
BSides Ottawa 2024 - Day 2 Keynote and Speakers

BSides Ottawa · 2024 · 5:14:33 · 296 views · Published 2024-11
About this talk
Day 2 of BSides Ottawa 2024 features eight security leaders addressing application security maturation, AI in SecOps, data breaches, cyber operations history, threat intelligence, malware impacts on encryption, national security implications, and resilience-security tradeoffs.
Original YouTube description:
Recording of Day 2 keynote and speakers.
00:00 Tanya Janca – Keynote: Maturing Your AppSec Program
57:51 Jason Keirstead – LLMs in SecOps: Hype vs Concrete, Practical Use Cases
1:38:46 Andrew Amaro – Data Breaches and Dark Secrets: The Corporate Side
2:21:30 Alex Rudolph – Following the Digital Snail's Trail: The Short History of CAF Cyber Operations
3:03:24 George Al-Koura, CD – The Value of Contextualized Threat Intelligence in Cyber Defense
3:43:42 Geoff Green – The Effects of Weaponized Malware on End-to-End Encryption
4:23:13 Neil Bisson – Data Breaches and National Security: How Adversaries Exploit Our Systems
4:51:32 Steve Bowers – Don't Sacrifice Resilience for Security!
We would like to thank our speakers, sponsors, content partners, volunteers, and the entire community for making BSidesOttawa2024 possible.
Transcript [en]:

so let's get going so today's keynote speaker is uh Tanya Jenka also known as she hack purple she's a bestselling author International speaker awardwin cyber security expert and a recognized Authority in application security for 28 years it she's trained thousand professionals founded Weck purple and SRE Academy training platforms and currently leads education Community for S so she Remar will include her career includes counterterrorism ort love Stu here securing the Canadian federal election and advocating for safer software worldwide please uh join me in welcoming her to the stage thank [Applause] [Music] you hi everyone I am t as promise um very briefly before we start I wanted to um let me see if this works yeah I want

to talk about Adrian who here knows Adrian he was the founder of this Prides and he passed away this year and I just wanted to very quickly um say some nice things about him so he was the founder of this conference and he loved community and he loved mentoring and he loved bringing people into this field and he was one of my mentors and this is the first conference I ever spoke at in my whole life and I've now spoken at besides all around the world and I remember I came to the bides and they were so welcoming and so wonderful and then Adrian said but you should speak here next year and I was

like are you kidding no way and he's like yeah you should and then he he and a whole bunch of people from oosp helped kind of Coach me and eventually after a few months I spoke at the oasp I did not die like I thought I would um and then I spoke at the JavaScript meet up the payon Meetup all these other meetups and then Adrian announced the internet I was speaking at bides and I had not applied I'm like and then the day came and I was so nervous and so terrified I was like no I cannot do this and he's like don't just go up there he's like I'll be right here I'm like yeah go down there

where it's safe not on the stage where it's so scary and so he came up on stage with me and he stood next to me while I gave my talk and my demo completely failed and he's like F just keep going they just sit there super awkward he's like I don't do a ship it's awkward I don't care I'm here for you and so this person like he was one of my mentors and he cared about community so much and I just want to give a thank you to have thank [Applause] [Music] you okay thanks for going along with me on that and now I want to talk about maturing your upside program so they

told me I have to stay on the stage and I'm not running around past the stage so sorry that there's a table in front but um I want to talk about so I am very interested in the security of software as a software developer for super long time and then I switched into securing software because well basically I I became super fascinated and I I was just like oh this is a way that I can help I still get to be my super extroverted self and talk to nice devs all day and then I also get to smash things and punch them in the face um so I get to be destructive and constructive in the same job I'm like it

was very sweet and I wrote this talk because um so I left the Canadian government in 2017 I joined Microsoft and then in 2018 part-time I joined this company called Ian research and one two three hours a week I consult with these really big companies like really really big like you know their names and I helped their abtec teams improve their programs and after so many years I started spotting Trends and I went through the 400 teams I've worked with and then I've done like lots of Consulting on the side too and I was like yeah there tends to be three abside moduls I see when they need a call because they're having problems and

then these are the steps that I've taken that I've seen over the years work to improve them and if you're thinking well I don't have a giant budget Tanya I can't spend money like insert name a huge company here I have a if you have no money plan and if you have money plan so I've got one foreverone okay so um what we going to talk about today we're going to talk about common application security models uh we're going to talk about why so I feel like this slide is misleading not fail it's more like why am I not getting satisfactory results so I'm paying a fortune for this program while while working our buttons off why are we not

getting what we want so I don't want to say fail but not good is it and then how we can do better that's what this whole Talk's about and then at the end I'll have like a couple of resources that might you um I gave half of you a sticker for the Free Academy and the other half just got a random sticker of me so so you'll all get to C at the end okay so um oh I guess I already told you how I conducted my research as meeting with so many teams for so long so that's where this came from and so uh who am I I'm T cha I'm head I'm head of community

at Sun because they bought my little company which was very nice of them I'm known as JX purple I've written two books now so my second book comes out in February um I actually made a card game recently called ABS Antics and it's like um a party game so perhaps last it if I had thought to do that I have one in my bag in case anyone wants to play it it's like Cards Against Humanity but not offensive but still funny okay so it is offensive against security but not against people um so I I I started some stuff and I advise some people and I I do some research this is enough about me you're like that's good

I want to talk about maturity right so we as an industry are working superbly hard we working really really hard but we're not getting the results that we all wish we could get right like I don't want my mom to be like did you hear about this rage I don't want the normals to know because we're making such big mistakes I want us to stop making giant mistakes I want us to stop having data breaches and giant attacks I want us to win and I feel like we're working really hard some of us are winning and some of us aren't and some of us are only winning cu no one spotted all of our giant pools yet right and so

I want us to mature and right now we have a couple application security Frameworks that exist and I wanted to briefly address why I almost never use them and so there is a was Sam there's Bim there's n and now there's one called DOA which I think is a big nice step in the right direction but essentially these are extraordinarily expansive Frameworks and if you have a team with 20 plus applications so who here has an abct team with 20 or more people okay so I saw one hand and it was kind of like okay so most of us um so I made some teachers that say I am the ABAC team because most team are one person

right exactly a lot of us are like hi I'm the ab Team all of me and I also am in charge of infrastructure um and so as a result we can't do this we also need millions of dollars to even think about doing one of these um it costs so much money it has so many different things it's very very comprehensive expansive exhaustive even but when I show one of these to a client they look at me like I'm an alien and they're like well that's impossible so could you tell me a real solution and so that's why I created my own framework over the years and you can totally adopt any parts you like and you don't have to do any of it

if you don't want to but um I just want to say I respect these Frameworks but they're too big for most of us like if you're Walmart maybe you could do this because you have all of the money in the world but for the rest of Morin that doesn't work okay so on to the models this is my favorite ISO model yeah it's the best we should have more kitties and our models anyway okay Bond models okay so that's oh also no so I AI in order to make um most the images for this presentation and it's weird and so throughout the presentation you're going to see someone that like their arm is backwards or they have a whole bunch

of arms or for some reason they have a suit with no sleeve um and that is the AI just being fun and so you can feel free to laugh at those okay so the first model I like to call let's pentest the important stuff only and as you can imagine this model is where we has just the important stuff so it's very common so I don't get approached very often when people are doing this model because when people engage me they're usually at model two or three um this is but I saw this a lot in the federal government I saw this a lot um with medium and small businesses smbs as people call them I still see

this with lots of Enterprises I have worked with lots of companies that you know their name and they are starting their first absite program this year so I'm glad they're starting but late um so usually they have no formal system development life cycle so we're doing agile we're doing waterfall we're doing devops or we're saying we are but really we just have a CI and sometimes we use it um we have a scrum meeting so we're pretending we're agile there's all sorts of options and they're all over the place right there's a mixed Tech stack so we're doing job we're doing not. net we're doing Ruby I do code ql I do this I do that everyone's

I'm going to do mongod DB cuz I want to be different and I'm you need Snowflake and for some reason I'm allowed um there's code everywhere so there's not one depository there's 20 and they're all different ones and um everyone's doing their own thing and that is the worst if you're trying to do security that sucks so bad why is this model bad so you have almost coverage right cuz you're just pesting your two super important apps and blowing all your money out that um you're well there's a hundred reasons this Mod's that but in my opinion the absolute worst reason is that you are not investing in any of your teams so pestor comes in they're all brilliant and smart

and they they tell you a bunch of things that are wrong the devs fix those things and maybe they'll learn a little bit from that one report that one team the rest of the teams get nothing no one's being taught there's no tools so that they can do better next time every time the pester comes in and it's a knock out because they've had no support and so we are not winning with this model and we are spending um so how do we mature this model so I have two plans so this is going to start with um a bunch of things and then I'll I'll show you some free things as part of it so secure coding

training if your team rates code they should write secure code if they're designing apps you want secure design stuff so this could be buying a book this could be holding lunch in learns this could be hiring a trainer this could be computer Based training at the end I'm going to give you a link with a free secure coding training course that I made and it's just free there's no upsell although they do add you to the newsl I do what I can okay so now the no budget plan okay so we have no budget we have time what can we do we can use free tools so I really like zap and burp so bur's 500 bucks and in the world of

information security that's basically free right so if you $500 we can do that um and then there's lots and lots of free static analysis tools so we can do Dynamic and static analysis for free or almost for free um for instance like so there's there's Sun there's break fan if you're doing Ruby it's only made for Ruby there's Bandit it's only made for python so there's so there's tons of tools I think there's like 34 free SS or something right so find one that you like enough and use it so we'll start with those so we'll do some scans on our code find bugs and then we'll fix them right and we'll just save them somewhere

we'll fix them okay so then we're going to create a secure coding guideline which you can totally steal from my free course you just like download the PDF then add more good stuff CU mine's very basic because I had to make one that applied to everyone that's really hard so add your stuff over time so you give them a guideline and tell them this is what I would like to see from you so you guide them make it super short and concise even if it takes longer for you so it takes less time for the hundreds of them that you serve and then um ideally every new project so when we kick off a project we start Gathering

requirements right if you're going to build an API there's certain security requirements know you want give them that list at the beginning and you're more likely to get it at the end so we want requirements for every new project from the security team and ideally if possible slip some privacy requirements in there cuz like while you're asking for Stuff um consult okay so this is the hard one consolidate all your code into the same repository when you do that your life is better you can hook up tools and then scan all of your apps at the same time this is a lot of but everyone in the entire software development shop wins when you do it and

then okay so this is this is even more hard than the last step push for a real system development life cycle where everyone's doing the same one and they're actually doing all the steps not just the ones they feel like um and centralization and standardization so try to get everyone on the same wavelength this is a thing you'll have to partner a lot so you're going to have to make friends and influence people but you can do this this is a very valuable exercise you won't have to do all the work yourself usually there's tons of senior deps that are like oh my God I live in a terrible world I cannot find anything and then you'll be like I want

to do this project can do it with me yes okay there's still more for if you have no budget um so threat model so remember before you're just pentesting like two super important apps do a threat model and if you're like what is that there is a guy named Adam sherack and I will talk to you about him after and he has this thing called the four question frame for threap modeling and it's just four questions and you literally have a meeting and you ask those four questions a lot of times and then slowly you have a document full of threats and what you're going to do about it um he's really great he has a bunch of books but

just you can read this like one pag or he wrote and you can get started and so if You' just threat bottled those two most important apps you will get some big value and then um if you've had some software problems in the past if you can talk to your developers about that most of them are unaware that their web apps get attacked all day long most of them have no idea because we keep secrets really well and we as an industry are not great at marketing and so if we start sharing information we are allowed to share we'll get more buyin and interest okay a few more scan all your code for secrets secrets

are like so passwords are for humans but secrets are ways that a computer says to another computer hey I'm this guy I'm allowed in and they're oh yeah you are that guy thanks they show them the secret they're allowed in so an API key maybe a password a hatch a certificate connection sharing Etc scan your code probably going to if you're in this state you're going to find so many and you want to start managing them in a better more way and there's lots of free secret scanners on the internet you can buy a paid one but this is the free plan um there's a free wff from oosp called mod security and is it the best W

in the world probably not but if you put it in front of so like let's say you have an app and you're like oh gosh this is so bad I'm literally embarrassed about it and I know that it's dangerous and I'm totally afraid of it put a laugh in front of it now we don't use a wa instead of doing a good job a WAFF is like a Band-Aid because you've been wounded right you like all you scrap your KNE put a Band-Aid on you don't just wear Band-Aids all over your body right so we put it on until it gets better we don't just put wa on everything and then call it a day so just not in place of good

absc it's cuz we're hurt and we need to get better um and then so you still pest the important stuff right but think about it now you start impressing the pentester that person has to work at it now they have to try they're not just like fish in a barrel they're like oh gosh that is some work right so we have now matured a bunch and invested a lot in our team invested in tools we've set things up we've automated some things like we've come quite a long way but what if you have money so see her she's like yeah I got a budget so if you have a budget I have a couple suggestions so you don't need a

gigantic budget but let's say you have 150,000 or more um I would the best money in my opinion and I'm biased because I am an ABC person and I do enjoy having jobs um hire an absite person this person will be able to actually do all the things on the list or most of them right if you hire an abside person they will come with a 100 other ideas as well they'll be there every single for you this is a good investment in my opinion and then of all the free tools I find free sass the crappiest I know I work at a SAS company so please take this with a grain of salt but the paid sass nextg go fast more

accurate results I feel they're worth paying for um don't pay for a desk I just wouldn't do it um even if they're like really fancy in their Enterprise I still find I can do better with those cheapy ones I find them very powerful and if you have a smart trained person running them they are super dangerous compared to if you have someone that does not know what they're doing and they're just pressing the scan button they'll get just so much better results spending that money on an absc person than on a product okay um and then you still have to do step two just to be clear okay um oh sorry I someone wanted to take a picture and eyes too fast I

apologize great call okay and so now now model two so I'm going look at my time and see if I need to rush or not no I'm awesome yes okay so tools tools and more tools oh my gosh we bought every tool that's what they call this one I come in with this one a lot and so let me tell you about it so they usually have bought a bunch of tools but they only rolled them out a bit so I've talked to a 100 teams where they're like yeah we have a sass in the desk I'm like cool what percentage of all your apps are you scan they're like this one's 30% this one's 40% what

should we buy next I'm like you should use your licenses that you're not using but that you pay for I I work at a vendor make us work take all of the value you pay for push us like I know that maybe the teams internally are like hey don't say that but like you should use every single thing you paid for like take that value you deserve it um lots of bug reports but guess what no one's fixing any buts so we're emailing PDFs to teams and not talking about it um we are very inconsistent so this team got a pentest and we did a threat model that other team we did this weird SAS scan and we

emailed them a PDF 6 months ago and haven't heard from them and then that other team we didn't even talk to them at all it's completely random totally inconsistent um they always own a SAS in a d so SAS is static analysis so justs your written code d means Dynamic analysis so your apps running somewhere and you're like and you're do little attacks against it they always have these two tools there's lots of other tools that exist but they always have these ones for some reason um there's usually like no documentation or there's a little bit there'll be like one amazing document that's like a zillion pages long and then nothing else is documented and no

one knows where the documentation is I worked somewhere and the lady was like we have a secure coding guideline I'm like cool can you send it to me she's like it's on the intrnet I'm like I looked I couldn't find it well it's there well can you show it to me and she's like after a few weeks she couldn't find it and then she's like but we have one and so I'm like cool come with me and I go to like this senior Dev I'm like hey Stephan do we have a secure cating guideline he's like what are you talking about then we go to another one another one another one and I'm like so

it's nice that you paint someone to write one we don't have one if no one knows right and she's like taken so documentation is actually important but basically the thing I hear all the most is like why won't the developers fix the bugs and then I'll say did you ask them and they're like well I think it's rhetorical yeah you didn't talk to them at all and then they like why won't they talk to me right okay so why is those bad so you are probably thinking many reasons why this is bad um one of the biggest reasons is that like we are creating a little bit a friction here and we are paying a fair amount of money and we're

not getting super fantastic results every app has a completely different security posture and we don't know what its posture is you can come in there's like a zlion seats up front you don't have to stand if you don't want to but you can if you just like dig standing um this this thing's bad for so many reasons so again we're not investing in our staff and like when you train them and when you like showed them how to use this tool like 6 months later they're just like doing it and you don't have to like interfere it's awesome right and we're not getting that um maybe we have a pet tester come in and we're like yeah but the scope is this

big don't look anywhere if you could close your eyes during the test that would be P right so this model is not getting us what we want and we're spending a fair bit we're working pretty darn hard and like no one's talking to each other and there's not and then we we don't have a feedback Circle right we're like I emailed the report into nowhere no one answered me I'm upset the devs are like what is this crap it's not going well okay so how do we mature this model there's a whole bunch of things we could do and unfortunately a lot of them cost money this first image I'm going to tell you about it I so I asked the AI

give me a picture of a little girl getting older and older and older till she's an old lady and it gave me that and like I was imagining my little girl and I was like she might look like that someday I'll take it whatever she wants to do when she grows up so please do all the stuff from the previous the previous I know the AI is really special um and so if you have money at this point this is where you would hire a second aback person and there's it's very important when you're hiring the abset person we want to make sure so if you are going from one to many it's very important that one of

them has the Super pentester skill so you can stop constantly hiring out so they are this badass that can punch things in the face and like find every little bug and you have one person that I call the cuddly ABS person that's like I'm going to threat model with you and write a policy and automate the code for you and then I'll pair program with you the person that does all the other absc things it is ridiculously rare you find a person that does both um they're out there they are unicorns give them a hug if you have one they're very rare but most of the time someone's like I am amazing at testing and like I'm so glad they're on our side

and then you have the people that are like I do all the other things I will have the meetings I will go follow up on the things I will automate stuff I'll do all this extra stuff you can't have all pentesters and you can't have all cuddley you need to have at least one of each and then after that hire whoever you want but it's really important that if you just have two you have one of each or otherwise you're going to spend a fortune on pest or you're going to have the best pent tested systems in the world and no one is going to do all the cuddly things both I feel are very

important okay so next every two years or so I like to reassess my tools I know the government really like signing for 3 to 20 years um but you will get better Pang for your book if every 2 years first of all you renegotiate but second of all more importantly look at them and see okay so it's been 2 years and we're still rolled out at 25% why are we rolled out at 25% because we had to have 100 meetings in order to get permission to roll it out maybe this isn't the right tool for us CU there's modern tools you can roll out in a day now right oh we've rolled it out no

using it no one will turn it on we've given them training no one will touch it this is the wrong tool I know I work in a place that sells a tool it is not the right tool for everyone there's no magical one that works for everyone so reassess and see is this is this our soulmate tool this it's the one that is working for us if so awesome if not move on and use that to negotiate because they have competitors and be like I'll switch to you if and that stuff works okay oh sorry wrong button I apologize if I pointed it at you um okay now you've decided let's say you decided this is the right tool for us we do

really really like it it's not fully rolled out because we needed certain permissions go roll it all the way out use every single license you're paying for right get your value get complete coverage more importantly we want every single app like we want to know where they're at every single one not most them and certainly not just the new ones we need every single app we need to have an idea of like this one's red this one's yellow this one's green okay the hardest advice in the entire presentation provides support talk to people who hears introverted actually I should probably say who hears who hears extroverted I'm going to see a couple of hands because introverts will keep their

hands down I I a lot of my closest friends are introverts but sometimes we have to put ourselves out there and talk and be approachable even when it's uncomfortable we need to go have conversations devs are usually really nice most of them care about security most of them aren't doing it because they have 27 priorities most of them would actually like to talk to you when I go talk to them they're usually like hey what's up I have almost never had anyone yell at me like they're really not scary and so we need to go to and provide support whenever we can the more often we talk to them the more they'll tell us the

more we know what's going on and the harder they'll work for us to fix bus okay we want to manage incidents better so when I come up with this they usually are like yeah we have an instant response team but like don't worry we don't have any software incidents we're never attacked that means they are and they don't know right so we want to do better we want to be able to respond we want to first of all be able to detect and respond when we are being attacked and so we want to create a way to report incidents that's easy when I was at Microsoft they're like oh if you're on the VPN you just put in report it now

you didn't it was in a URL it just you just typed report it now and it went to a page you reported it and then they literally just call you be like T what's happening and quite often I I heard report something they be like we know we've been on it for 30 minutes thanks ma'am got to go they were really sorry um working on Microsoft was quite eye opening it was awesome um so then we want to give the devs training and in the Free Academy I have a free training course so no excuses free it's like 30 minutes of videos and it's like what does an incident look like please call the security team no

one's going to yell at you if it's a false over summary of the whole course but basically like they need to know what incidents look like they need to know what it looks like when they're being attacked they're like oh yeah my API just keeps crashing all the time for no reason and we got this weird like $10,000 the cloud bill when usually it's 200 I'm sure it's fine right and what we want is for them to be like oh I need to call security and it's safe to call security security will help me um and then lastly we need an instant response process where everyone knows their responsibility I have worked at a whole bunch of places

where they're like yeah we have an IR process I'm like does anyone know what they're supposed to do other than the security team and they're like well I mean they should know like you never told them I got to tell them okay now for model three model three is what I call the Stranglehold giant spend I'm just like looking at my time and I'm doing okay so this this is the most expensive one I see this less often this one oh man some of you are living this one so look at the dog what is happening in his AI model I was just like I'm going to keep it because it's the worst one I know the dog's having issues today

it's a magical dog the laws of physics do not apply to it um okay so this tool this this this one is weird they have every single tool I've worked with teams over there're like I have 11 tools in the pipeline it takes 21 hours to run everyone hates me um they're spending millions and millions and millions and millions of they have lots of absc people everyone's working really hard um they have a governance model where no one can get anything done I worked somewhere in the government and I will not tell you which place and I worked at many departments over my many years so you won't know which one where we had a 21 step

approval process where my bosses bosses boss had to sign off on every single scan I ever ran and if we rushed and went totally nuts me and Catherine filling up a zillion Forbes could get it done in 3 weeks and it's like why isn't their OBS very good I don't know I have no idea why um that helps no one and that bosses bosses boss signing like do you think she has any do you think she even knows who I am or gives a crap that I don't work there right like she has actual work to do yeah um constant friction so imagine there's a cat and you are petting it backwards very aggressively all day long you have not killed the cat

the cat wants to bite your face off that is what's happening for The Debs and for security everyone's miserable no one is happy with this model no one's getting what they want um security posture not satisfying so it's better than the previous two models it is more secure you have no innovation you cannot release fixes I worked at another place and I remember it we had an 18mon release cycle once a fix was approved so I would ask for about fix we'd have to have a Trum meetings and then it took 18 months who thinks that's appropriate put up your hand who thinks that's reasonable No Hands yeah and then we had an emergency that was very very

serious and we needed to do a fix, and they said that if everyone worked a trillion hours of overtime they might be able to do it in four months. That's these guys, they cannot respond. Dev and Sec do not speak to each other, or if they do, it's four-letter words. I remember my first week at this company and the security person was like, look at this, he's using the F-word, and he CC'd my boss and his boss and the client, I can't believe it. And then I read the thread and I'm like, wow, our team are jerks. We are the problem. I am shocked they didn't use the F-word earlier.

What restraint. I would have murdered you if I was him. So they both think the other is the problem, and I am often accused of siding with devs. Okay, so why is this model bad? Everyone's like, we already know. But you are paying a fortune and not getting what you want. Everyone's miserable. Your people quit. People will quit this place. I left that place, I was like, I cannot breathe, I cannot do security, I cannot stand it. The good ones will all leave you, right? And guess what you get left with, not the cream of the crop, right? And morale goes down, it sucks, and you're not getting what you want. If you were getting the

best security in the entire world and you had those things happen, maybe you might feel it's worth it, but you're also not getting great security. You still have tons of chinks in your armor, and that sucks. So, I like to scale. So now you need to scale your program, not literally, you need to scale it like startups mean the word scale. And you can do this by hiring more AppSec people who do a lot of automation, or you can start a security champions program. And if you don't know what one of those is, it means basically every dev team has one person that is the champion of our cause, which is security, and if you teach

them, you train them, you spend time on them, they communicate for their team. It's awesome. So that's one way you could scale. But another thing you could do if you don't have a champions program is an advocacy program, and that's where you do a lot of developer education, you do a lot of things to improve the culture where you work towards a more positive security outcome. There's lots of soft, touchy stuff which I really sucked at when I switched into security. And you're like, oh, she's so good at talking. I sucked at the beginning. I was like, do it because I said so. Turns out that doesn't work, like at all. I'll just ask my kids.

Before we had guidelines, now we have standards, and we change from a guideline to a standard by supporting everyone. So a standard is not a stick that we whack people with, it is the goal we all aspire to be at, and we help everyone get there. I remember I had this team when I was in the government, and I met with them and I was like, yeah, our security guidelines are becoming a standard, and the boss was like, can my team meet with you and talk about it? And then halfway through the meeting he just blurted out, oh my God, am I getting fired? Like, oh my gosh, no, please don't leave me, no one's

getting fired, no, no, I need you, I need you so bad to help me make these apps more secure, we need you more than ever. He's like, okay, let's look at it again. So you might need to assure people this is not a stick, this is where we all want to be. But it becomes a standard and eventually it's enforceable, right? But the first year or so you're just like, how can I help you get there? Because we're going there, we're going together. At Semgrep, one of our company values is make it go fast, and we are obsessed with making things go fast no matter what it is, even meetings. Yes, meetings. Take time, invest time to

make everything go fast. Automate things, improve things, tune things, make things go faster. All your devs will love you. Make things self-service. Do everything you can to make things go fast and the devs will super respect you, plus it's super fun, let's be honest. Examine your APIs. So at this point, if you have a bunch of web apps but it turns out you're doing some microservice stuff, you definitely want to work on your APIs. APIs often need different tools, they need a slightly different perspective, they always need a gateway. I do not sell a gateway. I really think you all need one if you have APIs on the internet. So there's a bunch of things you can

do. I talk about this a lot, I love APIs, and I love it when hackers can't get at them. We want to embrace threat modeling at this point. So you have a ton of staff, once you've automated some things and made things go faster, you've improved relations. A really good way to get to know lots of devs and get their buy-in is by doing threat modeling, and I would love to talk to you after more about how to start a threat modeling program if that's of interest to you. But threat modeling is a conversation. It's where you work together, you brainstorm, you discover threats, hopefully you fix a whole bunch

of them. But you doing this is awesome, it's awesome for building trust and discovering problems. You should have a company-wide program for managing secrets. Secrets are very serious, they cause a lot of security incidents, we only want them in the right hands. So we want to manage secrets properly. Continuous scanning: I asked the AI for continuous scanning and it made me this, and I was like, this is the weirdest thing I've ever seen, I want one. Imagine if we had this instead of OC Transpo. I regret that. Anyway, we want to set up automation so that our tools run without us, so we can go on vacation. I know it's

a wild idea, a security person that could take a vacation. We want to do this next: we want training that doesn't suck. You want training that works for your team, so that's not necessarily me, what I sell. When I was in government, I remember I ran this one team. Two guys had Safari Books Online, they just wanted to read every textbook. I had a bunch of guys that had Pluralsight, I had a bunch of people where I'd send them to The Learning Tree, I had one that would go to conferences, and I can't remember, the other one just wanted audiobooks. And then they all started learning. We did job shadowing, we did this lunch and

learn program for three years. We did all these weird things that just barely managed to fit our budget. Good, right? So whatever you choose, make sure it works for your team. Not everyone wants to go to a conference. Not everyone wants to do computer-based training when you give them no time to do it and you expect them to do it at home, right? So poll your team, ask them what they need, try to give them lots of different formats. Especially if you're going to make them read a book, give them a PDF version or an ebook version, a physical version, and an audiobook version, and you would be surprised how many more people

are willing to read the book you ask them to read, right? So when we accommodate types of learning styles, we do so much better. If you have a WAF, you might want to upgrade to a RASP. If you sell a WAF, I'm sorry, I feel it's an upgrade. This is just my opinion, it's my opinion, right? You don't have to agree, that is okay. Or IAST, which is a very intense type of testing where it tests the tool from the inside out. So this is for very critical apps you would do this. So it's like, this is the mission-critical thing that makes our whole company go, you might want these tools. It's up to you though,

you don't need it for all of them, probably. We want the AppSec team to be trained in incident response, or the incident response team to be trained in AppSec, so they know when to call you. I remember I was working somewhere, we had an amazing, amazing incident response team that did not know AppSec, and I remember my buddy coming over to me and he's like, hey Tanya, we're sort of having an AppSec incident, we need you. I'm like, great, did that happen today? He's like, it started like three, four weeks ago, we were trying to deal with it without you, and like, yeah, we made a big mess. Come on, right? I want them to come immediately

to me, or I want them to know what to do, either way. So you're being attacked, just to be clear. If you're anything on the internet, you are being attacked, so we need to be ready for that. And then lastly, see that guy's amazing smile? He's like, I am so happy because I am informing my program with data. So we want to use data, for sure, to improve our program, and I talk about metrics that matter, things that you might want to do. I'm kind of obsessed with data. By using data over the years, I've discovered how to improve programs very quickly, and if you're a consultant you get renewed very easily if

you show them the data that says, like, see, we were doing this, that wasn't working, I canned that; this was working really well, so I tripled down on that, and then look at these results. Boom, renewal, because you're making a difference, and you can prove you're making a difference, right? Data really helps us. I see a lot of companies just guessing with their programs because, blah, we do not have money and time to assess. We want data. And so now I have a conclusion for you, and hopefully I'm not too over time. So what did we learn? We learned three common AppSec models and hopefully how to identify them, so you can see if you're one of those models. I

gave this talk last week and the guy's like, yeah, we know which model we are, we're going to need to talk to you again. Like, okay, awesome, great. How to mature the models, and these slides, I don't know if BSides has a way to share them, but you can email me after, I have cards if you want to, and I will just email them to you. I'm very happy to share if BSides doesn't have a way to do it. How to build an awesome AppSec program: if you do any of these things it will improve your program. And so with that, I have a couple of resources. The first one is the academy with the

free training. So there's many, many, many free trainings in here, secure coding, etc., and like I said, it's completely free, but they will add you to the newsletter, so that's your payment. So I apologize, but the marketing team won, right? It's life. But I mean, free is pretty good. And it's free for as many people as you want, so literally 400 devs can sign up and take the class and it is okay, that is the deal that I made. My books, they're not free, I'm sorry, capitalism sucks. But I'm biased. My mom said the purple one's pretty good, she hasn't read the yellow one yet, but my mom's like a con. But seriously, if you want to

learn to be an application security professional, the purple book is for you. If you want to write better code, the yellow book's for you. Cyber Mentoring Monday: so every Monday since 2018 on Twitter, and now on LinkedIn, and I've been told, I've been asked very nicely, so on Monday I'm going to start on Bluesky as well. I do this hashtag every single Monday and I help people find each other. So as Adrian helped me find out, I'm a terrible matcher. Every time I matched people for mentors and a fellow parent, it was terrible. But you can match each other and I can help connect you, so I'm a good

connector, bad matchmaker, that's okay. And so basically just post like, hey, I want to get into incident response, is someone willing to have a virtual coffee with me? Here's the things I've done so far, I read these two books and I'm super interested, you know, what community should I join, what book should I read next, etc. And someone will just swoop out of somewhere and be like, oh hi. Make sure your direct messages are open so they can message you. tl;dr sec: so I have this friend named Clint and he writes this every week. It is a newsletter that is free, and it's not the news, it's a summary of all the research for every

single security topic, summarized, and then you just basically, like, I just read the AppSec section obviously, and then I go through and I'm like, oh damn, that one's good, I'm going to read the whole article. I'm like, thanks Clint, you just made me look super smart. And then lastly, resources is me, so SheHacksPurple on every single platform you can think of. I don't have Instagram though. That's a lie, I need to update that. And I don't have Facebook because basically you could just talk to my assistant, and it turned out everyone didn't want to talk to Amanda. She's awesome though, I don't know why. But I have YouTube, I even have

a TikTok, I don't know what I'm doing. I heard about TikTok yesterday, so maybe don't follow me there. But basically I make videos, I share things for free all the time. And lastly I want to say thank you so much to all of you for coming, thank you to BSides for having me, and thank you for this

community. I have to stand at the podium and stay for the question period. Do we have any questions? Because I would love to answer them, and if you're shy and want to ask me after, I'm going to stand outside and just chat with anyone that likes to talk to me, because I'm an extrovert. My Myers-Briggs says I'm 100% an

[Music] extrovert. Hey, great presentation, thank you for coming. You did talk about one way to kind of help all is trying to create a champions program. My organization did try and do that, I tried really hard to run the program. What I received in return is complete [inaudible] from all of the development. Do you have any suggestions to kind of help with this? I do, absolutely. So first of all, I have a talk and a blog series about it, and if you email me, so you can grab one of my cards, I'll send both to you. Second of all, there's actually companies you can hire, they'll just run it for you if

you're like, I have too much money and not enough time. But for the rest of us, so I was not good at speaking when I started, and I was really, like I mentioned earlier, terrified to speak, but I did it anyway. And I would go through our metrics of whatever was the worst thing that was happening, and I would show it to them, and I'd be like, yeah, I found injection, OWASP says it really sucks. I was not an expert then, right? And I'm like, this can happen, that can happen, this did happen to us, and then I'm like, let me show you, and they're like, oh, that looks like it, that sucks. Yeah. And I'm

like, here's how we fix it, can we try to fix it? And so I just had a bunch of lunch and learns, and I bribed them. So, since traveling the entire world, I have discovered Canadians love pizza more than any other country in the world. We eat so much pizza compared to the rest of the world, and I like it too. So yeah, what I would do, and this is like dirty pool, I would order pizzas and then I would open the pizza box and then I would walk all through the devs making a smell, and they'd be like, what is that? I'm like, you have to come hear me speak if you want some

pizza. And then I would make cookies and donuts, and I would just bribe them with food, and that worked really well. And making things smell really good, it seems like that's a dirty trick, but it worked really well. And then I would just speak from the heart and tell them specific things that affected us, and I found that worked really well. Another thing I did was I had very specific responsibilities for them. So my first program in the government, I just asked them to scan with ZAP. I showed them how to use it, ZAP's a free dynamic scanner, and I

gave them a safe place to do it, like, you can totally beat the crap out of this, right? So deploy your app to this server and then just, and then I made a little grid, and I'm like, if your app is a three, so we were one to three on our risk scale, if you're a three you fix these things, you're a two you fix those, etc. I'm like, when it comes to me, if you did it, so I would run the scan again, and then I would just check if they'd done it or not, then do a real test, right? And then if they did it, I would run over in our big open-air office and

I'd give them a high five, and the high five became "security has approved of me," and I remember the first time a dev got up, he went like this, and I was like, yeah! And then if they didn't do it, I'd come over and I'd be like, what is going on, man? And I'd give them the disapproval puppy-dog face, and they're like, I just didn't have time. I'm like, so your time is more important than my time? And they're like, no. And I do the full mom-guilt thing, I'm like, I'm not upset, I'm just disappointed. And then they wouldn't do it again, and next time they did the high five. And so, direct, clear, exactly

what they're supposed to do, requirements, lots of positive reinforcement, bribery with delicious food. I know we don't all have a budget. Sometimes, to be quite blunt, I would just pay for cookies and donuts because I was really desperate to make my job work. In private industry, asking if you can buy $12 worth of donuts is nothing, but in the government you probably have to fill in 37 forms and beg, and then also be in the newspaper for being a bad person. So I apologize for your situation. But I would just bake cookies, it's super cheap to bake cookies. There's lots of options, but yeah, positive reinforcement, extremely

clear definition of what you want, and then whenever possible, speak from the heart about direct things impacting them. So not like, oh, Okta had this weird breach that was this whole thing that would never affect us, they don't care. It needs to be about how to do their specific job better. And I'll talk to you more after. Awesome. Do we have more questions? One more. Thanks again, this is probably the third time I've seen you speak at conferences. But how would you go about approaching, kind of like, establishing an AppSec program, especially in a startup space where nobody really knows anything about security, first off, as well as applying it

across multiple pillars, right? So data, engineering, infrastructure and dev. Awesome question. Okay, so when I did my first AppSec program, the government department I worked at didn't have anything like that. We were the "just pentest the important stuff" people. And what I did was I analyzed all of our incidents for the past six months, and I looked at all of them, and I had a meeting with the bigger, biggy biggy people, all of the C-levels, and I was like, 26% of all of our incidents were AppSec incidents, insecure software, and they're like, okay. And 72% of what we spent was on that. It cost almost $1 million in the past six months. We were in

the newspaper because of it, we had a data breach because of it, we had to go and grovel to the Privacy Commissioner about it. Disaster, much? And all of them were caused by two specific vulnerabilities that I think I could smash if you gave me six months to do it, with full authority to go do this program. And they're like, oh, approved. I'm like, kidding? And they're like, you came to us with evidence, you came to us with clear costs, it's obvious it's going to cost way less to prevent those two types of incidents from now on, and we never want to be in the newspaper again like that. Yes, right? And so if you

can show any sort of evidence of your organization being affected, if not, because you're in the startup space, show them stats on the startup space. So in Canada, 50% of small businesses that are hit by a cyber attack go out of business, period, right? And what are startups? They're very fancy small businesses, they're very scaly, like, excited small businesses, right? And so show them those stats and explain this is how much it would cost, because a lot of them are like, oh, it's going to be millions of dollars, and it's like, no, you could be pretty scrappy. As I showed you, I have often had very little budget, I'm so excited when I have one. And so as a

result, the more evidence you can show them, the better. And then for actually starting one, so I usually try to work with the project managers, they are your friends, and the team leads, and I do a lot of talking because I've discovered that works for me. And so I'll start having lunch and learns and telling them about the program. I am so annoying. I come to the dev standup and I'm like, hey everyone, I'm starting this program, we're going to do this. So I tell them a trillion times so they're like, yes, we know. And I try to make it short and brief and cute, and I try to weave myself through their

processes. So if I know they have a sprint every two weeks, I'm like, okay, cool, so every two weeks I would like to run a scan and then have the top two things fixed, is that possible? Or, you're starting a new project? I have requirements I'm going to need to add to that. And I slowly just start sprinkling more and more in as they will tolerate me. So you can't do the whole program on day one because they're like, whoa, that's too much, but over a year you can start adding more and more stuff. And what you need to make sure is each one's reproducible, so you can't just manually

go and tell them each sprint, every single team; it has to be an agreement that from now on we're doing this. Start with one team, and you're like, look, it's been six weeks, no one died, can we do that with your team? And slowly you roll it out over and over and over, and that's what I've had a lot of good luck with. It also helps if you have approval from above, that's where all the data comes in. Data is your best weapon, and so if you are not gathering metrics, you might be surprised, you probably have a whole bunch, like if you've run scans, if you've had pen tests in the past. And

if not, start just auto-scanning a whole bunch of stuff. Get one of the SASTs, connect it to your code repository, be like, scan everything this weekend, and then go look through it and see if it's scary or not scary. It's usually scary. Thank you so much everyone, I really appreciate it. Thank you. He probably has more things to say. I'm just going to be out there, I'm going to be here all day. You're awesome. [Applause]

how can we use LLMs to help security operators, and eventually come join you guys, and that's what we did. So that's me. I always like to start these presentations with a little bit of a level set about what an LLM actually is and how does it work. Some of this might be old news to folks in the crowd, but I guarantee there's a lot of folks in the crowd who, you know, maybe have used ChatGPT frequently, maybe they're using GitHub Copilot, they don't really know how it works, and for some of the stuff we're going to talk about it's important to have that kind of base-level

understanding about what a large language model actually does. We're then going to talk a little bit about why there's so much hype in this space, and then most importantly talk about what's real and what's not, because, you know, everybody in the cyber space is just getting blasted with AI, AI, AI, AI, AI, just like we were all blasted two or three years ago, and the cycle happens. People who know me know that I really like things grounded and real when I talk about stuff, so I'm going to tell you guys about some things that are actually real that you can use for free today, right now, that will actually help your security

operations programs, and then we'll get a little bit into some of the higher-level risks and what I think are best practices and where this is probably all going over the next couple of years. Here we go. All right, so that level set, understanding LLMs, what is it at a baseline? So it's very simple. What a large language model is doing is guessing the next word in a sentence. That's it. At its core, that's what an LLM does. And the way that it does this guessing obviously gets really complicated, it's based on, you know, training based on petabytes and petabytes of text, building a large neural network and then using the

weights in that network to guess the next best word. But at its core, this is what it's doing whenever you go and interact with ChatGPT or Bing or Claude or any of the models. You are putting in a bunch of words, and then they are just word by word guessing the next best words to add to that until it gets to what it terms the completion of the thought that it's generated. So the reason that's important to understand is a couple of things. First of all, this only works if you have an input, right? AI, at least the current generation of large language models, if you don't input something, it can't predict the next word,

right? So they're not just spontaneously coming up with new ideas and new thoughts. You always have to have a starting point for the LLM in order to get anything new. And the other reason this is important, we'll get to it in the next slide, is that because it's just doing this word prediction, it can only output data that it has previously been trained on. And that's why when ChatGPT first came out and we were all like, wow, this is crazy, people quickly realized, well, this is like living in a time machine, because that iteration of it was stuck in the past. You would ask it questions and it would answer them as it was like 12

months ago. And so how did the various companies get around that? So they came up with this process called retrieval-augmented generation. We're not going to go into all the weeds on that, but at a high level, the way that retrieval-augmented generation works is you go and talk to the LLM, right? There's a step that happens before your text makes it into the LLM. Whatever you're typing in that thing, it's getting replaced under the covers by another model doing something called embedding, and what embedding is, is it replaces words with numbers and binary symbols, looks information up in a vector database. Vector database, you don't need to understand what it is, it's

just a simple database of, like, a matrix, just numbers, that's what a matrix is, and it's then able to go and retrieve context, right? And that context is essentially spliced in to what you typed, so that when the LLM sees it, what the LLM is actually seeing to make that completion is not exactly what you typed in. In most products it's changed a lot before it gets to the large language model, and it's changed through this RAG process. The reason this is important is because when we're talking about using this stuff in cyber security, this process, RAG, is what's at the core. It's kind of the differentiator between all of the different products that are building things around AI. This is what's

different: they all have their own methods of this RAG, because that's where your context comes in, right? If you have something like Microsoft Copilot and you're asking Security Copilot, hey, you know, what did this IP address do yesterday and next, the only way that it has any idea how to do anything with that query is because of this process. Otherwise, if that text just went straight into the LLM, the large language model would be like, what? You know, it doesn't know what your IP is, it doesn't know what yesterday is, it doesn't know how to go, like, it's literally just doing that completion of predicting the next word. All of that API retrieval, the

fetching of the information and all that happens at this stage, before it goes to the model. So that's all we're going to talk about from the technical side, but I'd like to level set with that so that when we're having the conversation later you kind of know how this step works. Yeah, I already said, so a lot of the stuff you didn't input will end up in that query, and then sometimes also the response is post-processed, right? So when the LLM gives you that information, sometimes before you see it in your tool it's actually changed again, so you're not seeing what was actually coming out of the LLM. So, current hype, versus, you

know, why is there so much buzz around it, right? First thing I like to point out is this whole notion of AI versus machine learning, right? So machine learning in cyber security has been around for 25 to 30 years. It's not new. We were doing machine learning back when I graduated from university for a product called, you know, we were doing what was called NBAD, network behavior anomaly detection, right? And we would monitor the traffic on the network and do things like statistical analysis and Holt-Winters analysis based on the patterns that the network was doing over two weeks and trigger alerts. You know, we were doing that back in 2000-something. That's machine learning,

that is machine learning. So we've been doing machine learning in cyber security for a long time. It's at the core of, you know, any antivirus product, any EDR, any network security tool. Almost anything that's producing alerts has been doing machine learning. But what happened after the ChatGPT explosion is machine learning stopped being cool, right? So AI became the new buzzword, and one of the things you've got to kind of deconstruct when you're looking at a lot of the stuff that's thrown at you in advertisements and product pitches is people will claim AI, and you've got to kind of look at what they're actually doing to figure out, are you doing

are you using LLMs, or are you using machine learning? I'm not saying machine learning is bad. As I just said, it's at the core of everything we do, and in fact, I'm going to kind of get into the next point: LLMs are horrible for a lot of cyber security tasks, and there are companies that are trying to pitch this idea of using LLMs for things like, you know, behavior detection and finding threats in the network, and personally I think that's a dead end, because LLMs are inefficient at doing things extremely rapidly. They're great at doing innovative things much more efficiently than a human, but an LLM isn't going to

be able to replace a traditional machine learning algorithm to detect threats on the network, or to, you know, detect things on the endpoint, detect unusual process behaviors and execution, registry modifications, because it's not fast enough, it's too expensive. It's not fast enough. In order to do those use cases you have to be able to process hundreds of thousands of, you know, network flows a second, hundreds of thousands of, dozens and dozens of process executions, of file changes on the laptop a minute. LLMs can't do that. They don't operate at that speed, they're not engineered to do that. It's very unlikely that over the next two, three years

that they're going to get that efficient either. So there's use cases that they're good for and use cases that they're not good for. I see though that part of the buzz around LLMs is tied to, you know, we hear about the cyber security skills shortage. There's a lot of debate on how real the skills shortage is, you know, how can we have a skills shortage with so many open positions. But there is a very real skills shortage in terms of senior, seasoned cyber security professionals who can do threat hunting, who can discover APTs and things of that nature, and the hope is that LLMs are going to be able to create more of

an advantage for the defender over the attacker in these scenarios, because they can kind of help level up people. It's not necessarily about replacing people, it's about taking the people that we have and leveling them up a lot faster, so that those folks that, you know, don't have 10 years of experience, the LLM is going to be able to augment their thought process and make them operate in a much more efficient way. So that's why there's so much hype around this. So I talked a little bit about the realistic capabilities and this idea of, you know, using LLMs to detect threats

and why I don't think that's going to be successful. I'm going to couch that in the presentation and contradict myself. There's another challenge that a lot of these systems have, and it's access to the data, right? So we talked about the context that an LLM needs to make decisions. Well, if the product that you're trying to use LLMs and AI with doesn't have access to the information that it needs to make decisions, it's not going to be able to make decisions well, and this is where you can run into issues when there's siloed information. So a lot of organizations, you know, will have a large variety of different tools in

their cyber security environment um the average Enterprise has between 15 and 49 different cyber secy tools that they have to integrate together and if those tools so we talked about the hyp right and how everybody's integrated AI into everything well if all of these different tools have their own AIS and those AIS don't work together or talk to each other you're just kind of recrea the same problem in a different way right so um the point of this is that these things are not Silver Bullet right if if you're using you know Crow strike on your for your endpoint security and you're using Microsoft sendal for your your uh Azure security and then you go

into co-pilot and ask a question that that co-pilot is not going to have visibility into your cke system right so because they don't talk to each other they can create these information gaps and as a result give you actually long guidance right this is what's important like because you're going to an llm you're actually it's kind of different than SK the way we use security tools in the past in the past you were going and you were using a tool and you knew it had an information Silo and then you would go and look at this other you know you mainly tie them together but with an llm a potentially Junior operator asking it guidance and

then asking it a question what should I do with this and the AI will extremely confidently give it a completely wrong answer right so that's the thing you have to be a little bit cautious with is these information silos and the fact that they can create problems um the final thing is this idea of co-pilots versus agents so we talked about how um AIS they kind of don't do anything unless you interact with them there's the newer technology that's coming to bear and we heard a little bit of this in the keynote is this idea of AI agents and AI agents operate semi-autonomously um they don't they still have llms as a core but what's

happening with an AI agent is essentially the the output of the last construction the last thing is then fed back to the beginning of another process and it creates that Loop so an AI agent you set it on a task and then it will go and do what it needs to do to complete that Tas with guidelines and parameters that you build in and this is where you kind of get into um the the difference between something like an agent versus a co-pilot right a lot of the products nowadays are what we would call co-pilots they're kind of like chatbots your operators can go in they can get more information more context they can help you learn and these systems are

great they're great for certain use cases but they're not necessarily where we see the end game this which is more of an agentic approach with an agent that can actually go and do something right that's where you're going to get the real advantage of some of these systems all right so let's let's look at some case studies and by case studies I mean where are people actually using this today in the real world getting success um you know let's get beyond the hype in the marketing um I'm involved in a lot of different AI working groups so I see firsthand the people who are deploying this stuff in the sock you know using home build things using

open source tools, using commercial tools. It's a lot of mixture. There's a lot of activity going on in the world in this space, and people are getting real value out of it.

So the first case study is operationalizing threat intelligence. So you've got threat intelligence that you have access to yourself. Maybe you can't afford a commercial feed, maybe you're relying on blogs, websites, you know, PDFs that people email you for your transes. How do you get all the information out of those documents and turn it into detections that you can use in your SIEM and your EDR? Well, guess what, LLMs are very, very great at natural language. That's how they're built. So there are new open source tools that leverage LLMs to help you take in threat intelligence, either from feeds or from PDFs or pointing at websites, and the LLM will automatically go through that 40, 50 page document for you and extract not just the indicators, 'cause the indicators we've been doing fairly efficiently for a long time, like you can do that with simple NLP, but the LLM can actually read the text and understand the TTPs in it and then map it to things like the MITRE ATT&CK framework. So we're not talking about just running regular expressions over text and getting IP addresses out here. We're talking about feeding in these threat reports and at the other side getting real actionable information that you can then go give to your detection engineering team to go with. So I've got a couple of links here to free and open source tools that are available: OpenAI CTI Summarizer by col M Aron klin, who's part of the FIRST AI SIG, and txt2stix, made by this fantastic individual I link at the end, who publishes a lot of different open source tools for CTI. So I'd recommend checking those out. At the end of the presentation I'll have kind of a QR code link where you can get all these.

Next, the second use case is incident response and threat hunting. So we see a lot of teams that are looking at this idea of how do I actually get the promise. So we've been talking about SOAR for about ten years now, and the problem that a lot of organizations run into as they try to automate their incident response is that the promise of SOAR was that you'd be able to get this tool and, using low code, you could kind of say, okay, when I see this, I want to automatically go and send this email, and then I want to escalate to this person, and I want to go and add a rule in my firewall from this system. That sounds great, because they don't want to do that manually anymore. But what we've seen with SOAR is you're kind of trading one problem for another. You're trading having more cyber security analysts for more Python coders and SOAR experts to be able to build all these playbooks, and it's challenging, right? SOAR hasn't really lived up to its promise; it hasn't simplified things as much as it should. LLMs have a real chance to change that, and all of the major security automation companies are investing a lot in this technology. You can see stuff coming up from Tines, Palo Alto, and they're focusing in on this problem of using the LLM to generate those playbooks and generate those playbook flows. The reason it works so well is because you're kind of taking advantage of one of the things that people sometimes think of as a negative. You know, one of the negative things that people say: what about hallucinations, right? Hallucinations are a problem. At the beginning we talked about how hallucinations can be a problem with your operators doing a chatbot type thing and asking, and it gives you a completely wrong thing to do. Well, when you're doing something like threat hunting, that creativity that an LLM can do, like if an LLM causes a hallucination, says "oh, maybe I should go and look at this," and it's kind of a pie in the sky idea, you know, once in a thousand times that might actually lead to some success in that threat hunt. And guess what, if it does, there's no real issue, right? If you went down a path and you didn't find anything, as long as you come back and then go down the other fork in the road, there's no harm done. And in fact that's the way a human threat hunter works. The whole way a threat hunter works is they use their experience, intuition and knowledge of cyber security to kind of go and look for threats, and they will take a lot of wrong turns and go down a lot of dead ends, and an LLM doing the same thing is actually a fantastic use case.

So another interesting one that we have here is this tool called DIANA. This is a fantastic open source tool that uses LLMs and some of the processes I just talked about with threat hunting to help you refine your detections. So you can go to DIANA and say "I want to detect this kind of behavior, this kind of threat actor," and it'll generate rules: Splunk, Sigma, QRadar, many different tools. And you can then interactively refine it. You can then go in and talk to that, just similar to, you know, if you're using ChatGPT to play around and make funny cat pictures, you can do the same thing with your cyber security detections using this tool. It's pretty neat.

The final case study is this idea of automating compliance tasks. So again, LLMs are really good at anything that has to do with large volumes of text, right? That's kind of their bread and butter these days. So if you look at things like cyber security compliance and GRC questionnaires that we all have to deal with, anybody who's in any kind of a company that sells any product whatsoever, if you're not currently answering 30 cyber security questionnaires a week, you will be over the next 12 to 18 months, because what's happening is, you know, the good thing for everyone in this conference is the drumbeat around supply chain security and how important it is to your third-party risk has been successful, right? There's a lot of new legislation happening in the United States and in Europe around having to do software supply chain security assessments. Well, that's the good news. The bad news is, well, you know what, you're now on the receiving end of it. You now have to answer those questions as well, because if you have the product, you also have to answer those. So when you're getting those 10, 20, 30, 40 different cyber security questionnaires from your customers about your security program, LLMs can take those questionnaires, and what you do is you point the LLM at your corporate policy information, point them at your SOC certificates, your internal incident response procedures, your handbooks, your information that's inside of your Notion database or your SharePoint, and it'll read all of that and then it'll know how your company's incident response procedures work, and when you get those questionnaires the LLM can actually answer them for you. It could save you oodles and oodles of time. Even if you don't trust it to give the final submission, and I wouldn't, the fact that it saves you so much time in the beginning, to then have to go

back and just correct a couple of the answers, is a fantastic use case for large language models.

So, risks and best practices. So if you're going to deploy this technology, and I'm not just talking about deploying a custom-built solution, but if you're deploying any commercial solution that's using this technology, there's a bunch of things you've got to be cognizant of. Folks are cautious about data privacy issues. A lot of people are concerned that the information in their company is going to be used to train the large language model and then it'll show up in some... and we have seen this. This is a significant concern; we have seen this happen over a while. So what are the mitigations you have for that? So there's a couple of them. First is, most of those platforms do have licenses that you can go and purchase access to, so that they give zero data retention and you have a contract in place so that the provider of that large language model is not going to use any of your information. One thing to be aware of and be cognizant of is sometimes this is another layer on top of just buying enterprise access. So as one example, if you go to OpenAI and you purchase the enterprise access to OpenAI so that you can make queries back and forth, your information will not be used for training. That's part of the legalese. But if you really kind of go through everything, you will see your data is actually held for up to 30 days for incident response processes, right? So they still do have that information for a limited amount of time before they delete it, so that's something to be aware of. The second mitigation you can do is use local models. So there's a lot of free and open source generative AI models that you can run locally, like Llama, and a lot of these, you know, you can talk to your vendor who's providing you the tool and say, do you have the option to deploy this locally, or do you depend on a cloud service? And if it is a cloud service, are you running that model, or are you sending it out to OpenAI or whoever, and how do you deal with that? So most of these tools do have the ability to. That's another great mitigation plan.

So we talked about hallucinations, right? So how do you guard against that? And it kind of depends on the use case. Like I mentioned, some use cases, hallucinations are something to worry about a lot, but there are use cases, like we mentioned, where hallucinations, you know what, it doesn't really matter. So mitigation number one: if the tool has what's called a source of truth, it can actually go and validate the information that it's going to spit out to you before it spits it out, and make sure that that source of truth agrees, right? And you can do this in a couple of different ways. Usually the way this is done is there's actually a second LLM that's filtering the result of the first LLM, and it's validating that what this thing is giving to you is actually aligned with this other source of truth, so that it's not completely made up. The second mitigation is human in the loop. So I would strongly recommend for any deployment of this technology right now, at least right now, there should always be a human in the loop for any process. So, you know, if you're doing a cyber security questionnaire, a human should read the results before they throw them over the fence. If you're doing incident response, you use this stuff as an accelerator so that your level one analysts act more like level threes, but don't get rid of your level one analysts, right? That human in the loop is incredibly important right now. And then the third is continuous improvement. So a lot of these systems have the ability to feed information back and teach the LLM about that it got something wrong. That questionnaire use case is a great example of that, where if it gave you the wrong answer and you go and correct it, if you submit that back to the system and it learns that, then the next time it has to answer that question for another questionnaire, it won't get it wrong. So this continuous improvement part is another important mitigation.

So, the final thing is, a lot of people are concerned about kind of the ethical implications of this technology, and I'm definitely one of them. I worry a lot about what's going to happen in 5, 10, 15 years. It's hard to predict, but we talked about leveling up the people, right? So if we think that the skills gap is real, at least at the high end, then how are we going to have people, if the LLMs start taking over all the junior tasks, how are we building the pipeline for the next generation of cyber professionals, right? And what I would suggest is LLMs can actually be a fantastic training aid if these tools are leveraged properly, because they do that leveling up: that junior L1 analyst is now able to learn in real time. It's almost like having a level three coach sitting over your shoulder and saying, hey, you should think about doing that, you should think about doing that. That is training. It's a different way to do training, but it's arguably a much more efficient way to do training and have people learn how to become an advanced cyber security professional.

So, best practices. So first of all, this stuff is applicable to organizations of all sizes, and you're going to have to deal with this kind of whether you like it or not, because the reality is that AI and LLMs are being embedded under the covers of almost every product we use. So, you know, I hear of organizations creating policies around how to use LLMs in the company and the process, the approval process, that you should go

through before you use LLMs, and that is definitely something that any organization should be going through: this process of how are we going to leverage this. But the caution I give is, this is not about how are we going to use ChatGPT in our company, what are you going to be allowed to do, what are you not going to be allowed to do. This is about, hey, we use Workday, and now Workday, all of a sudden, without asking us, is now using LLMs. They just integrated it in, and we don't actually know how they're using that, or if any of our information is going into a data set, because it turns into this is all another type of supply chain security problem that we're all going to have to wrap our heads around.

Another consideration when you're thinking of best practices: do you want to go standalone, or do you want to do more of a platform approach? And this is where some of the things I talked about earlier come into play. When you create information silos, the AI is not able to bridge those silos. So think about, versus having all of these kind of one-off AI systems for your different tools, think about tools that can bridge the gaps. How can we have something that knows about our SIEM alerts and our cloud alerts and our threat intelligence information all at the same time, as opposed to being siloed, because it's not going to be able to make that decision.

Commercial versus open source. This is another one. So right now there's a ton of activity in both. So we talked about how commercial providers are going to provide you with this stuff whether you want it or not, in a lot of cases. On the open source side, there is so much innovation happening in open source AI right now that there's really no reason to not kind of start experimenting with this. So as I mentioned, I've got a lot of links in here for some free and open source tools. All of these are able to be pointed at local models you can just run on a server in your own company or on AWS EC2 instances or something. You don't have to purchase tokens from OpenAI to experiment with that stuff. So the barrier to entry is lower than some perceive it to be.

So where's this all going in the future? So we talked about SOAR, right, and security automation. So one of the first things that I think is going to happen in this space is GenAI is completely disrupting the SOAR market, and this is for a couple of reasons. So first, we talked about how one of the challenges with security automation is you're kind of changing one problem set for another: you're changing a bunch of security experts for a bunch of Python experts and coders, and not necessarily saving you any time or money. Well, the other interesting thing about security automation is anybody who's ever done it in any kind of a capacity knows that part of the issue isn't just doing automation, it's actually the integration itself. It's like, how do I, you know, I have to make this API call to get this product this information, and sometimes those APIs are not documented, documentation's out of date. So that whole building that integration is challenging. Well, when you take the whole cyber security part of large language models and push it aside for a second and look at all the innovation that's going on in large language models to generate code, things like the Cursor editor, like GitHub Copilot, apply those to the SOAR problem, and now this whole problem of connectors also starts to go away, because the LLM can actually write the code to do it. The LLM can't just generate the playbook; it can generate the playbook and then it can actually generate the source code to connect to these services to make the playbook actually work. So as we start to see this stuff mature and have it be more reliable, it's not completely reliable today, as it becomes more mature and more reliable, the idea, the kind of nirvana, of being able to just go in and describe something that you want done and then have the system automatically be able to do that as an automation and not have to attempt to do it anymore, it's going to become more...

Can LLMs eventually surpass human analysts? So earlier in the talk I said you do not want to get rid of people; this is about leveling up existing people. It's yet to be seen. We're seeing really impressive results out of LLMs leveling up these analysts. So are we going to get to a point where the LLMs are able to automatically respond to the majority of cyber security incidents? I think that's a ways off, and maybe we'll never get there, but using it as an accelerator is something that already works today.

And finally, using this stuff for detection. So at the beginning of the talk I talked about how LLMs are not really well suited to real-time detection. They're not suited for finding threat actors messing around on your network or deploying a dropper on your endpoint. That's best for other machine learning. The caveat to that is, LLMs are a subset of generative AI, right? Generative AI, you kind of think of this as a Venn diagram or pie chart, and LLMs are just a piece of that; there's other types of generative AI use cases. And you can totally envision a world where we take a huge corpus of network attacks, EDR attacks, and use that to train a neural network and then leverage generative AI to predict threat actor behaviors in advance. There are companies that are working on this. I think it's probably like two or three years away before you see anything, if you see anything. It could end up just being pie in the sky. I'm a little bit skeptical of it, but the idea of being able to detect in real time and then be able to predict the next thing the threat actor is going to do and then stop it very early in the kill chain is the goal of these systems. So not large language models, but still generative AI.

So, wrap up. I think I'm here. So first of all, everything I just told you is going to be completely out of date within 30 days. This space is moving so incredibly fast. If you want to keep up to date on generative AI and LLMs and how they're being used in security and what's going on, you really have got to kind of put in a little bit of work, because the landscape is moving and changing so incredibly rapidly. I've got a couple of resources up here that can help with that. So down in the bottom right corner here, this is Dylan Williams. He's the guy that makes that DIANA tool. He has this fantastic start.me page, and for anyone who doesn't know what start.me is, it's kind of like a giant dashboard of links, and he's got hundreds of links to, you know, newsletters you can sign up to, YouTube tutorials you can go and watch, and use cases and links to software and companies, all about just GenAI and security operations. So that's a fantastic resource. We also have a Slack community. We've got 15 people on that right now, I believe, and it's growing all the time, and the purpose is just sharing news, sharing knowledge, engaging discussions. We found that there wasn't any community that was really focused on just talking about this, just LLMs and SecOps, because there's so much going on with LLMs; there's different pillars of cyber security using them in AppSec, using them in cloud, using them in this, that, the other, but there wasn't any focused space. So we started that up. We've also got a podcast that's going on.

And then finally, I'm sure you've all heard this before: AI is not going to replace you, but someone using AI will. If you've been kind of viewing this with a lot of skepticism, I highly encourage you to try to get up to speed on it, because it kind of is changing the whole world, and like I said earlier, it's doing it whether you want it or not. The tools that you use are bringing this in and they're not asking. With that, I don't know, questions? If you have any questions, I'll be outside for a few minutes and here the rest of the day, easy to find. [Applause]
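The threat-intelligence case study in the talk above contrasts the cheap, long-established path (regular expressions over report text to pull out indicators) with the LLM path that reads the prose and maps TTPs to ATT&CK. The following is an added example, not code from the speaker, from DIANA, txt2stix or any other tool named in the talk; it implements only the baseline half of that pipeline so the contrast is concrete: a regex indicator extractor that refangs `[.]`/`hxxp` notation, a crude keyword-to-ATT&CK lookup, and a Sigma-style rule rendered from the result. The report text, the domain, IP and hash in it, and the keyword table are all constructed for illustration (the technique IDs themselves are real ATT&CK IDs); the Sigma structure is illustrative and not validated against the Sigma schema.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "threat report" (not a real advisory). The domain, IP
# and hash are placeholders chosen for illustration only.
SAMPLE_REPORT = """
Victims received a spear-phishing email with a macro-enabled attachment.
On open, the macro ran PowerShell to fetch a second stage from
hxxp://update-check[.]example[.]com/stage2.ps1 (resolving to 203[.]0[.]113[.]45).
Persistence was achieved via a scheduled task named SysCheck.
Dropper SHA256: 3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855e
"""

# Indicator patterns. The domain pattern requires an alphabetic last label,
# which keeps dotted IPs and file names such as stage2.ps1 from matching.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)

# Constructed keyword -> ATT&CK technique table. The IDs are real ATT&CK
# technique IDs; the keyword heuristic is deliberately crude. This is the
# "simple NLP" baseline the talk refers to: fine for indicators, brittle for
# TTPs, which is the gap the LLM-based tools are meant to close.
KEYWORD_TO_TECHNIQUE = {
    "spear-phishing": ("T1566.001", "Phishing: Spearphishing Attachment"),
    "powershell": ("T1059.001", "Command and Scripting Interpreter: PowerShell"),
    "scheduled task": ("T1053.005", "Scheduled Task/Job: Scheduled Task"),
}


def refang(text):
    """Undo the common defanging conventions used in published reports."""
    return text.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Extraction:
    ips: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    sha256: list = field(default_factory=list)
    techniques: list = field(default_factory=list)  # (id, name) pairs


def extract(report):
    """Regex indicator extraction plus keyword technique tagging."""
    text = refang(report)
    ext = Extraction(
        ips=sorted(set(IPV4.findall(text))),
        domains=sorted(set(DOMAIN.findall(text))),
        sha256=sorted(h.lower() for h in set(SHA256.findall(text))),
    )
    lowered = text.lower()
    for keyword, technique in KEYWORD_TO_TECHNIQUE.items():
        if keyword in lowered:
            ext.techniques.append(technique)
    return ext


def to_sigma(ext, title="Constructed CTI report indicators"):
    """Render a Sigma-style detection (a dict; illustrative, not schema-validated)
    that matches the extracted network indicators in proxy logs."""
    return {
        "title": title,
        "status": "experimental",
        "logsource": {"category": "proxy"},
        "detection": {
            "selection": {"dst_ip": ext.ips, "cs-host": ext.domains},
            "condition": "selection",
        },
        "tags": [f"attack.{tid.lower()}" for tid, _ in ext.techniques],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(to_sigma(extract(SAMPLE_REPORT)), indent=2))
```

The indicators fall out cleanly; the technique tags only appear because the constructed report happens to use the exact keywords in the table, which is the point: a report that says "ran a script via the Windows task scheduler" would get no tags from this baseline, while the hash and addresses would still be extracted. A human should review the generated rule before it is deployed, in line with the human-in-the-loop mitigation the talk recommends.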

How's everyone doing today? Good? Awesome. All right, I'm getting used to these mics. I'm also fighting the loss of my voice, so bear with me. Five or six lozenges, so I should be okay, but if I collapse, just come help me. All right, I'd like to start these off with a fun tune. Okay, so I'm going to play something for you guys and I want to see everyone dancing and stuff.

You guys don't know this song? Is this like brand new? It's from Phil Collins, he's like a new rapper on the block. You guys don't like it? He's talking to Billy, saying "Billy, don't lose my number," so it's kind of like don't ghost me. Nobody knows something? Okay, let me tell you, like, aren't you jacked up from that song? I freaking, like, I play this driving in to wherever I'm going and it's just like trying to get crazy. Obviously you guys are all... it didn't do the same thing that I wanted it to. That's, you know, it's okay. So what was Mr. Phil Collins doing here, or Puff Collins? He was talking about what? Anybody know? Actually, I found out this week that Mr. Collins didn't really have any meanings to his songs; he just freestyled them in the studio. I didn't know what that was, so actually I was disappointed. Like, I thought we had to have songs, and you don't, it just sounded good, so you kept it. Great. But anyways, this song, to me it means don't lose a connection. It means I'm going to track you down, as a good cyber person is going to do, so I'm going to track you down. So that's kind of why the song is kind of related to what I'm talking about today: data breaches, and so companies versus ethical hackers and security researchers, the corporate side.

I want to say that I don't endorse doing bad things to companies, because they get really angry, and plus there's nothing protecting you legally, so if you're going to do it, make sure to cover your butt and document everything. But I'm not endorsing it, I'm just saying. And I'm also not here to give companies crap, because that's not what I want to do. Okay, this is supposed to be a very suspenseful slide, the second slide. Are you ready for a world of cyber security? Okay, the person in the back, super ready, and they waved at me, so thank you, sir, but that was only one person. Nobody else? Thank you. All right, anybody else? Yes, yes, okay, that's better. Okay, let's try the second question: what would you do if your data was breached tomorrow? Cry? Okay, that's a way to do it, why not. You know what else would you do? Hide? Okay, yes, if those secrets get uncovered, you want to hide. What's that? Yes, you put two-factor authentication on everything, right? Is that what you're saying? I do that with my kids too. I wrap them in two-factor and just wrap them all. Do you think, or do you trust, that organizations are protecting your data properly? No? Some are, some aren't, more that aren't than... more that aren't. And the other thing: are you prepared?

For the folks that are in the business, for the folks that are trying to get into the business, I honestly say try something different, because being in security kind of sucks sometimes. There's the joke about how cyber security is like an onion, not because of the layers but because it makes you cry. So that's kind of it. So when you become a cyber security professional and you're doing all kinds of things like this, you have to balance a few things. One is transparency; you have to be ethical in what you're doing, and you have to be super curious and also want to break things, but in a good way. So it's a challenging industry, but it's super exciting and it constantly gives. If somebody wants help, you're able to help many, many people. So keep that in mind. If you're interested in even trying it, I recommend you definitely do, because it is the best.

How about me? I have something written down here and I kind of want to read it, and I don't, but it's kind of like the first chapter of my book that I'm somewhat writing, so just bear with it. You guys cool with that? Is that okay if I do this? Yes, you have no choice, you're stuck in. Lock the doors. Yes, you in the back, lock it. Yes. All right, so try this again. One

second so it started with different kind of thrill ducking security guards and dodging police and jumping fences to reach the coolest and gnarliest skateboarding spots around town yes I used to skate and I still do so don't say I'm too old to skateboard that's not nice back then it was about testing boundaries and getting creative with risk sometimes it meant breaking into the school's machine shop to build some ramps sometimes was helping my friends with their Mar s and breaking into the local area of network so that I can change some things but just letters anyways later in the icy currents of the North Atlantic the Canadian Navy it gave those early skills to discipline and focus that would shap my

career in the high stakes defense and intelligence after leaving the Navy I worked with General Dynamics and I developed advanced ulation and triggering systems for weapons test to don't hate me for that but the real test came during my decade plus tenure with the Canadian Security intelligence service anybody here from cus you're not supposed to see it it was a advancing through Senior Management I focused on counterterrorism and catch this counter proliferation took me years to get that word right it's just a tongue twister targeting threats across both digital and physical Realms here I honed on Dual operational skills for close access tactics and or cyber offensive Maneuvers you'll see on my website that I talk a

lot about the physical and cyber science I know we're at a cyber security conference but I truly believe you can't have one without the other today I use the same mindset that once drove me to explore hen skate spots hold on I use the same mindset that wants Jo explore skate spots that fuels I can't all right what I'm trying to say is I use the same passion and interest curiosity to try to protect organizations and individuals who those individuals organizations are made up of those but then there's also the victims from breaches these are third parties these are employees these are people that use the service maybe once or twice so I try to use that curious kind of

deviant Behavior to Red Team on these companies and make them better right now uh I'm the self-proclaimed best in the market smallest in ransomware negot and someone can challenge me on that it's fine cuz I didn't really double check if I actually have a best or not but I really think I do the right thing right now I track ransomware Gams amongst other things and as we see the numbers there which I didn't memorize but 232 groups and this constantly changes a bunch of forums and telegram channels which I really did not like what happened in France with telegram guy and so I kind of wish that didn't happen because you really did give them

a back door to that which is unfortunate bad people should have a space that they feel safe to do their business just kidding okay supporting victims in organizations so a bunch of these projects that are here uh are are there as open sources open resource resources for people to be able to recover from from Ransom more breaches and other kind of breaches as well I also do provide there's a lot of the Canadian fraud Center as well as cesa for the US they provide tons of really good resources for individuals that want to recover from an attack the biggest thing and the simplest thing that I ask organizations to do is to know what you have do an

asset inventory. It's simple. Have some sort of awareness in your organization; make sure that everyone knows that they have a role to play. Security is a team sport. I know it's cheesy, but it's good. And incident response planning: if you know something bad's going to happen and you can't do anything to stop it, at least know what to do when it happens. That's the minimum. Oh yes, and I forgot to introduce myself. My name is Andrew Amaro and I have this really cool title that I just made up, which is called the Chief Holistic Security Officer. Cool, right? No? Okay, that's fine. Clab Security is my baby, and so that's what we're trying to do.

Any questions so far? Good, because you're not allowed to ask questions yet. Just kidding. Okay, I do have one thing that I want to try and do with you guys here and it's not related to this. You guys okay if I try? Okay. Does anybody know Chuck Norris? Nobody? Just like you don't know Phil Collins. You guys aren't really playing nice here; you should go along with my really old pop culture references. Just... let's see what we have here. See, what's that? See that? I like that one.

[inaudible], very good, I like that. Hang on, I have it in my email here myself...

Chuck Norris does not need to hack; he types one command. You guys hear with this one? No? He types in sudo Chuck Norris and the entire internet obeys. It's not bad, right? I thought it was okay. So what do we know about companies? Companies are there to make money. They're also there to change the world, to change the community and so on, but the biggest thing, and we all know, people are in business to make money, to make sales. And why is it that we're surprised when companies prioritize their image, the timely release of their product, over vulnerabilities and security? Why are we surprised? We shouldn't be surprised, because when it comes down to it, security's always been at the bottom.

We kind of want that to change, but the idea is, if you're going to pick one over the other when you're a business, you're always going to pick the fact that you need to make money. The other thing too that we also see, I'm pretending to be a company, we see ethical hackers, vulnerability researchers and people that call up and say there's something wrong with your stuff, because everyone likes to hear that there's something wrong with what they've done, right? You wake up in the morning, you're like, oh man, I can't wait till I go get some coffee, and someone approaches me and says, man, you messed up. Yes? No. Nobody likes that. So imagine a

company has all kinds of things on the go and someone goes up to them and says you have all these problems. They hate it. Ethical hackers are seen as threats and definitely not allies. I'd like that to change, but it's going to be a while. When something happens, someone here said you hide, right? So I think it's very appropriate. A lot of the companies, when something bad happens, the first thing they want to do, the knee-jerk reaction, is to hide, cover it up. I don't want this to get to my board, I don't want this to get to my investors. And a lot of them think that because it's on the dark web it is only accessible by

criminals. The dark web is not only used by criminals; if you've heard differently, it's used by freedom fighters and all kinds of other people that are not doing anything wrong. So it is out in the open, and we really want, as let's say security researchers, we want transparency to be the biggest thing and we want this trust to be there. I'd rather someone come and tell me that something's wrong before someone that is malicious uses that vulnerability to do whatever they want to do and destroy my business. I'd rather the first one. Can we be in agreement with that, or does anybody want to be hacked versus be told? I'm just making sure I include everybody, that's

all. Gentlemen in the back? No? Yes? I like that, it's true. Okay, that's a good one. Okay, there you go, I learned something. This case was really interesting. I spoke to the gentleman that was in this sticky situation. He got really involved with this because in the city of Columbus he's trying to bring awareness and more people into cyber security, so he came across a ransomware attack on the city of Columbus and went through the data, stuff that I typically do as well: do a data privacy analysis of the impact on victims and the organization too. I'm not just saying victims; it's everybody, even third parties and investors, everyone. And he actually came across some underage

material, medical test results, images, forms, whatever. So he took it upon himself to contact the city of Columbus. City of Columbus... [inaudible], surprise. If anyone has worked at a call centre, which I don't recommend, works at a call centre and calls up somebody and they get hung up on and sworn at, this is what this guy did. He tried to email, he tried to show up in person; they ignored him, ignored him, ignored him, until he went to the media and said someone needs to do something about this because it's out there. When he went to the media, the city of Columbus sued him. It did nothing to do with the data actually, just

left it there. In the article the lawyer that was defending the city literally says that you have to be a super tech genius to access the dark web, and so the reason that he was being charged was because he went to the dark web, deciphered all kinds of things to get in there and then disclosed it to other people, and so he was going to get charged. The happy ending was that they actually dropped the charges, but the idea here is that there seems to be a very huge disconnect between what happens after the data is breached and where it is and how accessible it is, and a lot of companies still flex

their old-school legal muscles that don't really apply, like cease and desist, or suing this researcher. It doesn't stop the rest of the other seven billion people from accessing that data; it's just localized. So who cares if you're going to send me a cease and desist letter? You're stopping one person, you're not stopping the entire world, you're still not addressing the problem, you're just being a bully, in my opinion. Sorry, did I miss something there? Oh yes, and the other thing is it misleads the public into thinking that ransomware attacks only happen to the [inaudible] because the North Koreans are after the nuclear codes; that's the only time it happens. They don't realize it happens hundreds of

times a day to any sort of business; doesn't matter what business you're in. So that is a problem. So are hackers, are ethical hackers, allies or threats? Anybody? Allies or threats? Allies. Allies, all right. Oh, I forgot to take that little bullet point off there, that sucks. Okay, so don't look at this, okay, right there. All right, so this is a funny story that happened a few years ago, but I love it so much. A St. Louis reporter is charged for hacking the Department of Education because when he was on the site he pressed F12 on his browser, which gives you the website source, and inside the source code, or the source language of the code, in

there, there was PII, social insurance numbers, names of accountants and stuff. So he reports it to the Department of Education and they charge him with hacking, saying that if you press F12 on your keyboard you are hacking and breaking the law. And I was like, damn, I'm way better than I thought. Then you have John Jackson's cease and desist case after revealing flaws in Talkspace. Really? No? He looks... sounds cool. Dennis had a bunch of legal documents served against them because he revealed some Apple vulnerabilities. It's just ridiculous. And then two students actually got reported to the police after they responsibly told the [inaudible] app that they had issues; the app people actually called

the police on them, so two students got arrested. In business, so what do you think this does? For one, it doesn't open up a good communication channel, because if people keep getting arrested and charged they're afraid. It's scary to get a letter. I know it's just a piece of paper, but you get a letter, that means that there's a whole legal department behind it; it's got this power. So then you're kind of like, well, maybe I'm not going to hack anymore, this kind of sucks, it's negative, I was trying to help them and all of a sudden I'm not being treated very well. The other thing, long term, is that people find vulnerabilities and guess

what, if it's really good it's worth millions of dollars, and guess what you're going to do if the company doesn't pay you: you're going to go to the dark side. So zero-days is a giant market. I mean a lot of people here maybe work on zero-days; that's why they're driving really cool cars, like supercars. And we want to be able to have that energy and all of that work funnelled in a positive manner. You want to make sure that companies are open to this. In the last 10 years we've seen a lot of programs and big companies accepting a lot more bugs coming in, vulnerabilities and things like that, but there's still room, there's still room

for improvement in terms of paying out the bounties. There's a website, I don't recommend you go in and check it out, but you should. It actually offers you different money, different, what do you call it, bounties for zero-days, and you can go on there and be like, okay, if I'm going to buy that house in Barbados I need to find something that's along the lines of, let's say, an iPhone, and I can get 4 million. That is a whole dark market that's there because the organizations, legitimate organizations, didn't want to play ball, and this is where it fuels the criminal mindset in that whole industry. We probably wouldn't have been here if, when people back in the day were trying

to penetration test a company, provided them a report and the company turned around and didn't sue them or gave them something for it, they would have accepted them and used their information; they wouldn't have turned around and turned it into the third largest economy in the world. I mean, there's always going to be that criminal kind of greed to it, but I feel like we wouldn't be where we're at now if we would have accepted this kind of, been more open to some sort of negative feedback and learned from that. So why, why are companies like this? Are they evil? Do they all have, you know, blue and orange faces with hands sticking out like

that? That'd be really hard to see, by the way, if you don't have eyes. So... man, these jokes are dropping like flies. Amazing. Okay, so why are companies like this? It's normal. I don't blame them for it. You've invested everything into the business and all of a sudden everything could be gone because someone hacked you and you're going to be sued and people are going to be upset at you, your investors are going to run away. So it makes sense that companies have a fear of embarrassment; they have a fear of financial losses. So you become defensive. If your friend comes up to you and starts calling you names, the first thing you're going to do is say

please give me some more? No, you're going to be defensive, like, why are you calling me that, don't call me that, I didn't call you... Internally, the guidance that companies have typically will favour minimizing the impact, which means putting Band-Aids on it. So internally the tech groups might say we can make this go away; I don't want to lose my job either, I'll make this go away for you. So there's a lot of internal discussions that would benefit from a third party or a fresh look at things from a different perspective. So that gets them in trouble. Also hackers, ethical hackers, researchers, doesn't matter what it is. So when I first started my business I

actually sat outside on my doorstep and cold-called companies that were recently hacked. I had a system where I would look it up, anybody from Canada, and I would call them up. It was hard, and I understand it, because from their perspective it's like, who's this guy and why is he calling me? He probably wants money, he wants to take advantage of what's going on. So much so that when I called one law office in [inaudible], the lady says, didn't you just call me 5 minutes ago? I'm like, no. She's like, well, another Andrew from the LockBit group just got off the phone with me. I'm like, he uses my name? And I'm like,

I know it's a common name, but man, that kind of sucks for my business, right? So that type of thing. So she's like, how can I trust you? So you can offer things like, you can look me up online or whatever, but it's already really hard. And to start off with the misunderstanding of what the impacts are and so on, the fear makes everyone close in under a group of friends and colleagues. The biggest long-term impact, if you don't take any sort of feedback from these other researchers and so on, is that you're going to be losing out on making your company more secure. It's like having somebody proofread your paper before you hand it in:

you've been working at that for days, you can't see anything, and there's like misplaced bullet points that you forgot to take off. I should have had a third party look at it, right? So this is the thing. Oh yeah, this chart; it's the first chart I've ever included in a talk, because I don't like charts. It's a mind map, and I don't know if anyone can see this, so I'm going to try to laser it. So this is typically how it works: the breach detection. There's a ransom note, or your systems go down, or somebody screams in your office. The internal staff, with good intentions, tries to do it himself or herself and contacts the

ransomware group, which I would recommend not to do. Do not do it yourself. You could have the intentions to do it, but prepare; I'll tell you why after, because that usually goes wrong. The attackers escalate the impact and the ransom: what could have been, I don't know, $30,000 is now $300,000 because they think you're messing around with them. Then let's say 48 hours to a week passes and the attackers publish the breach on the web, and this is typically where the researchers get wind of it from different sources. Different groups publish at different times, so it's kind of hard to say it's going to be a week, two weeks,

whatever, but they don't usually do it immediately unless something goes wrong. Your MSP, your IT, goes, oh, don't worry, we don't need security, we have our systems backed up, I can just flick a switch, everything's back up. Cool, everyone's happy. The business is told by the technical folks that everything's done and we're back up and running. What's wrong with that? Is it the same? Is it a better system? Is it patched? Is it going to let the people come back in? It is. So repeat victims: you'll see in the same forums, you'll see repeat victims getting hit multiple times. Why? Because they do this, they just back up, sorry, they restore from backups that have the

issues in the first place. So this is typically what happens, and a lot of it doesn't even touch on the data that's on the web; it's as if it's forgotten. So you see a lot of scams come from this: the use of AI to punch through a lot of the data that's on the dark web. You can create profiles for individuals and do custom attacks on each one. What I'd love to see is this: when something happens, we go from here all the way to here, and then you let me or someone like myself do the talking for you. Why? Because I'm not going to treat the attackers like they're idiots. I know it's a business

transaction. I know they're doing their job; even though it's not a nice one, they're doing their job. I'm not going to insult them by pretending like I'm smarter than that. So I'm going to negotiate down from 250,000 to 25,000, but guess what, and this is hilarious, I obtain a penetration test report from them. What? They actually give me a really nice professional report telling me how they did it. I can't get that for $25,000. You try to get somebody to do a penetration test, you've got to scope it down, whatever, it's ridiculous; you're not going to get it. Here you're actually going to get it. I ensure that the data is removed from the dark web, or people like myself... I'm

not trying to sell myself here; I'm saying this is what you benefit from. You assess the privacy and data impacts, so you can look at it and say that you're going to have a bunch of [inaudible] impacted, you're going to have municipal departments impacted. What can you do? We can provide the remediation steps and so on, address the gaps and actually fix it, and give you a foundational security to make you better. This is kind of what should happen. This here has good intentions, but it doesn't work. Another thing I saw: London Drugs. Anybody know what that is? Yes? Yes, okay. It's like the street drugs you buy in London.

When I saw that, there was a lot of this; it was a lot of the CEO, the COO, pushing the CISO aside. I don't know if we have CISOs in the audience, but CISOs don't typically have a seat at the big boy table or big girl table; usually they report to the CTO, they report to other people. So this happens here too. So it's like this guy right here: he has a lot of really good information that he can provide to the media and clear up a lot of the worries, but that doesn't happen. This is also a problem, that you have executives in companies that feel like they know how to deal with the media

better, but in cases where it's very technical, somebody that's technical and is there to do the job should be the one talking. This means that you won't get things like "there's no impact, there's nothing to see here", because it's BS, we know that, and then it comes out later that there are a bunch of impacts on people. So a lot of things are misrepresented, there's poor communication and people lose trust. The third-party assessments I was talking about: it's like a fresh set of eyes looking at your paper. The benefit is that you kind of remove all those internal biases that you have. Let's not lie: if you're doing the work and someone says, oh, this is broken,

you're looking like, it's not broken, it works 100%. So we need to remove that; you need to have someone external come do it, similar to financial audits on organizations. You have third parties come do it. Why? Because now the public knows that a third party has an eye on it; there's no internal bias that kind of massages or changes the truth a little bit. The biggest thing is that they will identify the breach impact overall, recommend actionable fixes, and it definitely increases accountability with independent oversight. The biggest thing I'd like to see as a positive is that you, as an organization, turn these breaches into

opportunities to become better. A lot of people don't like to be told, or to have constructive criticism given to them; it sucks, but you can use that as an organization. You're getting free pen testing, somewhat free, but you're getting that information where you'd otherwise have to go out and seek it, and it's unbiased; they actually want to do that. So the biggest thing I offer to organizations and ethical hackers: try to work together with the organization. If they turn you down the first time, try other routes to provide them with the information. Don't get yourself in trouble; it's not worth it. The biggest thing is reach out to some of the victims, have a candid conversation

and find out if they've been scammed or not. A lot of times they don't want to talk to any of the victims, but if you talk to the victims you'll find out that someone had the deed to their house taken from them because some data that was stolen from this breach has a massive impact, which means as an organization you're going to want to, I don't know, classify your data, minimize the data that you collect. All of these things that you don't really need, you shouldn't have, and it makes your liability a lot

work. All right, so this is the fun part. I want to make the cyber security world collaborative, fun, butterflies and unicorns, purple clouds. The idea is that we want transparency, transparency, ethics, we want good communication, and we want the companies and these ethical hackers and folks that are here right now doing the CTFs and things like that, we want to give you that ability to go to a company and be like, look at the work I've done, it's awesome work, you guys can totally benefit from this, I also want to do some good, I also want to get better at my craft, and all you need to do is look at my report and just

recognize that you have issues and maybe give me a bounty or something for my time. That's really where we want to be. We want to be able to have these ethical hackers and researchers go to the companies as a first step, versus going to the zero-days company or the shady, you know, in-the-dark-alley kind of exchange of information. You don't want that, because if you don't support it, it'll go somewhere else. Now I want you to ask yourself, or the person beside you, whichever, you can ask both if you want: what will you do to make cyber security more open and collaborative? What can we do together? What can we do

individually? And the biggest thing I recommend: hacking of any sort, be it physical, digital, cyber, you have to be engaged, you have to remain creative, you have to be somewhat of a deviant, but in a good way. So keep that up and don't be discouraged by any sort of reaction that you get, and you will get cease and desist letters, you will get sued sometimes. Anyways, contact me if that happens; I have some contacts. But honestly, just take action and be positive about it. Now I swear, I promise you're not going to download any malware onto your phone if you click those, but I have my podcast, I have my LinkedIn, please reach out. I love

networking. I didn't do any networking when I was with the government, and I think it's the best way to learn things, learn from others and foster a really collaborative community. So please reach out with any questions. I have a podcast that's super popular; I have like 15 followers on Rumble, so it's amazing. And then that's our website there. And I really want to thank BSides because last year they accepted my talk and it was so much fun that I couldn't wait to come back. So thank you guys for everything, and thanks for coming. It's excellent to have everyone here and I hope to see you again. [Applause]

We have a question here. I also have some more [inaudible] if anyone here...

Sorry, if I [inaudible] the question: so you're asking whether to negotiate or not? Yeah, so this is a massive area of discussion. If you talk to law enforcement, law enforcement will flat out say no, don't negotiate, don't pay anything. If you talk to insurance organizations, they'll be on the fence; it'll be 50/50. My recommendation is address each situation case by case. Now I say that because, depending on what data is actually out there, there's still a possibility to take it off, and I know it's like we're trusting criminals to do the right thing, but really there is a code among thieves, and so they really stand by that because they have a reputation, just like

any company. So if you are going to pay the ransom and ask them to take the data down, what I've seen is that they actually do, and they don't sell it, resell it; that's for sure. There's a lot of other groups that will double extort and do that stuff; you don't see them around for very long. So that's kind of my thing: it depends on the situation. I wouldn't say it's like a rule of thumb or something about whether to pay it or not. I lean more towards negotiating versus not paying at all, purely because you can get a lot more information and make yourself stronger and better, versus just ignoring

it, because not paying it really just says I'm ignoring this. So yeah. How do you get it? Just on the messaging that you're talking to them on. It's like you're talking to a technical colleague. You just say, listen, I'm willing to throw another five grand on the table if you give me a pentest, like you need to tell me how you did this. And sometimes they'll be like no, and you're like, okay, well, this doesn't really help me, so how are we going to negotiate? I'm willing to pay you but I need some information. And typically that works very well, and like I said, these individuals that are on the other side

are human; they're technical trolls as well. So if you were to talk to anybody here right now, you probably wouldn't start off by saying you're an idiot, I'm not paying anything, right? You would start off and be like, let's build a rapport, let's talk to each other, let's find out where you're standing, and then let's negotiate some things out of that. So that's typically how it works. And a lot of the time groups, because there's a whole thing about if you get a negotiator involved, the whole thing's off, so I never go in talking about me being a negotiator. I go in as, I'm helping and I want this to go away as fast as

possible. And that's the one biggest thing, is doing that. And then how to get it back: it's asking nicely. That really works, and I know it sounds weird; it's like, the guy just stole my car, I'm going to go ask something from him and say, how'd you do it? But it works, because technical folks, they're proud of what they did, right? And it doesn't work with every group also, because some of them have like call centres or communication centres, so the person you're talking to isn't actually the person that did it, so they really don't care. So you have to escalate it, like through customer

service. Any other questions? Lunch break. So if you want to talk to Andrew, talk to him outside. Thank you very much. [Applause]

Everybody doing well? Okay, Friday afternoon, I'm glad you're all sticking around, so we're going to get going again. So next up we have Alex, who is going to be following the digital snail's trail. Look...

Good. First, thank you to BSides for having me speak today. So, as you can see, I am a PhD candidate in the Department of Political Science at Carleton University, which means that this is not going to be a technical presentation at all. Rather, my research is in how countries develop their offensive cyber programs, and for funsies I look at how Canada does. My research dates back to about 2017, when Canada was first starting to ramp up its policies, and throughout this time I've gathered up quite a bit of information about how the Canadian Armed Forces, or the CAF, developed its cyber program, and so this is how I now present this research, to show the

general history of how this program has developed. So before jumping in too deep, as a disclaimer, everything here today is of my own views and is not shared by anybody who may be hiring me or who has hired me. And second is that everything in this presentation is taken from open source intelligence or the access to information process unless stated otherwise, and this is all to say that this is really incomplete and that this isn't a complete account, but rather I'm the first one to do it, that not even the Government of Canada nor the military has really tried to put effort into compiling this history, and so that's what I am doing through my website, [inaudible],

to try and gather what we know from open source intelligence and identify where the gaps are, and hopefully provide some pressure to the government and military to give us some more information. And so, jumping into the fun stuff now, overall I've identified about five periods in how the Canadian Forces have developed their cyber program. I'll be walking you through these five periods of what we know so far, and hopefully that ends with a good amount of time for questions. So this all really begins in 1999, when the CF created the Information Protection Centre, and this was their initial computer emergency response team. So it wasn't really too much at this time, but really the necessary basics

for cyber security and cyber defence. But as the CF went into Afghanistan it acquired new capabilities working with the United States and realized that maybe we aren't keeping up with network and communication technologies as we should be, so they start procuring more, which increases the demands for the CAF's cyber defences. And as this is going on, the Communications Security Establishment, which is Canada's signals intelligence organization, starts to conduct penetration testing of Department of National Defence and CAF networks, and I've also been reliably told that the CF is also doing some penetration testing during this period as well, and much of this goes into identifying that what they had at this time just wasn't enough,

which motivated the creation of the Canadian Forces Network Operations Centre in 2004, and this network operations centre still exists to this day. And as the years went on, there isn't too much that we know. The little that we know is that there's a growing amount of capabilities, particularly with network-centric warfare, which is really just all about network communications and joining units with others using cyberspace, the internet and newer technologies, and so that they're trying to keep up with these increased services they are slowly increasing their forces focusing on cyber security, including expanding their communication reserve information protection team into a cyber [inaudible], and this roughly begins what I would say is the CAF's difficulty in leveraging

the reserves consistently. That is to say, you'll find many that are working in the forces in one job but maybe in their private life are a CISO, and they just aren't being utilized to their best in the forces, and it's through the reserves that they're trying to do this. In recent years they've made some changes, but from what I hear it's still an ongoing effort. However, by 2009 the CF really isn't keeping up with the world: by 2009 you have the United States creating United States Cyber Command, and in 2007 you had the cyber attacks on Estonia, and in 2008 Russia's use of cyber operations in its invasion of Georgia. Then this all culminated in NATO, the

North Atlantic Treaty Organization, the military alliance that Canada is part of, agreeing to create the Cyber Defence Management Authority, which was really all about centralizing and overseeing the protection of military systems in NATO, and all the while they're pushing allies to do more. The United States is on the forefront, and more or less the whole of the alliance really isn't keeping up, Canada included. Now with Canada at this point, they still considered cyber as a component of C4ISR, which is really to say they viewed cyber as a tool: they saw computers and they had people that work on computers, and that was about it, and this is problematic because it overlooks

how cyberspace functions as a domain of operations, that we work in cyberspace as well as [inaudible], and this even today is something that many in the government and military just aren't quite able to grasp. And so the analogy that I often use is that this is like looking at the air domain as just airports: you realize that you miss that planes actually fly through the air, because there's a lot going on there. And so as this is going on, CSE is continuing to conduct some penetration testing and overseeing the government's cyber security posture and finds just rampant infiltration and data theft by China and Russia in particular, and this all goes into the first Canadian cyber

security strategy in 2010. Now this was great and all, but about 84% of this funding went to the Communications Security Establishment. Now this did go to help stand up their massive network of host-based sensors that they have to defend the government, and they're constantly trying to expand this network actually, but this kind of left the military and others kind of lost, not knowing what to do, and with little funding to do it. And overall the CAF had kind of three tasks going forward: they were to get their house in order and strengthen their networks; they created a Cyber Task Force, which was to really look at what needs to be done to build

up the forces' cyber capabilities; we had a Director General Cyber there to manage these capabilities; and they looked to allies on what they could do to improve. But Shared Services Canada happened: in 2011 the Government of Canada created Shared Services Canada, which was meant to really centralize the management of information technology in the government. Not a bad idea, except it was really rushed, and there wasn't much thought that went into what military networks should be under the control of civilians versus what should be under the control of the military, and as a result what happened was that significant inefficiency was found at every level, including in service delivery, procurement, resource management, delegation of authorities, and it took the work of the

Department of National Defense and those in the military actively working on this for for to ensure that there was a direct impact on military operations and either good or bad in the end many of these networks were transferred back to the military because they were deemed outside of Sher Canada Mand government Network and as shared services Canada was happening and the military is just trying to deal with someone's outside management of their assets internally it wasn't really much better you had the stand up of the Cyber task force and the director General cyber who what their big task during this time was to optimize current cyber capabilities and set the conditions for additional uh Force development

and partly because of Shared Services Canada, as well as internal issues, there wasn't too much progress during these initial years, which led to the Chief of the Defence Staff, which is the most senior officer in the military, issuing guidance specifically stressing that we need to develop more joint capabilities, so better networked communications, need to develop a cyber force, and we need to operate in cyberspace like it is a domain. Now this was also the first recognition by the military that identified cyberspace as a domain, but this was ultimately purely military and wasn't policy for the government yet, and in the end all of this failed because of a lack of ARAs. And ARAs refers to authorities, responsibilities and accountabilities, and the best way to understand this is as the who, the what and the how of military command and control. So you can quickly understand that if there's conflicting ARAs in a rigid hierarchy such as the military, this can create some big issues, and hopefully some that people can see in the back: the highlighted is where the management of the cyber assets really were, so they have been all over the place in the military, and this created issues no matter what portfolio you're really looking at.

Now internationally things were moving much quicker than Canada was. At NATO in 2014, members agreed that Article 5 applies to cyber attacks. Now Article 5 is the mechanism of NATO which states that an attack on one of us is an attack on all of us, so in 2014 they say a cyber attack on one of us could mean a cyber attack on all of us, and this escalated further in 2016 when NATO agreed that cyberspace is a domain of operations. And so this may not mean too much, but what it actually means is that the NATO alliance is treating cyberspace like any other military domain: they're treating it as the Army would treat land or the Air Force treats the air, and this is a very conscious effort by them to invest more in treating threats in cyberspace more seriously, and out of this they agree on the Cyber Defence Pledge. And the Cyber Defence Pledge is really just an agreement that we're all going to invest more, and all the while the United States is setting the tone of what all these investments are, and the United States is slowly adopting a strategy called persistent engagement. And persistent engagement is all about being confrontational with threats to ensure that threats and APTs aren't able to relax and aren't able to get a strong foothold, and that they always have to worry about Cyber Command on their back, and we can quickly see that a lot of this comes to inform Strong, Secure, Engaged. In 2017 Strong, Secure, Engaged was the Trudeau government's big defence policy, and it's a major milestone in how the

CAF developed its cyber capabilities, because it established three major things. The first was it recognized cyberspace as a domain of operations; as I noted, this is very important, for now this was a full political recognition of this by the government. You have a cyber force being created to really professionalize the service of those working in cyber, and in addition to creating this cyber force they would assume an assertive posture, which means that they would develop the ability to conduct offensive operations, and lastly they would have all this under a deterrence framework. And now cyber deterrence does not work, but that's a talk for another day.

And so as they began work under Strong, Secure, Engaged, they were able to quickly stand up the cyber force. Now much of this was built on previous work beginning in 2013 under the Chief of the Defence Staff, but in 2017 they actually finally now have a trade, and this started the overall professionalization of the service, and then in 2021 you have the first class that graduates, and in 2022 you have the actual badge authorized and approved. You can see that on the slide here; there we see all of those likely working in cyber in the CAF, and they are now conducting a study about a cyber officer trade as well. So now that they have a cyber command, they're really trying to build it out with professionals and those with a lot of knowledge, and this includes having a cyber officer trade.

And this is roughly what the training looks like: the training for a cyber operator is approximately 72 weeks, and so 60 of those weeks is at a civilian college, that could either be Willis College here in Ottawa or Nova Scotia Community College. I haven't heard much about Nova Scotia Community College, but Willis College does not have that good of a reputation in the CAF. I'm not sure if that has to do with how the Canadian Forces School of Communications and Electronics runs the 12 weeks that they have there; I hear that most cyber operators flunk out at that point. I don't know if that has to do with Willis College, but this is information that hasn't been told to me. And we ultimately have the Royal Military College as well, that has a lot of great coursework that you actually see online; this includes malware analysis, exploitation, a lot of cool stuff. They recently also started the cyber security foundations program, which is sort of the professional development program of working through all the RMC classes that they have, and they also do general certifications and send out people for training, the usual training that a lot of people will do. And so this is sort of the basics of what they're

doing, but they are looking at expanding even more. But as the CAF does this, CSE is up to some very cool stuff, and in 2019 the CSE Act is passed. Well before the CSE Act they already had existing mandates for cyber security and information assurance, and technical and operational assistance, so this allowed them to help the rest of the government; this is what allowed them to conduct those penetration tests in the early 2000s. But now they have a new mandate for foreign cyber operations, and under foreign cyber operations they can conduct defensive cyber operations and active cyber operations. And I'm sure you're all thinking, oh, defensive cyber operations must be defensive. Now what the Government of Canada often kind of misunderstands, even in their own legislation, is that defensive cyber operations and active cyber operations are both offensive cyber operations; what they actually define are the conditions under which CSE can be authorized to use offensive cyber operations. So in a defensive cyber operation Canada is under a direct attack, and a defensive cyber operation is in response to stop that attack, whereas an active cyber operation is really to disrupt threats that exist and aren't necessarily actively attacking you. Now for a while the Government of Canada was using the same language on the Canadian Armed Forces, but since the creation of Cyber Command in September they're increasingly using what many call Western definitions of cyber operations, so you'll see them refer to defensive cyber operations and offensive cyber operations. What I have yet to really see them go into is active defence operations, how they view these, and there is still yet to be a determination on the degree to which they can conduct computer network exploitation versus computer network attacks.

Meanwhile at the Department of National Defence they conduct some audits, figure out they have issues with their ARAs; the recommendation is they should do something about their ARAs. This is me paraphrasing; this is literally just saying they should fix their ARAs. And so in 2021 that's basically where they're at: they stand up the cyber forces, they do have an offensive cyber unit, but the ARAs, they're now finally figuring out what everybody already knew, that before really anything gets done they need to figure out what to do with those ARAs. And this is why I often talk about the development of cyber capabilities in the CAF as connected to digital transformation, because the mechanisms for digital transformation in the CAF are exactly the same as with cyber, so the inability for both of them is exactly the same.

But Russia's invasion, rather second invasion, of Ukraine in 2022 completely changed how the government is approaching cyber defence. So a few different variables play into how the policy changed. First, Russia's use of cyber operations on every

level of its invasion motivated NATO, and particularly the United States, to push its allies, including Canada, to do more, and it's part of this pressure that Prime Minister Trudeau promised that Canada would be more confrontational with Russia, and he specifically stated in cyber as well. And it's during this time that the military comes to the agreement that we can't wait to digitally transform anymore, that we have to proceed even if the government is being slow, and so they started to plan it even without the government's input.

And a few things immediately followed from here. The first was that Canada established a hunt forward operation in Latvia. Now a hunt forward operation is a joint defensive cyber operation conducted between a host country and another country that is embedding what's usually a military unit, and Canada established this as part of their commitment to NATO in Latvia, where they have their enhanced forward presence, and it's become a regularized part of their commitment to NATO there. And we know that this began roughly in March or April 2022, because the Government of Canada deemed both Ukrainian and Latvian networks as systems of importance, and this is a key phrase, because systems of importance has an important meaning under the CSE Act, and so this means that CSE can provide direct support to Ukraine and Latvia with cyber operations. And we get an idea that the hunt forward operation has been fully set up by May 2023, when the United States released a press release saying that they completed a hunt forward operation with Canada and Latvia, and so this is quite usual, to get the news about what the Canadian military is doing from the US military.

And the second thing that occurred was an authorities review: the then Minister of Defence Anita Anand ordered a review of how the government can order the military or CSE to conduct cyber operations, and what was found was that the government can authorize cyber operations through Crown prerogative. Now I won't get too deep on what that means; rather, what this means simply is that how the government deploys the military in a traditional context are the exact same ways that the military can deploy cyber operations, that currently there is no distinction between how either are deployed, and so this actually gives them an enormous amount of flexibility in how they can deploy the military, specifically for cyber, and this differs quite a bit from how they can deploy CSE. As I discussed before, the active and defensive cyber operations define clearly in what circumstances they can be deployed, and we know this directly contributed to how the government understands the use of cyber operations, because they authorized the Armed Forces to conduct a cyber operation in 2022 or '23. The map there has no relevance; it's

just for vibes. The year-end reports for National Defence, the 2022-23 annual report, has a lot of great information in there that I would really recommend anyone to read, but the key part of it is that it states that the CAF conducted an offensive cyber operation with the Communications Security Establishment, and in particular that Crown prerogative was used as a justification for this attack, for this operation. And so this highlights the importance of CSE and its relation to the Armed Forces, because of CSE's technical and operational assistance mandate: when CSE supports the military, say in an offensive cyber operation, they do so by adopting the mandate and authorities of the CAF, and by doing so they also enjoy the benefits and exemptions of the military. And so when they do so, CSE's offensive cyber operations are not reported as cyber operations; they're instead reported as a request for assistance from the military. And going to even more concerns there, the military has no obligation to report if they've conducted a cyber operation. While they did report this in their year-end reports, this was an amazing feat of transparency that they aren't really known for. So there are mechanisms in place for the government to use the Armed Forces to hide behind when they conduct cyber operations, even with the Communications Security Establishment, and much of these activities came to inform Our North, Strong and Free, the defence policy update that the government released this year in April.

And the big thing that Our North, Strong and Free announced was the creation of Cyber Command. Now this was something many people were calling for for years, including myself, and so this was a bit of a surprise, as we really didn't expect it to happen. But even better, the month after that the Digital Services Group was created, which is meant to fix all of those ARA issues that I had discussed, and finally in September Cyber Command was created, in very quick order. And looking at the defence policy update, it actually looks like Cyber Command is being given a good amount of funding. Unfortunately, I have learned that not all of this is for Cyber Command, that the listing specifically refers to both intelligence and cyber operations broadly. So although the whole 917 million over 5 years is for enhancing cyber operations, I've been told that they are quite happy with the funding that they are getting, but Cyber Command is not getting that full 917 million. Despite that, when you compare the funding to a lot of other things in the defence policy update, cyber operations is getting significantly more funding than many other traditional capabilities that you would think the government would be investing in, and the total budget over 20 years

is 2.8, but as we are likely to see a change in government, take this with a grain of salt. And the Digital Services Group, I would argue, is an even more important creation than Cyber Command, because it joins the Chief Information Officer group in the military and the digital transformation office into one big organization; rather than try and figure out the ARAs and what organization does what, they said screw it, roll one organization out. And this is all really process driven, and more than anything they're optimistic they might be able to find some cost savings in there, but ultimately they're after efficiency, to ensure that they can not only provide the services to the military but procure new capabilities, but also provide that support to Cyber Command, because a unique part of the Digital Services Group is that it provides direct organizational support to Cyber Command. And this is unique because normally, say, Special Operations Command, which Cyber Command has modelled itself on in how to stand itself up, they have most of these activities done internally by military members, and so they're outsourcing a lot of this to the Digital Services Group, where they believe that this creates a lot more efficiencies by allowing Cyber Command to focus on operations.

And so by being able to focus on these operations, what General Yer, who is the commander of Cyber Command, calls a minimal viable command; so he calls it a minimal viable command, directly mimicking minimal viable product, because they're establishing kind of the basics of the command so that they can build out this organization into what it needs to be, because this is quite new for Canada and really most militaries. At this point the CAF is starting to become more mature in developing a cyber command than other militaries; it's really looking at the rest of the Five Eyes members and the United States on how to build this out. And what Cyber Command includes is likely a bit more than you may initially think. So they have the Network Operations Centre that we discussed at the beginning; they have the offensive cyber units with connections with CSE, we still don't know too much about what that's going to look like, but they are quite confident with the capacity that they have right now and the level of training and recruitment that they do have, which is unique, because for many years they were always stressing for even more people, but actually it kind of sounds like now they're quite happy with the amount of people that they are getting. And they also have signals intelligence and electronic warfare, which was a surprise to some people but a fantastic inclusion, and they're formalizing their relations with CSE much better. What this is going to

look like is likely how CSE has its connections with Global Affairs Canada, which has some assistance in its program at the Communications Security Establishment to just kind of figure out what are the laws and what are the conditions if you are going to conduct an operation, and so this is the kind of connections that we can likely see in the future with both CSE and likely Global Affairs Canada. And they also specifically state that they're building towards kind of the spoke and wheel model, where Cyber Command is there for pullback ability and supports the main activities of cyber defence; you might not see this in the form, but the Digital Services Group is now kind of connected to everything, and when you're talking about cyber and digital activities, I would say that makes sense.

And going forward Cyber Command has quite a few challenges; a lot of it is kind of internal. The government's procurement system is really not made for cyber capabilities, or really digital anything for that matter, and as much as they were happy with recruitment and training, they're now looking at kind of specialization. Now they're already looking at developing a cyber intelligence program, but at the moment they have intelligence officers doing that, and even they kind of don't want to call themselves cyber threat intelligence, because it's a joke compared to what the actual industry is doing, but they're just trying to grow out what they actually do as a CAF. And that leads to the next challenge, which is scaling their growth: as they started as this minimal viable command, as I mentioned, they're looking at building the initial operating capacity and from there what it means to be a cyber command, as we don't have too many countries to compare ourselves to; we have the United States, which has massive amounts more than we have available, so it's really about what a small-scale one is. And other issues are really to do with politics, that the Government of Canada tends to be very risk averse, and this trickles down to how the military operates, and there's a greater need to provide and have trust in what the military is doing, that they spend their careers working on this, that there needs to be more trust in what the military is doing. And ultimately, because there's likely a change in government soon and political parties use National Defence and the military for political purposes, there is a concern that this will affect not only how Cyber Command is created but also overall Canadian defence.

And if there's anything to take away from this, it's that as much as the CAF digitally transforms, it requires more cyber capabilities, which for this audience I know isn't much of a surprise, but despite this it's always US or allied pressure that actually causes policy change in Canada, and that all the while CSE always tends to be there to provide that good assistance and to provide support not only for the government but also for the CAF, and not just assistance, but also they're working very closely to develop the offensive capacity. That's really what they've been working on since 2017, since being given this mission, not only building up this group of offensive cyber operators but also working with CSE. Thank you. [Applause] I'll open the floor to some questions.

EMP: Thank you for your talk. If you were in a position of authority or power to be able to guide the development of CAF cyber, or if you were able to, I guess, determine policy priorities, what were some of the areas that you think should really be focused on and expanded on and developed over the next 5 to 10 years?

Well, I would say right now I'm optimistic about what they're currently working on, and this is something I would not have said even a few months ago, that they are really engaged in how to not only build out the organization but the specific capabilities there. I strongly believe what they need to work on is better public engagement; this could be said about anything with the military, but engagement with the academic community but also this community, to better understand what it means to operate as a cyber command in Canada, because when we talk about cyber commands we often look at what the United States is doing, but what Canada is building is much different from what the United States is doing, in that it needs to develop its own thinking and strategy to this. As I testified to the House of Commons that a cyber command needed to be created, but also that they needed to understand where they fit within persistent engagement, that I mentioned briefly in the presentation, that the United States' strategy of persistent engagement is a real defining strategy on how countries are approaching bad actors, largely APTs and states, so what Canada needs to do really is figure out where they fit in that strategy, if they're going to do like a carbon copy of it or have their own unique Canadian spin on persistent engagement.

Hi, Joy Cher from the RCMP Department of Security. How open is the CAF to data sharing with other GC departments, with their cyber incident monitoring and other capabilities?

I would say in theory they're very open to it; their potential for it is a lot more difficult than that, because you're dealing with national security data, but also their general capacity for that data, as data evaluation in the CAF is 10 years behind, I would say maybe even more, that they're just starting to get their hands on data evaluation. So I would question the degree to which they even have that data available, and they would likely be open to sharing it with national security agencies. With the RCMP I could see some potential there, but I know a lot of the connections between the CAF and RCMP are quite weak, that the usual level of collaboration is more often with CSE, for obvious reasons. Thank you.

...any means to inflict harm or change that the target would not wish, and so this is my own definition here; the definition that the Government of Canada uses with offensive operations, you won't find anything on that. The closest that you'll get is kind of the active cyber operation stuff that I had talked about, so for me that's kind of how I perceive it. I view offensive capabilities and operations in a very broad understanding, not just in a linear fashion, but they can either be drawn out or... it's really context dependent here. For the CAF, they don't have as mature of an understanding there quite yet; I know that they have some doctrine that discusses it, but at least the doctrine that I've seen is quite old, so I don't know to what degree they've matured since; I think it was 2017 that I saw their doctrine on that.

Yes, that's... I'm not sure to what capacity the CAF will be developing malware, but if you look at budgets you see that CSE is purchasing malware, likely from the US; what that malware is used for, what kind, we don't quite know yet. Okay, thank you very much. [Applause]

Good afternoon everyone, thanks for coming out to my talk. As you can see, this is me in front of the White House in 2022; the goatee will never come back again, but the White House was a great trip. We're going to talk about contextualized threat intelligence and the value to your organization, how to actually build a program that can actually address this issue. So just to go over, we're going to go through the agenda today: we're going to do a quick introduction, we're going to talk about building your operation, we're going to talk a little about analysis and reporting, and hopefully if there's time we're going to do a little bit of a question and answer, time permitting.

So in today's rapidly evolving threat landscape, enterprises face an unprecedented volume of sophisticated threats. Traditional approaches to security often fall short in addressing the complexity and speed at which threats emerge. This presentation highlights the transformative role that contextualized threat intelligence plays in modern enterprise security operations. By transforming raw data into actionable insights tailored to an organization's unique environment, contextualized threat intelligence empowers security teams to proactively defend against threats, prioritize risks, and respond more effectively. Join me as we explore how this critical capability enhances decision-making, optimizes resources, and fortifies enterprise resilience in the face of cyber adversaries.

Building your operation: so as you can see, we have to face a certain amount of challenges that everybody understands, and these are a lot of the traditional style threats that we face. Everyone here has dealt with a ransomware attack; if you work in the IoT space, IoT attacks are a big thing; cloud attacks are a massive issue at the moment; and generally if you go down the list, everyone in this room has probably dealt with one or more of these types of attacks at some point in their day-to-day operations. So why cyber threat intelligence? Cyber security is more challenging today than ever before; every day enterprises face new threats that are more sophisticated, more targeted, and often harder to detect. At the same time, the sheer volume of data security teams must analyze can be absolutely overwhelming. Raise your hands, who here has worked in security operations, right? Who here has been absolutely exhausted from alert fatigue? Exactly. So we all know the pain; it's like trying to find a needle in a haystack, except the haystack keeps getting bigger and the needle keeps moving forward. So some of the key challenges: first, the evolving threat landscape; attackers are constantly adapting their techniques, making yesterday's defenses insufficient for today's attacks. Second, we're dealing with sophisticated adversaries; they aren't just lone hackers anymore; many attacks are orchestrated by well-funded, highly organized groups with specific goals, and

I'll have you know some of these APTs have better HR, healthcare and benefits than some of our organizations, true fact. Third, data overload: security teams are inundated with alerts and indicators, making it difficult to focus on what truly matters. And last, the technical integrations and qualitative reporting you must produce for your organization shouldn't leave them asking why they are spending money on threat intelligence. Now the whole thing of this goes down to the so what: why do we do this, why do we do intelligence, why do we produce reports?

Now we understand the challenges, let's dive deeper into what contextualized intelligence really means and how it transforms raw data into actionable insights. Have you ever wondered why some security alerts feel more relevant to your organization than others, even when the underlying threat data seems similar? This is where contextualized threat intelligence, or cyber threat intelligence, comes in, or CTI for short, and it makes all the difference. At its core, CTI is about taking raw threat data, like IP addresses, malware signatures or phishing links, commonly known as IOCs or artifacts, and enriching it with context to make it actionable, to defend or to mitigate. It's not just about knowing there's a threat or admiring a problem; it's about understanding who's behind it, why they're targeting you, how they're operating, sorry, and most importantly what it means for your specific organization.

There are four key components to threat intelligence that's done effectively, or sorry, to contextualized threat intelligence that's done effectively. First, understanding the threat actor and their motives, whether they're cyber criminals looking for financial gain, activists pursuing financial goals, or nation states conducting espionage. Second, analyzing their attack methods and tactics, for instance the tools that they use and the vulnerabilities they exploit; you have to understand their TTPs, their tactics, techniques and procedures. Third, assessing the impact: what could happen if this threat materializes. And finally, ensuring organizational relevance: connecting this intelligence to your specific industry, infrastructure and risk profile.

Now I'm going to give you an example. Imagine if you receive an alert about a new ransomware variant; without context it's just another threat in a sea of alerts, but with contextualized threat intelligence you learn that this ransomware is actively targeting organizations in your sector, it exploits a vulnerability in software that you use, and it's linked to a group known for stealing sensitive data. Suddenly it's not just noise; it's a clear, actionable priority. So what's the so what of this? The real power of contextualized threat intelligence lies in its ability to cut through the noise, transform data into action with actionable insights, and equip your team to act decisively. On the next slide we'll explore the tangible benefits that CTI will bring to enterprise security

operations. So while I just finished talking about, so we're talking about the business value risk approach. So if you guys look at this, it's all about speaking in the language of risk. So while I just finished saying that, you know, the return on investment is an incorrect measure to determine the success of your program, right? You want to focus on speaking solely the language of risk, and you want to actually make that context into something that makes sense and means something to your organization; that's where the ROI can come in. Let's talk now about what are the key points of pitching a risk-based program to your board of directors or to your senior leadership.

First thing is prioritization: you should set a long course of required investments, categorized comparatively between two or three different cyber security solution technologies or threat intelligence technologies per category, with a focus on an outcome-driven justification. In other words, you can't just rely on one tool, one feed, one specific type of sole-source information for your intelligence. Going back to my days in SIGINT, we never ever relied on just a single source to provide us with actual information; generally you need multiple sources of collateral to verify that the information is quite possibly real, or has a higher percentage of being potentially real. The same methodology applies to cyber justification: each different tool, technology and headcount request should come with a legitimate business justification for the necessary investment, and this goes back again to so what. And three, eliminate silos: work across your organization, you need to break silos and pitch the value of your security program as a business enablement and protection tool. That's where the intelligence part comes in, because it specifically demonstrates how utilizing intelligence will protect your environment, your customers, your data, before a threat actor even has a chance to manipulate it, if it's done correctly. And so three, you have to eliminate, you have to work across your organization to break silos, and you have to understand that security is just a protection tool, but everyone is involved with security; it's not just the security team that needs to do the security work, it is on you. Beyond just a security awareness training program, beyond just your phishing campaigns or your phish testing campaigns, you have to build a culture of security within your organization, so that each individual member of that organization knows that they contribute to the overall security; they are part of the shield, they cannot be a liability, they cannot be part of the risk. And I'll take this kind of separately: the biggest threat vector most organizations will face is their own employees, their own staff, honest to goodness. We've reached the point of infrastructure maturity and investment that it's kind of hard to just break in

with an open port most security teams are mature enough to be able to check basic basic security principles that be infrastructured later where organizations fail however is getting their personnel to understand why certain procedures are in place why the Sops are so strict why they have to do the MFA why they have to auate in a certain way and why they lose rules or accesses based on changes in their employment status or in their role within the organization they can't just maintain their access to everything forever so program benefits when it comes to cyber security information is a powerful tool but only if it's the right information that's where the contextualized threat intelligence Factor delivers it's your

ability to cut through the noise and focus on what truly matters to your organization that end client specific approach is key to making your SE Sues and your boards see the Val value of your program's outputs now let's explore how this transforms security operations and there's four Keys first is proactive defense contextualize threat intelligence enables proactive defense it is at the very core of the IDE by identifying threats before they materialize you're no longer reacting to attacks after the fact you're actively anticipating and preventing them for example if intelligence shows a new vulnerability is being in your industry you can prioritize patching systems before the attackers Target you and and please be honest everyone who has who

has vulnerabilities in the regular scans that need to be patched that have run for over 6 months it's okay low Pride it happens you guys are just not being honest and that's okay I'll port scan all of you we'll find out for sure

Now, incident response efficiency. It is important to keep incident response efficiency in mind, because threat intelligence allows you to actually have a more effective approach to your incident response, because then you know what the threat actor's potentially doing. The TTPs reveal to you how they will move laterally, or how they will adapt to your operations to counterbalance your defense system. With clear, actionable intelligence, your team can detect, investigate and respond to threats faster. Instead of sifting through irrelevant alerts, which is honestly what most security analysts have to do a lot of the time, they can focus on high-priority incidents, reducing response times and limiting damage. Enhanced risk prioritization: it helps with risk prioritization. Not all threats are created equal, and contextualized threat intelligence helps you understand which ones are also the most relevant to your organization and which ones can be disregarded. This ensures your resources, your time, your people and your budget are focused on the areas that matter the most. And notice, this is going to be a theme throughout this entire talk: budget is everything. Budget justification is everything. You have to explain to your C-suite and your board constantly: why are we investing in people to do this work, why are you investing in these tools to do these activities, why does this program even exist? If you run a TI program, as amazing and as fun and as cool as it is, you are constantly justifying your existence, and it's something you have to keep in mind. It's the price of admission to play. And finally, improved decision making. It empowers improved decision making; that's what intelligence does, that's, as a qualitative tool, its purpose. When you provide that intelligence report to your leadership, it should be a critical factor when they make decisions that impact the security of your organization. Not all threats are going to be easy to consume, but the contextualized intelligence provides a complete picture, enabling security leaders to make informed choices about everything from incident response strategies to long-term investments in security tools, and it also allows those leaders to justify the investment necessary, with those, to their boards and to their C-suites. Let's give you an example. For instance, let's say your threat intelligence reveals that a particular ransomware group is actively targeting companies like yours. Armed with this knowledge, you can bolster defenses in key areas, prepare specific playbooks and train your team to recognize the group's tactics, all before the attack even happens. In short, contextualized threat intelligence doesn't just add value, it multiplies the effectiveness of your entire security operation. In the next slide we'll briefly talk about the necessary components of that security operation.

So, does anyone need me to read through what all these individual components are? I feel like I'm in a room full of mostly practitioners. You guys know what a SIEM is, you guys know what an IDS is, what an IPS is, you guys know what the next-gen firewall is, right? You guys know content filtering, right? You guys know that there is breach detection technology available and that there are also tools that help based on your network's traits.

Now, in order to identify and secure the weakest points along your attack surface in your organization, your security operations team should include intelligence-enabled vulnerability capabilities per SANS best practices. The extent of these services should be outlined in your SOC services plan. So really, when you are doing your vulnerability management, you have to have intelligence in mind, because the intelligence should feed your sensors that are actually conducting the scans for the vulnerabilities. Typically it includes dealing with the vulnerability management cycle, or life cycle, excuse me, as shown in the SANS vulnerability management one. Often times for this type of process you need to have a tool such as Nessus or Metlo; these are very common tools and you can download them. Like, Nessus, I'm pretty sure, is still open source; you can actually download it for free if your organization can't afford enterprise tools. But the intelligence-driven portion of this practice focuses on enabling the SOC to determine the levels of risk each respective vulnerability means to your organization, in order to prioritize your mitigation and your patching. And if we're going to talk about intelligence, it's hard to talk about intelligence without talking about speaking in the language of risk. When you are trying to translate intelligence or security to non-technical leadership, you have to learn to speak in the language of risk, and I think this is something that... the difference between the good security leaders, the effective security leaders, and the ones that still have room to grow, is that the effective leaders understand the language of risk and they understand the language of business at a board and strategic level. They understand the impacts of the investment, they understand the impacts of the potential loss, and they know how to translate that into a language that their leadership can understand.

Now this is the bread and butter: the intelligence life cycle. Who here knows what the threat intelligence life cycle is? Hands up. You've done this before, right? This is actually really important, because this carries over not just in the cyber world; this carries over in military intelligence and civilian intelligence and signals intelligence. It's the same general logic across the board, and, you know, arguably that's why I was even able to succeed in this career, because I had spent so many years as a signaller. I've had security beaten over my head since I was like 17 years old, so when I got into cyber I might not have understood code right away, but I could understand the process of security, because it all boils down to this.

First thing: planning and direction. This is the starting point of the intelligence life cycle, where objectives are set based on your organization's specific needs. So some of the key activities for this: you have to define your intelligence requirements and your PIRs, your primary intelligence requirements, primary, priority, whichever of the two. Basically that means what threats are targeting us, our sector, in our geography. Establishing the scope and focus of the intelligence effort is also in this phase, and allocating resources and setting timelines for intelligence production. Generally speaking, this produces a clear path that guides the intelligence process. Also, just so you know, intelligence reporting, as complex and as difficult as it is, really does have to be in a timely manner. So you have to train your teams to be able to quickly assess information and then produce the contextualized reporting, along with support to decision making, in a very, very quick turnaround time. The faster your intelligence gets into the hands of the decision makers that need it, the more relevant it is. If you're finding something, or you think you found something, but it's really over 24 or 48 hours old, it might just be irrelevant. So you have to be on your toes to do it right.

Second phase is collection. This step involves gathering raw data and information from various sources to address the identified requirements. So some of the sources you can look at: open source intelligence, OSINT. Everyone here does OSINT whether you know it or not. Everyone here does OSINT if you have creeped anything online, if you tried to find tickets for an event, if you've tried to figure out what's going on with your favorite NHL or NFL team because you're going to make a bet on the weekend. That's open source intelligence. Technical sources like malware samples, network logs and indicators of compromise are also important sources to keep in mind, because they feed directly into creating security device content, which is actually the thing that is used to detect those artifacts when they come in contact with your environment. And of course human intelligence, because insights from industry peers, as well as threat actors, can often be a very good direct source. And I'll tell you this story. When I was at DEF CON this year I did about like 4 and a half hours of presenting between the Blue Team Village and the Cloud Village, and so when I was at Cloud Village I was telling a story about how, at one of my previous employers where I was CISO, we had actually repelled an attack by Fancy Bear, which is a very, very well-known Russian APT group. At the end of the talk we're taking questions, and you know, we're all right, we're having a good time, we're having a good laugh, and this lady comes up to me, this very Ukrainian-looking lady, and she says, "Hello, I was part of that group. I was part of that group for 6 years." Now she's turned sides and she works for an American company and she lives quite comfortably in Washington, but the fact is I met my adversary face to face. She remembered the attack I was talking about. That's pretty darn cool, but it's also a really good source of understanding what were the TTPs, and now I can take that information and I can be more nuanced, more refined, in my current environments when I'm trying to defend against Russian, Chinese, North Korean, Iranian state actors, etc. And finally, of course, dark web monitoring and proprietary intelligence feeds. You know, there's great feeds like CCTX, I think they're here as well this week. There's a lot of good feeds that you can get online, subscribe to, and there's a lot of good open source feeds. And of course, if you get on the dark web, you know, try to avoid some of the more insidious things out there, try not to get too involved, but you can find almost all the raw information you need by doing dark web monitoring. The output of this should be a repository of raw data that needs to be processed and analyzed. And by the way, just for tool recommendations: OpenCTI, or MISP if you're playing with garbage, because I think MISP is garbage, if you've ever played with MISP.

Analysis. Here the collected data is converted into a usable format for analysis, so you need to filter and organize your data to remove irrelevant and duplicate information, which you will tend to get a lot of. You have to normalize technical data, such as decoding malware or parsing log files, and if anyone has ever had to go through the process of parsing a particularly heavy log file, or going through a PCAP, it can really be draining on the eyes, and if you're doing it for hours and hours a day, and especially if you're on a night shift, it's like rubbing sandpaper against your eyes. But it's a necessary evil. Hopefully we get to the point that AI tooling can actually make that process more efficient. And finally, you want to enrich the data with contextual details, such as time stamps and geolocations. This is where using tools like VirusTotal or Hybrid Analysis actually comes into play, because they actually provide that type of charting information for you, and they provide reporting from when other users will actually report on that threat actor, and it gives you a centralized source for it based on the IOC or based on the hash. So the output of this process should be structured data that can be further analyzed for actionable insights. This is where the money comes in.

Fourth is processing and production. In this critical step, processed data is analyzed to generate meaningful insights tailored to the organization's context. So in this phase you need to identify patterns, trends and relationships between threats; assess threat actor capabilities, motivations and potential impacts; produce intelligence reports, dashboards and alerts with actionable recommendations. This is your finished intelligence product. This is where I say intelligence, or threat intelligence specifically, is not just meant for people with STEM degrees. You don't have to be a programmer or a coder to be able to do this part. This is actually where you want to have some people on your team who are qualitatively educated, with a more, we'll say, political science background, international relations background, who can actually understand the nature of threat actor motivation. I say this all the time to people: when we are trying to defend against adversaries, we're not defending against the computer, we are defending against people. We are still fundamentally fighting humans, albeit in a digital theater, but you have to understand the human psychology and the geopolitical psychology of where those people come from and what they're associated with. This is how you actually make sense of the data you're seeing. Threat data and indicator data, that's great by itself, and plugged into your security devices it's awesome for proving real value at a technical level, but if you're trying to provide real intelligence value to your leadership, they need to understand who's going after them, what they're going after, why they're going after them, and what is the end goal. That way the leadership, that often times non-technical leadership, understands the nature of the threat risk that is facing their organization, and that they are there to support you and empower you to defend against those threats. It's all a communication process. So this is where my pitch for hiring folks who are not just pure technicians: look for people with liberal arts degrees, look for people with different ways of thinking, because they're going to be the ones who understand the threat actor perspective better. They're going to be the ones that think outside the box and are able to take that perspective. I cannot hammer home enough the value of people who think differently than the standard STEM grad. Much respect to our STEM grads and our comp sci folks; it's all of us together, that's kind of the whole way we win the game.

And finally, dissemination and feedback. This final step ensures that the intelligence reaches the right stakeholders and collects feedback to refine future efforts, we'll say, because really you can always get better. You can always produce better products, you can always filter better data, you can always find better technologies or better means of collecting on new source data, or finding new source data if you're doing dark web monitoring yourself. So some of the key activities for this include sharing intelligence with relevant teams, not just your analysts but perhaps other security teams in your industry, and it might even be with competitors. But honestly, intelligence is a team sport. If we're all Canadians in a Canadian industry, I understand we might be competitors with each other, you know, like I might be competing with Bell on a bid, or CGI, or whatever the organization is, but at the security team level, if someone's going after our industry, threat sharing is the only way that we can protect each other, because if they pwn one of us they're going to use that exact same methodology to pwn all of us. We have to start talking to one another. This whole concept of over-competitiveness between organizations, to the point that we're not allowed to speak or reach out to other security teams in our sectors, that is absolutely a career-limiting move, because we have to rely on each other to defend against the nature of the complex threats that we're facing now. We are facing cyber crime groups that have equal or greater capability than some nation states; we're facing script kiddies that are now renting malware, right. These are the things that we have to understand, and if someone in another organization across town sees it and I haven't seen it, I would really appreciate if they told me, and vice versa.

At a higher level, what does your program need to produce? The production of threat models that provide an ability to make knowledgeable decisions for prediction, preparedness, prevention, detection, hunting, response and forensic actions against various cyber activities and cyber attacks, excuse me. It's acting as a key leadership support tool that facilitates the ability to better evaluate and make informed, forward-leaning strategic, tactical and operational decisions on existing or emerging threats to the organization. Organizations are trying to identify and mitigate various business risks by converting unknown threats into known threats, and this helps them by implementing various advanced and protective, defensive strategies. So this is the whole defense in depth thing, where if you're actually getting advanced recce collection and you're actually building your infrastructure, you are then able to provide a more, we'll say, comprehensive approach to mitigate against the attack. Staying current with the constant innovation of TTPs used by threat actors is also an important factor. Cyber threats are becoming major risks to any business sector, so therefore a robust CTI program will allow you to incorporate and leverage actionable CTI data to strengthen your existing security posture and demonstrate security value to your leaders, your senior leadership and stakeholders. We achieve this by ensuring maximum integration of our threat intelligence program into the security operations program as a whole, which then takes us to the next slide. Oh, this is super awesome, we love seeing this. This is what an integrated threat intelligence capability looks like. Integrated, contextualized cyber threat intelligence in your security operations isn't just an enhancement, it's a necessity in today's threat landscape. But how's it fit in to all the tools and processes you already use? Let's break it down. First is contextualized intelligence, which feeds into key components of your security enterprise, like threat detection systems, right, like your SIEM, like your incident response playbooks, and like the risk assessment playbooks, or sorry, frameworks. To make the most of contextualized intelligence there are a few best practices to keep in mind. The first is automation, so using automated tools and feeds so the intelligence is timely and updated in real time. Threat modeling, which regularly assesses and shows how specific threats can apply to your organization's environment. And then sharing intelligence across teams to ensure everyone from analysts to executives are aligned and informed. Silos are the biggest insider threat against the success of your program. If you are hoarding intelligence, if you are hoarding information, you are doing your organization and your team a disservice. By integrating threat intelligence into your existing tools and workflows, you're not just adding another layer of security, you're making every layer smarter and more efficient.

So I got kind of the less than 10 minute warning, so there's a little bit more to go through, but I just want to go through quickly this section on the analysis reporting. So, bottom line up front is a military style of security and CTI reporting that I have always found highly effective throughout my entire career. It's something I carried over from the SIGINT world. It stands for bottom line up front, and it's designed to enforce speed and clarity in reports and emails. The basic idea is simple: put the most important ideas first, usually in point form. Don't tease, relay your main point, because people are busy and time is valued. The true value of a report like this is that the top level of a report is aimed at the top level of the organization; the further you go down the report, the further down the working level of the organization the report is meant to address. At the very bottom of the report should be security-team-specific information, such as security device content: SIEM signatures, firewall rules, indicators of compromise, and specific domains or hosts being targeted, if that information is known. So I'll just give you guys a quick example and then have a couple minutes for Q&A, but this is like a markdown report, like an actual template that I use. So as you can see, the name of the report should be the big headline; that should be the thing that actually catches the attention of your senior leadership, right. And you have to... this is where journalistic writing comes into play. Anyone in a SIGINT course: journalistic writing is the thing you have to pass before you can ever even go into a SCIF and write a real report. You have to be able to adopt real writing standards and style, which I know can be difficult for some people who have only worked in an engineering world. Your date reported, your collection date. The executive summary, this is really important: the executive summary needs to summarize the so-what of the report in a consumable manner, in usually non-technical language. Then you go into talking about the compromise, if there was a compromise; you talk about the attack description. Now you can start to get a little bit more technical. Now you can go in and, again, talk about what we've been fighting for so many years, doing the actual malware analysis, right. This is going to be more long form; this could be where you put, you know, pictographs, infographics, descriptions. You can actually show if there's a workflow; this is where you write it in. And then finally the indicators of compromise. Your report should always include IOCs; this is the actual technical data that gets fed into your security devices. This is the raw threat intelligence; this is the thing that protects your organization. Be clear when you're putting together your IOCs. Also, just another tip: notice that there's brackets on the last dot there for most of these, right, or at least somewhere on the URL lines. You have to obfuscate it. So just to give you a real-life example: when I was working at my first job at a big SOC, someone actually put out a report without obfuscating the links in it. One of the client service managers sent it over to the client, and the client clicked on the link because it was an active URL. They got pwned as a result of the threat intelligence report that we sent to them, because the CSM didn't actually verify that it had been obfuscated. Little mistakes like that will ultimately get your program cut, or fired. For that CSM, he was fired, but to me it was a lesson learned that I'll never forget. I see your hands, don't worry. And then finally, be sure that you actually put your open source references, like, no one wants to be given a report they think is made up. So actually cite your references. If you can show that you did your research, like showing that you did your homework, is kind of important in this field; otherwise people think you're playing them. And then obviously your recommendations. You should try to provide actionable recommendations whenever you produce an intelligence product report. The point of doing intelligence is guiding decision-making in leadership, so if you're not providing accurate, relevant recommendations, I hate to say, all the technical work in the world, you can create a great story and qualitative narrative, but your report is obsolete. You have to provide actionable recommendations as a result of the threat information that you've found. And of course, put your analyst details. I think it's really important, for the sake of running a team, that you cite the people that contribute and do the work, right, because the last thing anyone wants is to work their ass off on something and not get any recognition for it. It's important, and it's important for our careers, to develop our careers, to understand who gets credited for what and how they contributed. And I think I have less than 5 minutes for questions. I saw one question in the back there.

Yeah, so, one: MISP is junk. I need to tell you this right now. If you ever try to build and manage a MISP environment, it's absolute garbage, and don't ever do it unless you hate yourself or you hate your team. Second thing is, because I believe in education, I believe if you have a non-technical board, like, still put it in, like OpenCTI or whatever it is, whatever your tool is. But part of our job, unfortunately, as security professionals and as intelligence professionals, is we signed up to be educators. I have no skill or qualification as an educator, but I spend a good portion of my week educating my non-technical staff on just what the hell this is, and that education process is important because they understand the value of what you're doing. And again, I think it's also important, as an operator analyst, to be detailed. Like, put the details in, and make sure you do obfuscation, because they might ask you, what about this, what about this, what about this? And if it's URLs that are doing redirects, they need to see how that's structured. Like, there's things sometimes where you'll have a URL for a malicious site that's meant to mimic a corporation, and it's just one letter that's actually made in Cyrillic but it looks like standard English, and that's the differentiation in the URL. You have to explain to your senior executives, like, these are levels of detail that threat actors use to dupe us. Does that make sense?

No, of course, no worries. And again, like, you can each do it a different way, but that's the way I like to do it. Last questions? Anyone over here?

Hi there, recovering CISO. So, question, George, on the theme of it takes a cyber village organizationally: care to comment on the interaction between cyber investigation and HR enforcement? Feel free to reuse the term head spike.

Yeah, the other day I kind of got a little bit overboard. Yeah, so basically if you can actually attribute a malicious action to a member of your organization, or if you can attribute an unintentional mistake that leads to an exploit or exposure, this provides kind of like the evidence chain for you to go to HR and be like, this person is too much of a risk to be employed here, we have to get rid of them, or in some cases, this person likely conducted criminal activity and we kind of need to go to the RCMP, or whatever your authority is. That link between the community and then the actual business functionality like HR, that's when the situation gets real and actually, like, kinetic action needs to happen to that staff. I think you had a question... Time? Sorry. Thanks guys, appreciate everyone.
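Two steps from the talk above, the processing phase (filter, normalize, deduplicate, enrich with a timestamp) and the defanged indicators-of-compromise section at the bottom of a BLUF-style report (the "brackets on the last dot" and the client who clicked a live link), as one added Python example. This is not the speaker's code or report template; the raw indicator lines are constructed, the hxxp / [.] / [@] defanging convention and the `contains_live_indicators` check are this example's own assumptions.

```python
"""Added example, not the speaker's code or report template: the
'processing' phase (filter, normalize, deduplicate, enrich) feeding a
defanged indicators-of-compromise section for a BLUF-style report.

Assumptions of this example: the raw indicator lines are constructed,
the defanging convention is hxxp / [.] / [@], and the live-indicator
check is a heuristic safety net, not a complete parser."""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed raw collection: mixed case, duplicates, noise, as a feed
# export or an analyst's scratch file might look.
RAW_INDICATORS = """
  Evil.Example.COM
evil.example.com
http://Evil.Example.com/dropper.exe
HTTP://evil.example.com/dropper.exe
192.0.2.10
192.0.2.10
198.51.100.0/24
phish@evil.example.com
not an indicator
"""

_EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,}$")
_DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$")


def classify(raw):
    """Return (type, normalized value) for one raw line, or None if the
    line is not a recognizable indicator."""
    value = raw.strip()
    if not value:
        return None
    low = value.lower()
    if low.startswith(("http://", "https://")):
        parts = urlsplit(value)
        if not parts.netloc:
            return None
        # scheme and host are case-insensitive; the path is not
        norm = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path, parts.query, parts.fragment))
        return ("url", norm)
    try:
        ip = ipaddress.ip_address(low)
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    except ValueError:
        pass
    try:
        return ("cidr", str(ipaddress.ip_network(low, strict=False)))
    except ValueError:
        pass
    if _EMAIL_RE.match(low):
        return ("email", low)
    if _DOMAIN_RE.match(low):
        return ("domain", low)
    return None


def process(raw_text, observed_at=None):
    """Filter noise, normalize, drop duplicates (first seen wins) and
    enrich each indicator with a timestamp."""
    stamp = observed_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    records = {}
    for line in raw_text.splitlines():
        hit = classify(line)
        if hit is None or hit in records:
            continue
        records[hit] = {"type": hit[0], "value": hit[1], "first_seen": stamp}
    return list(records.values())


def defang(ioc_type, value):
    """Render an indicator so a reader cannot click it and a mail client
    will not auto-link it: hxxp scheme, bracketed dots in the host,
    bracketed @ in e-mail addresses."""
    if ioc_type == "url":
        scheme, sep, rest = value.partition("://")
        slash = rest.find("/")
        host, path = (rest, "") if slash < 0 else (rest[:slash], rest[slash:])
        return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + path
    if ioc_type == "email":
        local, _, domain = value.partition("@")
        return local + "[@]" + domain.replace(".", "[.]")
    return value.replace(".", "[.]")


def refang(value):
    """Reverse defang() so an operator can load the indicator into a
    SIEM rule or firewall block list."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")


_LIVE_RE = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b|[\w.+-]+@[\w-]+\.",
                      re.IGNORECASE)


def contains_live_indicators(text):
    """The check the CSM in the story skipped: does the finished report
    still contain a clickable URL, a raw IPv4 or an e-mail address?"""
    return _LIVE_RE.search(text) is not None


def render_ioc_section(records):
    """Markdown IoC block for the bottom of the report, defanged."""
    lines = ["## Indicators of compromise (defanged)", ""]
    for rec in sorted(records, key=lambda r: (r["type"], r["value"])):
        lines.append(f"- {rec['type']}: {defang(rec['type'], rec['value'])} "
                     f"(first seen {rec['first_seen']})")
    return "\n".join(lines)


if __name__ == "__main__":
    section = render_ioc_section(process(RAW_INDICATORS))
    print(section)
    print("live indicators left:", contains_live_indicators(section))
```

Running the module prints the defanged section and `live indicators left: False`; the same `contains_live_indicators` check applied to the raw input returns `True`, which is the gate a reviewer can run before a report leaves the team.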

coer and CEO MX I've been working in the security industry for 14 years now and I'm excited to share my presentation and the

effects weaponized m is the private industrialization of deadly and effective exp that have been designed to simplify and produce the technical complexity of launching a multitude cyber killes against an intended target the purpose of weaponized m is to deploy SP agents which multitude operational objectives including Espionage surveillance extortion blackmail and theft of sensitive or classified information many of the vendors we'll be talking about today are commonly referred to as commercial spy vendors or csds for sure they advertise and sell to products like traditional armaments where you would need to purchase a magazine of rounds that can be used with your new weapon the current state of weaponized hour in regards to device surveillance has reached an all-time

high if you're sitting there and wondering if your phone is vulnerable the answer is yes all you need is a phone number and within minutes you can be the next victim as an attacker you have the ability to access the microphone camera emails text messages location services bring history application data and so much more the list will only become longer as I showcase their technical capabilities while we dive into the Hidden World of cover surveillance we must consider that most of our digital lives are on our mobile phones and to many of us extension of who we are as an individual weaponized Mal can have a profound impact on the intended target and the communities in

which they live what I find Most Fascinating about these tools is that they are promly sold by the private sector which actually now surpass government in the development of similar tools required to conduct intelligent operations and cyber warfare commercial spy vendors try to make these attacks as easy as is very easy for the customer with Point click dashboards like the Cyber operations platforms you see here they can initiate attacks to G uh Target devices they can gather intelligence and they can manage existing infections now our industry is full of acrs so I just wanted to make sure that I didn't leave anybody behind with some of the terms are going to be used throughout my presentation

a zero click attack is a term used for an exploit that can infect a device without requiring any user interaction an example would be like receiving an IM message or missing a phone call on WhatsApp a oneclick attack requires only a single action from the intended target typically various social engineering techniques are employed to trip the intended target into opening delicious label non- remote attacks also refer to as tactical infections allows an attacker to exploit devices in physical proximity malicious Wi-Fi networks and mobile Bas stations can be used to silently deploy a zero click or a oneclick exploit attackers can also exploit vulnerabilities in cellular basan software and Bluetooth some leak documents specifically show exploits

that now Target voiceover LTE and Wi-Fi call a strategic ISP infection allows forwork injection attacks deployed an internet service provider or a national internet gateway this differs from standard Mass IP and internet surveillance um as is used to silently deliver spyware to the Target a man in a middle attack or mitm for short is where an attacker can read modify and block manipulate netork requests men in the middle attacks can be used in a variety of different ways most notably for Network injection or trying to bypass encryption a commanding control server has multiple uses they can be used to send commands to spy agent to distribute malicious payloads they can also be used to receive stolen uh data exfiltrated from

target devices. Spear phishing is a serious threat to everyone and can be very difficult to detect. It normally involves sending an email or a message to an intended target from a known or trusted sender; in the case of weaponized malware, the message is perfectly crafted to persuade targets to execute that one-click exploit. Before we get into how some of these attacks work, let's highlight some of the key players in the industry that are very much prevailing today. Many of these commercial spyware vendors are collectively branded as lawful intercept companies; they claim only to sell to customers with a legitimate use for surveillance software, such as intelligence and law enforcement agencies. The reality is that many of these tools are often

abused under the guise of national security, from spying on human rights activists, journalists, academics and government officials. In recent news, Amnesty International released a report shedding light on how these tools are now even being used to facilitate gender-based violence in Thailand. Many of these companies have been found selling to private organizations for corporate espionage, extortion and intimidation. Thanks to the hard work from the European Investigative Collaborations (EIC) media network, with technical assistance from Amnesty International's Security Lab, we finally have a peek into the global spyware trade. As Agnès Callamard, Amnesty International's Secretary General, said: the Predator Files investigation shows what we have long feared, that highly invasive surveillance products are being traded on a near industrial scale and are free to operate

in the shadows, without oversight or any genuine accountability. It proves yet again that European countries and institutions have failed to regulate the sale and transfer of these

products. All right, on to the first one. The Intellexa Alliance is an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products, including advanced cyber mass surveillance platforms and tactical infection systems for targeting and intercepting a multitude of devices. The links between these companies are shrouded in secrecy; corporate entities and structures between them are constantly morphing, trading, rebranding and so on. The Nexa group was created in 2012 and primarily operates from France, specializing in mass surveillance systems. It was actually created to take over another surveillance business from the French company called Amesys. The Nexa group originally contained Nexa Technologies from France and Advanced Middle East Systems, which was the sister

sales office located in Dubai. The Intellexa group, founded in 2018 by a former Israeli army officer, is controlled by a holding company based in Ireland. The main companies under the umbrella are Cytrox, WiSpear and Senpai, which specializes in the creation of virtual avatars for spear phishing. It is unclear whether the alliance, the Nexa group of companies and the Intellexa group are actually still active today in 2024. The Intellexa Alliance is best known for its Predator spyware, which targets both iOS and Android devices. It was originally created by the North Macedonian company Cytrox, which became part of the alliance in 2018. Predator is normally combined with other products that the alliance offers to increase the probability of a

successful infection, using products like Mars or Jupiter for strategic ISP infections, Spearhead, Triton and Alpha-Max for tactical infections, with the optional add-on Epsilon to facilitate man-in-the-middle attacks against mobile devices, or even Automated Active Avatars, or AAA, which is a platform to manage fake social media accounts and messaging application accounts used to social engineer targets into opening an exploit link. And so NSO Group is an Israeli cyber arms company best known for the development of Pegasus. They are well known thanks to the extensive media coverage received during numerous legal battles; they also made headlines when the FBI came very close to using Pegasus for domestic spying in the United States. Early versions of Pegasus, which was

first identified in 2016, used spear phishing techniques, but by 2019 NSO had upped their game and graduated from single-click exploits to zero-click exploits, when it was found that with WhatsApp targeted by Pegasus, simply calling the intended target's WhatsApp number would automatically exploit the device; you didn't even need to answer the call. By 2020, Pegasus shifted towards primarily using zero-click exploits and network-based attacks. These methods allowed clients to break into target phones without requiring any user interaction, and since 2020 many of the exploits used were based on vulnerabilities in iPhones' iMessage and FaceTime features. Pegasus was delivered to the device using a zero-click; it can also be installed by setting up a wireless

transceiver near target devices, or by gaining physical access to the device. RCS Labs is an Italian surveillance company; it's been active for over 30 years. Recently they were acquired by Cy4Gate, which is a company that provides cyber electronic warfare and intelligence to both private enterprise, governments and law enforcement agencies. Their spyware is named Hermit and is known for its ability to infect both Android and iOS devices. Both companies have been surrounded in controversy and have been known to sell to authoritarian regimes. Hermit is specifically designed to infect mobile devices; it can carry out various surveillance activities, including tracking calls, accessing your messages, recording audio and, of course, exfiltrating data from your device.

Their spyware operates using a really interesting modular approach, where additional features can be downloaded after the initial infection takes place. This makes it flexible and adaptable for different surveillance needs depending on the intended target. Hermit is often delivered via malicious links sent through SMS messages for spear phishing attacks. The spyware has been linked to sophisticated operations and often involves collaboration with local telecommunication providers to disable data connections, forcing the victim to connect to a malicious Wi-Fi network where it can actually deliver the payload. It was also found in numerous carrier-branded applications. Black Cube: this company may not possess all of the technical capabilities of those previously mentioned, but it's widely

recognized for its expertise in intelligence services. It started as an Israeli private intelligence firm and has been involved in controversial corporate espionage, legal investigations and intelligence-gathering activities. It wasn't until recently that they were found to have an affiliation with a company called AH Global Technologies, which offers zero-click exploits for both Android and iOS. Their most notable

tool: so basically, if one of their base stations is in a room, every single phone that has Bluetooth is instantly infected. It can penetrate mobile devices without any interaction. Once the device information is collected and transmitted, the agent will automatically erase itself from the target device, removing all evidence of a successful infection. Black Cube was reportedly hired by Harvey Weinstein to gather information on individuals, including journalists and his potential accusers, in an effort to prevent stories of sexual harassment from being published. They've also been involved in