
The title of this presentation, if you read it, probably left you a little confused or curious about what it means. Hopefully I'll explain it here. What I want everyone to get from this is that this is not going to be highly technical; it's going to be about a situation that I think a lot of us have been placed in, where creativity can be one of those things that backfires. Let's start.

One of my favorite quotes is "absence of evidence is not evidence of absence," and I think any of you that work in security will agree with me on the principle: just because you don't see an intruder, you don't see a flaw in the way you've configured your network, or you just don't see it, doesn't mean that something like that doesn't exist. If it didn't, none of us would have jobs in here. So it's one of those things that I love, and we try to reiterate that with a lot of our clients coming through.

Who am I? My name is Christopher. I'm the founder and CEO of a local security company here in Charleston, Phelps Interior. We've also got offices in San Francisco and Washington, DC. We handle incident response, security consulting, pretty much every gamut, but our big forte is hunt team operations, or tracking down nation-state threat actors. We don't use the buzzwords like APT and cyber, because I think everyone in here hates those words, but our forte is simply tracking that down, and there's a reason why I believe we're better than everyone else at that, and I'll explain that here a little bit.

My background: where have I worked, what have I done? I apologize, it looks like the text is in black here. I was in the United States Army, where I was a 35, which is a signals collector intelligence analyst. My job was to break microwave frequencies, break satellite communications, basically exploit anything that could send a signal. I spent a little time there, did field operations all over northern Africa, your traditional fun places that we've been in the past few years, as well as Eastern Europe and some Asian countries. Through that I was attached to the United States Army Intelligence and Security Command, which is basically the intelligence component of the Army. I know that's US Army intelligence, or military intelligence, but believe it or not there is some smart work that goes on there. I would say probably ten percent of the work we did was smart, but we did get a chance to do a lot of fun things. Through that I actually got augmented into the National Security Agency. That's the one that a lot of you probably hate, or you have your own opinions on. Being augmented by the National Security Agency, though, as an Army component member of the National Security Agency, I'm afforded the rights to do things like computer network exploitation and attack, so essentially I get to be a hacker.

So as a company we use the slogan "former hackers fighting hackers." We don't mean this in a hacker sense that we've tweaked and tooled; we literally mean it. The vast majority of our employees have awards sitting on their desks from any number of presidents to prime ministers from foreign countries saying, "Hey, thanks for doing computer network attack and exploitation on our behalf." So in the truest sense, there's not a lot of people who can legally say they're hackers, and that's what we work with.

I also spent time with the Central Intelligence Agency; that's the one I'll probably talk about least, so skip that. I've also done a lot of work with the FBI on tracking down internal and external threats. I won't mention any major projects, but we did deal with homegrown cyber threats, and particularly criminal groups that were using US resources to steal things. Another fun place I worked was with GCHQ, which is essentially the NSA equivalent for the UK. I spent a lot of time over in England working on some fun projects and definitely would like to go back; it's a fun place to live.

While I was working at the agency, though, I was getting the opportunity to retire, and with some friends we were working on some software, and in typical government fashion, you know, you can't just build software, you've got to let them weigh in on it. So our solution was to go back and start a company. A bunch of us got together and started a company called 426, building large-scale data analytics platforms. This was a Hadoop-based platform that was taking computer network operations data, so network attack traffic, network exploitation traffic, and even network defense stuff, taking in threat feeds, vulnerability scans, and logs from different resources, and looking for relationships. Where we really made a breakthrough, and what is the biggest piece of security that's often overlooked in the IT world in particular, is the human component: from an HR perspective, the behavioral patterns of you as a user. So one of the things that we looked at was, let's not focus just on finding a specific signature; let's look for patterns of behavior. Certain users had tools, techniques, and procedures, so we spent time going through and understanding that and trying to correlate those patterns. It was very rudimentary at the time. Fortunately we were acquired by CFC fairly fast. I didn't stay there that long, because I'm not a big fan of big-scale defense contractors; I feel they skimp a little bit on research, and I decided it was time to move out.

When I left there I actually went to work for another company called AlienVault. AlienVault makes OSSIM, which is a free platform available for security incident and event management. Much like 426, where we built the products where we gathered data and correlated it and produced security threats, AlienVault was doing the same thing. Essentially it was a network operations center or security operations center in a box, the premise being that most firms, whether they could afford it or not, have a need for network operations and security operations, but they simply can't afford to put in the staff that was necessary. So it's a very interesting background, and it's given me the experience of working both operationally and tactically, offensively and defensively, and I think that's helped out quite a bit with where we're at.

Some of the places I've worked at doing consulting: I've done some pretty big deals with LinkedIn, Google, Facebook, Apple, Yahoo, AT&T, Microsoft, and Sony. I think these are companies that everybody here knows, and these are companies that I can acknowledge working on things with. I've done a lot of random things for these different companies, everything from general security consulting and going through situation-room-type planning of hypothetically what could happen here or what could happen there, all the way down to, in the case of the lower right, Microsoft and Sony, working on how I could exploit the platforms they were building at the time. So prior to the Xbox coming out and the PlayStation coming out, there were some very interesting things that I got to work on. Plus I got some free hardware, and at the end of the day who doesn't like free games and consoles? So it's been a very, very interesting exposure to the big companies. The one thing that's been really cool about working with companies at this scale is, and I think everyone here will agree, in the government you can have access to some pretty cool, big, large data sets, but everything is trumped by the commercial providers. The amount of data that Yahoo, Google, Facebook, Apple, LinkedIn, and AT&T are capturing about every one of you right now is insane. Whereas if I wanted to create threat rules and correlation, maybe I could generate on a good day a couple hundred gigabytes of data, you go into these environments and you literally have access to petabytes of data that's spanning the globe, which is insane. So that was part of the other reason why I was very happy to work with these different teams.

So the title: "You spent twenty thousand dollars so that my throwaway email account can have full recon on your internal network." Long-winded, I know, but I think the twenty-thousand-dollar point is an interesting one. So what is this talk about? This talk is essentially a real-life example of a creative deployment from one of our clients that was forced out of necessity, but it was also forced out of misrepresentation by a sales representative. I mean, someone in security selling security misrepresented their product, or told her to do something wrong? Who figured that would ever happen, right? So a culmination of the two created a very unique situation for us that we were not even looking for; we just happened to come across it in the process of a normal investigation.

The big thing I want everyone to remember is that whenever you make a decision for security concerns, there's always a secondary risk, right? The absence of evidence of what you think is the risk doesn't mean that there isn't a risk. So it's always good to have second eyes or an outside perspective on a lot of things that go on. One of the big things that we face as security professionals is that a lot of times we have to think about security not only from what we want to do, but we've got to think of things like budgetary constraints; maybe we have technology deployment constraints; and sometimes we're just told, "Look, make it do something and think outside of the box." So I don't fault this particular individual for how this issue came up, but I think as a whole it's systemic across our enterprise, simply because we do have to patch things, we do have to make things work as we go through.

A lot of times you're sitting in the boardroom or you're sitting in the meetings, and the first thing you hear is, "Hey, IT guy, we need something," because we've got some sort of security audit coming up. We've got some PCI audit or some HIPAA compliance something; something business-wise is driving the need for security to start looking at things and deploying solutions within the enterprise. One of the things may be security posturing: some of our clients have been very reactive to some of the recent breaches. I think everyone here has heard everything from Sony to Anthem to OPM, and clients are getting smarter and they're starting to ask questions. So when the C-suite that knows nothing about technology starts to ask you about security, all of a sudden you have it: "I need to start implementing it." Another one that we've actually seen that's been pretty consistent is people are starting to underwrite insurance policies. As an IT firm they need to have some sort of cybersecurity liability insurance, and part of that is you have to come in and say, "Hey, we meet the criteria of A, B, and C to get the policy," so that it is underwritten. And if anything is consistent, the insurance will be changing and getting more difficult for everybody, because the amount of payouts they're having to pay for hackers these days is ridiculous. So nine times out of ten there's some sort of business need or policy driving us to walk the walk we've done.

Working through it, there's a lot of questions that are going to pop up, right? So what are the things we have to consider? Here's me sitting in the middle with my confused face as everybody's yelling at me things they've got to think about. One of them is the manpower requirements: do I have the personnel, the staff, the people I need to execute whatever this requirement is? And in lieu of this assessment, what is the time and motion? I mean, it takes time to rack equipment, deploy it, fix permissions and firewalls, fix routing so that you actually have access to what you need, maybe add SPANs and taps on the network ports, and you've got to route things for that. It takes time. I think all of us agree that nothing is plug-and-play despite what they say on the box; we're always having to tinker and tweak with it.

A big one is reporting: what is the end result? Who are the stakeholders that have some buy-in? Does the C-suite need a special type of report? Does the IT security staff need a special type of report? Who are the people that are looking for the results, for the pretty audits or the assessment or the deployment? Another thing to think about is what are we testing for? Are we looking for things like web application vulnerabilities? Are we looking to harden the existing systems that we have? Do we need to do vulnerability assessments on existing servers? Needless to say, the point I'm trying to make is that there's millions of questions you can ask, and every time you answer one there's going to be ten more subsequent questions that are going to come up from it. So as a security analyst or security auditor, or as a security implementation specialist, whatever your title may be, there's a lot of things you have to think about. Many times they're overlooked, or you try to find solutions that are going to fix those or make them a little bit faster for us, and that's where we're at.

So all things considered, firms tend to purchase ready-made solutions. Every one of us can write Python scripts; we can come up with a creative way of doing something better. But just like the old adage, everybody can always develop software better until you do it, it doesn't mean anything. And given the time constraints most of us are facing, working 60, 80, 120 hours a week, it's not like we're going to be able to build our own solutions to solve this. So what we do is we go out and we say, "I'm going to buy this magic box, I'm going to buy this network appliance that does everything, or I'm going to buy this deployment endpoint monitor that's going to solve this problem." So we look for buying solutions, and of course sales loves it, because you're selling stuff and people are going to buy it. A lot of times these are things that you start adding. The one thing that we've seen that's been pretty consistent too is there's now line items for security on the budgets of a lot of firms, and I don't just mean 10 million, hundred million, 200 billion dollar firms. I'm talking companies that are worth half a million dollars or a quarter million dollars are thinking about, "All right, well, what kind of security appliance can we buy for two grand or five grand to secure us?" Because I think at the end of the day consumers are smarter now and realize that everybody is a threat. A good example of that would be Target getting breached, not through Target but through a third-party provider. I guarantee that heating and air conditioning specialist company had no clue about security and had no thought to buy into things. Now companies like that, that generally don't have that exposure, are having to think about these questions.

So automated vulnerability scans are where we're at. This is one of the things that a lot of people love, because who doesn't love automation? If I can throw in a couple of IPs, or I can click a button in a GUI that says "hey, scan it all up for me," it saves me time; I don't have to write Python scripts. There's a lot of different ways these technologies are made available to us. You've got hosted and deployed internally, so you can have a hardware appliance you buy that automates scans and assessments inside of your network. You've got virtualization solutions, so if you've deployed VMware vSphere or any one of the open source variants of that, you can deploy it. Even, you know, people have got some custom Docker containers that you can throw some of these assessment tools onto. You have two families, though, of products that are available: the free side, and then you've got the pay-to-play. The benefit of the free side is obviously that it's free; the cost there is your time and motion and experience. So once again, one of the problems we're trying to solve is improving security with the least amount of time and effort put into it. While open source is great, and most of us are champions of it in smaller networks, it's just not feasible for big deployments. That's where the paid vendors come in.

On the paid side you've got some pretty cool products. In the case of automated assessments and vulnerability scanning, I'm sure many of you will have tons of products that you've used and prefer, but some of the big-tier people that are out there providing stuff are Tenable, who provide solutions obviously for the Nessus line; they've got everything from cloud-hosted to internal. You've got Qualys, who's an event sponsor here, who provide solutions web-hosted and also internal solutions. Then you've got some custom third-party roll-your-own distributions that people have written. I mean, there's a bunch of people who are selling essentially Kali scripts: they send you an ISO image of Kali that's customized with vulnerability scans that run on boot. Is that really a paid solution? I don't know; there's not a lot of support, but people are paying for those things. Some of the other big ones too are people like GFI LanGuard, a product a lot of people are deploying to manage automation. The benefit of some of these things, like GFI and Retina, is they actually cross over into other needs. So not only do we find vulnerabilities and do these assessments and see if we're compliant, making sure the systems are hardened, but some of these actually have the ability to go down and force updates and deployments. Because once again, one thing that's not consistent across the board in most networks is the fact that while we do Windows updates individually on a computer, a lot of times a policy is not there to enforce it on users. A big example of that is the growing use of Apple laptops and Linux-based distributions in the network; people are going to have to understand the update processes to begin with, or the repackaging and distribution. So anytime there's free tools or even paid tools that can help an IT admin that doesn't have the experience work through that, it's a good thing to have at all. So these are great solutions; each has pros and cons.

To give you a little perspective on the story, what we're going over here is we've got a client that we worked with that was actually suffering from a breach. Doing some open source threat intelligence, we had tracked down particular evidence that a nation-state threat actor had breached and compromised the network, and over time we eventually built up enough evidence to find out the origination point, including administrator passwords and things that had been leaked out to this third-party source. So we reached out, and of course immediately it was, "We're not hacked." About 20 minutes later, after a nice PGP-encrypted email with a dump of passwords, they called us back: "Okay, can you get out here tomorrow?" So what we did was fly out within 12 hours. Security auditing is fun; incident response is even more fun, because chances are the vast majority of people don't realize they've been breached, and they've been breached for a sustained amount of time. But one of the things that happens, because of an experience like that, is we get into a fight-or-flight mode, and because we want to fight, we immediately start changing infrastructure and changing things and reconfiguring, and that's going to come into play as we talk more in this presentation.

This particular threat actor group that we were tracking down is an Asian-based threat actor group, very low-tech in how they pop networks to start with. They tend to look for vulnerabilities, PHP web vulnerabilities and things like that, to pop in, and once they've got their stage one implant they start spreading in the network. Of course, as anyone in here that does pentesting knows, the first thing I would target is, if I can find a domain controller, I'm going to whack that, because the domain controller is going to be the key to the castle. So they've got pretty consistent tools, techniques, and procedures that they follow; it's pretty easy to read. So we were very fortunate: now we knew how they were propagating inside of the network. The one thing that you do run into is many times once they get to that stage 2 or stage 3, they start leveraging existing credentials, and it makes it a little bit tougher. But knowing some of the patterns and behaviors of the users, and then combining that with the patterns and behaviors of the threat actor, makes it a little bit easier to decipher.

So here we are. We like free intelligence. As we're sitting there, we were talking to the customer and pulling down data, and if any of you have ever done a forensic investigation, when you use write blockers, small little devices to capture and duplicate hard drives and data off of the system, they take ungodly amounts of time, anywhere from eight hours to 20 hours, sometimes 48 hours, to run. So while we're on site, rather than just sit there and twiddle our thumbs, we're constantly looking for ways to engage the client. One of the things we spend a lot of time on with incident response is not only understanding the breach and understanding the network, but actually understanding their business and the use cases. The reason that's important is we get to understand what is going on and what's expected behavior and what's not. While it may seem ridiculous to share a password, and we all think that's foolish, finding out there was a business need, there was a reason they did that, whether right or wrong, is very valuable, because it can save us time on our investigation.

So one thing I love to do is I love to look at Qualys free scans, amongst a bunch of other ones. In this particular instance we had asked the client for a bunch of their internal vulnerability scans, their previous pen tests, and lo and behold, they didn't have them. In this day and age you'd think people would have them, but they don't. "Do you have any documentation?" They had some summary reports that they had run from a previous scan, and they briefly mentioned that they'd used Qualys, but they didn't really have the credentials for it; somebody wasn't in the office. Needless to say, there wasn't a whole lot of intelligence. So as we're working on the internal network, we were curious as to whether potentially there were any vulnerabilities or breaches on the outside network. Working smarter, not harder, I said, "Okay, why don't we just go ahead and leverage one of these free scanning utilities on the outside?"

So one of the things we did: if you actually register an account, just a throwaway account, with Qualys, you can't use Google, you can't use Yahoo, but a domain you can get for two bucks sometimes on sale. So if you don't have a whole bunch of old throwaway domains, get in the habit of it, because it's great for one-time uses and projects that you need. I went ahead and used an email address that we had set up for this engagement and created a Qualys FreeScan account. Simple: you get 10 free scans, you throw in an IP, and you're good to go. When we popped in, Qualys offered us a free opportunity to do the vulnerability scan, the OWASP web application scan, patch scans obviously, and SCAP compliance, part of the NIST framework of instruction. When we were looking at it, for us really all we were concerned about ultimately was the vulnerabilities, to see if there were any gaping holes that we should look at first and foremost, because time is of the essence. So we gathered the information from the client; we got the front-facing IP of their router from their provider. It was a static IP, it was great, it hadn't changed. So there we go.

We dropped their IP in and immediately got a response, right? Yay, no high risks. But all of a sudden there's 24 vulnerabilities. That's not too uncommon; I think most people here know a lot of times the low-risk and even the medium-risk vulnerabilities can be very hypothetical and don't necessarily mean they're actionable. There's no way to have zero, really, at the end of the day, and have a truly functional network; there's always going to be concerns. But this was a red flag for us, because the way it was explained to us with the existing network, they had a Juniper firewall that sat between everything, between the gateway and the end users, and in that firewall there was only open access for two OpenVPN servers and two proxy servers. So curiosity would say, if you've got OpenVPN servers and proxy servers, maybe one of them is popped, so let's see if there's a vulnerability that we could find on there. Nope, it wasn't anything to do with OpenVPN or the proxy service. What we found, as you can see here, is we found WordPress vulnerabilities, we found PHP configuration vulnerabilities, we had some serious SSL issues internally as well. And so the concern started shifting my perspective to, "Hey, wait a second, you guys told me you don't have any of this equipment in here. This is running on the gateway. Can you double-check and make sure that stuff's not here? Meanwhile I'm going to run another scan, just in case, heaven forbid, somebody gave me the wrong report in the platform."

So we started talking to the administrators, and we got a sense that even though their administrators were running a virtualized environment, and if any of you have worked with ESXi or vSphere or any of those tools, there was a large number of systems that were unaccounted for. So the fact that we brought up that we found WordPress and all these documents was immediately discredited. We ran the scan again and got the same results, and in pushing back we actually found out that there were existing development machines: some of the developers had just spun up their own instances. They gave rights to every user in here, so a user essentially could spin up their own machines in the network; they could do whatever they wanted. That's the security concern, obviously. If you're a 200 million dollar company or larger, and every user can pretty much build whatever they want on the network, that's concerning. In the investigation we found some really cool things, like reverse proxies where people were calling back to their own homes because they wanted to bypass security controls. So what if they have their own proxies: "I'll just backdoor myself in, that's how I get in." And the argument was, "Well, we didn't know; this guy is a senior VP or something, he has the rights to do that, he's smart." Great. If I could tell you how many smart people I've convinced to click a free ad email and phished them... book smart and street smart are two different things.

And then we found a bunch of boxes sitting around, and interestingly enough, we found probably thirty to forty percent of the stuff that was running in their network, one, they didn't realize was there, and two, had no reason to be running. These were things that somebody had spun up because they wanted to test something, like they were staging a design for a plug-in for the website, or they were staging something internally, or working on something. One of them actually was an unrelated project, not even a company thing, just some random website the guy was developing; he just happened to have a box running inside the network. This is a huge concern. If the outside of the network is secure, no, but if I can access these machines from the outside and they're vulnerable, because people are not actively maintaining and monitoring them, it does open a big gaping hole for us here.

So working with the client, we validated the firewall was in place and functioning. We looked at everything: "Okay, it's there? You're sure it's running like it should? It's good to go?" So we said, "All right, let's run the other scan, let's see what's popping up." It got the same results. So I even went further and said, okay, well, let me try to scan the machine from a hosted VPS. I went on DigitalOcean, paid five bucks, threw up an Ubuntu machine, SSH'd to it, and just said, okay, let me just start trying to scan it remotely. I didn't get the same results. So now we're stuck in a dilemma: is the Qualys FreeScan giving me a bad result, or is it my tool that I'm running in the solution giving me the bad result? Given that they're saying the environment is secure and we've got these firewalls in place, I'm leaning to say, well, the chances of the Linux scan results being wrong are probably a lot slimmer. It could just be a simple misconfiguration; maybe some tables got crossed in their database and I'm getting someone else's report. I don't know if anyone here has worked with Juniper equipment before, but it's a headache, and you probably touch it once every six years, and then you go back and look at it and you've forgotten everything and you have to process through it again. So that's what we did.

We went back and said, oh, so the snozzberries don't actually taste like snozzberries, a Willy Wonka reference, fair enough if you don't get it. We took the firewall configs and started walking backwards and rebuilding it, trying to figure out what was going on. Something's in here, something just doesn't make sense. It was one of those moments where you sit there and you facepalm and you're like, there's no way this is the case. You look at it, you see a rule for here, a rule for there, they have the right rules in place for the proxies, they have the right rules in place for the OpenVPNs. They had one particular rule that didn't really make sense. We're like, "Okay, so why are you whitelisting this one IP range to have access into the network?" So that threw us off, and that's when it started clicking: wait a second, you've whitelisted a whole range of IPs. Okay. I'll give you one other piece of information: this particular piece of equipment they bought on Craigslist. They had actually not wiped it; they simply modified some of the configurations on it, so there were remnants from the previous user. So we thought maybe, just maybe, it just happened to be something left over from the previous user. But I think anybody in here that does security work knows, one, if you buy something on Craigslist, be very, very cautious, and two, what's the first thing you do with a new computer or device? You wipe it and reinstall the firmware. They had done neither. They'd actually gone one further, in that they had a security system they'd inherited in the building that pre-existed prior to them joining, and rather than keeping it segmented off the network, they said, "Let's just add it to Active Directory. It's a Windows 2003 box, it'll never cause any trouble." All right. That's a paradise for anybody here who's a pen tester; it's a great key to the castle. You've added me to Active Directory and now I've got a box? This is a perfect, perfect scenario.

So you see a repeating pattern here. We started saying, okay, well, maybe the crazy stuff isn't so crazy; let's just really go through this and retrace it. The analyst and myself sat down and we went through these logs. I'd be back in the server room doing some data capture, and one of the guys came in and he goes, "All right, I'm going to show you this, and don't laugh at me, because it's been a long time since I've lived with Juniper. Is this an allow-all rule for this range?" He said, yes it is. We went back and said, okay, this in fact is an allow-all rule. So this whitelisted range that they had put in here basically was "allow any incoming and outgoing traffic into the router without any authentication." The only authentication required was simply that the IP was the originating source.

So everyone gets a trophy here if you can guess where this is going. It turns out that the configuration was set up for whitelisting Qualys's scan service. Why would you whitelist the servers of a scan tool in your internal network? It really didn't make sense to me, and I started thinking, well, no, actually it makes absolute sense. At some point somebody had a budget constraint. They were willing to pay for Qualys services, but maybe they didn't want to pay for the internal hosted one, because they didn't have the finances, or maybe a creative sales guy on the other side said, "Hey, I've got this product here. I know you really need internal scanning, but check this out: if you open up and whitelist these IPs that I give you, you'll be able to do an internal scan with our external tool." And I think in this particular instance that's what happened. So here I am. You can't really see it, it's a little blurry here, but mr.robot at fsociety dot... that's my email address. I'm able to go ahead and sign up and do my scan.

So the issue we run into here is that with Qualys, a free scan and a paid scan leverage the same infrastructure. That, by its nature, is not wrong; it's a fantastic product. They have to have a barrage of servers that they're using to constantly do these vulnerability scans and do 24/7 checks. There is nothing wrong with that design, with that architecture. Anybody can sign up for a free scan; there's nothing wrong with that, because at the end of the day a Qualys scan is no different than anything you can do from your own computer. If you are touching the wide area network, the Internet, you've got to expect you're getting scanned. I mean, how many people here probably get popped every 20 seconds by someone looking for random exploits? My favorite are the guys in China that are throwing Windows exploits at a Linux box non-stop, not wondering why they don't get anywhere. You see that stuff all day, so that's not uncommon; scanning is there. So once again, no fault on Qualys for doing that. The other part: anybody can scan any IP. Once again, why not? An IP is public information; you can scan an IP. What does Qualys have to do to stop you from scanning? Sure, they may stop it or blacklist your IP, but no one else can; you're just going to get the full scan.

So essentially what happens in this particular instance is, because they had whitelisted the Qualys scanner network, when I went through and created our fake throwaway account and scanned their IP as a free user, I had full recon of their whole network. I had the full vulnerability and network maps; I had all the topology that I could generate from this simple scan, because at some point a security analyst said, "Hey, I've got to save some money, I'm going to open up this whitelist." And because of that, as an attacker I now have this whole plethora of information about your network for the low, low price of free. It's a pretty big concern. So the moral of the story is
that we all have to face security assessments we have to do with security audits and we have to work through a lot of these things often times with no time no funding and no budget but I implore you to get a second opinion and think about this because while this is a very low tech talk in principle I think everyone here once again is a security audit or an analyst is going to agree that the fact that here is a product that's actually being used the right way can be leveraged maliciously is the simple mindset of a hacker to begin with so whitelisting hosted solution on the outside to use it internally it is not
not the best solution so with that is any questions you may have about security incident response consulting or some of our experiences this is a very short talk like to keep it short and sweet because I know how they go in and overwhelm us you might have questions hey so that's why it you brought in originally they have been breached a music that's correct was the thought that attacker that can discover the quality posted through they were using no not that had nothing really to do with anything be at the other day it was simply just a resource so you know incident responses is interesting because everyone's gonna have their own playbook everybody has like an is standard to have a guideline
you can read a report from Mandy and you can report from us you can read a report from just about any firm out there and they're probably all gonna look different about the approach it it's all tools techniques and procedures we all have unique tradecraft we have unique tools that we like to run through in this particular instance we knew that there was an internal compromise we had access to visibility to level two exfiltration level three kind of exfiltration Mac bones that were being leveraged by this thread actor we had visibility into it and so because we could see all this different traffic we didn't always see the origination point because of staging so what I mean by
that is there was always a middleman that we may not have seen so the first IP that exfiltrated data came from which would potentially have logs of the source we didn't have visibility into that so all we actually had were usernames credentials and domain names and things like that but of course through the power of open source intelligence we were able to eventually figure out who the client was notify them but given that we had no idea of how they potentially got breached the most logical was a site of fishing or vulnerabilities of popping it because the threat actor that we did find in there that we are monitoring they have a very specific set of skills a very
specific set of tools I would argue could actually tell which level of operator or exploit exploit for the team is doing the engagement simply based upon the way they move you can tell when they're running scripts versus when they're kind of going on the fly trying to do sequel injection on their own and find vulnerabilities so in this particular instance this was the very early stage evidence that we had of kind of like a spray and pray environment so for us getting on site and having a very limited access to one there was essentially no logging in the environment we had structural changes to the IT staff that didn't really understand the network we had legacy
hardware that have been inherited they had no clue really about and then had devices they had been behind her craigslist they had no clue about given that we had to grasp but whatever intelligence we could find I think in Indian a response world a lot of it is thrown a bunch of hypothesis is on the wall and been working back and kind of through deductive analysis saying okay we found something that would destroy this narrative and destroy this narrative to help kind of hone in otherwise in an environment like this you can go in for instant response and as a lot of a lot of our competitors would do they would go in and say okay
well you've got a corporate network we don't know the level of breach we're going to immediately charged it you know 5,000 hours and it's going to take 48 hours per system well it does take 48 hours per system I mean 5,000 hours work upfront that's not needed as 5,000 hours of work this time eating well importantly who's going to have the time to do all that work most of us are on backlogs I the average instant response to be two to three weeks for some of the firm's before they can get out there simply because of the amount of breaches that are going on so we kind of do a different methodical approach to where
we go and we say we know it was attacked and we kind of build backwards to kind of map out the network particularly once again from our inherent knowledge of having works these threat actor groups this particular group I've been following iterations of it for 12 years all right I could and I won't but I could name particular key individuals who've invested in the people that are doing the attacks particular people who are very complacent with allowing the attacks to happen including the fact that you know the group is run by a cousin of a local kind of dignitary and so that's why they're trying to get me free reign and ignis things so it's
using that information in that kind of historic experiences to try to figure out what can we decipher and in this instance we said look we don't know anything about the external gateway and you can't provide it so simply using a free tool that was there it did something for me that I didn't have the time to do I gave me a little bit more information access so when I say we're tracking nation-state threat actors we're not just tracking anybody in everybody we're tracking the highest of the high so when I work for the national security agency I worked in a division called tailored access operations I'm not going to go into the elaborate of too much
information but basically that was the computer network exploitation attack division within their I focus specifically on counter computer network exploitation so without getting too technical my job was to understand and hack the hackers right it's not always easy to find the victims but if you can attack the attacker and figure out what they're doing you can kind of get an end result so going through that a lot of times we had to qualify and quantify what a threat level is from an attacker right you get your script kiddies I think we've all seen that you've got some simple things that Norton is going to catch or whatever security gateway and you get your persistent attackers
that are going to get in they're going to drop one tool it's going to be memory resident it's not going to stay in the box which is what these guys actually do want to guess wants to get internal access and then they're gonna use your creds they're gonna use your network against you they're doing recon they're pulling down your historic orts that you shared in the documents and drives and they're building a network map so if you talk about nation-state people like that that have the time the expertise and the experiences to look at that right now I'm tracking between 240 and 243 different discernible groups and these are people are well funded and have the
resources many of them are actually next-door neighbors and competing what's interesting is you can find in some of the military kind of organizations that are fighting you've got one unit here that wants to get involved one unit here that wants to get involved the one unit here that wants to get involved and then fight each other you can sometimes see him getting on the boxes and knocking each other's tools out you know and totally destroy restoring the access but that actually doesn't sound all that crazy because if you think about it here even within the us as we stood up Cyber Command you've had components from the army the Air Force the Navy and even the
Marine Corps that the Coast Guard believe it or not even wanting to do these kind of operations they're all competing so it's actually not that crazy so when you look at it I a 243 sounds like a lot when you realize how many countries are out there and how cheap it is for anybody to buy an exploit toolkit I mean just call Boop in and say hey I want to buy a couple zero days and here's hack team they're gonna give you some something structure to call back an excellent boom you gotta see no shop in a box right for a couple hundred thousand dollars but we don't we don't focus on a lot of those
tools why we have the intelligence on that we partner with other people who do we like to consider ourselves to surgeons we're going after the big the big fish and understanding them we spend a lot of time operationally staging ourselves around the globe in between where they're sitting at and partnering with into an intellectual property providers such as ISPs and even companies to say hey you've been breached let's kind of sinkhole this rather than throwing a honey pot you've gotta live network that's been breached let's mitigate it as best we can internally but the intelligence that we're going to you know pull from this is going to be far greater than the risk you have here so we work with them to
kind of coordinate how to get from there because at the end of the day everyone the operations that we work on benefits prior clients we have in current clients we have because the change of techniques and procedures between each operation gives us a new mo to look at and so we can go back historically and say hey this new briefs they use the new tool maybe we can find variants of it that we hadn't realized were there before so answer another one that's a very tough one right so if your insecurity in you call up and say hey you've been hacked the first thing is that we're just trying to sell me security services so
we've got a lot of relationships and partners in industry that we've worked with I can count them on the hand the ones that I trust and I know that sounds bad but in the environment that I've worked in in two places i've been at you know both in the military as well as you know in the NSA it's a very close-knit group of people much like your offices are now I mean you've got security teams of two or three people you guys are in the trenches with each other every day you've got that trust relationship the one thing that we see that's consistent though is that is the vascular dreaded products simply don't work or people
can't figure out how to use them so we don't like to partner with those kind of companies and kind of share information obviously because there's not a lot we're going to get out of it and more importantly we tend to tend to pick up a lot of the heavy weight lifting they want all of our indicators of compromised deploying their product but they don't want to supply us with with the same nine times out of ten they don't have anything to supplies so it's hard to get them to implement it or they want exclusive rights to it which you know if we're going to use it all of our clients have access to all that
information and we're going to propagate it as we can with least amount of risk i would say that some of our partnerships that we have have been very fruitful you know some of the commentary that comes up a lot of times is everyone figures the NSA and what they can and can't collect and i can tell you to do operations i mean amount of legalese that i had to go through just to get permission to click enter on a keyboard for one very simple thing was a lot it was tough it's not it's not spray and pray in the civilian world here in the commercial world you would be surprised what people will sell you access to so
our partners have worked with building Network taps and gateway taps is simply the right price you can get information we find a lot of third world countries corrupt people that are running the malicious software you can turn them just as easily as anyone else I mean a lot of your fishing sites in 10 originated in Africa and in Eastern European regions for reason because there is no rules and controls and so we partner with people who are staged in those countries and kind of have relationships to be able to get that information I don't argue with where it comes from sometimes I just let it be that's just the nature of things but we immediately turn back in access
connection so but we keep everything on the up and up we don't hack anybody I promise now unless you pay us for a pen test or a hunt team operations so any other questions security answers yes I he's the whitest thing to start doing internal chance I'm sorry what about how many beers would it take api please and flawless one you know is so i don't like to sell information i feel like that's a risk I would much rather really make it available to you if you would like talk offline I have made disclosure i have since the proper information out to the people because once again this is initially a falta qualis this is a fault
of the implementation right but it's very very curious to say the least so i wouldn't charge you a beer for that I bet you instead I would just you know say do something cool with it or whatever or maybe no don't tell me so that's kind of questions any other questions about a super sponsors doesn't IP doesn't Paul is published they might actually have a published list you you know like you have an actual engagement you know I believe it's Republican right i think so i think there are the majority of it probably is I didn't actually take the time to go through a lot of it to figure out why this team because at the other day I didn't have
any issue with Wallace whether it was publicly available or not there was no fault on there in it doesn't impact operations whatsoever it would make sense they would have that because potentially somebody else scans your network because they use the free scan you're going to want to know who that Ella came from cause and you can always go back to figure it out but but as a whole that's just an interesting situation to be and I you know I here we are looking for the most complex of complex and it's just a simple thing in front of us like that and of course we found dozens of those things that as we all know that like Lego bricks stacked
together they build a bigger picture when you when you put everything cool I'll hope you enjoyed it and if you have any further questions you can feel free to retest we have a little booth outside we can talk spend a lot of time doing a lot of cool security stuff and I'm sure a lot of you have to one thing I will bring up is as a local charleston-based company we actually started a nonprofit called node SC you'll see on the signs here says no des see that's how we helped get the room any cooperations with visa is one of things that we're doing is we're actually get ready to Oprah I hate the term cyber but it seems to be the term
that that's necessary to get grant funding a cyber security center of operations we're going to have to one gigabyte lines connected to about six million dollars in infrastructure for you to hack and whack and do whatever you want in addition we've got partner groups that we're working with that you're going to be able to go out and you want to play with some skate Oh equipment how many of you have access to you know half a million dollars is skating equipment we've got partner since we're working on to get access to that so if these are the kinds of things you like and you'd like to share the knowledge the way that we improve things
and we mitigate a lot of these threats is by sharing that and I think I think we've got to get over this I'm the coolest guy in the office I'm not going to share my experiences my exposure and instead we have to start talking about it because I think what we're going to find us as we talk more and more is that we're all victims the same kind of tools techniques and patterns and if we collectively you know kind of solidify our techniques of detection will make a little bit harder for the attackers and make them move on to the next guy that's that's one last little plug there then thanks everybody we're also hiring
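The check the speaker's team did by hand, reading the Juniper policy for an allow-all rule whose only control is that traffic comes from a hosted scanner's public range, can be done mechanically over a rule list. This is an added example in Python, not code from the talk, from Qualys or from any vendor; the rule format, the scanner prefix (198.51.100.0/24, an RFC 5737 documentation range standing in for the real addresses) and the internal subnets are all constructed for the demo.

```python
"""Flag 'trusted external range, allow everything' firewall rules.

Added example (not the talk's or any vendor's code). The rule format, the
stand-in scanner prefix 198.51.100.0/24 and the internal subnets are all
constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# RFC 1918 space; in a real audit, list the organisation's actual subnets.
INTERNAL = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR of the permitted source
    dst: str      # CIDR of the destination
    service: str  # "any" or a single service such as "tcp/443"
    action: str   # "permit" or "deny"


def is_internal(cidr: str) -> bool:
    """True if the whole prefix lies inside one of the internal subnets."""
    net = ip_network(cidr)
    return any(net.subnet_of(internal) for internal in INTERNAL)


def audit(rules):
    """Return (rule name, reason) for every permit rule that lets an external
    source reach internal hosts on any service. Such a rule is passed by
    anyone who can originate traffic from that range, which for a hosted
    scanner means any customer of the service, paid or free."""
    findings = []
    for r in rules:
        if r.action != "permit" or is_internal(r.src):
            continue  # denies and internal-to-internal rules are not this bug
        dst = ip_network(r.dst)
        reaches_inside = dst == ANY or is_internal(r.dst)
        if reaches_inside and r.service == "any":
            findings.append((r.name,
                             f"{r.src} -> {r.dst} on any service; source IP is the only control"))
    return findings


# Constructed policy: the talk's whitelist beside rules that pass the check.
POLICY = [
    Rule("scanner-whitelist", "198.51.100.0/24", "0.0.0.0/0", "any", "permit"),
    Rule("partner-https", "203.0.113.10/32", "10.10.0.5/32", "tcp/443", "permit"),
    Rule("internal-scanner", "10.10.0.50/32", "10.0.0.0/8", "any", "permit"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(POLICY):
        print(f"FINDING {name}: {reason}")
```

The two rules that pass show the shapes a practitioner would accept instead: a narrow service from one outside host, or a scanner hosted inside the network that never needs an external hole at all.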