Disruptive Security Chaos ... for Good

BSides Delaware · 2012 · 41:15 · 25 views · Published 2012-11
Title: Disruptive Security Chaos ... for Good
Speaker: @grecs

Transcript [en]

So I'm here, I have this idea, and it seemed like it would be a good idea to present it as a fire talk. The whole goal is to basically explain what my idea is and then try to get some feedback in terms of how it could actually work. So just a quick question: what attracted you to come to this particular talk? Any volunteers? The word "disruptive"? Disruptive, okay, cool, awesome. Chaos? Good, okay, all right, chaos, cool. Anyway, I should have spelled it with a K, like the old-school "khaos", but anyway. So, just a quick intro here: my name's grecs. I'm on Twitter; this is me; this is where I'm from.

I started out doing security back in the early 2000s doing web app testing. It was an awesome job, I loved it. Unfortunately, for career reasons I had to move on, so I got into doing fun things like security engineering, creating mounds of documentation. That kind of led into doing FISMA C&A type stuff for the government. Unfortunately, I even got into doing proposals and things like that; those are pretty insane if you've never worked on one. But the whole thing is, I was producing tons of this, right? I mean, I felt that I really wasn't making an improvement in security, I was just creating mounds of paper. There was all this cool [ __ ] going on back in the early to mid 2000s, and it was just frustrating that I was creating this while all this cool stuff was going on. It made me want to do this.

So I did this for a little bit. Right now I'm in a pretty cool position where we bring in a lot of security COTS tools and really set them up and learn them, so at least I'm getting a little bit away from the paper and more into doing some of the hands-on stuff, learning some of the different security tools out there. So I still produce some of this, but not as much, and it makes me want to drink this: the good stuff versus the cheap stuff. In the evenings I like to do more hands-on stuff, so I just kind of play: I go to things like this, or go to meetups, and go to different hackerspaces and try to get some hands-on stuff, which I then try to document on this website that I run that is sort of like a metro DC portal. It started out as being in NoVA, Northern Virginia, so that's why the name started with "Nova". We recently had a name change; I just wanted to make it shorter. So anyway, I'm a happy panda now. So that's a little bit about me.

So the overview of the talk we're going to be doing: we'll look at maybe some foundation stuff, then get into relating security to a life cycle in terms of business growth, come up with an experiment (what if we go against what everyone says we should do?), what are the benefits associated with that, and then also look at further research.

So just some foundational stuff, and I'll reference this later in the presentation. I'm pretty sure you all know this, but what is security? The CIA: confidentiality, integrity, availability. And then the other aspects that I usually refer to are the three A's: authentication, authorization, and audit. There's a nice picture that sort of shows that in the Wikipedia article. Some other information in terms of forming a foundation: bug bounties. Years ago there were these horror stories of people submitting bugs to security companies and those companies turning around and suing folks. So it's nice that they've gone from that to more companies like Google and Facebook that actually offer you money to turn vulnerabilities in to them if you disclose them responsibly.

Another idea that I thought was just cool as hell is this thing called Chaos Monkey. Who's heard of it? Does anyone know? All right, so Chaos Monkey is a concept that Netflix came up with, where they have their cloud infrastructure serving movies, right? What they did to make it more resilient is they have these agents that basically go and just randomly shut down stuff, and that forced them to design the system so that, as a whole, if a certain server just shuts down, the system is built to work around that. It's open source now, actually; I think it's up on Google Code. They have like eight or ten different agents, and basically these things take in some random information and then just go wreak havoc, and the whole goal is to augment your network so that it can be resilient and work all around all this chaos that's going on.

So one thing that I wanted to touch on is, what is a life cycle? There's some foundational stuff, and what I want to do now is look at, hey, this is the life cycle of what a typical company does. I work for a huge DoD contractor, but if you're just starting out as a small company, usually, as the graph says there, you're very agile, innovative, you take a lot more risk, you're more offensively trying to attack the market. But as you get more successful you tend to pull back, because you want to protect your success, right? Well, that puts you at an immediate disadvantage, because you're more in a defensive posture rather than an offensive posture. At some point it does stabilize. I mean, at your most successful point, as you start to protect your success more and more, you probably lose growth, and then the bigger you get, the more bureaucratic. This is the thing where, hey, I want the hammer, and you've got to go through all these purchasing processes and workflows, and that hammer, if you add in the workflow and everybody's time and everybody bidding on it, that's your $50,000 hammer. So it's kind of dumb. But the whole point of this is that you start out with this slope that just shoots up, but once you get to the successful point you start to pull back, so your growth stagnates. Turning this back to infosec, you have risk: vulnerability, threats, impact. So your risk increases, and in order to control that risk you come up with these strict policies.

So some of those policies: there are standard things like general corporate IT responsibilities; you have defined security groups that'll push out patches and things like that; these policies just say that that has to go on. But one of the policies is that there's usually a significant restriction on what users can and cannot do on that network. The two things that come to mind, at least with the company that I work at, are that you are not allowed to have hacking tools on your computer at all, and if you run an nmap scan, there's this myth that they can detect it like that and they're going to come and take your computer out and you'll go through some process of getting punished. So instead of "hack all the things," these policies are kind of pushing folks to not hack all the things. And this makes sense; I'm not necessarily against this. There's a compromise in there somewhere.

So what I'm proposing is this experiment where we try to put less focus on the protection of our success, so you don't pull back, you stay more offensive, and one of the things, at least from a security perspective, is trying to relax these very strict policies. So, hey, it's okay to have hacking tools; it's okay to use nmap to scan the intranet, fine. Let employees in this case be the chaos monkeys. Yes, servers may go down. Sensitive information may get... an employee who shouldn't have access to financial records might have access to financial records. But would you rather have your employees find that out, or would you rather have a malicious person who hacks in and gets it? If your employees find that out and we reward them by doing bug bounties and things like that, then, sort of like the Netflix chaos monkeys, we strengthen our system, we build it to be more resilient, so that whenever the bad guys get in, all that low-hanging fruit is going to be gone.

Even if they aren't employees, why not basically just reward the bug bounty, like independent researchers who happen to find something on their own?

Oh yeah, yep, well, that's a thing. I mean, I'm looking at this: they'll hire me to be an SAA, right, but I have some downtime. I'm curious, as most hackers are, so, hey, let's try to hack our... or let's download John and just try to hack the Unix admin hashes. Following strict policy, the average person couldn't do that, or if you wanted to do it there's some huge process and you've got to get all these approvals, and everybody's going to be like, eh, screw it, let them be, I'm not going to tell them. But yeah, there was another question?

What do you say about disgruntled workers and stuff like that?

Disgruntled workers, oh yeah, well, that's the thing too. If you have an insider, one of the theories is, if you have the non-disgruntled workers find and report these problems, then the disgruntled worker will be very limited in what they can take. So now of course you have that theory where, what if the person that's doing these escapades is a disgruntled worker? And I'm not saying this is perfect; I'm just saying let's flip our traditional ideals on their head. In the end, is there a chance that we could be more secure by not following the rules instead of following the rules?

A few more slides here. Basically, I've talked through most of this. There are no rules, right? You could use basic or advanced hacking techniques. You could scope it to a certain degree. And the thing too is the persistence: this is something that you can just do whenever. It could be Saturday night and you log in, you VPN into your network, just because you're curious, or you want to learn some new tool that came out, so you actually download this tool and run it on your corporate intranet just to see what it finds. And depending on the person, these could be targeted attacks, say for a particular department like finance, or it could be targets of opportunity too. What could happen? What do you all think? Do you think security would be better or worse?

Better. It's going to be found somewhere. Yep. Or you're going to find it. It's what open source was all about: I think Firefox and Google did it once, but they basically opened up everything so everybody can see the code, and then cut down the loopholes pretty quickly, because you're going to have probably like 80% of them good, yeah, 20% bad, 80% clean. Yeah, exactly. And on top of that, Google offers the big Pwnium bounties, so there's basically incentive for the real good developers to come in and say, okay, this is a problem, this is a problem, this is a problem; they actually have the skill to go dig for it.

Yeah, exactly. I mean, theoretically you could take a big DoD contractor and offer that too, or at least in this case, since I was looking at it from a policy perspective and the policy says no, you can't hack, all right, well, what if we turn it on its head and say you can hack? What would happen? But you still get the bug bounties, whether it's five bucks, 500 bucks, or a thousand.

Question I have to ask: with a DoD contractor, for instance, how do you handle the fact that there's likely classified information on...

Mm, yeah, but what if there's classified information on the network? Is it worth it for that classified information to be discovered and then fixed, or is it worth it to just let it sit there with the door unlocked?

So the question is, how would you handle the fact that the person finding the vulnerability might come across the information? How do you handle NDAs and things like that about secret information?

Yeah, well, really, if you have classified... first of all, you should not have classified information on your corporate unclassified network, and what it will show is, hey, there's a flaw there, we need to protect it. So instead of it being a huge spill, maybe one person found it and they closed it, versus everybody finding out.

I'm guessing, because people get higher clearances, they have access to the various networks they're allowed to, and they're looking on those networks.

Well, now, I'm not saying... obviously, I'm not saying whatever network you're on. Just because your corporation says you can hack our intranet doesn't mean that you can attack the customer's intranet.

The main thing I'm worried about is, in a classified setting, how would this...

Well, in the classified setting you have a network; say the whole thing's secret, right? Everybody that's on that network should at least have a secret clearance, right? So kind of what I was looking at is, the red is, I guess, the risk. So you have corporate growth in the blue line and then you have red. Before, our risk basically stayed the same, but by crowdsourcing security, discovering the bad things before the bad guys do, our attack surface decreases. Not only that, but from an availability perspective our networks get more resilient and they're hardened. So you're actually decreasing your risk.

So this is kind of like hiring a pentester?

Yeah, I mean, this is essentially having a pentester come in and just say, hey, no rules, just pentest us, and whenever you find something wrong let us know so we can fix it. Or have the employees, let them be like, hey, your job is, if you spend five minutes here, ten minutes there to do a quick nmap scan, or maybe you find something interesting, then maybe there would be a way to request funding if it's a very advanced thing. Sort of what I'm proposing: you have your two extremes.

So benefits basically say employees become the chaos monkeys; you're forcing this resilient, self-healing network; instead of saying no you can't, say yes you can, and actually pay people for it. And actually, in most cases, because you tell them they can do it, most people probably won't, because they want to do the stuff that they're not allowed to do, like my son. But these examples here just look at confidentiality, integrity, and availability. From a chaos monkey perspective, availability is big. They're like, oh, we have this production system, don't scan it, right? All right, if I scan it and the system falls, well, that isn't my problem; your system definitely needs more resiliency there. So I look at it as a good thing, so that whenever the bad guys do get in they can't knock your network over.

So, as in anything, I'm sure there's a compromise, and by compromise I don't mean you compromise the host; I'm saying you actually agree somewhere in the middle. So you have your free-for-all, which I described, on the right-hand side, and then you have your traditional bureaucracy on the left-hand side, and maybe someplace in the middle where people could go through a vetting process, where, in order to get access, in order to do this, maybe you fill out an app and there are some terms of service and some legal things. So maybe there are some limitations, maybe there aren't, but for anybody that wants to join it, have it be a pretty low bar: hey, we're not paying you, but if you come across a new tool, or if you're interested in learning to hack, we give you a live network to actually do it on, and you're helping us and we're helping you learn.

But the big thing about this is, how do we prove this? That's what this slide looks for, and I'm trying to get the word out. Are there any existing examples of companies that already do this? How do we measure it? How do you measure that a network is more secure versus less secure? Looking for maybe smaller organizations that would want to volunteer. And maybe outliers: how do we deal with that, like what if the bad guy gets hired and becomes part of this program? What happens there? And then there are surveys; I had just put together some quick questions on demographics, policy, testing, overall. And I was thinking, all right, a survey is one way that you could prove something, but you're not really proving it; you're proving the way people think, not necessarily what's going on.

But anyway, this is my closing slide, which they say you should always have, so I put it there. It's basically an exact repeat of the intro slide, but at the end. So anyway, if there are any questions, that's my Twitter, my website; that's how to contact me. You can also just do grecs at novainfosec.com, that's my email. But anyway, that's it. Are there any questions? Yes?

About five slides back, you had that graph.

Yep. Yeah, there you go.

Okay. If you notice, the delta between the growth and the risk is the highest in the end; the difference between risk continuously goes down as you stabilize.

Yeah. It just seems... although, this graphic wasn't... I didn't pull this from a textbook or anything; this was me just drawing lines on what I think would happen. I thought, I've never seen that specific thing before.

But the reason why, if that is true, that's actually a disincentive, because the differential... you're getting the most bang for your buck, right, if you're able to stabilize and your risk is continuously going down by doing essentially the same thing. Or doing very piecemeal, not like a hybrid solution, which you're referring to, a hybrid solution where the chaos monkey... it's almost like they can find space even though they're doing it on a live network. They're like, okay, we have to know that the chaos monkey actually hit this, not like the chaos monkey just broke anything.

Oh yeah, yeah. Maybe the chaos monkey broke into this particular area. Yeah, exactly. But it could be anything. Well, in this case the chaos monkeys are your employees, and maybe as part of that agreement... although I would like to just have it be open-ended, because that's where I think you'd get the most benefit, but you can say, oh, you can only attack this IP range or something.

But I'm just saying, if you're going to use that graph, because the differential is so big, it just keeps getting bigger and bigger from essentially doing the same...

Well, if this would continue on, I imagine you would get down to some minimum risk; it would kind of curve.

Sure, but the problem is, essentially, once you reach that stabilization point, it means sit on it; essentially just do what you're doing, because, hey, risk is going to keep going down.

Well, I wouldn't say necessarily sit on it, because a corporation, they set up systems; it isn't like they set up systems and turn them on and everything stays that way. New systems are constantly being added, code's being updated, so there's that risk. It essentially would stabilize, but there are points where, theoretically, it could go up. And risk is a strange beast, because there are these very high-level... there are these mathematical models for calculating it, but everything's based on estimates, so it's all qualitative (excuse me), not quantitative.

Yeah. So it makes sense that the risk is going to drop some, because once you get stabilized in your policy, the company people are sure what they should be doing, what they shouldn't be doing, how systems work, how security works, so the risk is going to drop, because now you have a set policy, while you're changing it...

But if that policy says you can't hack, then essentially you're going to have this huge attack surface, whereas if the policy says you can hack, then people would find those vulnerabilities and we could close them, so your attack surface would be less.

No, I definitely think allowing hacking works, but I think what this is more indicating is more like, when just the generic structure of the company stabilizes, risk goes down, because you're set better than when you're starting out or when you're growing.

Yeah, well, this is... and I had a hard time, and if anybody could help me with a better way to show this. There's kind of like business risk, but then you have security risk, and then growth. Theoretically, depending on the company, growth could rise or fall or whatever. But yeah, I guess I wish there was a difference between business risk and security risk, and I think here, when I put this together, it was more of security risk, although I do realize that...

Yeah, I'm sorry, but the way I look at the graph, it looks a little confusing, because with the previous graph, basically the same thing, it was showing that it stabilized and then just a straight line there, because it was all stable; risk was also the same. So I would think there would be some sort of difference in the stabilized line if the risk was also going down, for the growth. Well, the growth is stable, right? You're basically doing the same thing, so wouldn't there be, like, where you're not going...

Well, in this case growth is... maybe you could measure revenue, profit, things like that, or you could also look at it as employees. I mean, that's a thing: I had a hard time trying to create something, and I know this isn't perfect.

All right, I was just... oh no, that's... yeah, well, it's a very confusing graph, I guess, because things aren't clearly defined.

I know there are little intricacies that probably don't make sense, but at least in this case, to simplify it, I just sort of glossed over it. Really, there are different ways that you could measure growth, so you could have a graph for each one of those. But yeah, any... yep?

It has nothing to do with the graph, but when you're talking about a free-for-all with your employees on the network, would you vet the tools that they're using? Because someone who doesn't really know what they're doing goes and gets a script kiddie [tool], and we all know those come from legitimate sources and have no back doors in them. They may not be able to find something, but they may just launch an opening... oh, what? ... some type of opening for an outside attacker to come in.

Yeah, this is true. I mean, that's another aspect to it, but then also that could be a security test too: maybe your SOC or whatever should be detecting that. So it's not only hardening your network, but it's also keeping your security team practiced, on their toes. And then I'm sure there are ways... I mentioned the compromise; that's what would probably be the best option, somewhere in the middle, and maybe some of those rules are, oh, if you're going to use a tool you just have to let us know, and where you downloaded it from.

If you can vet tools, say, yeah, okay, that's a clean tool, we trust those results, and instead of doing a free-for-all, say here's a block of ranges you can go test at your free will; let us know if you find something. Because, going back to the business aspect, if you have a server that's making you $100,000 an hour, and you take it down for three hours because they're scanning it, you're out of money.

Well, no, I mean, sure, but that server should be built to be resilient enough, and in the end that will make it more secure, so that whenever the bad guy gets in he doesn't do something even worse.

I would think that's going to take it down forever. That's where I would think, on that aspect, someone's going to test that server or try to compromise that server; you at least want to know about it, so if something does go down you can get that back up as fast as possible, fix that problem, fix it, get it back up.

Yeah, I mean, there are ways. Maybe there's some reporting mechanism where you keep a log, or you say, oh, well, the fun that I'm going to have today is I'm going to download this tool, I'm going to run it on this IP block of range, and then you submit that and that's what you do. Or more likely it's going to be, oh, well, over the next month I'm going to run nmap on our entire IP range and see what happens, or something. Or just hire people to be chaos monkeys for your company, but that costs money; it's overhead. Employees do it, so if you have curious employees you're giving them a live network to basically learn on, right? So you're kind of crowdsourcing it. Paying a pentest team, you're paying it; there's a limited number. In most cases, at least the way they do pen testing now, it comes in, or the rules of engagement are very narrow: you can only test from midnight to 3 in the morning, you can't hit these servers, and it's like, oh, well, that's nice, but a bad guy is not going to follow those rules. The bad guy's going to get in and [ __ ] the system up, or hack, what is it, hack all the things.

Whatever to keep your systems up and be able to find the hole and patch.

Yeah, so just say... I'm sure... right, I mean, obviously this is where we are, and this is kind of this utopia type thing that probably we'll never get to, because corporations like to control their stuff, so maybe the solution is somewhere in the middle, and some of the ideas, maybe there are rules that could be put in place that could help mitigate huge risks like that.

The whole idea is using free resources that you have available.

Using free resources you have available; you already have employees there, they're already curious, yep, you don't have to pay them to do it. Yeah, I mean, obviously you would still have to meet and accomplish... I mean, you couldn't spend four hours a day. This is like, oh, I'm going to work my eight hours, and in the morning I spent five minutes and I kicked this nmap scan off, and at the end of the day, when I've worked my eight hours, I'm going to go and look at the scan results or whatever.

Trust me, even employees are not working 100%. They're like, hey, I'm going to work an hour, then I'm going to go BS about the football game for an hour, then I'm going to go outside and have a smoke for 15 minutes.

You really want to have fun, bring programmers in next. Yeah, a couple hours of thinking about how to solve a problem, just chatting it up, and then, oh, 15 minutes of coding. Yeah, exactly. Then again, that is kind of the workflow of programming in general; you don't want someone just hammering.

Well, yeah, I mean, I agree, because there's this mental... I'm trying to solve a problem, I can't just stare at the computer screen for eight hours; mentally you need to get away from it, let some fresh ideas flow in, and then you're more productive.

But I would think, from a programming perspective, that would be more out-of-the-box thinking, instead of saying, here, someone in your HR group, "well, I've always wanted to play around with something, I'm going to go download this program," whereas your programmers see the problem and think out of the box and try to break it, try to get into it. That would give you a better perspective of, okay, well... because the bad guys aren't going to be using just the script kiddie [tools]; they're going to throw the chaff out for you to be running around, yeah, looking at where they're coming in, different, nice and slow. They're going to be like... and then you're going to go in.

Yeah. So anyway, that's the whole... I mean, I'm sorry this was more than 15 minutes or 20 minutes, but I enjoyed the discussion, and if you have any suggestions for me in terms of that last slide, the further research, how do we prove, or how can we at least show that... I'm making an assumption that, hey, you do away with security policy and your network becomes more secure. How do we prove that?

Bring like the Chromium, the Pwnium results, from the vulnerabilities found during the Pwnium, for example, and just start listing results from these big bug bounty competitions. If you start doing that, it's like, oh, well, if you put the bounty on it, people tend to be inclined to start looking for stuff, start finding this and this.

Yeah, so then you could have kind of like a leaderboard, like Facebook and Google do, where, oh, this is the person that's made the most, and fun stuff like that. Anyway, it's just a thought. Did the gentleman in the back left... I saw you raise your hand?

Well, yeah, a bit. A little story. I don't know if you know about what's going on with Uber, the taxi cab company.

Yeah, well, yeah, there's a big lawsuit; they're trying to get it so that you can't...

Well, specifically, talking about the thing with New York City. Yeah, it's almost the same problem. It's the compromise there. They're pushing the idea that they can change everything immediately, while actually having registered taxi cabs in the city. Basically, they just want anyone to go out there and be a taxi provider, where there have been instances in the past where that's been very dangerous. Exactly, yeah. But it has worked in other places, so they're thinking, well, maybe because it worked there it'll work in New York City.

Yeah, so, but that's changing the bureaucracy to the point where you can actually... well, they're thinking maybe... they want to do that; they want to protect their business, their monopoly. Or it's more of a fight that has to happen constantly; it's like living documents, you just have to continuously break against that wall. That's really what you're talking about, a never-ending battle. So keep doing it. Pwnium contests: great, but it's like these things have to continue, there have to be more of them, the ethos has to continue, it has to be almost a meme, like a virus.

Yeah. Anyway, just a thought. Thank you.