
BSIDES Cape Town 2018 - Making Defence Sexy Again - Cailan Sacks

BSides Cape Town · 49:18 · 415 views · Published 2019-02
About this talk
You’ve heard this before, right: it’s not a matter of “if you will be breached” but “when you will be breached” (or when you’ll find out you’ve been breached). So, as we rapidly scale to environments of increasing complexity, more layers of abstraction, and the weaponized “mimi-ransom-sploit” thing, how should our blue teams effectively coordinate and execute their threat hunting and incident response? A really good defence-in-depth strategy is likely to entail a small fortune’s worth of really good (or capable) products, including AV, HIPS, HIDS, EDR and host firewall; and that’s just on the endpoint. With this much data to consume, there is plenty to keep our threat hunters busy, but busy looking for what? What will they do when they find it? How are blue teams expected to process and respond to such a wide variety of events and triggers amongst all the noise? Without proper orchestration and automation, alert fatigue is likely to rapidly set in for an IR team. During the presentation, we will outline some of the issues faced by short-staffed blue teams, and demo some of the investigative tools an analyst could become “stuck in” whilst performing threat hunting or IR duties. From this, we should be able to show the obvious need to go beyond the product. Effective orchestration not only increases the effectiveness of the responder, but also changes the “defender’s dilemma” into the “attacker’s dilemma”. Speaker: Cailan Sacks https://twitter.com/darksurferza
Transcript [en]

Oh, I don't see Darren back in the auditorium. I just wanted to tell him the right way to hold a mic is this way, sagging the pants. Hopefully that works for this presentation. If nothing else, if this doesn't work I'm gonna resort to rapping, or I'll make it up, I'll make a [Laughter]

little bit. Also, another disclaimer is this is the first time I'm doing this particular talk, so it may not be as polished as Terence was. But that being said, I mean the title of this talk kind of says all that it needs to, right? The point of this is we have a very red team focused InfoSec space at present. I mean you've got the pen tester guys who are all like rock stars, and these guys are cool, they've got 0-days and t-shirts and all that fun stuff, and like nobody wants to be in the blue team anymore, right? And I think what I really want to try and achieve in this talk is to kind of

show that, you know what, blue teaming can kind of be just as sexy as the red team stuff, right? Anyway, so just to give you a little history about myself, other than the stuff that's on the screen, is I used to be a pen tester, right? And strangely enough a lot of people actually start off in the blue team and go toward red team type stuff, and I was in the red team and I've moved toward blue team type stuff. And a lot of this started actually when I just started my red team career. I was working for one of the banks and they sent me to a security conference and I met, I seen this guy who

was giving a talk, this fricking InfoSec quack, Haroon something or the other, I don't know the guy. Anyway, but if you guys haven't seen any of Haroon's talks, he often does this talk about why InfoSec sucks, right, like why we are bad at our jobs. He always starts off this thing by saying, like, okay, anyone in the room who thinks that your CEO is unreachable by a targeted attacker, put your hand up, and then nobody puts their hand up, and we're sitting in a room with, usually, like all the hackers in any particular business, and he says, well, you guys are so clever, then why not, right? And this was the premise of his talk, and

at the time, I mean, I was in the red team, I was a pen tester, I was all bright-eyed and bushy-tailed, and I thought to myself, you know what, come on man, like the fact that you can get to my CEO has nothing to do with whether I suck. It's that guy, that freaking dude in the room over there, and that dude with the white t-shirt, like it's his fault, he didn't patch the thing, you know. I found the vulnerability, I told him where the problems are, they must fix it, stay a problem, right? And that's why I started off in InfoSec, and I actually think that carries on quite far into

like the natural career progression: we all start off as blue team people and then as we get better we're like, no, now I want to be a hacker, right? And that's actually what made me decide eventually to leave doing red teaming, blue team, red team type stuff. And so I used to be a pen tester, and I decided one day, after doing a pen test at a firm for the third year of finding the same vulnerabilities on the web front-end, I thought to myself, you know what, I could do a better job at this guy's job than he can, like, and that's what actually led me to start blue team type stuff. And I think just to set the scene for

this particular talk, let's talk about, like, isn't defence sexy already, right? And so we'll start with the red vs. blue comparison. And so the red team guys, I mean they've got like logos and art designers and vulnerabilities and exploits with cool names and like CVEs and bug bounties that they get paid for. And on the complete flipside, like look at the blue team stuff, right, we've got like vendor issues, we've got some maps with lines that go from one side to the other, and every SOC is thick peel, and actually there is one that makes pew pew sounds. So you guys see that cybersecurity map where you've got, like, you can see attacks going

across the world, this one specifically with pew pew sounds as the attacks are going across, like someone thought this was a cool idea, you know. And I mean, okay look, I'm not gonna comment about whether Darktrace is effective or not, but it's the only thing I can think of that is pretty. Have you seen the user interface? Like I think they spend most of their R&D time on that user interface, right? Totally, totally, right. And I think this then becomes a thing, right: I don't think cybersecurity is actually sexy, right? I think the industry as a whole, I mean whether on the red team or on the blue team side, we're like too vendor,

okay, not like Finn and Cause, I mean like, like vendor, right? And I think the thing is, if you look at the blue teams generally, like, just a quick show of hands, guys in the blue team, quickly. Okay, keep your hands up, just keep your hands up for a second. Put your hands down if your manager is more technical than you. Right, see the problem? And this is gonna be my second quick story, right, is that I actually used to report to this guy who set the strategy for defence and cybersecurity, at a bank no less, and this guy had this freaking dumbest story of all. His whole

cybersecurity strategy was this, right: nine out of ten times, okay wait wait wait, ninety percent of the time, so I kid you not, this is what he said, right: hackers use Linux. And I thought, okay, cool story bro, like where are we going with this? And he said, so if we use NAC and we block Linux on the network, 90% of your problems are gone, right? And I looked at the dude square in the eye and I thought to myself, you know what guys, I'm resigning today. That is literally what happened, and that was the first of two times that I resigned from this organization within a three-month window, but we're not gonna go there

right. And I think the other thing to remember here is that like these statistics just seem to be made up, but you know, InfoSec quacks, right? And this is a problem: cybersecurity just isn't sexy, right? We're not getting that balance right. If we look at our current cybersecurity strategy, right, we've got a couple of things here, right. I mean, it's 2018. CLI tools, I mean as powerful as they are, guys, it is still 2018, right? I mean we really can't be affording, in trying to attract new talent in, to get them to sit in front of a 3270 terminal bashing away commands. This is why all the mainframe people are like past

retirement age, right? They're the only people who like this user interface. Like, it's 2018, okay. Actually no, it's gonna move forward from this particular point here: too much effort, right, not fit for purpose, right. Like guys, how many times have you, again show of hands, your line manager's come back from some security conference and he's like, guys, got your report, fricking demo, it's amazing, we need this thing, right? And they make that decision based on like, dude, do we want this thing, not does this thing work for us, but they saw something on a screen somewhere, thought man we need this thing, not, guys, what do we need, and then go out and look for

that thing. No no no, that's not how these purchasing decisions work. And before I get to the next slide, I'm going to tell you another quick story before I explain the next slide, right, is that I work at Investec, and this is where I met the third quack, right, but this particular guy, one Herman Young, he said to us, guys, every particular piece of malware that hits our email gateway, I want my incident response team to look at, right? So the team at the time, we had two incident responders and a new guy, I was the new guy, and I was like, dude, more quack science. But actually this is

one of those times where I can say, like, two out of three InfoSec quacks are like dumb, and this guy maybe was onto something, and this led us to some of the things that you'll see here, a demo that I'll do a little bit later on. My time, we're good? Okay cool, now we've still got plenty of time. This is just some screenshots of two of the things that we've bought to try and help us achieve this particular target, and this has actually been an amazing journey getting there, right. The first thing you'll see in the background is actually our malware repo, and investigators both use it, and we shared it across the

South African Banking Risk Information Centre threat working group, and what that is is where all the banks get together and wherever we find malware we throw it up here. As soon as we upload the file, the file goes straight to VirusTotal, we get WildFire analysis, we get peak apps, we get a Hybrid Analysis report, we use another tool called Intezer which does attribution. Basically what it does is it disassembles all the code, looks at the code that's used in all of the tools, and compares them to each other, so what you can do is you can say malware sample A shares some genetic association with malware sample B because there's some code reuse, even if

you don't know who the person is who wrote A or B, you can tell they're related. The other thing that allows you to do is you can say, well, I've only seen this particular code block in malware, so if I see this particular code block somewhere, chances are it must be malware, right? And what we do from here is all of these reports are automatically generated, so we upload these via API, they go straight into the sandbox, the sandbox processes them and it outputs some IOCs, right: any files dropped, any hashes, domains, IP addresses contacted, and outputs them in JSON format. We then suck that in via Splunk and then we constantly monitor our environment for

them. So if we find a particular host that's contacted a domain, for example, that happens to have appeared on this list, we know there must be some association to a sample which has been uploaded here, even if it's the first time we've seen the sample. So it could have been a sample that's maybe landed at the Standard Bank side and they've uploaded it to our malware repo, and we've subsequently been hit by it; we'll kind of get the alert, right. The second thing here is this is a screenshot from Telegram. This is one of our bots and I've just given you kind of a sample of like different things that we can do, so commands we can send it. When we get

threat intelligence alerts that come out of our threat intelligence sharing platforms, we can kind of take that particular IP address out and say, hey agent, IP block out traffic to a particular IP, so we stick the IP in and that goes straight to the Palo Altos, and within the next 30 minute window those updates are live on the firewall and none of the hosts on the internal network should be able to access that IP, right. And this whole process of automation is what's actually allowed us to achieve the targets that were set by the third quack in this particular story that I'm sharing. And it was actually just two weeks before Black Hat when Herman was having this meeting at SABRIC

about why the participation is the way it is at SABRIC and how do we better share information across banks, and a lot of the banks said, well, you guys have had this stuff for the last year and some odd, and actually we don't have these kind of things; we've got different tool sets, different tooling, different capabilities in our environments, and sharing data like this was kind of, it's difficult, right. I mean you guys can look at every malware sample that hits your gateway and see is there targeted action going on at any given moment in time; like, we're just happy that it got blocked at our gateways, right. And I guess from there Herman mentioned, well, it's

two weeks before Black Hat, BSides is coming up, why don't we open source something to the community, right, and why don't we make it such that, well, everybody can do this, right? It's not rocket science, we've kind of hacked together some code; how do we make it so that anybody, like a small team of two InfoSec people, can put something together and they can also have a capability that looks something like this? Now initially I thought, yeah man, that's easy. I submitted the talk for BSides, so I was like, cool, no, that's easy, like I'll do it the night before BSides, I'll just create a git repo, push some code up and we'll be fine,

and like three weeks ago I was kind of thinking it through, when I was thinking about the structure of the presentation, I thought, well, like, what if you don't have Intezer, right? If you don't have Hybrid Analysis or WildFire, or like most of our tooling is kind of very specific to us and what we do, right. Like if you're a two-man shop you don't have the budget to buy all the tools, and that creates like a whole nother set of problems: what do I do for malware analysis, what do I do for case management, what do I do, you know, like how do I have the same capability associated with a bank that has like lots of money to spend on

InfoSec because they really invested in security, all right? And so what I decided to do was, well, geez man, we're going to rewrite everything from the ground up and we're going to build it on an open source stack, right, so everything from case management on; there should be nothing here that you have to pay for specifically. I made that decision three weeks ago, two weeks ago I started building infrastructure Monday, Tuesday, Wednesday, so then Thursday and Friday, Thursday, Friday, Saturday we were away at an off-site, so I lost those days to liquor, I think, I can't remember, and then kind of Monday this week I started writing the code for this

particular project. I haven't slept much since then. Again, the polish may not be there, there's some bugs, but I'm fairly certain I can iron those out before the end of the week and we can like open source something to a git repo that anybody can download and make some attempt at kind of emulating kind of our incident response lifecycle, right. So I have brought my son along as ritual sacrifice just in case we don't get on. I'm gonna try and do a demo. I thought about recording the demo and then I thought, you know what guys, come on man, we're demoing incident response here, it's got to be kind of a live demo. Hopefully, please work, please. So I'm

gonna do this. I must say I made code changes last night, I don't know, so if it doesn't work I'm just gonna retry the command and we'll kind of play around. That should fill us up, hopefully. Cool, I've got time, so I'm sure I can put some code changes in between. Then let's do this. I'm gonna try and keep the chat history off-screen here for some of the other conversations, because someone's gonna post something with dirty words in, I know, I know our incident response team, they know I'm presenting. Okay cool, so anybody who doesn't know, this is a Telegram window. Telegram is like an instant messaging kind of environment, so I think WhatsApp just

Russian I guess. But basically, so this Telegram chat, I'm chatting to a particular bot which I hope is still running. Let me actually just check, please be running. I got disconnected, I don't know if it's up, but we're gonna make some attempt at making this work. So what I'm gonna do is I'm assuming I've got a malware sample in here, so I'm just gonna drop it in. I don't know if the bot's up, I don't know if it's gonna respond, I may have to reboot it, just a second. I see my network connectivity died and came back up, so I don't know if it's running. But while I drop in the file, these aren't gonna be malware samples

because this is my personal machine, I would like it to not have malware on, and also, well, I think it's just going to be safer so we don't get like AV issues. But please respond, I've sent you stuff, please respond. I see, you can look, you can also do this from your phone, so let's just see. No, I think it's dead, let me just do a quick reboot. Okay, so just one second, it's running in a terminal window and my network's died and I should have run this in screen, but you know, benefit of hindsight. [Music]

I think the network's up. Let's do a thing: send a file, please bot, respond to my files. Great, stop it, okay, stop it. Okay cool, so the bot will respond, and kind of just respond with a file hash acknowledging that it has received the file. It probably should reply again and just tell me, hey, I've already seen this file so I'm not going to process it for you. So this file has now been indexed, it sits within the database for the bot, so it exists, it's readable, it's accessible, and now we can kind of do some stuff with it, right. So what I want to do is I'm going to take this message that it's given me here and

I'm just gonna do a VirusTotal lookup. This version of the bot is quite different to our other one, the one that we're running: there you have to go command and parameters; this one here is context aware, so you can reply to other messages and it will kind of tell you, hey, does this exist, is there context here that I can use? It will attempt to figure that context out and kind of present you with something. So this is some VirusTotal data that it has managed to find for this particular sample. You can see obviously this one's not malicious. Yeah, that's not a real antivirus. So you can see I've kind of just done some VirusTotal lookups

on that particular hash. I've got another option here: I can either reply to this particular MD5 hash or to the particular file, so you can do either. I'm gonna keep using the hash because I tested that earlier, it still works, and I'm just gonna sandbox this particular file. This one takes a little bit of time, while it takes some time to submit to the sandbox and for the sandbox to do its own processing. So it was submitted, ID 22, to the Cuckoo sandbox. Let me actually see if it's running, please be running.

Let's look: pending.

Please, please, network, be decent.

Okay cool, so we've got the file up there, ID 21, okay that was the last submission, and it should still be running, let's see. Sorry, the network is not the most amazing thing at present on 3G; if there's anyone from Cell C here, it's your guys' fault, right? Yeah, yeah, yeah. You can see the sample is running on that side. Hopefully when it's finished processing the bot will send me a message back saying, hey, Cuckoo has finished looking at this particular sample, we've got some indicators for you that may be of use or not, I don't know. Wait, Telegram's back up. We can reply to messages, files, or we can actually just send it commands. I'm

gonna try another one here, so I'm going to ask it to disassemble the file, the hash, not the one that I've uploaded now, just kind of to show you how this works. Not the first time I've heard that, but anyway, my presentations tend to go well. So again this takes some time. What I'm going to ask it to do here is I'm gonna ask it to go and look up that particular hash somewhere, try to find the file, pull down the file; once it's got the file it's going to disassemble the file using radare. I can see it's been disassembled, it's gonna turn it into a code graph of the disassembly, it's gonna convert

it to an image and it's gonna send it back to me, right. So if you've got malware analysts in your team, hopefully you don't, these guys don't have many personalities. Okay, so the Cuckoo sandboxing has finished. It's kind of said, okay cool, the Cuckoo sandbox goes to VirusTotal, the one thing that's not an AV did detect it, so I can confirm it looks as we've seen earlier. If I click on this document, so this is a disassembly graph that the IDA people will love plenty, and so you can kind of look at the functions that you see in front of you and say, okay cool, is this, damn it, yeah, my talks

aren't really that good, don't know where it goes with your friend. So you can kind of look at the disassembly graph and kind of look for things like interesting loops; that usually shows them that the crypto stuff, CryptoLocker type things, use, you know, when you encrypt content you just run through a loop of like stream in bytes, encrypt bytes, write bytes, so you can ID them pretty quickly if you're into this kind of stuff, which I'm not. No, dammit, Craig's. The other thing you can do here is, I'm just gonna grab some content, just pasting some content, so you can see I've got an IP and I've said it

is an IP, and I've put in another IP which is also tagged as data type IP, so you can delimit these by comma, space, carriage return, line feeds; the bot tries to assume you're not gonna follow instructions, so it will try and figure out whatever you sent it, right. So over there I've got some indicators of compromise, just two IPs for this particular purpose, and I'm gonna ask it to do a threat lookup. So what I've done for this threat lookup is, in the backend, I'm using a service called Hippocampe I think, and essentially what I'm doing here is I'm just gonna throw those at it and say, okay, look through all the

open source data feeds that are available at any given time and just give me reputation information for whatever IOCs I've sent you. So you can do domains, domain names, IPs, all you've got to do is just tag your data. It should have replied by now. Something wrong with my indicators? No, something wrong with your indicators. Sorry, I need to reply to a message, yeah, it kind of doesn't like my context, there's no context that it could figure out, I was stupid. So anyway, I'm now going to try and look it up. Okay cool, stuff, happy days: for indicator 1.1.1 I found nothing; for indicator 2.2.3 etc. IP it's got a correlated

score, and it's actually being tracked on the Feodo Tracker abuse.ch block list, right. So if you're doing incident response, and like for anybody who does standby, particular standby incident response, what ends up happening is you usually get some alarm that goes off at like some stupid hour of the morning when you're sleeping, and then you've gotta like put your laptop up and then wait for the VPN and the freaking hamsters in their wheels to do a thing. And kind of what we've done here is we've allowed our IR teams to be able to do this kind of stuff without getting out of bed. And if an alarm does trigger, like for example this

one here, hey, I found this indicator here, assuming this was triggered, the original source was something that did detonate, your incident response guy knows, okay, now I need to really get out of bed and like open up my laptop screen. Whereas assuming they found nothing here, like, he can go straight back to bed and hopefully get some sleep, because you want him at work the next morning so you can actually clean up the mess that was made last night when he was sleeping, right. But let's assume that now your threat analyst looked at this data, realised, well, this is maybe not the best thing in the world that's happened to us. Let's go back to my messaging platform. I

need to get back out of bed, so he's going to do that, but I actually need to start working on this particular case, right. So what I'm doing here is I'm using a particular tool, also open source, called TheHive. It's case management for security incident response, and what I've done is I've just told it, hey, do some TheHive stuff: create a case called "b-sides new case", there's some indicators of compromise; when I get to my PC and it boots up and the VPN gods have done their thing, which seldom happens anyway, like I want to be ready to work on this particular incident, right. So you can see here it's supposedly done some things which again,

praise to the demo gods, refresh.

So it's just, wait, I think I'm not logged in, yeah, I'm not logged in. If you can see by the last cases that went into this thing here, I was actually still debugging code quite late last night. So anyway, you can see over here we've created a case, we've called it "besides new case", something like that, the name. Credit to, well, you can see over here, I'm gonna go, we've created the case, we've added the IOCs, everything is kind of context aware there, we can add tags if we want but I didn't want to test it just in case it failed. You can see here we can also add tasks from here, so we can kind of

say, hey, this was a malware sample, and we can create predefined malware sample tasks that your IR person will have to complete before the case is closed in your automation system. But if we just go to observables, these are the IOCs, you can see there are two IOCs, so I'm gonna click on this one and then I'm just gonna tell it to do all the magic things, right. So what's happened here is, in TheHive, what I've done is I've actually connected it to the Hippocampe threat lookup thing, and it uses another tool called Cortex which is responsible for kind of taking all of the tasks on this particular IOC and

doing some analysis on it. So you can see I'm kind of, the four tasks that are run here: I've got the VirusTotal report for that IP, I've looked it up on AlienVault's Open Threat Exchange, and I've looked it up within Hippocampe, kind of to see what that data returns. So far we're still waiting for AlienVault's Open Threat Exchange to go. We've got some stuff, and if you look at the top of the screen somewhere up yonder you can see we've got threat scores of 86.0, in terms of negative, we've got some VirusTotal data, and OTX, AlienVault Open Threat Exchange pulses: it's appeared in nine different pulses, so this IP has

been tagged by nine different threat actors, right. So you can pull out that content, you can actually look at the reports if you do a thing with the reports button, I don't know where it is now, I can't see the screen, anyway, you can pull down the reports for each of those items, you can read them, and then you can decide, okay cool, the fact that AV has blocked this, is that good, is it bad, do I need to NAC the machine? And usually what you do is you just isolate that machine so it can't talk to anything in the world and then you go back to sleep, right, because now you've done

something, and in the morning you can do something better. So essentially what you've done here is you've taken a process of a lot of manual steps, right, and usually what happens is every time there's an alarm you need to run through like a million different steps, right. Fire marshal, like, call security, are we fine, can we stay in the conference facility, like, you know, and you don't even know if it's a real alarm yet, right. Whereas what this allows us to do is just kind of click all the buttons, wait for some data to come back, and say, yeah, you know what, actually I can go back to sleep, I don't actually have to disturb

the speaker while he's speaking. People in the front just get it, okay. And I think this is one of the things that allowed us to achieve our targets as an incident response team. Obviously we run something completely different to what appears here, but we've open sourced this, so pretty much anybody should be able to achieve something similar. So in the interest of time I'm gonna go a little bit quick. So: automate plenty, it doesn't cost all the monies. I want to go back to this thing here, because, you know, guys, product vendors, like, it doesn't matter, right. If you take away one thing from this, it's that like the R&D time that we put into

red teaming stuff, finding exploits, finding vulnerabilities, logos and cool names for exploits and vulnerabilities and bugs, like the blue team need to have the same kind of stuff, right. And it doesn't matter what product you buy, there isn't a product on the market at the moment, as far as I'm concerned, that you could put down, look at the lights on the front panel, make sure they're all green, and then say, okay cool, I've done my job, and go away, right. The product lives don't matter, it's the people's lives that matter, it's the time that goes into making all of these things come together. More boosters: for anybody who's a Kerbal

Space Program fan, like, when in doubt, more boosters. And I guess this one here's another thing I want to emphasise, is that you guys have all heard about the defender's dilemma, right, and the defender's dilemma is that, you know what, you can do everything right barring that one thing, and that's the thing the attacker finds and exploits and kind of gives your team a bad name, right. But actually what you can do here is you can turn this into the attacker's dilemma. Now we had a targeted attack simulation that was carried out against us and we managed to find some of the guys that kind of made a slip-up in terms of where they were sending email from. They were

sending us mail with malware and malicious payloads, and they made a slip-up in how they configured their mail environment. So what happens is they didn't know, but once we pulled that header we were able to search through all of our mail logs and find infrastructure that they hadn't used yet, that they were planning to use much later in their attack simulation, but we proactively nuked all the things and we made sure we responded to nothing. So when they were kind of figuring, okay, does this exploit land, does this bypass AV, can we get through the mail gateway, like that, our red teaming guys were kind of frustrated at some point, and they kind of closed out our engagement with: we got

to a point where we weren't sure what was happening; like, we started this off and we were getting responses back, and then afterward we kind of got confused because there was stuff that we knew should land but it didn't, for a reason we didn't understand. And this is the attacker's dilemma, right, because the attacker has to slip up once, and if you're smart and you can kind of tie all these things together very quickly, what you can do is you can turn that into the attacker's dilemma, right. You can go and look up the history of a particular IP, look at the domain name, sort of return and go, maybe, hmm, and then kind of turn off all this

infrastructure. And, you know, like, InfoSec, the software you build kind of needs to be fit for purpose, right; that's why you won't see me in skinny jeans, right, I try to be fit for purpose, you know, build for the body type. Can you use this thing today? I would highly likely recommend maybe no, just give me a week just to sort out the bugs and stuff and the things, and there are some fundamental things I'd like to change, so like maybe going from a sqlite3 backend to maybe like a [ __ ] database which is better suited for throwing in files and heaps of unstructured data, as you can see that the chat integration with the

bots is like lots of unstructured comms, so sqlite3 is a little bit painful compared to MongoDB in that regard. And then, sorry, I've thrown this in there because the author of our original bot, the one we're using on its first iteration before I started looking after it, was this guy James, but you know, I'll let it do its own thing.

anyway I've watched that video way too many times but you know like like take on tasks that are outside of your scope you know like outside of your comfort realms like put R and D back into the blue team you know R&D is not just for the red team we don't just need like 30% of red teaming teams doing like they they're working hours devoted to research like why can't the blue team's also have research time you know that I think that's really the critical difference between saying hey we're going to just take all the audit boxes versus you know what we're going to make some attempt at defending our environment yeah and then questions I'm

going to ask you to speak loud because I'm not going to run up and say the mic

Yeah, so I think for us the trust issues were sorted out relatively quickly, because what we did is we said, okay guys, we're gonna send you IOCs and you're going to block them on the firewall, and then we sent them lots of them, and then we also say, also you have a few minutes to get these done, and if something goes pear-shaped it's your soft and tenders on the chopping block right now. Now if you know IT people, you know that nobody wants the accountability and the ownership of the problem; they all just want the benefit of the doubt that the thing is working. So I think the minute you move accountability to them and they push back on that, then I mean kind of your problem solves itself, right. Either they sit to manage this particular task, and if they are then your bot just needs to be able to send them work and let them do their work, and we started doing that with a lot of the things. We all started off with, for every component we've built into our bot, it started off with emails that go to like an address list: hey address list, block this thing; address list, here's more stuff. And then people kind of realize this is more work than I wanted to do, you know, and that's work for us. But I mean, again, fit for purpose and what works in your team.

Thanks, sorry, this is just because I'm curious. So I understand that the FinTech companies kind of now share information security information. I was just wondering, did you know what caused the Liberty hack and what they did wrong? And you know, I'm just curious, like, yeah, if you know anything. Um, I actually can't share it with you at the moment. It could be because of like non-disclosure things, and it also could be because Liberty don't earn it, it could be because they didn't share the information, and it could be a lot of things. But good question. No more questions? Okay, cool, this is proof that talking fast Matt the one guy. [Applause]

[Applause] So I'm just wondering, so it seems SA banks are sharing information on malware and all that. How's it linking in with the rest of the world, because I'm sure there are large sections of people that is it, and what benefit is there to specifically SA banks working together on this? That's been there for a long time, right, so that's been an effort on its own, and we're all kind of like in the same group of people here. The other thing is the targets facing South African banks are very much unlike targets facing international banks, and that is mostly because of our customer base, right. I mean, it's not a secret that in South Africa education levels are much lower than they are in other developed countries, and it also means that we may have a very susceptible population base in terms of the targets, the targeted attacks. So we get, as banks, I can tell you that they exceed what happens globally, that's to our customer base as well as attacks that hit our infrastructure. So far this year, Craig will correct me if I'm wrong, but we've seen two attacks hit us where like we were the first people to put this malware sample on VirusTotal, right. Okay, he said more than that. I only like to listen to them as seldom as I can, when they complain, when they complain that something in the bot's not working all the time, yeah, okay. But very often what happens is we put malware samples on the internet that other organizations globally just haven't seen yet, and very often from some of our third-party providers that give us threat intelligence it can be like three to like five days later we get an email from them saying, hey guys, look out for this thing that we've seen, here's some stuff, no clothes until II. And I think that's because we respond to every malware sample that hits our email gateway, right. But our landscape is very different from what it is globally. Also just keep in mind that in the developing countries kind of space, so let us just take BRICS nations, is that where you have companies who appear to not be at the top of their game from an InfoSec space and their banks that hold lots of money, international fraud syndicates are going to look at you first, right. You've got two choices, I mean, you can go after something that's under jurisdiction from the NSA, or there's this South Africa that doesn't have crime intelligence in terms of response and prosecution. So if you look at global targets, we're like way up there.

Okay, cool, so I'm told we have more time for questions. I'll do the Jerry Springer thing for you and come on over to the crowd. Cool, so my question is a bit simple, correct me if I'm mistaken. So I hear that you put more emphasis on emails; is there a reason why you're speaking more on emails? Yeah, we don't just put more emphasis on emails, but email tends to be the highest payload delivery mechanism. So for example, I know in other organizations I've worked, when antivirus kind of pops up and says, hey, I've blocked a piece of malware, that's kind of the end of the investigation for them; it's a handled threat as they regard it. For us, with every single AV alert, if Cylance tells us it had seen something, we're gonna go and look into the bowels of that and determine where did it come from, how did it get there in the first place, and what control failed to get us to that point. To give you an idea, CSV sandboxing in Mimecast wasn't a thing for almost three months after we'd like kinda said, guys, look at the things that are landing. No, sorry, like three weeks, not three months, on the Mimecast side. The Mimecast R&D guys, like I must say that they came to the party, but they had to figure out how do we sandbox a plain text file, right, which is a little bit more complicated than it would first seem. .iqy file types, like when those became a thing, image settings, there, doc configs, and like a whole bunch of different file types that people have used for delivering payloads, like we will look at it and decide how did this piece of malware get here in the first place. We have EDR, which is endpoint detection and response; we look at the full command line history that's appeared on that particular machine, processes created, and the whole stack, and determine how did this piece of malware get here and what do we do to make sure that control doesn't fail next time. So it's not just email, but for the purposes of the demo it's kind of easier to show it in the form of email. I think it's important to note that obviously it happens like now, email is the most common attack vector, and that's why we spend a lot of time on that. But I mean in six months' time it might be changing, maybe somewhere else, and that's obviously where we will focus most of our energy. But at the current moment most of our time is email, because that's the easiest way to get into the bank. Could we take one more question, do you think we'll have time? Okay, you'll find me in the hallway and we can ask lots of questions.

Thank you very much, Cailan. That wasn't very good, sorry about the alarm. First, construction: there was construction on the first floor, they kicked it off, let's get the building manager to turn it off. We're taking a ten-minute break, next talk starting at our posts, see you then.