
good morning BSides hey you guys haven't seen that before I interviews your awesome super speaker and the day a couple things so I don't know if you can tell from the keynote but we blew up capacity expectations as you can see we're almost things standing room only in here track 1 is also full and that the track 3 looks similar so the reason I bring this up is that lunch is catered by barbecue joint native I'm not lumpy it now but I know how much we all love barbecue thing is there's a limited amount of barbecue so we're not exactly telling you how much portions to take but we would ask you to use the DBAD
philosophy which if you're not familiar don't be a dick you know feel but make sure you leave some for your fellow man woman and then a few seconds of a little short go for it Dan but just so you know we are gonna be a little bit maybe thin on the barbecue so yeah watch out for that how many of us in here have leaky electronic badges with stuff soldered on uh okay how many of us know about the game that goes on with that badge not many ok so you might have noticed when you turn it on originally yeah these lights going across and you got a live in little better ask you some questions
later so these light up as you play what we call foxes around the buildings so this is to encourage you to walk around the building finding little areas there's little devices sitting around maybe some of the devices are on the back of these packages you know it's got a little ESP8266 12F one here if this is your first time [ __ ] around with these devices welcome to the next rabbit hole you'll be dealing with for a year or two little devices if you have questions and need more explanation on this or how to proceed let me know I'd be happy to talk to you about it in future but we are at that time to get started so Aaron Riley
I've known this cat for a while he is also a Colombian native this is how much we love the Kansas City community we come out here all the time because this is where the folks are at unfortunately the Missouri we don't have a whole lot of folks but we have an awesome community in here so to the [Music]
[Applause]
[Music]
you know always goat cheese so to get this started we need to briefly go over what a botnet is I mean briefly because I understand a lot of you understand what it is but we're going to get on some terminology expectations we're going to discuss what botnets are how they're strung together communication there are we're going to go through how that spreads that's the propagation there's a couple ways of doing that we're going to look at what an infection could be and what it could look like in different scenarios after seeing what an infection is we're going to play around a little bit with it as well then you need to know the three P's and those are a cycle
stage that helps maintain and mitigate your network resources so just to briefly go over what a botnet is going over the terms vocabulary so we have a collective base if when I use a term you understand it's a different term that you use it's the same thing we're going to go over the generic types of botnets and then to really put it all together we're going to talk about a real life scenario Emotet Geodo the banking Trojan and every time I'm going to go through what a botnet is here I'm going to relate it to a real life botnet that's actually active and we researched quite a bit so your terms of vocabulary what we're looking at here is a botnet is a collective of
zombies under control of a command control structure that is owned by a bot master I'm sure a lot of you understand that I typically call the command and control structure C2 like to be called Zambia baa
the bot master is the person that makes sure of the maintaining and propagation of the infection propagation just means
now all these botnets aren't one that specifically fit into this they can overlap a couple of different ways into different areas but when we're talking about spam botnets Necurs comes to mind in the last three months of 2017 it was responsible for 60% of the world's spam now we're looking at weaponized botnets meaning that they can do a lot of destruction and they're only meant for harm the Mirai botnet was definitely what comes to mind they were responsible for the 2016 in cyber exactly kinds of value internet burqa flowers that won't be at eleven point three million unique IDs massive on that program
yes they were able to individual
understand is because it was where they will about will come image make it's one resource and the cheapest miner had over a million bot miners and in one year collectively they made three million dollars which is pretty soft now what Emotet Geodo is is a hybrid of a lot of these it's weaponized it makes a lot of money updates them and they also can propagate certain ways that other operators want that infrastructure so they'll put their payload on top of Geodo and they get paid by that as well so we're gonna go over that total time see what that yo what is it alright well there are actually two different variants of the Geodo botnet okay but they're so unique that we can
link them so much it's our old apartment it's not even it's not even like you know but so what it is it's a banking Trojan it is very rapid it's very modular it's polymorphic in nature which means that each and every download is changed every time so antivirus signatures can't detect it it's a very small base so that any AV will see although it's not really doing anything it has really no perceptible resource utilization it's just calling out so what it calls out it pulls down a module that module steals financial banking stuff you're already on the go you know you already have an infection in your network like I said part with some extra trade sensitive information it downloads
and also drops other malware they found that if they can drop this banking Trojan on a client steal that financial that's money there what I'm thinking also greatest second party to it they can get dropped off that to maybe bring you to the party and I get money by getting there anyway that's a lot of money alright so when you talk about the botnet architecture there are two main ways research and development of a botnet now the two main ways are your peer-to-peer model that's the bride lock net that means my neighbor is the main structure I get my neighbor's instructions and there's really no single point of failure it's really hard to stop because once it's going and it is rapid enough
to get out in front of it and break it off it's pretty much problem is it's not very manageable right operators can't manage that they simply send it out and it's still propagating through their network they can't stop it it's in the wild they have the refolding it's all the way out client-server model is another way this is familiar with three different layers Geodo is a client-server bot and we'll talk about that in a minute so when a botnet is actually connected to the C2 it is by when the infection is not communicating to the C2 the bot has to make that call home it's just the one heartbeat hey I'm
here it just makes the C2 aware of its existence a lot of them don't steal information on the first first gift of communication because that exfiltration will be alerted on because when you make the connection and you're sending a whole bunch of packets at something that you've never made connections to before that firewall is gonna go hold on what is this and so looking at it it's gonna break it down so what they do is they say hey up here DNS request to a value type or 8080 a game you know intervenes and that's all in it another go okay well if you next request means that the C2 is actually there and there was no information exchange
DNS query man there you go alright you're alive and I'm a bot we do that a lot in different ways on the left hand side we'll see the older ways that are still tried and true on the right hand side you'll see like the newer protocols that are used in tandem or laid over some of the older ways of doing it now DNS is common because you have the ability to move my feet and still have the domain hard-coded within the binary alright so the domain is you know Aaron Riley DNS net and I just watch the changing I don't have to change jack in
the botnet they already have the hard-coded domain they can get to me wherever I need to go so I can stop your IP block there's other things that can happen see this our hard-coded list of C2s within the binary so it'll iterate through each and every C2 until it connects to one and they don't know all right that's the connection males knew there well a lot of times that botnet the C2 will tell it hey move down two and we'll connect there move down three and we'll connect there next instruction from the so you'll get a connection sure but it might be just two attempts let's take out here their response back says move to channel 2 you know maybe blue
channel 1 it's kind of like I like the highway
C2 communication things it's the messaging I don't know how a lot of enterprise networks allow these two messaging to go through the internet I understand it with a lot of Macs will allow for text messages and stuff to go onto the Mac from your phone that way or the other and it kind of begins a lot of filtering on the network and I hope you've seen SMS phishing or smishing however you want to call it but it is a vector now and people are sending those links to Mac address virgin fax they have that text enabled so that when they click on any device the Mac not your phone so it's pretty ingenious now how
does a botnet like Geodo communicate so we talked about different ways about the old protocols the newer protocols we talked about the architecture now put it into perspective Geodo is a multi-tiered C2 structure which means that the operators those are all sending it off they don't actually talk to each other they have different strains they have Epoch 1 and Epoch 2 alright and they are used in different they never serve the same C2s there are four layers of server C2s in between and those all communicate via the port note so you don't know what game points in point it's always just flipping through okay really hard to be on these guys now once
they have their C2s up and going then they have what they call running bots so you'll have a bot that's the base bot that is just a pure infection there's no modules attached to it that's just the base they have like no I call it privates you know and sergeant major and all these people message me helps me organize them but they do that so they understand well this private hasn't given in the instructions if I give it the financial module move to a sergeant and it's now making me money you know I didn't even that's how they organize the C2s of the multi-layer pull those down and segment them out and inside themselves Epoch 1 will have two strains inside
ones delivering a second payload for profit the other ones not because they didn't pay for
they're very very adept at what they're doing so they direct the sockets there's only four the Emotet Geodo C2 we'll go through the chains of infection of how it gets to the client but the C2 is a direct-to-IP or socket communication which is kind of ridiculous because all networks should be stopping that you shouldn't allow your endpoint to hit some random IP over a certain port then once it's kind of down and on there it pulls for instructions from the seed list I'll talk about how it does the seed list but then what we're doing here is it pulls for instructions then goes at this module but if that module gotta grab this the attempts are so
small one to two they don't cross your network alerting signals because two attempts that's so many false positives it would just drive me nuts and they notice so you want two attempts in the moment one to two attempts to move on so they're really skirting the firing line what's going on so propagation like I said this is the ability to spread from one line to the next line and there are two main methods of doing this you have your passive which is end-user enabled which means I send you you know something bad and you go alright click you open it up and just double click and have everything going that's passive you need users to open
it up it needs everything interaction
we'll talk about how Geodo does office macros or PDFs and what those look like actually the binaries enabling it this is typically lateral movement the Mirai botnet brute forced IoT devices with a conference of usernames and passwords that it found on the internet which is brute force it logged in compromised it then moved on to the next box and it was doing it automatically there was no user enabled and Olynyk said it's a lot of lateral movement on the networks and we'll talk about the lateral movement as to say so how does Emotet Geodo proliferate how do they get across the network the first coming in first and foremost are a passive propagation they need the user to start
it but once it's started it will run on its own once it's infected it's like one guy getting the flu in the house the rest of the house is going to get it as long as you know I have so the passive propagation is sent by spam a lot of times there are links or there are PDFs with links inside them the office macro they're laid off macro related documents so it could be an XLS it could be a docx could be other things as long as it can enable a macro and they're often chained together so you're not going to see just the office macro and the payload you're going to see a link to a PDF the PDF has a link in it
because the office macro now that goes and downloads the payload why because they're testing your security measures they don't want to give you the payload if they're busted right away you know they're not going to give all those resources and you know expose that payload if it's just going to get blown out of the water so they do chain it in steps structure inbox that have deliver another malware like I've said before and TrickBot is another banking Trojan why don't one thing controlled you bring another banking Trojan they look for two things jukebox a point-of-sale banking Trojan it's most its most on casters all right so for network and TrickBot and find a point of sale why not
you don't need to give in don't need the C2 infrastructure you just need to build the finance that's fine begins Geodo it's all the information you need as well so who in TrickBot gets its information the other goes on the bot master so not only do they get their information they get whatever information a second party too and what they got it's pretty interesting and then they turn around they sell it very well in the black market the modules for instructions are code that it calls down it could be a code snippet it can be literally just a text file that tells it what to look for it could be a string of bank names that
we'll see in a minute in the process memory strings out of those after the initial call out though it will attempt to spread laterally if given the command like I said they'll rank so if certain ranks if you give up off the scalp the scaphoid clever hey gives that module the scalpel didn't take the credential set they found on the computer it will look at the network and then find a neighbor take the credential set throw it at it and go did that login successfully if I did inspect this machine I'm gonna take those credential sets and try and find somebody else it's what it's doing it's just trying to root for screwed in tools on the network
it's pretty simple but it's also one of those neat things protects them but the main thing I wanted to bring across is that when the modules do come down they're very very small so the call outs two attempts modules very small it's amazing everything on your navy and surveying your network alerting because of how small everything is and that's what they know these guys are the threat operators here I like actually out of Russia and they seem to have a lot more resources than other operators and they understand antivirus protection a lot more than some of the other botnet operators it seems that they understand that if I got a small footprint pull down small heartbeats
you know or have small heartbeats but small modules I don't get detected because they're looking for the big package so everything all in one now we're talking about the chain of infection we didn't talk about how it actually pulls the payload down like I said it does it in steps the first email will have a lot of subject lines the emails always be financially true so all of you something like your bank has withdrawn so much here the other one is that your 1 million mark but in the archive it's an office macro a document macro actually runs PowerShell what's the name PowerShell and runs a small bypass called a bypass execution policy script which means that it bypasses all
your security policies and downloads a binary alright and that's the URL the contacts actually do are up so it avoids your URL it avoids the direct socket filtering it avoids a lot of URL filtering if you're not doing certain ways of attention this binary it downloads that's what it does it calls absolute URL slash spring luck nothing else on you all right that comes down as a catalyst by name there's no good see all right once it gets to the memory the Geodo infection goes all right let's live an MC dot exe throw it in the temp and plot also a major a minor emergency at the office macro they have before switched to JavaScript instead of an office macro we believe
that was a testing of their infrastructure and testing them another way that they can get profitable of action through their botnet it didn't seem to work very well because JavaScript typically doesn't run in a lot of enterprises by default it's turned off in certain areas so it didn't quite work out for them so they moved on the optional secondary payload we've seen a lot the killer let's prank somewhere
it was devastating enough to Brazil that they had to do certain mitigation tactics to the Brazilian government it was pretty interesting I thought I would love to get down there but I don't like to wear one of those things so when you're looking on your network and you're trying to find one of these zombies and you want to you know make sure your network's pretty resilient to these things we need to talk about alerting you have your host based alerts you have your network based alerts and they need to be sent and driven they need to be automated you don't need to have an alert fire to an email and then hopefully somebody reads that email you
have an alert fire as an instant message and they have like another to work there's slack bots they'll do that maybe smart happening yes all right your managers can understand about where it's been taken you have these things on an ongoing basis to be effective with your host base there are a lot of products out there that do operate entire operating system monitoring I will but they are very good quite a bit they allow you to do a lot more than just warranty and look at it from an outside view they give you what's going on in the operating system we're going to go through some of these tools that I have up here and what I use
them for your packet analyzer I particularly use Wireshark this could be your SIEM it really can if you have pretty good logs understanding it I like to have it between the client and the gateway because it kind of outside you take away what the gateway is blocking are you seeing anything so I'd like to have it right there in the middle your process analyzer this is on the client I use Process Hacker we're going to see why this is really important
afterthought it's one of those things that once you've remediated things you need to make sure you've gotten everything and it has a rootkit that will redo the infection after you've remediated so now that we have some tools we have some understanding of what a botnet is we need to figure out what kind of zombie it is and I'm not like the attribution of Mirai or Geodo or Emotet that's not really helping you what's helping you is is it financial is it weaponized is it doing click fraud because you understand the generic type so you understand how and what it's looking for and what resources you need to go unblock or set or mitigate earlier and so when we're
looking at this packet analyzer it's one of those things that I said shows the network traffic that's great hey also so when you're looking at the network traffic you need to cross-reference between what is noticed what is normal and what is abnormal what do you know what is the unknown and what is the unfair words that no no and so you need to go through and kind of compress and find that weird or irregular network traffic and by doing that you need to be right there like I said from the host to the gateway right in between the process analyzer gives you insight into the network traffic coming from the machine yes it gives you that validation it
allows yes I see on the outside of this machine that is calling out to the C2 what process is doing that is there a whole process is it the browser is it PowerShell is it svchost is that a normal thing so when you're looking at the process analyzer there's a network tab on lobbies and cross attacker passage and the network tab will show you what process is calling out to what resource alright then take that and you go into that process okay you've got the memory once the memory strings are dumped you can look into it is it financial by banking is there a Bank of America in there is there Google Wallet Bitcoin miners all these type of things
it'll have strings in there and tell me what type of a botnet it is original all of them do it's really more than Natsu because if they don't but they can't utilize resources thinking if they're you know how do you cycle if it's in the browser and it has X to exit my neuronal wallet location like I said that validation you see on the network you see it with a process analyzer it's this process what is it doing okay we have an infection all right now that you have an infection you need to look at the protocol analyzer like I said several remediation time you look at it all right I understand that this didn't work
traffic's bad I stopped all this other network traffic at 14 I mean what did it do you take that protocol analyzer and you scan the computer does it have an RDP port is there because these ports that are open are not going to show on the network traffic if traffic's not going over it all right I've seen botnets over the course all day and so later on logically it stole I use this port now they'd already opened it so why not protocol analyze and say that port's open what does that mean is this a second channel or is it a backdoor those are the reasons you really need to kind of go back afterwards and take a protocol analyzer
to your Windows don't think you just swipe understanding what's going on the box within their system application and security logs are not very detailed on default so if you want to make those logs very detailed you're gonna have a CPU hit on your client that's not what everybody wants they want a fast moving client then pull those down so what you can do is you can say alright well at this time she said showing up an email that went to work alright on the event log the application logs Microsoft Office it opened at this time well then PowerShell ran right afterwards you can see that those all right or JavaScript that's RAM or a yes program you know you
can see what applications also don't work instant humanitarian you can see what they were doing or connecting to you can see they start so kind of gives you a trail of what we're doing and what we're looking at a venue so we're playing with zombies
it's kind of fun to type things out and see if the system memory is trying to exfiltrate out the basics before I know Hollander all right so there's a couple things for you and there's a couple things don't 14:01 don't care jus care if it's the CEO I called him why'd I like warm tea Don I have the Commissioner of steak burger stock and I'm the commissioner get infected by driving by is I'm quarantine his machine with bones I know
they are your biggest asset of what happened what's going on if you don't treat them like a bad person or an operator now but having admin credentials is one of those things I don't think a lot of people text or
process and things like that I had a tech come to a satellite satellite office and he wasn't given admin credentials wasn't given any of that and he was supposed to wipe the computer it rename report and give the user back all of their credentials after resetting them so you just didn't realize that that was something he needed or he didn't realize that now some of the don'ts here these are big don't leave it access to the network seen a lot of that see a lot of people block it at the router that's fine but it's a LAN to all these other computers you want to wipe Bertina Bloomberg or like one of them also don't want to shut down the box because you're
gonna lose a lot of process memory you're gonna lose all that memory it's gonna be gone don't close the browsers don't close any of the applications because you're losing that memory as well like I said the process memory you can see what they're doing and what's going on even the end user you can see what they're doing from the perspective of its strings and module utilizing resource wise Adolfo's them leave them up if you have one of those operating systems that monitor her my operating system monitoring security suites take a snapshot of the machine while it's infected because then you can pull a lot more things off of it and the files that weren't backed up you can play with
it a little bit longer and give the end user factor this mean you can do a root cause analysis that we'll talk about in a minute do all sorts of things oh don't forget about the user they're being quarantined with a bad thing don't forget about them so now that we understand the architecture now that we understand the propagation style now that we know what it looks like what is the other side right what does it look like when Geodo is on your network like I said before we have the direct-to-sockets after the infection we have the execution of binary downloads or the infection chain okay we have all sorts of other lateral network attempts
and different things that are coming over HTTP traffic on other ports which means I've seen HTTP or 443 over ports over 1024 and I don't realize why and when your network if you don't need each other not one recording that's number one we're at work why not is there anything really supposed to be going over port 80 that's not where these supposed to be going over another port that you standardize on that's great just have an alert if it's not yeah in the process memory strings like I've talked before with Process Hacker you're gonna see a lot of financial driven information you're gonna see bank names so if you've ever been to any of
your banks on your web browser it goes into the web browser to steal all that it steals all your credential sets and then brings it back down alright I have a VM that has been to 50 banks' websites it has entered 22 credential sets which are all fake and really funny for someone like George Washington and every time I set off Geodo they grab every one in five minutes or less and I was trying to exaggerate that much that information back up based crazy okay so the network traffic the base64 encoded cookie value was a big key the reason is is because it's not a requested cookie it's literally a cookie value from
nowhere and it's handing it to someone on the first communication in town that's not right that's definitely not how web services work you ask for one they give you your cookie back and forth well this guy goes hungry my value to the park and slap down that base64 chunk is the fingerprinting of your machine it has your operating system it has your username your credentials your IP your geolocation it has almost everything that don't let you fingerprint a machine which also brings us to another thing on fingerprinting PowerShell is asking for all these things from your machine that's something you should alert on that's close space and it's CPU cycle driven so I understand if
you're not doing it ok so like I said before the process memory you're going to see a specific Mozilla user agent it always keeps an up-to-date value I appreciate that Mozilla has updated itself they're right behind in updating itself as well it's pretty interesting the C2 seed list you will see in the process memory you will see the C2 seed list it's pretty cool table block oh it's great then with the persistent file placement as before then it puts it in startup then it puts it in Program Files then it tries to get a rootkit if the module allows it to there's a module there's a rootkit module and that's captain there's what we call it and he pretty much calls the shots it seems pretty pretty high up here
on the ranking about does its propagation how's everything against the bottom generic-type how do we do host base is the best because you're right there on ground zero when it comes to the zombie infection you have the best chance of mitigating it right there and stopping it I believe in user education is one of the best to stopping as you can also put DLP on your endpoint so how many people will have a DLP program but it's pretty it's pretty great you can set certain information to be sensitive it doesn't have to be what is already known since information so if you say you know this file that has just you know my name and
it's a text file that sensitive anytime the boobs I want to know you can set those kind of things which is really great and Bob mention they go after it the orange trying to do but they're trying to read it to try that you know executed or right to it if you have an alert off then you're breaking up here you're good to go with that infection understanding when it happens never makes it kind of the same as post but we read a little bit deeper because we need to work on our SMTP and DMS and DLP like I said before it's just a DNS request and that's how the Bob tells the botnet that they all hear a lot maybe you say
Mike server server that is any other request anything else I don't know if you have those alerts set but it's all those things you do SMTP is another one a lot of botnets will exaggerate their information via email but they set their own evil plot it's pretty fun they write it by them via the terminal and has all that kind of thing you'll see if the process screams it's not like they use outlook for anything like that story on machine so then you have giving you all sorts of things with protocol analysis and web across but aprox is a big loop for networks because into gates drive-by downloads if you have a what a proxy out
there and you're going up surfing through the web and drive-by download gets that what box it should be able to negate that it shouldn't say you know what I don't need all that it should go all right this is something bad you all repel wrapping is enough and that is also beginning with the use of web proxies so now that we understand how to mitigate them we need to understand what happens what we need to do when we find them when it's in our network what we need to do like I said Lauren HP your first move it should be automated you need to your network when we first turned it on the state we're cleaning
everyone turn it off and then started working back up pulling snapshots I said before it's easy for you to pull a snapshot if you have the operating system spirit monitoring suite and what we'll do there is full snapshot you can do a root cause analysis which helps you with your mitigation techniques later you can also grab the files off that machine that wasn't backed up earlier you can scan those files and then hand it back to the end user if they're clean if typically I don't have any time to do something to speed in grab it put on those interesting slather them like brandy wipes computer and then drop the risk in noggin alerts and Christmas
So for me, a root cause analysis, like I said, gives you a way to mitigate what happened to the user and how to stop them before. And during the rebuild, that's one of those things where people are like, yeah, I understand, just put an image on it and you're good to go. Yes, I understand, but make sure you have one in place. And that's the end-user remediation, and with end-user remediation: credentials.
Then, when you've scanned the files, you can release them to the end user and monitor what's going on. When the end user takes the files, let them play on their computer for 15, 20, 30 minutes to make sure that they aren't, you know, reinfecting themselves with the files; make sure that they aren't having a rootkit that just, you know, with certain right clicks or left clicks, activates. There's certain things you can do, so watch for a period of time, whatever feels good for your shop, and then you're done, because if you release it before, the end user is out there and the files could reinfect themselves and your operation. So how do we stop it?
We already know what it does and how it works, tool based, but how do we stop it? So we need to do a lot of things on the host side: disable Office macros, okay, but if you need Office macros, disable PowerShell. If you spot any generic use of certain system tools, it's pretty easy to say, all right, that's done on my system. You can have client fingerprinting; like I said before, that's a great way of saying, you know, something's really going wrong here. On the network side, we're going to disallow direct connections to sockets, like I've said before, block system tool downloads, single login per
credential set. Like I said before, they grab the credentials and then try and brute force with those same credentials on the next machine next to them. If you have a rule set in your network that says this credential set can only be used on one computer at a time, network access control asks: has this credential set been used before? Is it logged on anywhere else? If so, it can't log on. So it kind of stops the propagation, the spread. Okay, if it has some SMB exploits available it might drop back to an old tried-and-true method, but if you can stop it from having multiple credentials logged on across your network, that's great. Now, I understand we have some service
accounts; some of the admins are going, you know, I have one account that runs on all these computers. That's cool, but understand that that service account is going to be documented, so when your SOC runs into a certain credential set that's trying to go across the network, they can say whether it's this service account or not, and from there they can make their accurate decisions. Then we need to talk about your email attachment standards and security analysis. Like I said, you can have a policy, a business policy; what it does, though, is it makes an easy decision for your end user: attachments come down in a standardized way, all right, and it stops the infection right there. Also it helps when you're going through your
logs as a security person going, that's not standard, that's not standard, and you can point them out, pick them out to grab, and then drop them. The next best is URL wrapping: when the email comes down it has a link in it; the link is looked through by an email security stack, and that link is then wrapped with a this-might-not-be-safe wrapper. When it's clicked on, the web proxy goes out and grabs it, scans the website, scans whatever might be coming down from the website, and then tells the end user: yes, that's nice, okay, here it is; or no, it was bad and you're not allowed to go
to it. Then it will alert, because if you're supposed to take that, you know, link block, you can do all sorts of things, but also it tells you what the end user is doing. Will it get to you with the web proxy fast enough? That's another thing: the web proxy isn't 100%. Sometimes it'll just go, and it'll get so fast, because it's overloaded, that it can't block in time. So it's a great thing to have, and it's breaking out blocks off of it as well.
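The one-credential-set-at-a-time check the talk describes, as an added example that is not the speaker's code: it replays constructed logon events, flags a credential that logs onto a second host while it still has a live session elsewhere, and reports documented service accounts at a lower severity so the SOC can tell them apart. The log format, host names and service-account list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Documented service accounts: expected to be logged on to many hosts at once.
# Placeholder names, constructed for this example.
DOCUMENTED_SERVICE_ACCOUNTS = {"svc-backup"}

# Constructed authentication log lines: "<ISO time> <user> <host> <LOGON|LOGOFF>".
SAMPLE_LOG = """\
2019-06-08T09:00:00 alice WS-101 LOGON
2019-06-08T09:02:10 svc-backup WS-101 LOGON
2019-06-08T09:02:11 svc-backup WS-102 LOGON
2019-06-08T09:05:00 alice WS-102 LOGON
2019-06-08T09:05:03 alice WS-103 LOGON
2019-06-08T09:20:00 alice WS-101 LOGOFF
2019-06-08T09:30:00 bob WS-104 LOGON
2019-06-08T09:45:00 bob WS-104 LOGOFF
2019-06-08T09:46:00 bob WS-105 LOGON
"""

def parse_line(line):
    ts, user, host, action = line.split()
    return datetime.fromisoformat(ts), user, host, action

def find_concurrent_logons(log_text):
    """Return findings for credentials that log on to a new host while still
    logged on elsewhere. Documented service accounts get severity 'info';
    everything else gets 'alert'."""
    active = defaultdict(set)   # user -> hosts with a live session
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = parse_line(line)
        if action == "LOGOFF":
            active[user].discard(host)
            continue
        elsewhere = active[user] - {host}
        if elsewhere:   # same credential set already live on another machine
            severity = "info" if user in DOCUMENTED_SERVICE_ACCOUNTS else "alert"
            findings.append({"time": ts.isoformat(), "user": user, "new_host": host,
                             "already_on": sorted(elsewhere), "severity": severity})
        active[user].add(host)
    return findings

if __name__ == "__main__":
    for f in find_concurrent_logons(SAMPLE_LOG):
        print(f"{f['severity']:5} {f['time']} {f['user']} -> {f['new_host']} "
              f"(still on {', '.join(f['already_on'])})")
```

On the sample log, bob produces nothing because he logs off WS-104 before logging on to WS-105; alice's two overlapping logons are the propagation pattern the talk wants blocked.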
So, the seeds are planted. Practice: have a baseline of both, so that when something weird happens you automatically know what appliances you have. Back up frequently; back up all your networks, your router configurations. That's something that people don't think about backing up. Do that, because if the adversary got onto a router and stripped your router configurations, how hard is it for you to think, you know, 10 years ago I put this thing in, I think, what did the communities I run it for need? Back that up. Have security measures in place; that seems like a no-nonsense thing, but you would be surprised. When we talk about communication channels, a lot of network admins have that gap right here:
you didn't know port 389 is open on it. Now plan: have a documentation plan, plan for responsible remediation, okay, we understand what that means. Have a documentation plan for network and client change, because when your SOC is going through and looking at why this IP is going to this, and it wasn't doing it before, they can go to your network admin and ask what happened, what changed, and go to the change documentation: okay, it's okay, it's not wrong, you know that. Change documentation is key. First off, have a disaster recovery plan and practice that plan. This is one of those things that we practiced quite a bit when I was with the state; we did it once a year, and
we would have role-based roles, which is really good, but we had to have them planned out; we had to know who was doing what when it happened and what was prioritized. For disaster recovery, do I need to bring up the web server first, or do I need to bring up our SMTP server? Which one needs to come up first? Have this prioritized in the plan, and practice: you need to do drills, maybe once throughout the year, and you do it over and over and over again, and those weak points stand out. So pressure your network for how to get a plan in place to mitigate, plan for that mitigation, practice, and see the mitigation come into
effect. That's the cycle that you can go through when you're looking at your networks.
You don't have quite a bit of cross-platform in one botnet; you don't see a lot of variety, because those IoT devices are some kind of different creature, because, yes, they have different operating systems, and in the firmware you see a lot of C. Why Mozilla? I'm not sure what they were doing before; at the beginning of it they were using IE, they were using Internet Explorer. I don't know why Mozilla; I think a lot of the reason is because businesses are standardizing, and so it's a useful user agent within an enterprise. That's what I think.
Yeah, CPU cycles. So what they'll do is they'll take the password
Oh yeah, it's modular. A botnet like that always falls back to some password guessing with a different password, easily, yeah.
He doesn't have a