
Thank you. Hey everybody, good morning. My name is Alex Salazar. I work for the Cybersecurity and Infrastructure Security Agency, CISA. We love security so much it's twice in our name. Specifically, my title is cyber security advisor, assigned here in Washington State. With me I have R.J.

All right. Hey everybody. Good afternoon. I think someone's a couple hours behind us right now. It's all good. But I am the cyber security state coordinator. So the difference between my role and Alex's is that he's based out of King County and he works with private entities and those who are based out of King County and Seattle, Everett, those localities. But as the state coordinator for Washington, I work with state agencies, counties, tribal governments, local governments, and all publicly run critical infrastructure sectors within Washington State. So, very happy to be here, and we can move on to our next slide.

Yeah, just a quick disclaimer. We're going to mention maybe some products or company names. It's all meant for educational purposes, not meant to show specific government favor or disfavor. Additionally, just because Alex and R.J. say something doesn't mean it's right. Always refer to your organization's information security policies. So what are we going to talk about today? A lot of it is just, what is CISA? You may have scoured our website, but we really want to show you some of the gems that we think you may not be completely aware of. There's a lot of projects and initiatives that happen. But before we talk about all that, we always give a nice little threat brief to really talk about what we're facing. I like to make this joke, you know, my first year in infosec, and then as you can see, I'm completely bald now. I also recently became a father 10 months ago, so maybe that helped too. Yeah. Perfect.

So who in here has never heard of CISA until today? Okay, perfect. I knew there would be a couple. Awesome. All right. So I'm glad to hear that, because I spent 20 years in the United States Army, joined in 2003, and retired in 2023. And when I came out to a cyber security summit hosted in Bellevue, I actually learned about CISA myself as a US Army soldier. And I was like, what, there's an agency that's responsible for critical infrastructure protection and cyber security in the government? And yes, it's true. It was actually founded in 2018, and the primary purpose of CISA is critical infrastructure protection and cyber security of the United States, right? And so the vision is a secure and resilient infrastructure for the American people. Okay, and the way we get after that is by two goals, right? Goal one is to defend today against urgent threats and hazards, right? That is in the short term, and then the long term is securing tomorrow, okay? Over months, years, and decades, no matter how long that takes. And so the end state is that we don't plan on going anywhere. We want to be there for the American people, whether that's private or public industry. Next slide.

Okay. So critical infrastructure, I've said that a couple times. What is critical infrastructure? Okay, so critical infrastructure is anything so important to the life of the United States and its citizens that if one of those elements was stopped, even for a short period, it would be disastrous to our way of life. Okay? And as you can see here, you look at emergency services, our energy, our water and wastewater, okay, communications, information technology. All of these 16 sectors are defined as being critical to our way of life as American citizens. By a show of hands, who works in one of these sectors as defined by the slide? Great news. If you just raised your hand, you are eligible for no-cost resources provided by the federal government. Yes, it's true. Next slide.

All right, so CISA regions. It's like, oh man, I didn't know this was going to be a geography lesson, R.J. All right. So the point of this slide is that there is not someone from Washington DC or Virginia, where CISA headquarters are based out of, telling you how to improve your cyber security program. Okay? Like I mentioned, Alex lives out of Everett, right? And R.J. lives out of a small little military veteran community called DuPont. If you've never heard of it, it's right outside of Joint Base Lewis-McChord, about 30 minutes south of Tacoma. But the point is that our children share the same schools as your children. I have a marriage certificate out of Pierce County, and I have a vested interest in securing the networks here in Washington State. Right? And that's the point, is that the cyber security advisors and the state coordinators have a vested interest in your cyber security programs. So when you're looking at this, understand that CISA is in the trenches with you, whether you're in IT, cyber security, or one of the other critical infrastructure sectors. All right, next slide.

Yeah, and you can't have a cyber brief without a cyber threat portion, right? There's a lot of reports out there, and I'm sure in these briefings you've heard some other reporting, or the Mandiant annual reports, or Google threat briefings, stuff like that. A report I always like to refer to is the IC3 report, or the Internet Crime Complaint Center. Now I know it says 2023 up there. I checked this earlier this week and, unfortunately, they still haven't published their 2024 slide quite yet, but I imagine it may not be too different, or if it is, that'll be interesting. No surprise, phishing in their most recent report was the top delivery mechanism for cyber crime to organizations. And actually, I want to take a step back. IC3 is where your grandma might go to if she's scammed, to where a Fortune 500 company is going to go report if there's a large-scale ransomware attack. So IC3 is kind of this, it's an internet crime complaint center, literally that's what it is. So the FBI uses it for everybody. And so they compile all this data, and they're able to make some of these determinations. They also group it by sectors like we do. Healthcare in this report was the most targeted sector. And this is actually before all the Change Healthcare stuff that you saw. So it'll be interesting what the '24 report looks like. In terms of ransomware variants, they actually started tracking that as well. The FBI has lead on that. They determined that in 2020 LockBit and ALPHV were some of the top ransomware variants. And this isn't a good metric, but we moved up. So in terms of losses, Washington State went from number seven in the nation to number five. Meaning if you're a business operating in Washington State, you're in a higher likelihood of receiving cyber crime losses, at least according to these metrics. So this is a great place to kind of understand, first of all, what are some of the top delivery mechanisms, but also it's a great place to really see some of the trends that are happening nationwide.

The FBI also publishes these great FLASH reports. If you're an InfraGard member, you get these emailed. If not, sometimes you have to be on special distros. Usually they're TLP:CLEAR or TLP:GREEN. This one was specific to BlackCat. And I like to just talk, when we start with cyber criminals, somebody who has an objective for a financial gain, or sometimes a motivational gain, in your environment: they're not always using some of the premier zero-day exploits that you might be expecting a well-funded operator to use. A lot of the time, and I love this bulletin, it's really living-off-the-land stuff. This threat continues into today, along with phishing. It's just using your native tools to bypass whatever $2 million contract SOC you have. All of that is great, but if some of these living-off-the-land tools aren't hardened or secured, your attack may happen from this. I like to also put this little news blurb for BlackCat. When you're dealing with criminals, they have no morals. They don't owe you anything. If anything, they just robbed you. So if you're negotiating a ransomware payment with these criminals, in this case, after they got their payout, they imploded. They started backstabbing each other. So if you're that organization on the other side that was expecting a decryption key... I really like to put this slide up here because it may be tempting to pay that ransom, but really you have to understand that on the other side of that is somebody that doesn't really have any good intentions.

Additionally, so we're moving from cyber crime to nation state. One of our most recent advisories on this, that you've probably seen a lot of news about, is Volt Typhoon. So, Volt Typhoon. This is interesting. When I present this slide, I like to go back to when I was a brand new intelligence soldier in the Army. We would have talks that the People's Republic of China, so not the Chinese people but the government of China, is trying to infiltrate our critical infrastructure, in SCIFs, in these secret areas. We didn't really talk about that on the outside. When this publication was posted, I was shocked. I was like, whoa, we're coming out here and we're talking about this now. Like, dang. For me, what that tells me is that no longer are we keeping these facts and instances under wraps. The needle has moved. The environment has changed, and as we can see with the Volt Typhoon advisory, they've been pretty blatant about their infiltration of certain critical infrastructure. So we have a whole great advisory that actually has some IoCs, from MD5 hashes to specific attack chains to specific IPs. I mean, the IPs are good, but actors always roll their IPs anyway. But there's a really good article on that.

So what can you do against these cyber criminals and nation states? Well, CISA, as a cyber defense agency, that's really what we're here for. We'll publish publications like the ones I just showed you, but really our meat and butter is in giving you some of the latest and greatest cyber initiatives.

All right, thank you, Alex. So, secure by design. Okay, so secure by design, secure by default, is a key principle in modern cyber security, right? And it is intended to mean that when either hardware or software is designed, it's secure from the get-go. It means that if you're getting a switch or a router, you're not having to close the ports, because they're already closed. You're going to open them. Because that's what security looks like. You're not going to have to read a guide on how to secure your device. You're going to read what's called a loosening guide. And the idea is that security shouldn't be something you need a PhD to figure out, because companies are already paying security engineers to figure this stuff out. So let's engineer this stuff right from the get-go. And so more and more companies are buying into this concept. And I'll tell you, not that I favor one or the other, because again, I'm a federal employee, but Microsoft took it upon itself to stop charging for access to security logs. There was a time when you actually had to pay certain vendors for access to your own logs, right? And so when you think about your security and future procurement strategies, you should be looking at vendors that have that principle in mind, right? And so if that's something you're interested in, we have more information in here.

And to continue the secure by design theme, let's get into the software bill of materials. All right. So, 2011, who was around and remembers the Log4Shell or Log4j vulnerability? All right. So I think I told a few of you, maybe this whole room, that I was a little sheltered in the Department of Defense, right? I was in the United States Army for 20 years, and being on a closed network in the DoD, we didn't experience a lot of disruption on DoD networks. However, some of our vendors did, because if you were using any open-source software that had Log4j, then you were immediately exposed to that vulnerability, right? And so the idea behind SBOM is that you essentially get a nutrition label of the software. Okay? And that includes the supplier name, component versions, dependency relationships, and much more, right? And so this is another big component of secure by design, and CISA is pushing it. And honestly, going back to procurement strategies, if you're not in that game, but you know the person in your organization who is, say, "Hey, look, when we're going out and looking for that piece of software for this department head, are we looking at the components of that piece of software?" Because the SBOM is important, right? And again, if you'd like to know more about it, I'll gladly forward you that information. So, next slide.

Cloud security. All right. So, who in here does everything on-prem? All right. Cool. We got a couple. I love it. Okay. There's nothing wrong with that. If you're doing everything on-prem, you completely own your security, for sure. For those who have transitioned to the cloud, good news. CISA actually has developed a couple of configuration guides, actually scripts, that can be downloaded. Again, no cost, whether you're in Azure or Google. And as you can see here, that little bullet right there, that script can be run in less than 10 minutes. So, no joke, within the last year, one of my peers, boom, this guy here, was doing a presentation, and a cloud engineer is like, "Okay, let me see if this is actually accurate." While he was sitting in the back of one of these presentations, he downloaded a script, ran the configuration baseline against his platform, and said, "Huh, no joke. This thing is actually accurate." Because what the script does is it pops out a little output here, and then it actually shows you, based off of industry guidelines, what's good, what's not. And this engineer had some questions for Alex after the presentation. Which was a pretty impressive thing, that in less than 10 minutes you could have some results further securing your cloud platform. So again, this is another no-cost resource. And who did I tell you was eligible for no-cost resources? Pretty much everybody in this room who raised their hand already. So keep that in mind. And if you're not jumping on SCuBA now, then maybe after this presentation. Next slide.

One of the next projects that we have is actually a project we inherited from the United Kingdom NCSC, National Cyber, whatever Security Centre they have. Or Center, but they just spell it "centre." But, Logging Made Easy. I like to really refer to this slide because it helps; you can see this, but you don't really get it. But really, with this slide, it's an ELK stack, right? It's an open source project that CISA is maintaining, where you have a server that's aggregating and giving you some filtering and some dashboards. You have a process server, obviously, receiving some of those logs, and then you have clients that you're provisioning from your server and installing on your machines. And really it's just a homegrown IDS. It's not an IPS, but if you are low on budget, if you're low on resources, or if you're kind of butting heads with the budgeting team, this is a no-cost solution. The only thing it's really going to cost you is your time, of course, which, if you're a thousand-user environment, that's probably going to be some time, but if you're around a 120 to 200 user environment, this might be a little bit more manageable. You can download it from our GitHub page, which is github.com/cisagov/LME.

The next slide. Anybody heard of KEV? Good, good, good amount of hands. I'm glad about that. If you haven't, KEV, the Known Exploited Vulnerabilities catalog, is a project that has been around since at least '21, '22, I would say. When I was last a cyber defender over at the DoD, we were definitely referring to it when it was getting published. So you have CVEs, right, Common Vulnerabilities and Exposures, and that's the theory of what could happen, right? There's this thing, and this is the belief that it could happen. The KEV is this data attribute that CISA is maintaining, and we say that, hey, for this CVE we have received threat intelligence that there is a proof of concept and it's actively being exploited. So if you ran a Nessus scan and you got a fat stack of vulnerabilities, the KEV helps you kind of bring up those ones that are probably the ones you should be going after. We all have finite time. We all have finite resources, but the KEV is just one more tool for you to prioritize your vulnerabilities. That QR code takes you to our KEV site. For you folks that like JSON, we even have a JSON schema. You can configure an API for whatever internal tools that you have.

Next, when it comes to collaboration: whenever we have briefs, we get asked, "Hey, is CISA working in a silo?" We're not. A while back, all the way back in 2021, we stood up the Joint Cyber Defense Collaborative. There's a lot of partners, to include some on this campus, that signed up with that, and it even has now expanded to international partners. It's really become that large organization that is compiling a lot of the industry best practices, or trying to nudge the industry a certain way. I would also say it helps us because it attaches some of our more strategic folks at DC to some of the more strategic folks in your organization. So R.J. and Alex aren't going to be connecting with the CEO of Microsoft to help them enroll in the JCDC. There are some specific contacts over at the JCDC for that.

Lastly, ransomware. Can't have a cyber brief without talking about ransomware. If you haven't heard of it, we have a whole website on it. It's called stopransomware.gov. This is a great site because if you haven't maybe tailored your incident response plan specific to ransomware, we have a whole section for when you wake up one morning and the encryption event has happened. I will always point you to the "I've been hit by ransomware" sublink we have, because it has a whole step process that really breaks down the PICERL process, or whatever process you follow for incident response, and helps you contain, eradicate, and then recover from your ransomware event. Additionally, we're tracking ransomware groups on this site and also posting some of the latest and greatest.

All right, that brings us to working with CISA. Okay, so as you can see here, there is a nice little graph or bar, and you can see that 80% of our efforts is in prevention and resiliency. Only 20% in response. The reason behind that is because we want to help you secure your environments. We want to help you be resilient. And some of those mechanisms that help you get there are through assessments and evaluations. Some of the assessments that myself, Alex, and other CSAs, cyber security advisors, can perform: cyber security performance goals, cyber resilience reviews. You see vulnerability scanning, cyber hygiene; every single thing listed here is no cost. I think the previous speaker spoke to a pentest. Did you know that if you are in a critical infrastructure sector, you can actually get a no-cost pentest through CISA? Yes, that's true. National asset. There is a little bit of a waiting list, but it is very possible. And then of course we talked about SCuBA. Next graphic here. Partnership development. Alex hit up the JCDC, very cool, big working group. Preparedness activities. So we can provide cyber security training for your organization. The CSET tool is a tool we actually use to do our assessments. Moving on to strategic messaging. All right, Cybersecurity Awareness Month. Who participates in that fun 30 days? All right, so we can help your organization. We actually have an entire web page full of resources that can help you prepare for that critical month.

Okay, now moving on to the 20% response. All right, this is the part that I do not like to be in, because if you are here, typically we're talking about a crime scene, right? So when this happens, a lot of the times we are in incident coordination. We're working with the Department of Justice, our FBI brothers and sisters. But I have done targeted incident notifications before, here in the state of Washington. It's a very unfortunate thing when I have to make a call and say, "Hey, there are unfortunately some indicators of compromise within your network as we speak." But with that said, I would rather get you guys here in that 80% so we don't have to be there. All right, so with that said, let's get to our contact slide so we can have a minute or two for questions. So here are the contacts for the state of Washington. My supervisor's at the bottom. We'll just let him read it. Okay, we're out of time. Sure. All right. So, any questions?

Yes. Yep. Yes. I'm curious, for both of you: how have you seen the impact of the program in Washington State, and what are the consequences if that program does not continue?

Yeah, that's a great question, right? And I'll take that as the state coordinator. So, as of now, the SLCGP... yeah, the question was, impacts of what's going on with the SLCGP, basically impacts to Washington, and consequences if funding was not to continue. Well, I can only speak on where the funding status is now. And so funding for that program has not stopped, right? And so CISA and our partners are continuing to operate as if we are going to continue to receive funding. And now what I do encourage everybody is that if you have been a recipient of the SLCGP, or sorry, yes, "slice scoop," then please advocate with your state senator, your representatives, because they're the ones in Congress who are advocating for these vital dollars and this program. All right.