
...but shower here, who will be presenting on... that's not how this works. So anyway, that's interesting. I've been doing UNIX system administration for 15 years now; first thing to be any fun to a little bit, we had a little bit of Solaris going on, seven related joins to heaven conventions on the ground, something generally more interesting about how a routine would operate. So what I've been trying to do recently is bring that, and all those, back to the way we operate. There's a blue team, so this is a generic system, and here's something like this: once you become aware in your environment, you are aware of how... I'm sorry, but not actually sorry enough to know how atrocious it is, your long tail, and absolutely uncatchable, the stuff that you can't get rid of. It's actually reasonable not to at any point of time. I went for an accompanying that I will... They have also kept illogical early adopters, so it's not like they think orchestration promotes a coal; I think Puppet's good, and then they think as well as just slow down a little bit. Great.

I mean, also bring your own device. Hopefully every so often, back in the day, you used to get our internal network taken down: someone would bring an Apple in and the Apple device would just say that it was going to DHCP everything, because they know, wouldn't you, that kind of thing. And then you're like, oh, these things are really terrible. I know they're terrible because I go to hacking conventions and I do that a lot, because I recognize my environment in them, and it's like, well, maybe you guys could just burn them and that way I would get some recognition and I can fix them, except you don't. So it's fine, we can totally do this ourselves, like we don't need you; none of us even lift, really. So I just didn't play the pudding in the rain.

But then you get hit on the on-call, which I think most people here will be familiar with. In response to Aurora, Google started rolling out a zero trust network solution, and then you may have devices that have a level of past users, it had a level of trust, but that is to me every day when it gets hostile. And it's really awesome that the documents on the net came about, it's really awesome. And then you rate things like: you consider your actual resources and the stuff you have to actually do for your day job, without actually getting to unify a new way to do perimeter access, much less ignoring it. And then you consider this bit, which is: Google, even Google, required a very public owning by a nation-state (it was China trying to go all the way into Google's desktops) before they did this, and it took them years, and the documents say that it was very complicated. And then you realize that you actually made the internet some interesting twist it up... a throne taken from my quick is a loss, then, oh, maybe I thought there this is more of us.

So this is stuff that we can actually achieve. Most of the stuff that I'm mentioning here is not stuff that requires much buy-in from management stakeholders; it's stuff that you can do as sysadmin on the down low if you need to. But even Google needed to be owned by a nation-state before they were willing to do this, and it needed buy-in, and you may not get that, but you can definitely do some things that will help your environment. Because even though phishing is a really good way to get credentials and own stuff, I'm not going to be mentioning it in this talk, because it is a thing that I would feel immensely uncomfortable to inflict on the rest of my company without getting going here.

Right, so this thing, it would be, yes, right, just always vent: find out what information your company is leaking on the internet, what is publicly available. I mean, we started doing it because we were like, what the … are you putting on GitHub? This is an internal project. Like, how would the PMs tearing documentation with the clients, and the answer was a Google Doc, and you're just like, please don't do that. So there are a real number of different ways to do that. We were just grepping Pastebin for a bunch of keywords and our network ranges as well, just lets my PA range is that I'm turning up one tune in. We've got a few things that way, and you just sort of, like, with the elbow, and you're like, well, what were you even thinking, could you not do that. We have an eternal ice, but you could use that, it's imprinted.

The also we look over you is this: this is not your perimeter. Your perimeter is basically undefinable; your perimeter is somebody plugging in their phone to charge it in a conference room. You cannot control it, you don't know what it is; it's a lot more permeable than a traditional source, and under like to ignite. So the number one thing that I'd like you to take away from this talk is: you know, you've set up this, you know your environment, and if you don't, you're a really shitty sysadmin; manage to go back to Java.

You know where the weak points are, and you know where the weak points are that you can't easily fix. Like, you might be able to just upgrade a box in place, the application on that will actually work with the latest version, and there might be stuff that's business-critical that you've actually found to the touch, but you know where it is, you can sandbox it, you can segregate it off. And the other thing is: if someone is attacking those things, how do you make that more visible to you? As it's a seven, be the change you want to see on your network. Most of what an attacker will try and do is get creds and own stuff. So the creds might be obtained via phishing, they might be bad password management, they could possibly get Active Directory and crack that, and what still kept those local trying and riff around and start to network, or use the creds to break out of the sandbox. I would like to think you can stop it completely, but I don't have that much sustain in that, and our ability to see that complex things in a way that is pretty foolproof. So what I would like to do is slow them down, and then once it's slowed down hopefully they'll have to take risks, and then you've got more time to detect a breach, and there's more chance, both in making a screw-up, it'll become visible to you.

So we're actually getting kind of good at this, at hardening targets. There's a lot of appliance-level things that you can put in, some lots of concepts like least privilege, defense-in-depth, we've got the CIA triad (confidentiality, integrity, availability), authorization versus authentication is a well-known context. But the thing that we're not actually that good at yet, and that I think we need to get a lot better at, is: you need to harden your targets, but you also need to look for evidence that someone is trying to hack them, and that's not a thing that I think we're good at. Yeah, I mean, we've got some SIEMs, but most SIEMs I've had occasion to look at are not actually tuned that well; there's just too much information going into them, a lot of it, but not enough of it is useful. It's a way of increasing the situational awareness in your environment.

When it comes to discovery, this I'll take from the Verizon report: it still takes people about a month to notice the average breach, and there you can see, like, at least nearly a third of all breaches are sort of detected by third parties, probably noticing there's a problem with the citizens, you know, that's not right. You shouldn't have one of three breaches detected by somebody else using new stuff; you should be able to figure that out yourself. It in New Zealand now, that we... should we go on, it's pretty great, instead of putting the information on New Zealand-specific breaches, which is very cold by a quarterly report. You should be reading it; I believe Verizon has been doing this for ages, and yeah, you should be reading their report every year, it's really good. But it would be nice to have so much fun with anything but particularly susceptible check.

So the whole evidence of absence, it's not... the corollary to that is: even if you've got the logs, nobody reads the logs. I think it might be just my opinion, but an engine that comes in through an automated email is... that's useless, unless you have like that one guy that actually says "I go through my check every day". If you actually have that guy, raise until they can leave. So their way is: alert as much as you can. I don't really care how you do it; you can get someone if you want, just buy an officer or by an options a shell thing, there's a bunch of free and open source things to do it as well. I'm gonna be mentioning a fair amount of products here that I feel agnostic about; I don't really care what you use as long as you use something. So Graylog too, you can customize your own ELK stack. We have managed to get extreme for our SOC, and then sometimes you put a kitten livestream on it; it's not what it's for, but it's pretty great.

Visualize as much as you can; it's a lot easier for humans to just look than too much of any other information like that. If you have fail2ban logs, for instance, which is a really handy thing: if someone's trying to very foolish nice association, it just bounces them automatically. So you hit that, or you have a visualization of those, it's a lot easier for us to parse, which is why: visualize your logs as much as you can. I think it's a waste of your time just to go through every single email every day.

So one of the things that you should be looking for is abnormal behavior on your network. This is the sorts of DoS; if you put a single site, just put on that plate, that's fine, I hear, or any kind of testing environment, and you need to take care of something before it takes out malicious at the sites on your network and your network itself. Yeah, you should, I mean, this is really, really obvious when you make it a visual representation of inbound, outbound, national and international. It's the sort of thing I have on a dashboard, sort of like takes over, and you see a spike, you're like, wait, what? I mean, we've made it so simple as: follow it up, say what kind of traffic it is, is it like a SYN flood or whatever, and we've tracked it down as fast as we can without having to tcpdump on particular interfaces at 3:00 in the morning, which makes you really proud.

Shape there, and I think there are other things you can do too much in it. Websites... Bro IDS is pretty good; it's open source, Unix-based, it's just best betting port with packet capture, but everything will help if you know that you have an incident and you turn it twice a baby. There are even services that will monitor your BGP prefixes for you and send you an alert on your BGP changes. Like, in my experience it's mostly because I've screwed it up on our front end, but it's still pretty handy to know where, and so you can just fix it as fast as possible.

Now identifying the weakest member of your targets. My speaker notes are not turning up anymore, I'm just gonna be making … up from now. Hey, just keeping your inventory running; you have one thing that does that, it's really useful, that we're trying to integrate. Wait, we're doing things as they make a distinction between the device, which is like the physical hardware, and the host, which is the operating system and the software that runs on it. So they might know that this is my laptop, but there was her care in a separate students whether the last meaning the last time I patched this laptop, which... So we try to split that out into two different kinds of inventories. One of the other things that it's really useful for is that we get metrics on how fast we patch things: we put a list of service and absolutely critical only front element, put it on the engineer and we do them as fast as possible every game, but we can track how fast we're getting at them, and make sure that maybe you can also track your long-tail problem clients that don't like to schedule an outage one day because they're really super important, and also they never tested the idea, so they kind of fell over, to make sure that they have continuous uptime. There is something like that; it just relentlessly had to patch through some that fall through the cracks.

This is the stuff we use at work that grabs stuff: osquery, which is pretty cool, but just get it started as well, which is the sort of thing that I was talking about with the difference between person and device. I noticed that you personally have got devices, pretty handy, but it assumes that users... it's sort of user-directed, and it assumes that they will be catching this stuff, which is not actually an assumption that I feel safe tonight. Remember, and the requires that I kick around out there, what kept them, and still got running Gingerbread, oh, something like, I wish I was...

ChatOps is really, really good at making server events personal to you. We're using Matrix because it's over token sorts of federated; if you don't want to use regular, you can use Slack or HipChat or whatever, there are lots out there, them through the most everything, and they're really easy to program. But you also have some political diehards that will be like "IRC until I … die", but I see it easy to write bots, so anyway they can suck it. ChatOps works for me and I like it. So again there's also this, which is why I personally don't like Slack and why we're using Matrix with federated servers distributed geographically, so if you can't think to one what we want me to start with it at all, but using something that's better than nothing, to give it'll quite the same thing. They can be really, really simple: like, Def Con has got a personal event scripting thing where you can just, you can hook anything. This will just tell you, will store the thing, the last IP that you came in from, and if you come in from so many different IPs it'll tell an administrator; you can just push them to a channel. When your light won't that, that's such monies, I pay, I don't understand why you would be coming in from there. It's a push notification. Start with: wait for yourself to read the logs? Because, you'd like, that's a month the average breach detection takes; you need to know as soon as possible if you want to limit their access to your network.

Make it more complicated. Another third-party thing there's your which will again do IP locking: if you know you're not expecting someone to be logging in from some other place, they don't get to log in. I mean, it's actually relatively easy to set up, but it can make a big difference to how complicated it can be to gain access.

Multi-factor authentication: I mean, most people I know have it somewhere, but it's kind of, it's pretty hard to use, and therefore hard to roll out to an entire environment. We, but wait, sorry, at work we ended at home, there's no myself like shooting argument about whether or not you could use one on trt paid was good enough or whether you should go fully beekeeping anything, but like Google Authenticator on your phone, it's better than nothing; it's free, just use it, it will send to almost everything right now. And if you can't multi-factor everything, something is better than nothing. If you can't force it for everyone on a service, then make sure that any most-privileged users are forced to do it.

So this is about honeytokens. I just thought this was the perfect slide for it. Honeytokens are things that you put in your environment that, when they're used, they set off an alert, so the belly doesn't use my and they use but they're in their abuse their own, like a canary value or a honeypot. But they can be something like putting a file in the root user's home directory that says "database passwords" or something, so if someone opens it, tries one of those, you get an alert, because no one legitimate would bother to do that.
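Three of the alerting ideas above (remember the last IP a user logged in from and alert when they turn up from somewhere else or from too many places, a decoy account that nobody should ever log in as, and a honeytoken file in root's home directory that alerts when read) are shown together in one added worked example. This is not code from the talk or from the speaker's employer. It assumes sshd lines in the usual auth.log format, auditd with a watch rule on the file, a hypothetical decoy account name, and the log lines below are constructed.

```python
import re
from collections import defaultdict

# --- Constructed sample input (not from the talk). ---
# sshd lines as written to /var/log/auth.log; IPs are from documentation ranges.
SSHD_LOG = """\
Oct 12 03:14:07 bastion sshd[1201]: Accepted publickey for alice from 203.0.113.5 port 50122 ssh2
Oct 12 03:20:41 bastion sshd[1233]: Accepted publickey for alice from 203.0.113.5 port 50190 ssh2
Oct 12 03:55:09 bastion sshd[1260]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Oct 12 04:02:13 bastion sshd[1288]: Accepted publickey for alice from 198.51.100.77 port 41002 ssh2
Oct 12 04:09:30 bastion sshd[1301]: Accepted password for svc-legacy-backup from 192.0.2.44 port 33050 ssh2
Oct 12 04:15:02 bastion sshd[1320]: Accepted publickey for alice from 192.0.2.91 port 41500 ssh2
"""

# auditd records as produced by a watch rule such as:
#   auditctl -w /root/db_passwords.txt -p r -k honeytoken
# (file name and key are hypothetical; the records are abridged).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1697080447.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4100 pid=4105 auid=1000 uid=0 euid=0 tty=pts0 comm="cat" exe="/usr/bin/cat" key="honeytoken"
type=PATH msg=audit(1697080447.123:456): item=0 name="/root/db_passwords.txt" inode=1313 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1697080501.900:457): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4200 pid=4201 auid=1000 uid=1000 euid=1000 tty=pts1 comm="vim" exe="/usr/bin/vim" key=(null)
type=PATH msg=audit(1697080501.900:457): item=0 name="/home/alice/notes.txt" inode=2222 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
"""

CANARY_ACCOUNTS = {"svc-legacy-backup"}  # hypothetical decoy account: nobody should ever log in as it
HONEYTOKEN_KEY = "honeytoken"            # the -k key from the audit rule above
MAX_DISTINCT_IPS = 3                      # "if you come in from so many different IPs, tell an administrator"

SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")
AUDIT_HEAD = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\):")
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def login_alerts(lines, canary_accounts=CANARY_ACCOUNTS, max_ips=MAX_DISTINCT_IPS):
    """Walk successful sshd logins in order and return (kind, user, ip) alerts."""
    last_ip = {}                  # user -> IP of their previous successful login
    seen_ips = defaultdict(set)   # user -> every source IP seen so far
    alerts = []
    for line in lines:
        m = SSH_ACCEPT.search(line)
        if not m:                 # failed logins and unrelated lines are ignored here
            continue
        user, ip = m["user"], m["ip"]
        if user in canary_accounts:
            alerts.append(("canary_login", user, ip))
        if user in last_ip and last_ip[user] != ip:
            alerts.append(("new_source_ip", user, ip))
        last_ip[user] = ip
        seen_ips[user].add(ip)
        if len(seen_ips[user]) == max_ips:   # fires once, when the threshold is first reached
            alerts.append(("too_many_ips", user, ip))
    return alerts


def honeytoken_alerts(lines, key=HONEYTOKEN_KEY):
    """Correlate SYSCALL and PATH records by audit event id; report reads tagged with the honeytoken key."""
    events = defaultdict(dict)    # event id -> {"auid", "comm", "paths"}
    for line in lines:
        m = AUDIT_HEAD.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
        ev = events[m["id"]]
        if m["type"] == "SYSCALL" and fields.get("key") == key:
            ev["auid"] = fields.get("auid", "?")   # login uid survives su/sudo, so this is who really read it
            ev["comm"] = fields.get("comm", "?")
        elif m["type"] == "PATH":
            ev.setdefault("paths", []).append(fields.get("name", "?"))
    return [("honeytoken_read", ev["auid"], ev["comm"], path)
            for ev in events.values() if "auid" in ev
            for path in ev.get("paths", [])]


if __name__ == "__main__":
    # In production this is the point where each alert gets pushed to a chat channel.
    for alert in login_alerts(SSHD_LOG.splitlines()) + honeytoken_alerts(AUDIT_LOG.splitlines()):
        print("ALERT", *alert)
```

Feeding the constructed logs through gives one alert for alice's first change of source address, one for the decoy account being used at all, a second address change for alice that also trips the distinct-IP threshold, and one honeytoken read by login uid 1000 using `cat`; the editor session on an unrelated file produces nothing because its SYSCALL record carries no honeytoken key.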
Does anyone want to argue with the slide? Yeah, it is, anybody, would anybody like to argue whether... and actually can't. Yeah, so attackers like to get creds and own stuff, so you can use this against them. I knew this: CloudTrail is a really cool thing that you can use for compliance auditing of your AWS account, where you can monitor and retain the account activity for it, and SpaceCrab lets you, I don't know, paste AWS tokens into IRC and then see which one of your friends was … enough to try them. Example may be taken from the place: use their own tools against them, which is another pretty nice excuse to go to a hacker convention, because you're learning new things that you can use to secure in their wigs.

Although I'm actually an open-source person, I don't really want to talk about Active Directory because it's horrible, so we're just gonna talk about Active Directory space. You also did, but BloodHound is a really cool thing that you can use; it uses graph theory to map out the relationship between an account that they might have access to and to get into my network, and that begin graphically. You can use this on your Active Directory, there's nothing stopping you there, figuring out what an attacker might do, and they just be like, it never sucks to be different. One of those accounts could be a canary or something that says, let's just... the waited to make this as would be the shortest possible to maintain Minh. Someone tries to actually access something using that account, it alerts you, and you have visibility of somebody doing something dodgy on their network.

So the big idea: if you know what they might be doing, and you should have a pretty good idea by now, could you tell if they were doing it? Can you make it as easy as possible to tell if someone is doing something dodgy in your environment? Plus, this means you can keep going to hacker conventions. So how to do these things: to scan as real fish your eye is entering an alert, like, assuming it's only, it's like grass; the grass might look nice, but if they don't just buy anything as useful for you, it's worse than useless; it's taking up space that you could have dedicated to something that you actually need to care about in your environment. I guess they would if you just use it to, like, have a nice dashboard that's not there when management comes through, that's different. But like you could have, oh, I don't know, external sign-ups, I'm just like, sorry, sign-ups to see your external GitLab, something taken from the news, that might be the thing that you really, really care about, like who actually has access to the repos and have your devs locked down with every part well enough, that kind of thing.

And a little note: push the alerts; don't rely on yourself to email their files, because you won't. I daren't their feet, that's pretty boring. The other thing about this is when you're tuning it: I found that false positives are actually really, really useful. Most of the weird stuff on your network will be devs, because that's what they do; well, most of the activity in your environment will be the idea of doing something, or a subset meandering something, that's just statistics. But if you find a false positive you could treat it as real and go into it: like, if this was an actual intrusion, would I be able to trace it back to the source? What information is missing? What extra logs do I need to hand then, or visualize? What was being a nice choke point, I mean, it would stop them. So you can use them to figure out the limitations of your system before it gets real.

The other thing is using yourself as a test case. We do that at work all the time, partly because as a systems administrator I'd agree on about 3000 boxes, give or take a server, I would be a high-value target, and seeing me, because if I want to, and I really do want to, roll this out to a different company, I need to make it as seamless as possible to as many people as possible. So if I start doing it just to myself, I can then make it easier for myself, because I would like that, and then make it easier for them to use as well when I can get that little bit forward. Like, most of those two-factor integrations we thought out ourselves, but people are now interested and not affected all that's thing. Now we have horse way the people that don't actually need to, so again access to the systems that have just installed Google Authenticator on their phone and a unit every single time. So you lower the barrier to entry for people that aren't as technically literate as you, so they would just disrupt the productivity of the company as little as possible when you do get to push out the barriers a little bit further.

I wish there's other stuff as well. I would seek regard ourselves opportunity for appeal and all this sort of stuff that just makes it harder for somebody else to gain access to us, and easier for us to tell if they are, in fact. Check, they use the tools against them; it can be like just in men the BloodHound, you know, anything like that, you know what they would be using, so use it first and then fix it like this. Yeah, the other concept, as it appears to be for people that I ran that was talk against other things, no, I said many things.

There's a kind of thing that I was kind of hoping people would laugh at; I'm kind of hoping that you wouldn't think, I didn't want it to be normal, but yeah, it works, it works okay. That is pretty much it. Thanks to some people, and yes, very middle stone was my conflict of interests, which brings me to my actual ending slide, like dirt dissing.

Yeah, I gotta say I like that ending slide. I did he write with quietly first just to catch on that, no, I don't... any questions from the audience?

Okay, so we asked at the beginning, I said conversations with management, like, this is the sort of thing you need, this is the kind of thing you need to enforce with him. That it was a lot easier to go to the inland had already used those houses case cases, saying, well, this is the things that we could, because the miserable things that they did, and we've already tried it, but a present for thinking teams, and they found that it was very useful to them but not very hard to use. So use yourselves as guinea pigs as much as possible; there was the way you say you can be physically present with them after you … up a walk, as saying if you look a lot better.

Okay, thank you very much.