arresting the criminals who are conducting those attacks here's an example where the FBI

and European Partners took down qub the really interesting thing Beyond denying them of their toys they also uninstalled quack bot across a whole bunch of infected machines those are really powerful things that you can do and nobody did anything illegal this was all due process nobody's going to prison for doing it within South Africa we have very strong asset seizure uh laws in place and it's active and it's happening so in 2022 they did nearly 6 billion um frozen assets uh and they recovered nearly 300 million rans worth of of thefts those are actual things happening right now powerful consequences that we can put on criminals acting acting within South Africa okay so next question is how can

we help and the first thing that I think we can do is realize that attribution matters so what that means is not that you know it is Bob in the basement at his mother's house on whatever Road it's that you start identifying the criminal groups or the campaigns or the attacks and lumping them together and the reason we're doing this is for the second part that we want to quantify the losses law enforcement acts on certain Financial threat holds so if you can go they stole 10,000 Rand from the tiny down the road but they also stole a total of 100 million Rand from this group of people law enforcement has now exceeded their threshold for action and are not quite

forced to act but very interested in acting and then you also as a Defender are very interested in this um in this being resolved so it's a way for us to prioritize which groups we're going after and making sure we're not wasting our time on small fry we also need to and this is the hard part share across Industries and across organizations we've seen numerous threat actors in South Africa who operate against a bank and a retail company because they know there's no collaboration between those two or they'll operate that if they're going to go across a bunch of banks they know at some point it's going to be brought up in sabric and they're going to have a

bad time it's easier to work across industry to avoid consequences how do we encourage collaboration at that level it's very difficult we want to link the activity so that we quantify the losses and then after that we have a referral that we can give to law enforcement and they take that intelligence and they turn it into evidence that's their job so you can give them a whole dossier a whole bunch of facts and point this gun where it needs to they don't necessarily know where they need to go they need people to report crimes so that they know who to go after it's it's not their job to just stand around waiting for a crime to happen and go do that as

Citizens you need to report the crime as organizations with large security budgets and skilled uh skilled people what information can we give them to make it more successful and so if you look at the loed Martin defending along the killchain paper oh am I out of time no okay good my timer ran out um they they talked about these different stages of an attack and the way that you can cluster different intrusions together so you can go this one threat actor engaged in all of this activity we were able to Cluster this activity together and the last part action on objectives is what they're actually there to do as an attack and I think what this is missing is the follow the

money part you know how do we understand what the actual losses are and I don't mean hypothetical losses not like it cost us 7 round for each email we sent to sell someone that their password has been breached I mean the actual money that they stole the actual assets that they they compromised if we can start to put that in there then we can exceed the financial thresholds that help law enforcement know to act I don't know how to do this cross company sharing thing there was a whole cyber policy framework put out by the government uh which was supposed to enable sectoral certs so that would all talk to each other it would all be

centralized by the cyber crime Hub on Private Industry that would all make it to the Cyber Response Center it was magnificent I don't know where that implementation is it's slow South Africa has other priorities Beyond building um these giant things so we need to do them ourselves and right now a lot of these industry things exist but they're coffee meetups and people are defensive about the information they share we don't meaningfully share hey this crime group is criming in this way at this level I don't have all of the information have you seen any of this criming maybe go look here's some ioc's that we were able to extract from the criming we saw on

their system let's go speak to other people in the industry because we happen to see that that C2 was talking to something else this needs a technical sharing response based on meaningful trusted individuals and the industry situation we have right now is there's there's more competitive uh there's more competition between members of that organization then there is Meaningful sharing about that so the criminals get to exist between the gaps of our distrust okay then I also think we can impose private cost we don't only need to rely on law enforcement and there are things we can do which are legal that won't get you put in prison so the one is infrastructure takedowns all right if

you say hey this was used in a fishing kit uh these servers are hosting malware those sorts of things those things do get reasonably responded to a lot of the time and you can make it more frustrating for a threat factor to continue to operate you can exploit their attack tooling hang on I don't mean conduct crimes there are lots of vulnerabilities in attacka tools I know because any attacka tool I've ever written has been the most vulnerable piece of software anyone has ever written there are lots of vulnerability in attacker tools that can be used to gain information about what that attack tool is doing look for vulnerabilities and attack tools that give us an information advantage that

allow you to extract the information we need to Cluster intrusions together to link activities to threat actors don't exploit your remote code execution vulnerability on a server now you're crossing the line there's lots of information gathering opportunities the trace Labs people are here uh I think there's a lot of Open Source intelligence that can be used against threat actors I think they are used you've got smart people who do aen stuff within your organization use it against the threat actors to build that intelligence dossier that you're going to give to law enforcement I think we can do more to support law enforcement I think we can give them discounts if we have commercial commercial things to help the security

Community I think you can make it easier for them to interact with your organization where there isn't risk of a privacy violation enforcing that they require onerous mandates and warrants when they're trying to get information in pursuit of a threat actor sometimes introduces more friction I'm not saying avoid due process but how can you support law enforcement when they come to you how can you meet law enforcement so they know they can come to you uh then I also think we should allocate some budget towards this I think within organizations that have security budgets part of your budget should be how do I infect affect a law enforcement outcome how do I reduce the amount of crime happening in this

country and what portion of my budget is associated with that so I want to give you an example of the kind of information gathering I'm talking about from when we talk about exploiting attack tooling so this is some research from checkpoint but if you look at unit 42's research from Palo Alto uh if you look at Fox it uh in the nether like there's lots of public examples where people were exploiting attack tooling to gain information so here they were able to Cluster attacks together because this one was using the same encryption key as this one this one had the same um yeah identifier in there I don't want to get too much into the

detail afre Forum controversial organization again I'm not making a political Point afre Forum has a private prosecution unit fascinating the idea is if the NPA refuses to prosecute a case they can choose to prosecute the case there's two potential advantages that come out of it the one obvious thing is they successfully prosecute the case and the person Goes to Jail the other is that the NPA goes wow that's a winnable case I'm going to take it back in which case they've served as a pressure group to pressure the NPA into taking that back on is it time we create a cyber private prosecution unit doesn't make sense to create it now because we still need to do all of the work to get the

investigation uh evidence Gathering prosecution part stuff that's needed to support the prosecution part but I think in time this might be worthwhile and this is one of the ways that we can operate cross industry and cross cross country so my my call to action for those of you who do have budget is think how can I allocate part of that budget to supporting law enforcement so that we can affect law enforcement outcomes but really what I'm trying to tell you today is I want the criminals I want the criminals to find out I want it to be visible public Justice such that when a criminal engages in crime they have a bad time and other potential criminals go that

looks like a bad way to live my life I'm not going to do that and because they are the root cause of this problem it is the place where our efforts will have the highest reward and so let's stop leaning into defensive methods that will give us no further Advantage if we do more of them harder again I'm not saying don't do the basics don't patch don't look after vulnerabilities but at some point when does it make sense not to make every vulnerability your organization might face your strategic plan at some point where does it make sense to go how do we identify the criminals attacking us and make sure that they can't continue doing that because doing so

will reduce the amount of attacks we see but also the amount of crime in the country reduce further criminals it's the right way to go so that is my proposal to you today how do you take this thinking into what you do if you're a developer if if you're um a Defender if you're on the network side if you're on the corporate side I don't quite know how this applies to you so like I said I don't have a polished do this answer and everything will be magical I also am under No Illusion that tomorrow suddenly everything will be good but how do we make sure that 10 years from now when one of you gives a talk we can reflect

on the meaningful impact we've had on the amount of crime and criminals that we face in our community thank you very much for your

time