
Bsides Asheville 2015 Opening Keynote - Marcus J Carey

BSides Asheville · 53:21 · 34 views · Published 2018-06
About this talk
Recorded at Bsides Asheville 2015 on Saturday, June 27th, at Mojo Coworking in Asheville, NC.

[Music]

you see that it looks like somewhere we just had a paramedic transferred there that I knew so I was actually publishing circuit actually shut down that's on accident because I pull up the Robert on that side so maybe they were all fine let me call my buddy up a theory put that Robert and uh everything is all good so uh you're doing it top tonight but that's a cybersecurity thing where I started doing contractor or winter her group you know I just employed those innocent about me one of my part-time to happen did you know so tonight the cybersecurity dude at the agency I hope build-up or sock ethnicity and actually build your son yeah well so someone got

to see in the game and just getting into that right print dinner so about five a little numbers needed by my so it was pretty cool because I'm pretty quickly so now we talked to my buddy news and stuff I would be like hey man that's my stuff small room in Rwanda right and my buddy's like is due for my here's composition for me it's a good contractor they've got to be leaving around here or whatever huge contractor and that was an awesome opportunity to continue to support an agency on NSA and immensely hold it up before we start this company so that worked if it's our function and if it's our captioner the vision was

they have two metrics and so they're its optics and the cool thing there I've got a chance to work with like babies hacker Johnny mom and working with Johnny Chernov I think that for Sarah obviously

talked about some of the so they're old think about that was a really talented you might know I got a chance to work with like one of the top of the world

and I get to keep on repeating these people been working with these awesome people so they're the biggest thing that we did there we build a sports qualified Network investigation in that course we build a bit of progress pop up network and initially Johnny was a Houston hacker tiny the phrasing and it's up on another side another we had four acres that we were training at decedent those locations were trying to track down Johnny cool think about it sunny had access the cool stuff but tiny power we could use this malware on the network and imitate the nation states and all that stuff it was absolutely awesome and ain't no giant backpack once you've had

the johnny was going so much maybe somebody to play it's done so that means like Marcus this is raising stuff right so know most famous actors teaching me how to do all that stuff

[Music]

[Laughter]

that's EMS so open it we got a little technical difficulty but you still visiting so in that manner you sure we're there thanks very sensitive of course ridiculous so happy to bid that there are I was like a recommender to do that the program manager well his degree person I would be like the system person for the government contractor happy to do all the recognition people bringing the product this product is the product using my hacker and I will break into a product is for this big enterprise now so other cool stuff well and I got the work of a steam organ music so again a little country boy from Texas this happened to this people not being

working with these influence of people in an industry so I wanted to that the next major thing I did over like to your period what I did is actually write mom tools eventually I got the tips in the mock 37 and this is more my life change and two big wings so yeah there we go unfortunately every time I click like the start or stop the streams at the vines interrupts I'm sorry so a lot of people all the time you don't you need to know the business and it's a lot of interested do focus on the business side a lot of

[Music]

the whole business change my mind I'm not pins so the truth is an ominous I'm a firm believer how did the food is nothing but I believe that information is always instruction policy we also have data of grave damage removal hospital country that's when you don't expire so stuff so some of the thing about that is it's ability for all of their data the problem is this right so if you're finding a

so also another problem that we have is we worry because people are so now and the military so for me it's come up so we did General Quarters on the ship and it was we pretty much have the same standard operating procedures pretty much anything like those prior if there was a you know if whatever was everybody magnetization but and it didn't matter if you focus when you're the type of attack because you give him the missile without the fire you can have somebody if you have a frock-coat you can you know keep doing Friday together so is all of these kind of prices it could happen but in the security role see if I see four are

going towards fun is a program for every attack or detection you're attacking them in awesome where I think this what we should do is rolled it back to later his pump is some things don't change that much this right here the wooden popsicle I can't be laughs this is but everybody looked at us a boxer right

into military so I'm going to go into a couple of thing and how attack the glue and then abundance of business occasion for what that means right from the espionage perspective so it's a Spangler right so I can put this spring bar here to a defective machine anybody seen that's pretty cool it's so you're going to this bring this and break the machine just won't be reaching up to additional targets throughout for that movement did you detect that missus like meaning feasible they can't detected or dependent so what I like to do is I like to look at I did you put a column on that it's put a column on this I'm getting the rest here on web if you

want to do that of course you're good that would be some kind of product being on or something like that [Music]

exactly detective if it happen all right how many people somebody who has never grown up you should be heaven so just like somebody coming up and this is bull reasoning I would this work back from contents and all that stuff because the funny thing about actors is this and this is kinda funny about computers but attackers don't actually write down stuff they're still you never read it would be nice if they said hey I just 86 is I can still this attack is gonna fit it so the truth is it's a box so most of the time that sometimes when I hear people saying because they don't know if the definitely no because I can tell but if we touch I

don't know right and so can you detect going on yeah I think that's a word so you should be introducing right a lot of people can't do that what's funny about that is it normally it would be contractors of the principle the Chinese Network and it was spending so much data they were happy with congestion problems that's pretty well right so it's so much better interpret it was argument to tell Carter didn't get it somebody came in and look at the bandwidth water box boom today right just one afternoon so actors are taking everything so nervous we must find everything again compressing it person it and send it up you know also they're doing stuff like in a

fountain there being a felon with a records I mean how many buddy in a solid that on an hour could you detect the penis how many

again

yeah yeah you should be able to it all stand up so I like these like there's a lot you sign for across the street like Caitlyn community like totally a hard drive traffic over all right can you detect them can you kid if I have a server right there that it's a bleed or rubber somebody did you learn it's always connected to that server good actually somehow Anthony Swissport down to the people whatever's on your network somehow I'm sure but it's a Macbook viruses so there's a lot of bitter XP posting stuff it's going into the network as well but from the most aggressive because if you do have your network locked up so because you can you somehow monitor

post with words like Twitter girl we hear people posting to bother getting data and posting how can you tell if that was like a crazy game up whole super cuts from to propose extending it right right this decision and also the wind billikin is to be able to you got good walk things you got sits along as well because you just can't go out there you know you know being you back room right so it's a in because we have to be able to actually being someone is deaf people are to open up on to the next up also I'm currently happens if you don't have a full packet capture device early afternoon also be able to

do some time bar charts on this larger Sun encrypted still be able to detect all kind of interesting stuff awesome this is the purple purple girth yet the meeting of the crypto in your organization reach them in your network you procure you can't monitor lights up so I I firmly believe and I like a little bit are kept with your networks to people server available and they're going to be using this itself so the property this is a this whole this whole thing of the data classifications right so NSA anybody ever heard of economic loser tonight I want to see a handful it is tell me if you've heard of it so so have you used it before in your

organization alright so listen this is really this is what the stuff is that and actually they have free training back in today so NSA's, one of their core missions is to prevent people from doing espionage and intercepting US companies while absolutely owning everybody else - it's an awesome mission right so so the information assessment methodology tells a business to actually use and they actually use the CIA methodology the confidentiality integrity and availability to actually assess your your organization and it may enforce the proper controls I think a big problem with this whole espionage and people will get getting owned and getting totally owned is because they don't know what to protect so in a good

example of this is if your medical company that mean if your hospital for instance what's the most important thing of that in a hospital so is it the confidentiality of hospital records is this availability of them or is it integrity of them I would personally say in order to save lives confidentiality probably is not the top priority for a hospital because they need to have the they need to have available you need to have the right data prescriptions or whatever and they need to make sure that those prescriptions don't get changed

thing but the information assessment methodology tells you - okay cool your primary security mission on should be the integrity of the data and availability of the data and you can apply that and it's still out there all the documentation and stuff but I think they discontinued that that training for that reasons but it's it's definitely money because that's actually how you how you kind of like fight this whole you got to fight the battle and you have to have a plan you can't protect everything that's why we're losing so this one it comes down right so an idea this is a two-fold like people talk about intellectual property all the time I'm gonna ask question what what is

intellectual property tear someone in here can you give me an example of it secret sauce secret sauce like what a specific example huh formula two coke you're my code source code oh I like that mergers and acquisition that's a really big one right there

supplementation I love this is a good stuff because a lot of times we don't think about it that business stuff is more important than your actual product idea or whatever and I'm gonna I'm gonna break it down to you in the next couple of slides because actually like all the stuff that you do on your network and protecting your network and all that stuff it's just a speed bump because eventually they're gonna actually get in and ever gonna do something right it's just a speed bump also if somebody anytime we release a product over here this worth anything if they don't if the Chinese main practice or wherever else is coming in right if they don't get the

data they're just going to reverse-engineer it anyway it's a speed bump so maybe they get it you know six months before you release it but after you release it they ship one to China and they reverse engineer the whole thing so it's gonna happen anyway this kind of data like Salesforce data this is the kind of information that I would be after if I was I on an attacker if I was a this is the kind of information if I'm if I my overseas competitor this is what I want I want your Salesforce data it's gonna have a lot of stuff in there it's gonna have your customers in there right so if I build a similar product to you

I'm gonna be actually looking at okay cool who's their customers right and I'm so you know who's their leads right how are they getting people to the registers and paper stuff right that's actually more important than actual product itself because you don't sell the product who cares so a really awesome story I was in I was in Norway doing a security training thing so this guy comes up to me said he asked me for advice because everybody thinks something like cool or something I guess he asked me for advice I guess he thought I know what was talking about so he's like hey this competitor keeps on undercutting us on bids it's like what do you mean it's like all

right we send them a proposal and some of these proposals are we're like sole-source they didn't ask for any other solicitation and somehow they are some somehow they found out about the bid and they somebody else comes in under cuttable and so every time they did a bit they actually did fake bids on stuff and somebody in that and they they were trying to undercut the fake [ __ ] and it makes like oh snap like what's happened in here and so I thought that was probably insider or something like that it could have been somebody but but but the but the moment there is like dang maybe you should have like and how they

try the custom is date they try to issue fake fake they try to issue their salespeople like all right boom here is this bit here's this bit is that fictitious bids and try to see which one would come back never heard from them but that's absolutely insane so that's actually that's kind of like what this whole espionage thing is really about it's about actually making money it's not so much about the ideas because I to be truth be told there is somebody executing the same idea all over the place there's a million hospitals there's a million startups there's a million all these people doing the same stuff

there's several people run to him what I'm doing yes yeah that's it you gotta do it better than everybody else that's the mitigation technical difficulties am I good alright because it just with the drop myth

we had a little audio clips oh cool huh I lost control what I'm doing over here oh my god yeah totally jacked up PowerPoint you know I'm saying that's like that's like holding water right Mark something Matt alright so that's it like huh like with Salesforce if I get into your Salesforce and people thought about the cloud stuff all the time most the time we talk about cloud as they let's talk about running your software in the cloud and all that stuff I think it's way more important than like like wow somebody get in my source they have all my customers they're gonna have all my potential leads they're gonna know what bids are thinking oh if the leads

hot or cold they're gonna know all this stuff it's so this is stuff I learned trying to sell software right like it's like wow that's a different way to look at it and as I said they're gonna know your financials and all that stuff so if you're probably trading company the cool thing about that is that there's actually a market that will develop if it's not and I'm pretty sure this is going on already they're gonna be able to trade futures stock and all that stuff and even we've said at one point he wants to create a company called troll troll LLC or something we were something about doing that as like overheads for kind of situation for for

when somebody's breached or whatever but the truth is like the people that are actually doing this this really likes corporate espionage type stuff they can actually resell this data and you will never know where the data came from right they just say oh I have a good hunch and once somebody if somebody proves that they have good hunches quote-unquote they're gonna make a killing so that so that legit data dummy that stolen data is going to be in turn used to make money like that's worse that's where it's going and I'm pretty sure that it's already going on if you look at some of the the if anybody that bids on a contract relating to China they get

owned right and in there there's been I've seen an article saying that the China China is using using that information to actually do bit to get people bidding wars and drive the price down but the truth is like if companies pay for leads all the time like leaves in and so how do you know where that data is coming from you fool me how do you know I think there's a definitely a market for launder data bidding information things like this who uses box or or Dropbox anybody use these right so so the problem the problem again is it's not necessarily a software none of that stuff but once they get on here how do you

know when they're logging in you lose some kind of control I'm not saying don't put stuff on box of Dropbox but if one of those companies get owned all your data is all your data is definitely gonna be out there right and so it's just coming to reality like okay cool what then what like what's the worst that's going to happen then github a lot of people write software there's private github people use these things toilet um and some and most of the time people talk about IP they are talking about you know code or whatever right the thing is these people everybody's gonna get owned and when they do get on you're gonna find out so

you can actually do a Google search for who's using Dropbox who's using Dropbox because they like to brag on who's using them you can say who's using github and you'll find a page there's a lot of government agencies that using github but no I mean I don't know what they're using them for what if somebody compromised like you know some government organizations github right change some stuff you know whatever and then we submitted it back to the repo and then next time you do a push boom they push the bad stuff up there stuff like that can definitely happen because it's yes that's the kind of stuff that's like wow this is you're like really getting crazy with all this

outsourcer so it's not going to change the nothing you can do about it just realize that that's the possibility it's probably going to happen in the future anybody use slack so people use like slack again is one of those things slack got compromised a little bit ago and so they're gonna they're gonna have not only you know they compromised you they're gonna have access sometimes your corporate communications and such and the big thing that's coming up I swear is is this is it it's this is laundromat he's so many people being compromised by so many different events now I'm not sure if it matters even if people get compromised again like the OPM where they compromised banks and compromised

health care compromised and then every time like oh my god they're gonna get have all this data they already have the data like the only thing that OPM probably revealed was stuff like Affairs you know sexual preference stuff like people stuff that can embarrass you but most and other stuff is already out there on internet somebody already has it it's to me it's been too many dang breaches right and uh what what how do we how do we what do we do about it right I think and this is like an international criminal court logo but it's like international law has to kick in at some point and so and I think that the US would be best instead of talking

about cyber war and all that stuff I think we need to pursue these things in international courts because that's the only way you're gonna be frightened for like if you have a patent on something or somebody totally rip you off you're gonna have that's a let's look actually a legal fight so we're gonna have to have countries like China really cooperate with us on things like that and I don't I don't think it has nothing to do with cyber at all I don't think you have to protect as long as you can and then you have to classify data protected as long as you can but the data is definitely going to be compromised at some point I'm not saying

defeatist I'm not saying you know we're InfoSec defeatist or anything the date is going to be compromised and we have to be able to find out okay what's the next business everybody's talking about OPM right now there's like men there's so much owned it's going on bro I like in general it's ridiculous but as a business what we have to do is we have to like think like what's the worst-case scenario let's classify stuff and win it stuff perishable because there's you we have to set personable stuff like for instance like if I have a big marketing campaign kicking off from I'm a software company I want to keep that under wraps but soon as I launch it I don't care

about it no more but what's happening is they launch it and he's still protecting it just like anything like like start like you got it you gotta say okay cool this is not cool this is totally unclassified right now we don't care it's not business confidential anymore so this book is absolutely awesome anybody I've seen this book man this book will change your life it changed my personal life and it changed the way I look at InfoSec because the whole thesis of this book is assume the absolute worst that's gonna happen and then work back from there right I think we have the opposite of it you like the book yes yeah so that's how

I think the security personnel and security groups needs it like look we we we want to protect we want to protect as much as we can but assume the worst you know if we have a total massive breach this is how we're going to respond all right and I'm talking about from a business level down to the PR down to the media down to whatever corporate comms I think you should have a can letter ready to go for for when you get when you don't and by having a good technical controls and technical good technical systems and IDS's IPS and all that stuff you can do a great incident response to get them out of your network and then you have to

start over again like you know in military like we practice on a ship I was on a destroyer we had emergency destruction procedures like if our ship ever you know sunk or something like that alright and I'm and it was actually some shipmates of mine when I was at Fort Meade you remember when the p3 went down and our in a China so so in a military we assume that once a device is in the hands of somebody else it's completely compromised game over and so the same thing with with some something on your network and this is what makes me laugh about us what we call stunt hacking it's like if I have a

medical device and I completely control the medical device of course I should be able to hack it because that's just the way it is and in the military that's how we think it's all over what do we do now do we do we got to issue new crypto we might heck if they get the crypto gear we have to is we have to obsolete their crypto equipment that's all right that's how it goes in the Navy like hardcore drastic like that so this book I highly recommend you can read it it actually to be real on you can actually listen to it on you YouTube you can actually do an audiobook on YouTube just pull it up type that in and you can

listen to the audiobook it's probably highly illegal or something but you need that in your life so it's pronounced elleny may be a misdemeanor but whoever uploaded that's their problem alright so here's a little bit about us, vThreat I've gauges back in the pink shirt very manly have the pink I can't do it salmon alright yeah all right so vThreat you can you can follow @vThreat, marcus at vthreat's my email address that's me on Twitter people say I'm hilarious some people hate me on Twitter but I have fun so and also we have a we have a little bitty table back there come back we'll show you what we're doing with our

product that's it hey thanks for listening and we're gonna any questions

[Music] [Music] world where people start developing their own OPSEC and start putting out you know I mean there might be marketplaces for this try to put out information that is incorrect as far as their PII just to see that you see what I'm saying okay I can actually see that maybe being an endgame here that they're actually they're actually starts being you maybe even businesses that will put out incorrect information PII about you to confuse these people

they can try and track down the sources so absolutely is happening yeah so you know another thing is like I always thought like stuff like that if I were like in the Intel can still if I was like feeling kinda intellij see I would totally like pay spend all those different things I would totally own all those I was if I was military I would put that I mean there's so many things I would do if I was still in the Intel game and and stuff like that I love that stuff a couple of years ago I released a tool called HoneyDocs to you know to have the docs huh yeah so HoneyDocs was

something I built to do call backs people can download a document if somebody breached it you just put on the server and it would it would dial back it would call back home and do geo geo coordinates for anybody to open up the document that's something I did a while ago [Music] no and when I called them on it they're like oh well you know yeah so so like in a in this game like in a security game and like the biggest threat to any business is somebody like I said it's the business process like the like anybody tell you anybody wants to show how the profit anybody watch that show man yeah I love this show like it's on

it's on MSNBC and if you look at that he said that the any business is based on three things he talks about people process and the product like the product anybody can clone your product in no matter but it doesn't matter too much about patents and all that stuff anybody can deliver the product you have like so what you have to do is you have to have the best people and you have to have the best process that's how you have that's how you win a cybersecurity game it's not about that's it and remember that we help it's a business you execute by protecting their data as long as we can and that's what I did in

the military are protected this data as long as I could so troops can get out there and and fight the war so the same thing with information security people protected as protected as long as you can so your company can execute its plans and that's how you that's how you fight cyber espionage that's how you in general that's how you fight to intersect battle any other questions comments

so we talked about like protecting software and platform and hardware but don't you think we should be protecting behavioral patterns of the users themselves more importantly considering that 90% of your breaches originate from people shouldn't be worried about who's using the key rather than what key was used an example Snowden once again compromised a bunch of systems you had legitimate user names and passwords for these users none of the systems would have caught him because he would have fit the profile and said yes he had authentication rights rather than looking at a behavioral pattern that here's somebody using this authentication in their originating from a network segment that it shouldn't have been there yes my question is why don't we

focus more on the behavioral processing of the users rather than just the data well let me let me answer that's kind of but it's a trick question because that's what we built yeah yeah so so so on that I see a lot of people there are it's a that's definitely if you need to go to RSA yeah so that's actually a major major movement yeah yeah so that's a major that's a major movement people are doing like behavior analysis and that's right so if somebody has legit credentials they're coming from Hawaii and Snowden's case they're accessing something this is for me something in San Antonio or something in Georgia yeah that's a that should be a red flag right

so yeah so behavioral but again log all the things right you have to have logs you have to be able to to execute you have to have a good process in place right in it's all about process and tools software can definitely make that easier right so yeah just have a good process to do that yeah that's that's basically the same idea the problem is people suck at being consistent you can baseline the living hell out of them and one minute you pay people suck at being consistent you can baseline them to hell and back but will they be consistent about their behavior or will you be chasing false positives all day long so the question is process and

behavior it's not just a behaviors not just a process it's a couple so even like in the Snowden case Snowden actually if I think about the behavior to myself if I think about it he's in Hawaii that's like a at least probably eight hour time shift from the East Coast or some something ridiculous like that I lived in Hawaii I was stationed for me so I mean I was stationed at Pearl Harbor on the ships so that's an eight-hour time shift right so if he's have using credentials at Fort Meade like it has to be some kind of analysis saying look this person is logging in this person's usually a day worker whatever at support right there longer

their hours are right right here we have somebody that obviously Snowden would have been I don't believe he was that smart to go in on office hours or nothing I don't think he'd have been doing that but there should have been there should have been something I'm there I'm telling you right now I know from experience that there's different ships right so in some of the stuff he would haven't been accessing that stuff that wasn't like 24 hours ship type people like there's only a couple of people at the fort they work all the time those are sock type people and all that stuff rest everybody works the other day all right cool all right we

shall be conversation later so the hard part of this talk was me not I don't sometimes I don't know where I learned certain information from so if I weren't learnt it from my old life that's like I bet not including that stuff it in this talk so yeah so there's a there's a lot of a lot of cool stuff going on at the Fort I believe at the end of the day I think that they're trying to do the right thing but sometimes money gets in the way like contractors and stuff so that's kind of pretty much what I think about for me we're good alright appreciate you guys this coming up

you [Applause]