
Realigning From Chaotic Evil

BSides RDU · 2019 · 42:42 · 21 views · Published 2019-10
Style: Talk

About this talk
Cinema, 1:50 PM, 45 min. Speaker: Joe Schottman. Realigning From Chaotic Evil.

The talk uses AD&D (Advanced Dungeons & Dragons) as a metaphor for the problems that corporations and other organizations create by having incorrect metrics and incentives for different teams, and for the need to realign them to solve those problems. The AD&D theme provides a variety of jokes and clip art throughout the talk, but enough background on the game is given that the audience does not need to be familiar with it. The first part of the talk examines common incentives and goals for offensive and defensive security staff, as well as for other groups they often interact with such as developers and operations; some of the common ways they end up working against each other to the detriment of security; and how to fix it. The second part delves into using individual sections of the MITRE ATT&CK framework to create manageable, granular tests that offensive and defensive teams can work on together in order to effect positive change in a unified way. The talk closes with a brief detour into video game terminology, using the concept of tanking (players whose characters take the brunt of the damage but are often relegated to the less exciting parts of the game) to discuss how junior SOC analysts often do a substantial portion of actually keeping companies secure, and how security as an industry should do a better job of respecting and supporting them.
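As an added illustration (an editor's example, not code from the talk or the speaker): the abstract's idea of a small, granular ATT&CK-style test that red and blue run together, applied to the SQL injection point made later in the transcript, namely that a detection rule which only looks for `1=1` misses every other tautology an attacker can write. The payloads and benign inputs are constructed for this example, the technique ID T1190 (ATT&CK's "Exploit Public-Facing Application") is my choice of a real technique to hang the test on rather than anything the talk names, and the two rules are toy stand-ins for whatever a SOC actually runs.

```python
"""Added example (not from the talk): one granular purple-team detection test.

The red side supplies a handful of SQL-injection tautology payloads; the blue
side supplies a detection rule. The test reports what the rule missed and what
it flagged wrongly, so both teams can fix that one gap before moving on.
All sample inputs below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed red-team payloads. Only the first uses the textbook 1=1 tautology.
RED_PAYLOADS = [
    "' OR 1=1 --",
    "' OR 2>1 --",
    "' OR 'a'='a' --",
    "' OR 10<>11 --",
]

# Constructed benign inputs a real user might type into the same field.
BENIGN_INPUTS = [
    "alice",
    "O'Brien",
    "order id=42",
    "1=2",  # a literal comparison, but not a tautology, so it must not fire
]

# Blue-team rule 1: the naive "look for 1=1" rule the talk describes.
_NAIVE = re.compile(r"\b1\s*=\s*1\b")


def naive_rule(user_input: str) -> bool:
    return bool(_NAIVE.search(user_input))


# Blue-team rule 2: flag any comparison between two literals that is always true.
# A literal is a single-quoted string or a number; operators are the SQL comparison set.
_LITERAL = r"('[^']*'|\d+(?:\.\d+)?)"
_COMPARISON = re.compile(rf"{_LITERAL}\s*(<>|!=|<=|>=|=|<|>)\s*{_LITERAL}")


def _literal_value(token: str):
    return token[1:-1] if token.startswith("'") else float(token)


def _comparison_holds(lhs, op: str, rhs) -> bool:
    return {"=": lhs == rhs, "<>": lhs != rhs, "!=": lhs != rhs,
            "<": lhs < rhs, ">": lhs > rhs, "<=": lhs <= rhs, ">=": lhs >= rhs}[op]


def tautology_rule(user_input: str) -> bool:
    for lhs, op, rhs in _COMPARISON.findall(user_input):
        a, b = _literal_value(lhs), _literal_value(rhs)
        # Only compare like with like; a string-vs-number comparison is left alone.
        if type(a) is type(b) and _comparison_holds(a, op, b):
            return True
    return False


@dataclass
class TestResult:
    technique: str              # ATT&CK technique the test is filed under (T1190 here, my choice)
    rule: str
    missed: list = field(default_factory=list)        # red payloads the rule did not catch
    false_alarms: list = field(default_factory=list)  # benign inputs the rule flagged

    @property
    def passed(self) -> bool:
        return not self.missed and not self.false_alarms


def run_detection_test(technique: str, rule_name: str, rule, payloads, benign) -> TestResult:
    """One granular test: does the blue rule catch every red payload and nothing benign?"""
    result = TestResult(technique, rule_name)
    result.missed = [p for p in payloads if not rule(p)]
    result.false_alarms = [b for b in benign if rule(b)]
    return result


if __name__ == "__main__":
    for name, rule in (("naive_1eq1", naive_rule), ("literal_tautology", tautology_rule)):
        r = run_detection_test("T1190", name, rule, RED_PAYLOADS, BENIGN_INPUTS)
        status = "PASS" if r.passed else "GAP"
        print(f"{r.technique} {r.rule}: {status} missed={r.missed} false_alarms={r.false_alarms}")
```

Run stand-alone, the naive rule reports a gap on three of the four payloads while the literal-tautology rule passes with no false alarms on the benign inputs; in the talk's terms, that is the point where the red tester sits down with the analyst and explains why `1=1` was never the thing to look for.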
Transcript [en]

Whoo! So our next speaker here for you today is a security analyst and former wizard eaten by a rat, but it looks like he got better. Joe Schottman is an application security focused security professional with experience ranging from web application development to purple team engagements. He has spoken at regional and national conferences on threat hunting, web shells, purple teams and more, so he's going to be talking to us about Realigning From Chaotic Evil, and as a speaker for BSides RDU we just want to show our appreciation with a sneaky book to you.

Good afternoon. Is the volume good all the way in the back? Great. So, about me: I got the introduction already. You may have noticed from the title I am not just a security person, I am a geek. I've done pretty much a little bit of everything in IT at some point. I started in web app development and system administration, did DevOps, then I've done just about everything in security at some point, so it's given me a variety of perspectives on the different incentives that we have in this industry. You can add me on Twitter; I don't really post much, just kind of sarcastic comments on other people's posts. You're welcome to add me on LinkedIn, I'll add just about anyone. The obligatory disclaimer: I am not speaking on behalf of BB&T, Truist or any other entity; all opinions expressed are my own. I'm a stickler about using images with permission, so everything's cleared. An additional disclaimer: I am not just talking about my employers past and present, so please don't take the takeaway that "I should never work with Joe because he works at terrible places." A lot of this is gathered from stories, often gotten from friends working in most of the big companies in the area and in industry out in Silicon Valley, that sort of place. And the last disclaimer: I'm not actually a D&D guru, and if you are, at some point you're probably going to start reaching your hand up and saying "you're using that term wrong." It's just sort of a metaphor, so bear with me and don't correct me. I played a brand X ripoff of D&D in my misguided youth, so I use the terms a little bit differently.

So why am I giving this talk? There is a big threat that I've seen a lot of industry research on that I wanted to update you about, and that is orcs. You see here in the Gandalf Magic Quadrant there's a number of things: there's COBOL and Windows XP still hanging out as the undead, Kubernetes is coming up, but really in the upper right hand corner, the leaders, big teeth and sharp pointy things, we've got orcs. So really, why did I choose this as a talk at a security conference? I

started with the very typical thought of "we need to realign the synergies of how we incentivize things in security," blah blah blah, and if I submitted that as a talk how many people would have actually shown up? But if you want something a little bit more InfoSec as a title, you can think of this as "social engineering your way to security success." A lot of people have the technical parts of security nailed; they can do the defensive stuff really well, they can do the offensive stuff really well, but if you don't know how to communicate with the other sides, your counterparts, whether you're working as a contractor or whether you're working as someone who's part of the main company, you need to engage with the other sides effectively. And I've seen a lot of people making mistakes in how they do that, because people assume that what motivates them motivates everyone, and that's not always true. And the big problem is that corporations, companies, organizations, what have you, often don't align the incentives that are given to people, the things that affect their raises, their bonuses, whether they get praised internally, that sort of thing, with what's actually needed for security. So these are some ideas on how to fix that.

So I've got a dear friend who worked with a guy that he got very, very upset about, because this guy would pick out the projects that management rewarded people for working on, he would only work on those projects, and anything that he knew management didn't really care about he did zero work on. This made my friend very upset; he thought that this guy was a ..., and obviously doing that to the extreme is probably kind of problematic, but if management doesn't actually recognize what needs to be done and reward people that do the necessary work, that's a management problem. So very often people do what you incentivize them to do. This may be counter to security, this may be counter to stability, this may be counter to everything good that you want as a corporation or organization, but if that's what's going to get them the ten thousand dollar bonus, the twenty thousand dollar bonus, what have you, they're going to do that. And there's other factors too; you know, people have pet projects, they will pursue certain things doggedly because they love a certain platform or a certain application, so it's not always about incentives, but within the corporate structure it very often is.

So if you're not familiar with D&D or AD&D, which is Advanced Dungeons & Dragons, it's a fantasy game; it's a collaborative form of fiction, basically, that's mediated by dice. So people come together and tell a story, and when

you need to figure out what happens you roll some dice and figure things out. It was inspired by Tolkien's Lord of the Rings mythos, which as we know is about a guy that gets corrupted by the One Ring. So this popped up the other day, and it's a little introduction to what alignment is.

I thought it was a fun little thing. Oh, also, as a side note on D&D, it's seeing a rebirth right now because it's been featured prominently in the Netflix show Stranger Things, which I'm not actually familiar with, but a bunch of people came up the previous time I gave this talk and said "yeah, my kids love Stranger Things, I play D&D with them," so it's kind of neat seeing this come back from the 80s.

So what is alignment within the system? Good implies you're altruistic, you value life, you're trying to do things right within a fairly typical human ethos. That's the defensive people within your companies, you know, the blue team, the people monitoring the SOC, hopefully your developers; all of them have the best interests of the company at heart. Evil is all about doing what you're not supposed to be doing. This could be a malicious insider, it could be an insider who just doesn't care; they're burnt out, they're stressed out, and they're doing the bare minimum to get by without actually doing what it takes to keep the company safe. Or it could be outright evil: this could be foreign companies, foreign countries trying to get into your company's defenses, that sort of thing. Then also within the good and evil you've got lawful and chaotic. So you can be lawful evil; this might be someone working for the Russian government who obeys the Russian laws, they obey the rules that they're supposed to, they clock in in the morning and they do that sort of thing, but they are evil because they're coming against you, against your best interests. You can also have pure chaos; you know, it's all about the lulz, it's about the fun. A chaotic evil person might just be doing things to destroy things, wiping files, getting lots of money. A chaotic good person, again, this might be someone who's kind of there working for your company, they're a little burned out, and they're not doing what they're supposed to do, and they're a force that kind of spins around. Especially within

state governments, where people often can't be gotten rid of, I've seen people kind of bounce around and disrupt whatever department they happen to end up in for a while, and then they get pushed out to the next one, and they're just a force of chaos within the company or departments.

So when you're putting together a group of D&D players you want to have players with kind of similar motivations. Borrowing from the Creative Commons, I found someone did some fun illustrations using Lego characters. If you have a good character who is a priest who supports the forces of light within the game and obeys all the laws, and you throw in a necromancer, you're not going to be able to tell a good story together, because the players are going to be fighting against each other rather than working with each other to make this collaborative story. This is what you should try to avoid when you're putting together people's motivations.

So as a brief aside, when I say red: there's a technical term in the industry for red team that I like, which is when you're actually simulating an advanced attacker. This is commonly misused; a lot of people use red team as general pentesting. In the context of this talk, red just means offensive security, so it could be anything from running vulnerability scans all the way through doing actual red team exercises. The red team, or offensive security, is simulating evil: you're doing things that shouldn't be done to the applications, to the systems, but generally you're doing it as somebody who's been authorized to do so. It's the fun part of the industry. Generally when I talk to someone and say "I do security," it's "oh, you hack things?" Yeah, because no one says "oh, do you work in a SOC?" That's the really fun part of the job, and so I think that one of the problems we have as an industry is we give too much respect to offensive security and not enough respect to defensive security, and we'll talk a little bit more about that later.

So from the defensive side, because I've been on the defensive side, when you're getting the security report from the pen testers it can feel kind of like this: you know that there's something bad lurking out there and you're going to get smacked down, your management's going to come down hard on you, and it doesn't matter how hard you work; in a large enough organization there's going to be some risks that are going to be exposed by a test. So some common things that seem to incentivize the defensive side: it could be objective based, it could be "get shell," "get root access on the system," "get domain admin," and it could be generating really scary reports that say "I got three million credit card records that I could have,"

or it could just be "do so many tests this year, this quarter," what have you. As I said, the defensive side is more of the good side of things. This is commonly referred to as the blue team. It could be a SOC, which is Security Operations Center, and analysts; it could be people doing threat intel, forensics, malware analysis, that sort of thing. The blue team is often restrained in what they can do. They're often dealing with long shifts; I know a lot of companies that use three twelves, and that can be pretty grueling to deal with. There's often a lot of training. SOC work is a really good first place in the industry, but you kind of get thrown in with a little bit of security background, maybe, and you're just kind of being bombarded with alerts and messages from systems you don't really understand, but you know that you're supposed to respond to 20 of these a day. It can be hard to advance; sometimes there's not always a good pathway forward once you get started on the blue team path, and there's not necessarily a playground set up that you can start learning some of the hands-on offensive security parts in. And depending on your organization, the analyst side may also have a lack of funding, and some of the really good tools like SIEMs, the search engines that go through terabytes of data, can be really expensive to license, so management may not be willing to provide that for the blue team, so that can be a frustration.

So they're often differently aligned. In a large corporation the blue team and red team often have completely different management structures, so not just their team but the people they report to, and the people they report to, may have completely different things that they're incentivized to do by the company. Some common metrics I've seen for blue teams: it could be the number of tickets closed. This can create a perverse incentive, where if it's actually a percentage of tickets closed, if you open fewer tickets you can have a much higher hit rate. It could be the reaction time to alerts, or the really big one, especially for the high-level executives, is not appearing in the news as having been hacked. That's a really important metric for many blue teams, and if you fail at that one, that may be a career limiting move.

So if you have these different incentives coming together, the blue team, and this is where I got the title of this from, may see the red team as a force of chaotic evil, and I'll expand on that in just a second. But I'm also going to throw in people like operations and programmers here. Security only creates problems for them, so every time a security guy comes in and says "you need to do this extra thing," it's taking away from some other

responsibilities that they have, which is probably what their bonus depends on, so you need to balance what you do working with them. If you come in just smashing things, causing problems and being completely unsympathetic to them, you do look like chaotic evil, because at that point there's not much difference between you and an external attacker as far as affecting what they're getting paid to do. The red team often sees the blue team as being too tied down. The blue team tends to be a lot less flexible. There's the good side and bad side of things: the blue team often has a playbook, that is a strict set of things that you're supposed to do, and they execute that playbook when something happens, but very often they're supposed to do exactly that sort of thing, and the red team will say that's a problem because you're not flexible enough.

So a few of the other incentives I've seen in corporations: developers very often are incentivized by adding new features rather than stability or security. At a previous company I worked at we had a big stability problem for quite a while, where the developers would do a software release and stuff would crash and crash and crash, and people would be paged all night. So in that case we actually did realign the incentives, because we put the developers on the pager duty also, and strangely enough, when they started being woken up at 3 o'clock and 3:20 and 3:40, the code stability got a whole lot better. So that wasn't security related in this case, it was just general stability, but it was a case where management did step in and say "we have a problem, what can we do to realign those incentives" and make an actionable difference. And it did.

Operations: so if you're not familiar with D&D, this is a basilisk; it turns people, of course, into stone. They're often incentivized by uptime or speed to deployment rather than security, so operations generally doesn't like change. If something's working they want to keep it that way. They don't necessarily want you doing security testing on it. If you do find something in security testing they may say "well, that doesn't actually need to be fixed," because if their bonus is based on how many nines percentage uptime they have, if you make them take something down and spend an entire weekend doing reboots to get things fixed, that affects that. And management: they're often incentivized to just not hear from security at all. Other than consulting companies, security doesn't bring in money, and management usually cares about bringing in money. So, and I'm exaggerating a little bit, good managers do pay attention to security because they know that there's an impact if there's a breach, if they get owned, if they hit the

news, but very often if they think things are fine they may stick their fingers in their ears and try not to hear from security very often.

So I mentioned the nines a second ago. If you're not familiar, in the sysadmin world there's the nines of uptime, so two 9s would be 99 percent uptime, three nines is 99.9% uptime, and five 9s is 99.999% uptime, and that's something that's very often thrown out there. These are photos, a photo of my actual dice from my misspent youth; that is a rare 30-sider, which was hard to get back in the day before the internet, and I traded pretty dearly to get that. So one of the companies I worked at decided that they should have five nines uptime for the storage, and that's what the people were incentivized to do, so they bought some very expensive storage that had five nines uptime. It was down for something like 15 minutes a year, if that, but because it was so expensive we ran out of space constantly, so about once a week no one in the company could get work done for a while until we went through and figured out some files to delete. But that wasn't what the sysadmins were incentivized to care about, because that one metric is what they were told to care about by management. So this is another example, in the other way, of where an incentive went poorly for the company.

So a lot of the big picture here is beyond our ability to change as practitioners. You know, management, especially senior management, can start to do some of this, and part of what I'm here to talk about is to tell people to tell their managers to change this sort of thing, but also to think about the different incentives that come together. If you can weave a narrative based on what incentivizes different people, and this could be about fixing things, this could be about getting funding, getting training, that sort of thing, if you know what they care about and you can tell the story that makes them care about why you get this thing that you're going after, that will give you a better success rate. That's some things that we can actually do. I'm going to get a little bit more hands-on with some practices that I have put into place.

So a lot of D&D adventures start in the tavern; you know, it's a good place to throw random characters together, and it gives them the excuse to start talking, and then someone comes up and gives you your quest. I get a lot of value out of doing lunches with people. I do lunches with people on the same team I work on, with people on different teams within security, in completely different

groups, like going out and talking to accountants. They have completely different views about how things work at the company, and sometimes you get really good intelligence out of that. And also going out talking with vendors, staying topical, and vendors will often buy you lunch as part of this, so you can take advantage of that a little bit. And it also helps build camaraderie: if people like working with you, if they think of you as a human, if they know that you've got four kids or you do mountain biking, whatever it is, you're not just some security person coming in and breaking stuff, you're someone that they want to help. That's just human nature, and that goes back to the social engineering part: the more likeable and approachable you can be, the better results you're going to get as a security practitioner.

And you can use this to recruit new members for your party. So I know someone who started doing lock picking classes as a little fun extra within his company, and people got really fired up about that, and that turned into really good sources of intelligence about what was going on inside the company. So he dealt with, among other things, physical security, and there was an admin assistant who got really into picking locks, and she started saying "oh, you can get around the security gates here, here and here," stuff that he didn't have the time to do, going out and checking every single door. But by recruiting her as someone to help him, even though that wasn't how it was sold to her or even his initial intent, he got a lot of value out of that.

So there's also the concept of security champions. This is especially big within development. So D&D has multiclassing: you have a class, so you might be a fighter, a wizard, magic user. Generally most people start with one thing, but as you get more experience with your character you can start doing two things at once. So you can start recruiting people to be your security champions within development or even operations, where you give them training, you give them additional incentives based on keeping things secure, and they spread knowledge within the application development teams. It's not practical to get everyone doing development at a master's level of security, but if you have that person saying "okay, here's a great baseline, here's how it will help you," because bugs get progressively more expensive to fix the longer they go on. If you have a tool built into your IDE, or into your brain, that catches the security bug as you type it, that's almost free to fix. If it gets into your CI pipeline and you have to go back, it's fairly cheap. If it gets to the actual build and then it's starting to be deployed out to test

systems and it has to go back and be fixed, and then you have to redo your user acceptance testing or your integration testing again, that's getting expensive. If it gets all the way to production, maybe there's a breach; that could be millions of dollars just giving out lots of credit monitoring packages to millions of people. So if you can have that security champion working with the developers saying "here's why you care about this and here's how to do it," you can get a lot of value out of that.

So bringing everything together: I talk a lot about purple teams. It's something that I'm a fairly big believer in, because I've seen the blue team / red team models working separately and it typically doesn't work. But if you're not familiar with purple teams, there is no single purple team; it's when you have the red and blue teams incentivized to work together, incentivized, enabled and empowered, all that good stuff. Both sides work with the other, and you get this wonderful feedback loop of getting stuff discovered and fixed quickly rather than working in opposition. And you know, people often say "isn't this obvious, shouldn't we be doing it?" Well, yes, but I've seen very obvious things not happen very often, especially in large corporations, where things are very slow to change, or there's that siloization where they have these completely different management chains I mentioned.

So I push to get the two teams working together as much as I can. So, a focus on detection, which I think might be a better metric that both the red team and the blue team can work towards. So this is the 1-10-60 framework; it was created by CrowdStrike. The idea is that you have one minute to detect an intrusion, after you detect it you have 10 minutes to investigate, and after you investigate you have 60 minutes to react. And they're pushing this because they've got some research they put out fairly recently on the breakout times for APTs, which is a great word to say at security conferences, I know. So according to their research, and they're a little biased because they are an incident response and defense company, if you get hacked by a Russian government group you're looking at 19 minutes before they go from the initial computer they get into to another computer on your system or the network itself. North Korea, they say, is about 140 minutes, and the Chinese, I suspect that there are some Chinese groups that are way up there in the Russian range, but I have no actual proof. And that sounds like a lot, but many people don't detect breaches for months, so by that point they've gotten into your network, they've gotten into different systems, and they've probably gotten to your crown jewels, the things that actually

matter, and gotten them out of your company.

So I've done some purple team engagements where it was more or less a big red team engagement that we were saying was a purple team engagement, and when you're just getting started with this, if you have a large gap you don't get a lot of value out of it, because you find a hole, and then you go on and you do this and you do this and you do this, and the blue team still hasn't seen you get in through the initial hole, and that gets really demoralizing for the blue team, because it's not really collaborative at that point. The analogy I use a lot is you're getting punched in the face, and you know you're doing your best, and there's so many holes, you've been telling management for years that you need to get this thing done, the red team comes in, does exactly what you said that they could do, and then you get blamed for it.

So one of the big things being talked about, probably about 40% of the talks I've seen at conferences this year have at least mentioned the ATT&CK matrix. If you're not familiar, this was created by MITRE. It is kind of an add-on to or a successor to the Cyber Kill Chain (TM) by Lockheed Martin, and what it does is it takes the concept of the different phases of attacks and breaks it into granular segments. So I will not read all of these, but basically it is top-down, left-to-right, what an attacker does once they start getting into your network, and really what you care about is how they get in, and then impact at the end, and all the things in the middle are important. As with security, this is a great thing to push left on, if you assume that left is the upper left, because each one of those is progressively cheaper to detect and stop as you move back from impact. So by the point that they're already doing exfiltration you've lost the game; that's very expensive to recover from. If you can catch them doing defense evasion, that's reasonably cheap. If you can catch the initial access, that's the cheapest you're going to get.

And you can find this online. This is actually a large enough screen that you can probably read some of it. So this is an example, but each column actually goes way down to the bottom; this is just what I could fit on the screen. And so there are examples: the execution may be a compiled HTML file that has JavaScript, it exploits Java, exploits Internet Explorer, privilege escalation, the AppCert DLLs; it's taking advantage of Windows not having great security. And so it's specific ways that attackers are known to do these things. So each one of

these, those are links; if you go to the actual ATT&CK matrix, it will say who's known to use them, so the big APT groups that are known to use different things, and it gives examples of it. There's some hands-on examples they've got in it; MITRE themselves has an emulation program that will do various parts of these segments. I'm not going to go too much deeper into it, but if you're fired up and want to learn more, they're actually doing a conference that is online at the end of the month, and it's free to attend on the online streams, so I would definitely recommend checking out at least some of those if you want to learn more about the tech.

And so what you can do is start building: you take that chart and turn it into a heat map and say "here's what we can detect, here's what we can't." Well, you can start first and say here's what doesn't apply to your environment. So if you're an OS X shop and a Linux shop and you have no Windows, you can take all of those things that are Windows specific and eliminate them. It's also a framework that you can add to, so if you find that attackers are actually doing something that is not part of the framework, you can add it to your personal framework. You can also submit it to them, and if they validate it they will add it. So you can go through, figure out what your best choke points are, where you've got the best visibility into what people are going to be doing, and start going through and saying "okay, here's what we can detect, here's what we can't detect and should be able to." And you do a small granular test, rather than doing the big red team test where it's getting domain admin and getting the credit card numbers out of wherever, what have you. It's just: okay, we found a gap, let's stop and work on it together. Once you can detect it, then do you have a playbook? If you don't have a playbook, work on one. In some cases the attackers can explain, hands-on with the blue team, "here's how this attack actually works."

So a common example of when defenders don't know how the tech works: SQL injection. A lot of people use the 1=1 as part of the logic within SQL, so a lot of people wrote rules that said "okay, look for 1=1." That doesn't actually solve the problem, because you can use any sort of logic there. It's having the attacker go to the defensive side and say "no, that doesn't actually make sense, here's what you need to be looking for." That's when you can start getting the effective defenses. After you have the effective

defenses set up, do you have the playbook, does the playbook work? And just go through, pick out the places where you can detect the attackers cheaply and easily, and also look for that exfiltration, because that's the big one that you need to worry about.

Alright, I went through some of this already. A big part of it, like I said, the blue team, you want things to be repeatable because it has to be reliable, especially if it's a large corporation; how you respond day-to-day shouldn't vary on who's working that day. I've seen some people advocate for having people in the SOC have different toolkits, so one person might be using completely different tools than the other; that person goes on vacation, the other person doesn't know how to use that tool, that's a bad situation. You need reliability and repeatability for the defensive side, but the red team can help ensure that these actually work properly. So the two teams can share information back and forth; both sides know things that the others don't and have experiences that the others don't. They use different tools, and you know, the defensive side's probably heard of Metasploit but may not know a whole lot about it, the attackers may have heard of Splunk but they may not know a lot about it. By having them work together you can get better results.

One of the things I always say is the bad guys have an almost infinite amount of time; they can spend weeks, months, even years in some cases if it's a really high value target. Very often a penetration test might be scoped for a week, two weeks, maybe four weeks if you're lucky, so everything you can do to cheat, or, I've been criticized for calling it cheating, but everything you can do to make it more effective, that's what you can do to take advantage of it. And getting that internal knowledge from the developers, from the sysadmins, from the blue team, that lets you do a much more effective pen test more quickly and get better, more accurate results.

So on the web application side of things, as a defensive web person, I know that with a large application you have to do a lot of scanning, because it'll have hundreds or thousands of pages and thousands, if not tens of thousands or hundreds of thousands, of variables, and finding which one of those actually has a vulnerability, if you do it manually you might get lucky right off the bat, but you probably don't have time to do it all, so you have to use an automated scanner. If I share that information with the defensive side they can start taking steps to prevent this. So as a programmer I can say if I detect SQL injection, or really any kind of

attack just drop the session if you as the attacker have to go and log in again every single time it catches you doing something that's an attack whether it works or not that's a big pain point if they really care about you if there's billions of dollars on the line they may keep going but a lot of time you just have to be faster than your friend that's running with the in front the bear with you on the same side like it's not just on the programming side as a defender I can put in waffles that do the same thing that dropped the session or caused the session to be terminated so but had I not worked on the defensive

side, I also wouldn't know to tell the defensive side that these capabilities exist. So in this case it's things I've done on both sides of the fence, but if you haven't, work with your counterparts and see what can be done to make each other's lives easier and make the attackers' lives more difficult. I advocate for setting up a cyber range. Like I said, the hacking part is the fun part; everyone loves doing this part, and having an environment set up within the work structure where they're given time and access to systems that they're given permission to hack, especially like taking web developers who don't understand what cross-site scripting is, don't understand what the impacts can be, and letting them actually run some attacks, can be really eye-opening. And with the SOC staff, give them the context to understand what SQL injection is, because a lot of the time they just know that this tool is saying there's SQL injection, or even worse, that there's a one-equals-one attack. Letting them see that you can actually use SQL injection to get all the credit cards out of the database, or in some cases, if they have command shell enabled, that they can start running commands through the web interface using SQL, that can give them a context of understanding: oh, this is what I need to be really caring about when there's an alert that comes in for this, versus a low-impact alert that might be popping at the same time. And giving them the training also gives them a career path. Every time you have someone on the blue team leave because of lack of advancement opportunity, they're taking great domain knowledge about your company, about your systems, about the problems that are going on there; that's very expensive to replace. So if you give them a career path where they can go from that low-level analyst position and start doing some of the more fun, better-paying and glamorous positions, that's a big help in my opinion. And having people actually pair up, do side-by-side engagements, riding alongside, that can be really eye-opening. When someone's saying okay, I just did this attack, did you see it, and they're saying right there, you can start going back and forth really quickly and finding these holes and start plugging them. Part of what the red team needs to get out of this is how are the defenders going to react when this is detected, because there's often ways around the defenses, so when they see the playbook being executed and what's catching them and what's not catching them, they can start thinking of more evil things to do to get around that, and then provide feedback on how to fix the playbook. At the same time the defenders, the common term in the industry is TTPs, tactics, techniques and procedures, they see what the bad guys are often doing. One of the big things in the field right now is adversary emulation, where you'll take a group that you think might be attacking you and go look up what they're known to do as part of their attacks and try to emulate that specific adversary as closely as possible to see how your defenses are. So the red team doing that research, deploying tools, showing them exactly how the bad guys are doing things and why, that can be really eye-opening for the blue team, and they can start coming up with how to make defenses for that. So you can strive for similar synergies, you know, try to get the management on board with this, so

like I said, I like the MITRE ATT&CK framework. If both the red team and blue team are incentivized based on taking that heat map and turning it green, rather than on things that don't actually matter, that don't actually increase security, then you can start delivering some real value for the company. Pushing the application testing left, if you can get the developers involved, get things built into the CI pipelines, the earlier you can catch stuff the cheaper it is and the more effective you're going to be. You can tell the developers this is what you need to be logging; very often application developers don't think in terms of security context as far as what they log, so they may not be logging the actual IP. So a common situation that pops up with complex web applications is the IP address you get in your logs is the load balancer that's talking to your application server; there's a separate header, X-Forwarded-For, or if you're using something like Akamai, Akamai provides a different header that is the actual end user's IP address. But in cases where you're trying to do analysis and trying to figure out what's going on, and all you know is that your load balancer is attacking you an awful lot, there's no way to actually trace it back to who was actually making the attack and see what else they were doing. So giving that information to the developers, of here's what we need to know as the blue team, here's what I'm afraid of getting logged as the red team, that can let them make sure that things actually get logged. As an attacker I tried really hard to only demand remediation of serious issues. A lot of it, especially the scanning tools, will find on an application sometimes hundreds, or on large applications thousands, of unimportant vulnerabilities, vulnerabilities where there's no effective way to turn them into an exploit; it's just a violation of best practices. If you're doing vulnerability management using something like Qualys or Rapid7's or Nessus, you can get many, many things that may not actually have any impact on that system. If you narrow it down to just what actually matters, make them fix the things that matter but don't hang it over their heads if they can't fix the things that don't, that gets them more on your side and lets them do other things, actually bringing in the money. For working with web application developers, if you can deliver bugs into their bug tracking system directly in a usable way, that saves them a lot of time. It lets their management see numbers of bugs caused by security issues, which lets their management create incentives to actually code securely, but it also works better than, so, you email this project manager and say that there's a problem here and send them a report, and you can look in our bug/defect tracking system here to see it, and then they have to take that, they cut and paste it, and they may miss something; that's really hard from the developer's perspective. Giving them the full information natively in a workflow that they're used to, that makes their lives easier and better. And in general, with any sort of security test, assuming that there is any finding, if the pen testers, offensive security, whatever it is, don't take it as an opportunity to help educate the blue team, that's a missed opportunity. So getting towards the end, I wanted to depart to another bit of geekery, so I'm going to talk a little bit about tanking.
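On the load-balancer logging point above (and the drop-the-session-on-detection point earlier), here is an added example, not code from the talk: it resolves the end user's address from X-Forwarded-For by trusting only hops that are our own proxies (the trusted range is a constructed assumption), and builds the event record a SOC analyst can pivot on, ending the session when a detection fires.

```python
import ipaddress
from typing import Mapping, MutableMapping

# Constructed assumption: the address range of our own load balancers. Only hops in
# this range are trusted to have appended an honest entry to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # garbage in the header is never a trusted hop
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Return the address an analyst can pivot on, not the load balancer's.

    Each proxy appends the peer it received the request from to X-Forwarded-For,
    so anything the client sent itself sits on the left and is attacker-controlled.
    Walk from the right and stop at the first hop that is not one of our proxies.
    A CDN-provided header (Akamai sets its own) is handled the same way: trust it
    only when the connection actually arrived from the CDN's address range.
    """
    if not _is_trusted_proxy(remote_addr):
        return remote_addr  # direct connection: the header is untrusted, ignore it
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        if not _is_trusted_proxy(hop):
            return hop
    return remote_addr  # header missing or lists only our own proxies


def record_request(remote_addr: str, headers: Mapping[str, str],
                   session: MutableMapping[str, str], attack_detected: bool) -> dict:
    """Build the event the SOC sees; on a detection hit, end the session.
    attack_detected comes from the app's or WAF's own detection logic."""
    event = {
        "client_ip": real_client_ip(remote_addr, headers),
        "remote_addr": remote_addr,
        "session_id": session.get("id"),
        "attack_detected": attack_detected,
        "session_terminated": False,
    }
    if attack_detected:
        session.clear()  # force a fresh login for every flagged request
        event["session_terminated"] = True
    return event
```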

So if you're not familiar, tanking, this is commonly used in the role-playing games, the massively multiplayer online role-playing games; like, yeah, World of Warcraft is a big one but there's a number of others, and it's also used in some other games. But tanks exist mostly to take a lot of damage. They usually don't get to do the really fun, cool stuff; you know, those are the people who are the wizards and that sort of thing, standing behind them throwing the spells and doing all that sort of thing, and the tanks are there to take the damage in the front, and you know, they swing the sword and they get stabbed, something like that. Well, it's not the cool, glamorous part, and I think that the SOC staff, especially the really junior ones, often exist to do a lot of the grunt work that's not fun, but they're the ones who actually keep the company secure. So I can sit there and do an offensive test, whether it's an application test or a pen test; that doesn't actually make the company more secure until those vulnerabilities get fixed. Day in, day out, if the SOC is doing their job they're making the company more secure; they're doing the actual defense. So I think as an industry we can do better to make them feel appreciated. I think that we should be mentoring them better; this is part of why I started speaking, is we had junior SOC people that were coming to me with questions, and it was the same questions again and again, so I started saying how can I start delivering the information that they need ahead of time so they don't have to come to me and ask. And I like to explain rather than tell; a lot of the tools that they use, it's just throwing information at them, and they know it's a severity 5, which is red, and that they have to do this and click here and do that. Giving them a context of understanding what something does, why it's important, what the impact is, what it can lead to, that makes them feel a lot better; they feel included, and you get better results with that because they feel, oh, people low on the totem pole, they often don't get the big training budget. That's another thing that I think we should start trying to fix, and you know, very often management will say well, if we give them training they'll leave for a better job; well, if we don't train them they're still gonna leave for a better job, so why don't we give them training and give them a better job ourselves? And just saying thanks: it's grunt work, it's unpleasant, they often are going through some very, very boring logs, doing the stuff that isn't very fun, and you can feel really unappreciated, especially if you're doing that 12-hour night shift, you're living in a cave, you don't get to see daylight, you know. Just reaching out as a company and making them feel appreciated I think is a big win. So to wrap up, the takeaways I'd love to have you come away with today: just start thinking about the different incentives that affect both you and your team and others, and how you can start utilizing that to get better results. Going back to the social engineering aspect, we need to take the moment to understand why they're doing something, because there have been times that people have come, they've done things that make absolutely no sense to me, and I get upset, I get angry, and I sat and

considered why they're doing something, and from their perspective there was a very good reason, and once I understood that reason and could rephrase what I needed, I could get what they wanted by expressing it in a way that motivated them, so I got much better results out of that. If you have the power, if you see a negative incentive, get rid of it. Talk with your management; when you do something, ask does this actually increase security or not, because doing the test that has no results, writing a rule in the search engine for the security side, for the defensive side, that doesn't actually find anything, those don't increase security, so think about whether what you're doing has actual business value for your company or not. Break down the silos; share information; get other people outside of security on board with you; make them understand what the impact of it is so they can understand why they have to stop tailgaters coming in, why they can't plug in USB drives. You know, I work in banking; we have mortgage people that have to get a whole suite of documents from people in order to get the post-processing done, and it's very easy to say oh, I'll just go out to Google Drive and download this and stick it on my system. Giving them the knowledge of what the impact is, and giving them the tools and the ability to do it as safely as possible, that's what gives the actual value to the company. And as best you can, take care of the people doing the not-fun stuff; you know, make them feel appreciated and push management to treat them as best as possible. Questions, comments, magic missiles?

Thank you for your time. [Applause]
