
All right, so it looks like that's most of us who are going to be here today this morning. Welcome to our first talk. We've got Brian Contos, and he's going to be speaking on "Hacking Demos, Dirty Secrets, Dangerous Lies and Asset Intelligence." Welcome, Brian.

Thank you, thank you, thank you. Can you hear me? Testing. Yep. All right. All right, you guys ready to rock? Right, you wanted the best, they got stuck in Atlanta, so you got me. So let's jump right in.

A little bit of background about me. So I've been in cyber for about 25 years, and you're like, "Oh Brian, you look so young and not at all overweight or anything, how can that be?" No, it's true, 25 years. I've been building startups for most of the time. I started my career with DISA down in Fort Huachuca in Arizona, and then I went to Bell Labs. I moved to Brazil for a few years, but when I came back to the US I just started building security companies: Riptech, ArcSight, Imperva, Solera, Cylance, a whole bunch of companies. I've had, let's see, two IPOs and eight acquisitions, or as my wife measures it, about five pounds per company. Joke's on her, it's closer to six and a half pounds. I wrote my last book with Bill Crowell, he was the former director of the NSA. Dozens of people read it. It was very verbose; it could stop a low-caliber bullet. And I recently did a documentary on HBO on cyber war with General Michael Hayden from the CIA and the NSA. That was such a hit that the producers didn't even renew the domain name for $10. So that's a little bit about me.

So we'll start where any presentation about cyber should start, which is the Greek Empire. So, you know, at the time, from a technology perspective, the Greeks, man, they were the bee's knees. Nobody had anything on them. They were so advanced, so sophisticated; in fact it's been postulated that had they not been sacked, by 1492 they would have had a manned expedition to Mars. Now my dad told me that, he's from Greece, so consider the source. But they were still pretty advanced. They ruled the modern world, and they pretty much ruled the modern world with iron and bronze, and they had a phalanx unit, right? Did anybody here see the movie 300? So they had iron, bronze, and they had abs of steel, as all Greek people like me have. I just have a protective layer of karate fat as well. But they were very successful until the Romans came along, and they had this new thing called steel. It was low-carbon steel, but it was still steel, and they had this sword design called the gladius sword, which was actually taken from a Spanish model. By today's standard it's not super technically sophisticated, but back then that allowed them to completely change their tactics. So they didn't have to fight in a straight line; they could flank, they could fight in the hills, through the trees. It wasn't just one giant unit you were going against. So it really allowed them to gain advantage, and we see that with all sorts of technology.

Now we jump forward quite a bit to Turkey, the Ottoman Empire, 15th century. Now the Ottoman Empire did not invent gunpowder or the musket, and they weren't even the first military to use the musket, but they were the first one to embrace it in force. And these weren't very good muskets; they weren't even rifled. So when you would fire a bullet, maybe it would kind of go the general direction where you thought it was going, but if you have a thousand people, statistically someone's probably going to hit somebody else charging at them. Now there was a lot of complacency on the other end. The people fighting them said, "We don't need to use these muskets, we'll use longbows and spears and swords, things we've been using, tried-and-true, tested solutions." Well, the problem with that is when you bring a sword to a gunpowder fight, it doesn't really end well. So that complacency on the other side really took effect for a couple of reasons: one, they were outmatched, but two, you can teach somebody to use a musket pretty successfully. They might not be the best marksman, but they know how
to use it in a week or two. To be really effective with a longbow could take years, meaning that if you kill somebody that fires a longbow, it's going to take a lot longer to replenish that than it does somebody using a musket, just from an attrition perspective.

So on the other side of this we have World War II, but before we get into World War II, let's talk about World War I. During World War I the British and the French each had about 3,000 to 4,000 tanks each. How many tanks do you think Germany had at the beginning of World War I? You can just yell it out. Zero? Pretty good, actually. They had 20. They had 20 tanks and they were shitty. They used communication with carrier pigeon, not very good, not very effective, especially in the middle of a battlefield, and they essentially would hold somebody in place long enough to get blown up. That's what they were good at. But somebody was in that war named Rommel; later on he was given the name the Desert Fox. Rommel said, "This is the new new. If we ever have a war again, we want to build tanks." So after the Treaty of Versailles, the world said, "You know what, Germany, you tried to take over the world, we're not going to allow you to build tanks." Germany said, "Okay, fine, we're going to build tractors, and this farm is going to build a tractor and that farm's going to build a tractor. Oh look, if we plug them together they're not a tractor anymore, they're a tank." So when they entered World War II, how many tanks do you think Germany had? 2,000? 160,000 tanks and other armored vehicles, or a ton of tanks. So they're literally 54 tons each and they held five people. Has anybody here seen the movie Fury? The Panther and the Tiger completely outclassed US Sherman tanks. They were really spectacular on paper. They were like a fine-tuned clock, which is great if you're a clock. It's not particularly good if you're driving through mud and over rocks and being shot at all the time. So it became really problematic, because these things would start to break, and when they broke, this is really the failure: they assumed that if they built this massive tank arsenal that they would have the supply chains to support them. Well, when a US Sherman tank got blown up or broken or something happened, they could fix it in the field, and if you could drive a car you could drive a tank; they're very simple to use. Not so with the German tanks. With the German tanks, when something broke, they were dependent on a supply chain that wasn't there. So it would break; if somebody got killed in the tank, it would take a long time to replace those individuals. So the assumption that they relied on, that "hey, we're going to build this and we're going to have the infrastructure to support it," was wrong, and that's largely why those tanks were ineffective, because they were way, way better than the tanks we had or the tanks Russia had, but they didn't have the infrastructure to support them. So they had assumption-based failures.

So change is pretty constant. I kind of went for a post-World War II perspective, but after the transistor in 1947 we kind of start developing all the technology that we in this field depend on, everything from TCP/IP to the internet, computers, so on and so forth. And there's me standing next to a mobile phone, mobile because you could stick it on a ship or the back of a truck, so that made it mobile. And you're probably saying, "Brian, where do I get an awesome shirt like that?" Well, you can't, it's vintage, you can't find it anymore, sorry. But with constant change on the good side you have constant change on the bad. Can't have a front without a back, light without dark, so on and so forth.

Who here has heard of Mirai? Okay, good, good percentage of you. Mirai is like the grandfather of attacks on IoT systems; it's definitely the old-school, legacy approach to attacks. And what Mirai was, these hackers said, "Look, let's start targeting IoT devices, particularly let's start targeting security cameras," and they created this attack which was very
simple. It logged into these cameras that were internet accessible using telnet, port 23, okay, and then it tried to log into those cameras with well-known default passwords, about 8 to 10 common passwords. That's it. That was the extent of this attack. It was very successful though. Logging into cameras with default passwords over telnet, adding the malware to the camera, created a botnet that was larger than Google and Amazon combined in terms of processing power and network bandwidth, and it was able to take out PayPal, Reddit, telecom companies, Netflix, people that have pretty big infrastructures, right? So it's highly, highly effective. But it didn't stop there, because what they found out was there's so much white labeling and there's so many shared libraries that are used in the IoT space, and even reuse of passwords, that the same attack was able to take out Voice over IP phones, printers, digital door locks, through the same hack: telnetting into the device and typing in the default password that you could look up. So we go into organizations today, we still find devices that are vulnerable to this. This is a 2016 attack; they're still vulnerable. Furthermore, we still find devices that are still infected with Mirai, because nobody ever bothers to update the firmware or check the capabilities of their printers, their Voice over IP phones, their security cameras. So this is actually still out there, even though it started back in 2016.

So as a foundation to what we're talking about today, I want to just talk a little bit about asset intelligence, because it actually, you know, applies some things that I think will be beneficial throughout the entirety of the presentation. The first one is, when you think about asset intelligence, this notion of looking across my enterprise and understanding where are my devices, where are my users, where are my applications, where are my vulnerabilities, all these things that play a role in assets. Think of it like this: four dimensions, length, breadth, height and time. So length, these are asset types. When I'm talking about asset intelligence, and while in this presentation we're going to focus on just a portion of that, think of it in a large ecosystem of types: my laptop, my virtual machine, the applications it runs, the vulnerabilities it has, and the users that interact with it. Breadth, asset locations. I care about stuff that's on-prem, I care about stuff that's in remote offices, I care about stuff that's in the cloud, I care about stuff that's work-from-home, BYOD devices, enterprise devices. I want all of that. Height, this is where it gets really interesting. I want all the details, in particular I want to know about presence and state. I want to know you're running Automox for patch management, I want to know you're running CrowdStrike for your EDR, I want to know you're in Microsoft Active Directory. That's presence. But what's the state? Maybe I'm running n minus 3; I've got a version of CrowdStrike that's three generations too old, or my Automox hasn't communicated with the patch management console in over a year, or I'm simply not even in Active Directory. That's state. So having presence and state is the height. And finally, time. Yes, I want real-time information about my assets, and I also want forensics data, because forensically I need to know that 10.1.1.1 belonged to Bob 3 months ago when that device accessed this application; well, now it belongs to Sheila, and it doesn't matter what the real-time data is. So having all those capabilities, think about that as we're going through today's presentation.

We see a lot of failures in a lot of ways people look at assets. A lot of folks still try to track it with spreadsheets, right? That didn't work then; it certainly doesn't work today, especially with cloud assets that can be spun up and spun down in seconds. But what we find is most organizations have way more assets than they think they're supposed to have, especially if you look at SaaS applications. We find out licenses are both under and over
purchased. I bought 10,000 licenses but I've only deployed it on 8,000 devices, or I've got 6,000 devices that aren't even running the products that they're supposed to be running. And what this leads to is assumption-based asset intelligence. Just like we talked about with the German tanks, they assumed the infrastructure was there to support them. I assume that my EDR is deployed, I assume my patch management is up to date, I assume Active Directory is accurate, I assume what's coming in the cloud. I'm hoping, I'm praying, and it simply doesn't work; it doesn't scale. The flip side of this is evidence-based. I want to know. If I log into CrowdStrike, CrowdStrike can tell me everything I need to know from a CrowdStrike perspective. It doesn't know anything about Automox or Active Directory or Google or anything else. So we all know the story of the elephant and the blind men: "Oh, it's a snake." "No, it's a tree." "No, it's the side of a tent." Until they take all that information and correlate it, then they can determine what it really is. And just like the SIEM space, right, where we took IPS data and firewall data and syslog information and endpoint data and we correlated all this information so it was better than the sum of its parts, we can do the same thing with asset intelligence and have a very rich, integrated picture of what we're actually trying to protect. Now if you look at NIST, you look at PCI, you look at CIS, you look at any regulatory mandate or framework, it always talks about having this capability, but we've always jumped over it in security because it's just such a pain in the butt to do, and we had to do it manually. So that's it on that. So keep that in mind as we go through these.

So let's talk about XIoT, or extended Internet of Things, and there's really three areas that this includes. The first one is enterprise IoT. This is what we usually think about when we think about IoT: printers, cameras, Voice over IP, digital door locks, HVAC, lights-out management, UPS systems, things we,
you know, think we're going to find in the enterprise. The other side is network devices. These are wireless access points, NAS, load balancers, right? And the last group are OT/SCADA devices: PLCs, Siemens, Honeywell, digital devices that control physics, flow, temperature, position. And we're actually going to hack some robots later, which is kind of cool. I wish I could bring it, but the thing that we're using is like 800 lb, so I couldn't check it. So we'll talk about that. So what these things all have in common are, one, they're network connected, almost all of them. There's some old monolithic stuff on the SCADA side that might not be, but for the main part everything's network connected. The other thing is they run specialized firmware. Your printer is usually not your camera, and the thing that's controlling a turbine is usually not a digital door lock. They have very specific use cases, right? And finally, you can't really secure these things in a traditional way. Even though they're usually running Linux, Android, Linux derivatives, BusyBox, Ubuntu, on the OT side something like VxWorks, which is a real-time operating system, you're not putting EDR, patch management or local IPS or local firewalls on any of these devices, right? So by and large they're pretty vulnerable.

Now let's look at the volume of these. Think about this characterization. So there's about 10 million servers in the cloud, not virtual machines, actual physical servers you can touch. I tried to make the analogy to horses here; there's about 60 million horses. If we look at the number of devices like a laptop that have a keyboard connected to it, that number keeps on going down every year, but there's about 5 billion, so I said roughly the number of people; people are about 8 billion, right? Let's look at the number of XIoT devices: there's about 50 billion, or about the number of birds. That's a lot. That's a target-rich environment. If I'm a nation state, if I'm a cyber criminal, I'm going to go after this. This is a great place for
me to start my attack. So I did this very non-scientific search. Who here has used Shodan? Okay, I don't have to give any background then. It's like Googling what's online and connected to the internet. So I typed in things like camera, you know, printer, things like this, to see what's internet accessible. Remember we talked about Mirai that used the telnet-to-port-23-and-type-in-a-password hack, right? Almost 5 million devices, and if you do this tomorrow or you do this next week that number will change a little bit, but that's quite a bit. But look at the one at the far end: UPS systems, uninterruptible power supply. What's the use case for having a UPS system internet accessible like that? And let's say some of those are honeypots, but even if they are, maybe 5% at most, right? That's a lot of UPS systems, right? And we talked about some of the default passwords, the shared libraries, the white labeling that make these things so vulnerable. What do you guys think is the most common UPS system out there? APC, very good. So I said, well, I bet almost all of those are APC UPS systems, and I wonder how hard it would be to figure out what the default password is. So I used this hacking tool called Google and I said "default password for APC UPS," and it said, "Oh Brian, the default password is APC, the default username is APC." We have a running joke in our company: if we ever come across a UPS system that's not APC or is not running the default passwords APC/APC, everybody in the company gets a steak dinner. We've eaten a lot of chicken. I've yet to ever see anybody ever, anywhere, change this password. And generally speaking, if you have a UPS system you probably have something kind of important plugged into it, or else you wouldn't have a UPS system, and now I can just log on to it. You can go to Shodan and find, not that you should, but you could find 13,000 of these devices and wreak some havoc.

So here's some other stats just on volume. There's about three to five XIoT devices per person
in a company. So a company of 10,000 people has 30 to 50,000 XIoT devices. Now there's a bit of a bell curve to this; like, law firms will have a little bit less, healthcare and critical infrastructure have a little bit more, but on average three to five. That's 30 to 50,000 XIoT servers in a company of 10,000 people. These are all Linux, pretty much all Linux servers, generally speaking pretty insecure. And when you ask companies, when you go in, you say how many of these devices do you think they have, almost to the decimal point they're off by 50%. "Oh, I guess we have 20,000." "Oh, you have 40." In fact, when somebody tells me they have 50, I know they have 100, because they go, "Oh, I forgot about Voice over IP phones, oh I forgot about lights-out management, oh I forgot about this," you know, iDRAC, IPMI, things like that. So there's a lot of these devices out there. So a little bit more audience participation. What do you think the percentage is, not on UPS systems because we know that's 100%, but what do you think the percentage is of default passwords, generally speaking, on XIoT devices? Just yell it out. I heard 90. Such pessimists in this group. It's about 50%. 50%. Let's go back to that previous step: 30 to 50,000 devices, let's say 30. I've got 15,000 Linux servers with a default password that I can Google. Well, that's not good, is it? That's a problem. And the other 50%, generally speaking, the password was changed once, because at the time of implementation it had to be changed. And think of the people installing these, like security cameras. They're rolling up in a van with some boxes and a drill and some fiber optic cable and bolting them in. They're not thinking about security development lifecycle, they're not thinking about best practices and uppercase, lowercase, special characters. They're thinking, "I want to bolt this in and not electrocute myself and hit a wire," right? So it's a different perspective. Okay, end-of-life firmware. What percentage of these devices do you think is running EOL? Okay, about a
quarter and the ones that
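An added example, not from the talk or from any vendor's product, of the evidence-based correlation the speaker describes: three constructed exports (a directory listing, an EDR console's agent versions, a patch console's last check-in dates) are joined to show presence gaps (tool not deployed, host unknown to the directory) next to state gaps (an agent three generations behind, a patch agent silent for over a year). All hostnames, version strings and dates are constructed placeholders.

```python
from datetime import date

# Constructed sample exports (placeholders, not from any real tenant).
# Directory computer objects: presence only.
AD_HOSTS = {"lap-01", "lap-02", "lap-03", "srv-01"}
# EDR console: hostname -> installed agent version (presence plus state).
EDR_AGENTS = {"lap-01": "7.10", "lap-02": "7.07", "srv-01": "7.10", "cam-01": "7.10"}
# Patch-management console: hostname -> last check-in date (presence plus state).
PATCH_CHECKIN = {"lap-01": date(2024, 5, 1), "lap-02": date(2023, 1, 15), "lap-03": date(2024, 4, 20)}
# Assumed EDR release history, oldest first, so "n minus 3" can be computed.
EDR_RELEASES = ["7.06", "7.07", "7.08", "7.09", "7.10"]
TODAY = date(2024, 6, 1)  # fixed "now" so the sample is reproducible


def generations_behind(version, releases):
    """Releases between this version and the newest; unknown versions count as worst case."""
    if version not in releases:
        return len(releases)
    return len(releases) - 1 - releases.index(version)


def reconcile(ad, edr, patch, releases, today, max_generations=2, max_silent_days=365):
    """Correlate the three views into presence gaps (tool not deployed, host unknown
    to the directory) and state gaps (agent too old, patch agent not checking in)."""
    every_host = ad | set(edr) | set(patch)
    return {
        # how many more hosts exist than the directory alone would suggest
        "extra_hosts_vs_ad": len(every_host) - len(ad),
        "missing_edr": sorted(ad - set(edr)),
        "missing_patch": sorted(ad - set(patch)),
        "unknown_to_ad": sorted(every_host - ad),
        "edr_outdated": sorted(h for h, v in edr.items()
                               if generations_behind(v, releases) > max_generations),
        "patch_silent": sorted(h for h, d in patch.items()
                               if (today - d).days > max_silent_days),
    }


def run_sample():
    """Run the reconciliation over the constructed exports above."""
    return reconcile(AD_HOSTS, EDR_AGENTS, PATCH_CHECKIN, EDR_RELEASES, TODAY)


if __name__ == "__main__":
    for finding, value in run_sample().items():
        print(f"{finding}: {value}")
```

Each tool alone reports itself as healthy; only the join shows the laptop with no EDR, the server with no patch agent, the camera nobody put in the directory, and the host whose agents are present but stale.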