
Good afternoon. My name is Joe Shopman, and this is the talk "Realigning from Chaotic Evil."

Just a little bit about me: I'm a senior security analyst for Truist, formerly BB&T. I'm a geek. I was a wizard who was killed by a rat; I'll get back to that a little bit later. I've done a little bit of just about everything at some point or other in IT: application security, pen testing, blue team, red team, purple team, IR, DevOps, operations. I wrote web applications for a university and was also a sysadmin, so that's given me a kind of wide perspective on a number of different things within both IT and security overall.

The obligatory disclaimer: I am NOT speaking on behalf of Truist, BB&T, or any other entity. All opinions expressed are my own. All the images are believed to be public domain, Creative Commons, used with permission, or created by me for this presentation. An additional disclaimer: I am NOT just talking about my employers in this talk, so if you hear me saying bad things about companies, don't look at my LinkedIn and say, "Well, gosh, I'll never work for any of those companies," because these are stories gathered from a lot of my friends and peers within a lot of different groups, a lot of the really big names in security. I'm in Raleigh, North Carolina, and there are quite a few companies here that specialize in security. And one other disclaimer: I'm not actually a D&D guru. I'm going to misuse some terms, so if you're a really devout geek you're probably going to get a little bit upset with me. I threw in this extra slide to let you know that I'm intentionally misusing things here.

So why am I giving this talk? There is a growing force that I wanted to make sure everyone's aware of in 2020, and that's orcs. If you look here at this Gandalf Magic Quadrant, you'll see that there are a number of things: there are the old undead players, Windows XP and COBOL, that are still lurking around; there are advanced persistent dragons coming up; the gelatinous cube is the visionary, but they're not quite fully into operations; but in that upper right-hand corner, definitely orcs.

So seriously, why am I giving this talk? If you're wondering whether you should watch this talk or bail: the things I'm going to talk about try to give some insight on how to align your security processes with the incentives that drive other people, a reminder of how others perceive security groups, and suggestions on how to work better to improve security. I could have done this as a really dry thing. You know, a more proper slide title might have been "Realign the Corporate Security Objectives to Synergize Efficiencies," and I think that's at least 180 drinkable offenses for giving talks at security
conferences. But if you don't like the D&D theme, you can also think of this in part as a social engineering way to security success.

So going back to what I was saying: corporations don't often align incentives with increasing security. There often isn't an attempt to get people on board with being aware of the problems and then trying to help fix them. When I first started in IT, I talked a lot with a good friend, and he was working at a really big company that does routers, and he was very upset because he had a co-worker who would only go after the projects that management was highly incentivizing. So if it was something that he knew he was going to get rewarded for, either financially or with face time with the bigwigs, he would do it, and if it was something that he figured out management didn't care that much about, he basically would put no effort in on it. My friend was very upset about this and thought it was unjust and unfair, and to an extent he's right; taken to an extreme, that's a valid complaint. But at the core of the problem, if management isn't incentivizing the correct things, and as a result people aren't doing the things that keep the business functioning, that's actually a management problem, not necessarily a problem of the individual.

In general, what I've found is people will do what they're incentivized to do. The big incentives in corporations and bigger groups, or work-type groups, are what their bonuses are based on, what their performance reviews are based on, that sort of thing. But there are also other incentives, like what they incentivize themselves to do. So during this talk, keep in mind both the things that they're going to be written up for if they don't do, or get dinged for, or the things they'll get a larger bonus because of, but also the internal incentives. So there are things they get a lot of internal satisfaction from; there are people who will have pet projects that may or may not make sense to put a lot of effort into, but because they really love the technology stack or they've invested a lot of time into it, they may be motivated internally to keep putting a lot of effort into it.

So to go back to the theme of this: if you're completely unaware of what D&D, or AD&D, is, it's a fantasy role-playing game that's basically a form of collaborative storytelling, and it's mediated with the help of dice. So you get together in a group and you tell a story together. There's a person called the dungeon master who's leading the plot, who figures out what's going to happen, and then the different players react to what the dungeon master is describing as things happening. You roll dice, and that
determines whether you're successful or not. It was inspired by Tolkien's Lord of the Rings mythos, so it relies heavily on elves and wizards, that sort of thing. It was also a prop used heavily in the Stranger Things TV series, so it's had a resurgence of popularity because of that.

As I mentioned earlier, I was a wizard killed by a rat. This was my first exposure to D&D. I think I was in third or fourth grade, and it was a party of one; maybe it was just me and the dungeon master. I wanted to play something really cool, so I picked a wizard, and within about an hour of gameplay a rat bit me once and I died. So that was kind of not cool, kind of not fun.

D&D has this core concept of alignment, which is: what is the nature of the character you're playing? What sort of things do they indulge in? What sort of things motivate them to do things? This is a fun comic I found from a gentleman, Tinker Tanner. As a note, if you're easily offended, this is on the not-very-offensive end of his sort of humor, so if you don't enjoy crass humor, do not look up his Instagram. But if you do, he's got a number of things, both D&D and non-D&D themed. Normally in a talk where I'm face-to-face I'd be showing the entire comic with the punchline and waiting to hear laughs, so I'm going to give a moment to read it, and hopefully it at least slightly amuses, and there's a chuckle out there in the audience.

So there are two basic sides of alignment within D&D, and in some ways they align with what you see in corporations. There's the good, altruistic side: there's respect for law and dignity, and it tends to make personal sacrifices to help out. Evil is pretty self-explanatory: it's harming, killing others, lack of compassion, etc., etc. There's also a sort of middle ground called neutral, and as you can imagine, it's neutral. Then each one of those has categories where there can be lawful or chaotic sides within each of them. So there is lawful, where they do the good things, they follow the rules, and this gets a little bit closer to what we see in some of the corporate alignment: when you're a lawful player within the blue team, you may have to rely on tradition; there may be a lack of adaptability. And on the opposite side there's chaos, which is completely unbridled; they don't care about anything, there's no rule following. An example I use here: you can be lawful and evil at the same time. So if you're working for a foreign government's APT, or even our government's APT, and you're going at it, you may be doing things that are illicit, you may be hacking other countries and companies, but you're still abiding by the rules. There's probably some kind of HR guidebook that you have to follow, and if you step outside its rules, you may be fired or more severely disciplined. Then there's the complete chaos: the script kiddies who are just out for the lulz, the people who want to just bust things, have a good time, make a lot of money. That's more the chaotic evil side of things.

Putting together a group for D&D, you want to have similar alignments. In this illustration that I found on Flickr, if you have a bunch of good characters and you have a bunch of evil characters and you try to put them in the same group,
the story that you tell is not going to have good synergy. It's going to be a conflict between the two sets of players back and forth, rather than between what the dungeon master, the game master, is trying to set up and the players working together as a team. You get the necromancers together and the clerics together and they're just going to fight.

Offensive security, application security, red teaming: often you're getting to play that you're evil. It's the fun part; it's the glamorous part of the job. When I say red team in the context of this talk, I'm just using it as offensive security in general. True red teaming is more adversary emulation, but the industry has kind of adopted the term red for offensive and blue for defensive, so I'm using that within the talk. You get a lot of the glamour, you get a lot of the good pay, you get to go to the fun conferences, and this can lead to the blue team, the defensive side, feeling like you're actually there as the adversary rather than just emulating it. You're causing them problems. At the end of the day, if you're making their lives harder, there's not that much difference in how they perceive you between you and an actual illegal person out to get money or disrupt the business.

There are some common red team incentives that I've seen. It can be objective based, so it can be hack the box: get shell, get root, get domain admin. It could be to generate scare reports that can be handed off to auditors or off to management that say we got into the systems and we got credit card information and read the CEO's private emails. Or it can simply be quantitative, like do n number of tests within a given quarter.

Going back to the blue team, and I've got to use blue as a generic term for good: a lot of the time people think of the blue team as just the SOC analysts, but it also has threat intel, and things like forensics and malware analysts. To an extent the developers, the DevOps, the operations teams also function as the blue team, because they're doing things to actually tighten down the security and do the things that can help detect ongoing risk that the SOC is missing. The blue team is a lot more restrained than the red team. So the red team often gets to go out and choose what they want to attack, how they're going to do it, when they're going to do it, that sort of thing. The blue team, and especially the SOC, is often the entry point into the security group. There are often, specifically in the SOC, long shifts. There's not necessarily a lot of training given, and again, I'm not just talking about my companies but
across the industry, this is one of the big complaints. There's a common refrain that management will worry that if we give the blue team training, they're going to go find a better job. And the fact is, if we don't give them training and let them advance, the good SOC analysts are going to leave and get better jobs anyway. There are problems with lack of advancement: there's not necessarily a clear way to go from a junior SOC analyst position moving up into either offensive security or into a more advanced SOC opportunity. There's not necessarily a lot of opportunity to learn and experiment; you may be on a really locked-down workstation; there may be a small number of tools.

I got into a discussion on a SANS mailing group a couple of years ago where people were advocating letting the SOC analysts have any sort of tool that they wanted in their specific instance, on their specific workstation, and have different ways of working. I argued back hard that you do need to lock SOC staff down to your standard set of tools, because especially at the enterprise scale, they need to be interchangeable. If someone is out, you need to be able to have someone else swap in and work, and if you're using different tool sets and different methods, that just doesn't work. And because it's not the glamorous part of the job, there's often not a lot of funding, both for things like tools, for the salaries themselves, and for the fun trips to Vegas, that sort of thing.

So the blue team is differently aligned. They may actually fall under completely different management than the red team. In smaller companies there may be no differentiation between the two teams, or they may both report to the same manager, but at the enterprise scale they may have completely different management chains reporting to the CISO, and that can lead to conflicts, because those management chains can have different opinions on what needs to be done. They can have completely different metrics and incentives. The blue team metrics are often things like the number of tickets closed, and that can be problematic because that creates an incentive: if you don't create that many tickets, you can have a really high percentage closed rate. It could be the reaction time to alerts. And the most important one, probably, for the blue team is not appearing in the newspaper headlines as having been owned. So these two sets of alignments and interests can lead to problems. The blue team can see the red team as a force of chaotic evil; the red team can see the blue team as not being flexible, being too tied down to lawful order, and not being able or willing to adapt to changes. Some other groups
within IT have their own incentives. Developers generally aren't incentivized for security; their bonuses generally depend on things like, is the system stable, or are there new features. At a previous company we had an interesting experience where we had the operations group be the only ones on call, and the programmers had little responsibility for dealing with problems. So they would add new feature after new feature after new feature, and the people who were on night duty would be paged sometimes dozens of times in the night. It was really terrible. So as an example of realigning incentives, what we did was we made the developers also be on the night pager duty, so that they were also getting woken up every time the system crashed, and would you believe that the system stability went up dramatically? And that's not just a win for the people who want to sleep at night on the operations team; it was a win for the customers who needed stable, secure software.

At the same time, the operations group is often incentivized by uptime or speed of deployment rather than security, so there's often conflict in security when you say, you know, we need to get this patch pushed, and it's going to take five, six hours for whatever reason to do that update, and the operations group can't afford that six hours of downtime in their performance review, so they're going to push it back and say, well, can we defer that for a month or a quarter and do two months' worth of patches at the same time?

Management, particularly management outside of security, is often incentivized not to hear from security at all. Especially if you're in a regulated environment, there's a regulatory risk: if you know about a security problem and don't fix it, that can actually be worse for you than not knowing about it at all. So sometimes management just doesn't want to hear from security, or if they hear from it, they're going to push back and say, what's the minimum that we can do?

So, an example of a perverse incentive. These, by the way, are some of the dice from my misspent days in seventh and eighth grade playing way too many role-playing games. That one on the left is a rare 30-sider that I had to trade some pretty dear things to get, and it was the crown jewel of my dice collection as a young teenager. So if you're not familiar with it, in systems operations, "nines" refers to the percentage of uptime. So two nines is 99 percent uptime, which allows a substantial amount of downtime over the course of a year; three nines is 99.9; four nines is 99.99; etc. And one of the mythical goals in operations is five nines, which is something like a few minutes of downtime a month at most. A company I was working for decided that
they needed to have five nines of uptime for the storage array. So they bought some very, very nice, very expensive, very redundant storage, and it was capable of delivering the five nines uptime ability of the system to run. However, because it was so expensive, the operations group didn't have enough space to offer the developers and administrators enough space to work with. So in practice we had about 95 percent uptime, because periodically someone would fill up the entire disk array doing something, and no one would be able to get work done until we figured out who had created the disk denial of service, tracked them down, and got things deleted. However, initially the operations group didn't fix it, because the metric they were judged on was based on the NAS uptime rather than the actual availability. Changing that, so that they both got the funding to have the proper amount of space and it was based on functional uptime rather than just system uptime, was an example of realigning things to make things actually work.

So a lot of this is way beyond our ability to change as security practitioners. If I could wave a magic wand and say that, you know, obviously we need to do things differently at my corporation, there are a few things I might change here and there, but I don't have that power. You probably don't have that power. I'm offering this in hopes that, you know, you can bring this up in your individual performance reviews, you can talk with your peers about it, and that over time we can start to effect change, moving away from incentives that look good on paper or are easy to quantify but don't necessarily increase security. That's not a big win for the organization, and that should be our actual goal.

One way to do this is to learn to tell a good story. Think about what incentivizes people, especially if you're working on the offensive side of things. If you go to someone and say you have to do this change, you have to fix this vulnerability, that's taking away from the things they're probably incentivized to do, like uptime, like adding new features. So tell them a compelling story about why it's an important security consideration. Make sure that you're not just dogmatically following, well, this vulnerability scanner says it's important; look at it in context so you can say, this is how an attacker would realistically exploit things. Make it understandable to them how it's going to affect their ability to do other things, because they may have to drop everything and write an emergency patch if you get exploited, or if a system does get compromised, that system may be off for a week or two in the worst case if they have to pull it down and do a lot of forensics analysis to figure out how the attacker got in. Rather than simply saying, as a security practitioner, you have to do this, make it a compelling story with that collaboration back and forth with them. At the same time, if you're on the defensive side, if someone comes and says you have to fix things, and you have a valid reason why you can't fix it right away, let them know rather than just saying no. If we can increase the dialogue back and forth, we can increase security for everyone.

So a lot of the campaigns in D&D start in the tavern. One thing I've gotten a lot of mileage out of in my career is I'll
have lunches with different groups. This doesn't necessarily work so well with distributed groups, but I know people, especially in the current days, are actually doing casual lunch meetings over Zoom and talking about non-work things. If you meet with other people who do other aspects of security than what you do, you'll start to learn more about the industry; you'll learn about what motivates them, what their problems are. And I'll, you know, reach out to a few people who do things like accounting just so I can better understand what problems they deal with, what they care about, what motivates them. Building a professional rapport by doing this sort of thing also helps when you go and say, okay, I really need you to stop what you're doing because of some important security thing that you may not understand the importance of. If you have that personal experience working back and forth, a casual personal experience working back and forth, talking about friends, family, the sort of things that you care about, casually, that can lead to them taking you more seriously professionally.

You can recruit new members. In D&D, as you find that you want more players in the game, or different players drop out, you may go looking for friends to come and join the campaign, or the group that you're playing with. If, where you work, you reach out to these other people in other aspects of the company, you can get those good working relationships. It gives you more eyes. The SOC alone can't find every problem, because there may be context-specific things with, um, logs; they may not even realize it's a security event. There have been times that we've had people who are developers, or in general operations, say, hey, I noticed an anomalous thing that doesn't seem quite right, and brought in the security groups, and digging in we were able to recognize that it was an incident and it was happening. But if we didn't have those boots on the ground, the people that weren't supposed to be doing SOC analyst work, we wouldn't have ever known about it. It also gives you domain knowledge about risks. I work in big banking, so there are a lot of aspects of things like insurance that I don't necessarily understand; I'm a computer person. If I talk with people that do banking day in and day out, and they can say, hey, this is how I think a bad guy could take money out of the bank, they may have ways that I've never thought about, that I can then conduct a red team experiment on and say, okay, do we actually have a way to detect this? Would this work? Should we start being concerned about that? Building these interpersonal relationships can give you a lot of information that really helps.

Like that D&D concept of multi-class: as I mentioned, I was briefly a wizard; you can be a fighter, which is just the generic people with swords that go around hitting things; as you advance within the game you can become a little bit of both, so you could be a fighter-wizard. And there's a concept that's pretty popular, or increasingly popular, these days called security champions, where you reach out to people within the different groups. They may be developers, they may be operations, and you give them additional training, you give them additional incentivization to focus on security, so they are the eyes and ears within the group, both feeding in information that you need but also helping
spread the word about good security. So in the development group, if you give them the good, expensive training on how to write secure code, they can work during one-on-one mentoring with other people on the team. You can't afford to send everyone to that training, but they can bring that knowledge back and share it with them. So reaching out and creating these security champions within the group can really help.

A fellow I know through SANS, Derek Rook, had an interesting experience where he started doing lockpick training. That's a way to just kind of reach out to different people and do something that was a little bit fun, a little bit security, and obviously unrelated to the day-to-day security of the company he was working for at the time. But he found that the people who got really interested in doing the lockpicking also started developing thoughts about how, especially with physical security, the company could be breached. So he had good information from people like administrative assistants who would come and say, hey, you know, this key badge system has the following flaws that someone could exploit. So he bred those security champions through just kind of throwing out something fun and non-work-related, and that helped create the boost for security within his company.

So a buzzword that I use a lot, perhaps too much, is purple team. Curtis has at one point referred to me as Mr. Purple. It's the idea of bringing both the red team and the blue team together as a single color, and to me this is a big part of the realignment: there is no separate purple team. You know, there might be one person in a large enterprise whose job is to do coordination, but purple teaming is just having the red and blue teams work together effectively. It's getting together, increasing the effect of the other by working hand in hand rather than working in opposition to each other, and by doing so you create a feedback loop where you can more rapidly iterate and find things and fix them, rather than working separately and maybe not having that synergy. And the big focus is that, rather than having the goals I talked about for red and blue teams, it's having goals to increase the security of the organization. I was kind of worried about people saying to me, well, everything you're saying is completely obvious, you know, the teams should be working hand in hand. But in practice, and again I'm not just talking about my employers, I'm talking about gathering information from a lot of people in a lot of different companies and a lot of different industries, in practice the two teams don't necessarily work all that well together, or all that often. And why is this important?
There's a framework that CrowdStrike is pushing, the 1-10-60 framework. The goal is that your company or enterprise or organization should be able to, in one minute, detect that there's been an intrusion; within ten minutes you should be able to launch an investigation; and within sixty minutes you should be able to respond. And why do we need this one-minute detection and rapid ability to respond? In the 2019 report they did, they analyzed a number of different APTs, and in the worst case, with the Russian APTs, they were saying that from the initial intrusion, getting that foothold, they were able to start pivoting around to other systems on the network within 19 minutes. So if you didn't have at least some ability to respond within ten, you might have multiple systems compromised. With the complexity of large modern organizations, you more or less have to assume that attackers are going to get in. The days of imagining that a firewall is perfect, that people aren't going to click on that malicious file, that people aren't going to reuse passwords: you can't count on that. The big important thing is how quickly can you respond after the initial incident, how quickly can you get it locked down, and how can you keep them from pivoting once they start moving around. Interestingly, they suggest that the North Koreans were the second fastest and the Chinese were third fastest. That may or may not be true; I've seen some very fast action from Chinese actors at various points. And CrowdStrike is a service provider that wants to sell you products and services, so take this with a grain of salt, but attackers do start moving around very quickly once they get that first foothold.

A problem that I've seen with large-scale purple team exercises is if you start by just taking a red team exercise and putting the blue team on it and saying, okay, this is now a purple team exercise, it can be really daunting, especially when there's a visibility gap early in the chain. If the attackers get in and they're not detected, and they start pivoting around and they're not detected, and they get domain admin and they're not detected, if you're sitting there as the blue team it's really easy to throw up your hands and say there's too much to do, there are these visibility gaps forever and nothing gets fixed, this whole exercise is pointless. So to me, a key point in trying to fight this is reducing scope, and an excellent way of getting this is the ATT&CK matrix. This is a framework for analyzing how attackers typically move through different organizations. It's created by MITRE. It's an ongoing process that's collaborative between MITRE and a number of different organizations, so it's constantly changing, constantly updating. It gathers the techniques that attackers use and analyzes how they do it in different cases, and the big thing is it's really nice because it's granular and then gives specific examples of how it works. It's more or less a successor to the Cyber Kill Chain that Lockheed Martin created. That was a good start, but it didn't give a lot of visibility into exactly how the attacks would be done within it, and it also had the annoying effect of those trademarks, so technically, if you wanted to follow the letter of the law, that little trademark symbol every time you used it. So it goes left to right and top to bottom, and it examines the ways large or sophisticated attackers typically go through organizations. Not every attacker is going to do every segment; somebody who's just a script kiddie, just grabbing something or having some lulz, may not do all of these, but if you're worried about serious attackers and that kind of thing, typically most of these are done in a successful intrusion. The first three and the last two are the two key choke points, or choke areas, as far as I'm concerned, for making sure that you've got the ability to detect. I mean, you want to have as much visibility capability as you can in the technologies, but those are the two important things: detecting that they've gotten in in the first place, and detecting that they're starting to move on your crown jewels in your organization.

So this is just a small part; if I included the entire matrix you'd have to squint really, really, really hard to read all of these. But you can see that each segment has some examples. So the initial compromise might be made by drive-by download; after that they might use AppleScript to execute additional malware, use accessibility features to establish a persistence mechanism, etc., etc. If this is an interesting view, I definitely recommend going to the website and taking a look and starting to think about what applies to your organization. Many of these examples are specific to Windows, some are specific to Mac, so you can go through and say our group doesn't have to care about this at all because we're a Linux and OS X shop exclusively, or we only use Windows and don't have to worry about the bash profile type attacks. It'll give you some visibility on how to start thinking about what attackers are going to do, and where your checkpoints are, where those little gaps might be, and where your mitigations should be.

So if you haven't gotten all fired up about ATT&CK, there's a conference that they've done twice now; MITRE hosted it, called ATT&CKcon. It was last fall, but they have online archives for both 2019 and 2018, so if you want to start exploring how you can really get a lot of work done with this, I recommend checking that out.

So going back to the purple team concept, what I recommend is granular tests. Have the red and blue teams working together and go
through the ATT&CK matrix and figure out the likely way that an attacker is going to attack, or where a visibility gap might exist, and check out just that single place. Don't spend a lot of time trying to do an entire simulated attack if you know that you're going to fail pretty early on. Do the test and then work together to mitigate that single issue rather than going on and doing an entire campaign. Make sure that you have the ability to detect and mitigate on all your network segments, especially if you're a large enterprise. And as an extra, extra, extra disclaimer: I spend most of my time in large enterprises, large groups, so I'm kind of enterprise-biased. I'm used to working in an organization that has many subs and affiliates. We're actually going through a giant merger right now, so we're taking two giant networks and combining them into one. So you can't necessarily assume that just because you have detection in your core network, or this one part of your network, you can detect everywhere. So definitely make sure that all of your key network segments have the ability to detect things, and if you don't have the ability to do that detection, work together on creating that signature. If you're on the defensive side, don't just hand off to the blue team, "Hey, you've got this problem, go fix it." Work with them to make sure that they can do it, so that they're not spending a lot of time learning the tools that you know but they may not know very well.

And PowerPoint has gone wonky. Please drop in and let me know if we haven't advanced to the slide "Responsive Reactions and Repeatability." I'll continue and assume that it's actually working properly. For the conference: it's around slide 50 of 66; it just shows the https://attack.mitre.org page. Oh, now we're seeing it, which is fine. Okay, perfect. All right, that's actually much better on the slides.

So in thinking about the framework, it's about responsive reactions and repeatability. Do a granular test: can it be detected? Is there a playbook for it? "Playbook," if you're not familiar, is generally a term used by the SOC for exactly what steps you follow when something happens, when there's a trigger and something's detected. Like I was saying earlier, you want your SOC to be highly automated if possible and highly regimented if you have multiple analysts, so that things aren't depending on how one person does it. If there's a playbook, work together to make sure the playbook actually works to contain the attack. If the playbook was written by someone who didn't have enough knowledge of how to stop the attack, you may think that you know how to do it, but it doesn't work. So make sure that it actually does that. If it doesn't work, work together to revise the playbook and repeat the test, to ensure that the controls are solid and repeatable.

So a classic example of people fixing things incorrectly is what I think of as the 1=1 vulnerability. If you're not familiar, SQL injection uses logic errors, so you can do things like add 1=1 to a SQL query and get every piece of information out of the database rather
than the one you're supposed to and oftentimes you hand a developer hey here's a kick case where if you use this following string this webform it hands back the entire database and they write a fix that says ok if one equals one is within the string this thing was delicious and kill it but if you used two equals 2 or one is greater than 0 anything that they didn't have that hard-coded fix for it would still work so as on the offensive side trust but verify assume that they did good work but modify the test enough to make sure that they didn't make a hard core they test the hard coded fix that fixes just that
one specific previously to make sure the things the gap is actually closed so a benefit of giving this purple team approach there's a lot of information sharing that will help both sides have knowledge that can help the other so an example of this is
I've had developers say hey I know that there's a problem with such-and-such library and we've not been able to get enough points on the agile board this by the way was not the current company to get it fixed can you help prove that there's a vulnerability with it so that we can make sure that it actually gets fixed they cared about the security they cared about the stability stability of the system but they couldn't necessarily get it handled so by coming to me I was able to get it taken care of had I not been told that insider information about what library that they were using I wouldn't necessarily know that that particular type of attack would work it
breaks down the silos it makes the testing were accurate and gives better control so if someone who really knows the logs goes through the attack afterwards and says hey this looks like it might have actually worked there's something like buying sequel injection that I might have run and not detected that it works but the logs would show the developers or the operators can come to me and say that it would work and I think this cooperation is important the bad guys have a lot of time on their side if you're a big enterprise if you have a lot of money if you're you have intellectual property that's worth stealing if disrupting you would be worth a lot
of money and they can block but blackmail you they can spend weeks or months maybe even a year to figure out how to get into your system your organization has cooperation on its side take as many opportunities to level the field as you can
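A worked version of the "one equals one" story above, as an added illustration that is not from the talk or its slides: a lookup that concatenates user input into a SQL string, the hard-coded "1=1" blocklist fix the speaker describes, and the parameterized query that actually closes the gap. The `verify` helper is the "trust but verify" step: it re-runs the reported payload plus a few variants (2=2, 1>0, 'a'='a') against a given fix and reports which ones still dump every row. Everything here is constructed: an in-memory SQLite table with three hypothetical users, and function and payload names of my own.

```python
"""Hard-coded "1=1" fix versus a real fix, with a verify loop.

Added example, not code from the talk. Sample data is constructed.
"""
import sqlite3


def make_db():
    """Constructed sample database: three hypothetical users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"),
         (2, "bob", "bob-secret"),
         (3, "carol", "carol-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The original bug: user input is concatenated into the WHERE clause,
    so the attacker controls the query's logic."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_blocklist(conn, username):
    """The "fix" that only matches the exact payload from the bug report.
    Anything other than 1=1 still reaches the concatenated query."""
    if "1=1" in username.replace(" ", ""):
        raise ValueError("blocked: payload matched hard-coded signature")
    return lookup_vulnerable(conn, username)


def lookup_parameterized(conn, username):
    """The real fix: the driver binds the value, so it can never become SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The reported payload plus variants the tester should re-try (hypothetical).
PAYLOADS = [
    "alice' OR 1=1 --",
    "alice' OR 2=2 --",
    "alice' OR 1>0 --",
    "alice' OR 'a'='a' --",
]


def verify(conn, lookup):
    """Trust but verify: return the payloads that still return every row
    through `lookup`. A blocked request (ValueError) counts as not leaking."""
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    leaks = []
    for payload in PAYLOADS:
        try:
            rows = lookup(conn, payload)
        except ValueError:
            continue
        if len(rows) == total:
            leaks.append(payload)
    return leaks


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("blocklist", lookup_blocklist),
                     ("parameterized", lookup_parameterized)]:
        print(f"{name:14s} still leaks with: {verify(db, fn)}")
```

Against `lookup_blocklist` the loop reports three of the four payloads still dumping the table; only the parameterized version reports none. That is the granular re-test the purple team section recommends: one control, a handful of variants, no full campaign, and a result the developer can reproduce themselves.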
One way of doing this, a fun thing that you can do to start breaking down this "blue is only good" aspect, is to set up a cyber range (which I realize, saying "cyber," is probably a drinking offense), but let the blue team step outside of just doing the good stuff. So what I've been pushing is this: set up something outside of your organization so that there's no chance of things going wrong, spin it up in AWS or Azure or what have you, or just a dedicated virtual lab within your company, where they can use Kali, see what the attack tools actually look like, push buttons, execute attacks. I've seen this work really well with developers who may not understand exactly what cross-site scripting is, because, you know, "OK, so you can pop an alert box, so what, what's the big deal, what's the impact of that?" If you let them play around and use BeEF, the Browser Exploitation Framework, and see just how much you can do with just JavaScript, that's really eye-opening to them, and they can start actually being a lot more secure because they've had this hands-on experience in the cyber range, seeing what the tools do and how they work.

It also helps provide that internal career path. Most people want to move up; most people wouldn't want to be sitting in a 12-hour SOC shift for the rest of their lives. Giving them additional tools, something to do the job better, so they can become a higher-level analyst or move into something more offensive and get those glamorous positions. I've seen a lot of value in pairing up people on the defensive and offensive side and doing ride-alongs, where you're sitting side by side, in some cases talking things out, seeing how the tools work. It can help them appreciate and understand the challenges that both sides have. It creates that feedback loop where someone can say, "hey, I just did such-and-such, did you see it in any logs?" and they can immediately go and look, and if there's nothing in the logs, if there's nothing flowing to the SIEM, you know right then and there you've got a problem that needs to be addressed. This helps the red team: you can learn the playbooks so that you can start thinking about how to work around them and make sure that those playbooks actually do what people think they do. The blue team learns the tactics, techniques and procedures that the offensive side is going to use, and that's not just the red team; it's the offensive side with real-world attackers and how to detect them.
I also had a slide for the blue side that PowerPoint didn't save, so my apologies. Ways that you can make things similar for the development and operations side of things: see if you can get management on board with providing vulnerability remediation as a performance metric. Make sure that at the end of the day they're not going to get their bonus, or they're going to get a bad review, if they don't include the vulnerability remediation, and if they do, or if they do things like proactively reach out to you, that they look at a better bonus. Push application testing left. This is a big buzzword within application testing at the moment: if you think of things as left to right, from the early development process to the right-hand side being the actual release candidate running, the earlier in the process you can get things caught, the better. In some cases we're integrating tools into the developers' IDEs as they work, so that as they write a piece of code that's going to have SQL injection, right then and there it pops up and says, "hey, you just did something bad, fix it." That's incredibly cheap compared to having it get into the release cycle and having to go back, and the developer's forgotten how the code works and has to switch context and figure out how to rewrite it to fix the code. Provide logging feedback during development, so if someone on the blue team says, "we need to know what sort of things are happening when our logs fail to detect a breach," if you tell developers, they can make sure that that's actually part of the log format. From the offensive side, only require remediation of the actual serious issues. A lot of the tools we're running generate hundreds, dozens, or thousands of vulnerabilities to fix; if you dogmatically say that everything that's ranked as a medium has to be fixed, they're just not going to get things done. Make sure that you're being realistic and get the important things addressed, but leave enough time for the other things that they actually care about. Try to deliver actionable reports; if possible, integrate it into their tracking system. If you can put a bug into JIRA right then and there, "there's a SQL injection issue here," that helps integrate with their workflow, and that just makes everyone's job easier if it doesn't have to go cut-and-paste from this report, by this project manager, through several layers of tools.

I'm going to step aside from the D&D metaphor for just a moment to talk about the humble tank, which is a concept that I'm borrowing from the massively multiplayer online role-playing games, MMORPGs such as EVE Online, EverQuest and of course World of Warcraft. If you're not familiar, the characters called tanks are generally those characters that exist to take lots and lots of damage so that the other characters can do the fun stuff. So it's not that they can't be fun, but generally you're not getting to throw the spells around and that sort of thing; you're up front, you're getting assaulted left and right, and there's someone behind you having fun firing off the spells. This is the lesson I learned from that whole rat-biting incident that I keep mentioning for no good reason: the wizard by themselves, the security person standing alone, could not succeed. The red team gets the glory and the glamour, but at the end of the day I can find vulnerabilities and I can find risks, but I'm not doing the work that actually gets things done. It's the SOC staff who do the actual detection if an actual attack does occur, and it's the people doing the development and operations side who get things actually fixed. So I'm getting to do the fun stuff on the offensive side and they're kind of tanking, and I think that we don't actually appreciate that quite enough as an industry. So do your best to make them feel appreciated. Spend time mentoring them; explain to them rather than telling them. If you sit down and say, "there's this problem, fix it," they may fix it, but it doesn't mean that they can explain it. They can explore and find some of the things on their own if you go through and make sure that they really understand what's going on; they may spot the other things that you missed during your testing, in other parts of the code that you just didn't get to, or in something that used borrowed code that you're not aware of. Push management for training and advancement opportunities for them, and just say thanks. Like I said, thank you for a lot of the thankless work; they have really long shifts typically, and there's a lot of burnout that I've seen within SOCs, so a thank-you and just making them feel appreciated can pay off.

So, wrapping up, I definitely want to say thanks to Yvette, Andy and the other two people whose names are on a slide that got eaten by PowerPoint. I know that this was a big dramatic shift, having to go to an online format, and I'm sure that there's other volunteers that put a lot of work in also helping make this happen, so big thanks to them for bending over backwards to make sure that it's happening rather than just canceling. Thanks to the sponsors, especially for making sure that there was funding to continue to do things so that the organizers didn't eat the costs; I know that it was probably a temptation to back out, so I definitely appreciate that. Thanks to all the other speakers who made sure that they could do the online presentations and tried to persevere in the face of adversity, and thanks to everyone who attended.

So, takeaways: explore what behaviors your company incentivizes, both where you came in and others; try to figure out how to realign those bad incentives if you can, and if you can't, escalate it. Make sure that you're talking to the management chain, saying, "hey, we're seeing this problem and I think it's because the developers or the operations team are not made to appreciate it, are not incentivized to care about it, so here's why we should get senior management on board with changing that." As a practitioner, say to yourself when you're doing something: does this actually result in better security? There are some things that you just have to do, particularly within regulated environments where the auditors say you must do something, and whether or not it increases security, you do it. But for things that you have freedom of choice over, choose the things that will have big impact rather than things that just say, "OK, I did a test and I found 20 different serious vulnerabilities and I made them fix them all." Break down the silos; share that information back and forth so it's a collaboration between the red and blue teams rather than working in opposition to each other. And definitely, as much as you can, take care of those people on the
front line. I know that we're going to move the questions to Slack.

Yeah, there's lots of comments and questions about your presentation. I think you had some really very cool key points that people really latched onto, and I know everybody enjoyed the D&D aspect, even though you up front said, "I don't play." That's okay; I think you had great references and we appreciate it. So, oh, there's a question: how do you manage the purple team sort of realignment with external or consulting red teams? I don't know if you want to answer that immediately or just jump into Slack.

If there's time, I'm happy to do a couple of questions live, just briefly. Since I had the problems with the slide deck, and I think a couple of slides got missed entirely, I will happily tweet out a link later if people want to download the slide deck and the speaking notes, so they can actually see most of what I talked about, with the speaking notes as well. My Twitter is mostly read-only but accepts DMs, so you're welcome to add me or just drop me a line; I'm on LinkedIn and I'll probably stick a link out there. As far as working with the external groups: we're making a big push to work with boutique groups that really want to help us increase security rather than just deliver compliance checkboxes. I'm sure people have had some problems with this if you've been in this field for a while: some consulting companies exist because they're a PCI QSA company, and they're hired by companies that just want that checkbox; they run a Nessus scan and they may format the report and call it a proper pen test, but in reality it's just compliance. We're finding the vendors that deliver quality, and we're making sure that they're aware that our goal is to actually increase security. We tell them that we're heavily focused on the MITRE framework and the Cyber Kill Chain, and so as they do their reporting, to frame it in that context so that we can work it into our workflows. And when possible we will have them do on-site work so that we can have the people working on the company side working side by side with them; we're working in close collaboration with them rather than remote pen testing.

All right. I don't know if it just makes more sense for you to either look at Slack, or if you just want to go into Slack and start answering the questions directly. Lots of good feedback on your presentation, so we truly appreciate it, and with that, we appreciate your time and your attention and your cool slides. So with that I'm going to turn it over to the other BSides organizers. I'm going to mute you now. We appreciate your time and attention. Thank you so much.

Thanks.