
BSides LV 2023 - Common Ground - Wednesday

BSides Las Vegas · 8:38:00 · 611 views · Published 2023-08

Transcript [en]

Right, good morning everybody. Welcome to day two of BSides Las Vegas. Okay, so before getting started I just want to make some announcements: make sure your phone is on silent, and we'll have Q&A towards the end, so I'll walk around with the mic. And yeah, let's jump right into it. So the title of the talk is Cyber Crash Investigations: Seizing the Opportunity to Learn from Past Crises, and our speakers for today are David Stocks and Julia Wigton. So welcome, over to you guys.

Thank you, thank you. Welcome everyone, thanks so much for coming along to our talk. Yeah, cyber crash investigations is what we're talking about today. We'll do some quick introductions. So my name's Julia, I'm a senior manager at PwC Australia, and I've actually had a bit of an unconventional background. So before I came into cyber I worked in comms and law, but don't hold that against me please, I'm on the right path now. Now I focus on incident readiness, response and recovery, so what I look at is kind of end to end: helping organizations prepare for, respond to and then recover from cyber incidents, doing things like tabletop exercises, desktop simulations, all the way through to kind of post-incident reviews and reporting. And the thing I love most about what we do and what we get to do is the investigative element. I studied journalism as well, and the legal element really ties in well, so I love trawling through the wreckage of bad things that happen. So hopefully we can learn some things today. I'll hand you over to my co-pilot Dave, big true crime fan as well, I think.

So my name is David Stocks, I work with Julia at PwC Australia. My background is a bit more of a traditional technology background, blended in with some international relations and politics; it's always sort of been a bit of a side interest to me. I've done a few things in security. I'm a failed pen tester: I tried it for a little bit, I wasn't very good, I wasn't very patient. I then sort of moved into security strategy before sort of finding my passion in incident readiness, response and recovery. The thing that I really enjoy about doing what we do is helping people out during the middle of a cyber crisis. It's really energizing, I think, to help people through those kinds of circumstances, particularly when they're sort of fresh for people and they've not been in that sort of situation before. Over to you, Captain.

Thank you, thank you. All right, so before we take off today I'll talk through what we're going to cover. You'll notice there's a strong aviation theme, and the reason for that is we're really quite taken with the way the aviation industry investigates and reports on crashes that happen: understanding what the root cause of a crash might be and then providing some safety recommendations. We think that's a pretty good approach, and it should probably be taken more for cyber attacks. We know that you've made some inroads here in the US, but we're hoping that we'll be able to share some lessons learned and contribute to that through some of the black boxes that we've had the opportunity to open during our work. And we have: we've had a really good opportunity to investigate some of Australia's most significant cyber attacks in the last few years, for a big range of clients and organizations across different industries, so public and private sector, all kinds of shapes, sizes and maturities of organizations. And despite all that variety, there are a few things that pop up time and time again. We started noticing some themes, and we thought it'd be kind of good to shine a light on some of those themes, and maybe it'd make people go away and look a bit harder into the things that you've got in your organizations or with your clients, and you can suggest ways to build resilience that you may not have thought of before. So yeah, that's what we're here to do, and what we're going to do is talk through it in three different stages: how to prevent a cyber crisis, or try to do that, and that's our kind of pre-flight check before takeoff; when you're in flight and something goes wrong, how to do some damage control and minimize the impact if you come up against that; and then how you can best respond after the crash, so picking up the pieces of the wreckage. So if we're all ready for takeoff, I'll ask you to fasten your seat belts and I'll hand over to Dave to get started. And I forgot to mention, these are our views and not those of our employer. So thank you.

Thank you for that, Captain. Keen to get rolling, but before we do that we're going to run some pre-flight checks before we take off, so we're going to get straight into that. I'll start off with multi-factor authentication and password management. And I know what you're thinking. You're thinking: a security talk, and we're talking about MFA? Of course we know we should have MFA, everyone knows we should have MFA, we've been talking about this for years and years and years and years. It's not a particularly new thing to say, but we're not really saying "have MFA". We know that everyone either has it or is trying to get that. I think more what we're saying is that what we've seen in the cyber crashes that we've come across is that it's often inconsistent. So it's on some things, maybe it's on most things, maybe it's on your VPN, maybe it's on your remote desktop services and all these other remote access mechanisms, but it may not be on everything. Maybe it's not on that one development environment that a third party is logging into, or you have one particular service provider where it was really complex, and they said it was going to be really hard to try and get MFA working, so you've got some sort of exception policy for them and it's IP whitelisted or you've got some other control there. But it's inconsistent, and I think that often causes cyber incidents; that's certainly been the experience of what we've seen.

The other sort of thing that we've seen in this space is that it's enabled, and lots of users use MFA, but it's not enforced. So there are some users who don't have to use it, and those users present a window into an organization. Weaknesses in conditional access policies: often conditional access policies will be used to try and provide a balance between usability and security, and that's a good thing, but sometimes we set them up in ways that leave too much room for threat actors to take advantage of. So it's not "have MFA", of course everyone knows that we should have MFA; it's about looking in your organization for what the bounds of your MFA policy are: where are the different environments where you have this, where it applies, and what are the weaknesses that someone might be able to exploit.

On password management, it's about storing keys and passwords in plain text. That's the sort of thing that we've seen time and time again causing problems, and it's most common in code. Looking and finding sort of clear-text API keys in code seems to be a really common thing, and it allows threat actors to escalate their privileges and gain access to new applications when they break into an environment and they're rummaging around trying to extend their access.

Identity and access management: the sort of key themes here that we seem to see are that there are too many domain administrators doing more than just domain administrator things. I'm sure that's a common sort of thing that a lot of you would have experienced as well, but domain admins should really be focused on just doing domain administration; they don't need to be server admins. When you do that, you increase the risk that someone's able to escalate privileges really easily or quickly when they're hunting around an environment. There's not enough use of the Protected Users group. Microsoft provides a lovely way for you to try and protect some of those accounts, but we don't see it used enough, and that's particularly the case in sort of older environments that are kind of typical in large organizations, where you might be running off an older Active Directory functional level. This is often still an option that's supported, but it's not one that's often sort of taken up or extended or used as much as it could be, and it really provides some protections there. The last one under this is around semi-trusted user groups. So if you're an organization where you have a really large contractor base, or perhaps you have a vendor with a large pool of users who are providing a service to you, or maybe you're a school and you have a bunch of trusted teachers and a bunch of semi-trusted students who are all trying to break into the network (I know I was when I was at school): if you have that sort of semi-trusted user group, what we've seen sort of time and time again is they actually have a very similar level of trust as the rest of the employee base or the rest of the user base, and maybe one that's not actually appropriate for the level of risk that they present. Now I know we're all sort of working towards having no trust whatsoever and strongly authenticating everything, but in large organizations we're not really there yet.

On patching and vulnerability management, again it's a similar sort of thing to the MFA front. We're not saying, we're not saying you need MFA... so, we've got some fluffy dice. We had an outrageous speaker request for a pair of fuzzy dice. Thank you for that, much appreciated. And we also had a request for some novelty glasses, so I mean, some audience. Thank you, that's going to make you all far less intimidating. That's fantastic, and I couldn't be happier. Back to patching; obviously that was very distracting, but I'm here for it. Back to patching. I think the focus is definitely on your riskiest assets. We're not saying patch everything; obviously everyone knows that everything needs to be patched all the time, and we do it as much as we can, but in any organization it's a question of allocation of resources. We know that there's only so many people and so many teams available to go and get things patched, so it's about focusing on the most risky assets. 48 hours for a critical patch across the board sounds great, but your VPN needs to be patched within a couple of hours, not within a couple of days, and for other services things might be able to wait a little bit longer.

Don't let over-engineered change control get in the way. We've seen cases where there would have been a patch applied, but it needed to go through a change approval process that had like 11 approvers on it, and the 10th person said nah, or wasn't there, was on holiday, and the change failed because you had too many approvers. So don't let that sort of over-engineered change control get in the way, or if you are finding that it is the case, find out who's the blocker and start reporting those names. Lots of good work is undone by running end-of-life platforms and applications. It seems to be a really common theme that you're always running into: oh yeah, but we do have that one Server 2008 server that's sitting there, and we do the best we can, but often it can be the thing that gets you done over. Lastly on this point, making responsibility for patching clear. So often we've found that questions about who's patching middleware, or who's looking after end user applications on servers, sit in sort of a middle ground in terms of who's actually responsible for them within an organization. It's not the Wintel team and it's not the Unix team and it's not the end user applications team, so who's responsible for those things? Trying to work that out and making sure that there's clear accountability for it is really important.

And lastly on the pre-takeoff checks front, we're going to talk about some third-party risk management sort of items that seem to crop up, and really that goes to a little bit too much trust with data exchange. You might often know what a third party has in terms of the controls that they have implemented; you're often asking in your third party assurance requests what controls you have in place, here are all our controls, which of these do you have, or maybe they'll produce a third-party report for you that's sort of an industry standard one. But you might not understand the processes they use. Where does data actually go in their organization when it's your data? So taking the time to sort of understand that is really important. And lastly, making sure that the contractual framework that you have with that third party gives you the room to have good security conversations and baselines. Make sure that if you've got a contract that's been going for 10 years, has your security risk appetite changed in those 10 years? If it has, then you probably need to have another conversation. So with that I'll move into a bit of a case study, after this short water break.

So I want to talk about an organization that about a year ago experienced an incident. They thought that they had MFA in place, but a threat actor got hold of some credentials. We don't know how that happened: they could have been sold, they could have been reused, they could have been phished, or malware on a device, or whatever. We don't know where the threat actor got the credentials from, but they did, and there was this successful logon. The threat actor was able to log into an M365 environment; they were able to access email, SharePoint, all that sort of stuff. The organization had set up M365 to enroll users into MFA, but MFA wasn't strictly enforced, so it was enabled but it wasn't enforced. What that meant was there was a whole group of users, executive users, all of the IT team, who were logging in every day with MFA, and there was just this sort of subtle, subconscious feeling that everyone had, which was: oh yeah, we've got everything in place. Unless you're looking at those actual conditional access policies and actual MFA enrollment policies, then you're not going to know necessarily that, well, there are some user groups who weren't on that policy, and there were some user groups that weren't in this conditional access policy, therefore there's a set of users that actually aren't challenged with MFA at all in any circumstance. What that meant was that there were some accounts that were able to log in without MFA, such as this user. So when the threat actor managed to land on this user's credentials, they were actually able to get into that environment, start accessing email, and actually cause a business email compromise. So it's really important to try and make sure that you look for those gaps in MFA policies; you look for where there might be weaknesses where on the surface it looks like there is a policy. And with that I think we are ready for takeoff, and I'm going to pass over to my co-captain to get us into the air.

Very funny, looking out at those glasses. I really appreciate that. Okay, we're up and we're in the air, so let's talk about damage control. If you're in the air and you notice that things are looking a bit dodgy, or there's lights going off and you're not quite sure what's happening, these are some of the things we see that organizations either do or fail to do that can either increase or mitigate the damage that they face as a result of these cyber attacks that we've responded to.

So the first one is monitoring and detection. What we see time and time again is, despite people having kind of all the bells and whistles and the shiny tools that you need, and outsourced SOCs that cost a fortune, or internal SOCs that cost a fortune for that matter, there are blind spots and there are overlaps and there are things that just remain unseen until someone gets in, and then it's too late. What we see as well is people are paying an absolute fortune for all these things, and front line, you all need it, but you haven't actually put it in practice and put it to the test. Red teaming is such a huge element in that, and just making sure that you've actually put it to the test with some weird and wonderful situations and made sure that it's going to perform for you. The other thing is alert fatigue. I'm sure you've all come across this, but we've dealt with organizations who had the alerts, they were right in front of them, but they were sitting amongst kind of 50, 60, 70 other alerts that they were getting daily that were false positives, and what that meant was they were ignored. Unfortunately the whole thing was really rendered useless, because everyone was a bit complacent at that point and no one picked it up. The other thing is, if you do have an outsourced SOC that you're working with, we often see that the escalation paths are unclear, especially if that outsourced SOC hasn't come up against something that's really caused for concern before. One organization we've helped respond to an incident, their outsourced SOC escalated a pretty damaging, critical alert through to the service desk instead of the cyber team, so it sat with the service desk for two, three days untouched when it should have been kind of picked up and really handled with a great deal of urgency. So they're some of the kind of pitfalls we see in the monitoring and detection space.

Data management makes me want to pull my hair out. It is the one thing that people don't tend to do well until it's really too late. Basically what we see is there's always, always a whole heap of data that doesn't need to be there that's there, and it kind of amplifies the effect of an incident by multiple times. I don't know if anyone went to Christine [inaudible]'s talk yesterday about not actually collecting data that you don't need, but I think we're a bit behind the eight ball in that sense, and a lot of organizations are only just changing their data management strategies to kind of keep up with that approach. But when we come in after an incident, it's amazing how many times organizations don't actually know what they have. So the first time they're doing data discovery is during an incident response, and what that means is you've got to increase your team by a factor of 10 to do all this data analysis and trawl through a whole bunch of unstructured data, which can go back years and decades even. It introduces all these new legal and privacy elements that you wouldn't otherwise need to deal with, and the whole place is crawling with lawyers, and no one wants that, and it's just a nightmare. The other thing we see is people using the wrong systems and the wrong applications to store and process data, and a lot of it you wouldn't kind of think about until it's too late. But not using file repositories as the dedicated file storage place is a nightmare, because if you're having data passed through things like email or file servers or things like that and it's not regularly cleaned up, that can be absolute chaos if one of your mailboxes gets popped and that person has delegated access to someone they shouldn't, or someone who's pretty important. The impacts can be absolutely catastrophic if data management isn't done right.

Network segmentation: expensive, everyone knows you should do it. It doesn't need to be cutting edge like micro-segmentation. What we see is that any kind of good controls that separate edge networks from internal networks are worth their weight in gold, not only for containment obviously, so during a response, being able to shut things off without massive downstream impacts, but also so that the threat actor doesn't have just the easiest time in the world getting across your whole environment, getting the keys to the kingdom and being able to do more damage.

So a quick case study. We recently looked at an incident that was a double extortion ransomware attack. The threat actor had gained access to this organization through a VPN vulnerability and then escalated their privileges through to domain admin, so a bad time for all. But the threat actor then went looking for data, and they found an absolute gold mine in one of the organization's file servers. What they found was customer records for customers that hadn't been involved in that organization for 10, 15 years, which led to some very awkward conversations and apologies about why they were actually holding on to that data after all this time. Lots of identity documents: I don't know about in the US, but in Australia we have a few identity documents where the numbers don't change even if the card changes, so some of these were kind of 10 years old, had been collected during the KYC process and then just sat there on this file server for over a decade, and the cost of having to kind of engage ID support and help people replace those documents obviously increases the impact by a lot. They also had penetration testing reports in there and all kinds of operationally sensitive documents that might have been useful for the threat actor given the position they were in. And the real doozy: unfair dismissal and workplace behaviour complaints, which no one wants to see anywhere other than locked up in a safe somewhere. That caused them a lot of grief. And the last thing was a lot of the staff had, over the course of their employment, kept backups of their personal files from their laptop onto this file server, and so all of a sudden you're dealing with not just the exposure of your corporate data but a whole bunch of people's personal data. So that was a bit of a nightmare, and it meant that, it was already a bad time, right, it's a double extortion ransomware attack, but it just increased the scale of the impact phenomenally, in terms of cost in a dollar sense and also the reputational damage. It was just wild. So why did they have all this data there? They didn't need to; they didn't know they did, or kind of everyone had dusted their hands and not been looking into what was there, but it caused them real trouble. So please avoid that if you can.

The captain has just walked away and crashed the plane, so we are going to pick up the pieces now that that's all happened. All a bit alarming, but we're going to talk about some of those key things that you can do after the plane has crashed, after there's a crisis actually happening. What is it that we can do to try and minimize the damage as best we can, and just sort of pick ourselves back up as quickly as we possibly can?

One of the first things that you can do, if you have this well in advance, is have some sort of containment plan. When we go into organizations afterwards and we try and help them respond to a large cyber crisis, it seems like a lot of the time there's not that initial containment plan that tells them: here are our options to contain an incident at different levels. So often there'll be some sort of understanding about containing a single endpoint; the SOC will know we can turn off a single workstation most of the time, but sometimes it gets a bit fuzzy if it's an executive, and they're like, oh, I'm not sure if I can just go and turn off the CEO's computer like that. Maybe there's a little bit of hesitation there. But it gets a little bit more complicated when it's a server running an important application for a business, or a whole environment, or maybe even disconnecting the internet for a whole organization: the different containment steps that you can take at each layer. There's not necessarily a good understanding of what the impact of those decisions might be. What does that mean for your organization, what does disconnecting from the internet mean? If an organization doesn't know what that means in advance, it means that when they're contemplating the decision they have to think about what all those impacts are, and that might slow down their decision making. And it's not a hypothetical here, it does slow down the decision making, and I'll talk about that in a case study in a little bit. But the lesson I'd say from this particular one is: have some sort of containment plan that's really clear on who can make these decisions at what level. So who can isolate a single workstation, who can isolate a server that's going to knock out a whole application, what about disconnecting from the internet, who's the right person for that? They can be different people, but don't over-escalate it; don't make it the CEO for all of these things, because it'll just take too long to try and make a speedy decision, and sometimes a really quick containment decision can save a huge amount of pain later on. Have enough people who know how to enact your plans. It's no good having a containment plan if it relies on two key people from IT who happen to be away, and no one else knows how to disconnect the internet in a reliable way, and then you have someone running in and pulling random cables or something like that, and you end up in a state that you're not expecting. So that's containment.

This is continuity and recovery. The number one issue in this space is that organizations, when they set up business continuity, are often thinking in terms of: well, I have this contract with IT and it says that the SLA for this application to come back up again after any sort of outage is four hours, or maybe it's 24 hours. But it's based on the restore time objectives that they've got. If they're using metal ratings for applications, maybe they've got a gold or a silver or a platinum application, and everything supporting it will be back up within 24 hours, so the business continuity that the business needs to enact only needs to go for that long. And time and time again when we go looking at them, these business continuity plans are only able to cover that kind of distance. They're not able to do any sort of manual processing after that, and what that means is that when there's a large cyber crisis like a ransomware attack, where things might be down for at least a few days and probably weeks, sometimes many weeks, then organizations aren't actually well set up to do anything about it. They're having to invent these processes on the fly; they have to figure out at what rate they can do stuff, how they go about doing things manually. They're trying to figure out the stuff on the fly, whereas if you can in advance think about and test what your business continuity is that's going to last you a week or two weeks, then you're in a much better place should you actually have to do that. You know what you're going to prioritize, you know what sort of processes you're going to prioritize, you know what rate of efficiency you're going to achieve and therefore what things might have to wait.

One of our planes has actually sheared off. So where were those business continuity plans stored? Oh, that's good, that's true. If these plans were up in the cockpit, we'd be in real strife in this situation. So it's really important to store those business continuity plans somewhere that you're going to be able to access in the case of an incident. Don't just save it on your SharePoint; it's got to be in a different platform, or print it out, and maybe print it out in a couple of places so that it's accessible. Good point; this is why there's two captains.

So that's kind of on the business continuity front. The last sort of point there, on the recovery side of things, is the capacity to restore things in bulk. It's often quite limited. We're not necessarily thinking, as organizations, about how we bring back a lot of things all at once. We think about sort of single applications a lot of the time, or a set of infrastructure, but not necessarily how quickly we would be able to restore everything all at once. We should at least know that number, right? If it turns out it's a couple of weeks, because that's how fast our backup infrastructure would take to restore everything with everything going well (which it won't), if that's a couple of weeks, that's a question that should be put to management to make a decision on. Is that acceptable? Are we okay with that? Can we prioritize the stuff that's really important to us in the first half of that, and that's going to be okay? Will that business continuity last that long? These are the kind of decisions I think we need to be making. And also considering the prioritization and interdependencies. So within a metal rating, within sort of platinum applications and gold applications and silver applications, you might still have 50 applications, so which of those is more important than the others? Because you will actually have to sequence them if you have to bring them all back at once. So having some thinking within those groups, and also understanding the interdependencies: maybe there's some bronze rated service that by itself is bronze, but it has gold applications that depend on it, so we need to sort of think about those kinds of dependencies as well and make sure that we're factoring that into our recovery plans.

On crisis management, I'd say there's a bit of complacency amongst executive teams because of COVID. You'll often go to organizations and they'll say, oh, we're very fresh from running a bunch of crisis stuff, we met regularly during COVID and we're running our crisis management team. And that's true, that some organizations have had the opportunity to sort of go through their crisis management plans a little bit more recently than they used to before the pandemic, but it doesn't necessarily cater to the kinds of people that they would need to draw in if they were dealing with a cyber incident, or the kind of speed that they might need to move at. So sort of rejecting some of that complacency is good, in a sort of respectful way. Considering fatigue is really important during a crisis. Everyone's going to have to work long hours during a cyber crisis; we can't sort of stick to that nine to five, and that's okay, because when your organization goes through something, everyone's really committed to try and get that organization through to the other side. But that only lasts so long. You can do that for 48 hours, 96 hours, but after a week you're going to start to run into tension with people feeling like they're trading off their families and their personal wellbeing with the organization, and you want to avoid getting into that situation: one, because you care for your employees, but also because people will leave, people will switch off, or they'll overload and they'll just crash and they'll be pushed aside at the worst moment. So having redundancy in people, and alternates that people can go to, that's really important in that sort of after-the-first-48-hours phase of an incident. Escalating really quickly is important, not just to unlock support from an executive management team and other parts of the business, but also from insurers and other third parties that you might have available to help you in a crisis situation. Just to mention that escalating here is not for decision making but just more of a notification. So we talked about before not escalating too much, but this is escalating to unlock support for a decision you've already made. Yeah, yeah, so that's a very, very good point.

On the privacy and regulatory side, just to sort of finish off with before I go into a case study. Julia mentioned before, data analysis is really hard. The amount of data that people have, the unstructured data that people have floating about, means that the data analysis task to try and figure out what was impacted can be so incredibly hard. It is hard to overstate how much of a difference it can make. It can drastically increase the expense, time and sort of external headaches in a response when you have all of this personal data floating around, or just unstructured data that you don't know, maybe it has personal data, maybe it doesn't. The potential for it means that you're going to spend a huge amount of time sort of focused on this stream that you don't need, or you need less of. But because data analysis is really complex, know who's going to do that for you. Do you have a team within your

organization that's going to be able to do that for you is it something that you can rely on parts of the business who are going to understand the data really well to be able to support you with or is there someone that you've got to help you with those kind of things outside your organization does your insurer have someone on tap whatever it might be um knowing your privacy obligations in advance is really important particularly if you're a multinational and you're dealing with different territories around the around the globe all those different privacy obligations you might have knowing what kind of regulators you need to get in contact with with what information and what time frame you need

to give them a heads up on some of those time frames have gotten really short over the last two years as Regulators have tried to sort of get closer to the pulse of these kinds of incidents lastly having a comms plan for those sort of internal and external stakeholders um you know I know from sort of quite personal experience that crafting some of those Communications about what happened in the wake of an incident and everyone feeling really comfortable with the language can take a really long time people will still tweak it even if they've got a template but a template with some agreed language is going to you know give you a massive head start

to sort of getting your your customers your corporate customers or your end consumers some comfort so um I will move on to our final case study um which is about an organization that was in this sort of over escalation situation um what happened was the organizations suck uh identified a suspected intrusion and it was based on an impossible travel alert so that this is for a single user account um a single login but it was this impossible travel situation the organization hadn't blocked that um but they did get alerts about it and their stock was looking at it um the user was a finance executive it wasn't unusual for them to travel um and uh there was some doubt about

whether the alert was legitimate or not um obviously the the time between the two logins made them think well you know maybe this is a legitimate alert but but we're really concerned about the impact of disabling the account if they went ahead and just did it so um the soft sort of looked into it further they identified that the user account had um attempted to log into an application server now that that uh that attempt failed so they weren't able to successfully log into the thing they didn't have the privilege to do so but they saw the attempt and they went okay this is almost certainly um uh suspect well this almost certainly an illegitimate logon there's probably

someone else with these creds and um they they thought they were going to disabled account they went to the side Zone and said hey like we want to go and disable this account uh there's not not a huge organization but like so they're emphasizer we're going to disable this account so as it has a look go through all the data themselves um and and valdex decision yep let's shut it off they shut off the account but in the time that this took the threat actor had gained access to other systems and um and other accounts while they were like in the time this decision making took so um the threat actor had placed uh some

cobot strike beacons on some systems as well the threat the the sock picked up on a malware alert from one of the servers that was impacted by the by the cobot psych Beacon and they also saw some of these other attempts at access to um other systems so they'd look there's they've gone around and they've realized that things are starting to look a bit out of containment they might have something a bit widespread that uh that they aren't truly in um in control of their recommendation was actually to disconnect from internet they didn't know what else they could do in that sort of situation it felt like it had jumped their containment lines and and

in truth it had um so the the they took that to the ciso ciso immediately turns around and takes it to the to the CEO who convened an executive meeting uh 90 minutes later to talk about what the impacts of disconnecting the internet would look like for that organization um and you know they they talk about it for about 45 minutes they made the decision to disconnect the internet but again in that time window show that they took to make that decision uh the um the threat actor had managed to make off with some data so you know we think that they were trying to go through a double extortion ransomware attack and they were going to unleash ransomware so

the the disconnection from the internet and the C2 probably saved them from ransomware but it but it uh if it hadn't been done earlier it might have saved them from some data exfiltration um so it's just a really good example of if you have some of that containment plan in advance you know what the impacts of disconnecting are going to be you have someone empowered like this is so who can say yes we're going to do this you might arrive at sort of a better outcome for your organization um and and with that I'm going to pass over to my co-captain to uh wrap things up thank you for handling the chaos Dave as someone who's flown a long way to be

here I'm quite nervous about my journey home now but thank you um so to wrap up the talk I just wanted to cover off a few key points so you might have noticed that we're not talking about a whole bunch of new tools here and I think the the number one lesson is you don't need all the bells and whistles a lot of the organizations we've worked with who've responded to these cybercrassies the best aren't necessarily the people who've invested the most money in their security you know they're people who have thought about their practices and processes and tested things out and know their organization really well so by no means is this a go out and buy the best EDR

tools or pay a fortune for an outsourced stock if you've got those things great but just make sure they're working for you as best that they can um damage control almost always comes down to data management in our experience so uh yeah like eight times out of ten the organizations we've worked with who've had a horrible time in the months following an incident are dealing with the the data breach element and it's something that you know very few people are specialized in doing that data analysis and yeah as Dave said you can't overstate the amount of time and energy it takes and the complexity of actually going through something like that with a data set that no one's

actually familiar with so uh yeah try and get that under control and you will help yourself in the event that touchwood do you have an incident you don't have an incident um uh BCPS are almost never fit for a cyber crisis purpose so make sure they're not relating to one application that's experiencing One Outage they're actually scalable to something like a ransomware attack and if they're sitting in a drawer Dusty somewhere um make everyone get them out and have a look and kind of look at them collectively and see if they would actually function the way that you intend them to function in an extended outage and Link together and Link together yeah very good point they need to work

together um and finally a little preparation goes a long way so Dave talked about this but any organization you can do beforehand to get some pre-agreement from the people who need to sign off on really key decisions that are going to take them a while in the moment and In the Heat of the Moment can really help out in the long run and any of that kind of pre-agreement on messaging principles if you're talking about public statements or containment actions and people being kind of familiar with the impacts of different containment level decisions goes a long way also practicing and I would say that but making sure you're exercising your executive and exercising your Tech teams and exercising with your

external sock and making sure that everyone's worked together before makes it a lot easier obviously if everything does fall in a big Heap so thank you for flying with us that was the end of our talk um uh we hope you join us again but yeah thank you very much for your time if there are any questions we're happy to take them now um and we've got our LinkedIn links up on the screen so yeah thanks everyone and here we go I I really like planes [Applause] does anyone have any questions I really hope I didn't get dressed up for nothing

...of the recording. Yeah, oh, there it is. I'm in agreement with the preconditioning, being able to take down the internet for a predetermined amount of time, figuring out which are the critical pieces of the business and how you would still let them through if they weren't part of the scope. It gives us a lot of freedom to do things that we need to do, as you said, to protect the organization. So that one's helped a lot, so I definitely agree.

Yeah, I think another thing we've seen is people expect their executive to make certain decisions because they know them quite well, especially in smaller organizations, but when it's a crisis situation there might be one person who vehemently disagrees with the prospect of taking everything offline and shutting down your operations. Or, if you're dealing with a ransomware attack, the concept of paying a ransom: people just come out of the woodwork and have these really strong views that they're not willing to be swayed on, and it's better to find that out before you're in the absolute...

Yeah, we have the same conversation about ransomware. If we're going to pay it we have a lot of prep work to do; now we're not going to pay it, great, and we'll deal with that. And our executive said no, we're not going to pay it. Now we have a new CEO, so we have to go, we're gonna open the books again. Yeah, we've got to open that same box again.

Does anyone have any questions or contributions? Hi, thank you for a great talk. It's more of a comment than a question. I heard this quote, I can't remember unfortunately who said it, but... sorry, oh sorry, thank you. So, thank you for the talk. I have more of a comment than a question. I can't remember who said it, but there is a saying that from an attacker's standpoint every decision is technical, and from a defender's standpoint every decision is political, when you hear one of these topics get debated in a long meeting when a decision should just be made. Sure.

This is a question: what kinds of data management techniques or tools have you seen work well, especially at a relatively small organization that doesn't have a lot of infrastructure?

I'll kick off and then maybe Julie you can add in, but I think a really key one is using applications that are meant to do the job. So don't use SharePoint or email for processing a bunch of personal information. Don't send notifications with all the text into email, don't have all of these reports land on SharePoint that have all of this personal information in them. Try and use a tool that's actually meant to capture that information and store it securely through its whole life cycle. The minute you exit outside a controlled process, I think that's where we've seen organizations land in trouble.

Yeah, I'd add most of the organizations we've helped through a data breach actually have data retention and destruction policies, but no one's seen them for years and no one actually uses them, and again they're dusty in a drawer somewhere. So I think just making sure, if you've got policies and standards, use them, they're there for a reason. Make sure they align with all the regulatory requirements, but most of all use them to protect your organization from that kind of catastrophic impact.

Auto-archiving too can save a huge amount of pain. The amount of stuff that just stays on SharePoint, live, accessible: it doesn't need to be live accessible, right? It can get archived and you can have a process to go and retrieve that data. It just doesn't need to be accessible on the network with a user account, or a privileged user account that doesn't need to be there, in the way that it is at almost every organization.

Any other last questions? Nope. All right, thank you so much everyone. [Applause]
Okay, 10 minutes. I'll just give you like a warning: seven, five minutes. And that was the joke, so if you want to have a fight with your opponent when they start arguing with you, hold those signs up with the "no, stop, seriously, stop now". The security joke.

Just kidding. I could just say okay, stop. Actually a good idea, stop this. No AI would solve this problem, because casual Olympics yesterday.

It wouldn't work like a joke. Stop asking me so many questions.

...or wine producer, now he's one of the cyber security people. So he was at the pool party last night; I met someone who's got an interview lined up for that already.

One minute. I was here at the 17th, at the east side, I had my forensic kit with me, went to the Voting Village, started working on that, started talking with DEF CON and hearing about voting machines, and now, you know, I have a job. Twitter wants me to be in charge of election security; they interviewed as well.

100 percent because of voluntary exact location, yes. Yeah, it is a good thing. Thank you. I find myself kicking with a bad hood and more, I'm sorry.

Cool. Before you have a glass of water, because this makes everyone real stylish. It's almost time.

I'll try it okay the title for the next talk is Conti leagues and Carver analysis for threat Intel analysis and please welcome our speaker will bag it over to you thank you hey thank you for coming to the talk I appreciate it uh these talks are truncated from 55 minutes down to 20. so like Matt Foley I've been in my basement drinking three pots of coffee for the past few hours and I live in a band down by the river and I want to speed through this so compromise Conti chats and Carver methodology first I'm will Baggett uh ccee certified combat collection engineer from the NATO soft days certified products Handler a whole bunch of digital forensics certifications

started off working uh Financial technology was a coat or developer took that off my resume because open floor plans and coding don't work went to CIA for about 20 years did some stuff did some things and that's on another conference we're just talking about networking ended up getting a job for a couple years over in Belgium as NATO's cyber security instructor for the Special Operations troops there which ties into this uh worked digital forensics Insider threat for a large consulting firm with a company that may or may not have reduced vaccines I can't name them but you know who they are and from that I pivoted over to a cyber threat intelligence where I am now

and since they're not paying for the talk they're not paying for me to be here I don't have to get legal involved so I'm not naming them so we're going to cover a few things we're going to talk about the county ransomware group we're going to talk about the Carver methodology The Insider threat overview and then how well the Russia Ukraine situation some of the games they play with each other slides are color coded a little bit if it's a red slide if I had a week-long with you and this is a NATO's classroom we had pivot we'd do online training we'd actually get some Hands-On the yellow slides are things that were discovered after the fact for this leak

months or you know 18 months later which is relevant but it didn't impact what we did when the leak came in so besides you know you can have someone coming straight into cyber security who's never worked in the field or looking to transition out of what they're doing or you might have someone who's legendary like Jack Daniel who helped build the internet down to the ones and zeros for the routers everything so we'll start high level ransomware is basically malware that locks up your computer and for a very small fee of money with six figures seven figures they'll give your data back another variant of that that we've seen now the Russian conflict is wiperwear

for same methodology but instead of locking your data up it just wipes it's like an EMP electric pulse vehicle or a bomb that wipes it out but it's a little more efficient a little cleaner it's cyber warfare it is what it is so Conti's a Russian ransomware group they are first spotted in May 2020 they'll do data extraction first exfiltration they'll name the company like I think it was Uber that was hit Day by clock and they'll shame oh they've been hit we have their data we can sell on the dark web if they don't pay us this amount of money to pressure the company and give up the information one of the things that came out was they

are a fundraising arm for the Russian government and it's not a small business Conti was was past tense the leader in ransomware 180 million dollars in was it 2021 and that's not chump change for a criminal organization their standard methodology they'll they'll Harvest credentials with the spear fishing whatever else they'll get the credentials penetrate the organization make sure it's a valid account and then they'll Spearfish this is also mapped out very well by so many other researchers the malware comes in they get the back door they connect to their C2 command and can command and control server they exfil the data they give the command to lock it up once they're available they have Consultants

to tell the company how much money they can possibly ask for for uh Ransom that's reasonable and also they'll Target the insurance policy so if you have something like an aeon cyber insurance policy they've got the data they know where your policy limit is the last top dollar policy limit just like a car mechanic oh your insurance is going to cover fifty thousand dollars for this repair to your Jeep the Bill's fifty thousand dollars same thing but with ransomware all that said May 2021 the colonial pipeline leaking any of the East Coast people in here are impacted by that few people long story short and we don't need editorial they weren't hiring for their cyber open cyber security positions

they were hit by dark side with ransomware locked up the payment system so Colonial pipeline went dark for about a week seriously impacted the East Coast all it took was just one phishing email to get past the defenses to load the malware all that said I know I'm going past but we have a lot of material to cover a couple of cool things that came out teaching over in NATO soft of for the troops and it's a whole Coalition which is bizarre to have the former Soviet lot troops in a skiff they're now our allies whereas before I couldn't talk to you socially but now you're one of us you're in the skip I'm teaching you

it's bizarre so a couple of cool things that came out cool as in I respect the technique I don't like the conflict but acute dissidents murder them returned back and they would have thoughts on YouTube it was terrible tradecraft they're identified we could go through that leak and find who they were the soldiers would dig into this to find the operations that were leaked where it would Branch out find out who's going to Siberia for for tradecraft we don't have time for that here but that's where we would pivot and go you know a lot of ukrainians are saying I'm telling you right now that muscovite Foreign Service Officer he is not he is not real

okay so I'm working now cyber threat intelligence large infrastructure provider you know who they are can't say them legally but we're concerned that if we're hit with this leadership's concerned ceases concern and sa is concerned that if we're hit a lot of corporations are hit it's going to majorly impact the U.S economy so cesa likes to say we have our Shields up for this Conte sends a message saying we are fully behind Russia we support Russia Hondo p no cap for real for real yeah my son just cringed at that one and then ah we don't really support Russia two hours later we'll support ourselves they're backpedaling well that was kind of vague and unconvincing the internal researcher

who's a Ukrainian working with Russia a couple of days after that announcement sends out an email to bleeping computer if you're cyber threat intelligence basically that's where all of your data comes from saying hey I'm going to leak all this data it's going to come out the next few days here's this unique file name it's going to come out and you're going to like it first and foremost like Clint Eastwood said in the Good and Bad and the Ugly if you want to talk talk if you want to shoot shoot you don't do that so he leaked out six sixty thousand messages several gigabytes of data again we would pivot here and go from who's following this account who opened

the account whose bookmarking this who's quoting that's going to give a lot of information of cyber threat intelligence because the average person's not interested in this the leaks start coming out and as you know this violates Twitter terms of contract where X's terms of contract of what data is actually available English version comes out I don't know how long it's going to be up we're doing shift rotations I'm former CSA CIA my manager is former NSA White House comms it's a heavily military intelligence group themes background groups so we understand we've got to work shifts in this this is a nine to five day work for the first few months it was fun that wasn't fun

so all total this is what came out everything and when they said they weren't actually working with Russia the results determined that that was a lie there are links this came out last oh wow time flies last month of what was actually there very quickly because we have about nine minutes left The Insider threat usually if you think of the data Leak with the dam holding you down a breach is when the Dam breaks data comes forward it's usually an external actor or something like a solar winds Cloud misconfiguration an Insider threat some like Edward Snowden Robert Hansen giving leaking out sensitive data to hostile people nebula bringing the ship in from wherever Thanos was and people do use

science fiction as a reference because that's not copyright it's not an NDA so we can go to that as a common ground so people don't expect this to leak when you've got a breach like clap and move it organizations are still being hit with this finding the weaknesses just like The Shield at scarif was now your traditional modes for Espionage mice money ideal ideology conscience compromise or ego or excitement so this definitely hit ideology conscience and probably a little bit of ego if I link this I can take down the Russian fundraising machine together is Rascals which is exactly what the email phishing does so we have an Insider threat this is a one-time event he's lost his access it's

directly attributable to the only Ukrainian on there the damage is unquantifiable at least 180 a year they were up to 180 million a year before the leak again going back to the class method we would discuss how they staged the data for exfiltration we look at how you can determine it that uses corporate laptop doesn't get a corporate there's a lot of questions to answer but this is raw data that comes in from a battlefield even though it's not traditional finding USB drive in a sensitive site exploitation it's still data from a conflict that leaked to the corporate world we have to determine if it's uh what the impact is if it's disinformation if it's manipulation or

if it's actually true good data we can ingest so who was coffee they're gone now we haven't seen anything on Conti they've been relabeled other things the methodology I I used once I had the data was the Carver method it's from OSS office of special services in World War II it's what we taught the French how to identify the key points for subtle sabotage the longer method I might be able longer time I could talk about some of that but given this is on YouTube and it's teaching people how to do sabotage probably not something I should teach out for the world but this is offensive defense to find the weak point so yeah criticality

accessibility recoverability vulnerability effect and recognizability but out of that you look for the key piece just like the meme of the one Excel spreadsheet supporting the world's Finance system this leaker knew exactly the key thing to take out Conti just like air conditioning runs b-sides and Defcon air condition goes out no one's sticking around for these talks same at Defcon because got the smell but for our purposes with that methodology criticality and effect if these two things go down what would happen so just like the Battle of scarif if the shield goes down they're not expecting the rebel Fleet to actually physically Ram something that's an out of band technique that hadn't been done before

per Star Wars lore that's the key weakness for the empire so we've got a chart and we go through and rate what's the most important thing so a scale of one to five highest score is going to be 30 lower score is going to be six the most important is their source code their core designers and some of the infrastructure credentials or you know dime a dozen the staff they can always get more staff but the core Developers that's their weakness our weakness are crown jewels all the financial information that we hold the personal information the way we handle it our infrastructure the way we process what we do and our reputation if we lose our

reputation it's a major part of the US economy and I think the kids would say it'd be shook but that's how we line it up but very quickly we knew this is what Conti's coming after emails databases source code Insurance there's a screenshot given this is a lot of leaked personal information I share what I can they're going for the banking information how do we Define it as CIA it was foreign of Interest new clandestinely Acquired and authoritative in the Cyber threat intelligence Financial world is a hit financial industry is it of interest is it new is it copied and pasted from leaping computer and is authoritative so we've got to look at the security the

time the imminent threat what's happening with this data it's been leaked we have all these creds out there we're not going to go online and search because this is a traditional Honeypot you wouldn't put your information in one of these you wouldn't search on the dark web this is a common methodology criminal actors use to get the core information of what's of interest you tell me what you're looking for I'll tell you if I've gotten there it's never found but they're building that back-end database so the core of it is are we targeted our core business functions the then there's leak creds and then the CDE iotps and out of that that comes down to this came out last

week roughly 87 percent of ransomware attacks phishing attacks or because of compromised creds so using this method I know that if I can find going like those after like if I can find them if my companies Target our Core Business function is targeted first and foremost if we can find there's creds in there that are leaked and I know what to disable what to turn off and that's going to lower our risk vector a lot of credentials out there I can show you this that's what it looks like it's redacted it's redacted there's a lot of strong passwords they hit password managers it's Sheridan clear text it's leaked skin clear text and just adding a one at

the end still isn't secure so the Conti operator they work off phishing vulnerabilities creds and spear phishing is an inside threat to get their C2 out there that's the methodology yes this is the diamond model I freaking wanted to use that s that you've drawn since elementary school for the first time in my career so there it is that's your diamond model so importing the data I didn't do this on my corporate Network because I like having a job I don't know what Conti has in their chat I can almost 100 guarantee it's going to get me fired if the right filter hit it I did it out of band made copies made backups sort through it to see if we

were listed first and foremost are we hit reports go up saying we use this method we're not listed we're not hit here's the credentials the next key thing for the other 12 percent not only do they document the vulnerabilities going back to 2015 they list this company is vulnerable to the CDE here's exactly how to do it step by step so it's not a oh let's wait for vulnerability management to repatch this months later this is okay a doesn't work they immediately pivot to B the speed of ransomware versus the speed of business now the tertiary analysis as we're starting to wrap up there's a lot of stuff we can find here the after action threats we can find how

to reverse engineer this we can pivot on established usernames for osynth look for the leak Bitcoin wallets using oscent framework.com some film links there but immediately is my organization at risk are we being hit and if I've got that 88 coverage it was 87 89 coverage then the rest of it takes a lot of the pressure off there's tertiary analysis that's great for incident response it's great for the tech teams how they launch their domain controllers but the immediate are we at risk this is great but if I don't have the door lock of managing my Elite credentials because that's the first thing I sorted through it doesn't matter you can see this came out last week they

go for insurance programs, for insurance coverage. vx-underground, a year and a few months after the fact, all this is out there, it's fantastic, but back in February of 2022 my concern for my organization is, I've made sure this leak isn't, Russia's not targeting our financial infrastructure. So the TL;DR: secure your own organization first. Document everything as you find it, just like everything else. The CARVER methodology: it's not, there is a software program, but it's the mindset, because tools break, tools change prices, you lose vendors. Look at EnCase in digital forensics; they used to be the king of forensics, now they're gone. So as we're wrapping up: if Conti can take care of their own ransomware

operators, take a vacation holiday for yourself, and you need to take one for your peeing. And the next steps: I'm going to go back to the room, change clothes, and start looking for its copy affecting the U.S. election, because no one else has done this. I'm not going to assume it's been covered; I'll take care of this myself. And I think we're right on time, so, caffeine.

I think we can do, like, one or two questions.

You blitzed through that. Is there a longer version that's recorded somewhere that is posted? Because that's awesome, but I would love to sit through the 55-minute version of that. It's that with more examples, slower talking, and I don't sound like the guy from the Micro Machines commercials from the 80s. But is it posted somewhere? Is it, what, is it posted somewhere? Not yet; the talks will be on YouTube. And, um, yeah, here we go, my email is 10xengineer.com. Yeah, like if you go to mail.com they got like 200 domains. When you apply for a job it's something unique, like "at consultants" rather than "at gmail", you send it, it's a little bit better, and it's free.

Any other questions? So is that data set available? Yes, to everybody, yeah. And so you're sort of advocating, like, hey, it's a good idea for you to go check to see if you're on this list? If you're, would it hurt? Yeah. Thanks, I was just kind of, okay, I mean, no no no, I just want to, like, because, bring the tea leaves a little bit. Yeah, yeah, you know, kind of over-caffeinated this morning, thinking I haven't searched that data set for the other thing I'm working on, no one else in this group has, why not? Yeah, excellent, thanks for the help. Okay, yeah, thank you, thank you. Well, that was great.

Hello everybody. So the next talk, the title is Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping. Without further ado, please welcome our speaker Jerry Gamblin, over to you. Thank you, thank you. [Applause] No need to clap. Let's see, all right, like she said, we're gonna talk about vulnerability intelligence for all, let's say goodbye to data keeping, uh, data gatekeeping. So a quick agenda here: we're going to do a quick introduction, we're then going to run through the need for vulnerability intelligence, I'm going to talk about some of the best open source vulnerability intelligence, and then we're gonna go to some consolidating vulnerability intelligence. I only have 20 minutes, but the good thing is, right when you get out of here

you get to go get lunch, so nobody's going to get mad if I finish a little bit early today. So just to be basically clear here: all organizations have a need for vulnerability intelligence. Very few organizations have a need for threat intelligence. Everybody you go to will say, oh, you got to buy a threat intelligence feed. You're a small organization, a couple hundred people, please spend eighty thousand dollars on a threat intelligence feed. Most organizations don't need that. Let's break that down. What's the difference between a threat intelligence feed and a vulnerability intelligence feed? A threat intelligence feed gives you all the five W's, right, the who, what, when, where, why and how. Most organizations don't need to care

about the who and the why, and that's what you're paying for with a threat intel feed. If you're working, if you're a college, a mid-sized college in the Midwest, a bank in the Midwest, something that's not getting attacked every day by an APT, do you really care who or why somebody is deploying a CVE scan? Or, you know, are you gonna be able to do anything about it if you know that this is who? So the answer to that, to most people, is no, and when you get to the point to understand "I don't need a threat intel feed, I don't need to read about, you know, what the latest hackers from the Russian Federation are doing, or North Korea, or

China, or whoever the boogeyman is this year, and I just need to work on protecting my network," you can really save your organization a bunch of money. But let's get in and talk about the need for vulnerability intelligence, because this is even a bigger deal. I spent the last basically 15 years of my career working on vulnerability management for companies, and I work with a great company called Cyentia, and we know that no matter what size your company is, from 500 people to a Fortune 500 company, you can patch about 10 percent of the vulnerabilities on your network a month. So you're always behind, you're always not able to catch up, so

what we want to do is help people pick the right ten percent. Um, I'll put these slides up on GitHub at the end and you can grab them, I'll have the links. The other thing is that the CVE growth is looking like this. One of my mini side projects is cve.icu; if you ever want to see how many CVEs there are, you can go check that out. But as of this morning there are 209,169 CVEs. That's 24 CVEs a day since 1999, when the CVE list was created. That seems like a lot, but if you just look at this year, we're at 80 CVEs, unique CVEs, per day. When I first started, way back there, when

there were about 20 CVEs a day, I could sit at my desk and go through Bugtraq and figure out which ones I need to look at and which ones are important to me. I can't do that anymore, and very few companies have the staffing to be able to say, hey, monitor all the CVEs, figure out which ones are important to me and which ones we need to patch. So the truth of the matter is, at the end of the day, less than seven percent of CVEs ever become exploited. So we know that that grows, this number is shrinking, but every day people put out CVEs that are only exploitable, you know, in proof

of concept, and that's about 20 percent of them, and then about 60 percent of all CVEs are just academic CVEs, is what we call them. You have the vulnerability there, the code is vulnerable, but they weren't able to produce an exploit to even put on the CVE. They said, hey, we're filing this, we think this could happen, you know, and in the right circumstances you could patch that. So here's what everybody needs to think about when you start building out your CVE vulnerability intelligence program. I like to build this out, it's just a little chart: it's the CVE in the middle and, you know, how, what, when and where around the side, and you need that for

every CVE that's on your network that you expect to be exploited. Uh, here's one that I did for a CVE-2023, it was one of the Google Chrome ones. It just obviously says what's being impacted, Google Chrome; it's been exploited in the wild since the middle of April; it's a network-based vulnerability, so I need to get on it; and it's a type confusion, right? So you get all that information and that's when you know you need to act. If you build those for all the CVEs you have, then you can start prioritizing what on your network needs to be patched first. We're going to jump right into open source vulnerability intelligence. This is where you can go and get some of the

best open source data on the internet, and it's free, and every organization should be using it. And I will tell a little dark secret here: if you're not using this open source data and you're paying somebody to be a threat intel feed, they're taking this open source data and feeding it to you and charging you money for it, right? Most of the time it's like, here's 90 percent open source stuff, we'll throw 10 or 15 percent of our own proprietary data in there, but this is where everybody's getting the data. So first we'll start with the high quality data. Uh, CISA Known Exploited Vulnerabilities catalog: if you work in the federal government you know about this one. As of

this morning it contains 983 CVEs. Um, the Binding Operational Directive was 22-01, if you're interested in reading what they actually have to do. The guts of this is that when a CVE is added to this list, the federal government has six months from the date it's added to get it remediated off their network. That's a long leash for them, and there are very few CVEs on there. Um, what I like to tell people to do is that this is a good starting point: if you don't have a vulnerability intelligence program, let's start with the KEV list and make sure that you have all of those removed from your network first, and then we can build out a more

substantial list. The next one here is going to surprise people a little bit: it's Metasploit. Um, it contains over 2,000 CVEs. People ask, why do you look at Metasploit? And I say Metasploit is the best pen testing framework; it has close to 1,500 known exploits that you're paying your pen testers to use against you. You know the code is valid, so we're going to take those CVEs that we know are in Metasploit and we're going to make sure you have those patched, right? We're using the red team's toolkit against themselves before someone's able to charge you ten thousand dollars to tell you to patch the stuff in Metasploit, right? So you

might as well just cut out the middleman and get right to Metasploit and patch those. Um, so the next one here is something that I'm very familiar with and very passionate about. It's called EPSS, the Exploit Prediction Scoring System. It's through FIRST.org, which also runs CVSS. Um, what it does is it measures the likelihood of every CVE being exploited in the next 30 days. It's industry supported and backed, and if anybody in here is super interested in vulnerability intelligence, we have a special interest group that meets twice a month, the email at the bottom, would love to have more people. We have an open Slack too; we love to have people join

and to be part of this discussion. The people who give their data freely to EPSS are Cisco, Shadowserver, GreyNoise, F5, AlienVault and Fortinet, so if you know those companies and you talk to them, please say thank you for providing this data to the EPSS project to help make the internet secure. So let's talk about the okay quality vulnerability intelligence sources. These are ones that you need to look at and kind of understand, have a little bit deeper knowledge of what's going on, before you add them to your patch list. So on the left here is Exploit-DB. How many of you guys were alive in the, and working in this industry, in the age of

Exploit-DB is where you went to get code, right? Like, that was me. Um, but then about, you know, in 2020, 2019, they kind of fell off the cliff and people stopped putting their code on Exploit-DB and they started putting their code on GitHub. So we just changed where we go to look for PoC code. And just for a baseline I put Metasploit in there, because I love talking about Metasploit, because you know that's a solid baseline, and if there's an exploit it's going to end up in Metasploit at some point if it's network based. So GitHub is super high volume; it's lower quality, though, and if anybody

here is interested in building an LLM project, I would ask you to look at doing this: look at scraping GitHub for PoCs and running it through an LLM to tell you what that PoC does. Because a lot of times in GitHub you'll have something that's labeled a PoC and it's really just a script that's just checking to see if it's vulnerable, right? Like, it's just pulling a banner and saying, yeah, you're running Apache 2.43, you know, you're vulnerable. And that's not the exploits we're looking for; that's just something to tell you. And if there are 50 repos with that in there, most people don't have the time to go through and pick

that out. So that's something that we're working on, and a bunch, I know some companies are looking at that, but if you're super interested in large language models, GitHub is a great place to scrape and to feed that data. Um, Exploit-DB is lower quality, older CVEs; it's still data, still there, if you're just looking for older CVEs that's kind of the place to go. Twitter was great. Um, it had cvetrends.org, which I loved, that was an amazing project, chatter and real-time vulnerability intel, until, everybody knows what happened there, right? That's no longer there and we're no longer able to use that data, so, um, we're looking for more real-time

intelligence too. So let's talk about consolidating vulnerability intelligence. The goal of consolidating vulnerability intelligence and CVE data is pretty simple. If you look at the big circle, that's all the published CVEs; that's what every security team thinks that they need to patch every day. The true thing you need to patch is that seven percent circle that sits in the middle. If you want to have perfect accuracy and not waste cycles on your security team, you need to be patching the stuff that's actually exploitable, and after you get all the stuff that's actually exploitable, then you can move out to the probable, right? But we want people working on the stuff that's actually exploitable first and then move

to the probable. So Monday I flew out here, and I have ADHD, if it's not completely obvious, so the rest of this talk was supposed to be about how to consolidate this data and build a patch list for you guys to run and to use on your network. Um, I couldn't do that, so I actually just built it for everybody. Um, so I launched patchthis.app. This is actually the first time I'm talking about it publicly. It's a combined list of CISA, Metasploit and FIRST.org that runs on a GitHub Action and it's updated every hour, and it pushes to a CSV for companies of any size to grab that data and to check it against what's in their vulnerability

management tools, to make sure that they're patching everything that we know is vulnerable or is super likely to become vulnerable in the next 30 days. Um, if you look at the website it completely looks like I built it on a plane in VS Code, because I built it on a plane in VS Code, so it has nothing. I am going to get somebody who actually knows how to build a web page to build it, but it's out there. I would really, really like if you would share that, if you would push it out on your networks. We're trying to get more people to add to it. Right now I've just added data that I

know is super high quality. We're going to go back and start tweaking a little bit and adding some more data, because at the end of the day I want everybody to be secure, and not everybody has threat intelligence money, but everybody should be able to have vulnerability intelligence feeds that are curated and put together this way so that they can go and help protect their school districts, their libraries, even their for-profit organizations. Um, with that I will take some questions and then we can go eat lunch. So thank you very much for taking time today. [Applause]

Thank you for the presentation, appreciate it. And so I was wondering about the KEV catalog, and do you put any priority on that, the non-exploited, um, vulnerabilities catalog from CISA? Do you look at it, let's say, first, or like, like you were saying, a little percentage to where it's exploited, known exploited vulnerabilities, do you use that catalog? Yeah, yeah, CISA KEV is part of the new combined list on patchthis.app. I like CISA KEV. I will say that if you want to get in the weeds, uh, the CISA KEV does have a few local exploits where you have to be at the keyboard, or you have to be, or

even at chip level, to make the exploit work. Um, while if you're the federal government you might worry about somebody breaking into your network and soldering a JTAG onto your Snapdragon processors, the local bank, you know, the local high school, probably doesn't have to worry about a threat actor going that far. But it's a good start, right? And if you can patch it, you can patch it. So, thank you. And also, with the feed, thank you, because I just found out for our PCI we've had to pass a part that we were getting a feed somehow. No problem.

Hello, hello. Do you have plans to include Canvas or Core Impact exploits? Uh, yeah, we can look at those. Um, I just want to make sure that everything we add to the list is actually exploitable, so I'm going to go through and check it. Like I said, I just built this literally on a plane over the last couple of days, so I just added the stuff I know was highly, was highly, I think so, Core Impact is good. And I have to check the license too, and that's the other thing: like, some of the open source tools, they have licenses, but the licenses for their feed aren't very clear. So I do have some

emails out saying, hey, is it okay if I add the CVEs that are in your library here? Because I don't want to get in trouble; I don't have lawyers-fighting-corporations money. Yeah, absolutely, because Canvas or Core Impact has probably about, exploits. Yeah, yeah, just want to make sure that everything that I share is truly public. Any more questions?

Uh, I guess a question on, if you use GitLab's, like, SAST tool, that static application system, yeah, and do you think that's reliable, like a good starting point? I don't know if it grabs from CISA or anything else. Yeah, I'm not sure, I haven't messed with GitLab's. I know GitHub does the same thing. Like, everybody is trying to get into this vulnerability intelligence layer and just say, hey, here's what you need to patch, here's what's in your repo. That's an amazingly good start. Um, the problem is that we know that if you can only patch 10 percent of the stuff on your network, you need to know which ten percent of the stuff actually needs to

be acted upon. It doesn't do good, it locks people up, really. If I go to a dev and say, hey, you have 45 libraries in your application that are out of date and have vulnerabilities and they need to be updated, they're going to look at me like a deer in a headlight and say, we can never do 45, so we're going to do zero instead. What I would prefer to do is to say, hey dev team, there are two high priority libraries in the application, we need you to get these in the next two sprints, right? And then give them another two, and another two, instead of just

giving them the list. And that's what a vulnerability intelligence list is supposed to be able to do for you, is say, hey, if you're only going to work on one to five things, here are the things that you have to work on today that's going to remove the most risk from your environment.

Um, so I guess my key takeaway from your talk is that, um, you know, the proof of exploit is the most important thing to consider, and not proof of concept. Yeah, because proof of concept is, I don't know, I have a 14-year-old son who takes Taekwondo and he comes home, you know, twice a year and says, hey, hold your hand just like that and let me show you something really cool. Yeah, and if I hold my hand just like that he can flip me or make my shoulder hurt or whatever. I'm like, okay, what are you gonna do when you get in a fight? You're gonna say, okay, I need you to hold your hand like that? Right, like

it just doesn't work. So yeah, proof of concept is cool when you can say, hey, if I have root on this Linux machine I can run this script and crash it. Well, okay, you already have root, so it works, but it's not an exploit. I want to see proof of exploit, where somebody can go from nothing, or a low privileged user, and make it work, because that's the biggest step and that's what gets people. Because if you look, it's not stuff with just PoCs out there that are being exploited; it's stuff that gets the PoE. And I guess the follow-up question is also about, like, vulnerability scoring: would you still prioritize proof of

exploit over, like, CVSS and stuff like that? Yeah, for sure. You have to realize that CVSS is a static score; it's run through a calculator and it stays the same its whole life, so it never goes back and gets rescored. So yeah, um, CVSS 4 has an exploitability base in it, but because of the way CVSS works, all CVEs are going to be scored as if an exploit exists. The only thing you can do with that exploit flag is lower the score of a CVSS, which makes it a little less useful. Awesome, thank you. Thank you. Just want to thank you for your contribution on that; that's, it's really awesome. Oh, no, no problem, and I'm

looking for people to help, so if you can put a GitHub issue, or if you use it, just let me know, trying to build it out as best I can. So thank you guys very, very much. Um, I wanted to bring up the scoring system that CISA put up for the, um, Stakeholder-Specific Vulnerability Categorization, and I haven't dived completely into it. I think it has something to do with the criticality you have, assets, or the workflow or whatnot. Have you considered that? Yeah, um, this is per, this is all personal, I'm here on my personal time, so it doesn't, any scoring method that makes an organization or users sit down and fill

out criticality or asset performance to get a score is going to fail in 99 percent of organizations. I've been in security long enough to know that people have a hard time having a complete inventory of stuff on their network, let alone telling you what the criticality of a machine is versus another machine on their network, right? I agree, I guess. [Music] Same as others, thank you so much for looking into this, um, and for your contribution. The question is, for exploitability, what is the recommended way of looking at it? Because, as you mentioned, you know, you can determine that an unprivileged app can get root, right? But other than that, like, what metrics would you look at in the

PoC to know if it's exploitable or not? So after exploitability I look for network connectivity, right? Like, if it's network-based exploitable, that's super high, because 99 percent of all exploits happen on network-based. So mostly you can go and get rid of everything that's hardware based or local based most of the time, because that's not the vector that most people are dealing with on a daily basis. But yeah, we look for proof of exploitability, which means that you have mature enough code that you can basically run it from no access to access.

All right, thank you guys very much.
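The consolidation step described in this talk, as an added example that is not the speaker's patchthis.app code: constructed stand-ins for the three feeds (CISA KEV, Metasploit module references, FIRST.org EPSS) are merged into one ordered list by the rules given above, proof-of-exploit first, EPSS-probable second, local-only exploits last, and written out as CSV. The Metasploit and attack-vector record shapes, the EPSS threshold and every CVE ID below are assumptions.

```python
"""Consolidating open vulnerability-intelligence feeds into one ordered patch list.

Constructed sample records stand in for the three sources named in the talk:
the CISA KEV catalog, Metasploit module CVE references, and FIRST.org EPSS
scores. The KEV and EPSS field names mirror the public feeds; the Metasploit
and attack-vector records below are simplified placeholders, not real formats.
"""
import csv
import io

# Constructed sample in the shape of the KEV catalog's "vulnerabilities" array.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
     "dateAdded": "2023-04-14", "dueDate": "2023-05-05"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleCo", "product": "BasebandFW",
     "dateAdded": "2023-03-01", "dueDate": "2023-03-22"},
]}

# Constructed placeholder: Metasploit module path -> CVEs it references.
MSF_SAMPLE = {
    "exploit/linux/http/examplegateway_rce": ["CVE-0000-0002"],
    "exploit/multi/http/examplecms_upload": ["CVE-0000-0006"],
    "exploit/linux/local/examplefw_privesc": ["CVE-0000-0004"],
}

# Constructed EPSS rows in the CSV layout FIRST publishes (cve,epss,percentile).
EPSS_SAMPLE = """cve,epss,percentile
CVE-0000-0001,0.95000,0.99900
CVE-0000-0002,0.30000,0.96000
CVE-0000-0003,0.42000,0.97500
CVE-0000-0004,0.05000,0.80000
CVE-0000-0005,0.00300,0.40000
"""

# Constructed CVSS attack vectors (N = network, L = local), as NVD would report.
ATTACK_VECTOR = {
    "CVE-0000-0001": "N", "CVE-0000-0002": "N", "CVE-0000-0003": "N",
    "CVE-0000-0004": "L", "CVE-0000-0005": "N", "CVE-0000-0006": "N",
}

TIER_EXPLOITED = 1     # proof of exploit exists (KEV or Metasploit) and it is network based
TIER_PROBABLE = 2      # no public exploit yet, but EPSS says likely within 30 days
TIER_LOCAL = 3         # exploited, but needs keyboard/chip-level access: lower urgency
EPSS_THRESHOLD = 0.10  # assumed cut-off for "probable"; tune per organisation

FIELDS = ["cve", "tier", "epss", "sources", "kev_due", "msf_modules"]


def parse_epss(text):
    """Map CVE -> EPSS probability from a FIRST-style CSV."""
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO(text))}


def build_patch_list(kev, msf, epss_csv, vectors, threshold=EPSS_THRESHOLD):
    """Merge the feeds and return rows ordered by urgency (most urgent first)."""
    due_dates = {v["cveID"]: v.get("dueDate", "") for v in kev["vulnerabilities"]}
    modules = {}
    for module, cves in msf.items():
        for cve in cves:
            modules.setdefault(cve, []).append(module)
    scores = parse_epss(epss_csv)

    rows = []
    for cve in set(due_dates) | set(modules) | set(scores):
        score = scores.get(cve, 0.0)            # no EPSS row yet: score 0, still listed if exploited
        exploited = cve in due_dates or cve in modules
        network = vectors.get(cve, "N") == "N"  # unknown vector: assume network (conservative)
        if exploited and network:
            tier = TIER_EXPLOITED
        elif exploited:
            tier = TIER_LOCAL
        elif network and score >= threshold:
            tier = TIER_PROBABLE
        else:
            continue                            # "academic" or low-probability: not on this list
        sources = [name for name, hit in (("kev", cve in due_dates),
                                          ("metasploit", cve in modules)) if hit]
        rows.append({"cve": cve, "tier": tier, "epss": score, "sources": "|".join(sources),
                     "kev_due": due_dates.get(cve, ""),
                     "msf_modules": "|".join(modules.get(cve, []))})
    # Exploited first, then probable, then local-only; within a tier, highest EPSS first.
    rows.sort(key=lambda r: (r["tier"], -r["epss"], r["cve"]))
    return rows


def to_csv(rows):
    """Serialise the list the way an hourly job could publish it for scanners to ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def top_n(rows, n=5):
    """The 'one to five things to work on today' from the talk."""
    return [r["cve"] for r in rows[:n]]


if __name__ == "__main__":
    print(to_csv(build_patch_list(KEV_SAMPLE, MSF_SAMPLE, EPSS_SAMPLE, ATTACK_VECTOR)))
```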

No, thank you. Hi everybody, welcome. I'm sorry, that was too loud. I hope you had a good, uh, lunch break. Uh, we'll get started with our next talk, uh, it is Helping Your Organization Build Their Security Brand, uh, so please welcome our speakers Leif Dreizler and Coleen Coolidge. [Applause] Hey everyone, uh, this is "your ad here", helping your organization build their security brand. I'm Leif, I've spent the last decade working in security, and BSides Las Vegas was actually the first conference that I attended, in 2013, uh, so it's cool to be back as a speaker. I'm currently an engineering manager at Semgrep; we're an AppSec vendor focused on static analysis and software composition analysis, and we have a booth

here at BSides on the opposite end of the hall, so check that out if you want some swag. I'm also the co-host of the hit podcast 404 Security Not Found; we get about a hundred listeners a month, um, and we do news and discussion episodes, sometimes we have special guests, but it's pretty fun. I've also been a CFP reviewer for AppSec California and LocoMocoSec, which is probably some of the more relevant experience for this talk. And before Semgrep I joined Segment in 2017 as an AppSec engineer and later went on to lead a team focused on building security features as well as internal security tools, which is where I met Coleen.

And a little bit about me: I currently advise startups on security strategy and try to help the first security hire promote their agenda and, like, push back on the pushback that they get. I've been practicing security for about two decades now, working in most of the security domains. I've also been a CISO at both private companies that are small and larger public companies, and if I'm honest I really, really love pre-IPO way more; it's just a better experience for me. But anywhere I lead security I highly encourage folks to do blogs, podcasts, talks whenever possible, and I lead by example by doing my share of the conference talks, keynotes and podcasts, and I've been inspired to do

even more because of people like Leif, so thank you. We've broken up this talk for you into four sections. First, Leif is going to start with the benefits of all teams being more engaged with the security community. Next I'll cover how to foster a culture of rewards to keep the benefits flowing. Then Leif will show you how to optimize the benefits by amplifying all this good work by your team. And last, we'll both cover the different ways that you can show up in the community, so blogs, podcasts and talks, and how to prep for them. And a quick PSA: we've included a link to the slides here, so I'll give you a second to take a photo, that way you

don't have to take notes, you can just absorb. And as we're going through this and you're absorbing, if you've been putting off your next community piece of engagement, consider this your friendly nudge from some friends. Make notes during our presentation, you know, whether you have an idea for a blog or you think you could get on a podcast or do a talk; what could you start working on today? And that's exactly how anyone gets started on this step. I'll wind down this little intro with a disclaimer: while some of the most successful infosec folks that we've ever worked with, or we know, do periodically share their work, they make time for it, we know a few people who have had

absolutely stellar, record-shattering careers, but they never do this. Maybe they've never written an article, maybe they've never set foot on stage. They could be highly effective managers or ICs who just maybe haven't had any time, or maybe they work for an organization that actively discourages or penalizes sharing information. Maybe they work for the government, or they could work for Apple, not the government, but if you've had friends or family who worked at Apple you know, you can see that they are definitely not encouraged to share the inside workings of the company's security with the rest of the world, for obvious reasons. And that's okay; it's not for everyone. I'm gonna start us off today by talking

about the benefits of having your teams more engaged with the security community. Having a public persona really, really helps with recruiting, which helps you build your security dream team. Working with great people makes your job a lot easier; it also makes it a lot more enjoyable. I see a lot of people that we have worked with in the crowd, which is great, but it also takes a lot of effort, because usually these are people that other people also want to work with, and so you're competing for the best people. Uh, I think there's a lot of overlap between recruiting and sales, and you can think of your blogs and presentations as your marketing department, because it

makes better candidates come inbound, and it also helps recruiters reach out to people and have them actually respond to their cold emails. It's a lot easier if they've, like, actually heard that your team is good and working on cool stuff than just, you know, the million other emails they're getting. And I think that having blogs and conference presentations go live around the same time that you're trying to post roles is also helpful, because the timing just helps drive traffic to your jobs page and just makes people more aware. I think a lot of recruiting is also timing, so having someone be aware of your company and having a recruiter reach out is a pretty good combo. And

with that in mind, we have a lot of open roles at Semgrep, but I wanted to highlight just one, which is a security engineering manager for the vulnerability research team. It's my personal mission to find a great candidate for the hiring manager this week. I am convinced that they exist in Vegas, and you should definitely work for Semgrep, there's a lot of cool people there. So FYI. The infosec community is super small, and orgs that publish their work come up more frequently in conversations when people are thinking about where to work next. I'm sure the Netflix team gets a lot more inbound interest than the NBC Peacock team whenever they open up a

role. And you might be thinking, well, Netflix probably pays twice as much, and that's probably true. But we didn't pay anywhere near what Netflix paid at Segment, and we were able to build a pretty awesome team that people from Netflix admired, and I attribute a lot of that to our involvement in the community. Community involvement shows that your team is working on cool stuff, is given time to write and blog about it as well as travel to speak at conferences, and that they have at least a decent learning and development budget to be able to go and do these things. And these are things that a lot of security people, probably a lot of you in

this room, want from their employer, and so showing that you have that is a good way to attract people to join you. So here's another benefit: it transforms all of us from being, like, maybe painfully awkward (that's how I was) and unwilling communicators to being effective and powerful communicators at our own jobs. All companies say security is very important to us, but you on the inside know things like: how often do folks at your company actually fall in line? Instead, do they actually omit security work from their quarterly planning? Do they ignore your tickets? Do they get exceptions and otherwise get out of doing the security work? While this is likely due to multiple

reasons, what you can control is the effectiveness of your messaging. Security folks tend to be correct, right? We research things, we make sure that it's, like, all ready to go, this piece of information. But we can also come across as disgruntled sometimes, or we might bury the lede, or we avoid giving frequent, loud and clear messaging to eng teams or execs, and all of those groups definitely need to be frequently nudged. And that hampers us from communicating danger and the need for quick action when something needs to get done. So in this section I'll talk about how to shift your culture a bit so that teams improve their communication, which will lead to getting more done and team

members getting rewarded. So some of you might be thinking, sure, I can do this, it's not a problem, but what is my manager doing to start recognizing and rewarding this behavior? This is extra work. Or maybe you're that manager who isn't supporting this effort on your team to change. Shame. As a CSO, I've always emphasized that sharing work internally and externally is a key growth indicator in our job ladders and in our org, because it's core to getting stuff done. It was a hard requirement at Segment, and while it was extra work for all of us, it definitely provided us with dividends. And we also created infrastructure to support it, because you have to. All right, I'll start with leaders.

Leaders, how can you expect your teams to hustle if you're not hustling first, internally and externally? Inside your company, never miss a chance to broadcast your team's good work and successes. When's the last time you wrote a series of security Slacks to your company, or got up and spoke in front of engineering or at all-hands? How often do you do this, or do you just sort of pawn it off on your teams and hope they do it? Unfortunately, you're a leader; it means you've got to go first. You, like, get the baton, go do it, hand it off, and eventually the baton comes back to you and you have to do it again. But that's the

way it goes. And outside the company, if it's been, like, over a year since you've either blogged or spoke, your team needs to see you blogging and/or speaking in order to emulate it. Otherwise they're going to emulate you not doing anything, and that's bad. So then once you're doing that, they're doing that, then you're like, shoot, we need to, like, advertise a little bit. So once you're doing this, do you have a culture to support it and sustain it? You know, like, do you just do it once and then nobody ever gets up and does it again? Are you in the audience cheering on everybody when they're doing it? Are you immediately amplifying people's work in Slack, the company

intranet, or on LinkedIn or whatever social media? Are you encouraging others to cheerlead? It is an effort. I don't know if anyone's ever been a cheerleader before, but I think those folks are underpaid, it's a lot of work. Yeah, and paperwork sucks, and you have a lot of it when you're a leader, yeah, but you can use it to change elements that positively influence your employees' behavior. So if your job ladder is something like this fake job ladder, you know, there are areas where you can state the different types of comms deliverables that you want to see from each level of employee, along with the frequency and the desired impact of that stuff. You can think of this as, like, your

success criteria for the communication and leadership vertical that you have on your team, because then once you start filling this out, you can port over the entire row that your employee belongs to over to a career development plan, a CDP. And in the CDP you can sort of collect a personalized checklist of work for this person based on that success criteria, and you can use the CDP during your one-on-ones. See, paperwork helps. And then you could shade the different areas, like red, yellow or green, depending: is the person trending away from this goal, are they trending toward the goal? Yeah, it's not so good, but what do you do about people who hide from their

responsibilities, and they're like, no, no, the rest of you can go and speak and blog and I'm just gonna go hide under here and do my job? Well, if you're a leader, you have to hold them accountable. That's the crap thing about being a leader. So I recommend keeping this column red until the employee starts delivering; it will hold them back from going to the next level, I'm sorry. Because what you don't want is a situation where you have, like, two people, three people on your team who are carrying the heavy load of the comms and leadership stuff, because it's demoralizing. They're working really hard, and maybe they're progressing at the same rate that the person who's not

doing it is. And once they get demoralized, what can they do? It's your best employee; they can leave you, and you don't want that to happen. So for folks who do deliver, describe this work in detail and its impact on their annual review and promo packets. You'll see that great comms and leadership naturally leads to getting stuff done and high impact on the company. And remember to go and get praise from other people who've been impacted as well. And not everything is promo or money related; your folks also want to earn some gold stars from you. In your conversations with your employees, describe the comms, leadership and impact growth that you are seeing in them, you

know, before they started doing this to where they are today and how they're growing. Regularly, regularly recognize them in Slack, LinkedIn, at your all-hands, all of that, and then teach them how to self-promote; that'll help them with their career growth. And then when talking about your roadmap, link these very effective employees to the overall successes of your program. Maybe because of them you shaved, what, one to two years off of your total roadmap. That is huge, that is a big differentiator for them, and that means that your employee who's doing this work is foundational to your org being able to roll out security capabilities. They're your stars, which means you have to be their hype person.

All right, now to ICs. For ICs, many of us, the struggle is real. Maybe you have an underdeveloped comms and leadership competency. I guess you would if you observe the following symptoms in yourself and your experiences: maybe product and engineering don't include your security activities in their planning, maybe they don't do any of your tickets, maybe they push back, maybe they make fun of your training if you're a person who does training, or they don't do training without you berating them. So all this frustrates security people; we've all been there. So if you're frustrated and you're like, I need to go talk to them, I'm going to give them a piece of my mind, so you go to talk to

them, and maybe because of the lack of communication and leadership experience you have, maybe you end up burying the lede, focusing on jargon or minutiae, giving them a super long-winded explanation that only makes sense to security people, or you give them ten times the amount of information that they actually need, and yet you're still not getting the message clearly across to them. So if this hurts a little bit, you know, maybe this also happens when you talk to senior leadership. I have been there. If this is you, there is hope. You're probably already a very good engineer and just a bit frustrated, and just know that the gap between where you are and where you need to be is not huge. It just

requires some consistent work from you in this area. So one thing you can do is really just jointly work with your managers and build yourself that detailed career development plan. Don't wait for your manager, like, you can help do some of this, and that plan can grow the non-technical aspects of being a great engineer. This plan works alongside all of your existing projects anyway that span multiple quarters, which means you have multiple opportunities to work your Slack and email magic, to get up in front of engineering and speak, and externally to speak at a meetup and/or write in the company blog. So one thing to remember: it's like we're all bought into security because we're

security people, but everyone else doesn't consistently do security stuff because it's the right thing to do. Unfortunately, we all have to be sold. So work on your selling skills: writing good plans that folks buy into, like, and have people read them, comment on them, bring up the hype, verbalize your plans frequently and crisply, and just continue to keep that hype level high. All right, so doing all this work, what does it get you? I'll get to that in a minute, but, like, this is the true benefit, at least from your manager's point of view. They'll look at you and they'll see that, hey, this person's adding power to their messaging this year by regularly speaking and

writing. You know, and maybe you're like, shoot, this has been forcing me to continually refine my message and gain confidence, and confident messaging is what pushes people to do security work. Really confident messaging gets people to do almost anything. So as people are starting to get security work done for you, you document what that work is and why it matters on Slack too, see, so it's another way that you can keep the hype up, like, thank you, you know, platform team, for doing X, Y and Z in there. So this leads to higher job satisfaction, because stuff is finally getting done in your org. For us at Segment, it created a virtuous cycle

within product and engineering, because folks actually listened to when our employees spoke and did the requested work instead of just avoiding it. Over time, product and eng happily did even more security work. It was something that we couldn't believe, but then quickly took advantage of. And then we spent less time on the basics that we hated, things like chasing down old vulns that nobody ever wants to fix, and we actually got to shift left in that organization. So, like, think about embedding with the eng teams to get projects done, getting to set up real preventative measures to avoid tons of new vulnerabilities from being generated in the first place. And a few of us got

to teach eng how to do their own threat models, which is essentially, like, passing our security curse onto our friends in engineering. All right, tracking all of this. So finally you're doing all this great work, but then how do you sort of, like, put it all together into a package? Well, my suggestion for the first couple years that you do this is just keep it really simple, just make it easier on yourself. At Segment in the early days, with a security org that grew from, like, two to three people to 35, I just created a Confluence page that had a simple table, and we just kept adding our blogs and talks to it. It just kept growing,

and after a year the table was huge, it was, like, a scrolling huge table, because the crew there was just self-motivated and didn't need any micromanaging to present. It was sweet; as the CSO I didn't have to work as hard. And this Confluence page was then visible to all of Segment, everyone could see it, and then we'd hype somebody's latest efforts in the eng and security Slack channels with links. We just wouldn't let any of that effort go to die. At Twilio it's a little bit different there, with a security org of about 130 people and a different culture. We started using a small company called Discernible to help overcome the team's inertia on doing this type of

work. So imagine how happy we were to have Discernible do all the heavy lifting for us to get folks moving. All that nudging that you would need to do as a leader or as a peer, like, Discernible will help with that. So basically, using their drop-in workflow, we could help our teammates through that entire engagement pipeline, so from thinking about what to talk about, to, like, getting your CFP together, rehearsing, and then finally giving the speech, and then also metrics. Highly recommend this; it'll take some of the burden off of your shoulders. Okay, imagine now that you've done all this hard work, you've set up the framework for it, everybody's speaking, you're tracking it, and the team's

collateral is, like, now being produced and counted. Ah, what do we do then? There's more. Leif will talk about how you can package up this work as an advertisement for how awesome your team is. So this is some stats from a blog that I posted earlier this year, and as you can see, about two-thirds of the people that went to the blog came from social, and so I recommend posting on social first and then sending the links to the social stuff to your team, so like LinkedIn, Twitter, whatever, instead of having people individually post the underlying article. This will help you get some traction online. If somebody on your team writes something and they ask you to post for

them, tell them no. We worked with somebody named Pablo at Twilio who said he didn't want to make a Twitter and wanted me to post for him, and I just told him no, I'm not doing that, you have to make a Twitter and post yourself and we'll all retweet you. If you have a security twitterati at your company, like Clint, you can try to have them repost your stuff and try to boost things there. But you can also send this to groups on Slack, or, like, send it to people individually. Just make sure you're not spamming them, because one of the goals of this is to

improve your career, and people don't want to be spammed by people, so make sure it's a good fit for whatever the audience is. For me, I try to post stuff around 10, between Tuesday and Thursday, because most of my network is within the United States. There's definitely a bias towards the West Coast, and so I found that that's a pretty good time where people are online and have, you know, gotten settled for the day, but it's not too late for people on the East Coast, so you have plenty of time to get traction. This is from a different blog that I posted earlier in the year on the Segment site, and you can see that after

the initial spike, a lot of the, like, later page views came from getting posted in Daniel Miessler's Unsupervised Learning and Clint's tl;dr sec, both great resources, so check those out if you want to stay up to date on security news. But if your company has something like Google Analytics, try to get access to it just so you can see this information. It's pretty cool to see, like, where traffic is coming from and, like, you know, where it might be getting reposted. If your company has a /security page, try to post some cool articles that talk about your company's security program on there. This is a good way to highlight people's work; it's also a good

way for potential or current customers to learn about your security program in a positive way, versus only hearing about it after a security incident. I really like the design here from Figma, but no surprise that Figma has a well-designed site. And then you can also do some things like add some pinned tweets or featured media on LinkedIn. This makes it easy for somebody who's looking you up, maybe, you know, a recruiter or somebody that wants to work with you, to find your best stuff. They're not going to reach out and ask, hey, what's your best conference presentation? And so having some stuff highlighted is really nice. By now, hopefully you're convinced that you and your team need to be doing this

work, and you've heard some tips for the ways that you can create an environment to encourage this work. And so now let's talk about some practical tips to actually make this stuff happen. In my opinion, everything starts with having a good outline. You can really take an outline anywhere. Once you have an outline, it's a lot easier to start writing your blog. This is like writing down a project plan before you start work for the week or month or quarter. Colleen used to have a sticker on her laptop that said "weeks of programming can save hours of planning", and I think that applies to stuff like this as well. It's a lot easier just to get the

ordering right than try to move stuff around and have to change all of your transitions, and, like, I try to avoid that because it sucks. Once your blog's out, you might get some inbound interest from people that do podcasts, and if not, that's totally fine. You can send it to some people that have podcasts that you think you might be a good fit for. Most podcast hosts are looking for guests; that's something that a lot of people don't realize. Not, like, Patrick Gray from Risky Business, I'm sure he's inundated with people who want to be guests, but your average, like, medium-sized podcaster is looking for good content, and so having somebody come inbound is very nice.

You can also take this outline and turn it into a CFP submission, and then you can turn it into a conference presentation, assuming that you get accepted. Similar to writing a blog with an outline, it's a lot easier to write a conference presentation from an outline, and so having this outline is just really powerful throughout the whole process. Naturally, when you adapt a blog to a conference presentation there's going to be stuff that you add or stuff that you omit, but the general structure is probably going to be the same, and it's a lot easier to turn a blog into slides than turn nothing into slides. Some of my tips for outlining: write

down everything that you think might be useful. Don't worry about the structure; it can be stats or quotes or just random ideas. Some parts of it might be really, like, well written, other parts are pretty exploratory. And I actually try to write things down as I'm working on them, and so sometimes the process of outlining actually takes, like, weeks or months as a project is going. But it's a lot easier to think about this stuff and write it down than to go back and try to remember it. Jerry Kaplan, the author of the book Startup, would make audio recordings every week about what he did and then send them to a transcription service. This was in the, like, late 80s or early

90s, so a little bit different time period, but this served as, like, the source material for his book, which I thought was pretty cool. If your team isn't used to doing this kind of work at all, I think you probably need to do a little bit of foundational work, and the first step is to get people comfortable writing stuff down. If people aren't comfortable writing stuff down, it's a lot harder to get them to do outlines and blogs and all this stuff. And this has a benefit even if nobody writes a blog on your team: getting people in a documentation-first culture is really helpful for getting people to agree on ideas outside of meetings, and have

people be able to voice their opinions and try to get a consensus before you have to even talk about something. And it's also really important, especially with so many people working with people that are in different parts of the country or world, even; writing things down is really helpful. It's also helpful looking back, because you actually have the documents to show, like, why we did something or why we didn't do something. Another thing you can do is get people used to demoing. So we do team demos; no demo is too small. It could be a feature, it could be a spreadsheet, it could be a document, anything can be a team demo. Hopefully your team has a safe

environment where people feel comfortable speaking, and this is a good way to get people used to speaking in front of a larger audience. If what you're working on is relevant to your whole company, maybe you could present it at all-hands, or maybe if your company's really big you have the concept of an internal conference. If you or somebody that you know says that you don't know what to write about, this is a very common problem, but I think one thing that really helps is having a personal hype list of the stuff that you've been working on. We could do a whole separate conversation about career development, but having a list of your

accomplishments has a lot of benefits outside of blogging. It makes it helpful for when you're coming to, like, annual review and promo time. It's also great if you end up, like, switching teams or switching managers and you have somebody who's now unfamiliar with your work; you can give them a list of the stuff you've been working on. But another benefit is that you can use this to come up with what you should be writing or speaking about. If you don't have a hype list, just kind of think back over the last year, go through your Jira tickets or Linear tickets or your GitHub issues or GitHub pull requests or documents that you've created, or even just kind of flip

through your calendar and look at, like, what meetings you had and things like that. I think you can retroactively generate, like, a pretty decent hype list, and then you can use that to come up with stuff that you should be telling the community about. Another thing that I hear commonly is, the stuff I'm working on has already been talked about or blogged about. That does not matter; that is not a valid reason. You have a unique experience working on this project, and you probably are working or thinking about things in a way that nobody else has thought about, and so sharing your unique story might be helpful to somebody else. Also, technology changes pretty quickly, even

if the underlying problems often don't, and so giving an updated view of something that, you know, maybe somebody talked about a year or two ago is very valuable. So don't let this hold you back. The other thing to keep in mind is a lot of companies end up solving the same problems, and so, you know, that means that these things aren't figured out yet, so tell people what you were up to. I think the process of actually writing a blog is pretty author-specific, so I'm not going to tell you, like, how to actually write the blog. But in my experience helping people write blogs, once they have an outline and they're in the right mood, I think the contents

start to flow pretty quickly, and you can even work with them and say, like, hey, let's just do one section, or, like, let's do the next section. For me personally, I find it easier to keep going than to get started, and so I actually write the majority of a blog in one sitting. So I probably get, like, 85 percent done; like, I get pretty much a full draft done. Like, it's definitely not a final draft, but I have, like, most of the ideas done. But that's mostly just because that's the best way for me to work. Some blog tips. These are some things that we got from somebody that used to work at Y

Combinator, which runs Hacker News. They were giving feedback to somebody that had written a blog at Segment, and I think that these are really helpful to keep in mind. The first one is: be really intentional about whether it's a story or a tutorial. Tutorials are great, but the audience is generally limited to people that have the same problem. A story can appeal to people that are curious readers, even if they might never solve that same problem. The risk of a story, though, is if you don't hook somebody early, they're probably going to close the tab because they don't have that problem, whereas with a tutorial they're probably going to keep reading because at the end of the day

they still want to solve that problem. A good way to hook the reader early is to get them to feel the pain that you felt when you didn't have this thing that you built, or this process. What you want to do is you want to get them to put themselves in your shoes. If your blog is just fun and hacky and interesting on its own, you can take a totally different approach. The example that this person gave was building a Turing machine out of Legos. I don't think you need to get somebody to feel the pain of not having a Lego Turing machine; you can just tell them about it because it's cool and interesting on its

own. But not every security topic is like that. Another thing is, do not take readers on a direct, like, hey, we had this problem and here's how we solved it. They actually like a hero's journey, and so talking about unexpected challenges, setbacks, things like that can help you illustrate why you made the decisions that you made. It might be really obvious to the reader, hey, you know, like, you should have done X, and it's like, well, I thought that was obvious too, and then I tried it, it was actually a really bad idea, and here's why it didn't work out and here's why we did things a different way. And so it can just get ahead of some of those types of

like, conversations and questions as well. As we transition from blogging to public speaking, I'm going to hand things back over to Colleen. Thank you. Well, I think on-stage presentations could be pretty scary whether you're experienced or not, and usually all of us need a bit of nudging to get up on stage, so you can think about doing a presentation in easy mode first to get you warmed up. In terms of prep, podcasts are much easier in my opinion than writing a blog or giving a presentation. So if you've already written something, whether it's an article at work or a blog or whatever it is, or you've given a talk, you can then start there and just

massage the talking points that you already have. Easy, easy. But if you don't have that, you can just work with the podcaster and create questions and, like, a desired direction that you want the interview to take, then you just start filling in the answers to those questions. As we've mentioned before, everyone is dying for more content. The more content we all get, the more we want, and podcasters are trying to keep up with that need, so you pairing up with the podcaster, you're actually helping them. And so the benefit for you is it's great practice in, like, a very low-risk environment. If you're worried that you're gonna, like, lose your place, you're like, shoot, what were the answers that I

came up with? Then you can just have your notes up on screen right next to the podcaster's face, and so it looks like you're staring right at them, but you're also staring right at your notes. Hot tip. And podcasting is fun. A lot of us in this room have done it; a lot of folks that you've talked to at BSides probably have done some podcasts. You learn something from the podcast host and they learn something from you, and you'll at least laugh one time. And so with this low barrier to entry, all you need is a topic, a quiet space to talk, and then, like, no unintended weird stuff behind you. You can have intended weird

stuff behind you, that's fine, but no unintended weird stuff. And then how do you decide between, like, a live podcast versus a pre-recorded one? Each one has different benefits. So if you're the person who goes, God, what if I mess up, what if I use too many ums, what if I do something wrong, then you want to opt for the editable pre-recorded podcast. You said you're good, but what if you're this person who goes, I don't want everyone at my company, particularly the legal department, crawling through every single minute of my spoken content, that's horrible and cringy? Then live might be better for you. So in that case you just basically share the proposed bullet

points with your legal department, they do their redlining and stuff like that, and then all you need to do is just stick with the approved bullet points and you're good to go. As mentioned previously, Colleen and I both have experience as CFP reviewers, and we've distilled down some of our best tips. Colleen has been a reviewer for BSides San Francisco, and I've been a reviewer for AppSec California and LocoMocoSec. You should think of a CFP as having two audiences: the reviewers and the attendees of the conference. Reviewers might be looking at hundreds of CFPs, so it's important to make yours stand out, because if reviewers don't like your CFP

or they think another submitter has a stronger submission, your audience will likely never see it. Once you've made it past that stage, you're still competing for attendees' time. How many tracks are there happening at this conference? You need to entice people to come to your event specifically. Make sure that at least one person reviews the content before you submit it. It's good to get some feedback from somebody, you know, other than yourself, but at the end of the day, you're the one who's going to be up on stage, and so while you should consider the feedback, if you don't agree with it, don't do it just because somebody told you, because you're the one that has to deliver it.

Try not to make too many changes after you've been accepted, but if you want to make some tweaks to your abstract, I think that's usually okay. When you're thinking of titles, I think a little bit of clickbait is fine; there's a reason why articles have clickbait titles, it gets people's attention. Just don't go overboard. You want the reviewer and the attendees to actually know what you're going to talk about. If you have a bad first impression with the reviewer, which is your title, it can be hard to come back from that. Here are some common patterns for titles. I think a straightforward and descriptive title is a classic; the reviewer and the attendees probably know

if they want to go to that talk just based on the title. A fun and descriptive title is kind of just a twist on that, where it's like, hey, they're probably talking about CORS; if you care about CORS, you might be interested in that talk. And then you can also do what we did, where the first half is just nonsense, like, that could be anything, but it probably got at least some of you interested, and then you follow up with what you're actually going to talk about. Some things to avoid in titles: if you have seen a lot of talks that have the same pattern of the title, think about how many more a CFP reviewer has seen,

considering they see hundreds of talks. And then avoid anything that's a sexual pun or innuendo. At LocoMocoSec we just auto-reject these, because we assume the author has bad judgment and is probably not an inclusive attendee, and while that's not always the case, we just can't afford to take the risk, and so we just don't accept them as a speaker. If you've never written an "about you" section, take a look at some conference bios from previous years. Don't worry if the people on the schedule seem a lot more experienced than you; everybody gave their first talk at some point, and some conferences like BSides Las Vegas even have special help for new speakers.

Some conferences ask for links to past talks. It's usually not in the "about you" section, but if you have some really good examples of podcasts or meetups or something, try to showcase your best work. For your abstract, you want it to be short enough that people actually read it but not so short that they have no idea what you're talking about. This can be a really difficult balance, but I think that people naturally tend to skim things over a certain size, so you do kind of need to optimize for that. And again, this isn't just for the CFP reviewers like us, it's also for the attendees like yourselves; you're competing for people to come to

your talk, and sometimes you give a talk that's like two-thirds full, sometimes you give a talk that has a line out the door. I've been in both those situations, and that's just showbiz, baby. Here's a good example of an abstract from Global AppSec SF last year: "In this talk we'll discuss scaling security programs through technology and secure-by-default in an evolving engineering ecosystem. We'll share lessons learned from paving roads for security over the years, how to find opportunities, create shared accountability with engineering partners, and ultimately reduce security risks." This was from a keynote by Anna. Just go see a talk if it's by Anna, you can skip the abstract, but

I think this does a really good job of illustrating what the talk is about, and people should have a pretty good idea if it's going to be useful to them just based on the abstract. Some conferences require an outline, other ones don't. As you might have guessed at this point, I'm a big fan of having an outline, and so even if a conference doesn't require one I recommend making one anyway. I think it's going to give you a leg up on people that don't write one, because you're going to write a better abstract, which helps you write a good title. Outlines are typically not shared with attendees, and so this is really just for CFP reviewers; you don't have to

worry about that dual-audience component the way that you do with everything else, but this is really your last impression with the reviewer. You want to show them, hey, I've done enough research on this thing that I'm qualified, but again, you don't want to make it like a whole talk; you want them to just be able to see that you're going to talk about some great stuff. If your outline is really short it can come across as lazy, so make sure that you have some minimum length. Similar to blogging, you want to have somebody peer review your CFP submission. Make sure that you don't hire yes-men for this task; you want someone who's

actually going to give you real feedback here, and again, you don't have to incorporate everything, but just try to think if it makes sense to include. And then Colleen's going to give you some tips on making the jump to delivering your first talk. Okay, how are we doing on time? I think we have five minutes. Oh, all right, speedy. Okay, uh-oh, don't panic, your talk has been accepted. But by now you've been making notes on things that you'd like to include in future material, right? Taking notes? I see a few of you taking notes, which is good. Maybe you've even captured some clever turns of phrase and you're like, oh, that sounds good, I gotta write that

down. All of that is good motion, but here's something to consider throughout this entire section: if you can write and deliver a good meetup or a conference talk, you can write and deliver a good keynote; you can be tapped for all three. To me the difference between the talk types is kind of like the difference between a tall, a grande and a venti, because I am that basic. All three talks start with outlines, have a beginning, a middle and an end, they all zoom in and provide specific examples that illustrate your point, they all tell a story or a tutorial, and they get an important message across. In fact, content between all the different types of

talk formats is very similar. What's more, all of Leaf's previous tips and tricks work for them as well, and if you've been actively using them you're between 50 and 80 percent done. The process now is just to keep iteratively filling in that outline and then manage the crap out of yourself. So your meetup talk is like a tall-size drink, maybe even shorter, like a short or a demi or whatever it is, not that I know. If you've been doing security for at least one year, you already have a topic that you should be talking about. Not only that, but there's a meetup just down the street from you, and

they're desperate for new blood, because what happens is the same folks rotate in quarter after quarter and they want a new person to show up, and that's you. And if your company can host the meetup, even better, because the host gets a speaking spot, which means you can bypass the entire acceptance process, which is very easy mode. I recommend meetups; they all have a lower barrier to entry. You can even do a short lightning talk, five to 15 minutes. It can be an advertisement for a blog or an article, it could be a recap of a project that you just did, and some other topic ideas that we've seen could be like security tools that you built or processes that

you've implemented, an educational talk based on something you had to learn for work and that you wanted to share, like "we had to do a bunch of research on OAuth or JWTs for an internal project and we're here to share our learnings", easy. You can give a predictions-of-the-future talk, or even an inspirational talk like ours that lightly educates but mostly just pushes people into doing something positive. For your meetup or lightning talk, keep it on the shorter side and lean into high-impact visuals, because you just don't have a lot of time. Visuals matter. For the longer and more formal types of talks, all the previous topics are still applicable,

but just like with your meetup, the work is filling in that outline, and you can do that now on paper, audio notes, or start moving your outline over to some slides, and then it becomes really real. And for conference talks you can also consider doing a joint presentation. Are you finding that you're too busy to really just take this on by yourself? Maybe you're too unfocused to finish slides? That's fine, usually, and to cut down on the overall amount of work that you need to do and just make it fun, consider co-presenting. Your co-presenter can help you, give you content, organize it, practice it with you, and give you a break when you're on stage, so

you can reap the benefits of being on a two-person team. If you're doing it by yourself and you're really struggling, the key is just keep going, just keep pushing yourself and filling in that outline, and reward yourself handsomely for every couple of hours of concentrated work that you do; you deserve it. So, your keynote: it's 95% similar to any other talk that you would write, except the main difference is your panic level goes through the roof. Of course you can reuse parts of a previous talk, just ensure that the topic is going to be something like 80% of your mixed audience will be able to appreciate and understand. Folks that attend your keynote, think

about it like they're all from every single type of domain, every single skill level; it could be their first day in security, they could be 20 years in security in any domain. And when filling in the outline, the one extra thing you need to remember for a keynote is you've zoomed all the way in and you've given details, but now you need to zoom all the way out and make the connection between at least one of the main drivers of your speech and one of the main drivers of the conference. Plugging those things in makes the keynote. And while you're sweating through it, it's normal to go back and forth on wording, graphics, ordering, all of it. You're going to

fiddle with your talk until your deadline hits. That is normal; if that happens to you, you're 100% normal. And while you're fiddling with your talk you can go take a break, procrastinate, and then go pick out your version of the Steve Jobs power outfit, something to do. No matter what size speech you're giving, please practice it at least five times out loud and have an audience for at least one of those. Even though you don't want any of your co-workers, family or friends creeping on you, watching you, criticizing you, they will pick up on problems and missed opportunities in your speech. It's super helpful, even though it's cringy; just do it. They'll point out where am I being

super confusing, where am I failing to make a big impact, and if it's a keynote they're like, hey, aren't you supposed to zoom out and do the thing? You're like, ah, I didn't do it well. So 99% of this test feedback is going to be useful to you in some way, so before you get up on stage, somebody helping you out is a gift; take advantage of it. I'd say just skip this, skip this. All right, yeah, this was just a quick one: if you get very nervous, here's a link to how to manage adrenaline. All right, and to wrap up our presentation and to give you some tips to walk away with, remember these points:

all of this is really important to help you build your dream team and support efforts once they're working with you. Accounting for and tracking all the things is important. Always, always build and fill in that outline; it is key to everything you do. Clickbait works, but do not be creepy, and remember to use your network to promote your work. Finally, all talks are basically the same, and you can learn some calming techniques to help you when your nerves kick in. Cool, so thanks for attending our talk. We'll be around for the next hour or so, we'd love to hear about what you want to speak about and how it helps your security team, and if we miss one another,

we're in various security community Slacks as well as on Twitter, and I'll be hanging out at the Semgrep booth, which again is on the other side. But yeah, we have a link to the slides. I also wrote a couple of blogs about this earlier this year that have this down in written form. So, yeah, appreciate everyone coming out and supporting us today, thanks. [Applause]


Hello everybody, can you guys hear me? Can you hear me now? It's really hard. Okay, hello everybody.

Can you guys hear me? Yeah, this works, okay, perfect. Hello everybody, welcome to this talk. The title of this talk is Big SIEM Energy, so without further ado, please welcome our speaker Kenneth K. Over to you. [Applause] Hello, so: Big SIEM Energy at micro-SIEM cost. My name is Kenneth K, I'm with JupiterOne, we're a startup. I'll tell you all about JupiterOne if you want to hear about it after the presentation, but this is not really about JupiterOne itself, it's about something that I discovered while I was working at JupiterOne. I'm one of the security architects at JupiterOne. As a startup we wear many hats, so I do more

than just security architecture stuff, and one of the things that I did as I was going through there is: how can I get the most bang for our buck? Well, one of the things that a startup is really concerned about is exactly that. We don't have a whole lot of funding, we don't have a huge revenue income yet because we're still trying to build out the business, so how can I get all the things that a security team is supposed to be doing without having to pay the kind of money that well-off, well-established companies can afford to? So, SIEMs are expensive. We all know that. Anybody who has dealt with SIEMs or

security in general knows that these things are not cheap. There are two general pricing models: there's a pricing model by volume, meaning gigabytes, terabytes, petabytes, however much data you have, and then there's another pricing model that's based on events. A lot of my talk is going to be focused on AWS because my company is very AWS-centered, so your mileage may vary if you're talking about Azure or GCP, but with respect to AWS, GuardDuty is very event-centered: it counts the number of events that it evaluates and it charges you based on those, per million events. And then there are these build-your-own solutions. They still need to be

hosted somewhere, so you're still paying for the compute, you're still paying for the storage, you're still paying for the networking activity, plus on top of that you have to pay for somebody to go in there and actually build the thing and then maintain it, whether you're talking about building detections or actually building the VMs or the containers or whatever you're going to be using to do it. Somebody's got to do that, and if you just hand it off to a member of the security team, they've got another job on top of that, which is to actually respond to the security incidents, to actually secure things and double-check stuff. So then

you've got a quarter of a person dedicated to maintaining infrastructure that is critical to making sure that you don't miss something and you don't get popped. Not a very good look when you're talking to investors and other companies and saying, hey, we're a startup, we want to go out and IPO and stuff, but we can't prove to you that a SIEM is working well. So Matano, while it's open source, and I love open source, is not a really good fit for us in particular, simply because we don't have the manpower to do it right. So what do we do instead? I looked at the documentation, RTFM, and you'll notice this is a very common

thing with hackers in general, not that I would consider myself among the elite of hackers or anything, but I've got the kind of mindset: take advantage of things, right? So if you read the documentation that is presented to you from AWS about all these different services, you find out what their pricing models are. They want you to know their pricing models, but I'm not sure that they know exactly what their pricing models are themselves; I don't know if there's a lot of crosstalk between the different people responsible for the different services in AWS. So what I found was that CloudTrail has a certain pricing model, EventBridge has a different type of pricing model, SNS has

its own pricing model, and Chatbot, which is a fairly recent addition to the AWS service list, which is, I don't know, 286 and growing services, they all have different pricing models, and Chatbot is free, at least right now. So if you add these things together you can build yourself a micro-SIEM. Now, one thing that has always bothered me about SIEMs, and I've been doing security for almost 20 years now in various contexts, one thing that's always bothered me about a SIEM that you either purchase out of the box and run in your own on-premises installation, or that's a managed service or something like that, is that yes, it comes out of the box with

a whole bunch of detections. Great, you don't have to worry about building your own detections. But on the other hand, it comes out of the box with a whole bunch of detections that may or may not apply to your environment, and that's where we get noise and we get analyst fatigue and we get a whole bunch of overhead that you have to staff up, and this is where the traditional SOC comes from: you have 20 people sitting there paying attention to all these alerts and dismissing 99% of them as false positives, because they're just noise or they're acceptable within your environment, they're normal for your environment. So that is, in my opinion, a

very top-down approach: here's all of these rules, turn them all on and then filter out the noise. Well, you could also build bottom-up. You could take a look at your environment and use a threat modeling approach. OWASP has a free version, Threat Dragon; Microsoft has a threat modeling program that they give away for free if you're in a Microsoft environment. But the whole point is, if you do a threat model, you can identify fairly easily in your environment, your architecture, your processes, your applications, whatever it is, you can find out these are the critical points that need to be protected above all else, these are the

actions that we worry about, these are the things that keep us up at night. And what you can then do is build detections around those most critical key components and implement them first, and maybe later on, if you're a startup and you get more funding and you get more people on board, you can go out and buy one of the big SIEMs that have a thousand and one rules that are going to go off at all times of the day and night, half of them not applying to you in the first place. Or you can start off with just analyzing your environment, detecting where the biggest threats are, and then custom-building a couple of rules that say, hey,

this should never happen in our environment, and if it does, wake somebody up. That way you eliminate all the noise by designing it based on the threats to your environment, as opposed to just taking a blank slate of "here's all of these rules that you should be paying attention to". And not to denigrate any SIEM provider whatsoever, but a lot of them are still looking backwards. The rule sets that they provide are applied, generally speaking, to legacy environments, environments that are architected in a legacy way, for on-premises servers and banks with people maintaining them and installations that have a lot of different aspects associated with, like, the CIA triad.

Well, one of the things that we do, at least at JupiterOne, is we're a cloud-native company and we're following the DIE triad. I don't know if anybody got to see Sounil Yu's keynote this morning. I worked with Sounil Yu years ago when he developed the DIE triad, and then, coincidence of coincidences, he got hired at JupiterOne about a month before I got hired at JupiterOne, which was kind of serendipitous; I've always liked working with him. And the DIE triad that he developed makes so much sense to the cloud-native world: design your applications, design your infrastructure, not just your applications but your infrastructure, to be distributed by

default. Nothing sits on one server, everything sits on multiple servers distributed across multiple regions, therefore it can't be taken down unless you take all of Amazon down, and if you take all of Amazon down we've got bigger problems than worrying about whether or not JupiterOne is available to our customers. It has to be immutable. Now, how do you make something immutable? Well, that's really a challenge, because there isn't really a way to guarantee immutability within AWS, but if you build your CI/CD pipeline for development such that the engineers can't actually log into your AWS console and make changes, then it has to go through the checks, it has to go through the peer reviews and

things like that, and then what you have is essentially the equivalent of immutable infrastructure. And by threat modeling your environment, as I was mentioning earlier, you can say none of these things should change unless they come from our CI/CD pipeline, and if you put that monitoring in, it's very easy to see if an attacker compromises an account somewhere, because they're not going to know that; they're going to go in there and try to change a Lambda in place, and that's going to set off an alarm and you're going to know about it. So: distributed, immutable, and then ephemeral. You can't attack something that doesn't exist, and Lambdas are a

great example of that, containers less so. But a Lambda is not actually out there; you can't take advantage of it unless you have called it, and if your application, like ours, is a web-based application, and we've got a strict cross-origin policy and we've got content security policies and things like that, you can't call our APIs unless it's going through the gateway that authorizes those things and makes sure that you have the correct permission, both the authN and the authZ, to do that. And so none of this infrastructure exists to be attacked 99% of the time; it only exists when it's executing the function. The website itself is a combination of 50 different Lambda calls

or so that only run long enough to return the information back to your browser; your browser caches it and displays it to you and it's working, but there's nothing on the server side in the cloud that's actually working at the time. There's nothing to attack. So by following these principles we can design a cloud-native application that really makes it easier for us to secure whatever we're doing, and it's not necessarily very relevant to legacy detections created by SIEMs that have been working for the past, you know, 20 years, trying to help companies out. Containers a little bit less so, because containers generally live a little bit longer than Lambdas do, but if you have a

policy in place that causes your containers to be recycled and then rebuilt from the static image, that mitigates most of that too. So, putting it all together, and you'll notice the note up there in the corner, this is the documentation gotcha that I noticed. You hit an event, it gets sent to CloudTrail; of course you have to configure CloudTrail in your environment, but all management events, the first copy of all management events that go to CloudTrail, is free. Management events contain a whole lot of different things, especially as regards the configuration of your assets, whether your Lambda is configured to run now or it can run for a long time or something like that; that's all part of

management events. Now, the actual code that you have in your Lambda, that's a data event, so you have to enable data events, which has an individual cost to it, but in this example that I'm going to work through we're talking about management events, because the first copy is free. And then you can send that to EventBridge. Now EventBridge, as the comment here says, charges you for every evaluation, just like GuardDuty does; however, it doesn't charge you for default service events. What is that? A default service is a service that's turned on for you by default. If the service is turned on for you by default, it's a default service in

your AWS account, something like the login service. In order to log into your AWS account, the login service has to be running before you log in, or else you can't log in; it's default, and EventBridge doesn't charge you for evaluating events from default services, whatever is turned on by design, automatically. Anything that you turn on is extra. So for example, CloudTrail is not a default service; it's not always turned on, you have to turn it on, so if there's something that is generated by the CloudTrail service itself that you want to evaluate, then you're going to get charged in EventBridge for it because it's not a default service. But the sign-in service

is. Now, I've got the dashed line here leading to Lambdas because I'm not doing that. I'm actually going to do a demo and show you how to do this live, and if the internet gods are not with me I have a recorded version, just in case. But you could, as an output from EventBridge, feed that over to a Lambda, and let's say you have a very well-known set of remediation steps for something that goes wrong on a not-uncommon basis in your environment. You could have the output of that EventBridge rule say, fire off this Lambda to fix the problem. Because we regularly have sales people that get themselves locked out of their

email accounts for sending too many emails, and that's something that we need to just handle automatically. I don't want my security people having to deal with that; it's not a security event, it comes in over the wire, but I don't want my people dealing with that, and it's a known, easy set of remediation steps that I can programmatically access via APIs, so I might implement that as a Lambda. In this case, I forgot to mention earlier, the use case that I'm walking through on this is a root user login, and I specify user because sometimes users and accounts get kind of confusing depending upon which cloud-native platform you're working on. In AWS,

an account is basically a container that holds all of your functions and users and stuff like that. The root user is created when you create a new AWS account; it has root access to everything in there, and best practices state that after you've created your root user, you go through and you create an admin user or an admin role that people can assume in that environment, and that's how you actually manipulate the environment or the account. You should never log in with your root user unless you're doing stuff that requires root user access, so it should be very, very rare, few and far between. And so what we're going to be setting up here is a detection that says:

if the root user logs in, let me know. Now, what I can do with that is go and check with the engineering team: hey, did you guys log in with this? Is that on purpose? Where's the documentation? Do you have a ticket for it? Do you have authorization, etc.? And if everybody comes back and says, no, I don't know what you're talking about, I can hit the big red button and we can do something about it. It's not something that I can necessarily put a Lambda in to take care of, because there are some questionable parts in there that require a little bit of human interaction, but for the most

part it's a fairly simple thing and I can handle that. So the output of the EventBridge rule can go to a Lambda, or it can go to an SNS topic, or it can go to an SQS queue, depending on how you want to manage things, and I'm having it go to an SNS topic in this case, and then the SNS topic sends to Chatbot. Chatbot is listening for, basically, it's not sending, because SNS is a message queue technology, but Chatbot is listening to that topic, and if a message comes up on that topic then Chatbot is going to send it to my Slack. Right now AWS Chatbot has two outputs: it

has Amazon Chime and it has Slack. They say in their documentation that they're going to introduce other avenues, but who knows. For this example I'm using Slack because that's what we're using. So this is some example code I ran in Terraform. In my environment we use a CI/CD pipeline, we use infrastructure as code, and this is all example code, you're not going to see JupiterOne code in here, but this is an example of the rule in EventBridge that's looking for the root user login, and you'll notice that the condition is Success, a successful login by the root user. I don't really care too much about failure, but I could put that in there if I just wanted to

keep track of it for whatever reason. Again, because the source on here says aws.signin, that is a default AWS service and therefore we don't get charged for EventBridge rules constructed around that. So I'm not paying for GuardDuty to evaluate this and I'm not paying for EventBridge to evaluate this, but it's still getting evaluated. Now, I do have to pay for the SNS topic, because that part is not free, but since this is a management event I'm not paying for CloudTrail, since this is a default service event I'm not paying for EventBridge, I am paying for SNS topics, and Chatbot is currently free. So three out of the

four steps in this I'm not paying anything for. And then we've got some more Terraform configuration. Infrastructure as code is really a great way to do something like this, especially if you're trying to follow the DIE triad, where things, once they're in production, are immutable, because you can't change this stuff without going through the CI/CD pipeline; people have to peer review it, they have to approve it, etc., etc. And then you need to set up the SNS topic as well, and then you need to enable Chatbot. There's one gotcha about Chatbot: you can't do it through code entirely, because you have to go log in with a user that has permission to

enable that service for the account, and that user, the person that has that role or that user account, also has to have enough permissions in your Slack workspace to connect AWS to your Slack workspace. So you have to have somebody, or two people, standing by to coordinate efforts to get that done, but once it's turned on then you can go back to Terraform and configure everything in code again; you don't have to worry about it too much. Now you'll notice down here at the bottom it says guardrail policies, and I chose the guardrail policy AWSDenyAll. The Chatbot service is designed to be interactive; the AWS concept is that you

can put a chatbot into your Slack and then interact with AWS and change things by giving commands to the chatbot. But the thing is that the chatbot is scoped to the channel that it's in, so anybody in the Slack channel where the AWS Slackbot is sitting can issue any command that that chatbot is authorized to take, and it will do it on their behalf, and the logs will show just that the chatbot did it. So I don't know if Alice did it, I don't know if Bob did it, I don't know if Hacker X did it; somebody in that channel did it. And sure, maybe I have Slack logs and I can go back through and

investigate and find out who did what, but that's just a really poor practice that I'm not going to do. I just want to be notified that something happens; I don't want to manage it from Slack. I have no problem logging into the console and doing what needs to be done and then making the changes in code, getting it approved, etc. So I put in the AWSDenyAll. Now, anybody who has heard about the Capital One breach a couple of years ago knows that it was a misunderstanding about how the S3 buckets are configured with respect to permissions that allowed that to happen in the first place, so when we talk about that, the AWSDenyAll isn't

enough. You've got to lock that chatbot down, which means more and more: there are at least four different ways that I discovered that you can kind of bypass some of the Chatbot restrictions if you know what you're doing, so I have four different sections restricting what Chatbot can do. This is a read-only chatbot: it tells me something and that's it, it won't respond to any questions, it won't do anything. And then once that happens, once I've got that configured, once I've got it in place, this is the message that I get in Slack that says a console sign-in was detected, this is the user, this is what happened, etc.,

and you can use that link to check it out if you have a role or a user with permission to investigate that sort of thing. You could then ingest this, you could also ingest this into a different SIEM if you wanted to, or some sort of Splunk-like thing for forensic analysis; I mean, you can do whatever you want to do on the other end of that. But this is basically the beginning and end of everything that I'm doing in this one. This is one rule that I know is important to my environment, that I want to be able to monitor, and it costs me pennies compared to doing the same thing in GuardDuty or some

other managed Sim or matano or anything like that now I forgot to mention this at the at the beginning but if anybody has any questions as I'm going along please raise your hand and let me know there's time at the end for questions but I'd rather take them organically as we go along so I'll pause just for a second here does anybody have any questions yeah

So the question was, just in case anybody couldn't hear it, is there a way to allow for persistence with respect to the EventBridge rules? And yes, you can. The EventBridge rule is not smart enough to say wait until this triggers 20 times, but you can have an EventBridge rule that says look for this root user login and then put it on this SNS topic, and then you can have another EventBridge rule that's looking for that SNS topic, and what it's looking for is that SNS topic to fire 20 times in five minutes, something like that. So by chaining the event rules together you can do that, and this really starts to

get into building your own SIEM from the ground up, which may or may not be worth your time and investment. Yeah, you would be charged for the SNS topic from EventBridge rule one to EventBridge rule two, you would be charged for EventBridge rule two's evaluation, and then for EventBridge rule two's SNS topic out to your chatbot. So it's still cheaper than using GuardDuty, but not, you know, 75% cheaper like what I'm doing. Any other questions at this time?

Yeah, this is just an example of one rule, but like I said I was using threat modeling to identify where the weakest points in my infrastructure were, the things that were most critical to detect, and then I could build rules based off of that and only worry about those, which eliminates a whole lot of noise out of my environment and fulfills all of our critical and high vulnerability issues that we determined from our threat modeling. We can provide assurance to our customers that yes, we are indeed taking care of those, and then later on when we have the staffing for it we'll start, you know, handling a lot more of the things that are a lot more

fuzzy, like maybe they're going to be important, maybe they won't. Any other questions at this time? Because if not, then we're going to get into a demo and I'm going to do it for you live. All right, so you should be able to see this; hopefully that's readable in the back. I tested it out earlier, it should be good. But here's the code, just like the code that I was showing you in that screenshot, this is it. Now this is all part of my open source public GitHub repository, so you're not going to see anything in here that is specific to JupiterOne or anything like that, but this is all in my GitHub

repository; there's a link at the end of this so you can get access to it and get this presentation too. But what you can see is I have this right here: CloudTrail. This is infrastructure setup. We've got to set up some infrastructure; it's not necessarily part of the demo itself, but you've got to have CloudTrail or else you have no data to feed into EventBridge. S3 is where you store your CloudTrail data. KMS is so that you can encrypt your CloudTrail data, because honestly nobody should be looking at your logs unless it's your security people; it shouldn't be accessible to just anybody. And then there's the EventBridge rule, just like what I was showing in the

screen capture. Here's the definition of the SNS topic and the attachment of the policy, and here's the chatbot with all of the restrictions that I created for it, saying you can't do this, you can't do this, you can't do this, you can't do this; all you can do is send a text or a message to Slack. And then here what I have is just a bunch of code, and the My Demo script there just allows me to reset this thing and do it over and over again without screwing myself up. It's set right now to run, and because this is Terraform, all I'm going to

do is I'm going to tell it terraform apply. I have a bunch of Terraform files in here that I was just showing you, and Terraform is going to go through and figure out all the different AWS API calls that it needs to make in order to create all of the resources and configure them in the way that I have specified in my code. It's going to do that analysis and then it's going to come back and ask me, are you sure you want to do this? So it's telling me that it's going to add 19 resources, it's not going to change any and it's not going to destroy any. I can also go

back through here, scroll through this and see exactly what changes it's going to make. And all the way at the top you see those green pluses; it has a legend all the way at the top telling you exactly what the symbols mean, because they're not always green pluses, but you can see green plus is create, and then we've got read for data resources, stuff like that. So you can actually examine every single one of these resources that it's going to create before you give it the go-ahead and tell it yes. You can do a plan ahead of time instead of an apply, and that will give you this without asking you to create it. And this

is what it's doing; it's going through right now, it's making API calls to AWS as we're looking at it, creating things. This CloudTrail bucket lifecycle thing takes 32 to 42 seconds to do; I'm not sure why this one takes so long. It's an interesting thing, because it's just a feature of S3 buckets and it takes the longest out of all of the S3 bucket creation steps. It's interesting; we'll hit 30 seconds elapsed and then it will end shortly after that, it might hit 40. Oh, there we are, 32 seconds. And here we are: 19 resources added, zero changed, zero destroyed. Okay, so what I need to do then is I need to bring up my browser

that has the stuff in it. Oh, it's in this one. Forgot. No, why did you log me out? I don't want to. Yes, here we are. I created a Slack workspace just for this demo; it has one channel in it, the b-sides demo channel, and there's nothing in there right now. And here we have the AWS Management Console, so I'm going to sign in first as an IAM user that has permissions to log in and see things; it doesn't matter what I put in here. This is an admin user, but not a root user.

And of course we need multi-factor.

Okay, so I'm logged in now. The thing that we're looking for here is no message in the Slack channel. But while we're doing that: it takes about 15 seconds or so once the event occurs before it gets through the whole system and comes out. It's not the best amount, but I mean for the price that I'm paying, 15 seconds is all right. But I can go in here now and I can take a look at all these different aspects, and I can see, oh look, I do have an SNS topic called root console logins, and if I look at S3 I can see the bucket that was created there, the

b-sides Las Vegas 2023 demo CloudTrail bucket. I can look at EventBridge and I can see the rule that I created down here, root console login, and the details of that rule just as I configured it in Terraform. I'll sign out. We have no messages in this channel, but now I will sign in as the root user.

And there I'm signed in as the root user. I don't need to do anything, I don't need to interact with anything, I'm just going to sign out right away. Like I said, it takes about 15 seconds, but we'll sit over here and, let's see, two, three, four, five, six... there it is. And there it is: we know the user agent that was used to log in, we know that it was successful, we know the exact account and identity that was logged in, we've got a link to the CloudTrail event itself that we could use for further investigation, we've got an event ID. Now if we've got a couple other AWS services

turned on, such as CloudTrail Insights, we can form some queries, we can do some more investigation, but that's beyond the scope of this particular talk and this demo. I just wanted to be able to show you: whether you use Terraform, whether you use CloudFormation, whether you go in there and hand-jam it yourself (although I wouldn't recommend that, people make too many mistakes), however you do it, you don't have to go out and buy the big SIEM right away. If you're doing proper threat modeling and you know what your biggest risks are, you can mitigate those risks with a couple of simple rules at 75% off the list price, essentially, and then you can have

your security team handling it, doing whatever it is that they need to do. And, see... nope, nope, nope. Ah, here we are.

These are all the resources that I used to come up with this: the documentation on the pricing for all those different services. I did some quick rough math using Google searches on average SIEM costs, as well as some analysis I did at JupiterOne itself, because you know we're trying to get the most bang for our buck. And all of this is available on my GitHub repository that you can get from that QR code right there, including the presentation and the templates that I made, that I showed you, the Terraform code; your mileage may vary depending on how well you can read Terraform. So, any questions? I left in like 15 minutes' worth of questions; we've got 13

left. Anybody want to talk about something?

I really appreciate your talk today. Can you tell us about any major limitations of this particular model that we should be aware of, anything that we're going to have difficulties with? Probably the biggest limitation that you're going to find with this sort of model is managing the list of rules if you kind of go hog wild with it. This is really meant for, like, if you've done a very good (I keep coming back to this) threat analysis of your environment and you understand the threats very well, you can target certain things that you need to know about right away and you don't have a huge

budget. Once you start getting above, I'd say, maybe a dozen or two dozen rules, you should probably invest in something a little bit more full-featured and maybe tune that down to where you need it to be instead of tuning this up, because the management and the administrative overhead is going to get you. Yeah, anything else? Yep. I like your vest, by the way. I kind of got two questions. So first, you're saying, like, if the number of events or the number of things that you're looking for would increase and kind of get wild, how easy do you think it would be to be able to tear out the CloudTrail and EventBridge

section and plug in a larger SIEM if your company grew to a size where you started to care about that kind of thing? I don't think it would be that hard, because I'm actually looking at that right now, so I've done some research on that, like how could I tear out this minimalist micro-SIEM and install an actual official, like a big boy SIEM or something like that. It doesn't look like it's going to be that hard, because a lot of the SIEM vendors, if you're talking about cloud-native services or vendors, they want to get fed those events directly, and then what they'll do is they'll read it from your S3 bucket, so

getting those events to them is going to be a fairly simple thing; you're just going to have to deal with whatever their pricing model happens to be. And then you're also going to have to look through all of their detections to find out which one fits the use case that you have, because obviously your name for your rule is not going to be their name for their detection, and the detection name for vendor A is not going to be the detection name for vendor B. So you're going to have to spend a little bit of administrative overhead to do that mapping of what you're currently monitoring that you can't lose to what they have in place, and then you're going

to have to start filtering out all the noise of the stuff that isn't relevant to you, because you designed your architecture using the DIE triad, you're using cloud-native resources and you don't need to worry about all the legacy problems that a lot of other companies are trying to track down. And then one more, if you don't mind. Yeah. Which would be, so on the Lambda side of things, of being able to kind of enact remediation steps if you already have them, how often would you see people plug in even more complex code, like Python or C++ code, that would do advanced remediation techniques? Well, this is just continuing hand-jamming

problems over time. I'm not... I don't know how familiar you are with Lambdas in general, so please take this... I'm not trying to be insulting or anything, but Lambdas can be written in Python and C++; you can write your Lambda in pretty much any language that you want to, so it can be as complex or as simple as you want it to be. You could write APIs that just interface with AWS services, or you could have code that goes out to the larger internet and does things like a Shodan search and ingests the results and then does something with that, and goes out and talks to VirusTotal and

comes back and does something else with that. It can be as simple or as complex as you want it to be. That's one of the things that's great about using this sort of thing: you don't have to worry about buying a SOAR in addition to a SIEM. For anybody who's not familiar with a SOAR, it's basically an automation platform that people generally plug in with a SIEM to do this sort of thing, but you can do it all in Lambda if you want to. And the great thing about the Lambda is that since it's all contained within the AWS ecosystem, you can use your same CI/CD pipeline to verify it, to do the code

scanning on it, to do the peer reviews on it, to make sure that everything is as immutable in production as possible, as opposed to relying on scans from some third-party vendor and making sure that everybody is syncing properly across multiple different vendors trying to do the same sort of thing. But you can make it as complex or as simple as you want, and where the limit is for what is too complex for you is determined by your own organization: how many resources you have, how many F's you have to give about it. Anybody else? Yeah. Have I ever used this in a multi-account scenario, and if so, would you deploy

the same Terraform into each individual account and have them all report back to the same Slack room, separate Slack rooms, or would you aggregate them at the SNS level? My production environment is a multi-AWS-account environment, so I can actually speak to this, and I will tell you that there is a gotcha associated with this in that the AWS sign-in service only operates in us-east-1. So anytime you sign into AWS it's going through us-east-1; they have hot failover to another region in case that whole region goes down, so you shouldn't have to worry about it too much. But what that means is that you have to set up...

Every EventBridge installation or instantiation has a default event bus, and that's where CloudTrail pushes its events to, the default event bus. But when you need to cross regions, what you have to do is set up a non-default bus: you have to customize your own bus and you have to give it permissions, you have to give CloudTrail and S3 and whoever else permissions to push events to that non-default bus, and then your rule in the same region as that bus can fire on it. So it depends on whether or not you want it to be completely distributed or if you want to have some form of consolidation. There are a couple of

gotchas in there with respect to the services and the way AWS implements them, but it's actually not too difficult once you understand that this service is limited to this one region, and then you have to configure the regions to talk to each other. Once you've done that, then it's easy, and basically the code that I deploy to all of my accounts, no matter what region they're in or anything like that, is basically the same; I just tell them all, go to this same event bus in us-east-1, because I configured that event bus to be pushed to from any region, from any service basically, with restrictions, I'm not crazy.

And that way the EventBridge rules that I set up in that region will always fire on the whole of all the data that I need to be monitoring. One thing that I didn't mention earlier is that this sort of thing is great for compliance, just in case you're a GRC-type-minded person. If you want to be able to prove unequivocally to an auditor that you are actually monitoring for root user logins, a lot of people will try and just generate a root user login event that their SIEM will catch and then they can show the event and stuff like that, but here not only can you generate the event, but you can

actually show them the code and say, listen, this is exactly how it works from beginning to end, there's no black box magic with the SIEM, this is exactly it. And anything that your auditor says, well, I'm not so sure that this evidence supports proving this sort of thing, you can do the exact same thing and you can put it in within an hour. Any more questions? Any further questions? We've got another five minutes.

Okay, thank you. Thank you.
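The pipeline the speaker demonstrated (CloudTrail ConsoleLogin event, one EventBridge rule for the root user, an SNS topic, a read-only chatbot post in Slack) together with the chained threshold rule from the Q&A, as an added Python example that is not the speaker's Terraform or anything from his GitHub repository: a minimal matcher implementing EventBridge's exact-match pattern semantics, run over constructed sign-in events, plus a sliding-window counter standing in for the second rule. The event pattern, account ID, timestamps, threshold values and all sample events are constructed for this example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed EventBridge event pattern for the talk's one rule: a CloudTrail
# console sign-in by the account root user that succeeded.
ROOT_CONSOLE_LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
        "responseElements": {"ConsoleLogin": ["Success"]},
    },
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every key in the
    pattern must exist in the event, a list means 'value is one of these',
    and a nested dict is matched field by field."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def notification(event):
    """The fields the read-only chatbot surfaces in Slack: identity, result,
    user agent, source address and the CloudTrail event ID for follow-up."""
    d = event["detail"]
    return {
        "account": event["account"],
        "identity": d["userIdentity"]["arn"],
        "result": d["responseElements"]["ConsoleLogin"],
        "user_agent": d["userAgent"],
        "source_ip": d["sourceIPAddress"],
        "event_id": d["eventID"],
        "time": event["time"],
    }


class ThresholdRule:
    """Stands in for the chained second EventBridge rule from the Q&A: fire
    once `count` matching events land inside a sliding `window`."""

    def __init__(self, count, window):
        self.count = count
        self.window = window
        self.times = deque()

    def observe(self, ts):
        self.times.append(ts)  # the newest entry keeps the deque non-empty
        while ts - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times) >= self.count


def run_pipeline(events, burst=None, pattern=ROOT_CONSOLE_LOGIN_PATTERN):
    """Stage 1 filters events with the rule pattern and builds the chatbot
    message; stage 2 (optional) feeds the matches to the threshold rule.
    Returns (alerts, event IDs at which the threshold rule fired)."""
    alerts, fired = [], []
    for ev in events:
        if not matches(pattern, ev):
            continue
        alerts.append(notification(ev))
        if burst is not None:
            ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            if burst.observe(ts):
                fired.append(ev["detail"]["eventID"])
    return alerts, fired


def _login(identity_type, result, minute, event_id):
    """Constructed CloudTrail ConsoleLogin event in its EventBridge envelope."""
    suffix = "root" if identity_type == "Root" else "user/admin"
    return {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "account": "111122223333",  # constructed account ID
        "region": "us-east-1",  # sign-in events originate here, per the talk
        "time": f"2023-08-09T17:{minute:02d}:00Z",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type,
                             "arn": f"arn:aws:iam::111122223333:{suffix}"},
            "responseElements": {"ConsoleLogin": result},
            "userAgent": "Mozilla/5.0 (constructed)",
            "sourceIPAddress": "203.0.113.10",
            "eventID": event_id,
        },
    }


# Constructed sample: an IAM admin login (ignored, as in the demo), a failed
# root attempt (ignored by this rule), then four successful root logins.
SAMPLE_EVENTS = [
    _login("IAMUser", "Success", 0, "evt-1"),
    _login("Root", "Failure", 1, "evt-2"),
    _login("Root", "Success", 2, "evt-3"),
    _login("Root", "Success", 3, "evt-4"),
    _login("Root", "Success", 4, "evt-5"),
    _login("Root", "Success", 12, "evt-6"),
]


def demo():
    """Run the sample through the rule and a 3-in-5-minutes threshold."""
    return run_pipeline(SAMPLE_EVENTS, ThresholdRule(3, timedelta(minutes=5)))


if __name__ == "__main__":
    alerts, fired = demo()
    for alert in alerts:
        print("slack:", alert)
    print("threshold rule fired at:", fired)
```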

Welcome. So today's talk is about let business users build their own, what could go wrong, and please welcome our speaker Michael Bargury. Over to you. Hi everyone. Don't clap yet, this might be a terrible talk, you don't know. Well, okay, so the gist of the talk is that everything can go wrong, but let me prove it to you. This is going to be a very quick talk, so I'm going to try to skip most of it to focus on the areas that matter. We're also in kind of an intimate setting, so if you have a question just raise your hand or

shout out in the middle. I mean we're already at the end of this thing, so let's make it interactive, right? Okay. I spent the last four or five years focused on this area, low-code/no-code apps, figuring out what could go wrong: hacker's perspective, blue team's perspective. There's a whole bunch of research I put out there; I'd recommend, like, I gave a talk at DEF CON last year which might be interesting if you're into this area, so check it out and reach out to me if you want to collaborate. That's what we're going to try to do today: we're going to start with figuring

out what business users are actually doing, what are they building and why are they building it. After that we'll try and figure out what goes wrong, and I'll give you concrete examples of the things that we see go terribly wrong, and then I'm going to try to finish off with an optimistic message to send you to, like, how can we be better. All right, so low-code/no-code is about empowering business users to do whatever they want, to be able to move around without waiting for us. And I mean I'm sure you've all experienced this sometime: when you ask, when you as a business user in

an enterprise, it's a frustrating experience, right? You need to wait for people to get approval, to give you priority, and then you need to explain to someone what the hell you want them to build. It's very difficult. And so low-code/no-code is the ability of business users to just stop waiting for us, and they're actually doing it: they're just building their own applications, they're not waiting around for IT or for security or for any central team. And this puts us in a rough spot, because we need to make sure that we remain relevant when most of the business applications become things that business users are just building. Now

just to convince you that this thing is actually happening in every organization right now, this video shows just how easy it is to create those applications right now. You can basically talk to a chat and you can explain what type of application you'd like to build, and the chat will create the right table for you on top of a database with permissions, sending it out; like, you can share this later with people. When you finish the conversation with the chat you can drag and drop things to customize it, and that's it, the application now is alive. So think about what happens where every conversation with ChatGPT ends up with an app that's live, that has

credentials, that has access to things. I mean pretty soon you lose control, right? That's what's actually going on right now. And so the last thing I want to talk about on this perspective, on what business users are building, is just to convince you that this is already huge. And so in order to do that I wanted to give us some perspective. So you have a number here, 5 million: according to Microsoft, that's how many .NET developers there are today. Okay, how many low-code/no-code developers do you think there are on the Microsoft ecosystem alone right now? [Laughter] Yeah, so that's the number, so

there are about 8 million today. I actually went through their earnings reports and kind of collected the numbers from all around, so this is pretty huge when you think about the amount of security investment we're putting into what .NET developers are building compared to what we're allocating to what business users are building. I mean, we're clearly not in a good spot. So now we understand what business users are building and why they're building it. The next thing is the fun part where we get to watch these things break, and I'm going to use the OWASP Top 10 framework. This is a Top 10 that's dedicated to low-code/no-code; I'm

one of the leaders of that project. We are more than 200 security professionals around the world that are part of this group right now; we've actually had major contributions from people all around the industry. If you're interested in this space, reach out; this is why I'm doing the talk. So the OWASP Top 10 is based on two things: one is the community that's around it, and two is statistics, anonymous statistics that some companies have shared about the applications that are built with low-code/no-code. So far we've seen something like a

million apps. All right, this is a lot, and the reason why we're seeing so many apps even though this is a relatively new project (I mean, a couple of years) is because there are so many apps with low-code, right? And so we cast a very wide net. So we're not going to go through the Top 10 one by one, because that would be boring and you also have it on the OWASP page, so let me share a few concrete stories. Okay, and I want you to think when I share those stories. I'm going to do two

things: first of all, I'm going to share what the business user tried to do, and then we're going to stop and we're going to put on our code reviewer hat or a red team hat and we're going to try and think what could go wrong with this application. Okay, and this would be best if it's interactive, at least interactive in your head. Okay, all right, so the first thing is onboarding. We know that onboarding an employee into an organization in a world where SaaS is there... I mean, it's difficult, so many processes, lots of them are manual, so in many cases we're seeing people automate these processes.

This specific case is automation of a process for HR, so an HR team needs to collect information about new employees. And so let's see how this application gets built. I'm specifically going to show examples from Microsoft Power Platform, which is built into Office, simply because it's so prolific within the enterprise. And so when I, as the trusted person (and you can see that little icon on the bottom right side; that icon tells you that this is the legitimate user, the trusted user; in a second you'll see the other icon for the hacker that's kind of taking a deeper mindset), okay,

because I'm just going to switch between different accounts, so this will help you stay synced. So I'm going to start by creating an app. First of all, you'll note that I'm in an environment called the default environment; this is where everybody can create applications, this is where you can be productive, all right. And I'm going to start by creating an application that's a simple form, so you can see that I'm asking some information about people that are onboarded into my organization: their name, their address, their social security numbers, things that I need as the HR team, right? Where is this stored? So I'm going to choose something called Microsoft

Dataverse here to store that information for me, and Microsoft Dataverse is a cool thing; it's basically a managed SQL Server, it's a wrapper around SQL Server that's managed for you, and it brings with it a bunch of capabilities like role-based access control, like logs and monitoring; it's actually pretty cool. So this is what I'm going to use here. And now the other thing that I'm going to do is I'm going to create an automation where every time somebody fills this form the entire HR team gets notified, so they'll just know what happened. All right, this was the app, that's it. What could go wrong?

Okay, okay.

so let's see a couple of things first of all here's the icon here's the hacker icon all right we're logging into the application and the first thing we note is that this was created in a default environment and I told you that the default environment means everybody can create apps so everybody can go to the database and they can just search for the table that sits behind this application and then you can just view this the the the the information like in row text it's just Dell this is a real example these are not real Social Security numbers it's a chat chipity generated but um but it's a real example we've seen with organizations and and just think about

the tough conversation with the auditor that that you're gonna have for this thing right um and so this is so one thing which is pretty obvious is that well this application is allowing is storing data where everybody can access it now we've seen this pattern is actually really common with many different variants where the app itself has role-based access control you can always only see what belongs to you but then the underlying database is available to everyone another another way we we typically see this is with SharePoint lists so people would build an app on top of a SharePoint list but and then they share the SharePoint list with everyone and everyone has access to

everything so that's one thing of course we also saw plain text uh pii and such as Security number so that's bad as well but this doesn't stop here so think about again about uh like as a as a user I I plug in all of my information there and then there's this automation remember the automation this thing about these automations is that by default they log everything that goes through the automation I'm talking about the actual data right not the fact that it's ran but all of the data that was updated on this record and so the social security number the pii everything is just total and everyone that has access to this automation has access to this

information as well all right so this is uh and in this case it's in the entire HR team but you get the point these uh this is basically leaking information to these logs where it could be shared with everyone very easily and so there's another Point here which is about again sensitive data that's that's been relating to logs and other data leakage issue all right so this was okay this was the first story I think we have we probably have time for one more so this the second the second thing is um one of the things that we hate about working at a corporate is security controls I they are really annoying so one of the ways in which we operate with

them is that we try to circumvent it so one thing is that like reading email in an Outlook is not fun and reading that in your Gmail is fun so people are have tried for a long time to move their to Cooper element to their personal email right and we have controls for that we have DLP we have solutions that sit on the email server that's great here's the latest Innovation uh in email exfiltration people are using a low code app to do two things so with one hand the local app signs in to Outlook and with the other it turns into Gmail and then it copies the content it doesn't forward any emails so you

won't find it on the email server and you won't find it forwarded anywhere. I mean, good luck with trying to fight this thing, right? And so it's pretty obvious what's happening here: every new email to Outlook, I'm going to copy that email to Gmail. And the problem here is pretty obvious. Unfortunately it doesn't end here, because what about the emails that I had, like, yesterday? What about creating a full sync of all of the emails that I used to have, because I like Google searches, it's so fun. And so we've actually seen

people create this type of application. This is an application to sync the emails that I already have in Outlook to my Gmail account. All right, and here's how it works. It's pretty simple: I log in, I need to plug in an email address where I will send myself those emails through my Gmail account, and how many emails I'd like to sync. All right, here's the automation behind this. So for every new email I'm going to iterate through the email and again copy the content. And one other thing I'm going to do is I'm going to share this application. All right, and this is a pretty nice thing, I can share this application with

everyone. By the way, when I say everyone I mean everyone, right? I mean everyone in the AAD tenant, and that includes guests as well. So if you're interested in what could go wrong when you do that with guests, check out my Black Hat talk tomorrow, you'll find out everything. All right, in order to use this application you need to provide the application with this access: access to your Outlook account, access to your Gmail account. So yeah, we talked about sharing with everyone, which is obviously bad. You don't have to share with everyone in the group, you can just share with people, whoever you'd

like. This includes your personal Gmail account, your personal Outlook account, whatever. Yeah, okay, and check out the talk. Now one thing to note is that when a user logs into the app, this is how it looks, all right. And you can see that I'm logged in with the admin account at Outlook, and I am logged into the account, I'm going to plug in this Gmail address, I want 20 emails, and that's fine. Now remember the logging issue, right? So the hacker, the malicious user that created this application, if they go to the logs they have access to my emails now, and they shared this with the entire org,

right? So people can now use this application, it's a useful application, and it's also useful for the malicious user here. And so again the other problem that we have here is, of course, again, personal data that leaks into logs. Now before I finish off with this example, one thing that is important here is that this screen, this screen right here, this is not the typical screen you would see when an application asks for permissions, right? You expect an OAuth consent form. You don't get an OAuth consent form, because this thing is not OAuth. The way that this thing works is actually there's refresh tokens

that are being copied and reused, right? So this is a token that will give you all of the access to everything that this user can do, all right. And one of the ways in which this can be exploited is to create a phishing application inside of the organization; check out my talk at DEF CON last year. Okay, so fine. So in terms of sync and productivity, these are the things that we've discovered. You can see that again very small applications can create a giant mess. I don't think we have time for the last one. Yeah, we don't, okay, I'm going to skip. But there are plenty more

problems that we're seeing, I mean things like injection attacks. People are trusting: they are passing information between the app and the underlying automation, and then you can just change that very easily. Supply chain issues, so lots more. Let me just skip through here. All right, so basically we have given business users a lot of power and we have no controls to help them make sure that they're secure, and they of course don't have a very high security awareness, and so of course things are going to go terribly wrong, right? This is kind of obvious. And so let me finish by trying to offer

a better solution. And actually I think the optimistic message that I do have is that some organizations have already started to take ownership of this. So some AppSec teams have created low-code/no-code security programs within their AppSec program to bring the business development under their umbrella. This is a huge challenge, and let me tell you why. When you compare professional, traditional apps and low-code/no-code apps, you'll find a few things that are completely different. One is that the people that are building them are very different, and you cannot expect somebody from a child to know how to store credit cards. This doesn't make sense.

The second thing is that there's no SDLC at all. I mean, you go to the app, you save the app, it's deployed, that's it. Forget about security reviews, forget about gates, this is not going to work. Your existing controls don't apply, and that is mainly because of user impersonation: most of these apps operate with the maker's own identity embedded within them, and then you cannot distinguish the different users of that application, so your existing controls won't help you. And the last thing is just the scale. I mean, you'll find at least 100x more applications that are built with this thing, so everything manual is out the window. Don't think

about security reviews or anything like that, it just won't work. And so let me try to push you in a direction that I think would work, and this is based on the organizations that are actually pulling this off or starting to pull this off