
Hello, hello, hello, hello. How are you guys doing? I think let's give an applause to the guys from BSides. We're probably going to say thank you to them later, but to the organizers and to everyone who's made the effort to present today: it's a lot of effort to be here. So, let's give a round of applause to them for making it a good day. All right. My name is Jaco. I'm not going to bore you with who I am for now, because there's Peter and beer waiting for you.

So, I want to start with a question. This next 45 minutes is going to be interactive. I've got a roaming mic. I'm not scared to walk up to you and put it in your mouth and ask you a question. But who of you have done a tabletop exercise before? At your work? Like 10%. Okay. Was it valuable? Mr. MWR says yes because he does it for payment. For anyone else, was it valuable? My issue with some of the tabletops we do is it's super fluffy. So, you start with: we've got an incident, no one can access any machines. Oh, wait. It's ransomware. What do we do? We plug out everything and then we go on with our lives. It's the same thing. It's that Mike Tyson thing. Someone said it earlier today, like you've got a plan until you get punched in the face. Same kind of thing.

So my hope with this session is to give you a bit more of an interactive tabletop, and the idea behind this is not to get the answers right, not to be the technically sharp one who can, I don't know, decode base64 on the fly, in memory, but to be able to think about options when you are in an incident. What do you do next? What do you spend time on? What do you spend resources on? And then also for you guys to go back afterwards, on Monday, go back to work and think, hang on, this that we did today, is this possible in my environment? Can this happen? If this would happen at work, or at a client if you're a consultant, how would you deal with it? Would you make the same decisions? Is it possible or not? So as I said, this is an interactive session. I need input from you guys to make this work.

So a brief background: you are a security analyst at the NTNECSA, that is the Not The Nuclear Energy Corporation of South Africa. I'd like not to get sued. You have an office-only security team with an IR retainer from an external company. So there's a few external companies here that do IR retainers. All monitoring of systems and alerts are done by the internal team.

So how is this going to work? Basically you'll get a brief to say this is what's happening, or this is what you saw, this is what's going on, and then you guys will have to choose what to do next. All right. So with those three options on the screen, let's practice this. What are we going to do? Option A, B, or C? Who votes for A? Okay. Who votes for B? Okay. Who votes for C? Okay. B wins. So, you've chosen democratically. Option B. We're doing B. Ah, well done. Give yourself a round of applause. That was a good choice. Okay. Are we ready to start? You get how it's going to go. I need input from you guys. I need interaction from you guys. I've got the roaming mic, so just shout out stuff. And here we go.

So remember, you are the security analyst. You've got a retainer, so we can go IR if we need to. So we'll start with this. It's Friday. It's 3:00. All right. The phone rings. The dude says, "I just forwarded an email to you." What do you do? Close laptop and run? You forgot about that 12-hour solo hike you were going to do in the Magaliesberg, so you decide to start that now. Or you sigh, you cry and you read your email. What do you do? Close laptop and run. Okay, some people are honest. And then sigh, cry, read email. Okay, cool. We read the email. Fine. Obviously you read the email.

Okay. So, at the NTNECSA, we've got a new detection engineering team that started recently, because we've been attending things like BSides Joburg and Cape Town and Oaks Coffee and whatever. So we've now listened, we've now learned that we need this type of department. So, people need to look at how we can configure more rules. So, this team built a couple of rules.
And one of the rules they built triggered an alert last week on a server, with that command there: net user chungsum something something /add, net localgroup administrators chungsum something something /add. All right. Does someone want to shout out what that does? Create a new admin user. Is that the official stance of Orange Cyberdefense, or... I'm confused. Okay. So basically they've got a rule. They're checking net user commands. They've seen this. They've sent you an email. What do you do if you see this? Option one, call IR. Option two is the Monday option. That's the one where you have stuff to do on the weekend like normal human beings. And number three is you send it to the SOC. You hope they're still in the office to start investigating. So let's vote. Who's going to call IR on this? The IR retainer companies put up their hand. What's next? Who's going to wait until Monday to deal with this? Do you want to tell me? All of you are going to look at this now? It's Friday afternoon. Okay. So that leaves the last option. Everyone's saying SOC. We need to investigate. Yes. Huh? Bunch of freickies. Okay, cool. We're going to the SOC. Oh, what's that? It's a QR code. Do I need to wait? Can I scroll?
I don't know. Okay, so let's find out. Okay, cool. So, we've got a server. We'll refer to this as the 317 server while you look at Rick Astley singing to you. Yes, there we go. So, okay, cool. So that's what we need to investigate. The server we're looking at is something called ZANECSRV317. Just for short, we'll refer to that as the 317 server. And we see that command. So that's what you have to read in your email. We're going to look at it. How are we going to look at it? Options that we've got: we can call the server owner and ask him, "Dude, is this you? What's going on?" Or we can network quarantine that box out of an abundance of caution. Or we can go and look at the process tree for those commands. Who wants to network quarantine the box? Yes, it looks bad. What is chungsum? Who's chungsum? Okay, cool. We can ask that question again. Who wants to look at the process tree of those commands? A couple. Unconvinced. Who wants to call the server owner and ask him? Is that it? Server owner. Okay. The CEO of SPO says we need to do it, so I'll do it. I need to check which other consultancies are here that I can call out. Okay, cool. So, what did he say? Call the server owner. Cool.

We call the server owner. He's quite happy that we called him. He's very interested in his own stuff and really wants to know when something bad is going on. So we call him. He's happy. He said he'll speak to the team to see if it was one of them. But then he also concludes the call saying, "Listen, dude, it's late on Friday. My team is probably all over the show." So, not much from there. Okay, cool. So, what else have we got? Process tree review. What would have happened if you network quarantined that thing right there, right now? The ones that put up your hand: if you just network quarantined that box, it would have been cut off the network, I guess. But the repercussions: would you have gotten a Takealot voucher on the Monday for taking proactive action? No. You would have probably caused some production impact and had some angry service owner finding you, like, why is my thing not running anymore? Okay, so we dodged that bullet. Well done.

All right, so we do a process tree review and we see this. I'll give you a sec to look at it. There's something called Nexa user manager.exe which spawned cmd.exe and then added users. That's interesting. Okay, the keen eye would notice the username has changed now, but don't worry about that. A bit late on a Saturday. Just look at me. Follow me. I've got you. All right. Cool. So basically what we've got from this is this weird exe. Well, maybe it's not a weird exe. Maybe it's a legit process. We've got an exe that's running net commands. What do we do with that exe? I've got options for you. Okay. Upload it to VirusTotal. Reverse engineer it; we are the crème de la crème of the South African cyber security community in this room, I hope we can. Or we're going to check the org prevalence. What does that mean? We go and we check where else in the organization this thing is running. Cool. Who wants to upload it to VirusTotal? Cool. Nice. Who wants to reverse engineer it? Okay. There's some country skills gap there. And then check organizational prevalence. Cool. I think VirusTotal wins. Okay. Cool. VirusTotal it is.

We take Nexa user manager.exe and we push it to VirusTotal. What's going to happen when you upload stuff to VirusTotal? Everyone is going to see it. So some keen researcher out of the US picked up this interesting file that was uploaded to VirusTotal and he writes his little report, and it gets picked up by BleepingComputer, and the headline in BleepingComputer is now "nation state threat actors targeting southern Africa", because someone picked up the exe on VirusTotal and they were able to reverse engineer it and they saw the links to NECSA there. Not good, not great. Now you've got management on your back because this thing has been published. Jan Vermeulen from MyBroadband just phoned the CEO for comment. And now you need to deal with that as well. All right. Okay. With that in mind, shame on you all. Shocking. What do we do? Do we go check organizational prevalence, where else this thing is in the organization, or do we reverse engineer it to see what it does? Organizational prevalence. Reverse engineering, that guy.

Like, who of you have been on an incident call? Who's been on an incident call? Yes, you guys have got fluffy jobs. What do you do when you're on a proper incident call? Decisions usually aren't made like, what is the best thing to do? It's like a guy like that joining the call suddenly and with confidence saying "reverse engineering", and everyone keeps quiet. So we're going to do reverse engineering now, because someone said it with confidence. Cool. What happens when you suddenly want to reverse engineer something in your company? Huh? So Jeff, who did a course on Udemy 3 years ago, takes two days to get his VMs back up and running and install everything and get stuff. And now he goes to the AD team: can you guys give me a Windows license, because this thing expired? And then two days later he comes back with nothing. Who of you guys are comfortable that your teams can reverse engineer proper, I don't know, let's call it malware, not the red team stuff we see in the country from some misgrown companies, but proper stuff? So just think of that. What is the plan? What is the plan for you? If you see something on the network, are you going to VirusTotal it and that's it? Or do you have a retainer with someone proper, where hopefully your analyst's name starts with Vladimir and the surname rhymes with Lostto, that can pull the stuff apart for you? Okay, it's not going great.

So let's check the organizational prevalence. This one I would scan if I were the scavenger hunt type. Okay, cool. So, you search the thing. You search for Nexa updator.exe. Where'd you find it? No way. Okay, what's next? So, three options for you guys. We can do a RAM dump of the server. Who wants to do a RAM dump of this server to analyze what's going on? Again, the confident guy. We need to either have someone mute him on a call or get his line manager to ask him to go do his work. Second option is proxy logs. Who wants to look at proxy logs relating to that 317 server? No one. Someone has dealt with proxy logs. Yes. Friday. So the other option is to look at the account activity of the account that was created. Okay. Yes, confident guy. Yeah, summoned. That guy is a CISO. I think he knows what he's doing. So we'll do it. Okay, everyone happy? Account activity. So, basically, we want to go check what happened when this account was created. Remember that stone now stuff? Just forget about it. Okay, happy days. All right, what do we see?
What do we see? So, shortly after this account was created with some net commands, a file called word.exe was created in the Downloads folder of that server. Someone was smart enough, although your track record says different, but someone at least was smart enough to go look up the hash of that file. And this is AnyDesk portable. Who does not know what AnyDesk portable is? Or AnyDesk? Who knows what AnyDesk is? Let me do that inverse. Sorry. Yeah, you'd better put it behind you. Okay. AnyDesk is a remote management and monitoring tool. All right. So, three options. We can phone our server owner and check with him.
"Listen, dude, why are you guys running AnyDesk?" Or we can network quarantine this thing. Or we can call in IR. The retainer is written. They're happy to trigger it. Just say the word and the money starts rolling. So, check with the server owner. Who wants to phone the server owner and ask, "Listen, dude, are you guys rolling AnyDesk?" He's on weekend. His phone's off. Then you deal with the escalation framework. You find his boss. Network quarantine. Who wants to network quarantine the thing? Four of you. And who wants to roll IR? Jeepers. IR. We're going to do IR. Yes. Someone said yes, from that side. Cool. We roll IR. We get our expensive dollars out. We hope our break-glass accounts were created and that they've got access. So what happens if you phone?
They're going to ask you, what are you doing? There's AnyDesk. Have you read any threat report in the last three years where AnyDesk was involved? This is ransomware. This is nation state. This is bad stuff. And you haven't quarantined it. Shame on you. So, you bow your head in shame. You walk back to your keyboard and you go to quarantine it. Thank you. All right. Cool. So, we've got one thing that took us 15 minutes. The country is in decent hands. I don't know if China's got decent IR people. So, we've got AnyDesk. That's what we've got. This is where we are. We're going to go IR.

Right, to recap: we've got those net commands, we've got AnyDesk. What do we focus on? So, two things. So the server is compromised. Do we want to see how it got compromised, or do we want to see what he did on that server after he compromised it? So who wants to see how he got onto that server in the first place? Three people. Who wants to see what he did after he got on? The majority rules. So everyone... Dennis, do you want to say... do you want to what?
Sorry, your line is very bad. You're breaking up. We'll just drop and join back on the call. The team has made a decision. We're assigning resources. So there we go. Majority rules. Have you been on an incident? Often times majority rules, or the loudest person rules. This is legit. Go think of it. Go think of the incidents you've been on, or the MIMs you've been on if it's just technical issues. It's not usually sound reasoning that wins. It's the guy that's confident, that did a CISSP 10 years ago. Okay, nothing wrong with a CISSP. So it's usually the guy that's most confident that everyone just goes with, because someone might be too scared to raise his voice. So just think about how you deal with that.

All right. So what did the TA do on this prod server? We've got options. We can review the AnyDesk logs. We can review command and scripting activity on the box, or we can pull a RAM dump. RAM dump. RAM dump. I've got RAM dump. RAM dump it is. We're doing a RAM dump. Sorry, ma'am. Please wait. Put up your hand on the call if you want to say something. Okay. What happens when you do a RAM dump? Freaking nothing. Who of you guys have been able to do a RAM dump in your organization and actually got something from it? So the hot IR companies are saying, "Yeah, yeah, we do it all the time." So this is also something to go think about. I think someone spoke earlier about some of the forensic stuff, and it's like, "Okay, cool." Because you might not want to switch stuff off, because you want to secure volatile information. Jason there at the back is probably dying inside because of what I'm saying now. The SANS faculty will reject all my certifications after this. But just go think of it. So number one, how do you do a RAM dump of an enterprise server that's running 128 gigs of RAM? Where do you put it? So EDR tools can do RAM dumps. But secondly, who's going to run it for you? Is it Jeff who did reverse engineering on Udemy? Who's going to fire up Volatility and point it against this thing and try and do it? Have you tried it? So maybe Monday go back, go do a RAM dump of a server and go try and analyze it with the tools that are there, and just get that practice going, because the last thing you want is to take 12 hours during an incident trying to do a RAM dump and you get nothing for it. Okay, RAM dump: bad idea. Shame on you at the back, person.

Okay, I heard AnyDesk log files. Who wants to look at the AnyDesk log files? Dude with the cool hat and people in the light. Or review command and scripting activity. Hey Jason, are you just waving or do you feel passionately about doing something? As you'd see, we're listening to our young analysts and we're doing AnyDesk. Cool. So you look at your AnyDesk logs, as Jason has to go outside and smoke just to get his bearings again from all the crap you're doing. So, AnyDesk log files. Anyone wants to tell me what's happening there on screen? Why? No. Well, yeah, maybe. Was there no internet then as well? Maybe someone in your team was smart enough to go and block the category on your proxy to block remote access tools. You know you've most likely got such a category on your proxy, that you've got to say block AnyDesk and TeamViewer and whatever if you don't use it. Cool. This is actually pretty good news. RAM dump we've done. So this is what we've got. Command and scripting activity. Everyone happy? Cool. You go and review command and scripting activity for that server based on your fancy logs that you've got. And you see that. What does that do? Anyone wants to shout it out? Of what? Archive of what?
Project Ukutulla. Cool. So, someone ran a command in this time frame of stuff we're looking at that created an archive in Project Ukutulla. It's most likely that user that was created, looking at the path. Happy with that? I'll take that. So, what do you do next? So, someone created an archive. Boohoo. Do we continue reviewing scripting activity? There might be some more goodness there for us to look at. Do we review proxy logs for C2? Everyone loves to find C2 and DNS traffic. Or do we extract and review what is in the files.zip that was just created? Who wants to continue reviewing command and scripting activity? Cool. Some of you. Who wants to do a review of the proxy for C2 traffic? All the red team people are like, "Yeah, C2, C2, go find the C2." Or extract and review the files in the zip. Who wants to check that? This is too close. But I mean, his hand is staying up. We're probably going to do it. I can't see that far at the back. Cool.

So, we extract and review the files in the zip. We want to know what is being archived. Is this weird or not? Uh-oh. Uh-oh. You find confidential data above your pay grade. You suddenly learn that NTNECSA is running something called Project Ukutulla. Something something nuclear weapons program something. You ask management, and now they've just brought in a bunch of lawyers to give you a pack of NDAs to sign, because you just learned about this project that no one should know about. Does this create a different angle on the incident you're dealing with, when you find out that your company that's only supposed to be doing nuclear medicine research is now doing something else? Who would maybe want to go after us if we're looking at nuclear weapons programs and stuff? Anyone? IPD. Which ID? Oh, the US. Okay, that was it on my bingo card. Who else? Iran. Okay, maybe Iran. Yeah, North Korea. Maybe, anyone, maybe. Okay, clearly no threat intel people in the room. We'll continue.
Okay, cool. Happy days. So, what now? Back to command and scripting activity, or C2 traffic? Command and scripting activity. Yes, C2. Okay, I think it's command and scripting. That's a clear one. Cool. We go back. Ah, we find this command in there. Anyone wants to shout out what it is? Data exfil. Well done. Data exfil to where? To Box. What is Box? The thing you shouldn't be... No. Bad joke. Sorry. Okay, we've got data exfil. So, someone is uploading files.zip to a Box file. What does it mean? What does this mean? Because we clearly have the special class in the room, I'll help you. Cool. What do you do? You check with the internal Box team. Luckily, you know, we use Box as an enterprise to do stuff. So they tell you, hang on, that's actually our Box account there. We've checked it, and they go and check the folder and they see someone was able to add an external share to that folder with that email address. Just before we pivot, is this a crisis or not? Is this where you phone the CEO and the media relations team for a holding statement, and legal? Yes. No. Something to think about: when in your incident process do you escalate? When in your incident process do you phone the CEO and say, listen, you need to be read into something that the SOC is dealing with?

Cool, so we've got that. We're going to move over to what someone there wanted to do earlier, which is to look at how the threat actor got onto the server in the first place. Cool. So as a recap, we've got AnyDesk and user accounts being created on that 317 server. We've got data being exfiltrated to Box and then shared with an external party. So I think we can assume at this stage that that is gone. Someone took it. Project Ukutulla is in the wind. Not great. Not great. Cool. How are we doing? All right. We're going to move along swiftly. Okay. So the next question is, how did the threat actor get onto that 317 server? Options: digital forensic analysis; do you want to check firewall logs; or do you want to look at Windows security event logs? Windows security event logs. Some people, firewall logs; digital forensic analysis. Some people at the back say digital forensic analysis. We shall do digital forensic analysis of that server. Cool. We find Jason. Like, Jason, can I borrow your EnCase dongle, please? So then your digital forensic team comes back and says, listen, hang on, what do you want us to look at? Or what? Okay, incidentally I know a guy called Lucas who does digital forensic analysis. So Lucas was nice enough to pull us the security event logs from the server.

Something to think about Monday: if you want to do full-on forensic analysis of a server, what do you do? Number one, who do you phone? Do you have an internal team? Do you have an external party that's going to do it for you? How are you going to do it? Is it VMware stuff, are you going to do snapshots? Is it on-prem stuff sitting in a data center somewhere that you need like three lines of paperwork to get into, to go physically plug in a hard drive and image it? Think about that. How do you do that? Can you use the backups from your backup system, a snapshot from that, to analyze it?

Cool. We're going to look at event logs now, because that's what the digital forensic team says we can look at. So, Windows firewall event logs on the box, terminal services event logs on the box, or security event log. Security event logs. That's the majority. We'll do security event logs. So, Windows security event log it is. Here we go. What's going to happen? Any ideas? Nothing. Anyone? We've got six hours' worth of event logs on that server, and Lucas tells you, look dude, I can't do magic. If the data isn't there, it's not there. Who of you have checked your Windows security event log file on the server recently, in recent years? Anyone? In some cases you've got like 45 minutes of data, due to retention policies and how noisy that Windows security event log is. Nothing. So something to check, unless you're pumping all those security event logs into the SIEM, if you've got Microsoft money. Okay. What else? Firewall logs. Windows firewall event logs or terminal services? Terminal services. Two, three guys. Firewalls. Firewall logs. What? Like a bunch of old people want to look at firewall logs. Okay. Firewall logs. What do we find, like usually, with firewall logs? Okay. So, that leaves us with the terminal services log. What would be in the terminal services log? What is a three-letter acronym? Huh? RDP. It's not a house. You get remote desktop. Well done, guys. Well done.

So, cool. We've got an RDP event log event. Someone RDPed onto that box from that IP address. You've got an IP address. What is that? A public IP address or a private IP address? Yes, it's a private IP address. Cool. So, you've got an IP in your network. How do you know what that is? Do you check the CMDB? Do you look at DNS logs? Or do you do what every Splunk admin wants to kill you for, and do index=* and that IP address? Who wants to check the CMDB? Oh, at least nobody tries the CMDB. Well done. DNS logs. Who wants to look at DNS logs? Some people. Who wants to do random Splunk searches? Okay, there's like two people that want to do Splunk searches. There's like three people that want to do DNS logs. We'll look at DNS logs. Did you really think we've got DNS logs? Who's got DNS logs? No one. If you've got DNS logs, you're probably, I don't know, Investec Private Bank or something. I should have asked, is there anyone from the SARB, the Prudential Authority, the Information Regulator in the room? Okay, too late. Anyway, okay, cool. So, that didn't work. CMDB or Splunk searches. Splunk searches. Yes, Splunk searches. Here we go. Can you believe that worked? Unfortunately, to the detriment of everyone wanting you, the analyst, to do proper analysis, they just go put in a bloody IP address and they find the data. Okay. Basically they found that IP address is linked to a server called Mena server 07.

All right. So this is what we've got. We've got options. We know someone RDPed from Mena to the 317 server, and then the bad stuff happened that we discussed earlier. Okay. Happy days. What do we do on Mena? Do we go play around with the EDR on it? Do we phone Mena Charlie and ask him? Or do we do another general SIEM review for the Mena server logs? Who wants to do an EDR scratch around? Okay, some of you. Nice. Who wants to phone Mena Charlie? Someone at the back. Who wants to do a general SIEM log review for Mena? I think that's a majority. That's a majority. Okay, cool. Happy days. We'll do a general SIEM review. Sorry, nothing. Just think about that. You're going to an analyst and telling them, listen, go log into the SIEM and go find me malicious activity for the server. Does that work? That hardly works. Someone has to go and stumble across something. You need to be specific. Okay, so that leaves us with phoning Mena or EDR. EDR. EDR it is. Well done. Cool. What have we got? So now you've RTR'd or live-responded or whatever EDR you're using to Mena. What command are you going to run? netstat, ps or cat? You can't do all of the above. You are a very poor analyst. You need to do one thing at a time. Who wants to do netstat? ps, some of you. And cat. Cat. Someone shouted cat. We're going to do cat. What will, shouting person, what will cat do if you run that on a Linux box?
So, let's test if the connection works. Sure. That's not what it does. It just shows you user information on a Linux box. So, cool. That again: netstat, ps. netstat. netstat. What's netstat going to show us? Network connections. All right, we see this netstat. What's happening here? Anyone? It's connecting to an AWS EC2. That's interesting. Okay. Maybe, I don't know. And what process is connecting to AWS? Python. So, we'll just do ps as well. And ps shows us this. Okay. Who wants to put two and two together?
So, well, there's a... Oh, that's a bunch of allegations there. Okay. So, some dude says reverse shell. Well, what I will give you: we've got a Python file running on a box, and it's going to AWS. Looks a bit odd. I think we need to look at it in the collective 9 minutes we've got left to solve this incident. Okay, cool. What now? What do we do with that Python file? Do we manually review it? Do we phone Mena and ask him about it? Or do we upload it to VirusTotal? VirusTotal. Now you're scared of VirusTotal. Who wants to review the healthcheck file? Yes, bunch of coders. "I understand Python. I can look at a file and just see bad stuff." Health check. Health check. Health check beacon, or bacon if English is your second language. So what does that do? This is a Python reverse shell thingy. If you upload it to VirusTotal, VirusTotal would have told you it's a Python reverse shell, but now you're scared of getting in trouble with management. Okay, what do we do now? I just told you what's going to happen with VirusTotal. So, we're going to phone. Everyone happy? What do you want to ask Mena? Anything else? "There was a health check on your server." Basically: my bra, I don't know what this is. This does not look right. Okay, cool. So, this is what we've got. We've got a compromise of the Mena server, and then that likely led to RDP to whatever. Do I have five minutes? No, I don't. You haven't. You've got to answer the next question, you with the time, person. Okay. So what else do we do? We're going to send the Mena server to forensics, just because Jason opened today. I felt we need to honor the forensic fraternity in the room. So we're going to send the server to forensics.
Some say we are still waiting for them for feedback. But legit, go think about it. How long is it going to take someone to image a server? What are they going to do? Here's another option. Let's go check the environment for that 13 IP address. That's the IP address of the EC2. Good idea. Yes, you get lucky or not. This is sometimes fun. This happened once to me, when you've got too much access and you can search everything. This is a bad idea. Anyway, so you go search the IP address across everything you've got, and you find an email that says, "Hang on, this alert for your GitHub Enterprise account: someone just logged into your organization from this 13 IP address." That looks dodge. Dealing with the log of the team, you figure out that that authentication to GitHub was via a personal access token. Who of you guys use GitHub in your organizations? Everyone, stick up. Who of you guys allows your devs to have personal access tokens into the repo? You don't have to put it up. You're going to get hacked. Something to go think about. How are those personal access tokens managed? If someone gets their hands on it, can they log into your enterprise GitHub? All right. We've got three things to do. We've got six minutes. Oh, two. I object, your honor. Okay, we'll do it in two.

Okay. So, what else can we do for that 13 IP address? We'll finish this. Don't worry. I won't leave you hanging. What can we do? Do we put in restrictions on GitHub to prevent access from that certain IP? Do we log an abuse complaint with AWS because we're very, very angry? Or do we investigate where else this IP touched the network? Who wants to put IP restrictions on GitHub? No one. You're scared of your devs, huh? Who wants to log an abuse complaint to AWS? You don't trust the system. Okay. So obviously we're going to investigate where else this IP touches the network. Yes, happy. We're going to do it. So you dust off the SIEM. You log in. You try three times, if you forgot whether it's your user number or your email address to log in. You get in. What do you find? Jump. Someone logged into the organizational Jira account with that same IP address. Huh? Cloud services coming to bite you. You cannot believe you're lucky. You just found something. You walk out. You go play the Lotto at the café and you come back and you continue your analysis. What do you do? You've got one minute to solve it. The CEO is going to join the call just now. He wants an update from you. Do you investigate what the IP did on Jira, or do you look into the account with which it logged in? Account. Someone said account. It was a very nervous "account". Let's do that. Okay, cool. Almost there. That's interesting. It used a legitimate account. This guy called Jimmy. You speak to Jimmy. He says, that's my account. Wasn't me. That's interesting.

We're going to investigate what the IP did on Jira. So, you find your Jira team. Has anyone dealt with their Jira team? So they keep you awake for 45 minutes watching the guy sharing his screen, trying to go through audit logs. Eventually it usually ends with, just export everything, give it to me, I'll go look at it. You go look at it. You start your own analysis and you realize the Jira logs don't help you much. What else can we do? Next. Next. Thank you. So we know someone accessed Jira from that IP address. Two things left to solve this investigation. Then you're free for alcohol and pizza. Do we investigate Jimmy's corporate device or do we call the threat intel team? Jimmy's device. Two people. Threat intel. Okay. I don't know what's easier. Jimmy's device. We tell Jimmy we want to investigate your devices. He gives us a lot of stuff, like a laptop and a phone and a desktop and two servers and whatever. Everyone digs in. What do we find? Nothing.
Eventually, sanity prevails and we find a threat intel team. They rock up with their Scooby-Doo mystery van. They're going to search the dark web for you. What do you think they find on the dark web to Jimmy? Any idea? Shout it out. Compromised credentials. Yes. Can I have a round of applause for compromised credentials? What is this? Stealer logs for Jimmy Stonehous's accountum. But hang on, final twist. What's the host name there? House of Stone PC. Is that our corporate machine names? No. You phone Jimmy. You ask Jimmy. Jimmy, what did you do, dude? What? What? What? Jimmy. And Jimmy says, um, uh, I don't know. You asked Jimmy if he logged into Jurro from his home PC. Jimmy's like, "Uh,
no." And then you go see you need want to test if you can login external but you can't. So let me ask this question. Million dollar question. Let me stop. So it's Jimmy's private machine that was compromised. His corporate credentials were on there. He did not use it. Wait. How did Jimmy's corporate credentials get onto his private machine? Any ideas? Well done. Well done, sir. In the light. Can't see you. Hope you're good. Well done. Organ credential syncing via Google Chrome. Your Gmail account is signed into your um organizational laptop. You save um passwords in the browser. It syncs home. Your son comes to you and say, "Dad, GTA 5 is out. Um, I can get
it online. Um, just help me install this crack and you help him install this crack and it infects the machine with TML and it goes extracts all the safe passes from the browser. And with that, we've got two questions. One we've solved and the other one I'll give it to you because Jared is going to kick me off in the next few seconds. You had a white list for Amazon AP IP addresses on your Jira. Everything else was blocked, only Corp IPs, but someone whitelisted all the AWS ranges. That's how the threaders got onto the Jurro with the EC2. And with that, we are done. Go home, go think of this on Monday in your
organization. Can this work in your organization? What do you need to detect it? What do you need to investigate it? is any of this viable and then go speak to your people and think how you can remediate for this. Thank you very much. [Applause]
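Two of the steps in the talk are mechanical enough to script: pivoting one source IP across every audit log you hold (the SIEM search that turned up the GitHub and Jira logins), and checking whether an IP allowlist on a SaaS tool has quietly been widened to cover whole cloud provider ranges (the Jira whitelist twist at the end). The following is an added example, not code from the talk or the speaker: the audit events, the corporate range and the "AWS-style" prefixes are all constructed placeholders, and the field names are assumptions. In a real environment you would feed it exported GitHub Enterprise, Jira and VPN logs, and load the provider prefixes from https://ip-ranges.amazonaws.com/ip-ranges.json instead of the two stand-in prefixes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample audit events (not real logs). One record per login across the
# three services the investigation touched. Field names are assumptions.
# 13.51.0.10 stands in for the attacker's EC2 (the talk only says it began with 13).
SAMPLE_EVENTS = [
    {"service": "github", "actor": "jimmy.stonehouse", "src_ip": "13.51.0.10",
     "detail": "org login via personal access token"},
    {"service": "jira", "actor": "jimmy.stonehouse", "src_ip": "13.51.0.10",
     "detail": "login succeeded"},
    {"service": "jira", "actor": "jimmy.stonehouse", "src_ip": "203.0.113.25",
     "detail": "login succeeded"},
    {"service": "vpn", "actor": "alice", "src_ip": "198.51.100.7",
     "detail": "tunnel established"},
]

# Corporate egress range (RFC 5737 documentation address, an assumption).
CORP_RANGES = ["203.0.113.0/24"]

# Stand-in for "all the AWS ranges": two placeholder prefixes, NOT taken from AWS's
# published list. A real check loads every prefix from ip-ranges.json.
AWS_STYLE_RANGES = ["13.48.0.0/13", "52.0.0.0/8"]


def pivot_on_ip(events, ip):
    """Return {service: [(actor, detail), ...]} for every event from the given source IP.

    This is the 'search that IP across everything you've got' step, done offline
    over an exported event list instead of a SIEM query.
    """
    target = ipaddress.ip_address(ip)
    hits = defaultdict(list)
    for ev in events:
        if ipaddress.ip_address(ev["src_ip"]) == target:
            hits[ev["service"]].append((ev["actor"], ev["detail"]))
    return dict(hits)


def allowlist_match(ip, allowlist):
    """Return the first allowlist prefix that admits ip, or None if it would be blocked."""
    addr = ipaddress.ip_address(ip)
    for prefix in allowlist:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


def overly_broad(allowlist, max_hosts=1024):
    """Flag allowlist entries larger than any corporate egress range should be.

    Whole cloud-provider prefixes admit every tenant of that provider, so an
    attacker's EC2 instance passes the same check as your own office.
    """
    return [p for p in allowlist if ipaddress.ip_network(p).num_addresses > max_hosts]


def foreign_logins(events, corp_ranges):
    """Return {actor: sorted list of non-corporate source IPs} for the 'was this you?' calls."""
    nets = [ipaddress.ip_network(r) for r in corp_ranges]
    result = defaultdict(set)
    for ev in events:
        addr = ipaddress.ip_address(ev["src_ip"])
        if not any(addr in n for n in nets):
            result[ev["actor"]].add(ev["src_ip"])
    return {actor: sorted(ips) for actor, ips in result.items()}


if __name__ == "__main__":
    suspect = "13.51.0.10"
    print("services touched by", suspect, "->", pivot_on_ip(SAMPLE_EVENTS, suspect))
    strict = CORP_RANGES
    widened = CORP_RANGES + AWS_STYLE_RANGES
    print("corp-only allowlist admits EC2?", allowlist_match(suspect, strict))
    print("widened allowlist admits EC2 via", allowlist_match(suspect, widened))
    print("entries too broad for a corp allowlist:", overly_broad(widened))
    print("accounts seen from outside corp ranges:", foreign_logins(SAMPLE_EVENTS, CORP_RANGES))
```

Running it shows the attacker's EC2 address appearing in both the GitHub and Jira events, being rejected by the corporate-only allowlist, and being admitted the moment a provider-wide prefix is added; `overly_broad` is the check to run against the allowlist on a schedule, since the mistake in the talk was a configuration change rather than an exploit.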