
Okay everybody, BSides Boston is really happy to have Mike Davis. He's going to give us a talk about using hackers' methods and tools to defeat persistent adversaries. Take it away.

Great, thank you. Everybody can hear me okay? Yeah? Okay. I'm going to walk around a little bit; I don't like standing behind the podium. I know I'm standing between you guys and beer, so I'll try to keep this short, but I like to be interactive, so if you've got questions, "Mike, I know what you're talking about there," "Mike, you're crazy," raise your hand, I'll call on you, repeat the question, and we'll go from there.

A little more background on me. I'm most well known for two books that I wrote: Hacking Exposed Malware & Rootkits, and then the original Hacking Exposed. Today, hopefully you're not too upset, I normally do a pretty deep technical talk, but there's been something bugging me over the past week and a half that started spurring some of the things I'm going to talk about, so hopefully you guys don't get too excited about that. Please ask me any questions if you like. I have a bit of an interesting background. I've been in security for a long time, but I've been on both sides of the fence. For a while it was the consulting phase; I sold that company and then became a CSO at a large energy company, and I had to actually take my own advice, which is kind of difficult. I'd been telling people, "this is how you do things, go ahead and do it," and then all of a sudden you're doing it for six or seven thousand employees, so I changed things a little bit. So I've got both sides of the fence, and it gives me a unique view on things. All right, so go ahead and ask me questions if you like.

So we're going to talk a little bit about why I think attackers are winning.
And it's a little different from why you'd traditionally think they're winning. Then I really want to dive into what I think is a new approach, something you should be thinking about, when it comes to taking what attackers do and leveraging it in the way you make better decisions, and see if that can help improve where we are from the defensive position, in terms of defenders.

So let's start here. I think we've all seen these before. This is a great interface; I figured this is Dirt Jumper, I think, whichever command and control back end this is. The whole point is that the attackers have really upped their game. We know this, but code quality has gotten better, it's highly, highly modular now, and they're using many more capabilities to make sure they can extend the lifetime of their own tools. So if I want to extend a piece of malware and all of a sudden add DNS flux capabilities to it, or DNS changing, add new operating system support, a new exploit, whatever it may be, they have that capability. In addition to that, I want to start collecting data so I know what my rates of infection are, which machines I have full control over, where I'm getting this control, is it in EMEA. It's a quick, simple interface for that. As you can see here, you have a nice grid on the bottom; the modules are listed here. Right now we've got the DNS changer module loaded, the remote IE module, and module T100; only they know what T100 means. You can interact with these modules, of course you can buy these, do other types of stuff. The great dashboards aren't enabled, but the goal here is that they've got a bunch of machines under control, they're adding more and more to this command and control network, to this bot network, and they're taking an opportunistic approach to how they go ahead and infect things. They don't know; they just get it out there, spray it out as much as possible.
Let me get access to as many things as possible, and then I'll see what I get, see what's interesting. So they start learning from some of this data. You can see here there are a couple of different telecoms, interesting companies that may be of value to somebody else; some people sell those, whatever. So the attackers have changed the way they're doing things; it's not the old approach. I'm not going to talk too much about APTs and the zero-day thing, because I think there's a lot of fluff on that; we all understand what the problem is. I want to talk more about how they actually make decisions, how they actually attack and choose the machines they break into once they've gotten into a network.

So I'm going to start with a question, so you guys can call out the answer: what's different between these two photos? Give me a couple of seconds to take a look, and we'll get ideas, call out answers.
Wow, you guys really are struggling. The beard? Are you going now? Okay, the depth of field. All right, I'm giving you the answer: there is nothing different. You called it right there, good job. What else is different? The oncoming driver in the left photo is a woman who's picked up her kids, they were at a soccer game, she's driving home. This would be great. The gentleman driving the car in the other photo actually just had a few at happy hour, he's a little drunk, and he's going to plow into this car and kill everybody in it. The difference between the two photos is the intent of the oncoming driver.

Now we as humans have a unique ability that we've honed over centuries and centuries of evolution to understand physical changes around us and react to things that are potentially dangerous. This is the common thing you see when you walk into a bad alley and all of a sudden you know something bad could go wrong; you get the heebie-jeebies, whatever you want to call it, a bad feeling. We've learned to analyze the intent of physical things, but in the cyber world, this is the equivalent of somebody looking at a web page with a blue link. I have no clue what the intent of the company that hosts that page, or the end user that has that page, is. They just click that link; they have no way to determine the intent. Same thing: they have no way to determine the intent of an email attachment, and they have no way to determine the intent of a file that they run. So end users have absolutely no way of determining intent, and evolution has screwed us: all these great cues we've learned from a physical perspective don't translate into the cyber world. There are all kinds of unique things around facial expressions and movements that we've learned as humans that you just don't have inside the cyber world. So what do they do? They trust, they click the link, and next thing you know you have problems.
Phishing is still a huge issue, a major issue, and the reason it will continue to be an issue is that we know compromising the user is easier than compromising technology. If you're an attacker, why do I need to hack your firewalls, worry about whatever systems or control defenses you have, worry about sandboxing? I'll just ask the user to run something. That's all I'm doing: asking them to run a program. You ask them to run programs all the time; their job all day is running different programs to do their job. So for attackers, the entry point is no longer what they care about. I don't focus any of my research or effort on the entry point into networks; it almost doesn't matter. They're going to get in, because they just ask to come in, for the same reason physical buildings have different problems. So we have a situation where we're trying to prevent everything from coming into our castle, the castle-and-moat syndrome as I call it. We can't build a castle, put a moat around it, have a drawbridge right there and monitor everything that comes in and out. It just doesn't work; BYOD, you name it. Now, how many people here are actually security professionals who have to defend their network every day? All right, good. How many people here are breaking into networks?
As a defender, though, this is the struggle you have. In my mind you're never going to prevent them from getting in; it's what happens after they get in that you have complete control over, and you have full control over how you make decisions in regard to these attacks. You also have complete control over how you analyze and research attackers and what they're doing. I believe in the next few years you're going to see a lot of trends moving away from just talking about the tools and techniques of attackers, using SQL injection or this or that. It's not going to be about any of that; we're talking about psychology, methods, tactics, the TTPs you keep hearing about. We're going to start using the things that we learned from hundreds of years of law enforcement and military-led stuff and applying them to the cyber world, because that's what it is.

So let's talk about this a little deeper. We know this is the Target breach; I'm not ready to talk about Target, but I like the picture to illustrate my point. The phishing email that gets the attacker in is not the actual breach. It's a multi-step process: they get into one machine and move to another, and they move to another. I heard conjecture, I don't know if it's true, that in the RSA breach they apparently hacked 27 machines before they got to the database they wanted. I haven't been able to verify that with anybody at RSA, but the point is they go from machine to machine; we know this. Yet we look at this problem in a very singular way: we're talking either about the phishing attack, or about the stolen credential, or about the RAM scraping. We look at things in a singular way, but these are multi-stage attacks; there's exfiltration and all that. Everybody's heard about the kill chain? Those who haven't, you want to be depressed now. The kill chain is a great example of how it's multi-phased. We know this well.

I went out with InformationWeek and Dark Reading, you've probably seen those publications, and every year I get to do a unique thing: I ask all the readers about security. I've been doing it for about five or six years, and every year it's pretty much the same; then a couple of years ago it changed. I actually don't have the latest numbers for this year, because the report's coming out next week. I could share them if this were a week later, but I can't share them yet. The whole point here is that almost every single year for the past three years, either number one or number two has been managing the complexity of security. So as a defender you've got a problem. Attackers have a singular goal; normally they've got time and resources, they can focus on what they want, do reconnaissance, spend all this time, and yet you've got this. This sucks. I mean, look at this: you've got all these providers over the top, you've got your services, the hardware itself having problems, the security products you purchase having problems too. So you've got all this to deal with, and the attackers have to find one spot. From that one spot they get in, they move around, do different things, et cetera; they become opportunistic, we know this. But dealing with this while also having to focus on plugging all the holes in the dam from the attacker is very difficult. The way we've approached it historically, and up to the past year or two, when we're just starting to talk about new methods, has been the same.

So how do we do this? Well, if I was in your shoes, and I was for a while, I started asking myself: I've got a team of people that are struggling with this, I've got a CIO that doesn't understand, I've got an executive team that doesn't care, and at the same time I can't go to bed at night knowing that the gas pipeline I'm securing for that energy company could blow up if somebody wanted that. So what do you do? I started thinking about it; I ended up drinking with a friend, and then it happened. We started talking, we got some stories, and I was asking his advice and things like that, and I realized I just need to start making better decisions. I realized that when you boil it down, looking at the past, a lot of times we just made stupid, stupid decisions in terms of how we're going to defend against the attacks and the attackers. They have the opportunity to enable luck. They can make a stupid decision and we may not even know it; they just go to another machine and try again. They have the opportunity to fail; it's an iterative process, and they still attack us in the end. They can fail 22 times and the 23rd time they get it right. We don't have that luxury. A lot of times in the enterprise, if you fail at two security problems in a row you're probably going to be fired, because you interrupted something. I started doing some research and found out that we literally need to look at this problem beyond just security in general: why do we suck so much at managing IT-related projects and getting things done the right way?
A couple of interesting things here. This was a Harvard Business Review study, so a business magazine did this, with a Berlin university, looking at 200 big companies: let's look at all your IT projects and security projects. 67 percent failed to terminate unsuccessful projects; they knew they were not going to succeed, but they were going to give them the college try anyway and see what happens. 61 percent had major conflicts; they probably had the same product twice. I walked into an organization that had two products that did the exact same thing, bought within a year of each other, because divisions weren't talking to each other. So, conflicting projects. 34 percent weren't aligned to strategy, because some guy probably just wanted to push it through; it's really a strategy thing. And 32 percent just floundered, didn't work, we did this already; the IRS is a great example, they spent millions and millions on a system and threw it away after it didn't work so well. The big thing, though, is the cost overrun: one in six projects had a cost overrun. Why am I talking about all this stuff when this is supposedly a technical hacker talk? The real reason is that it's not about the tools anymore, it's not about the technologies. A lot of times what's weakening us is flat-out bad decision making, and then we get hamstrung because of those bad decisions by management, and we need to leave or we get stuck in a sunk-cost loss. The cost overruns are the big thing here, because one in six had a cost overrun of 200 percent, and that gets on somebody's radar, whether it's the CFO or somebody else. In the real world we can all go out and research vulnerabilities and cool new research reports, but in the real world we wake up, we go to work, we have a budget, we have X number of dollars.
I know I've made some bad decisions in the past, my predecessors made bad decisions, they've got a lot of technical debt; what do I do with all that other stuff? So I started doing everything right: let's do a risk assessment, let's find out where our problems are. Most security engineers, if you're in a large corporation, are involved in risk assessments throughout the whole year, all the time. Maybe it's in every single project, maybe it's a big audit that happens once a year, but you're probably doing a risk assessment. So I asked a lot of people, with InformationWeek and Dark Reading, how many people are doing risk assessments; everybody's doing them. How are they? They suck. Some say they were somewhat effective, thirty percent say very, three percent not at all. When we actually dove deeper, I called people from the survey, and these numbers were a little disputed, because "somewhat effective" means it helped me get some more budget, or helped me get something that I wanted, but did it really reduce your risk? Not really. So these business systems kind of suck. Everybody agrees with that; I know they do. This isn't the lesson I'll talk about; this is what you guys live in: it's the color-coded system, we've got red, green and yellow, we've got an Excel spreadsheet for tracking, or if we've got a lot of money we buy Archer or something else like that to track it for us with a fancy web interface on it. But in the end it's a row with some numbers, a color, and a to-be-fixed date. This is the life of a real security engineer. If you showed this to somebody at a university they would not be going into security, because this is really what we're doing as defenders. We can report all the fancy stuff we want to do, the cool new products out there, but this is really what it ends up being about: we've got to justify why we're making these decisions to get the budget to go ahead and solve the problems.

So these risk assessments, as I mentioned earlier, everybody says that kind of stuff. I think about it in a very different way. I'm not the only person talking about this; there are a couple of other folks, and I'll give you some links at the end of this presentation where you can learn more about the other things that are going on. But we've got some precedent on how to solve this problem, a lot of questions actually, and some really cool things. Like these things: anybody ever heard of a building falling down?
There's a reason why: for hundreds and hundreds of years, the way they approach building buildings has been very different from the way we approach building IT systems. They approach buildings in a different way because they don't know what the potential stresses are going to be. They're going to build this for 100 years, 200 years, who knows, as long as it can possibly stand. They don't know what's going to happen, so they design it to focus on the integrity of the entire system. The friend of mine I mentioned was actually the head of a large construction company, and he's the one who got me turned on to this about three years ago.
And he said: we do these huge buildings all the time, we spend so much time talking about possible failures and the ways the system can adapt if a failure occurs, but we don't talk about the failures themselves, we don't talk about a big gust of wind coming or something like that. We just talk about how the system fails in a way that we can manage, we can monitor it, we can detect it, because if we can detect it, we can manage it, monitor it, and respond to it in an effective way. So the last major building collapse was actually in Bangalore; it was a mall, a bank, a factory, a shop like a clothing store, all around this one building. This was in 2001. The building collapsed in the middle of the day and 400 people died. It was a horrible tragedy, the worst building collapse in modern history. Why did it happen? The building fell apart because of some structural issues they had known about for years. There were cracks all over the place; they brought in teams because they saw the cracks, they saw the fractures, they saw the stresses that were going on, and they condemned the building, but they knew about it for years. So it didn't just fall; they'd been notified, they were just neglecting it. That was the last one in human history that had a major impact. So this stuff is working.

And if you go back even to the 1800s, 1700s, you get this whole process that was created called failure mode effects analysis. Anybody familiar with this? Maybe you've got an engineering degree in chemical or mechanical engineering. Mechanical engineering, chemical engineering guys, this is what they do almost all the time, yet on the IT side of things we never talk about this, and usually it's never taught either, which is a different problem. So what is failure mode effects analysis? Very simply, it's a tool for identifying the risks within a system, with the intent of mitigating those with the design or the architecture of whatever that system is. So you go through and basically say: hey, how can this fail, and if it fails, what happens? That's it. You document that. Now we're going to walk through this; I'm going to give you a real-world case of how this actually works and how you can apply it to IT. It's actually super simple, and when you walk away you're going to say, holy crap, that actually is very easy, why aren't we doing that?

Let me give you the background on this, because I didn't create this. What's happening, though, is that some academics are modifying this for IT, so if you do some research on Google, you'll read about this stuff; add IT to your search terms and you'll start seeing people talking about it for information technology. This was first used in the 60s for space missions, because when something's in space and it fails, what the heck are you going to do? I have a really cool story that I'm going to tell here about how this saved NASA's space operations a couple of years ago. In the 60s and 70s they developed a specific standard on how to use this: how do you go about using it, how do you integrate it into what you're doing from a day-to-day perspective. Then it kind of swept all over the place, academia, et cetera, but there are traces of this type of approach all the way back to the 1400s, in building the cathedrals and things like that.

Let me give you a great analogy of where I think we're headed in terms of IT security. If you get into an accident with a car now, the designers of that car purposely make something called a crumple zone. It is meant to fail so the integrity of the system stays together. How do people build crumple zones into a network? No way; who thinks like that? Who thinks about which network segment is perfectly okay to fail, 100 percent, I will give it to the attacker to save everything else? Nobody thinks like that.
Inside the system that you're protecting, you potentially have to lose certain things, and you're okay with that loss. That's part of failure analysis as well. Lately I've seen this used as a tool for quality as well. I'm not going to talk about quality here, but a lot of the research I mentioned that's going on is talking about using this to improve IT delivery, i.e. DevOps, i.e. cloud; that's one of the things you can do with it. Doing development in the cloud with failure analysis is really freaking cool stuff. Netflix, I see those guys are doing some crazy stuff around this in an iterative, constant, 24x7 approach. So you can do this in that area too. This stuff has been here for a while.

Let's talk about a real case of how this actually works. Let's say you want to make a Molotov cocktail. What do we need? We need a bottle, we need some alcohol, we need a rag, we need a match, we need a window to throw it through.
We also need oxygen, because if there's no oxygen the match doesn't strike, so there's no fire, the rag doesn't get lit on fire, we can't throw it, and it won't blow up. So a failure analysis is analyzing the conditions that have to exist for a failure to occur, i.e. if the failure is an explosion, the explosion can't happen if there's no oily rag, if there's no oxygen, if there's no match, if there's no open fire, and if these things don't happen at the same point in time. There's a timing problem too. So you need all these conditions to exist at the right point in time, in the right instance, and then everything happens. So failure analysis is basically taking these conditions and looking for them all the time. That's what building inspectors do; that's what architects do when we design these things; they're looking for these, making sure that we can easily identify the conditions that lead to a failure.

So let's actually apply this to our world. First, realize that this goes on forever: once you have a condition like an oily rag, you could say, well, what about the oily rag, how does that come into existence, what's the effect of having an oily rag or not? In the real world you can go on forever, and there's computer simulation to do this for building design and stuff like that, but in our world, in security, you usually don't have to go more than two levels for this to be a factor. So this is not something that's fancy; this is not a big Excel spreadsheet with Monte Carlo simulations and all sorts of stuff. This is just something that's easy to do, and we'll walk through it.

Here's an example I use to teach this: will the stage make it from Hanging Hill to Placer Gulch? We're over here and we need to come all the way over here; lots of bad stuff along the way. We've got all kinds of bad things: we have Robbers' Roost, we've got the Buffalo Ford, we've got all kinds of things. You've got some information on how you're going to get there. That's how they talk about failure analysis: you've got to go from there to there, what's the probability of these things causing you problems, and if they cause you problems, how does that impact your ability to get where you're going? Let's change this up. Let's say that's bad hacker number one and this is my file server. Let's walk through that exercise: what does the attacker have to do to get through all these different systems to get to the file server with my critical data? Let's map that out. You can use a kill chain to do it; you can do it just on a whiteboard with a network diagram, which is usually my favorite thing. Then walk through this and start listing the things that have to happen for them to get from station one to station two to station three, et cetera. So list the conditions that have to exist; otherwise they're not going to be able to do that. That's the key here: what are the things that have to fail to allow them to move? We make the assumption that they're never going to get to this file server; that's the assumption we make. So to really be able to move from station one to station two, something had to fail: a control, a technology, a person was corrupted, whatever it may be.

So this is an interesting story I want to mention to you: the Mars rover. If it wasn't for failure analysis, they would have lost it, and the whole mission would have been scratched. What's interesting about this is that a guy was doing failure analysis, it wasn't part of their process, and they determined that, hey, there's a possibility the flash will get corrupted on this thing, so let's add a capability called "init crippled": if somehow the flash is corrupted, it goes to a secondary kind of system waiting for commands. So the rover is millions of miles away.
The flash is corrupted, and guess what, they fixed it, because they put it in.
Okay, so a pretty cool real-world example of how this all works: remotely from Earth, millions of miles away, sitting on Mars, they rebooted it and brought it back. A pretty cool use of this type of thing.

So the key here is to be prepared for a low-probability event with a huge consequence. My hypothesis with all this stuff is this: we talk a lot about those risk assessments, we've got our highs, mediums and lows, we talk about SQL injection being the number one worst thing in the world. We read the Verizon data breach report, where it says if you fix these nine things you'll solve 92 percent of the vulnerabilities in your environment. You've got big numbers like that and it seems so easy: if I just fix these nine things, fix SQL injection in my environment. Yeah, if you have 422 app servers, am I going to fix SQL injection on all those things? There's a problem with scale, there's a problem with complexity; it's not as easy as just saying nine things we can fix. So when you start diving into the details of those nine things, you realize those nine things connect to another nine things, because they use SQL injection to get in, and they use one of those nine things, like privilege escalation, to get to the next machine, and another one of those nine things, like, I don't know, pass-the-hash, to go to another machine. So they're using the same things; they're moving across the network, and what should be a low-probability event, when you chain a couple of high-probability, low-impact events together, becomes a massive breach. So it's the chain that you have to look at, not those individual rows. It's not an Excel spreadsheet anymore. Those rows sitting in the Excel spreadsheet are just one of many points. Go back to our picture: each one is one of the stations. SQL injection is one stop on the way; we're going to hop on the train, go to privilege escalation town, stop there, and then go to abuse-administrative-privileges town, all stops on the way to the breach.

So if we go back to the next piece here, how do we actually do this? I'm going to walk you through it. First, you start with an attack; pick one. What I normally do in this process is very simple: throw your network diagram, a high-level one, up on the whiteboard, get a couple of people around, some pizza, and always have your systems people in there. Pick one attack, say they started here, and let's play the game: how do they get to our file server?
How do they get to whatever you consider your high-risk assets? For each of the failures, these are the spots, whether it's a server, a network segment, whatever you choose, determine the effects of what happens if they get there. They've now made it to station two. What failed to make that movement? What could have failed, and if it did fail, how do we detect that failure? Then identify the causes. So first: okay, they're going to use privilege escalation to get here, that's what caused that; well, it was SQL injection, they used a weak hash, and they cracked the password to get that privilege. You write these down; these are the conditions we mentioned before. This is the equivalent of writing down oxygen, or writing down alcohol, or rag. Near the bottom: what are the current controls we have that supposedly prevent this? Probably a web application firewall, we have this, we have that; you write those down. Okay, the next step, and this is where it's getting fancy, is the risk priority number. Slow down, it's not that bad, I'll explain it in a second, but really the next step is what matters: looking at the frequency of these things. How many times do you people see SQL injection? How many times do you see the words privilege escalation? How many times do you see XYZ? These are the recurring severities you're seeing of the actual techniques, tactics and tools the attackers are using to go ahead and execute their breach. That frequency is important. Then you start developing ways to fix those. Guess what, it's very simple: the frequency normally matches the risk priority numbers, because of what the next slide shows. Basically this gives you a way, a lot better way, to prioritize the items you need to actually fix.

So that big spreadsheet issue, 15 pages in Excel, mostly red: which one do I start with? They call it the needle in the needle stack problem. All the needles are there; if somebody's going to pick one, which one's going to stab me in the heart and kill me today? Which one am I worried about? I need to know which needle matters in my organization, because if I'm a web-based company with a bunch of servers on the internet, web-based things may be worse for me than something else in the background. So here's what it boils down to. You have an RPN made up of these three things. Severity, we all understand that; that's your CIA, confidentiality, integrity, availability: what's the severity when the shit hits the fan here? Occurrence: is it likely or not?
All right, you can choose this, okay, you can pick one of the occurrences. But here's the one that is never calculated in risk: what is our ability to detect it? This is the differentiator when it comes to failure analysis versus traditional risk impact models and things like that: our ability to detect. Maybe you don't have a control at all, you cannot ever detect when this actual threat occurs. Well, guess what, it's going to be a ten. Not easy to attack, nothing's going to shoot through the roof, that's the one that's really, really going to screw you, because you're never going to know what happens, so you're never going to know when that failure in the system occurs. So you're not going to see the crack in the building that leads to 400 people dying; you see them getting in here. So the whole point of this process is making sure that we're looking at the things that we don't know about, and also making sure we're spending the time on the things that, if we do address them, cause the biggest risk reduction that we can get. All right, now there's easy ways to solve this too. I'm not going to go into a whole fancy way of it, you just go off and fix these. If this is a 10 in terms of ability to detect, you can lower that, right? So you don't have to fix it, but if you can put a control in place and detect it, you can now manage that risk, which is a much different game than just eliminating it. All right, so in fact, if I can go ahead and put in XYZ control to make that a, I've gained something, right? Because now if the attacker breaks into my network using a SQL injection, it gets to the spot, I mean, I think you know about it, right, because you've made it a lot better. You look at the data breach reporting, Verizon, months, right? If I can use that, 12 times an attacker on my network today, that may change everything. Maybe you'll get access to 2,000 customer records instead of a million, right? Could completely change the way we respond. Now I'm not going to, there's a different discussion, go back to the whole building thing. There's a second thing that construction does that we don't do, which is communication. I'm not going to talk about that today. They have a very, very structured communication plan in building buildings, so that the person who's a carpenter who walks up can see a bad weld and he can report it to somebody and get it fixed, right? That's a completely different discussion, but it's also needed to really, really embrace this. That's why DevOps kicks ass normally when you do this, because it's so easy to iterate on fixes in a DevOps related world. All right.
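The RPN bookkeeping described above, as an added example that is not part of the talk: each attack-chain condition is scored 1-10 on severity, occurrence and detection, conditions are ranked by how many whiteboard chains they recur in with RPN breaking ties, and a detective control is modelled as lowering only the detection score. The condition names, chains and scores are constructed for illustration.

```python
"""RPN scoring for attack-chain conditions (added example, not from the talk).
Each condition is scored 1-10 on severity, occurrence and detection, where
detection 10 means "we would never see it"; RPN is their product."""
from dataclasses import dataclass, field, replace


@dataclass
class Condition:
    name: str
    severity: int    # impact if the condition is used against us
    occurrence: int  # likelihood an attacker can pull it off
    detection: int   # 1 = we see it every time, 10 = we never would
    controls: list = field(default_factory=list)

    def rpn(self) -> int:
        for score in (self.severity, self.occurrence, self.detection):
            if not 1 <= score <= 10:
                raise ValueError("scores must be on a 1-10 scale")
        return self.severity * self.occurrence * self.detection

def chain_frequency(chains):
    """How many chains each condition recurs in (counted once per chain)."""
    counts = {}
    for chain in chains:
        for name in set(chain):
            counts[name] = counts.get(name, 0) + 1
    return counts

def rank(conditions, chains):
    """(name, chains_seen_in, rpn) from most to least urgent: the recurring
    conditions first, RPN breaking ties, as the talk prioritizes."""
    freq = chain_frequency(chains)
    rows = [(c.name, freq.get(c.name, 0), c.rpn()) for c in conditions]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

def add_detection_control(cond, control, new_detection):
    """A detective control leaves severity and occurrence alone; only the
    detection score improves, which is enough to drop the RPN."""
    return replace(cond, detection=new_detection,
                   controls=cond.controls + [control])

# Constructed conditions and whiteboard attack chains; scores are illustrative.
CONDITIONS = [
    Condition("sql injection", 8, 7, 6, ["web application firewall"]),
    Condition("pass-the-hash via LM hashes", 9, 9, 10),
    Condition("phishing", 6, 9, 4, ["mail filtering"]),
    Condition("bulk data exfiltration", 10, 5, 7),
]
CHAINS = [
    ["phishing", "pass-the-hash via LM hashes", "bulk data exfiltration"],
    ["sql injection", "pass-the-hash via LM hashes", "bulk data exfiltration"],
    ["sql injection", "bulk data exfiltration"],
]
```

Calling `rank(CONDITIONS, CHAINS)` puts the exfiltration and pass-the-hash conditions first; `add_detection_control(CONDITIONS[1], "GPO fix", 3)` shows the pass-the-hash RPN dropping from 810 to 243 without touching severity or occurrence.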
So I'm not the only one talking about this. There's a risk fish, okay? The risk fish is basically taking the idea of the fish and applying agent, attribute, impact, asset, action and controls around security events. It allows you to understand the real risk of an issue. The risk fish is good, it helps you along this route; the only thing it doesn't do is, it's still on a singular event, okay? So a lot of times I see this as additive items. You can use the risk fish itself to understand the, you know, severity and, in terms of, detection of a specific issue, but you still need to chain it, right? It's the chain that matters in the end. Okay, now I mentioned doing this in a room, throwing it up on a whiteboard. That really is the process that I've done for many, many large organizations with this to see, and then you go off and start fixing certain things. You'll end up finding it's the little things that have massive improvements, not enterprise-wide massive projects that fail with a 200 cost overrun. It's the little things that end up causing a huge, huge impact. To give an example, energy company: the number one thing that was not easy to detect, had massive, massive severity for us, LM hashes. We had LM hashes, so any attacker anywhere, they could just pass hashes, control all user accounts, no problem. Very easy, high likelihood, high severity, we couldn't detect it, and it was in almost every single attack chain that we built. That's why the GPO fix was fantastic: it took a month and a half, but it significantly changed this. We now knew that we had a big risk reduction because of those things, and we had a way to detect it now with the stuff that we put in place. All right, so this real station uses as well; if you go to this slide right here, there's actually a talk about another method that you occasionally see with failure analysis, um, called the bowtie. All right, and what was that doing today, but you can look at that as well. So this
is stuff you'll be seeing coming out, um, something I want to discuss. So that's all I have right now, I want to open up for questions or so. Um, I'd like to get a mic here, we'll walk around. Do we have any questions? Raise your hand. That's like bothering, amaze everybody, and we're all ready to go. Go ahead.

Um, so I'm familiar with the risk fish. I mean, how do you tie that in with doing your network drawings and all that stuff? Are you doing, you know, a risk fish at each juncture in action, and have you found it useful? I guess maybe that's even the thing.

So the question was, familiar with risk fish, uh, how do you do that, do you do that at each juncture, how do you integrate it in this process? If you do it at each juncture you're never going to finish this process. I would say you're doing it for the higher level, big, big owners. So if you see an attack trend that's coming, you may want to do a risk fish specifically on that attack, trying to understand the rest of the impact in fixing it, or the rest of the risk impacting the organization outside of the actual attack chain itself. The one negative of this whole process is that it is focused on the security folks, right? This is about solving vulnerabilities and reducing risk; it has nothing to do with business impact. I didn't talk about anything about cost control or any of that stuff, right? Risk fish takes that into account normally, right? So usually you're going to use that as an additive to this, as an additional component: maybe take one of those items, blow it out with a full risk fish type of approach. So, have I found it valuable? I find it valuable for large organizations where you have many big divisions or silos in which you have to understand how this is going to fall over and cause other areas where you get more input; then that's where I find it valuable. If you're small enough, the team knows that you can make recommendations and make them somewhat impactful right away, it slows it down. Great question. Here, go ahead.
Connection, I think this microphone works. Yeah, go ahead. What's your, what's your best methodology for trying to determine the likelihood of the occurrence of some kind of value?

So the question is how do I determine likelihood. It's actually a really simple process. First question I ask is, does that display do it? Yes. If it doesn't, is there a public script available? Yes. If there is a script available, can I download it and compile it myself with no knowledge, or is it indisputable? Yes. If it's not, okay, then I start looking into it deeper, but if it's gotten through those first three it's probably much lower likelihood. Doesn't mean it's zero, but less likely, right? Um, but usually it's those first three; they're going to be in automated tools, they're going to be done by an attacker. You look at any of the data breach report information, they're not using any custom advanced persistent threats, my ass, right? I mean, I call them CRAP, continuously reoccurring annoying programs. They're the same thing over and over again, it's just a new method, whatever it is. Very rarely, very rarely, type situation with a zero day. It happens, but that's really not what you're dealing with every day. That's not, again, the pinpricks, um, you can die by a death of a thousand cuts, right? And that's the thing, is you gotta do something, the surface area is too big, so start with that area and then go forward. If you're at the point where you've gotten all those gone, then anywhere, it's actually a real likelihood analysis for your organization. That's a different discussion, but there's some models for that out there too. Something,
this is the easiest, simplest one, unless you build it yourself. So, question here, go ahead.

Hey, people, sorry. Uh, you briefly mentioned, uh, DevOps, you know, relating to dev. Um, what are you seeing in the way of, um, SecOps relating to security, yeah, and other ways to actually implement your, your decisions, and actually...

Great question. So the question was around DevOps and what do I do with security and writing events. So I actually even talked at Interop, which is an IT conference, a couple weeks ago in Vegas around security ops, right? My whole thing was security ops, the better the DevOps, and there's been some posts recently, I think, uh, Rachel and SecurityOS has said that, you know, there's no such thing as SecDevOps, right? My view of this, though, is that it's a great, great tool for you to integrate to look for those conditions we talked about. Every time an automated system in a DevOps environment is happening, you can build it to run scripts to look for those conditions. So think of it as your building inspector, right, and it's constantly inspecting the building every single time it runs. You look at an organization like Etsy or Netflix, that's a thousand times a day you're getting re-verification that right now this is happening. The reason it's so important in the end is, if you recall, the last thing I talked about with conditions was that magic thing called time, right? So the problem we have with this approach, great as it is, is that you probably do this, then you wait three months to do it again, or you wait a year, or maybe you never do it again, right? When you use something like DevOps, you're building programmatic condition checking constantly, and it gets done within probably 15, 20 times in an hour sometimes, and so you're getting to that spot where you're shortening the time interval so that those conditions are much less likely to be missed, right? I think you're going to see a lot more DevOps talk, but the problem is no legacy enterprise can do DevOps right now, okay? So if you are an older organization that has had a mainframe, you can't do that, no, it ain't gonna happen, right? DevOps is really for those companies that have been able to start fresh, um, or companies that have an innovative way to deal with things. It's so hard for legacy companies to deal with that stuff. I mean, it's just, it's not gonna, it'll take a long, long time. So that's the problem I think with the DevOps thing right now, is it's not usable for the companies that really have the big risk.
We look at it a little bit different way, um, especially for threat modeling. When you throw the network diagram up on the wall we kind of look at it from a data center; we include that in the likelihood, because if you find out you have data in, you know, say a DMZ or something of that nature, of a sensitive nature, and you lose, the likelihood of losing your control, yeah, let's say your WAF gets knocked over or your load balancer gets knocked over, and now you're at the full run of the internet because you allow 8443 to come in the wall, now you've got a data breach possible of that asset behind there because there was an army. In your methodology, how do you factor in the likelihood of control loss and how that impacts the next control, and then that's control and the next control, in, you know, in your likelihood analysis or in the threat model of saying, we just knocked over your WAF, now we're blowing past your firewall, now we're going to do a connection, you know, flood on your load balancer, so we affected your availability so much that you're offline and losing millions of dollars. I didn't want your data, I just wanted to affect your stock price. Guess what, I bet against the market, I'm making those, right? How do you...

So, a great question. So it's much more advanced than
I think a traditional issue, and I'll summarize what you're saying. Um, the majority of this approach helps when you don't have to worry about all those additional probabilities, which most organizations still have today, okay? When you do get to the point where you have to deal with those probabilities, then the RPN that I mentioned, you can't use that process, okay, it's too simplified. Um, when you are looking at, okay, I want to understand the probability of my control being lost, right now I really tell customers it's a binary in the beginning: either you lose it or you don't, okay? And you know that because it exists or it doesn't. So if you're doing, for example, hashing, you know, the LM hash for example, either you have it or you don't, right? But in your case, we talk about a WAF that is purely based on your organization. So if you actually really go deep into the failure analysis, you realize one thing we didn't talk about, which is you have to track the table over time, you have to use historical understanding. So you would be taking your IT department, you say, okay, how often does this come down, how often do we make changes, how often do we do these things with this device, and that's going to help you compute a score, right, for that. You can get really in depth on that, but I find in general that it's much easier for you to come up with a consensus of what that probability is than trying to do some fancy model. And so most people, I know you guys are probably in the same spot, if I came to you and, you know, the WAF team are a bunch of idiots and it's always going down, you get a big gut, you just tell me, what's the probability it isn't going down? You go, probably pretty high, right? So precision is not as important. Good question though.

But I think we have, you got any more questions? Good questions. Stop the heat. Go ahead.

Just, just a real quick one, um, yeah, right, um, when you're doing threat modeling, you, uh, use the STRIDE methodology at all, just sort of standard?

Not really, clear, not really. Um, I think every model has its own limitations and I think, for me, STRIDE, again, is all too focused, like risk fish is too, into one specific item, yeah. This is kind of getting you outside your picture, right? That's just my experience.

Do you find it too constrained?

Yes, exactly, yeah. Thank you, because this is all about risk prioritization in
the end, right, versus threat modeling is a little bit different. I really want you to focus on the right thing so you stop making bad decisions, and that's really what it boils down to. I'll give you a great example of a story that really exemplifies why this works. Organization, large bank, get a call from the CSO, talking about encryption, blah blah blah, cost us this amount of money. I'm like, I don't, I thought you just told me you guys are like me, you never missed a laptop. He's like, oh yeah, he just goes, you know, 675 thousand dollars, we're pushing it out. I'm like, but you use Citrix, all of your people use Citrix and access everything, you don't have any data on the laptop itself, and like, why the hell did you, why did you make that decision? Here's the real reason: he lost his laptop a couple months ago in New York. So to him it was a real threat right now. That's called confirmation bias. He took a look at risk, there was a risk, it was on there, it was somewhere down the bottom, you know, but it wasn't the risk they actually should have been focused on, right? So they spent all this money and effort, they really changed the profile of the organization, right? So a lot of bad decisions get made like that. There's actually, I did a report, uh, two years ago on confirmation bias, if you guys are interested in some information for that, learn about how you just, you know, it's a cognitive bias, it's a very simple psychological event where you go out to buy a car, you're looking for a Toyota, all of a sudden you see Toyotas everywhere. It's a confirmation bias, it's your brain giving you information it thinks is relevant, and so you assume it is relevant, but it's not. Any questions at all? Hopefully you guys weren't disappointed it wasn't a deep technical dive into the malware analysis I normally talk about. All right, I appreciate your time.