
Tales from the Breach

BSides Seattle · 2024 · 55:55 · 479 views · Published 2024-05
Category: War Stories
Style: Talk
About this talk
In 2022, my org was breached by Lapsus$. We had a multimillion-dollar budget, all the products, all the bells and whistles, copious staff, etc. After the dust settled, I became obsessed with understanding how so many *modern* orgs had been breached in 2022. I scheduled CISO 1:1s with everyone I knew. With those I didn't know, I dove deep into the breach notifications and articles. Patterns started to emerge. Join me in discussing notes and stories from my outreach. Topics: 2FA failure, FIDO, IAM, GitHub/GitLab security, user awareness training, threat intelligence, supply chain security, assets and risk registers, common activities post-breach (cred rolls, breach notifications), priority segmentation for internal networks (protecting internal web control panels), bug bounty, ++
Transcript [en]

Thanks for being here early. We're going one more minute, and then I'm going to launch into a hilarious, hopefully, story from most of our lives about how it feels to be in a breach. I have to narrate it because it's usually audio-based, but there's no audio output, so we're going to do our best.

So if you don't know me, my name is Jason, Jason Haddix. I am probably mostly a career offensive security guy: pen testing, red teaming, web application assessment, cloud assessment. I've kind of done everything in the offensive arena, and in my career somehow I transitioned from being an offensive guy into being a security leader. So I went from being team lead, to then director, to then VP, then eventually to being a CISO at a very large organization. So I've sat in the CISO seat and I've felt the breach, not only from being the red teamer who uses the hacker techniques to do the breach, but also from the seat of the leader who has to experience the breach. And so this talk is a little bit of a mixture of both, and kind of some mental models I built around breaches and adversaries and how they work these days. Hopefully it'll be useful to you guys.

Okay, so we're going to get started. So this is the story of a breach. Okay, so here we are with a threat actor. The threat actor has landed on a network with some creds that he got who knows where. We have our SOC analysts, and they see some alerts; there's something fishy going on. He's dropped some creds, and we have an alert here in the SOC for impossible travel saying this user did some stuff. Now the attacker is on the network and has dropped hashes, and the SOC has noticed that, ah, something's fishy going on here: this user shouldn't be logging in from Russia, so let's look into this session. And so the attacker is like, I better not do anything stupid, hopefully they have EDR. They have EDR, but the attacker has bypassed the EDR controls. Now the SOC has seen that some fishy stuff is going on through Microsoft alerts, and it's time for the attacker to move. So they're on the run, and now the incident response has been initiated. Everybody's investigating what's going on. They're trying to disable the compromised accounts, but they don't know if they have all of them. Threat intel is trying to figure out what's going on, which is a hard task, and everybody's closing in on the attacker. The attacker's on the move, and the detection engineering builds some rules to discover the attacker's TTPs and strangles them out of the network, and that's the end of our march. But wait, there's more: the attacker has another account, so they're off to the races. And you know what they do, these attackers: they really like to get into your AD. And so now the attackers are scaling the different places that they can pivot. You know, maybe XDR will stop this attacker, maybe not, we'll see. No, they unhooked the EDR, the XDR, so now they're scaling to the domain controller, which is the ultimate kind of thing. They're there; that's their goal. And there's another person up there, hello, little... And now the SOC has to go into incident response mode, investigation mode, recertification mode, etc., etc., etc. And that's kind of the story of your average breach these days.

Now I put this video up front not only because it's hilarious, but because it's actually very, very accurate to how stuff happens when you're inside of a modern cybersecurity breach. You know, everybody gets mobilized, and I know this from having experienced this pain, as both a practitioner and a leader sitting in the seat when this is

happening, and having been the person who's executed these types of attacks. So let's talk about my experience. This is my learned experience, right, and so some of it might not match your learned experience, having worked in IT or security in different ways, but I'm hoping my experience is a little helpful. This talk is a little bit of a mishmash between red and blue, so you're in a track that is called like the red team track and like the attacker track, but really it's kind of half offense, half defense, half prescription, and hopefully it'll be useful to everybody, honestly. This is a harken back to, if any of you are like real nerds like me, they used to have this show called Red vs. Blue. It was like a Halo-themed show. It was awesome; I love this thing. They basically made a whole show around two teams of Halo PvPers playing against each other, which was fantastic.

Okay, so let's rewind to what I think is a little bit of an advent in security and adversaries. Let's rewind to 2021 and 2022, when I was sitting in a leadership position at a company that got breached by Lapsus$. Now this is a sensitive one for some people in here, because you work for these companies and your logo is on here. Lapsus$ was a group of young hackers who basically had a whole bunch of really interesting tricks, knew Microsoft infrastructure very, very well, and compromised a whole bunch of really, really big companies. And they flaunted it in a Telegram channel, and basically they were not really out for ransom in most of the cases; really they were out just to shame these companies. And I worked at one of the companies on this list.

Now when this happened to us at my company, you know, we had a really great security team. I had built a great team with great individuals who were highly skilled in their domains. I would say that I covered the checklist of what you should have as table stakes for a security program. I myself, I'm a red teamer, and, you know, paid very special attention to what adversaries are doing, but this group came out of nowhere with kind of... So the first part of this talk is breaking down tactics and techniques from adversaries like Lapsus$ and the ones that followed them, and then again what I saw in the change of adversaries in 2023 and 2024.

So when I was part of this breach, what happened was I got really mad, right, because like I said, I had all of the security products, I had a healthy budget, I had people I trusted on my team. It was amazing; I love that team. And I got breached, and all those other companies got breached. And I'm in a couple of CISO Slacks, the kind of Slacks that you sit in with other security leaders who kind of pretend that they know what they're talking about, but really we're just like ducks on, you know, the lake, with their feet paddling as fast as we can. Like, being a CISO is a crazy job; it's so stressful. And so I went into the Slack and I was like, hey, we all got popped by these kids. How did this happen? Give me all of your threat intel, give me all of your data. How did it happen to you guys? I'll tell you how it happened to me and our organization. And so here's the quick list. And here I am, Tony Stark, by the way, and my buddies are the Iron Legion coming to see. So we put together a whole bunch of threat intel, a big package, and then we distributed it between ourselves.

But let's talk about how these kids, and copycats of these kids, worked in the last two years. So initial access is what we call, in kind of the red teaming world, like the first way you get into an organization, right? And so initial access is really important. A lot of people focus on initial access, like how did these people get in? Well, what

happened to me and all of my CISO friends at big organizations: COVID caused a mass work-from-home event, right? So we had people in offices who worked mostly in office, never worked from home, and then COVID hit and we had to send everybody home, right? It's the responsible thing to do. But we didn't have enough laptops that were corporately managed, with antivirus on them or EDR on them, to give to all those employees. It was impossible for a big organization. Not only could we not do it, even if we had the budget to do it, the vendors themselves at the start of COVID, like Dell and HP and stuff, the people who make laptops, they couldn't give them to us fast enough for that amount of time. And so what happened is we had to pivot very quickly to work-from-home technology, SaaS services like the Microsoft cloud, cloud apps, to facilitate productivity work.

Now what happened is, when we told them all to go home and use their computers, because we didn't have one to give to them, they were using their personal computers, which meant that these are the same computers that their kids go on and play Minecraft and Roblox and Fortnite on, right? And these are the same boxes that sometimes they had torrented movies on, or downloaded PDFs, or had been phished by a mass phishing campaign or something like that. And so a lot of times these boxes were already pre-owned by attackers who were selling access to them. And so then they start logging into these boxes and seeing, oh, they're now corporately connected. And so what they do is, the attackers, they sell all of these credentials online, but then groups like Lapsus$ and others end up going on the different dark net markets to buy the credentials, and all they do is just search for your company's domain. So, you know, let's see, one of the companies that was in the list was Uber, right? Uber was hit by Lapsus$. So in order to get a credential to log into Uber's SSL VPN or some SaaS service of theirs, something like that, they would just go to a site. Back then it was Genesis Market; now there's Russian Market, which is the predominant dark net forum for buying credentials. But they would go to Genesis Market and they would just put in @uber.com, and then anybody who had already been pre-compromised, whose credentials were leaked or whose cookies were already subject, would be in the search, and then they would just buy them for like $5 or something like that. It's ridiculous how cheap credentials are. So this was an issue, and it wasn't just Microsoft services that people were targeting; it was GitHub account credentials, Slack credentials so they can get into Slack, you know, things like that.

And so really what happened was attackers started getting credentials. Okay, so a lot of you are thinking, well, maybe a leaked username and password is not that bad, right, when an attacker gets a hold of that, because a modern organization should have two-factor authentication, right? Now first of all, you'd be surprised about how many modern organizations haven't fully deployed 2FA across everything, right? It's hard; it's a hard deal, especially when you're a giant company. But in this case, because a lot of these machines were pre-owned, not only did the attackers have the credentials, username and password, but they had the cookies. And so if you know about web technology, a cookie basically is a token that you get in your browser, stored in your browser, and it says that you pretty much already authenticated every time you visit a website. And so for some of these services, they could just grab the cookie and log straight into the portal, and this is what happened to a lot of companies who were subject to this. Now in other times they couldn't get access to... what they were after in the end was access to the SSL VPN, usually, of the companies. But in other cases they would infiltrate Slack: they would grab the Slack user credentials and log

into the company Slack, which is a SaaS service, and then they would root around in there for more credentials, because none of us have ever shared a password via Slack, right? Okay, cool. So they would look for more credentials in Slack. And then if they couldn't get credentials that didn't require 2FA, for some reason they couldn't find it, what they would move on to is 2FA bombing. And so this was very publicly documented in Uber's run-in with the threat actor. And so what they would do is, they have creds that were valid, but the company would have 2FA enabled, with this push-notification-style MFA enabled. And so when you attempt to log in, you get a push notification on your phone. It says, do you trust this login, etc., or approve the login. And so what they do is just wait until a prime time, when they knew the employee, like wherever they lived or whatever, they would wait for a prime time where that person was like out on a Friday night or something like that, and they would just send a million logins to this user, so their phone just blew up with like, hey, log in, log in, log in. This actually happened to, I think, three people in this scenario. And so sometimes the user would just be like, get this out of my face, and click approve, right, and let the attacker in. Other people would ignore it, and that's good, and then they went on to like plan C or D in their thing, and they would just be like, okay, I'm going to call this person. So in the case of Uber, they pretended to be actually the security group. They pretended to be the security group; they called up the user and they said, hey, we're doing some integration security testing, you should be seeing a bunch of popups on your phone, can you click approve please? The person was out, I think, with their family at dinner, as the story goes, and then they were like, yeah, sure, I got a call, you know, whatever, and they clicked okay. So again, you know, there are other ways, but mainly they were trying to do this to get access to a VPN or an organization. Okay, so that's initial access.

So what did they do once they were in, right? Well, this is actually one of my favorite parts; it influenced my testing for the next two years, following what these real adversaries did. They didn't do anything that would alert the SOC, usually, right? So all they did was get initial access and sit on the network. They have access to the network now, and they would look at places that have documentation or source code or DevSecOps pipeline tools, and they would gather more and more creds, because invariably in these places we have hardcoded passwords. You would not believe how bad we are at secrets management as an industry. Like, we send passwords to our friends, we store certificates in log data, we hardcode API keys in documentation, there's passwords in documentation everywhere. It is really, really bad. And so what they did is they just used web requests, right? Like none of this really looked fishy to the SOC; they were already on the network, authenticated, and they were just going to websites like Jira, Confluence, CMDB, network log shares to look at network logs, GitLab artifacts, things like this. I have a checklist for you that I built with some other red teamer friends later on in the slides, so if you want to look at these types of things and know where to look, either as a red teamer or, as not a red teamer, as a defender, you can make sure that you're checking off kind of the good list. Okay, so that was the previous version of that talk in a nutshell.

Now I want to talk about my experience from 2023 to 2024. So I left the CISO seat. I wasn't waking up happy; I was stressed out. I wanted to get back to more technical research. I

really loved red teaming a lot, and so I was like, I'm going to go back to red teaming, but I don't want to do the type of red teaming that everyone else does. I really want to emulate like the real bad guys, right, because like a lot of red teams are kind of pentest teams but just with the red team name, but they don't act like real bad guys. And so what I had to do is really immerse myself in kind of the dark web and threat intelligence and figure out what adversaries were actually doing, which meant me creating a whole bunch of sock puppet accounts on these underground forums, infiltrating Telegram channels, talking to friends who worked in cyber threat intelligence and stuff like that. So during this time in 2023 and 2024, like I said, I moved into red teaming and dark web research in order to make a better red team methodology.

So this is 2023 to 2024. Have you guys seen this song before? The "get the [__] out" one? Go. So this is incident response in 2023 and 2024, mostly because of this. So attackers shifted, but not shifted: they augmented their kind of modus operandi of using credentials with attacking public-facing web apps for infrastructure, so things like SSL VPN logins, firewalls, DevSecOps web apps that you control from the internet. And so they shifted, and in 2023 and 2024 we saw a massive number of CVEs against these web portals. And so that was kind of their secondary, if they couldn't get in with credentials.

So I started to build a mental model of what real adversaries do, how they act, and it really pissed off my red teamer friends, like a lot, because it wasn't how they had built their methodologies at their very fancy consultancies. But I found it to work, so I'm going to tell you about how I built my mental model. So most, some of you who are from Microsoft here, other companies, you face nation-state adversaries. This talk is not about them. You are the 5%; the rest of us are like the 95%. And so I'm going to talk about how probably 95% are targeting an organization. Now independently, while I was doing this in 2022, CISA came out with their initial access graph of techniques that adversaries used in breaches that they had studied, which mapped very closely to my individual research. So valid accounts being used was 54% of how attackers got initial access, and that's just buying it off of the dark web. Spear phishing was a large amount, which is also in a red team methodology, and then like some small percentage is actually web hacking, you know, or cloud, sometimes cloud misconfiguration bugs, as initial access. Kaspersky or, I think it's Sophos, I can't remember who this came from, but one of the antivirus companies actually did another simultaneous study, like pretty much came out at the same time as the CISA study, and confirmed kind of these same things.

So let me break it down for you. There is an order of operations that adversaries will use when targeting your organization, and I broke it down into levels in a mind map, because that's just kind of how I work. So level one: if an adversary wants to attack your organization, they will go to the easiest places, which is they will go to the public websites, and they will go to sites like Pastebin or places where breach dumps get posted, which is services like DeHashed or many of the sources that you can see in breach dump aggregator tools like h8mail. And so these things are on the public web, right? You can find torrents of these dumps. Sometimes these are websites that get owned that your employees log into, and then their credentials end up in these dumps, and they use the same credential for your corporate internet, or your corporate VPN. So your attacker wants to check this

first. This is easy; this is out there. Any of you can find this by Googling. You're going to find torrents of, you know, people who have been breached, or breach data. Now level two is getting involved in the dark web ecosystem, which used to be Genesis Market when I started this; now it is primarily Russian Market and the Telegram scene. So level two, they will go to Russian Market and do exactly what I said: they'll log into Russian Market, which is a dark website, and they'll put in @ your email domain, and they'll see if there's any mass phishers or malware authors who have done campaigns with drive-by malware or cred-stealer malware, and they'll try to find you in the packs that they're selling on Russian Market, which are relatively cheap, actually. Then in level three, they'll go to the ransomware-as-a-service market, and they will attempt to... before, you know, LockBit has been supposedly shut down, but before companies like LockBit release ransomware data, there is a private sale that they attempt to do of the data, right? They're not idiots, right? They ransomware a company, and then they try to extort them into paying the ransom, and then if they don't pay the ransom, they go out to a private forum where they try to sell the data to other hackers, and then if all else fails, then they'll just publish it online to shame the company. Now if you are in these forums, you can purchase big packs of ransomware data against companies that you may want to infiltrate. This is more expensive; these packs cost anywhere between 10 and $100,000 to access the full data of a ransomware incident.

Now level four is the Telegram, WhatsApp and Discord market, which is a burgeoning market for people selling initial access and just creds in general. Now the reason that I think the biggest one in here, Telegram, is so popular right now is 'cause Telegram is a chat app, most of you know it as a chat app, but it's held in kind of like a soft non-extradition country, and they don't care what goes on on Telegram. And so what the authors of, or these, you know, campaign runners of phishing campaigns and drive-by malware and stuff like that, what they started doing is building Telegram bots that would offer their stuff for sale. And so this is also the way that drug markets are working right now, counterfeit markets are working right now. So you want to buy a fake Gucci purse? There's Telegrams out there right now that will sell you a fake Gucci purse, or a fake Rolex, or drugs, or credentials. And so there are two sections of the WhatsApp, Telegram and Discord sale ecosystems. There's the public ones, where you can go in them and see what's up for sale and see samples of the data from the breaches and what people are selling, and then there's private channels. So the public ones we were able to look at; this is what I would consider like the freshest data, and so adversaries will go to these. They have access to them, and they will go to them and try to find credentials for your organization. And then there's private ones, which are much harder to infiltrate. The private ones are like invite-only clubs of hackers, and so in order to get into them you have to prove that you are somehow complicit in crime. And so in order for threat intel researchers, like if you have any friends who are hardcore threat intel people and they're like in these things, a lot of times they have to do some illicit stuff to get in there, like trade credentials. Now if you're a CTI person, a lot of times what you'll try to do is trade stuff that's already been published, you know, like creds that have already been published, and trade them for access to the forum. Sometimes you'll buy something and list it up on one of the markets and build up some rep, like buying things, like I said, like Gucci purses. Like on the scale of stuff you

can buy that's illegal, that's pretty low, right? And hopefully you can get invites into these private forums that do other illicit things, like get stealers, stealer logs. So I have stealer logs mentioned there on the public and private thing, because basically what happens is the drive-by malware and the malware authors who do giant campaigns against the swath of big internet targets, they sell in the Telegram channels what's called stealer logs. And so stealer logs is basically the output of the malware when it hits your disk: it steals your browser cookie store, steals all stored passwords from your Chrome or Edge password store, it will grab certain files off of your hard drive depending on which malware it is. This is things like RedLine; RedLine's one of the biggest ones right now. So adversaries will go here. Now we're four levels deep; they haven't even tried to hack you yet, basically. They're just trying to find credentials for the easy way in.

Okay, level five: adversaries will now begin to try to hack you, and they will begin to look at known exploits, known CVEs, against your web infrastructure. This is when they actually have to do some work. Level five and level six are interchangeable. At this point they will move on to a custom phishing campaign to get access, if they think that will be fruitful for them. When doing a custom phishing campaign, you have two options when you phish people: either you can phish them with a man-in-the-middle popup, so you phish somebody and you pretend to be Microsoft or Okta or something like that, you say put in your Microsoft credentials, and you can grab their creds that way, and their cookie that way, if you can do a successful phish; or you can attempt to get them to open a backdoor file of some sort, which is really less likely today. A lot of the EDR, a lot of the email protection services are really good these days, so most of the phishing happens with the web popup, stealing-cookies type way.

Now if a phishing campaign or a known CVE fails, then they will move on to what we call N-day, which is basically they will look at CVEs in the market that have been published but never had exploit code posted to GitHub or anything like that. So like a lot of times, as a bug bounty hunter or just like a security researcher, I will go out and I will do some research and I will find a bug in something, Dell, and I'll find a bug in Dell and I'll report it to them, and they'll be like, yeah, we're never going to release the exploit code, thank you, we pay you a bug bounty, don't ever talk about it again, right? That's kind of the market. And so what Dell will do is they'll put out an advisory and they'll be like, hey, we had a really bad bug, it was in this product, you can patch your product now and fix it. But never will anybody have ever seen the exploit that I made, which is a shame sometimes. What they'll do is they'll look at those advisories and then they'll just do some patch diffing. This is the easiest way to do exploitation, to get really good bugs. So they'll look at the version that was exploitable, that I found, that I was looking at, and then they'll look at the version that is patched, and if the project is open source, or they can do a binary diff of the product somehow, or some reverse engineering, they'll figure out what I found pretty easily, because there's a difference in the code. Where, first of all, where did the code change? Okay, well, it changed here. Even if I can't understand what changed, I know now something did change right there. So they'll find my exploit, and now I don't just have the exploit, Dell doesn't just have the exploit, they have the exploit, and they'll use

that. The next level is actual zero-day. So this is where they'll target some kind of software that you have, and this requires either hardcore funding or hardcore skill, and so they try not to get to this level. But this is where they'll find a product that you're using that's widely deployed, and they'll attempt to do zero-day research, reverse engineering, on that product, break into it, no one's ever found this bug before, and they will attempt to use that as initial access. And the last way is actually insider threat or corporate espionage. The reason we put it at the last, or the bottom, level of kind of what they're willing to do is because there's a lot of opportunity to actually get attributed in level nine. Like if you do corporate espionage or insider threat type of stuff, like try to get an employee to give you access, it's easier to be attributed by security people, so it's way at the bottom. So this is how I believe modern adversaries work, and you can see that half of the ladder, half of the levels, they don't even really try to hack you; they just try to buy their way in, which is really interesting to me. So I designed a red team methodology around that stuff. Okay, so that's the red team part.

Now I'm going to talk about, like, what do you do if you're trying to defend an organization that's going up against kind of a modern adversary like this. So the first thing that a lot of the companies, when they faced Lapsus$, or a lot of the companies, you know, that faced some of these threat actors, these more modern threat actors, had to do was pivot harder to physical machines, right? Eventually we had to catch up in giving our employees who were going to work at home physical machines which were managed with EDR, right, antivirus software (fancy antivirus software does more than that, but still), or pivot to virtual desktops to ensure that the virtual desktop had EDR coverage. There was a lot more focus on privileged access management for different types of apps, and IAM as well, that organizations had to actually pay more attention to. And then the caveat here was that, like, there's some local laws for international companies that prevent EDR on personal machines, but some companies tried to give their employees access to personal antivirus for their personal machines. So they would give them a stipend, basically saying, here's 80 bucks, please go out and buy, you know, some commercial or some like user-based antivirus for your machine. But not all of them could do that, based on international laws.

So in the authentication realm, a lot of people had to make sure that 2FA was deployed everywhere, right? And there are like, you know, different forms of 2FA, but one is kind of like 2FA 2.5, which is the code matching and map that Azure will give you. So a lot of companies use Microsoft, right, and so you can add this level of two-factor authentication, which not only prompts the user when they log in for a number on their phone from their authenticator app, but also shows a map of where the login is coming from. And this will save you every once in a while. People will be like, hey, why am I getting a popup on my phone that says I'm trying to log in from Stockholm when I'm in, you know, Texas or Seattle or something like that. So another thing that people did was they upped and started paying attention to impossible travel alerts. A lot of people stuck impossible travel alerts in whatever product, or whatever, like, defensive product you use. They tried to, you know... eventually they got too noisy, so they started to deprioritize these alerts. Well, after some of these breaches, they started turning those alerts up and actually started paying attention to them. Microsoft Defender for Identity, people started turning that on real quick, and subscribing to E5 for Microsoft, 'cause like 80% of the world runs on Microsoft services. And then for MFA registration, which was one of the things

that happened in um in kind of uh this chain of hilarious events of um the lapsis people um and some other threat actors too following um they added registration to add a new MFA device to your account so let's say that you lose your phone or you need to add a new MFA device to your account um um in a couple instances the lapsis kids figured out that there was no security controls on like where or when you could do that just like if they got access to your Microsoft account they could log into the preliminary web portal and change the two-factor authentication device and then go to the VPN try to log into the

VPN and they had their own registered two-factor authentication device that was just a burner phone of theirs so there are some interesting ways to do this so you can basically set up a group um that allows MFA registration from any where but it's only for 30 days for a certain while so your MFA can only be registered for a certain set of time and based on a trusted Network so like your home network is known by Microsoft um you know based on your usage and so you could uh basically say only let them register a tofa device from that otherwise they have to call help desk and verify um you know some other way another way is um basically uh do

trusted location and conditional access on top of MFA registration um which is similar but different so the other way is just to use phto right so like a UB key or a hardware token um this is easier said than done though I think so a lot of organizations fall into this trap it's like yeah we'll just switch to phto and then you realize oh my God first of all like UB key doesn't you know like a UB key isn't um compatible with every piece of software right it's only compatible with 80% of your applications um in order to implement it um and then also to roll that out all at once is a giant pain in

the ass so um a really good friend of mine Clint Gibler did an amazing thread where he solicited I think 10 stories from cisos and um kind of blue teamers who had to implement phto in the real world in big organizations and kind of their gotas and so he did a Twitter Thread about it which is linked there if you uh if you decide to go that way the next kind of thing in the prevention friends kind of world is um Secrets management so like I talked about we're really bad at secrets in the Enterprise um and so not a lot of people actually have a dedicated Secrets management program here how many how many of your

organizations have something where um basically a whole team's job is to find secrets in the internal Network and root them out from code documentation yes I know youjr cuz I worked with you but yeah I mean so like anyone anybody have a team that does that kind of one two three yeah okay so only you know maybe the top 1% of organizations have a team that's supposed to do this we're really bad at it and so um at the place that Jr and I used to work we built the program um that did Secrets management and we broke it down into roughly four categories detect prevent respond and educate so in the detect portion you have to stop the bleeding

you have to to find everywhere in your organization where credentials API Keys certificates are being leaked in the prevent part you have to make sure your developer no longer commit those things after you've stopped the bleeding in the respond part you have to give them an option of what to do with those Secrets like Vault and then you also have to make sure that those secrets are being rotated via cred rotation policy and then you have to educate the entire organization about why you're doing this because otherwise they just hate you right developers hate you they're like why are you messing with our authentication methods the code that we have the creds that we're using
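The detect step described above (finding leaked credentials, API keys and certificates so they can be rotated) as an added example, not code from the talk or from the speaker's program: a small Python scanner run over a constructed config/runbook snippet. The AWS key is AWS's documented example value; every other value, name and pattern threshold here is made up for the example.

```python
"""Added example: the "detect" half of a secrets management program.
Scans text (code, docs, config) for the secret types the talk lists:
Windows creds, API keys, SaaS passwords, certificates/private keys."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detection patterns. The AWS access key ID format and PEM headers are
# public formats; the other patterns are generic heuristics for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret(?:[_-]?key)?|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})['\"]?"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]"),
    "windows_net_use": re.compile(r"(?i)/user:(\S+)\s+(\S+)"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
}


@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str  # never log the full secret; the owner rotates it anyway


def shannon_entropy(s: str) -> float:
    """Bits per character: repeated filler like 'xxxx' scores near 0,
    random key material scores well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Return one Finding per matched secret, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                # Last capture group is the secret itself (e.g. the password
                # after /user:NAME); header-only patterns have no groups.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Generic key matches must also look random; this skips
                # low-entropy filler placeholders (not every placeholder).
                if kind == "generic_api_key" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(kind, line_no, redact(value)))
    return findings


# Constructed sample input: a leaked config snippet plus a runbook line.
SAMPLE = r"""
# constructed sample: a leaked config snippet plus a runbook page
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export API_TOKEN='tok_9fQ2xL7mWb3zR8vKpY4sN6hJ1dC0aE5gU'
db_password = "Winter2024!"
api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"   # placeholder, skipped by the entropy check
net use \\fileserver\backups /user:CORP\svc_backup Backup#2023
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedkeybody...
-----END RSA PRIVATE KEY-----
""".lstrip("\n")

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```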

[inaudible] Yeah, yeah. So a lot of this defense stuff can actually be turned into offensive techniques. JR and I worked together, and I'm sure the program has matured since I've been there, I've been out two years, right, but what he's saying is they took the creds that they found via the stop-the-bleeding part and started putting them into their dictionary files. So when they were doing pen testing they would see if anyone had reused those credentials somewhere, whether there was a regression of that type of vulnerability.

So here's the type of things in secrets management that most of the time you want to look out for when you're building a secrets management program: it's traditional Windows creds that people share, API keys, SaaS usernames and passwords, and certificates.

Now some of the post-initial-access stuff. I ran into a team at HackSpaceCon or HackRedCon, one of the cons I spoke at, and I happened to hit this workshop called Attacking DevSecOps Pipelines. I didn't know these guys, and so I walked into their class, and gosh darn was it one of the most amazing classes I had taken in the last, I don't know, two years. I became fast friends with these guys because their whole class was about, after you get initial access, what do you do as a red teamer, and how is it different from what you've been taught to do as a red teamer. So Tom and Co bear from Accenture, formerly FusionX, we spent days talking about this. I took their workshop, combined it with a whole bunch of stuff that I had learned in my career as a red teamer and as a CISO where adversaries had actually hit me. If you want to take a screenshot or a picture of this slide, this is the one I would suggest taking a picture of, because I don't know if I'm going to release this; this is part of my red team methodology.

So what do you attack when you're a red teamer? Well, you attack knowledge bases: SharePoint, Confluence, MediaWiki, DokuWiki, Notion, TikiWiki, wiki.js. You look at dev and project management software: Jira, Trello, Redmine. You look at source code management: Git, GitHub, GitLab, Bitbucket, Subversion, CVS, etc. You look at repo management: Artifactory, Nexus, AWS package manager, Cloudsmith. You look at build servers like Jenkins and CircleCI, GitHub Actions, GitHub CI/CD, TeamCity, etc. You look at dev platforms like Octopus Deploy or CircleCI. You look at configuration management: Ansible, Chef, Puppet, configuration stores, IaC platforms. And then you also go after the secrets managers, so things like Vault, Azure key store, AWS Secrets Manager, etc.

The thing that all of these have in common is that when I'm a red teamer landed on your network, after I figure out initial access, looking at these things all it does is require me to go to a website. It's not like some service I have to log into; most of these have a web GUI in front of them, and so to the SOC that just looks like web traffic. Now, do all of your SOCs inspect every piece of web traffic that goes across the network? Usually not; they just don't have time, there are too many pieces of traffic going across the network. And so I will go to all of these things as a checklist if the organization has them, and I will attempt to see if they have misconfigured authorization to log into them. I will see if there are portions of the applications which don't require any auth. I will attempt to see if they're not updated, because they're websites and they might have security vulnerabilities themselves. And then eventually I will break into one of these places and grab more creds for me to pivot into other places inside of your network.

So a newer one that I have been loving: if you work for a big company, they're probably catching the AI bug right now, right? And so somewhere in your organization your data scientists, your AI people, if you've hired a power, are training your own model to do something. Now when you post-train an LLM you need a piece of software to harness the data and do the post-training on a computer somewhere. Now all of these web apps that do post-training for models are horrendously insecure right now. They're all open source; some of them don't require authentication at all, so you can just walk into them, look at what models the company's training, and then steal the data they're training on, which is everything: it's their logs, it's their documentation, it's their source code, whatever they're training the model to do. So this is actually a really great one for me in my red teaming practice: I will look for some of the open-source projects that they might have deployed internally to start building their own LLMs, and some of these have horrendously old web bugs because they're very new open source software, so like SQL injection, file inclusion bugs, server-side template injection, all kinds of web bugs. And eventually the goal is to break into the training application and steal the data it's training on, which is everything that the organization usually deems private.

Okay, so let's talk about exposure management. When I did the red teaming stuff for the last couple of years, I started off being like, okay, well, I've got sock puppet accounts into all these Telegrams and Discords and stuff like that, and it was cool for a little while. I started out with level one: I started out downloading all these torrents of breaches. The problem is, when you download breach data, first of all it's a lot of data, so you have to have a giant hard drive, and then if you want to index it in a database that's a whole project of engineering time, and it also takes a lot of bandwidth, and I have to keep up with the breaches. And I was like, okay, so I get a lot of emails, I get a lot of passwords, etc. But if you want to roll your own kind of exposure management system, the repo I recommend to start with is called Deep Dark CTI. Deep Dark CTI keeps track of breaches that happen to websites or ransomware data that gets published. They also keep track of the most prominent underground forums that exist on the dark web and give you the onion links for them. They also keep track of some of the Telegram channels that you can basically try to get access to. And so if you want to roll your own system, you can start at Deep Dark CTI and really get pretty far.

Now the problem is that that's a lot of work for a red teamer, and I had a small team, right? We only had three people at the time of building this out into our methodology. It was really hard because it was a lot of engineering work. Also, what happens in these breach dumps when you get them is they're all formatted differently, right? Someone breaks into a site and dumps the database; that database schema is different from another company's breach, and so you have to normalize and clean the data, which is hard. So eventually, I mean, we did this for about a year. Here is a list of the Telegram channels, like I said, on Deep Dark CTI. But eventually I outsourced this. I'm not here to sell anything, but if you want to know which platform I went with to handle exposure management and get the credentials to win in my red teaming engagements, you can come ask me after the talk, but I don't want to sell anybody on anything.

Okay, so architecture is pretty simple. A lot of people had to realize that their networks were flatter than they thought they were, and so they had to implement actual network segmentation and jump hosts for critical IT infrastructure or security products. This was a big one: some of the attackers in the last four years, their secondary or third pivots are actually attacking security software like Splunk or other things. They would target those because they have all the logs and they see all the passwords and stuff like that. And then also we'd have a whole bunch of internal infrastructure APIs to do certain things, like VMware or something like that, and so a lot of times on flat networks the access to these APIs that controlled your whole infrastructure would be out there, and they would find a cred and then just take control of your infrastructure through VMware or something similar. So you had to basically remove access to some of these more dangerous APIs that VMware offered.

So for the external infrastructure, this is harder; I don't have an answer really for this, right? So one of the answers is that most of these firewalls or SSL VPNs or pieces of infrastructure that attackers have pivoted to attacking because they're very frail, most of them are through web attacks, actually, web bugs. And so the first thing I think of is, okay, to buy us some time we can wrap our CDN WAFs around these things, right? So if you subscribe to an Akamai or a Cloudflare or another company that has an inline WAF that stops web attacks, make sure that these web apps specifically are covered by that, because it'll stop a small subsection of attacks. But other than patching really quickly, I don't know the answer to this question. These are zero days that are coming out; your teams end up just having to respond to these things.

Now one thing I really liked when I was at one of the companies I worked with was that we had a Slack or Teams channel, and a lot of people had access to it: developers, security champions, all the security teams had access to this channel. And when they thought there was something serious that wasn't being paid attention to, like an exploit that came out, because they're all watching Twitter, they all have their own feeds, whatever, they just dump it in the Slack channel, and then as a group we would decide, hey, do we action this? Sometimes the answer would be yes, and why the hell isn't anyone talking about this? And so the team would be like, yeah, we absolutely need to dedicate resources to patch this software across our whole org. Sometimes we would be faster than some of the patching cycles of the vendor itself, because it would take them weeks to put out a rolled patch or something like that, and we could do a virtual patch very quickly.

So other tips if you're involved in a type of breach like that: know your local FBI field office number so you can work with them. Share your threat intel with other people who are facing the same attacker or adversary, right? This was prevalent in a couple of my jobs, basically people sharing information, TTPs, IOCs, stuff like that. Then once you've faced the scenario, or preferably before you face the scenario, tabletop it. Make sure everybody knows what to do in the event of a breach, because you will get breached eventually; your organization will be hit by one of these adversaries, and it's no fun if you've never played out whose roles and responsibilities are what. It's very stressful.

And then one of the things about the credentials that I talked about: I have advised many companies to add leaked credentials to their bug bounty, even through third-party SaaS that they use, to add credential finding to their bug bounty and pay it at a reduced rate. So if a bug bounty hunter, who is presumably good-intentioned, does their own research and finds a cred of one of your employees out on the dark web, and they submit it to your bug bounty and it's valid and it works, pay them, right? Not like a normal web bug or exploitation bug level, but pay them at a reduced level.

That's it. If you're interested in talking about stuff more, or want to follow other content that we do, or are interested in the red teaming or training we do, that's my site, and I can take questions for the next 10 minutes. [Applause]

Yes, sir. Gucci bags, would you buy... how many Gucci bags did I buy? So I went for fake Rolexes. I have a fascination. There's also an ecosystem of how good the fake is for the Rolex too, which is really interesting to do research in. So yeah, that was my thing.

Yes, sir. Have you ever actually called the FBI number, and what kind of experience was that? Did they take you seriously, or do you have to be a big player, or a little mom-and-pop shop? So the question is, if you call the FBI numbers for your local field office for a cyber incident, do they take you seriously if you're a small company? I would say most of the time maybe. But a lot of times we would go with CTI or basically IOC data and stuff that they could use, and then they would take us more seriously. It's like, cool, you're trying to help the cause, you're contributing some data to this investigation that we already know about, because they're probably working on three other breaches that are happening just like yours by the same threat actor. And then once you're willing to share, then they're willing to share more, which was I think mostly our experience. You've got to have something to give them sometimes. Yeah.

Yes, JR. What do you find in the field to combat the emperor's new clothes... so the question is, I talked a lot about creds being bought on the dark web, and how do you combat that, because you already have 2FA and all the good stuff. So the exposure management part is really important. I think, like where we realized that secrets management was really important as part of a security program, exposure management is actually a place that I've told a lot of people to invest in. So I run with a vendor, I'll just say their name, I'm not trying to sell them or anything, I do work with them a lot: Flare. Their whole job is basically to sit on the dark web, to sit in those Telegram channels and WhatsApp channels and monitor credentials. So I put my domain in there and they'll tell me any time a new leak comes out on the dark web. Now there are several vendors that do this, like IntelX and a whole bunch of other ones too, but I think as part of your CTI team's job, exposure management should probably be one of their number one responsibilities these days. Okay, any other questions? Yes, sir. [Music]

So the question is that you know about and are able to patch and add security controls to about 80% of what you have as part of your attack surface, and then you don't know about 20% of what's out there, usually. And that is a very accurate statement: most organizations only know about 80% of their assets that are out there. So how do you reconcile that? Yeah, breaches do come from that 20%, right? If you cross-correlate things like critical bug bounty submissions to breach-type activity from threat actors against web apps, they do tend to target stuff that you forgot about, the lost and lonely toys in that 20%. So yes, it does come through there. How do you reconcile it? I mean, I'm not going to lie to you, right? If you're going to be a CISO in that seat, or a defender, you're never going to be 100% safe. You have to be ready for a breach; you have to have tabletops, you have to have runbooks, you have to have a security staff that's ready to deal with it. So there's no way to 100% protect. I think that the other pillar I don't really talk about in this talk is how I structure and prioritize the security program: asset management is my number one, understanding my attack surface so I can get down from the 20% that I don't know to 5%. Really important to me, maybe even 2%. It's still out there, yeah, but at least I might know about it; I might know a lot of it. Yeah.

Yes. Yeah, I haven't seen it. So the question was physical theft of devices, security keys, stuff like that. I haven't seen a lot of that in a lot of the breach research I've done. I mean, it could fit down there on the ladder where it's like corporate insider threat, or just following you to a coffee shop hoping to grab your laptop or something like that, but that is some hardcore, usually probably government-backed stuff if they really want to get access to your stuff and they're on that level. That leaves a lot of... there are a million cameras in the world, right? So someone can be attributed very quickly if they're going to that level to steal access to your network.

Yes, sir. So I mean the great services are Have I Been Pwned; Dehashed is another one that's a paid red teamer tool. Troy Hunt's Have I Been Pwned is amazing, so as an individual, go there, put in your email address, see what breaches you've been a part of, go to that site, audit what password might be in there, reset it, change it. That's the consumer way to do that. Now for the other stuff, there's not really a service that goes deep into the dark web. Troy's stuff is breach data that's probably level one or level two; it's not level three, level four. I don't really have a great answer for you there. I have some platforms that I can look at as a security person that tell me mine's in there, but I don't know as a consumer; I don't have a good answer for you. So cool, thank you very much, thank you very much. [Applause]