
Intern-alyzing Your Defense

BSides PDX · 2018 · 29:38 · Published 2019-02
Speaker: shadejinx (@shadejinx)

Tags
Category: Career
Difficulty: Intro
Team: Blue
Style: Talk

About this talk
Controls testing is just another thing to do on a never-ending list of things to do. It’s not fun or sexy, but it needs to be done more than once. We sought out a way to ‘automate’ the process. By building it into an internship, we found a reason to formalize and document the process. Then we were able to offload some tedious, repetitive work to someone who would get educational value out of it (and probably escape before the tedium set in). I’ll outline the program that we set up, share our experience, and show how it’s possible to make the process more interactive, educational, and fun.
Transcript [en]

Okay, hi, I'm Justin. I work for a local company; it's not super important. But over the past few months I have been able to partake in two of the most fulfilling things I've ever done in my information security career, and I'm here to tell you about one of them. Spoiler alert: it's about cyber education. In April I heard about a talk by a guy named Tobin Shields, who's sitting here in the front row. He gave a talk about cyber education at our company. I didn't get to attend the talk, I just got the slides for it, and I went through the slides and I thought, this is something that is very, very important. The pipeline for information security personnel is drying up. Cyber education is not as popular as we'd like to think it is. A lot of it has to do with some of the culture, a lot of it has to do with the job situation, but the education that does exist tends to focus on threat research and academia: you go to a four-year institution, you learn how to stay in a four-year institution. But there's such a thing as blue collar jobs in the information security field. How many people here defend a company? Raise your hand. How many people are on call sometimes? Believe it or not, you are the blue collar of the information security field, and you are underserved by the community at large, by the infrastructure for education, and by conferences. This is why I'm super excited that track B is all dedicated to cyber education and defense this year. This is not a first for BSides, but it's a long time coming, and we should give a round of applause to the BSides crew for putting this together, because this is awesome.

So why is education targeting attack research and academia? Because defense isn't sexy. We are underrepresented at conferences because the things that we do aren't sexy. They're not going to get headlines. You write policies, you do risk analysis, you write firewall rules. You don't have fancy names for the things you do and icons for the things you do. The training you get is either on the job, or the training you get is from some certification authority that you have to pay an annual maintenance fee to. Academia is failing you.

So in May, after listening to Tobin's talk, my boss Steve Mancini and I sat down in a coffee shop with a local organization now called In For All. They used to be called the BEC, the Business Education Compact. They're an organization that puts together internships for underserved educational institutions, high schools and colleges mostly. Almost every intern I've ever dealt with, at Intel and at my current employer Cylance, has been from the BEC, and they've all been fantastic. And the BEC is fantastic to work with because you don't have to go through your intern procedures at your job; you hire them as contractors, you go through your contractor procedures, and you get interns at a low rate to do jobs for you. And they're long-term interns, they're not just for the summer. We have one of them sitting here in the front row, so I'm gonna call him out.

So we sat down and we thought to ourselves, we should get Tobin and his cybersecurity program in touch with the BEC to put together internships for cybersecurity students, so we can generate a pipeline from high school to internship to college to job. And they were talking about doing something around 2019: hey, we can get something for you the summer of 2019. And here comes the first curse of the night: I've got [ __ ] I need to get done now. So we started talking about it, and the [ __ ] I'm talking about is controls testing.

What is controls testing? Controls testing is just one of those things on a never-ending list that you have to do. It's usually only done once, when you put the control in place, and then you count on your red teams or your vulnerability tests to do it. And they can't do it: red teams, by their very nature, can't test every control in your environment, and vulnerability scans often don't go deep enough. So you need to do these controls tests on your own, but no one ever does them, because it's just another thing to do. Our enterprise put several controls in place to protect domain administrators. It's a very hot-button topic of mine; I'm kind of good at it, I'd like to think I am. But I put these controls in place and we weren't seeing any results. Either no one was pinging domain administrator or my controls weren't working, and I wasn't sure which was which. So the goal was: I need to test these controls, I need to make sure that they're working. And those controls I put in place were against four very specific tools; we can go into that later. How do I get these things tested?

Purple teaming. Purple slide. I like purple teaming. I think purple teaming is a better way to go about testing your security controls than red teaming and adversarial approaches, because adversarial approaches to testing security controls only test your security and your knowledge at that particular point, and any gaps in that knowledge don't come out until the very end. And if you analyze the data, you have to rely on the red teamers to take good enough notes for you to analyze that data so you can improve. Purple teaming means that your red team and blue team work together. That means both of them are learning and growing at the same time; they work off one another, they learn from one another, and during the course of the event both of them gain in skills. So I prefer purple teaming.

So between May and mid-July, I hated controls testing. We got this internship developed around controls testing, funded and staffed. By the end of July we got this program, we got two students and two instructors to come and sit with me and test these controls out. The program was designed around four tools I wanted the interns to use: Responder, PowerShell Empire, BloodHound, and, what was the last one, oh, Mimikatz. Over the course of five weeks they tested each one of those tools in our environment while I watched them. I got to watch them interplay with the tools, I got to help them use the tools, they taught me some things about the tools I didn't know. At the same time I got to sit and watch them through my environment: how they affected my environment, where my controls worked, where they failed.

Over the course of four weeks they tested those tools. They also took one more week at the end to write a report and give a presentation, working on those soft skills that a lot of the blue collar information security people need the most. Your ability to talk to other people outside of your organization is almost as vital as your ability to log into a firewall and put in a rule. The way the work would go was: over the week, I got them for 18 hours a week, six hours a day over three days. The first day I would introduce a tool and the control I wanted them to test. The next day and a half they would spend testing that control. And then the last day I would teach a two-hour class: this is the control we put in place to stop you from doing what you did, here's how successful you were, here's some ideas on why I did what I did and what it means to our organization, this is how I would respond to it if this ever happened in my environment, and these are the tools that I use to do my job from day to day.

So how did it work? As far as I'm concerned, this thing paid for itself in the first week. Our interns were able to find a control that we put in place that had a typo in it that made the control completely ineffective. Completely ineffective. Fortunately that control was only put in the week earlier, so there wasn't a lot of time, but it paid for itself in a week. The students got to play with, I know they're attack tools and they did some attacking, but they got to play with those tools in a live environment, and they got to see what happens when you apply defensive measures against those tools. They got exposure to what it takes to defend a network against the tools, and they got experience drafting a report and giving a presentation to an executive about exactly what they found. And the report was awesome. It's everything I could have wanted from a report: it showed where we were strong, it showed where we were weak, it gave us a direction to go to fill some of the gaps and fix some of the problems we had in our controls. It's everything you want from controls testing or a red team report.

The teachers: we had two teachers, and they traded back and forth. The first was Terry Brought from the Center for Advanced Learning, which is a technical high school here, and then halfway through Tobin came in. Tobin works at Mount Hood Community College at, what's the name of your program? The cybersecurity and networking program at Mount Hood Community College. And Tobin's giving a talk at one, and the reason why I'm giving this talk is because I love the way this guy talks, so I highly advise you guys come at one and listen to his talk. The teachers got to see what live defense looks like in an environment. They got to see the tools that I use, the processes and procedures that I use. They got to ask me direct questions about their curriculum versus what the real-world implications are. And the benefit of this is that they get to now tune their curriculum in such a way that they can give students real-world experience and real-world goals to attain to, so when they leave Mount Hood Community College, which is a two-year technical vocational program, they're gonna walk out with the skills needed to get that level one blue collar information security job. Additionally, the teachers got a program that they could deliver to the state to allow them to get funding to possibly apply this program to more companies, so more people can take advantage of this particular thing.

As for me, the things that I got from this: I got a better understanding of my environment than I had before, which, if you are a jaded information security person, is actually gold, because you think your environment is one way and it creeps over time, and being able to sit back and figure out how it's changed over time is absolute gold. I got to learn better the controls I put in place and some of the weaknesses of them. Some of the controls I put in place worked amazingly well but had one fatal flaw that needs to be addressed, that I didn't know existed until this particular point. I got a report to deliver to my bosses that showed that I was doing a good job, but I still had some work to do. But most of all, and this is super cliché and I really hate that I have to say this, I learned as much from the students as they learned from me. That's super cliché; that should have gone on a slide. But we work in a very negative environment where it's easy to get jaded and cynical, and sometimes working with fresh faces and fresh ideas and the energy that only comes from the youth is just the shot in the arm you need to get out of your own way and move forward.

How do you get some of this action? This is actually pretty easy, and I highly recommend going to Tobin's talk and then talking to him afterwards; he's going to have all the best information on how to do this. But I do have obligatory content. First of all, get out your never-ending list of things to do and find four or five of those things that are measurable, achievable, short-term projects. Don't focus on long-term goals, don't focus on research; focus on things that are actionable and measurable. Break the list into achievable projects and make sure the barriers for achieving those projects are removed. If there are things that you put in place to stop people from doing things, remove those barriers so they can achieve them. You have a compressed time frame; you want them to be successful. Bake in opportunities to impart knowledge. You have a bunch of knowledge that the educators don't have, because you have lots of experience in the field doing real security work, and you need to bake in opportunities to impart that knowledge on them. And don't shirk on the soft skills. Learning how to talk to people about what you do is just as important as your ability to do it. And then at the end, contact Tobin and Darren Marks. Darren, I don't have Darren here, he's not here. Darren Marks works at the BEC, formerly the BEC, now In For All. He was their point of contact at getting all of this put together; he was the person who got us our interns. The program he and Tobin are putting together is what we took advantage of. And thanks. Now this usually has a bunch of questions, so I'm prepared to take lots and lots of questions. Anyone? Yes, they were on my live network. Yes, they were attacking real stuff. Yeah.

We haven't worked that out yet. Controls testing is one of those awesome things that never not needs to be done, so I always have controls that need to be tested. They can't possibly test all of them I put in place, and they need to be tested regularly, so they can always come back. I have no issue about bringing them in as frequently as they can possibly be brought in; it depends on their school schedule and stuff. The part we're dealing with is funding, and one of the things that Tobin and Darren are putting together is trying to get state funding so that we don't have to pay the interns; the interns get paid by the state rather than by us, a medium-sized company that's not terribly large. Yeah. Yes, sir.

Where, it's basically, I'm a corporate defender, I defend my company from bad guys. I could take this program to any sector; I could take this anywhere, because there's always things that need to be tested, there's always small little things that I need to get done that I just don't have time to do.

The cycling of controls has nothing to do with the interns. The controls go in place as they're needed, or as the technology changes, or as the infrastructure changes. There are standard sets, but there are things that are, hey, this would be a good idea, let's try that. Yes, sir. They were told, don't do that. I was watching them and monitoring the whole time; that's the point of purple teaming. And the only control that they could have done harm with was Responder in our environment, and we didn't. If you put barriers in place for them achieving their goal, they're not gonna learn as much, and you're not going to get the full amount of testing that you're going to want. If you give them a fictionalized environment, you're going to get fictionalized results. So yeah, don't put them in an opportunity to fail; put them in an opportunity to succeed.

Mm-hmm, yeah. In a small environment where we have few resources, yeah, I did. I'm not gonna lie, it did take my ability to do my day job, but the benefit is I am better today than I was before them, and that's all we can be, is better. So that's what the Center for Advanced Learning does. It's a part-time technical high school, where you go to your regular high school half time and then you go to this high school, and inside there they have technical tracks. Tobin's probably gonna talk all about that at one o'clock. Our interns were high school graduates moving on to college programs. Yes, sir. Yeah, they were sitting right in front of me the whole time. They don't get free run of the building, no. Yes, sir.

It's all about keeping the task small. If you keep the project small and you keep them bunched together so they're all thematically linked together, so you don't have interns jumping from one idea to another idea to another idea, so I don't have to do the reset, and you make everything measurable in the short term, your amount of pre-work is just getting them onboarded at that point, and then maybe setting up the environment so that they'll be successful. That took me a little bit of time. I'm not gonna lie, it did take me a little bit of time. The report I got out of it was well worth my time. Yes.

I had to present this to my VP who was in charge, and I sold it with: Mount Hood Community College offered to rename their computer lab after us. No, the thing that I brought in is you sell it as, this is good for the community. You live in a community, your business lives in the same community, you're going to be trying to pull information security personnel eventually from this pipeline. Learning to fill the pipeline, helping them fill the pipeline, so when they graduate they're perfect for your job. And getting interns into your environment means that you get to see the new crop of information security personnel, and you're going to see how they work, and that gives you first dibs. So that's how I sold it. And the lab thing wasn't bad either. More questions?

That would make my job way easier, yeah. I totally, I was on board with that, as long as they achieved the goal, which was testing the control. So if they used another tool instead, say Windows Credential Editor instead of Mimikatz, fine, great, that tests the control.

Yeah, that was the purple teaming part of it. When I originally drafted it, I kind of set it up as a red team and just let them go and let them do their thing. I found it was way more beneficial for me and for the company to actually sit with them, and not necessarily walk them through the steps on how to use the tools, let them do their thing, let them learn, give them tools that are not difficult to master, and then I get to watch them on the defensive side. And when they have questions I'm there to answer them, I'm there to fix problems. At one point in time they got away with something they weren't supposed to, and I was there to stop them. So I think sitting down with them and doing the actual purple teaming is worth your personnel time, because they get to learn the environment in ways that they didn't know it before.

I did not, but I work for a security organization, so I'm cheating. The thing, why this was such a perfect report, because it did show that the controls were working in most cases, but there were gaps that were unforeseen. Which is why it was the perfect report, because it shows that I was doing my job, that I did good, that our defenses for domain administrator are actually pretty good, but I still have a little more ways to go, I have more projects to do, I have more things in the pipeline to go. So those are the exact kind of reports. The ones that show me that I'm doing everything right, I'm suspect; it's like, well, my doctor says my blood pressure is fine, and I'm like, I don't think you know how many fries I...

...experience, because they're not jaded and set in their ways. Their brains work in lateral ways that mine don't anymore, because I've lost that elasticity. So.

Yeah, cause I still think that that's adversarial. Your white team doesn't know what's going on; they have to detect it, right? Yeah. So purple teaming: they know exactly what's going on, they know what time servers were compromised, they know exactly what servers are compromised, they know how they were compromised. That means they can go through all of the data to see if there's anything there to build a new control with. Yeah. Yes. In fact, I recommend taking a blue person and sticking him on the red team, teaching them how to red team, and then while they're doing that, also doing their blue team activities. I think, who's got the time? Cause I think my time's up.

No, there's supposed to be someone who's got my light. Nobody has the light. All right, well, 11:30, that's my time's up, everybody. I got four minutes. All right, any more questions? We wrote the report, and as they were writing the report I was editing the report, saying, hey, you're talking to these types of people, you need to include this information; you're talking to these types of people, you need to move this type of information, because executives don't need all the details and some people do need all the details. I helped them write the presentation to make sure they delivered the right information to my executive when they gave their presentation. Yeah, that was, I was actually trying. And they did the whole report, they wrote the report and the presentation in one week. How many red team organizations have you ever dealt with that have done a report in a week?

Yeah, probably, if I had them. That's great, I just don't have them yet. Yeah, and he accidentally breaks all the things. No, using interns is great if they're interested. And I really enjoyed using interns because one thing I learned when I was at Intel: I went down to Costa Rica and taught a class down in Costa Rica to the SOC down there, the SOC personnel. How many people are in a SOC? Your job sucks, doesn't it? It sucks. It's a very stressful job, and it is repetitive and not necessarily rewarding. And when I went down there and taught the SOC people some APT hunting stuff, they were so excited about it. They just wanted to learn, they just wanted to be there and learn everything that they could, because their career depended on it to get them out of the SOC. And that's what the interns were like. They just wanted to learn, they just wanted to be there, they just wanted to play around and show me things that I hadn't seen before. So, great. Sure.

It's the ultimate blue-collar job. Yes and no, but you can also make them hungry ones if you can learn how to talk to them in the way that they want to understand it. Yeah. So one of the things that was super impressive was, two weeks before they got there, harmj0y released GhostPack. GhostPack doesn't come in a binary format; he only gives you the source code and you compile it. Well, the interns took it home and compiled it and brought it in, because I didn't do it, and we tested it, and it was awesome. But then, because our tool detected it, I'm like, well, we should try to obfuscate this. So he taught himself how to obfuscate, what was it, C#, C# code, brought it back in, and we tested the obfuscated versions of it. So yeah.

Way too early. We just started this program and they're just now starting college. One of them's going to my alma mater, which I feel for him because it's in Klamath Falls. I said, I'm sorry. Austin, we lost that guy forever. All right, there's supposed to be something speaking right now, that's not me. I'm sorry, I didn't mean to take your time. I tried. [Applause]
