
Cybersecurity Lessons From Jurassic Park - Rohit Satpathy

BSides Cheltenham · 38:19 · 87 views · Published 2024-07
Style: Talk

Transcript [en]

Thank you. We'll be talking about a little bit more than just dinosaurs today. There's going to be some science, some math, and hopefully you're going to enjoy it. In general you're going to see a slightly different theme to this talk. I know we're all technology enthusiasts; you've seen several talks today about AI models and even quantum cryptography, things that we should be excited about, the future of technology. This talk is going to be a little bit of a different theme, which is some of the things we can learn from the past, things that people have already discovered, and what we should be careful about as we're taking these steps forward.

So first of all I want a quick show of hands: has anybody here not heard about Jurassic Park? Okay, that's great. I have to ask this question nowadays because we are getting into a period where people are more familiar with this than with Jurassic Park; a lot of people think of Jurassic World when I'm talking about Jurassic Park. No, we will not be talking about Velociraptors being trained and chasing people on bikes and stuff, none of that crazy stuff. We'll be talking about the original Jurassic Park, but in case you want a quick recap of the story, I have it right on my first slide. The core story of Jurassic Park is we have a park that's made of genetically engineered dinosaurs brought back through DNA cloning, and then, as you can see, we have typical malware execution: somebody literally running a piece of code that then results in the park falling apart, the fences failing, the T-Rex running around free, and that eventually leads to the demolishment of the business. So we're going to study it as a case study in cyber security, and hopefully we can learn some lessons from it.

Now you might be wondering why Jurassic Park, what's so relevant about Jurassic Park. But before I get there I want to play a very quick video; hopefully I can get this to play. I'm not sure if any of you recognize this, but this is one of the core themes of Jurassic Park, which is the dragon curve. It's a fractal, and we'll talk a little bit more about fractals as well, so if anybody here is interested in math, this is going to be super interesting. There are a lot of things in the Jurassic Park book that are not in the movies, and this is one of them.

So why are we talking about Jurassic Park? The systems of Jurassic Park were not very different from the systems we see today. As you can tell, it's a Unix system, and if any of you are using MacBooks then you are very familiar with Unix systems. We're still working on the systems that were built back then. This was a movie from the '90s, and the technology shown here is pretty contemporary; in fact some of it is still quite futuristic. We have a lot of automation, we have things being controlled by computers, and in some sense the GUI that you're looking at here is actually fancier than most file explorer GUIs.

The other interesting thing about Jurassic Park is obviously the malware. This is a screen from when Jurassic Park was effectively hacked. It was done by an insider, but we have a permission denied screen, so basically even the people running the park were not able to access the Jurassic Park systems. Now what does this remind you of today? Ransomware. We've had several ransomware attacks; that's one of the core focuses these days in cyber security, and we'll look at a real world demonstration. But ransomware is not very different from the scenario that was showcased in Jurassic Park: both were done for financial gain, both were done effectively by getting inside the systems, which is commonly how ransomware is deployed, and both of them had the same effect of disabling the systems and holding them effectively for ransom. Jurassic Park is much worse, though, because the person who was shutting down the systems ended up getting eaten by dinosaurs. We'll get to that.

So let us enter the world of Jurassic Park. Before we do that, one more quick note. This is a feature that I'm sure a lot of you are familiar with; Microsoft just announced it, it's called Recall, and there's no more perfect way for me to introduce this quote from Jurassic Park: "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." Microsoft just announced this new feature where effectively your computer is going to be taking screenshots of all of your activity every second, so that it can visually track all of the data and then you can search it. So you can type into your computer "what table was there in this graphic I was looking at 10 minutes ago?" and your computer is going to be able to search that. On the surface that sounds like really exciting technology, but seriously, when we don't have a working Outlook app, which crashes every 5 minutes and has a "new" plastered on it, it's literally beta software, why are we building this stuff? It's something to think about.

One of the most famous quotes from Jurassic Park, from the book, is when Malcolm says: "In the information society, nobody thinks. We expected to banish paper, but we actually banished thought." What he's trying to say here is that with social media and a lot of the modern ways of thinking, we're used to following trends more than actually doing the thinking ourselves. So if this is the year of AI, then everybody's interested in AI. We don't ask why should we use AI in this particular use case, is it actually going to be helpful, is it a step forward? No, we just do the AI because that's what everybody else is doing. This is something Crichton spoke about quite a bit in all of his works; Jurassic Park is not his only work, it's his most popular, but it's far from his only one, and I think this quote reflects that.

So we're going to talk a little bit about the automation in Jurassic Park, which I think is also quite relevant in terms of some of the things we're seeing today. The core idea of Jurassic Park was that it could run with minimal staff for a long period of time, up to 3 days as it said in the movie; you could run the park with no staff at all, just the computers. They could take care of the dinosaurs, they could maintain the fence integrity, they could run the whole thing, and that of course extended even to the vehicles. Now does this seem familiar? We have electric cars running on a track, fully automated. So again, we talk about self-driving cars, we talk about electric cars nowadays; Jurassic Park had that vision. And of course in the end the visitors who are in the electric cars end up getting stranded when the park goes down, and then they're rescued by gas powered Jeeps. Isn't that ironic, for a movie made in the '90s?

Now, of course, all of this started with an insider threat. Jurassic Park had an external contractor, which also is not a very unusual threat vector nowadays. If you've been following, let's say, the Las Vegas hack, where the casinos, Caesar's Palace, were all infiltrated, a lot of those kinds of incidents start with social engineering, and often it's not necessarily social engineering into the highest levels of the company itself; but if you can get a contractor, a third party who is much more susceptible, and you end up targeting them and successfully getting their credentials, now you have the potential, the attack surface is massive. That is what happened in Jurassic Park. You had one disgruntled employee who was annoyed that he was not being paid enough, and he basically takes money from a competitor company; we've got the classic screenshot of money changing hands here. Basically he gets bribed by a competitor to the company that built Jurassic Park, and in return he promises to give them the core technology of Jurassic Park.

Now this is also one of the many things we see in cyber attacks nowadays, which is the aspect of a data breach. Cyber criminals are more interested in the data that we have rather than necessarily just taking down the system. They want to capture the data, they want to be able to send it or sell it or do something with it, because the data is more valuable. Jurassic Park mentions that, pound-for-pound, genetic technology is the most valuable thing out there. It's kind of true, because you could literally have a single genetically engineered molecule that's worth millions to the right buyer, and that was the core concept of Jurassic Park: shipping these embryos was so profitable it would make him 1.5 million, in the 1990s a lot of money, and that's what convinced Dennis Nedry, who is the person in the picture, to basically go through and take down the security systems of Jurassic Park.

Oh, I think we have a small technical issue with changing the slide, so I'll try to resume from here.

All right, so we'll talk about one of the many things in Jurassic Park that was very relevant: the points of failure. We have multiple points of failure that went wrong, but one of the things worth analyzing in any modern system is the points of failure: what can go wrong and your business can still function? This is quite relevant in terms of doing a risk analysis of any kind of complex system. In security, people talk about a layered approach, right? But cyber criminals don't necessarily follow a layered approach; if they can break in through layer three, they don't really care about layer one. In Jurassic Park, for example, there's this really nice quote where the problems with the security system were high on the bug list, but it was never really a bug, because Nedry had programmed it that way. It was supposed to be a back door, essentially. Modern malware tries to create this back door; here it's a case of the programmer building in a back door. This was back in the '90s, so apparently this was a temptation that a lot of programmers had, to leave a secret entrance. Typically we always complain about passwords, right? Like the default passwords on routers being "username" and "password" or something hardcoded on the box. But the reason things get hardcoded on the box is quite understandable, because you give your router to your grandmother, and if she's going to change the password, a month later she's going to say "I don't remember what the password was." So having a hardcoded password that you could go back to to reset the router was actually quite an important feature, especially when people were being introduced to this technology. I think it's still a problem we don't talk about as much today, because we like to think that we can just introduce more and more technology, but if people are not keeping up, then the technology itself becomes the impediment. In Jurassic Park, again, there being a back door, one of the reasons that was common practice at the time was so that if somebody broke the system, Nedry, being an outside contractor, would have a way to get in and fix it. But of course he didn't use it just for that.

So let's get to the fun part: the malware execution. This is literally the screen where he's making the decision to execute a piece of code that's going to take down several systems in Jurassic Park and give him the window of opportunity to go out there and steal the embryos. It's going to shut down the security systems, and he's going to be able to go through the park and deliver those embryos. Now what the movie didn't show you was the original code of the malware, which is actually referenced in the book. This is the code, and in the book it's referenced as "white rabbit.obj", so it was literally an object call that was supposed to disable all of the security systems. I'm not sure how accurate this code listing is, but basically the thing you're supposed to look at is the little arrow over there that says: on White Rabbit object call, security perimeter set to off. That's how Dennis Nedry basically turns off the security, and this is something they reverse engineer in the book: Arnold, who is the main computer engineer, decides to go back and review the lines of code, and then he finally finds the malware.

Now another thing we don't talk about as much with modern technology is unintended consequences. We always think that if we build something like, let's say, Microsoft Recall, it's only going to have the intended consequence, which is that people are going to be able to search through all of their history, and that's rarely the case, even in cyber security. I do a lot of testing with EDR, and one of the things I always find with EDR solutions, any kind of security solution that's deployed in a client environment, is that every time you make a change to the configuration of that system there's always some unintended consequence involved. A great example is when EDR systems are set up originally, they're made to be very aggressive, so they block all kinds of malware. Now that of course is a nightmare if you're in IT and you're trying to get your users online, and eventually what happens is you make configuration changes, and what you don't realize is that some of those configuration changes, while they allow you to get in nice and easy, also allow the malware to get in nice and easy. Something very similar happens in Jurassic Park: as you can see, Dennis Nedry opens the electrified fence, no problem, with his bare hands. Turns out if you can do that, the dinosaurs can do that as well. This is the screen that's shown in Jurassic Park showing the fence being unarmed, and now I'm actually going to play the clip where all of this happens. It's a very short clip, but it captures the essence of the cyber security disaster that happened in Jurassic Park. So here we go.

Technology. See, this is the thing: we have all of this AI, sophisticated technology, and I'm using PowerPoint, I have a very powerful system, and it just literally froze up when I tried to play the video. We're having a live demo; you can't really see this, but it literally says "Microsoft PowerPoint not responding", so we're having a real Jurassic Park moment here. It's a very realistic presentation in that sense. Maybe the video is too large; I didn't realize playing 4K video would be such a problem. But let's see.

Yeah, no, my computer literally froze. All right, let's try to get it back up and running. All right, try number two.

Classic ransomware. Even ransomware authors haven't gotten this good of a ransom note yet: "I hate this hacker crap." Because the phone systems are also controlled by the computers. And then of course the question is where did the vehicle stop? Turns out, as in real life, it always happens at the most inopportune moment, when you're standing in front of the Tyrannosaur paddock, just like my computer decides to freeze when I'm giving a live presentation instead of when I'm using it, because I've done this so many times, and this is when it decides to freeze up.

So as you just saw, this is what happens when you're in front of the Tyrannosaur paddock and the fences don't work: the dinosaur is not exactly very friendly. This is one of the other core messages of Jurassic Park: the element of abstraction. Abstraction is a very useful concept in programming; I'm sure you've all heard of it at some point. It's when you hide the unnecessary details, you make it easier for people to understand, you wrap things together into packages so people don't need to understand the entire underlying code; they only need to understand the surface level details relevant to them. Now the problem, of course, with abstraction is that the people who are creating the technology, who are working with it, don't really understand what they're working with. So this is the kind of dinosaur that, for example, Dennis Nedry was familiar with, and not the dinosaur you saw in the previous slide. A lot of the core engineers of Jurassic Park, including Henry Wu, who built the DNA, weren't really familiar with the names of the dinosaurs they were building. He didn't do any research because he was working with the DNA, he was looking at code fragments, and understanding what a dinosaur is and what it does was not part of his job. But that led to a certain kind of decision making that probably wouldn't have happened if these people understood the real dangers of, let's say, Velociraptors and Tyrannosaurus rex roaming around.

Another aspect of Jurassic Park that's very relevant to today is the complexity of the code base. There are a couple of different things: in the book it says, I think, half a million lines of code; in the movie they went with 4 million lines of code. But that's how big the code base for Jurassic Park was, and I'm going to read another quote which I think is going to touch the heart of a lot of programmers here: "Arnold was no longer operating the computer. He had now gone behind the scenes to look at the code, the line-by-line instructions that told the computer how to behave. Arnold was unhappily aware that the complete Jurassic Park program contained more than half a million lines of code, most of it undocumented, without explanation." "What are you doing, John?" "Checking the code by inspection." "That'll take forever." "Tell me," Arnold said, "tell me." So those of you who've jumped into coding projects that are huge, joined these teams and then figured out "oh, this is what I have to work with", you understand how he feels.

Now we're going to get to what Nedry's original purpose was, which was obviously stealing the embryos, and he manages to do that successfully; thankfully he's not able to deliver them successfully, because he runs into dinosaurs. But this leaves the team of Jurassic Park locked out, with Nedry's face in the background, because they didn't enter the magic word. Obviously this is very similar to ransomware attacks, so we're going to talk about recovery procedures, because this is another thing that we see a lot nowadays, where people are trying to recover from backup. I'm sure you've seen the meme: "Oh, we have backups." "Where was the backup?" "On the server that was encrypted." Jurassic Park had similar issues with their recovery procedures. They had never turned off the system, so they didn't know what would happen when the systems were turned on, and even when they were turned on, nobody was familiar with the procedures to get the individual park components back up and running. Turns out they had to go into another compound, where Ellie Sattler is here, and turn on the individual systems one by one. Now the issue with that, obviously, is that under normal circumstances there's no issue, you can just walk across the compound, but when you have Velociraptors running around it's not as simple. Again, it's something that you can't really foresee with the level of abstraction that you have. So when we're building systems, I think these days it's very important to think about these kinds of edge cases and these kinds of what-if scenarios, and building in backups, and not necessarily just backups but alternate control mechanisms for when systems go down. I think ransomware is a very crucial example of this, because a lot of companies struggle with it: they have backups, but they have backups in such a way that it's going to be more expensive to restore from backup than to just pay the cyber criminals. That's why cyber criminals keep making money: it's because they're able to offer a more competitive price than going to a security alternative. If they went and tried to recover their data, they go to an IT company, they ask for a quote, "what is it going to cost for me to get my systems back up and running?", and the ransomware authors know that, so they underbid that, and that's how they get paid. So it's really important to think about recovery procedures and practice them, in the eventuality that something like this does happen. Obviously this cyber incident didn't end well; that's the outcome: Jurassic Park was shut down.
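The recovery point above (practice the restore before you need it, and do not keep the only backup on the host that gets encrypted) as a runnable drill. This is an added example, not code from the talk: the file names, the directory layout and the `take_backup`/`restore_drill` helpers are constructed here, and the "backup that got hit" is simulated by overwriting one copy with random bytes.

```python
"""Restore drill: prove a backup can actually be restored before you need it.

Added example (not from the talk). Builds a tiny 'protected' data set in a
temporary directory, backs it up, then restores the backup into a scratch
location and verifies every file against a SHA-256 manifest taken at backup
time. A backup that lives inside the protected tree is flagged, because that
copy would be encrypted along with the originals.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root -> SHA-256, taken at backup time."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def take_backup(protected: Path, backup: Path) -> dict:
    """Copy the protected tree to the backup location; return the manifest."""
    shutil.copytree(protected, backup, dirs_exist_ok=True)
    return build_manifest(protected)


def restore_drill(backup: Path, manifest: dict, protected: Path, scratch: Path) -> dict:
    """Restore into scratch (never over live data) and verify against the manifest.

    Returns {"ok": [...], "corrupt": [...], "missing": [...], "colocated": bool}.
    """
    result = {"ok": [], "corrupt": [], "missing": [], "colocated": False}
    # A backup stored under the protected tree shares its fate with the originals.
    try:
        backup.resolve().relative_to(protected.resolve())
        result["colocated"] = True
    except ValueError:
        pass
    shutil.copytree(backup, scratch, dirs_exist_ok=True)
    for rel, expected in manifest.items():
        restored = scratch / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_of(restored) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: a good backup, the same backup after one copy is overwritten,
    and a drill run with the backup sitting inside the protected tree."""
    base = Path(tempfile.mkdtemp(prefix="drill_"))
    protected = base / "protected"
    protected.mkdir()
    # Constructed sample data standing in for the 'Shakespeare's plays' of the demo.
    (protected / "hamlet.txt").write_text("To be, or not to be, that is the question.\n")
    (protected / "macbeth.txt").write_text("Double, double toil and trouble.\n")
    manifest = take_backup(protected, base / "backup")
    good = restore_drill(base / "backup", manifest, protected, base / "scratch1")
    # Simulate the backup itself being hit: overwrite one copy with random bytes.
    (base / "backup" / "hamlet.txt").write_bytes(os.urandom(64))
    bad = restore_drill(base / "backup", manifest, protected, base / "scratch2")
    # Treat 'base' as the protected tree: the backup is now inside it and gets flagged.
    inside = restore_drill(base / "backup", manifest, base, base / "scratch3")
    shutil.rmtree(base)
    return {"good": good, "bad": bad, "inside": inside}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The drill restores to a scratch path rather than in place, so it can be run on a schedule without touching production data; the manifest is the only thing that has to survive from backup time, and it should be kept with the off-host copy. The `colocated` flag is the "backup on the server that was encrypted" meme turned into a check.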

Now we're going to talk about a real world demo, like I mentioned. How secure do you think our current systems are to threats like ransomware? I know a lot of you have heard about sophisticated solutions. I go to RSA and DEF CON all the time, so I see a lot of demos from vendors showing how they can detect encryption on the system, how they can block it, and that's one of the things I like to test. We recently ran this test with a very popular vendor; unfortunately, yeah, you can tell which one it is. So let's just play it and see what happens; again, hopefully this video will play just fine. Yep, so we're literally executing custom code that's designed to emulate cyber criminal behavior. We're going to be encrypting the files on the desktop, and you should be able to see what happens, if my video is going to play. There we go. As you can tell, it's not going very well, and this is a very expensive EDR solution, for those of you who are not familiar with the market; a lot of large corporations would rely on something like this to protect themselves from the kind of eventuality we just talked about. Now I'm not doing this to necessarily bash a particular vendor or say they're crap, but as you can tell, let's have a look at our files here. So yeah, those are Shakespeare's plays, now encrypted, obviously. One of the things to note from here, and my point is not to talk about specific vendors, but I'm going to point out that this very same code was successfully blocked by Bitdefender Free Edition, which is something anyone can download.

A lot of the time when we're building new technology we're not thinking about whether we're improving on past implementations: is our technology truly a better solution in terms of what we're doing from a user perspective and what's happening on the system? Part of that is because of the same abstraction I talked about earlier: decision makers are so far from the actual endpoint environment that they don't understand even what it means for files to get encrypted, what kind of technologies are involved, what is vssadmin, why do backups get disabled. And we use so many complex terms. I'm sure many of you are familiar with the MITRE ATT&CK framework, and again, an average user looking at that is going to say "what is that?" We don't even use words like "samples" anymore; 10 years ago you would say "oh, I have a malware sample", now you say "oh, I have 15 IOCs". We have a lot of cyber security jargon, we have a lot of terminology, and as a result we're quite detached from what's actually happening at the system level. I think it's important to stay in touch with that, because otherwise you end up with situations like this, where you can have very sophisticated defenses, very expensive, and your files still end up getting encrypted in 2 seconds, no problem, by a ransomware made in like 10 minutes.

So why is cyber security so hard? Part of it is the detection problem; part of it is a mapping issue. We have very complex things, like the three dimensional object you can see in the foreground, and what we're trying to detect with is kind of like the 2D thing in the background. That's our detection mechanism, and the 3D object is the thing we're actually trying to model. Now for performance reasons, obviously, you don't have all the data; any time we build a signature, we're trying to detect something, we're trying to simplify what an attacker is doing, and obviously that restricts a lot of the information we can have. This is the same issue we're going to have with AI models, because we're making a selection in terms of what information the AI is using for its decision making, and that's not necessarily all the information.

This is where chaos theory, one of the core concepts of Jurassic Park, comes in. One of the main things that Jurassic Park discusses, in addition to fractals, is chaos theory. There are two kinds of systems, essentially. There are linear systems, kind of like a pendulum: if you have a simple pendulum, one of the things you can do is predict its future position if you know where it is. You know at a certain point it's going to move in a certain direction, you know the momentum, you know the velocity, the direction; it's very easy to predict the behavior of a simple pendulum. Now if you attach two pendulums, you can no longer predict after a couple of oscillations what's going to happen, and this is true of all complex systems. Like a pool table: if you have 15 balls on a pool table and you're trying to take a shot, it's very hard for you to predict what's going to happen, because it's going to change so much depending on the first ball that you strike, where you strike it, how it's going to move across the table, how rough the table is; all of these factors come into play. Another classic example that's used in Jurassic Park is weather systems: the butterfly flaps its wings in Peking and you have rain instead of sunshine in New York. Weather systems are similar in that they're very complex; you have so many variables, you have the moisture, you have air molecules moving, it's a chaotic system, and a lot of systems are chaotic. That's what this quote references: "Straight linearity, which we have come to take for granted in everything from physics to fiction, simply does not exist. Linearity is an artificial way of viewing the world. Real life isn't a series of interconnected events occurring one after another. Rather, life is a series of encounters in which one event may change those that follow in a wholly unpredictable way." This is something to keep in mind when you're talking about cyber security as well, because we like to think of cyber security as a very linear system: the attacker does this, the attacker does that. But in reality that's not how it works. If an attacker is already at a certain stage, they don't need to go through the rest of the process; every single event is kind of independent in that sense, and it can influence everything else. A classic example is you can have the most sophisticated cyber defense mechanism, but if you leave your passwords on the table, none of that really matters. So we need to think more in terms of the worst case scenarios. One of the funny things is, when I do cyber security tests, a classic defense by most vendors, or most people who are on the blue team side, is they will say "well, this is not a fair test of our system, because our system assumes that you're going to go through steps one, two and three: you have to send a phishing email, you have to get the user to do this, then you have to run the code, and if you're not doing all of that then it's not an accurate test of the system." But the cyber criminals don't care; they don't have to go through a certain mechanism, especially nowadays. They can literally start anywhere.

Now we're going to go back to the fractals I showed you earlier. You remember that confusing pattern I just played: every chapter in Jurassic Park has one of these, and it shows this fractal developing in different stages. As you can see, in the fourth iteration Malcolm mentions that "inevitably, underlying instabilities begin to appear", and this is the chapter where Nedry does his thing; and then in the sixth iteration, when the fences finally fail, it's "system recovery may prove impossible". So one of the concepts Jurassic Park references in addition to chaos theory is the concept of fractals, and fractals are a very interesting concept. It's basically the idea that you can repeat a pattern to get a larger result. Think about a mountain: we've all seen mountains, and if you look at a mountain range it has a certain shape. Now if you look at a particular peak in that mountain range, if you really zoom in, that peak also looks like a mountain range; it has smaller peaks in it. So the idea in Jurassic Park is that patterns repeat, and you can observe this in various trends. For example, stock market behavior: if you look at stock market behavior for a day, you're going to notice that the behavior is quite similar to behavior over a month. This idea of repeating patterns, being able to predict events in the future, is one of the concepts that Jurassic Park leans quite heavily into.

So what can we do about all of this from a cyber security perspective? There are obviously no really simple answers, but one of my favorite answers is this: doing a lot of testing. We need to be able to tell what is happening at each stage, especially at the endpoint level, the kind of situations that we don't really anticipate, and you can't really tell that without actually doing the tests. This is obviously a reference to Portal, for those of you who've played the game. So that's pretty much it. I hope you enjoyed this talk, and I'll be doing more versions of this in the future, because there are so many concepts in Jurassic Park that are relevant to cyber security that I think I could easily fill another couple of hours talking about them. But I'm going to leave you with time for questions, and I also want to say we will be doing an after event for this particular conference; if any of you want to join that, check out our Discord, that's going to be on screen. And with that we'll head off to questions. Thank you.
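An added example, not the speaker's test code or any vendor's detection logic, for the two points the talk makes about detection: the EDR test probes whether a product notices files on disk turning into ciphertext, and the "2D shadow of a 3D object" section explains why a detector built on one simplified observable misses or mis-fires. The block below uses byte entropy as that single observable and shows both sides: a rewrite with random bytes (standing in for ciphertext; no cipher is involved) is flagged, a legitimate compression of the same file is flagged too, and an ordinary edit is not. The constructed vocabulary text, the `os.urandom` stand-in and the thresholds `high` and `jump` are assumptions of this example.

```python
"""Entropy-based 'did this write encrypt the file?' check, and its blind spot.

Added example (not from the talk). One observable, Shannon entropy of the new
contents, is compared with the old contents of the same path. Random-looking
output pushes entropy towards 8 bits/byte; so does compression, which is the
mapping problem from the talk: the detector sees a projection, not the act.
"""
import math
import os
import random
import zlib
from collections import Counter


def constructed_text(n_words: int = 2000, seed: int = 7) -> bytes:
    """Deterministic stand-in for the plain-text 'Shakespeare' files in the demo."""
    vocab = ["the", "play", "king", "ghost", "castle", "sword", "night", "dagger",
             "queen", "crown", "storm", "forest", "witch", "blood", "speak", "sleep",
             "thane", "sister", "heath", "poison", "letter", "murder", "throne", "duke"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before: bytes, after: bytes, high: float = 6.5, jump: float = 2.0) -> bool:
    """Flag a write that turned a low-entropy file into a near-random one.

    Both conditions are needed: 'after' must look random on its own (>= high
    bits/byte) and the write must have raised entropy by at least 'jump', so a
    file that was already random-looking is not re-flagged on every write.
    Thresholds are assumptions of this example, not vendor settings.
    """
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= high and (e_after - e_before) >= jump


def scan_writes(writes: dict) -> list:
    """writes: {path: (old_bytes, new_bytes)} -> paths whose rewrite looks like encryption."""
    return [path for path, (old, new) in writes.items() if looks_encrypted(old, new)]


def demo() -> list:
    """Constructed write log: one ransomware-style rewrite, one compression, one edit."""
    original = constructed_text()
    writes = {
        "hamlet.txt": (original, os.urandom(len(original))),   # stand-in for ciphertext
        "plays.zlib": (original, zlib.compress(original, 9)),  # legitimate compression
        "edited.txt": (original, original.replace(b"king", b"thane")),  # ordinary edit
    }
    return scan_writes(writes)


if __name__ == "__main__":
    print(demo())  # both hamlet.txt and plays.zlib are flagged; edited.txt is not
```

The false positive on `plays.zlib` is the point, not a bug to tune away: entropy alone cannot tell "encrypted" from "compressed", so a real detector has to add observables the attacker's code actually exhibits (rate of rewrites across many files, extension churn, deletion of shadow copies via the `vssadmin` the talk mentions, process lineage) and accept that each added observable is another simplification of the 3D object.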

Oh wow, that's a difficult one; put me on the spot there. I'll probably go with Velociraptors, because in the movies they were pretty cool, and they're intelligent, so they're a lot more interesting than the T-Rex, although I'm probably going to offend a lot of Jurassic Park fans with that answer. Go ahead.

Oh, I was expecting more questions on cyber security; now I'm getting the grand treatment, everybody wants to ask me about Jurassic Park like I've actually been there. The funny thing is I actually did my research on this, and we actually have the technology, so to speak. We've extracted DNA from mammals like mammoths, for example, because they're preserved in perfect conditions in the ice age. In terms of real dinosaurs, I think the real issue is one of the issues that's pointed out in the book and the movies, which is that it's hard to extract enough DNA. Now the solution that's provided in the book is very realistic, but I don't think we've done that yet, which is extracting dinosaur DNA from mosquitoes in amber. So yeah, I think until that happens we won't have a Jurassic Park, but also I think it's worth taking the message from the movies: just because you can, and it sounds cool, maybe we shouldn't be building a Jurassic Park. Questions?