
All right, good afternoon... morning... what time is it? It's two o'clock in beautiful Detroit, sunny land of automobiles. How are you guys doing? Wow, you guys all sound stupid enthusiastic. Let's try it again: good morning... sorry, good afternoon. How you guys doing? Wow, this side of the room made no noise, you guys just sounded disturbing. Awesome.

So the title of this talk is "The House of Cards." It's got three very important questions I'm going to ask up front. Question number one: is your enterprise resilient? Question number two: how do you know? And question number three: how can you be sure? I'm going to start off by throwing a quick dose of cold water at you, because I really want to start thinking about enterprise resiliency and the ability to be sustainable through disasters and bad things.

So, is your enterprise resilient? How many people here understand what that actually means? Who wants to own up to guessing what that means? Great, zero. Dave's raising his hand in his mind. So I think most of you guys... if you have this, raise your hand. Policies? Security policies, beautiful. Security procedures? Good, procedures, well done. The rest of you don't, really? Wow, okay. Controls? Good, controls. Reasonable controls? Some controls. Lots of technology? Who's got the shiny blinky box syndrome? Everybody, yes, even my buddy back there. All right, so a lot of these organizations I talk to have a lot of this going on, all joking aside, and you feel very, very resilient. Resilient means the ability to withstand, stand back up, and recover quickly. Okay. Hi, welcome, we've started, have a seat.

So, a quick show of hands as we go through here. I want you guys to think about the company you work for, where you work right now (and if you're unemployed, I apologize), and as we go through, try to figure out what you're prepared for. So, ready? Are you preparing for synthetic risks? Who knows what a synthetic risk is? Dave, details of what a synthetic risk is? Are you eating? Sorry, sorry. So, synthetic risk: how many of you guys have heard of the
DHS exercise recently that basically had them have a massive cyber attack on paper? Remember that? The Washington one, okay. That's a synthetic risk that never happened, it was all on paper, right? That's a synthetic risk we can prepare for. How many of you guys prepare for compliance audits? Everybody's not raising your hand, you're only lying to yourself, folks. How about staged attacks? What's a staged attack? Who knows what a pen test is? Is there a difference between a pen test and a red team? Okay, come on, you guys awake or what? All right, preparing for a staged attack. A staged attack is a penetration test, and I don't mean to hate on pen testers or pen tests, but a pen test essentially, to most organizations, means: we're going to give you a time box between Sunday night at 9pm and, say, Monday morning at 4am, when we tell you we're ready, here's three IPs, we want you to go attack. Sound familiar? We're all prepared for that. How about hackers? Are we ready for hackers, the bad guys? No, those are the Amish, you confuse yourself, sir. How about who's ready for any kind of real risks? Who's ready for some kind of real risks here? How about things like natural disasters? A couple of us, okay, very good. How about real hackers? What's a real hacker? "They have purple hair," says the man over there. Real incidents: anybody have a real incident they're willing to own up to? I don't need to know details, just who survived a real incident when bad things happened, when poop hit the fan? If you're not allowed to talk about it, you just say... who has survived something they're not allowed to talk about? A much bigger show of hands. All right, how many of you guys have survived a failure in security?

Here's the question... it's not really a question but more or less a problem that I've seen happen. So a lot of us are out there talking about how the security team, if... and here's the statement we pose, right: "Dear Mr. Senior Leadership, if you give me ten million dollars, I will make us secure." Right? That's what they hear from us. Okay, sound familiar? What happens when that is a false statement? What happens? So there's two scenarios out of that: either we don't get any money and nothing bad happens, and then we're Chicken Little; or something worse happens, and then we get the money, we put all our shiny boxes in place, we do all these magical synthetic attacks, preparations, policies, procedures, and bad things happen, and then they go, "But I thought you said if I gave you X amount of money this wouldn't happen," right? Somebody has a resume-generating
event. That's a great way to put it. So what happens when everything fails? Has anybody ever had a situation where everything has failed? I worked at a job a while back, the previous life we'll call it... somebody here in this room was at that workplace. I don't think they were there at the same time, but it's in the same organization, at least now, so you know what I'm talking about. We had a phenomenal set of policies and procedures, everything was digitized, we had just moved our incident response ticket tracking, everything was digitized on a web-based platform, and then SQL Slammer hit and the internet became unavailable. So Incident Response step one: go to the central web page for incident response and distribute a notification. What if that doesn't work? Then you've got 12 people in an office staring at each other going, "Now what?" Well, we didn't plan for this. Hey, guess what, things that you didn't plan for will happen. So this is one where everything fails, all right? So people and processes fail too, and they probably fail more often than technology, but that also fails.

But it's easy to feel safe, right? You walk into your CISO's office, or if you're the CISO you sit in your office, your feet up on your desk, you have a really thick binder of incident response stuff, you've had 12 pen tests done in the last year, you've got all those beautiful reports taking up space on your NAS, you've got people staring at dashboards, single panes of glass. Am I getting this right so far? Lots of folks that are doing lots of really cool, interesting things, lots of blinking lights, all green, and then you get hacked. I don't mean, like, somebody defaces a web page. I mean your corporate database, where all your public records are, becomes part of WikiLeaks, and then what we have is, as we just heard, a resume-generating event, right? So it's easy to not just feel safe, but I would say how about we feel complacent? Anybody feel like we feel complacent? I've been there. One guy's honest, the rest of you are lying to yourselves.
Interesting, that's a good way to put it. So a lot of us that are feeling safe, otherwise known as complacent, have this great feeling, but I'm kind of curious what it's based on. Where's your evidence, right? And oftentimes that evidence is sitting up on shelves, but honestly, and this is a statement I'll make: if our defenses are untested, we are absolutely unprepared. So what I'm here to tell you to do is validate your defenses, and validating your defenses doesn't mean on paper, synthetically pretending like you've been hacked, sitting around a war room and talking about what would happen. I'm talking about, on Christmas Eve (sorry Dave, unless... this is a great idea), on Christmas Eve pay a third party, somebody nobody else knows about except for you, to break into your organization and cause havoc, and see what happens. I'll show you a way that that's not going to be a resume-generating event for you.

So you're going to want to validate not only your defenses, right, because everybody knows we want to validate our defenses, but we also want to validate our responses, right? There's a three-step process: detect, deter, respond. Can we detect it? Deter it long enough to make a response? And can we detect, deter and respond in any meaningful time frame? Meaningful, depending on where you work, could mean seconds, milliseconds, or days in certain companies, right? You also want to validate your technology, because many of you guys have already admitted to me we have blinky box syndrome: we have a box for this, a box for that, a box for DLP, a box for APT, ALM, HTTP, FTP, VCR and TCP/IP, and the DVR so you can play it all back once you've been fired. But how much of this technology actually works? So, just an odd question: how many of you guys have endpoint protection on all of your workstations? How many of you guys know that it works, or whether it works or not? I'm kind of disturbed by the fact that half of you guys have just whispered "it doesn't." So you've sort of done this for me, but you still buy it, okay.

So go attack yourself, right? This is an important thing to go do. I don't mean go pen test yourself, I mean actually go attack yourself. So go find somebody that can do this. Oftentimes it's not really a great idea to do it internally, because you know you're coming. Yeah, you know you're coming, fair warning, unless you work in a really large corporation, in which case your red team is probably not part of your
security team. Oh, or if you have multiple personalities. I love you, man. So I'm going to caveat this: the "without restrictions" part is important. No restrictions, right? So this isn't "pen test us between three and four on these two IPs when we're ready." Screw that. Here's the goal, here's a letter signed by my chief legal counsel or chief risk officer that says: break into me, causing the least amount of havoc you can (obviously, for smart reasons), but we will not sue you if you break something in the process of "go get this piece of data out of my CEO's mailbox." Go.

But I do want to caution you against these resume-generating events. I like this, but this could be potentially disastrous for your health and your organization, because randomly breaking stuff causes things to fail in ways most of us are not ready for, and the problem with causing a catastrophic failure the first time around is you don't get a second, right? We only get one shot at this if we really, really, really screw the pooch. So this is where red teams are brilliant. Now, one more time, difference between a red team and a pen test, anybody? A pen test is limited, red teams are not: use whatever tools are at your disposal, whatever means necessary to achieve your goal. Do you agree? Awesome, thank you. And we're going to try to take baby steps into this. Baby steps are important because you don't want to cause that catastrophic failure the first time around. Like I said, you only get one chance at this if you screw it up; if you do it right and you screw it up a little bit, you might get another chance to screw up bigger and bigger and bigger, and screwing it up doesn't necessarily mean a bad thing, all right? Breaking stuff is not bad. So be okay with that. Gets a little scary right now? I am, I kind of can be, right?

So this is going to be a multi-step journey, we'll take a slow walk through this. It's very uncomfortable to have a conversation with a group of folks in security and tell them that you're going to advocate they go break the organization, because what's the first reaction from everybody that's not in security? Two words, right: "You're fired." We're here to make the company secure, aren't we, not to break stuff? So if we break stuff, that's bad, or it could be. So now what? I don't know where that puts us. It's kind of a weird spot where I know I've got this false sense of security, I know the organization has this crazy notion that we're magically secured because they bought all the pixie dust they could, right? I can't possibly cram another box into my wiring closet, I've got 37 single panes
of glass and two people looking at them. Now what? Buy more racks? Beautiful. Anyway, it's easy to go out there and feel like a deer in the headlights, it really is. I'll be honest, it's not easy, right? This is not an easy concept to discuss, this is not an easy concept to really make your peace with, this is not an easy concept to sell to anybody. This is kind of the introduction to this talk: basically the Chief Chaos Officer, right? This is like having somebody whose job it is to cause chaos. But the nice thing about causing chaos is eventually chaos becomes the steady state, right? There's this great paper somebody pointed me to yesterday about the fact that stability is actually bad for you. Just think about that for a second: a stable environment is bad. Why? We get complacent, and what happens when we're not reacting all the time? We forget. So the longer we get stability, the less likely we are to be able to respond to a minor change. So the longer that stability goes, the smaller the amplitude of variation we're able to take. Think about that for a second as we go through the rest of this.

So if you've ever been stuck in analysis paralysis... this is something my old job was really good at, where we would sit around in a room and say we have to do this task, we're going to get a team of 28 people, we're all going to decide on how to do this, we'll spend six months analyzing the problem, coming up with a plan, and in 12 months we'll be almost ready to go. If you're in this predicament, you probably have to take some time to plan what I'm about to tell you, but if you sit and keep thinking about it, the world will leave you and you will be the last guy sitting at the train station after the lights have gone out, right? So there's a plan. Have a plan for you? I have a plan. Now, nobody got that. Nice.

So there's four key phases here of this thing. The first phase is very simple: do an assessment, okay? We're going to go back through and figure out what in God's name we're working with. How bad is it? How good is it? Do we know what it is? What in the hell is it, right? So the phase one assessment is looking at it on paper. If you've never done this, you will be shocked, amazed, and perhaps a little horrified at what you find. Find the red book, that's the incident response manual.
If there's dust on it, this is a bad thing. If it's still written in calligraphy on stone tablets, also probably a bad thing, right? So on paper, figure out what your defenses are. But like, really, what are your defenses? What does the company expect of these? What does the organization expect to protect it? And defenses can be technology, defenses can be people, defenses can be outside parties, defenses can be that MSSP you're overpaying, it can be a lot of other things, right? But defenses are a holistic capability. What are your defenses? So how prepared are you? How prepared are you for all those things we talked about that are real, not synthetic? This conversation makes a lot of people nervous because it doesn't sell anything. Given the fact that I work for a vendor, I'm sure I'm making a lot of people nervous right now.

So, how prepared are you? The question becomes: what could possibly break? This is not the question of what's going to get hacked, are we clear? This is a question of what could break. In the process of breaking in, crap breaks. Now when that crap breaks, usually it's that one box that the entire organization pivots on. Some of you are laughing because you're there: that box that was built as a demo, that all of a sudden sprouted legs and became the one production system, and then the guy quit the company, so we're all like "don't breathe around it." That's the box that'll break, I promise. The next question is, how bad is it going to be? Are we talking air-raid sirens bad? Are we talking fire and brimstone bad? Are we talking "hey, somebody may notice, there might be a red light that goes off in the NOC"?

Let me give you a story of bad in the process. This is ten years ago. Remember when we had NT4 around? Some of you still do. So when Microsoft finally said, look, we're really, really serious about getting rid of NT4, you can no longer pay us to keep maintenance on NT4, my organization said, all right, fine, we'll find the 2,700 boxes we still think we have left. "Hey Raf, why don't you go out and run an nmap scan for all of them?" All right, how hard could that be? So apparently, I didn't know this, but VMS VAX boxes don't like Christmas scans, particularly ones that are attached to things like nuclear facilities. You laugh, but when you get that call and it sounds like Jack Bauer on the other end of the line and you hear, "Hello, we had an intrusion event registered from your IP address, at your desktop." "Huh, I'm scanning for IPs, just what we talked about." "Okay, what's your point?" I'm thinking to myself, why is
there a klaxon going off in the background? The guy identifies where he's from, also not a good thing, because then he says he's from a place in Nevada, and I know we have a nuclear facility there, and he says that the two twin boxes that take up half of a room about this size, that manage the temperature control rods in the cooling towers, don't actually manage them going up or down or anything, they manage the readout system, right? So what happens when you're no longer able to monitor the temperature on one of those things? You have to assume things failed, right? So when I kicked over that box, and I mean kicked it over as in a core dump, and it takes 28 minutes or so to reboot, I broke stuff. How bad would it be? That bad. That was that close to becoming a resume-generating event, folks. It was bad.

So do you have any artifacts from the past? What are artifacts? Well, maybe a pen test report from the past that tells you how bad it was five years ago. Can you compare it to the one you did yesterday? Are the things on there pretty much the same? Are they worse? So artifacts, right? We want to know what kind of evidence we have, what we can physically, tangibly get our hands on, or our grubby little paws on, that gives us some clue on how bad things could possibly be, how bad things really are. And do we have any, any at all, empirical evidence? Anything at all? Have we seen a catastrophic failure before? Have we seen any documented response times? Do we know how long critical systems take to kick over? Do we know how long it takes for a response team to show up at a facility that's about to go nuclear? Evidence is important. All right, we take all that and we stare at it, we pore over it, we make sense of it, and then we go into phase two, which is planning.

So planning is critical, because if you go "fire, ready, aim" it doesn't work in that order really well. Found that out as well. So planning: let's find out what's in scope, right? Your vendors are in scope, your partners are in scope, folks. This is not a pen test, this isn't five IPs on a Sunday afternoon. Your partners, your vendors, you are in scope. I'm not talking about you as in the company, I mean you, your house, you. Right, the fact that you play... what's the popular game people play nowadays? Diablo's getting hacked right now, is that the big hack going on right now? The fact that if you play Diablo and they can get to you that way... you know, World of Warcraft hacks, you know, how do we get to you, right, as the Big Cheese of the security organization?
Here's why: because bad doesn't discriminate. When bad things happen, bad people, those that would seek to do us harm for whatever reason, don't go, "Oh well, you know what, if I click on that, or if I execute that script in the process of extracting that database, I may kill 20 people or a thousand people, I shouldn't do that." They're not there, right? There's not a whole lot of conscience that carries over the Internet attack surface. So here's a little secret: good guys follow the rules. Good guys, y'all, we follow the rules when we do pen tests, when we do our own vulnerability assessments and threat assessments. Bad guys, no such thing, right? Rules of engagement only... whatever you're into, man... rules of engagement only apply to the side that's good enough to follow them, generally. These aren't the attackers. Gosh, if they would only follow the rules, if only that... what do you call it, the robots.txt file that said "please don't hack this part of the website," if only that worked.

So this gets overwhelming really fast, because there's a lot of attack surface. I mean, once everything is in scope, once everything is breakable... very few of us live in organizations that are small, very few of us live in organizations that are self-contained. We have lots of partners, we have partners that have partners. I'm going to make Dave's head explode by saying: those of you that are consuming cloud services right now, odds are you have a SaaS vendor who has a PaaS vendor who has an IaaS vendor. Somewhere along the line somebody's not doing their job, I promise, right, because it's early on in this process. What happens when things go sideways? Who do you call? Yes, Ghostbusters. So the strategies here need to be in pieces, right? You're not going to boil the ocean. Paying attention anymore? So you're not going to get everything done in a single swoop, right, you're not going to get everything done all at once. So really you want to start with the smallest parts. Does anybody here actually work in a self-contained unit where, you know, you are the IT team or IT security team for the entire company, that's it, just you or just your team? One, okay. The rest of you guys probably have other business units who have business units who have partners who have business units who have corporate units, right? Really intricate, tangled, detailed and crazy relationships going on there, right? Sound about good? So you start with the smallest possible parts. Start with something that, if you completely break it to hell, doesn't require you to update your résumé right off the bat. How about a single standalone app, right? When
you're gonna go after this, your first chunk at this, you can go off and pay some red team to go absolutely demolish... the goal, I very strongly urge you, is to get... all right, look, I know if I told you to go for the entire attack surface, you'd come back in 30 seconds and go "everything fell over, high wind." So here's some data in this database that this small business unit actually did generate a little bit of revenue with, and they think they're secure. If we break them, and I know their CIO, I can probably smooth things over, right? Go get that. I'm not telling anybody but you. Go get that, work to the bigger units, right, and then build upon that. So you find that they break that one app, and then you work on to those apps, and you work on that BU, and then you work your way up and up and up, and eventually you go to the entire business unit, the entire line of business, and eventually you get to go all in. This is a great poker face right here, folks. You get to go completely all in on this. It takes a lot of time, this takes a lot of effort, and this right here takes a tremendous amount of, you know... to say everything's in scope, I know, perhaps some other person knows, go... right, that takes a tremendous amount of something, because when everything is in scope, this is just like the real bad guys, this is just like the real attackers. No matter what you call them, no matter what they are, the real bad guys show up like that, right?

Let me mention one thing first: who do we tell about this? Because if you're the only person that knows about this, you're fired. I don't care how awesome you think your clout is in the organization, I don't care how big your internal Klout score is, okay? You're still fired, you're just a guy with a big Klout score that got fired. So who do you tell? Let's be kind of realistic about this. Who would you tell? Chief counsel, I like chief counsel. CFO. I'm not going to repeat that. As few as possible, right? The idea is you tell as few people as possible: chief counsel, CFO, Chief Risk Officer, somebody that has the ability to accept risk on behalf of that business unit, that business, that has enough brain cells to understand what you're doing and also maybe is just a little bit nuts, just like you, to try this. You gotta cover your assets, folks, right? See why this is important here: I don't want anybody here getting fired after you try this. I do want to eventually have you guys try some of this, it's pretty cool, but I don't
want anybody to lose their job. You have to have somebody in trusted senior leadership, there's got to be somebody you trust. Legal counsel is a great person to trust because, as we discussed in my workshop, they're the hot knife that goes through the butter bit of the business, right? Generally, what legal counsel says goes. If you can convince them this is a good idea and they let you do this, and I'll tell you why in a little bit, they will be your ally.

So here's phase three: we're going to do some action. Action is fun, right? Simon says, and we get to ready some ninjas here. We're going to get to go and actually break stuff. You get to, unfortunately, usually watch, or pay attention and watch the havoc. So what generally ends up happening is you write a quiet SOW, sign a document, and sometime in the next couple days, couple hours, few minutes, I don't know, bad things start happening and you have to pretend you're surprised. Who's got a good poker face here? Who can act really... oh no, wait, that's not going to work. You have to act really surprised when things go bad, because you can't tell your team. If you tell your team, this kind of invalidates this whole process. You can't prepare for an attack, that's not how life works. So ready the ninjas and do some validation in phases. This is kind of fun. Everybody familiar with how red teams do phased attacks?

Step 1, recon: know your adversary, know what's out there. They're going to do some recon on you, all right? So if you're on the defensive side of this, because I'm hoping you guys are thinking a little bit defensively here, how would you prepare for this? If you're on this side of it, you know what's going to save your butt? Hearing them coming. You got to have a really, really well-oiled, well-served, I'm going to say it, single pane of glass for all your centralized intelligence, right? If you haven't done that yet, if you've got a logging server, that's a great way to start. There's got to be a single central place that knows about all the crap that happens in your organization, I mean from the bad types at your front door to every time somebody logs in or fails a password on the VPN. All that, you got to be able to know that that's happening, and correlate those things in some meaningful, kind of flexible way that you get to predefine, right, because this is going to be continually evolving. This is not something you set and forget; it's set-and-get-fired, unfortunately. So recon, then target acquisition: they're going to find the weakest link and bye-bye, right? They're going to zero in on the weak link. Now who runs
a honeypot here? Your honeypot will probably catch something, unless it's too obvious. Your honeypot may catch something that's going to be of interest to you. This could be a great early warning sign, right? Attackers are generally looking for high-value, low-risk targets, whether you're talking military espionage, James Bond, or IT: high-value, low-risk. You want maximum payback with a minimum amount of "I'm going to get caught, go to jail" kind of thing. Next step: infiltration, right? We want to make that strategic strike, get in. What do you do after you get in there? Make a lot of noise? I hope not, all right, silver bracelets for you. Establish a beachhead: get in there, find a nice quiet place you can build camp and launch other attacks from. This is not new, but this is what's going to happen. After they've established a beachhead, they can do more recon again. We need to be able to tell that these weird things are going on. How do you know what's out of pattern? How do you know what a pattern is? Do we all have baselines here? Anybody have a baseline here? Two. I expected you guys. Three. After you've gotten that secondary recon, you're going to reevaluate those targets: are those really the soft targets, are those really the droids you thought you were looking for? Maybe, maybe not, right? Maybe there was a honeypot you thought you were attacking that you've now broken into: okay, time to burn this VPN and start again. Exfiltration is next: quite simple, take it and run. All right, you get your stuff, take everything. Sometimes they take everything, sometimes they take the one thing they're paid to take, and the rest of everything else you tell them not to.

And the really cool part is... so there's a great quote, and I don't know who to attribute it to, so I'll attribute it to somebody other than me: the good hackers everybody knows; the really good ones nobody's ever heard of, because why? They leave absolutely zero trace. I mean, they're a line item in a log someplace, but you'll never associate it with anything. Fantastic story about leaving no trace, and to talk about this whole enterprise resiliency thing and bring it together, a great example: the Acme Widget Corp. Completely made this up, but if you find any relevance to any real news or story or a real event, it's completely coincidental and stuff. So imagine a company, a completely, highly digital organization, has a ton of good stuff: they have IPSs, they have centralized logging, they have operations management, they have database monitoring, application servers, all that cool stuff, transactional monitoring. Guess what? All of it's done in absolute silos, meaning when the database performs
poorly this dashboard shows it when the IPS goes wonky this dashboard shows it when the cpu spike on no app servers this dashboard shows it great useful but they're all there right because then the manager is like talking to each other so on a Wednesday evening a series of strange package crosses the IPS border the ipss hey these are kind of suspicious don't match any patterns I know but they look kind of suspicious somebody might want to look at these all right trivia question what happens to things that get mark suspicious they fall into that bucket of not a damn thing right the other four billion suspicious packets across the wire every minute so happens the network team also notices
this really weird spike from a bunch of IPs that are in this gray area list they're not blacklisted but they're kind of on the watch list but small spike in traffic nothing really happens Hey look routers are still up bandwidth is good all proper now interestingly enough on the app's I'd a couple of the apps River see a huge CPU spike but like for three minutes right if you're a good at monitoring employee what do you say hey it fixed itself going back to playing tetris or solitaire or surfing discover channel whatever right so no big deal right spike in CPU hey the app did something weird but is it still available yes it is great moving on no
big deal incident marked as viewed done here's a part that somebody should have noticed for those of you guys in the room shout out when you know what this is the database well their typical packet are sorry database return query size is somewhere around one to ten rows that spikes up to about a thousand for a sustained period of about four minutes anybody hi yes I'm single injection nice to meet you right but individually database may have hey are the index is still good yep database still consistent yep is it up yep don't care agreed right so absolutely no trace of any attack until you go back and you link the security stuff with all the operation
stuff and the operations piece goes um excuse me um there's a sequin attack walking through your network right now and you want me to do anything about that that's because you've linked this crap together right more than one person needs to stare at this stuff this is where this whole enterprise resiliency thing really comes to detect deter respond detect found it deter hey I can while you're sitting there making that decision quick think faster I'm going to slow down on the outbound side I want to slow down the responses I'm going to give it every 30 seconds begin between responses I'm going to annoy the hell out of that guy is trying to steal those packets
He's going to wait 30 seconds. Meanwhile I'm giving you time to go, hey look, that's an attack, I should stop that, please block, right? Meanwhile there's a pop-up on your screen that says, I should block this, can I please block this, can I please block this, can I please block this, can I please block this. Eventually the shot caller activates, but, you know, the idea is you've got time to detect, deter and then respond. All right, yet nobody wants to get caught. They're going to try not to get caught; if they get caught, bad things, right? They're going to keep... great, you ask them to keep awesome, fantastic, stupendous, tremendous, voluminous notes. I'll tell you why in a
minute. So, analysis part here. I'm going to give you a prediction: stuff's going to break. Stuff, I mean everything: stuff, app servers, networks, applications, people are going to lose their minds, all sorts of fun things. What broke, and why? That's a question you're going to have to go back and answer for yourself. What broke, not what got hacked, but what broke, and why did it break, right? So this is a system resiliency failure. It has nothing to do with security, but it is a resiliency failure; the system is not resilient. Do a root cause analysis. Everybody familiar with root cause analyses? Who's done one here? Good, at least somebody. So root cause analysis: get to the root of what happened.
Sometimes there's multiple things that happened, sometimes it's a chain of events that happened, but you have to know what happened in order to be able to fix it. Did the attack succeed? Anybody? That's the wrong question. Of course it was successful. The question isn't whether it was successful or not, because I promise you, if you pay a red team enough they'll break in. I don't care if they have to, you know, drive a semi truck through your front door, they'll succeed. The question is how successful was it, because attackers win; attacks rarely fail, and we know that from experience, those of us that have been through this. There's three key measures of how bad it
was. The first one is time: how long did it take? How long did it take them to break in? See, the question is not whether the system is secure or not. Anybody own a fireproof safe here? Okay, is your fireproof safe fireproof? What does it say? Yes, your fireproof safe is rated for X amount of time at X amount of temperature. This is what security should be like; resilience should be like UL ratings, right? How much attack can it withstand before it breaks, and for how long? This is what we're measuring, boys and girls. If you can't get on board with this and you're still stuck in "is it secure or
not," the answer is no, move on. I promise you, you'll lose your job, because it will get broken into. It's a question of how long and how hard do they have to try. Can you tell I'm a little passionate about that? So how much damage is the next thing: how much damage can they do? How long did it take, how much damage can they do? Was the red team able to transfer, you know, funds between the CEO's account and the corporate account? The answer is yes; the answer to damage is bad, like somebody's-easy-to-get-fired bad. How extensive was the hack, how bad was it, how do you define bad? I don't know. Are you in a
financial vertical? Are you in health care? Did somebody die? How bad is it? Measure bad. Have a KPI for bad. KPI stands for key performance indicator: how the hell bad was it? And then the last one is how critical was the thing that got popped. Yeah, you popped my marketing box and put a shell on it, cool, guess what, anybody with Metasploit can do that. So how critical was the box that you popped? What did you get out of it, and how bad was it, how critical is the asset? See, this is a level of awareness that we need to have. If you're still looking at whether it's secure or not, you don't get any of this.
What did they get out of that? Now comes the hard part. Remember I told you to make sure everybody takes really fantastic notes? This is why: we're going to do a full RCA on all the events that happened. You're going to rewind the clock back to the start, when they said they started. They said it started at 12:01 p.m. on Tuesday, and you're going to go back through and go, right, well, they walked through our IPS, they got through the auth system, SQL injected the database, geez, nothing worked. All right, what's the first thing that failed? Well, our IPS didn't detect anything. Right, why? Oh look, we haven't updated our IPS signatures in seven months. Failure number one. Let's
try again, what's next? All right, follow the attack path. Follow the attack path. Make sure they keep great notes. Where did security actually fail? It failed, I promise you, but where? Where did things actually go wrong? Did it fail at detection? Did it fail at analysis? Was that one giant cluster of boxes that's supposed to tell you, hey, this thing over here and this thing over here are doing something wonky, holy crap, if I put those two together you're getting SQL injected, did that fail to make the connection? I mean, it's very realistically possible, right? Was it a protection failure? Did all that really cool blinky-lights endpoint protection stuff just not work? That's a
whole different question. Is it a question of policy? Do we have it open? Do we have an IDS in 2012, still? Was it a people failure? Anybody here work for EMC RSA? Right, that's the kind of thing that happens, right? It's a people failure. A people failure has nothing to do with technology. We hacked, they hacked the person; the technology was a secondary vehicle for the hack, and not to pick on them, everybody is susceptible to this. If you think that your organization isn't susceptible to a people failure, you are absolutely delusional. Try it: send your CEO an email. Find their Facebook page, find out what groups they've joined, takes like four seconds, send them a note that says, hey,
I've got the same car as you do, here, check out this cool schematic I just got, open this PDF. Who thinks their CEO wouldn't open that, would call the security team first? Uh-huh. Was it a process failure, like mine, where step one doesn't work and then you all just sort of go, now what? Did things just... so what, step one doesn't work, we're going to go ahead and do this thing again. Technology failure, which is the whole holistic tech failure. Was it an enterprise intelligence failure? Were you just not able to connect the dots, like I said earlier? What's the remedy? Oftentimes it's defense 101. It's not something ultra super complex. Defense 101: detect, deter,
respond. Deploy countermeasures when you're responding, right? You have to do something to counteract that negative action. The really cool thing is, once you're doing this RCA and you're trying to figure out how they got in and why they got in, and you're going to try to make things better, you want to try to have minimum change to make this stuff happen with maximum impact, because the goals are: deter the casual hacker, slow down the attacker, detect and react quickly to everybody else, fortify your deficiencies, optimize defenses. Because remember that your red team can never actually rest; they're never done. The business is fluid: business changes, priorities change, technologies change, attackers change and threats evolve, so
you have to keep testing your defenses using real-life attacks, and not during the catastrophe. So who's ready for a chief chaos officer? Is it a great idea yet? Because you want to fail at your own hands, folks, not at your enemies'. I promise you, this is not the way to fail. Fail at your own hands, at the chief chaos officer's, not at your enemies'. And I'm done. Thank you for paying attention, not sleeping, or at least not snoring loudly enough, and if anybody is interested in more on this I've got some forums, folks, to point you to and some great information. Thank you.
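As an added example (not part of the talk and not the speaker's code), here is the cross-dashboard correlation the speaker walks through: four teams' monitoring feeds (IPS "suspicious" marks, watch-listed source IPs, an app-server CPU spike, a database result-size spike), each staying below the paging threshold its own team would set, joined over a time window keyed on the database anomaly, plus the deter step of holding responses to the suspect sources to one every 30 seconds while a human decides. Feed names, thresholds, the sample events and the addresses are all constructed for the example.

```python
"""Cross-domain correlation of the scenario from the talk (added example).

Each feed alone never crosses its own threshold; only the time-windowed
join across feeds produces an alert. All events and thresholds below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    feed: str                      # which team's monitoring produced it
    kind: str                      # anomaly type within that feed
    value: float                   # count, percent over baseline, minutes, rows
    detail: str
    src_ips: Tuple[str, ...] = ()  # attributed source addresses, if the feed has them


# Paging thresholds each team uses in isolation (constructed). Every event in
# the sample sits well below these, so no dashboard pages anyone on its own.
SOLO_THRESHOLDS = {
    ("ips", "suspicious"): 5000,        # suspicious packets per minute
    ("netflow", "watchlist_spike"): 50,  # percent over baseline from gray-list IPs
    ("app", "cpu_spike"): 5,            # sustained minutes at high CPU
    ("db", "rows_spike"): 10000,        # average rows returned per query
}


def solo_alerts(events: List[Event]) -> List[Event]:
    """What each team's dashboard would page on by itself."""
    return [e for e in events
            if e.value >= SOLO_THRESHOLDS.get((e.feed, e.kind), float("inf"))]


def correlate(events: List[Event],
              window: timedelta = timedelta(minutes=10),
              min_feeds: int = 3) -> List[Dict]:
    """Anchor on the database result-size spike; if at least `min_feeds`
    distinct feeds reported something anomalous in the preceding window,
    raise one alert bundling the evidence and the suspect source IPs."""
    evs = sorted(events, key=lambda e: e.ts)
    alerts = []
    for anchor in evs:
        if (anchor.feed, anchor.kind) != ("db", "rows_spike"):
            continue
        lo = anchor.ts - window
        in_window = [e for e in evs if lo <= e.ts <= anchor.ts]
        feeds = sorted({e.feed for e in in_window})
        if len(feeds) >= min_feeds:
            alerts.append({
                "verdict": "possible SQL injection",
                "window": (lo, anchor.ts),
                "feeds": feeds,
                "evidence": in_window,
                "suspect_ips": sorted({ip for e in in_window for ip in e.src_ips}),
            })
    return alerts


def throttle_plan(alerts: List[Dict], delay_seconds: int = 30) -> Dict[str, int]:
    """Deter step: while the shot caller decides, answer each suspect source
    no more than once every `delay_seconds` (the talk's 30-second slowdown)."""
    plan: Dict[str, int] = {}
    for a in alerts:
        for ip in a["suspect_ips"]:
            plan[ip] = delay_seconds
    return plan


# Constructed sample: a Wednesday evening, with some daytime noise in front of it.
T0 = datetime(2012, 6, 13, 18, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(hours=9), "ips", "suspicious", 38,
          "38 packets matched no signature", ("203.0.113.9",)),
    Event(T0 - timedelta(hours=7), "app", "cpu_spike", 2,
          "app-03 at 95% for 2 min (scheduled report)"),
    Event(T0 + timedelta(minutes=2), "ips", "suspicious", 41,
          "41 packets matched no signature", ("198.51.100.23",)),
    Event(T0 + timedelta(minutes=3), "netflow", "watchlist_spike", 12,
          "12% over baseline from gray-list sources",
          ("198.51.100.23", "198.51.100.77")),
    Event(T0 + timedelta(minutes=5), "app", "cpu_spike", 3,
          "app-02 at 97% for 3 min"),
    Event(T0 + timedelta(minutes=6), "db", "rows_spike", 1000,
          "avg rows/query went from ~1 to ~1000 for 4 min"),
]


if __name__ == "__main__":
    print("per-feed alerts:", solo_alerts(SAMPLE_EVENTS))
    found = correlate(SAMPLE_EVENTS)
    for a in found:
        print(a["verdict"], "feeds:", a["feeds"], "suspects:", a["suspect_ips"])
    print("throttle plan:", throttle_plan(found))
```

Run stand-alone, the per-feed list is empty (the morning IPS noise and the scheduled CPU spike are just noise, and so is each evening event on its own), while the correlated run returns one alert spanning all four feeds with the two gray-list addresses as suspects, which the throttle plan then slows to one response every 30 seconds. Narrowing the window to two minutes leaves only the app and database feeds together, below `min_feeds`, so nothing fires; that knob is the trade-off between catching a slow attack and paging on coincidence.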