Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/489 Thanks!

Good evening, everybody. The next talk is on "These are not the APT reports you're looking for". We will be hearing about the bad guys on the Internet, how they are behaving and how they are changing their behavior when we look at them, to improve the defending against them. And here we have Inbar Raz and Gadi Evron, I hope I pronounce it correctly, who will give us an insight there. The stage is yours. Thank you.

And play. Guys, has it started? Well, we started anyway. While they fix that, Gadi, feel free to help them. Welcome to our talk called "APT Reports and OPSEC Evolution, or: These are not the APT reports you're looking for". This is actually not the first time that I started talking without my presentation, so this is not at all exciting for me.

Basically, what we're going to talk about today: we're going to talk about how APT reports mostly are beneficial not to the defenders, but actually to the attackers. Now, when we say defenders, we're not talking about fellow malware researchers. These guys, they know their business. They've been doing that for a while. They're very technical. By the way, this presentation... Oh, thank you. This presentation is not technical. If you're looking for, you know, IDA screenshots and stuff like that, it's not that. OK, I'll walk away. Now, if you're looking for kernel shellcode... Yes. Malware researchers, you guys can go to the encryption talk. So. Yeah, I know. I can see that. Thank you. So these are not the APT reports you're looking for. Quick introduction: I'm Inbar, this is Gadi. That's about it. And why are we here?

So I used my time without the presentation to say that we want to simplify the attack process, OK, and demonstrate the evolution of various factors over the years and suggest ways to close the gap. We're going to stipulate that there is a gap, an information gap, between the attackers and the defenders. And while I let you start, there's just a little tradition that I have over the years. I'm going to take my shoes off. It makes me feel more comfortable. And it started with David, with Kaspersky. He'll be watching that. So, David, this is for you. That's everybody watching Inbar take his shoes off; you can look, he is hiding behind the podium.

So a little disclaimer: we're Israelis, so last year when I was talking with Tillman, I interrupted him. We talked together, but essentially I need to do a disclaimer that as Israelis, we interrupt each other. We're not actually fighting. OK, as a disclaimer, just so you're ready for that, or at least that's the story. That's what... that's my claim and I'm sticking to it.

So let's play a little bit of story. We're going to get into several stories and several examples about APTs and their evolution, how we can counter that if we believe we should. But before that, a couple of examples for what we are... essentially what got us interested in doing this stuff. So we always had moer. That's the beginning of cyber. We can agree to that. But then we had APT1. And on the one hand, as a security guy I said, what, what, what? I know this is happening; why is this such a big deal? Why is it in the press everywhere? But everyone was cool. It was the first time that an attacker or threat actor was fully compromised. They showed everything. Everyone was caught with their pants down. Essentially, they even showed a picture of their offices. That was pretty awesome. And they changed how we see things, because now we actually had proof this was going on.

And it actually affected the bad guys, but they were not alone. They were not alone in finding out their entire infrastructure is now gone. And what are we going to do now? Oh, my God, it's going to take us... Now we have to come back and build back our entire infrastructure, and all our new Trojan horses are gone, and the vulnerabilities and everything. But then there were also other campaigns. Stuxnet. As compared to Flame, Stuxnet was very tight, bigger than most malware, I guess, but that's debatable. Well, essentially, it was 500K, modular, built for a specific target. Very much about OPSEC. It was all about the centrifuges in the Iranian facility. And then on the other hand, you have Flame. It's huge, 20 megabytes, everything you can imagine, all the modules, all the vulnerabilities, everything that can possibly go wrong when the threat actor loses this specific campaign; the specific Trojan horse is now done.

Just try to imagine: APT1 was affected badly, at least according to Mandiant, and had to replace the entire infrastructure, the entire toolset, as far as we know. I wonder... we don't have any information, but how did the Flame guys act? 20 megabytes? It's insane. So how do people evolve? How do they cope with that? How do other threat actors react? So we can see a few examples. For example, Gauss. It was a skilled operation, but the example Kaspersky gave was very target specific; it would only open on a specific machine. They couldn't open the encryption. It was pretty complex. Technically, I don't get it. Maybe you would if you read the report, or read it, it was pretty interesting. Maybe APT3, Buckeye depending on the name, like... We recently responded to an incident response with APT3, and much like many other types of APTs, they first put a dropper down, do their thing, and then use their heavy tools, not to lose their tools immediately as they enter the network.

If you got to the talk last year: since then, Trend Micro and Check Point and other people came in and talked about it as well, and essentially they used an off-the-shelf tool to contact everybody, with their own OPSEC, with their own calculation. Now, Inbar.

So let's cover OPSEC in 60 seconds. What is OPSEC? OPSEC, operational security. At first you want to ask yourself, why do I even need that? Wait, wait, wait, wait. Stay with that. So, one, you have to assure success. You're here on a mission, right? You need to do something. You need to steal information. You want to sabotage, you want to do something. So if you came all the way here and went through all the trouble, you want to succeed. And then you want to prevent detection. Detection is not good for you. It's not good for your reputation, for your end of the year bonus. And it might even prevent you from finishing your task if you got detected too early. And last but not least is this thing called attribution. Attribution is... well, it started as a serious thing; now, not so much. We're going to come back to that later. But you would like to not be identified if you do get caught, because sometimes you do get caught. And this actually also exists in other processes as well. When you do software development, you're expected... your QA process, your design, if you have security by design and stuff like that, it's intended to basically achieve the same goals, maybe except attribution, because obviously they know who you are.

When is it compromised? When is your OPSEC not what you want? Well, first of all, time to market. OPSEC bears costs. It takes time to do; you have to invest resources in maybe developing tricks, or maybe you have to be very careful or do something very slowly. OK, for example, I can walk through metal detectors and obviously, you know, I am half metal, but there are some detectors that if you walk through them slowly enough, you don't get caught. And you need to see the faces of the operators when you do that. True story. Scalability: sometimes, in order to be able to scale up your operation, you're going to give up some principles. For example, what happens if one sample gets caught? Well, there are going to be many others, and they are going to be looking for them. So that's something that goes away. And, of course, ease of deployment. Maybe you want to use the same signing infrastructure, maybe you want to use the same distribution channel. If your distribution channel gets compromised, then now you have a big problem.

And what we're basically saying, and this is a generalization, by the way, I interpret the entire talk... it's a generalization. So, yes, there are always contradicting examples, but we have a storyline which we're trying to follow. So if you want to tell us that there is a contradicting example, you're probably right. Tell us later. Most of the APT reports represent some sort of an OPSEC failure. Someone got caught, and someone managed to discover what happened there, to a certain degree. So what we're trying to say here is you need to know the enemy. Now, as a defender, you don't always know the enemy, because when APTs are being created by nation state actors, they don't really share their failures with you. You end up reading APT reports. So what we're trying to do is trying to figure out what the other guy thinks. Now, we do have one good example, the Hacking Team. I hope there's no one here from that nice company. Well, they got caught, and not only did they get caught, but their emails were leaked as well. And we actually have information. We have their emails. And as the report says, their primary concern seems to have been not getting caught again, which is understandable, because it's kind of bad for your business. But when it comes to nation state actors, we don't have that information. So we're going to try to figure it out. That's just for the record. We didn't really emphasize it: the Citizen Lab research blog quote. Yeah, this is thanks to Citizen Lab. And we're going to try to sort of reverse engineer the thought process of an attacker.

And here's a problem. Many APT reports suck. Now, when I say suck... I am trying to be provocative, because I've learned that that's sometimes a way to achieve... the interview for an APT report I covered. What, didn't you write an APT report? I did. It was one; I think a coauthor is here. I'm not sure. And then I stopped it. Didn't you present one here? I may have. You may have. I may have. You may have.

OK, so what's wrong with APT reports? This guy, he's a commentator. He sits up there and he tells you what's going on in the game. Right. And an APT report, or a malware research, is a lot like you telling me how good the other guy is. Right. Look at this most sophisticated attack platform. Look at this amazing deployment technique. Look at this amazing rootkit. And it's very nice, but as a defender, if I am not a malware researcher myself, that's not useful to me. APT reports are commonly very long. Some of them are as long as 60 pages. And in those 60 pages, there is so much technical information that sometimes you just don't know what to do with that. And many APT reports that we see, the public ones, they're not full. The ones that we see are intended for PR purposes, and the full reports are only shipped to some, maybe paying, customers, or maybe there's not even a fuller version than the one that we see. And as a result, there is an asymmetry.

Horrible, horrible, I see not everyone gets it: a cemetery. He's calling me fat right now, just so we're clear on what's going on here. I called you bald.

So there is an information gap, because the attacker can use all that malware research stuff. So the information gap benefits the attacker, but not just the attacker. Everyone learns, because all the other actors are reading the same reports. And even though this talk is about nation state actors, we'd like to remind you guys that the malware writers that work in the cybercrime world, they also read the reports. And actually what we're seeing, whenever there is an APT report out, the technology is leaking to the criminal world. And that makes APT reports actually free QA for the attackers.

So sometimes you can see lessons learned, right? The APT1 infrastructure was huge. Parts of it, like big parts of it, were registered with the same name, same email address. And I remember Ugly Gorilla, 163 dot com. But the Turla malware is a very sophisticated satellite downlink hijacking, through an ISP, to inject packets that could be received without actually exposing the location of the destination. And then we had learning in progress. So they're learning, but they're not done yet. So Stuxnet and Duqu and Flame, they all share the same code. Old reports clearly show that. And guess what, Duqu 2 is still using large parts of that framework. Now, remember, we talked about OPSEC. It's a lot of time and money to develop such a thing. So you do try to use whatever you have left, and some things, well, you never know.

And attribution is a good... is a good case. If you look at Iron Tiger, clearly Chinese, but it was sent to Taiwanese targets with traditional Chinese versus simplified. The attack emails were talking about the matters of the Straits. Careto: well, everything fits so well. The language, the identities, everything looks perfectly Spanish. And in fact, it looks too perfect. Even if you look at geolocation, their attacks were against some activists nobody would care about except for Spain. But in Duqu 2, they were already playing games with the researchers. There are multiple false flags, right? We know that they put in the gorilla string, which is Chinese. We know that they put in the Romanian antihacker, which is Costin's Twitter alias. Right. So they start playing back with us.

So you read an APT report, you take the time, you read 60 pages. What do you get? Well. You get a lot of malware analysis; that's the major part of what you get. After that, you get a little bit of IOCs, indications of compromise, right, and they will be about the malware. That's actually actionable intelligence. Not all samples go on multiple targets, so you look at the C2 infrastructures, you get domain names, and that's also actionable. But with the development of OPSEC, these stopped being shared across campaigns. So the long term value of each of these IOCs is very small. And at the end, if at all, there's very little about the attack vector: how the attack was actually facilitated, how did it all start, and what was the attacker objective? What did they steal? Because you really want to know what they were doing. It's nice that they hacked this company, but what were they looking for?

So I'm a little bit confused at this stage, because we see a little bit of this facility, that there may be some false flags; we're trying to make sense of an APT report, perhaps for our own research, perhaps to defend an organization. What is actually going on? Are we getting the correct picture? So what we did so far, in the previous slide, is try to re-engineer, reverse engineer, what the forensics... the forensics process, essentially, reverse engineers what the attacker does. So we re-engineer what they do and actually talk about the attack process, about the engagement of the attackers, and the simplified model; we cannot just simply call it an engagement process. So.

We start with simple intelligence requirements. Here's the thing we have the least information about, and it's essentially like going shopping. What am I interested in today? Is it this nuclear deal? Is it this interesting product that is developed somewhere around the world? What would you like to know? Now. Let's just take an Iraq example, because it's older now, so people won't be as sensitive to it. Saddam Hussein has WMD. Where are the WMD? Does he intend to use said WMD? Who is working on WMD? And can we save Matt Damon? Can we get Matt Damon back yet again? Just wondering about that.

And then the second part is, let's compile a target list. Where can I actually get this information? So sometimes we... the person who would hold the information I want, so verticals: banking, pharmaceuticals, energy, aerospace, that's interesting enough, or we can have both. We talk about specific targets. We're interested in this target because they hold the information we want. Then again, we said we won't do many counterexamples, but one important counterexample that you gave us was this officer group. They are everywhere right now, very high profile, and they seem to be very opportunistic. They don't seem to be working with any specific agency; they find information and then try to sell it, so not everybody works according to this model.

As to intelligence gathering, and I'm going to pass it over to Inbar in a second, it starts with reconnaissance, and then we have a target report, essentially trying to figure out what's going on, what can we find out? How can we get in? And then get all this information in an organized fashion. So the target report is basically everything you need so you can do your job, OK. And once you have that, you can start acting, and you do that by attack plan and execution. And this is an iterative step. You start by an attack plan. This is how I intend to plan. Let's say I want to send an email, or I want to use port scanning, or SQL injection. I choose some technique. And for that I need to choose my tools. Right. Sometimes I will use off-the-shelf tools. Obviously, this is a very large shelf, as we've all learned. Sometimes I will customize; sometimes I will write something particular for this target. Sometimes I'll just take somebody else's malware and make small adaptations. Right. Well, you do that.

You get these examples. Let's look at two: Stuxnet and Gauss. Stuxnet, as you mentioned before, was very targeted. The code that was there was meant to deal with PLCs of specific vendors doing specific things. That thing had absolutely no use anywhere on the planet, anywhere else. Right. And Gauss, it was a big multifunctional tool. But there's still one mystery that no one managed to solve, on the USB infection mechanism. They found an encrypted payload. The payload is encrypted by an MD5 hash run ten thousand times on certain parameters of the hard drive. And in fact, till this very day, no one managed to find out those parameters.
They don't know which 583 00:20:02,990 --> 00:20:06,019 computer was the designated target 584 00:20:06,020 --> 00:20:08,209 many people try to enumerate and that we 585 00:20:08,210 --> 00:20:09,109 still don't know. 586 00:20:09,110 --> 00:20:10,909 We only know that there is only one 587 00:20:10,910 --> 00:20:13,009 computer on this planet that will have 588 00:20:13,010 --> 00:20:14,810 the payload decrypt and execute. 589 00:20:15,890 --> 00:20:18,379 Or in a Dell SecureWorks 590 00:20:18,380 --> 00:20:21,109 report of one of the targets, uh, 591 00:20:21,110 --> 00:20:23,149 that they analyzed, turns out that the 592 00:20:23,150 --> 00:20:24,909 attackers. 593 00:20:24,910 --> 00:20:27,159 Took advantage of a platform that already 594 00:20:27,160 --> 00:20:29,919 existed in the target, it was 595 00:20:29,920 --> 00:20:32,079 an endpoint management program, 596 00:20:32,080 --> 00:20:34,539 and they use that to lateral 597 00:20:34,540 --> 00:20:35,919 move throughout the organization. 598 00:20:35,920 --> 00:20:38,199 By the way, we saw the same with Target, 599 00:20:38,200 --> 00:20:40,179 right? They used accounts installed by 600 00:20:40,180 --> 00:20:42,399 another program to open shares. 601 00:20:42,400 --> 00:20:43,869 So we see that all the time. 602 00:20:44,980 --> 00:20:47,139 And once you're in, you acted 603 00:20:47,140 --> 00:20:48,699 on your plan. 604 00:20:48,700 --> 00:20:50,589 So the first time you just get into the 605 00:20:50,590 --> 00:20:52,329 target, now you're running code inside 606 00:20:52,330 --> 00:20:54,369 the target. But your your job is not 607 00:20:54,370 --> 00:20:55,299 done. 608 00:20:55,300 --> 00:20:57,399 Now you need to move forward, 609 00:20:57,400 --> 00:21:00,159 lateral movement, maybe get to 610 00:21:00,160 --> 00:21:01,869 the real place because you usually use 611 00:21:01,870 --> 00:21:03,189 the weakest link to get inside an 612 00:21:03,190 --> 00:21:04,389 organization. 
613 00:21:04,390 --> 00:21:06,819 So now you go back to intelligence 614 00:21:06,820 --> 00:21:08,589 gathering and this time it's a little 615 00:21:08,590 --> 00:21:10,059 different because now you're no longer 616 00:21:10,060 --> 00:21:11,889 outside and everybody staring at the 617 00:21:11,890 --> 00:21:12,890 screen stop talking. 618 00:21:13,920 --> 00:21:15,449 Who who got that Twitter, Facebook? 619 00:21:17,080 --> 00:21:18,809 Who didn't watch it all the way? 620 00:21:20,720 --> 00:21:21,969 Really? 621 00:21:21,970 --> 00:21:24,079 OK, so we're going 622 00:21:24,080 --> 00:21:26,089 to save you, that's a minute 40, but when 623 00:21:26,090 --> 00:21:28,099 you're inside the target, things look 624 00:21:28,100 --> 00:21:29,089 different. 625 00:21:29,090 --> 00:21:30,499 No, no, just kidding. 626 00:21:30,500 --> 00:21:33,109 We wanted to do that about copyright in 627 00:21:33,110 --> 00:21:34,400 two more minutes of your life. 628 00:21:37,400 --> 00:21:39,409 Intelligence gathering is different now 629 00:21:39,410 --> 00:21:41,809 because now you're inside the target 630 00:21:41,810 --> 00:21:44,119 and the target has all sorts of defenses, 631 00:21:44,120 --> 00:21:46,529 so you're OPSEC gets revisited, 632 00:21:46,530 --> 00:21:47,749 right? 633 00:21:47,750 --> 00:21:50,209 You need to map the target's defenses. 634 00:21:50,210 --> 00:21:52,729 What are they using? Do they have any of 635 00:21:52,730 --> 00:21:54,579 any peripheral devices? 636 00:21:54,580 --> 00:21:56,929 What are they using any sandboxing? 637 00:21:56,930 --> 00:21:58,429 Now, the interesting thing about this is 638 00:21:58,430 --> 00:21:59,539 when you think about intelligence 639 00:21:59,540 --> 00:22:01,949 operations, you think about your target. 640 00:22:01,950 --> 00:22:02,969 What am I going to face? 641 00:22:02,970 --> 00:22:05,189 Am I going to face an AIDS, am I going 642 00:22:05,190 --> 00:22:05,939 to face something else? 
643 00:22:05,940 --> 00:22:08,579 I need the clicker to click everything. 644 00:22:08,580 --> 00:22:10,569 OK, there we go. 645 00:22:10,570 --> 00:22:11,699 Didn't say please don't. 646 00:22:11,700 --> 00:22:12,899 Please. 647 00:22:12,900 --> 00:22:15,179 OK, so essentially originally 648 00:22:15,180 --> 00:22:17,639 you would say, what am I facing 649 00:22:17,640 --> 00:22:19,139 then? Is it a threat to me? 650 00:22:19,140 --> 00:22:20,759 So for example, they may have a security 651 00:22:20,760 --> 00:22:21,989 control and you wouldn't care about it 652 00:22:21,990 --> 00:22:23,579 because it wouldn't stop you. 653 00:22:23,580 --> 00:22:25,049 But then things started to change. 654 00:22:26,130 --> 00:22:27,779 You would start saying these aren't 655 00:22:27,780 --> 00:22:29,849 viruses, for example, may 656 00:22:29,850 --> 00:22:32,369 not threaten me and I can bypass them, 657 00:22:32,370 --> 00:22:34,859 but they have an entire home base, 658 00:22:34,860 --> 00:22:36,959 the back end where they can go in later 659 00:22:36,960 --> 00:22:39,089 on, threaten me, quite 660 00:22:39,090 --> 00:22:40,529 signatures, whatever it is that is 661 00:22:40,530 --> 00:22:42,239 written about right now, they can 662 00:22:42,240 --> 00:22:44,279 essentially find me after the fact. 663 00:22:44,280 --> 00:22:45,569 So that's a threat. 664 00:22:45,570 --> 00:22:47,729 I have to take different other viruses 665 00:22:47,730 --> 00:22:49,889 as a threat now. That changes everything, 666 00:22:49,890 --> 00:22:50,890 but it's still not good enough. 667 00:22:52,210 --> 00:22:53,439 Look for other players, 668 00:22:54,550 --> 00:22:55,779 think about it, there is another player 669 00:22:55,780 --> 00:22:57,639 on the machine, and Reagan is a very good 670 00:22:57,640 --> 00:22:58,959 example. 671 00:22:58,960 --> 00:23:00,729 When Kaspersky even called the computer, 672 00:23:00,730 --> 00:23:02,529 they found it on an apt magnet. 
673 00:23:04,670 --> 00:23:06,619 So now am I supposed to think about 674 00:23:06,620 --> 00:23:08,779 looking at the computer and saying which 675 00:23:08,780 --> 00:23:10,699 other nation states, criminal 676 00:23:10,700 --> 00:23:12,439 organizations slash whoever it might be? 677 00:23:14,350 --> 00:23:16,299 And some tools installed here already, 678 00:23:16,300 --> 00:23:17,549 and I need to collect intelligence on 679 00:23:17,550 --> 00:23:19,469 that in retrospect or wait and analyze 680 00:23:19,470 --> 00:23:21,119 every system I go to. 681 00:23:21,120 --> 00:23:22,439 That sounds like a little bit too much 682 00:23:22,440 --> 00:23:24,299 work, but it's something that, depending 683 00:23:24,300 --> 00:23:25,469 on your OPSEC, you're going to have to 684 00:23:25,470 --> 00:23:26,470 face now. 685 00:23:29,310 --> 00:23:31,769 Then the last thing is really 686 00:23:31,770 --> 00:23:33,929 but really try to hide your identity, 687 00:23:33,930 --> 00:23:35,249 unless you're some of the Chinese group 688 00:23:35,250 --> 00:23:36,250 and then you don't care. 689 00:23:39,060 --> 00:23:41,369 So we have a few example, 690 00:23:41,370 --> 00:23:43,140 the hurricane panel, you can read 691 00:23:44,220 --> 00:23:45,899 the report, but quiet strike, there was 692 00:23:45,900 --> 00:23:47,099 actually a duel there. 693 00:23:47,100 --> 00:23:48,419 They got detected. 694 00:23:48,420 --> 00:23:50,699 Then the incident response team came. 695 00:23:50,700 --> 00:23:52,649 They started dueling for a while and it 696 00:23:52,650 --> 00:23:54,719 took a while of the scheduling 697 00:23:54,720 --> 00:23:56,849 before the actor decided to give 698 00:23:56,850 --> 00:23:57,850 up. 
699 00:23:58,300 --> 00:24:01,059 This is from Semantics Report, 700 00:24:01,060 --> 00:24:03,399 the Stuxnet look at the information 701 00:24:03,400 --> 00:24:05,679 back then, no one cared about anything 702 00:24:05,680 --> 00:24:08,049 or maybe they were just naive because 703 00:24:08,050 --> 00:24:10,239 nothing had been caught before that with 704 00:24:10,240 --> 00:24:11,799 maybe one or two exceptions. 705 00:24:11,800 --> 00:24:13,959 Here you have the compile 706 00:24:13,960 --> 00:24:16,089 compilation times of all the 707 00:24:16,090 --> 00:24:18,159 files used inside the target 708 00:24:18,160 --> 00:24:20,139 and then you have the infection time. 709 00:24:20,140 --> 00:24:22,149 Now, aside from the fact that, as you can 710 00:24:22,150 --> 00:24:24,579 later seen, Kaspersky reports, the 711 00:24:24,580 --> 00:24:26,799 compilation times are used to determine 712 00:24:26,800 --> 00:24:28,509 the attribution. 713 00:24:28,510 --> 00:24:29,889 This gives you a lot of information. 714 00:24:29,890 --> 00:24:31,959 This tells you how long it takes them 715 00:24:31,960 --> 00:24:34,529 from the creation of the file. 716 00:24:34,530 --> 00:24:36,719 To the deployment that will tell 717 00:24:36,720 --> 00:24:39,149 you about their attack 718 00:24:39,150 --> 00:24:41,669 operation, does it take 719 00:24:41,670 --> 00:24:43,829 a minute, a day, a month? 720 00:24:43,830 --> 00:24:45,210 You can learn a lot from that. 721 00:24:46,540 --> 00:24:48,489 So we have other examples, actually, just 722 00:24:48,490 --> 00:24:50,499 one thing is if you look at Duke two, you 723 00:24:50,500 --> 00:24:52,029 can see the start to randomize that they 724 00:24:52,030 --> 00:24:54,469 started looking at forensic analysis, 725 00:24:54,470 --> 00:24:56,709 the threat to their existence, which 726 00:24:56,710 --> 00:24:58,869 goes back to the previous slide. 
727 00:24:58,870 --> 00:25:01,299 So obviously, the threat actors evolve, 728 00:25:01,300 --> 00:25:03,609 right, we have use of 729 00:25:03,610 --> 00:25:06,039 previously existing tools or 730 00:25:06,040 --> 00:25:07,779 integral tools of the operating system 731 00:25:07,780 --> 00:25:09,969 because you can't sign on those, they're 732 00:25:09,970 --> 00:25:10,989 going to be there. 733 00:25:10,990 --> 00:25:12,789 So you don't need to deliver anything. 734 00:25:12,790 --> 00:25:14,499 You don't need to worry about deployment, 735 00:25:14,500 --> 00:25:16,749 encryption. You land there and just 736 00:25:16,750 --> 00:25:19,389 use like power show or act 737 00:25:19,390 --> 00:25:21,699 or IP config and Dooku 738 00:25:21,700 --> 00:25:24,639 to and we keep reminding that 739 00:25:24,640 --> 00:25:26,439 sample because it's very impressive. 740 00:25:26,440 --> 00:25:28,929 They had this huge leap 741 00:25:28,930 --> 00:25:31,149 forward. It's a revolutionary 742 00:25:31,150 --> 00:25:32,559 deployment mechanism. 743 00:25:32,560 --> 00:25:34,629 They actually the lateral movement 744 00:25:34,630 --> 00:25:36,279 was done in RAM only. 745 00:25:36,280 --> 00:25:38,709 They only use several vantage points, 746 00:25:38,710 --> 00:25:41,319 computers that they were sure 747 00:25:41,320 --> 00:25:43,449 that they would maintain command of 748 00:25:43,450 --> 00:25:45,999 and everything else was running code in 749 00:25:46,000 --> 00:25:48,249 RAM. So if that machine rebooted, 750 00:25:48,250 --> 00:25:50,439 then the superior computer could 751 00:25:50,440 --> 00:25:51,939 reinfected from far. 752 00:25:51,940 --> 00:25:54,249 But that changes everything about 753 00:25:54,250 --> 00:25:56,739 how you act inside 754 00:25:56,740 --> 00:25:57,740 your organization. 
755 00:26:01,010 --> 00:26:02,749 So another aspect which people usually 756 00:26:02,750 --> 00:26:04,049 don't talk about when it comes to 757 00:26:04,050 --> 00:26:06,769 equities or other types of operations 758 00:26:06,770 --> 00:26:07,909 is their retreat. 759 00:26:07,910 --> 00:26:09,319 We often talk about dismantling, but we 760 00:26:09,320 --> 00:26:10,759 don't talk about the folding action, the 761 00:26:10,760 --> 00:26:13,339 full deck, and 762 00:26:13,340 --> 00:26:15,259 we can see some examples over time 763 00:26:15,260 --> 00:26:17,299 costing spoke about this a few times. 764 00:26:18,770 --> 00:26:19,879 Red October. 765 00:26:19,880 --> 00:26:21,769 They dismantled their operation after the 766 00:26:21,770 --> 00:26:22,909 publication took them a little bit of 767 00:26:22,910 --> 00:26:23,809 time. 768 00:26:23,810 --> 00:26:25,159 The Mask corridor. 769 00:26:25,160 --> 00:26:27,349 There was a blog at Kaspersky and 770 00:26:27,350 --> 00:26:29,449 four hours into this blog publication, 771 00:26:29,450 --> 00:26:31,180 they were gone and they 772 00:26:32,520 --> 00:26:34,639 they give their own name, the mask. 773 00:26:34,640 --> 00:26:36,979 And within four hours, their entire 774 00:26:36,980 --> 00:26:37,969 infrastructure was gone. 775 00:26:37,970 --> 00:26:39,109 As far as I know, we can talk to 776 00:26:39,110 --> 00:26:41,329 Christine about that and 777 00:26:41,330 --> 00:26:42,319 do to. 778 00:26:42,320 --> 00:26:43,519 They didn't even wait. 779 00:26:44,540 --> 00:26:46,909 They hunted the vendor, they went into 780 00:26:46,910 --> 00:26:48,709 Kaspersky trying to figure out what's 781 00:26:48,710 --> 00:26:49,729 going to happen, maybe they had other 782 00:26:49,730 --> 00:26:51,619 reasons as well, but he chose an 783 00:26:51,620 --> 00:26:52,620 interesting story. 784 00:26:54,020 --> 00:26:55,849 Of course, there are counterexamples. 
785 00:26:55,850 --> 00:26:57,409 Again, we don't give many of these, but 786 00:26:57,410 --> 00:26:59,009 some of these guys just don't care, like 787 00:26:59,010 --> 00:27:01,129 LPT 12 Gaza Hucker team, I believe 788 00:27:01,130 --> 00:27:02,359 that Rocket Keating from last year, 789 00:27:02,360 --> 00:27:03,349 they're still alive. They don't give a 790 00:27:03,350 --> 00:27:04,969 shit for human language. 791 00:27:04,970 --> 00:27:06,829 They just don't care or they don't know 792 00:27:06,830 --> 00:27:07,759 or they don't have the operational 793 00:27:07,760 --> 00:27:09,499 capability to even know. 794 00:27:09,500 --> 00:27:10,669 Hey, there is a security conference 795 00:27:10,670 --> 00:27:12,619 called C.C.C.. Let's go watch TV and we 796 00:27:12,620 --> 00:27:13,620 are being compromised. 797 00:27:15,340 --> 00:27:18,099 So with that, we would like to take the 798 00:27:18,100 --> 00:27:19,929 methodology we've built about how the 799 00:27:19,930 --> 00:27:21,759 attacker works, what we reengineered 800 00:27:21,760 --> 00:27:24,039 about their tactics 801 00:27:24,040 --> 00:27:26,289 and try to look at the defender side 802 00:27:26,290 --> 00:27:28,389 now because of the limitations we 803 00:27:28,390 --> 00:27:30,249 have on information in forensics and the 804 00:27:30,250 --> 00:27:32,349 reports are a little bit a little bit 805 00:27:32,350 --> 00:27:33,919 difficult. This is a work in progress. 806 00:27:33,920 --> 00:27:35,499 Maybe you can help us out. 807 00:27:35,500 --> 00:27:37,479 Maybe we can build it to be better, which 808 00:27:37,480 --> 00:27:39,219 is the entire idea of this stock. 809 00:27:42,100 --> 00:27:44,859 So we're working my problem takeaways 810 00:27:44,860 --> 00:27:47,139 and action for each one of 811 00:27:47,140 --> 00:27:48,129 these issues. 812 00:27:48,130 --> 00:27:50,079 So, first of all, the intelligence 813 00:27:50,080 --> 00:27:51,080 requirements. 
814 00:27:52,250 --> 00:27:54,289 We do not have enough information about 815 00:27:54,290 --> 00:27:55,429 the attack or objectives, if you remember 816 00:27:55,430 --> 00:27:56,779 the graph from earlier, that was the 817 00:27:56,780 --> 00:27:58,759 least amount of knowledge we had about 818 00:27:58,760 --> 00:28:00,709 any attacker or most attackers. 819 00:28:02,330 --> 00:28:04,579 And essentially, the understanding 820 00:28:04,580 --> 00:28:06,829 here is 821 00:28:06,830 --> 00:28:08,599 they are kind of stalkers, if they're 822 00:28:08,600 --> 00:28:09,919 interested in their information 823 00:28:09,920 --> 00:28:11,659 requirements, they know they're 824 00:28:11,660 --> 00:28:13,849 interested in something you have. 825 00:28:13,850 --> 00:28:15,319 They're not going to give it up, and if 826 00:28:15,320 --> 00:28:17,089 they like you, they like you. 827 00:28:18,580 --> 00:28:19,839 You know, you might wake up and say, 828 00:28:19,840 --> 00:28:21,759 excuse me, Miss Goosy, 829 00:28:23,470 --> 00:28:25,609 actually, there's one example for that. 830 00:28:25,610 --> 00:28:27,939 You can see it, this report 831 00:28:27,940 --> 00:28:30,309 presented at RSA conferences, 832 00:28:30,310 --> 00:28:32,479 RSA conference by Philbert, to 833 00:28:32,480 --> 00:28:34,539 say this year from Croute 834 00:28:34,540 --> 00:28:36,559 from a source. 835 00:28:36,560 --> 00:28:39,129 Well, I guess I'm too tired 836 00:28:39,130 --> 00:28:40,569 from Dell SecureWorks. 837 00:28:40,570 --> 00:28:43,239 There we go. So you can see that 838 00:28:43,240 --> 00:28:45,399 there was some battling going around 839 00:28:45,400 --> 00:28:47,709 there and then the attacker lost 840 00:28:47,710 --> 00:28:50,169 and then there was a quiet weekend. 841 00:28:50,170 --> 00:28:52,299 But when the weekend was over, they came 842 00:28:52,300 --> 00:28:54,229 back with new tools. 843 00:28:54,230 --> 00:28:56,379 Why? Because they had an objective. 
844 00:28:56,380 --> 00:28:58,539 They had things that they needed 845 00:28:58,540 --> 00:28:59,559 to bring over. 846 00:28:59,560 --> 00:29:01,689 And just the fact that they got detected 847 00:29:01,690 --> 00:29:03,519 once does not mean that they're going to 848 00:29:03,520 --> 00:29:05,619 say, OK, forget this guy, let's go 849 00:29:05,620 --> 00:29:06,159 somewhere else. 850 00:29:06,160 --> 00:29:07,779 There's an interesting issue discovered 851 00:29:07,780 --> 00:29:09,819 here, which Phil usually writes about, 852 00:29:09,820 --> 00:29:11,889 which is they will escalate 853 00:29:11,890 --> 00:29:13,989 as needed, meaning they may 854 00:29:13,990 --> 00:29:16,569 use pretty lame lateral movement tools 855 00:29:16,570 --> 00:29:18,639 and then escalate as they find a 856 00:29:18,640 --> 00:29:19,640 position. 857 00:29:22,650 --> 00:29:23,650 So. 858 00:29:24,480 --> 00:29:26,729 The second takeaway we have 859 00:29:26,730 --> 00:29:28,799 is that stealing data is just one 860 00:29:28,800 --> 00:29:30,869 of the options, and 861 00:29:30,870 --> 00:29:32,789 I believe everybody remembers when this 862 00:29:32,790 --> 00:29:33,790 happened. 863 00:29:34,220 --> 00:29:35,989 And many in the industry started saying, 864 00:29:35,990 --> 00:29:37,809 what how did this happen? 865 00:29:39,150 --> 00:29:41,429 It is huge now, again, 866 00:29:41,430 --> 00:29:42,959 just like a big one coming from a 867 00:29:42,960 --> 00:29:44,459 security background. Yeah, it's just 868 00:29:44,460 --> 00:29:45,479 another hack. 869 00:29:45,480 --> 00:29:46,979 Naturally, from their perspective, this 870 00:29:46,980 --> 00:29:48,929 was a major issue naturally. 871 00:29:48,930 --> 00:29:51,299 So they should take it seriously. 872 00:29:51,300 --> 00:29:53,429 And I feel sorry and I would help 873 00:29:53,430 --> 00:29:54,629 if I could. 874 00:29:54,630 --> 00:29:56,789 But the main point here was 875 00:29:56,790 --> 00:29:57,839 there was a risk. 
876 00:29:59,060 --> 00:30:01,159 And that risk was what might happen 877 00:30:01,160 --> 00:30:02,759 once they have a foothold inside my 878 00:30:02,760 --> 00:30:04,849 organization and everybody is used to 879 00:30:04,850 --> 00:30:07,429 thinking mostly about 880 00:30:07,430 --> 00:30:08,430 data theft. 881 00:30:09,300 --> 00:30:10,499 They kicked the body here. 882 00:30:12,900 --> 00:30:13,949 And that is something we need to take 883 00:30:13,950 --> 00:30:16,019 into consideration, essentially 884 00:30:16,020 --> 00:30:17,020 actions. 885 00:30:17,990 --> 00:30:20,209 There is a classic tool in security 886 00:30:20,210 --> 00:30:22,169 management called risk assessments. 887 00:30:22,170 --> 00:30:24,649 Usually it's a useless tool. 888 00:30:24,650 --> 00:30:26,629 It's a huge document. 889 00:30:26,630 --> 00:30:27,979 Two hundred six hundred two thousand 890 00:30:27,980 --> 00:30:29,779 pages you write down for regulation, 891 00:30:29,780 --> 00:30:31,729 throw it away at some point or you need 892 00:30:31,730 --> 00:30:32,809 just to click the box. 893 00:30:34,760 --> 00:30:36,919 But risk management is meant to be used 894 00:30:36,920 --> 00:30:39,409 and used correctly, meaning if, you know 895 00:30:39,410 --> 00:30:41,569 there is potential risk of 896 00:30:41,570 --> 00:30:43,129 an attacker getting in and then, you 897 00:30:43,130 --> 00:30:45,019 know, the potential risk is them doing, 898 00:30:45,020 --> 00:30:47,179 for example, damage, check 899 00:30:47,180 --> 00:30:48,199 your impact. 900 00:30:48,200 --> 00:30:50,029 The impact is important to determine that 901 00:30:50,030 --> 00:30:52,189 risk, make risk assessments 902 00:30:52,190 --> 00:30:54,349 make sense for your daily operation as 903 00:30:54,350 --> 00:30:56,059 opposed to being some documents. 904 00:30:56,060 --> 00:30:57,380 It's policy that's never used. 
905 00:30:58,830 --> 00:31:01,499 The second part is what can we do about 906 00:31:01,500 --> 00:31:02,500 the target list? 907 00:31:04,000 --> 00:31:06,069 So first of all, our problem is we don't 908 00:31:06,070 --> 00:31:08,379 have time sensitive information, we can't 909 00:31:08,380 --> 00:31:09,639 really determine a pattern. 910 00:31:09,640 --> 00:31:11,169 Now, maybe this is available in closed 911 00:31:11,170 --> 00:31:13,239 circuits, maybe not, maybe 912 00:31:13,240 --> 00:31:14,139 not always. 913 00:31:14,140 --> 00:31:16,329 But our takeaway from this is. 914 00:31:18,030 --> 00:31:20,279 That we need to be able 915 00:31:20,280 --> 00:31:21,689 to get that information, which we'll talk 916 00:31:21,690 --> 00:31:23,879 about, but more than that, if 917 00:31:23,880 --> 00:31:26,189 you have a similar target 918 00:31:26,190 --> 00:31:28,439 to you being compromised or 919 00:31:28,440 --> 00:31:29,849 you're using similar technologies or 920 00:31:29,850 --> 00:31:31,710 platforms, take note. 921 00:31:33,030 --> 00:31:34,819 Don't wait to be attacked. 922 00:31:34,820 --> 00:31:36,779 For an organization just like yours to be 923 00:31:36,780 --> 00:31:38,579 attacked, for you to take note, to start 924 00:31:38,580 --> 00:31:39,580 doing something about. 925 00:31:40,600 --> 00:31:42,669 So, guys, if you guys 926 00:31:42,670 --> 00:31:44,409 follow Brian Krebs, then you know that 927 00:31:44,410 --> 00:31:46,749 right after the target breach every other 928 00:31:46,750 --> 00:31:48,879 week, there was a new piece 929 00:31:48,880 --> 00:31:51,069 about this was breach and 930 00:31:51,070 --> 00:31:52,989 that was breach and this was breach. 
931 00:31:52,990 --> 00:31:55,389 And the thing is, the first moment 932 00:31:55,390 --> 00:31:56,889 that there was a target breach and they 933 00:31:56,890 --> 00:31:58,989 stole credit card numbers from point 934 00:31:58,990 --> 00:32:01,089 of sale devices, everyone who 935 00:32:01,090 --> 00:32:02,529 has a point of sale devices should have 936 00:32:02,530 --> 00:32:05,229 said, oh, my God, I could be next. 937 00:32:05,230 --> 00:32:07,449 And instead of actually going 938 00:32:07,450 --> 00:32:09,609 and, you know, making a 939 00:32:09,610 --> 00:32:11,769 big, big effort to see if they had 940 00:32:11,770 --> 00:32:13,999 already been compromised, everybody 941 00:32:14,000 --> 00:32:16,389 was just sitting and hoping 942 00:32:16,390 --> 00:32:18,159 that their name doesn't come up on the 943 00:32:18,160 --> 00:32:19,559 following week. 944 00:32:19,560 --> 00:32:21,089 Which brings us to another tool in 945 00:32:21,090 --> 00:32:23,189 classic securities has been ignored, 946 00:32:23,190 --> 00:32:25,049 and that's essentially the threat 947 00:32:25,050 --> 00:32:27,329 assessment threat by some. 948 00:32:27,330 --> 00:32:28,739 I mean, depends on how you define it. 949 00:32:28,740 --> 00:32:30,119 Some definitions go as far as 950 00:32:31,140 --> 00:32:33,419 threat equals intent plus capability. 951 00:32:33,420 --> 00:32:35,549 So now we know they have a capability, 952 00:32:35,550 --> 00:32:37,259 but we also know about the intent, not 953 00:32:37,260 --> 00:32:39,239 necessarily against you, but we know this 954 00:32:39,240 --> 00:32:40,359 has happened. 955 00:32:40,360 --> 00:32:42,059 It could change how we operate. 956 00:32:42,060 --> 00:32:43,229 This is based on intelligence. 957 00:32:43,230 --> 00:32:45,169 We may not have exact intelligence. 958 00:32:45,170 --> 00:32:47,069 This guy is trying to get us, but we have 959 00:32:47,070 --> 00:32:48,809 intelligence out there now. 
960 00:32:48,810 --> 00:32:50,369 Somebody is doing this. 961 00:32:50,370 --> 00:32:51,569 And more than that, they may be doing it 962 00:32:51,570 --> 00:32:52,679 to people similar to us. 963 00:32:54,520 --> 00:32:55,719 Now, when it comes to the cyber 964 00:32:55,720 --> 00:32:57,699 engagement cycle, or so we call it, the 965 00:32:57,700 --> 00:32:59,800 cycle of the three repeating steps, 966 00:33:01,030 --> 00:33:03,039 we decided that we're going to change a 967 00:33:03,040 --> 00:33:04,569 little bit, the format that we're going 968 00:33:04,570 --> 00:33:06,729 to treat all three steps together, 969 00:33:06,730 --> 00:33:08,439 but we're going to divide it into two 970 00:33:08,440 --> 00:33:10,719 stages, the pre engagement and 971 00:33:10,720 --> 00:33:12,219 the engagement itself. 972 00:33:12,220 --> 00:33:13,559 Now. 973 00:33:13,560 --> 00:33:15,389 Free engagement is when everything still 974 00:33:15,390 --> 00:33:17,579 happens outside of your organization. 975 00:33:18,840 --> 00:33:21,029 The problem is twofold, 976 00:33:21,030 --> 00:33:23,129 one, publicly available 977 00:33:23,130 --> 00:33:25,319 sensitive data, anywhere from 978 00:33:25,320 --> 00:33:27,899 complete employee 979 00:33:27,900 --> 00:33:29,969 lists, network 980 00:33:29,970 --> 00:33:30,970 sketches, 981 00:33:32,730 --> 00:33:34,229 sketches to say who works in the 982 00:33:34,230 --> 00:33:35,819 organization under who, what's the 983 00:33:35,820 --> 00:33:36,820 hierarchy? 984 00:33:37,980 --> 00:33:40,289 Anything that you can get from the people 985 00:33:40,290 --> 00:33:42,299 who will. Later, you will be discovering 986 00:33:42,300 --> 00:33:44,969 U.S. security questions, whose answers 987 00:33:44,970 --> 00:33:46,409 are on their Facebook. 988 00:33:46,410 --> 00:33:47,879 OK, that also happens. 
989 00:33:47,880 --> 00:33:50,189 And the second problem is lack security 990 00:33:50,190 --> 00:33:52,319 awareness, which in turn 991 00:33:52,320 --> 00:33:53,229 allows probing. 992 00:33:53,230 --> 00:33:55,379 Now, that probing can happen in two 993 00:33:55,380 --> 00:33:57,509 ways. The first one is the one we 994 00:33:57,510 --> 00:34:00,149 all know. You just use it automatically. 995 00:34:00,150 --> 00:34:02,189 You use tools, you scan the network, you 996 00:34:02,190 --> 00:34:04,409 look for open borders or 997 00:34:04,410 --> 00:34:06,479 default passwords or bad 998 00:34:06,480 --> 00:34:07,679 configurations. 999 00:34:07,680 --> 00:34:08,759 Everyone does that. 1000 00:34:08,760 --> 00:34:11,099 You just take a tool set, you do it. 1001 00:34:11,100 --> 00:34:13,229 But people always do also do that 1002 00:34:13,230 --> 00:34:15,809 manually making phone calls. 1003 00:34:15,810 --> 00:34:16,810 Right. 1004 00:34:17,260 --> 00:34:19,539 In my previous job, I worked a checkpoint 1005 00:34:19,540 --> 00:34:21,698 at least twice, I was 1006 00:34:21,699 --> 00:34:23,979 randomly next to the 1007 00:34:23,980 --> 00:34:26,289 reception desk while the reception desk 1008 00:34:26,290 --> 00:34:28,479 was trying to deal with such 1009 00:34:28,480 --> 00:34:30,609 a decoy call and on both times 1010 00:34:30,610 --> 00:34:32,829 and had they handed it over to me because 1011 00:34:32,830 --> 00:34:34,899 I was excited that the opportunity to 1012 00:34:34,900 --> 00:34:37,059 speak to a scammer and, you 1013 00:34:37,060 --> 00:34:38,649 know, you start asking them question and 1014 00:34:38,650 --> 00:34:40,749 then they hang up, but this actually 1015 00:34:40,750 --> 00:34:41,750 happens. 1016 00:34:45,500 --> 00:34:46,500 Next. 1017 00:34:47,480 --> 00:34:50,209 Well, there is 1018 00:34:50,210 --> 00:34:51,210 one more. 
1019 00:34:52,570 --> 00:34:54,638 The understanding here is 1020 00:34:54,639 --> 00:34:56,329 that, and this is basic, right, the 1021 00:34:56,330 --> 00:34:57,919 attacker can gain a lot of information, 1022 00:34:57,920 --> 00:34:59,559 they can do the full operation sometimes 1023 00:34:59,560 --> 00:35:01,119 without ever doing anything active 1024 00:35:01,120 --> 00:35:02,120 against your organization. 1025 00:35:02,980 --> 00:35:05,019 You need to know this is possible, you 1026 00:35:05,020 --> 00:35:07,089 need to control 1027 00:35:07,090 --> 00:35:08,649 what's going on, you need to limit public 1028 00:35:08,650 --> 00:35:09,969 information as much as possible. 1029 00:35:09,970 --> 00:35:11,379 Naturally, you won't be able to do 1030 00:35:11,380 --> 00:35:12,380 everything. 1031 00:35:13,210 --> 00:35:15,669 You need to act outside 1032 00:35:15,670 --> 00:35:16,670 your own perimeter. 1033 00:35:18,020 --> 00:35:20,089 Which is a critical thought to 1034 00:35:20,090 --> 00:35:22,609 have in this day and age 1035 00:35:22,610 --> 00:35:23,989 as well, and this is very important to 1036 00:35:23,990 --> 00:35:24,990 endorse specifically. 1037 00:35:25,870 --> 00:35:28,059 Awareness refreshers: 1038 00:35:28,060 --> 00:35:30,039 this is a human problem, not a technical 1039 00:35:30,040 --> 00:35:32,259 problem, so whatever awareness can 1040 00:35:32,260 --> 00:35:34,629 gain, even if it's not much, should 1041 00:35:34,630 --> 00:35:36,849 be attempted, it helps. 1042 00:35:36,850 --> 00:35:38,439 I can tell you from my own experience in 1043 00:35:38,440 --> 00:35:40,539 the Israeli CERT: human sensors, 1044 00:35:40,540 --> 00:35:42,879 so-called. People report 1045 00:35:42,880 --> 00:35:44,559 to us. We are open to them. 1046 00:35:44,560 --> 00:35:46,689 We ask them what's going on. 1047 00:35:46,690 --> 00:35:48,849 And sometimes they don't 1048 00:35:48,850 --> 00:35:49,989 want to say it's a waste of time. 
That will be 1049 00:35:49,990 --> 00:35:52,119 rude. Sometimes a call is 1050 00:35:52,120 --> 00:35:54,249 a negative, about nothing, and 1051 00:35:54,250 --> 00:35:55,479 that's fine. We treat it with all 1052 00:35:55,480 --> 00:35:57,729 seriousness because many of the best 1053 00:35:57,730 --> 00:36:00,309 reports we ever got were from people 1054 00:36:00,310 --> 00:36:02,439 who knew we were interested, knew 1055 00:36:02,440 --> 00:36:05,469 to watch for stuff and alerted us. 1056 00:36:05,470 --> 00:36:07,329 Now, the problem with that is that, let's 1057 00:36:07,330 --> 00:36:09,249 face it, these are quite obvious. 1058 00:36:09,250 --> 00:36:11,469 But at the same time, they still 1059 00:36:11,470 --> 00:36:12,669 don't happen. 1060 00:36:12,670 --> 00:36:14,889 So the attackers 1061 00:36:14,890 --> 00:36:17,589 still make the same progress because 1062 00:36:17,590 --> 00:36:19,719 the basic stuff keeps staying 1063 00:36:19,720 --> 00:36:21,880 under the radar or unattended to. 1064 00:36:22,900 --> 00:36:25,149 So we come to the engagement stage 1065 00:36:25,150 --> 00:36:27,429 now. The attacker is already inside 1066 00:36:27,430 --> 00:36:28,430 your network. 1067 00:36:29,140 --> 00:36:30,140 Not a lot of 1068 00:36:31,720 --> 00:36:33,969 compromised organizations, 1069 00:36:33,970 --> 00:36:36,909 or APT reports, for that matter, share 1070 00:36:36,910 --> 00:36:38,799 the lateral movement part. 1071 00:36:38,800 --> 00:36:41,079 Mostly it's about secrecy 1072 00:36:41,080 --> 00:36:44,079 or privacy, or 1073 00:36:44,080 --> 00:36:45,609 they may not even have this information 1074 00:36:45,610 --> 00:36:46,779 sometimes. 1075 00:36:46,780 --> 00:36:49,149 Now, let's face it, everyone 1076 00:36:49,150 --> 00:36:50,139 is being hacked. 1077 00:36:50,140 --> 00:36:52,209 Everyone will be hacked. 1078 00:36:52,210 --> 00:36:54,529 Everyone has been hacked. 1079 00:36:54,530 --> 00:36:56,919 It's not a shame anymore, OK? 
1080 00:36:56,920 --> 00:36:59,029 It happens to everyone, and if 1081 00:36:59,030 --> 00:37:00,559 you pretend that it hasn't happened to 1082 00:37:00,560 --> 00:37:02,059 you, then I'm worried because you're 1083 00:37:02,060 --> 00:37:04,939 probably hiding something else as well. 1084 00:37:04,940 --> 00:37:07,099 And the takeaway is the 1085 00:37:07,100 --> 00:37:09,409 engagement is an ongoing process 1086 00:37:09,410 --> 00:37:10,879 because it's not a hit and run thing. 1087 00:37:10,880 --> 00:37:13,189 They don't, you know, not 1088 00:37:13,190 --> 00:37:15,149 always get directly to the computer 1089 00:37:15,150 --> 00:37:16,879 that was interesting and the data that 1090 00:37:16,880 --> 00:37:18,919 was interesting. They will stay around in 1091 00:37:18,920 --> 00:37:21,049 your network for a while and it gives 1092 00:37:21,050 --> 00:37:23,119 you many opportunities 1093 00:37:23,120 --> 00:37:25,309 to get in the way. 1094 00:37:25,310 --> 00:37:27,109 You have more time, you can think, you 1095 00:37:27,110 --> 00:37:29,359 can plan, you can influence, and 1096 00:37:29,360 --> 00:37:31,459 the action is indeed influenced. 1097 00:37:31,460 --> 00:37:33,949 You need to put as many obstacles 1098 00:37:33,950 --> 00:37:35,239 as possible. 1099 00:37:35,240 --> 00:37:37,909 Layered security, deception, 1100 00:37:37,910 --> 00:37:40,309 OK? The attacker needs to spend 1101 00:37:40,310 --> 00:37:43,099 time and effort and resources 1102 00:37:43,100 --> 00:37:45,259 in your network, because the longer they 1103 00:37:45,260 --> 00:37:46,260 are in your network, 1104 00:37:47,510 --> 00:37:48,529 the safer you are. 1105 00:37:48,530 --> 00:37:50,299 It takes them more time to get to the 1106 00:37:50,300 --> 00:37:52,339 interesting part and it gives you more 1107 00:37:52,340 --> 00:37:54,829 opportunities to catch them. 
1108 00:37:54,830 --> 00:37:56,659 We may have separated the pre- and the 1109 00:37:56,660 --> 00:37:58,219 post-engagement. 1110 00:37:59,330 --> 00:38:00,319 Sorry about that. 1111 00:38:00,320 --> 00:38:02,599 OK, so we separated 1112 00:38:02,600 --> 00:38:04,129 the pre- and post-invasion, but it is an 1113 00:38:04,130 --> 00:38:06,259 ongoing cycle and that's the important 1114 00:38:06,260 --> 00:38:08,089 thing to understand. They get in 1115 00:38:08,090 --> 00:38:10,279 and they find that the more 1116 00:38:10,280 --> 00:38:11,629 obstacles you put in place, the more 1117 00:38:11,630 --> 00:38:13,729 basic security you put in place, 1118 00:38:13,730 --> 00:38:15,439 the more time you will have to find them 1119 00:38:15,440 --> 00:38:17,149 and it will be hard for them to continue 1120 00:38:17,150 --> 00:38:18,349 operating. 1121 00:38:18,350 --> 00:38:19,819 And don't be shy. 1122 00:38:19,820 --> 00:38:21,709 Share your breach data. 1123 00:38:21,710 --> 00:38:24,319 Yes, someone has to be the first, 1124 00:38:24,320 --> 00:38:26,659 but you don't have to tell everything. 1125 00:38:26,660 --> 00:38:28,729 Tell about the technique, 1126 00:38:28,730 --> 00:38:30,319 tell about the things that other 1127 00:38:30,320 --> 00:38:32,389 defenders, other CISOs or I.T. 1128 00:38:32,390 --> 00:38:35,179 security guys can use. 1129 00:38:35,180 --> 00:38:37,279 And you start hearing other people 1130 00:38:37,280 --> 00:38:39,700 start sharing and we're all safer. 1131 00:38:40,870 --> 00:38:41,949 And the last stage. 1132 00:38:43,880 --> 00:38:46,009 Essentially, the fold and retreat, and if 1133 00:38:46,010 --> 00:38:46,909 you don't want to share the actual 1134 00:38:46,910 --> 00:38:48,589 information, a heads up, a heads up would 1135 00:38:48,590 --> 00:38:49,909 be nice, you know, just say. 
1136 00:38:52,000 --> 00:38:54,159 So this is, this 1137 00:38:54,160 --> 00:38:56,049 is interesting, I never previously had 1138 00:38:56,050 --> 00:38:57,489 this thought, it's really interesting for 1139 00:38:57,490 --> 00:38:58,659 me when I think about something that's 1140 00:38:58,660 --> 00:39:00,009 new for me in security, or at least 1141 00:39:00,010 --> 00:39:01,629 emphasizes security in a different way. 1142 00:39:01,630 --> 00:39:03,159 Everybody says cyber nowadays. 1143 00:39:03,160 --> 00:39:04,160 What's different? 1144 00:39:05,180 --> 00:39:07,159 And one of the realizations is, yes, the 1145 00:39:07,160 --> 00:39:08,779 attackers have been deleting logs 1146 00:39:08,780 --> 00:39:11,209 throughout the lifetime of security, but 1147 00:39:11,210 --> 00:39:13,489 they can destroy forensic evidence. 1148 00:39:13,490 --> 00:39:15,269 Do we plan for that? 1149 00:39:15,270 --> 00:39:18,029 A lot of our security today is based 1150 00:39:18,030 --> 00:39:20,099 on after-the-fact incident response and 1151 00:39:20,100 --> 00:39:22,049 forensics, that is a major understanding 1152 00:39:22,050 --> 00:39:23,069 for us right now. 1153 00:39:23,070 --> 00:39:25,199 It's not just about endless monitoring 1154 00:39:25,200 --> 00:39:26,819 and endless alerts. 1155 00:39:26,820 --> 00:39:28,709 That is effectively where many of us get 1156 00:39:28,710 --> 00:39:30,809 our first alert, post 1157 00:39:30,810 --> 00:39:31,810 the fact. 1158 00:39:32,550 --> 00:39:34,919 And if an attacker can destroy 1159 00:39:34,920 --> 00:39:36,239 the forensic evidence, we need to make 1160 00:39:36,240 --> 00:39:38,499 sure it's there. Snapshots and 1161 00:39:38,500 --> 00:39:40,589 logs, both can 1162 00:39:40,590 --> 00:39:41,590 potentially save the day. 
1163 00:39:44,000 --> 00:39:46,279 So we built up this idea 1164 00:39:46,280 --> 00:39:48,439 that backup of log 1165 00:39:48,440 --> 00:39:50,509 files, for example, and snapshots 1166 00:39:50,510 --> 00:39:52,579 could be, and I'm going to 1167 00:39:52,580 --> 00:39:54,319 exaggerate, 1168 00:39:54,320 --> 00:39:55,909 more important than even active 1169 00:39:55,910 --> 00:39:58,759 monitoring. The backup of the logs, 1170 00:39:58,760 --> 00:40:00,379 naturally, it shouldn't be that way, but 1171 00:40:00,380 --> 00:40:02,249 nowadays it just might be. 1172 00:40:02,250 --> 00:40:03,919 And well, we were talking about this. 1173 00:40:03,920 --> 00:40:06,019 We decided to, well, Inbar came up with 1174 00:40:06,020 --> 00:40:08,119 this word to describe this new backup 1175 00:40:08,120 --> 00:40:09,589 response plan, because everything 1176 00:40:09,590 --> 00:40:10,699 is abbreviated in security. 1177 00:40:10,700 --> 00:40:11,700 Right. 1178 00:40:14,330 --> 00:40:15,330 Just saying. 1179 00:40:18,090 --> 00:40:19,709 So with that, 1180 00:40:20,880 --> 00:40:22,319 let's try and understand what we just 1181 00:40:22,320 --> 00:40:23,609 went through, because some of this was 1182 00:40:23,610 --> 00:40:24,610 common sense. 1183 00:40:25,570 --> 00:40:27,909 Some of this was a little bit new. 1184 00:40:27,910 --> 00:40:29,319 But the idea is to be able to make it 1185 00:40:29,320 --> 00:40:30,909 repeatable. What can we learn from the 1186 00:40:30,910 --> 00:40:32,709 APT reports and how can we use them on a 1187 00:40:32,710 --> 00:40:33,619 daily basis? 1188 00:40:33,620 --> 00:40:35,829 How can we use them whenever 1189 00:40:35,830 --> 00:40:37,899 a new APT report comes out to 1190 00:40:37,900 --> 00:40:39,939 better our security against known 1191 00:40:39,940 --> 00:40:40,940 threats? 
1192 00:40:42,160 --> 00:40:44,559 So we looked at the left here 1193 00:40:44,560 --> 00:40:46,449 about the information we have in the 1194 00:40:46,450 --> 00:40:48,549 reports and the diminishing levels of 1195 00:40:48,550 --> 00:40:49,489 it. 1196 00:40:49,490 --> 00:40:51,019 And we'll look at the engagement process 1197 00:40:51,020 --> 00:40:52,809 as we simplified it. 1198 00:40:52,810 --> 00:40:53,810 And we like it. 1199 00:40:54,970 --> 00:40:57,069 Now, if you get an APT report, first 1200 00:40:57,070 --> 00:40:58,989 of all, try to understand, not just read 1201 00:40:58,990 --> 00:41:00,729 the report and look for IOCs, how 1202 00:41:00,730 --> 00:41:02,379 much information do you actually get for 1203 00:41:02,380 --> 00:41:03,339 each of these? 1204 00:41:03,340 --> 00:41:05,289 Do you have any attack objectives in 1205 00:41:05,290 --> 00:41:06,290 there? 1206 00:41:07,260 --> 00:41:09,179 And you know, when you talk about the 1207 00:41:09,180 --> 00:41:11,279 targets, usually, maybe 1208 00:41:11,280 --> 00:41:13,709 if you're lucky, you have the verticals, 1209 00:41:13,710 --> 00:41:16,849 pharmaceuticals, whatever, aerospace. 1210 00:41:16,850 --> 00:41:18,589 Once you're through that, it's easier for 1211 00:41:18,590 --> 00:41:20,689 you to go through the engagement 1212 00:41:20,690 --> 00:41:22,219 process and say, let's look at how that 1213 00:41:22,220 --> 00:41:23,220 attacker works. 1214 00:41:24,230 --> 00:41:26,299 The engagement process: try to 1215 00:41:26,300 --> 00:41:28,419 put the data in there and, 1216 00:41:28,420 --> 00:41:30,709 like what we just did, 1217 00:41:30,710 --> 00:41:32,659 what are the takeaways specific to this 1218 00:41:32,660 --> 00:41:34,549 report as far as intelligence gathering 1219 00:41:34,550 --> 00:41:35,859 goes? 1220 00:41:35,860 --> 00:41:38,649 What actions 1221 00:41:38,650 --> 00:41:39,650 can I actually take? 
1222 00:41:40,580 --> 00:41:42,769 Based on this report, based on what 1223 00:41:42,770 --> 00:41:44,449 knowledge I have, the scope of the 1224 00:41:44,450 --> 00:41:45,859 knowledge, the relevance of the knowledge 1225 00:41:45,860 --> 00:41:46,969 from the APT report. 1226 00:41:49,920 --> 00:41:51,989 And the key part of this really is 1227 00:41:51,990 --> 00:41:54,299 we need to demand better 1228 00:41:54,300 --> 00:41:55,919 APT reports, APT reports that are 1229 00:41:55,920 --> 00:41:56,920 actionable. 1230 00:41:58,580 --> 00:42:00,709 Now we have one more problem, we 1231 00:42:00,710 --> 00:42:02,449 don't actually have a solution for that, 1232 00:42:02,450 --> 00:42:03,829 but we thought it was important enough to 1233 00:42:03,830 --> 00:42:05,629 know that it is something that we call 1234 00:42:05,630 --> 00:42:06,769 the decline of shame. 1235 00:42:07,780 --> 00:42:10,179 In the beginning, like we said, 1236 00:42:10,180 --> 00:42:11,949 you didn't really want to be exposed, 1237 00:42:11,950 --> 00:42:14,049 attribution was a huge risk for 1238 00:42:14,050 --> 00:42:16,329 you, and it still is for many 1239 00:42:16,330 --> 00:42:18,579 actors, especially very 1240 00:42:18,580 --> 00:42:20,679 particular nation state actors, 1241 00:42:20,680 --> 00:42:22,569 or in the case of other nation state 1242 00:42:22,570 --> 00:42:25,389 actors, very particular branches 1243 00:42:25,390 --> 00:42:27,519 or subgroups of those 1244 00:42:27,520 --> 00:42:28,749 nation state actors. 1245 00:42:28,750 --> 00:42:30,819 But with some of the nation state 1246 00:42:30,820 --> 00:42:33,039 actors and with some of the criminal 1247 00:42:33,040 --> 00:42:35,289 groups, you see that they 1248 00:42:35,290 --> 00:42:36,340 don't care anymore. 1249 00:42:37,490 --> 00:42:38,490 They get caught. 1250 00:42:40,060 --> 00:42:41,739 And you know what happens then? 
1251 00:42:45,690 --> 00:42:47,879 Pretty much this: 1252 00:42:47,880 --> 00:42:51,179 they continue working and operating. 1253 00:42:51,180 --> 00:42:52,709 Leave it for a while. 1254 00:42:52,710 --> 00:42:54,269 Please leave it on for a while. 1255 00:42:54,270 --> 00:42:56,339 Yeah, some groups have 1256 00:42:56,340 --> 00:42:58,619 actually been following the blogs 1257 00:42:58,620 --> 00:43:01,049 of the vendors that were tracking them, 1258 00:43:01,050 --> 00:43:03,569 adapting in real time. 1259 00:43:03,570 --> 00:43:05,369 There was a case, I don't want to 1260 00:43:05,370 --> 00:43:06,599 quote too much about it because I didn't 1261 00:43:06,600 --> 00:43:08,099 have time to research it, 1262 00:43:08,100 --> 00:43:10,619 where Trend Micro or AlienVault were updating 1263 00:43:10,620 --> 00:43:13,139 their blog live, if I remember correctly, 1264 00:43:13,140 --> 00:43:14,819 and the attackers were changing their 1265 00:43:14,820 --> 00:43:16,169 modus operandi. Just malware, not much 1266 00:43:16,170 --> 00:43:17,309 more than that, according to network 1267 00:43:17,310 --> 00:43:19,589 defenses as opposed to something else. 1268 00:43:19,590 --> 00:43:20,590 Live. 1269 00:43:21,350 --> 00:43:22,350 Which is really interesting. 1270 00:43:23,770 --> 00:43:26,169 So we were being optimistic, 1271 00:43:26,170 --> 00:43:28,079 we said, OK, what? 1272 00:43:28,080 --> 00:43:30,329 What do we want to see? Because 1273 00:43:30,330 --> 00:43:31,919 we said in the beginning, this is not a 1274 00:43:31,920 --> 00:43:32,939 technical presentation. 1275 00:43:32,940 --> 00:43:34,499 This is a high level thing and we're 1276 00:43:34,500 --> 00:43:37,379 presenting sort of a raw 1277 00:43:37,380 --> 00:43:39,419 thought process that we started. 1278 00:43:39,420 --> 00:43:40,619 I mean, think about it for a minute. 
1279 00:43:40,620 --> 00:43:42,749 We took the time to study many, 1280 00:43:42,750 --> 00:43:44,669 many cases of APT reports and to talk to 1281 00:43:44,670 --> 00:43:46,139 many of our friends, just like Tillmann 1282 00:43:46,140 --> 00:43:47,399 and many others we will give credit to in a 1283 00:43:47,400 --> 00:43:49,259 minute, and to look at our own research 1284 00:43:49,260 --> 00:43:51,389 and forensic information, all these 1285 00:43:51,390 --> 00:43:53,489 data, all this time in IDA that 1286 00:43:53,490 --> 00:43:54,329 I didn't do. 1287 00:43:54,330 --> 00:43:56,339 And just to come up with a high level 1288 00:43:56,340 --> 00:43:58,409 presentation, just think of that 1289 00:43:58,410 --> 00:43:59,410 concept for a minute. 1290 00:44:00,760 --> 00:44:02,889 We're thinking once again, not about the 1291 00:44:02,890 --> 00:44:05,019 fellow researchers, 1292 00:44:05,020 --> 00:44:07,389 but the people that actually 1293 00:44:07,390 --> 00:44:09,639 have to defend certain organizations, 1294 00:44:09,640 --> 00:44:11,919 and it's not all corporates with 1295 00:44:11,920 --> 00:44:14,169 their own I.T. security teams that 1296 00:44:14,170 --> 00:44:16,449 are all very skilled and very qualified. 1297 00:44:16,450 --> 00:44:18,579 Sometimes it's an organization that 1298 00:44:18,580 --> 00:44:21,459 has an 11-people I.T. 1299 00:44:21,460 --> 00:44:23,559 team, and then two of them wake 1300 00:44:23,560 --> 00:44:25,719 up one morning and they are told: you do 1301 00:44:25,720 --> 00:44:28,029 security now. This is reality. 1302 00:44:28,030 --> 00:44:30,249 I've talked to 1303 00:44:30,250 --> 00:44:32,409 more than one customer that has that 1304 00:44:32,410 --> 00:44:33,580 happening today. So. 1305 00:44:34,630 --> 00:44:36,489 We would like to see better and more 1306 00:44:36,490 --> 00:44:38,049 actionable APT reports. 
1307 00:44:39,400 --> 00:44:41,559 We need, and when I say we 1308 00:44:41,560 --> 00:44:43,509 it's not just Gadi and myself, it's the 1309 00:44:43,510 --> 00:44:45,669 community, it's the 1310 00:44:45,670 --> 00:44:47,129 poor people that need to protect 1311 00:44:47,130 --> 00:44:49,059 organizations with the knowledge that 1312 00:44:49,060 --> 00:44:50,169 they are being attacked. 1313 00:44:50,170 --> 00:44:51,949 We're not saying that all APT reports 1314 00:44:51,950 --> 00:44:54,239 suck. Some of them are very, very good. 1315 00:44:54,240 --> 00:44:55,679 We're just saying nowadays, most of them 1316 00:44:55,680 --> 00:44:57,689 are just for PR and that is hurting us, 1317 00:44:57,690 --> 00:44:59,009 it's helping the attackers. 1318 00:44:59,010 --> 00:45:00,659 So we would like to see 1319 00:45:00,660 --> 00:45:02,969 better reports for us from 1320 00:45:02,970 --> 00:45:04,709 more vendors, they need to be more 1321 00:45:04,710 --> 00:45:05,339 actionable. 1322 00:45:05,340 --> 00:45:07,679 If I am the CISO of an 1323 00:45:07,680 --> 00:45:09,809 organization, there should be 1324 00:45:09,810 --> 00:45:12,179 something that I can 1325 00:45:12,180 --> 00:45:14,279 use and I want to be in a better 1326 00:45:14,280 --> 00:45:16,409 place after taking the time to read 1327 00:45:16,410 --> 00:45:17,909 one of those reports. 1328 00:45:17,910 --> 00:45:20,159 And we need earlier breach 1329 00:45:20,160 --> 00:45:22,349 reports. Like I said before, give us 1330 00:45:22,350 --> 00:45:24,749 a heads up. It's important to understand 1331 00:45:24,750 --> 00:45:27,029 that maybe there's a new trend going on. 
1332 00:45:27,030 --> 00:45:29,039 Maybe, if we had the heads up on 1333 00:45:29,040 --> 00:45:31,169 Target and everybody else 1334 00:45:31,170 --> 00:45:33,539 were, after listening to this talk, 1335 00:45:33,540 --> 00:45:35,699 then all the other point of sale vendors 1336 00:45:35,700 --> 00:45:37,979 would say, you know what, maybe 1337 00:45:37,980 --> 00:45:40,319 we should look into our setup, because 1338 00:45:40,320 --> 00:45:42,389 even until today, after so many 1339 00:45:42,390 --> 00:45:44,159 compromises, there are still so many 1340 00:45:44,160 --> 00:45:46,199 point of sale terminals connected to the 1341 00:45:46,200 --> 00:45:48,509 Internet with default credentials. 1342 00:45:48,510 --> 00:45:50,310 It's been written in so many places. 1343 00:45:51,320 --> 00:45:53,699 I was really worried about, well, 1344 00:45:53,700 --> 00:45:55,909 worried about the next 1345 00:45:55,910 --> 00:45:57,779 item on the list. 1346 00:45:57,780 --> 00:45:59,759 Because I have this thing where I 1347 00:45:59,760 --> 00:46:02,069 identify, it's not fair, given, 1348 00:46:02,070 --> 00:46:03,959 but I identify people who are newbies in 1349 00:46:03,960 --> 00:46:05,459 security by them saying information 1350 00:46:05,460 --> 00:46:07,529 sharing, collaboration, and when someone 1351 00:46:07,530 --> 00:46:09,009 says, oh, we need to do more information 1352 00:46:09,010 --> 00:46:11,609 sharing, I say, oh, shit, not again. 1353 00:46:11,610 --> 00:46:13,889 But honestly, actionable 1354 00:46:13,890 --> 00:46:15,629 information sharing and public 1355 00:46:15,630 --> 00:46:17,039 information sharing. Information sharing 1356 00:46:17,040 --> 00:46:19,109 is happening, some of it is 1357 00:46:19,110 --> 00:46:21,449 actionable, much of the public 1358 00:46:21,450 --> 00:46:23,429 information sharing, which isn't much, 1359 00:46:23,430 --> 00:46:24,430 isn't actionable. 
1360 00:46:25,880 --> 00:46:27,259 We understand that even the heads up we 1361 00:46:27,260 --> 00:46:29,419 talked about could be critical, really 1362 00:46:29,420 --> 00:46:30,759 critical. 1363 00:46:30,760 --> 00:46:32,749 And understanding how this can help us is 1364 00:46:32,750 --> 00:46:33,760 a common ground. 1365 00:46:36,020 --> 00:46:38,179 And lastly, and kudos to Dave 1366 00:46:38,180 --> 00:46:40,669 Marquis if he's watching us: enough 1367 00:46:40,670 --> 00:46:42,919 with the attribution stuff. Yes, 1368 00:46:42,920 --> 00:46:43,889 we care about attribution. 1369 00:46:43,890 --> 00:46:45,029 Yes, it helps us. 1370 00:46:45,030 --> 00:46:47,419 Yes, we can think about the business 1371 00:46:47,420 --> 00:46:49,489 of the post, think about who 1372 00:46:49,490 --> 00:46:51,889 is actually looking at US targets. 1373 00:46:51,890 --> 00:46:52,890 I understand that. 1374 00:46:54,400 --> 00:46:57,219 But then what does it actually give us? 1375 00:46:57,220 --> 00:46:59,349 How much is attribution work, that people 1376 00:46:59,350 --> 00:47:01,269 spend so much time on, just to justify the 1377 00:47:01,270 --> 00:47:02,649 lizard part of the brain, 1378 00:47:02,650 --> 00:47:05,079 so we feel better about it, better 1379 00:47:05,080 --> 00:47:06,279 than the other information we could have 1380 00:47:06,280 --> 00:47:09,229 had to actually protect our organizations? 1381 00:47:09,230 --> 00:47:11,029 I'm not really sure. 1382 00:47:11,030 --> 00:47:13,249 But it annoys me in a way. 1383 00:47:13,250 --> 00:47:14,929 Enough with attribution, or at least 1384 00:47:14,930 --> 00:47:16,040 enough with the 1385 00:47:18,820 --> 00:47:20,619 attribution that makes no sense. 1386 00:47:21,820 --> 00:47:23,019 Attribution is about more than 1387 00:47:23,020 --> 00:47:24,579 just IP addresses and we've given a few 1388 00:47:24,580 --> 00:47:26,469 examples during the talk. 
1389 00:47:26,470 --> 00:47:28,569 I mean, yes, if the 1390 00:47:28,570 --> 00:47:30,669 compilation times, they never 1391 00:47:30,670 --> 00:47:32,829 work on Shabbat, it's maybe 1392 00:47:32,830 --> 00:47:33,830 Israel. I don't know. 1393 00:47:35,030 --> 00:47:36,289 But then again, nowadays, we've seen a 1394 00:47:36,290 --> 00:47:38,449 lot of false flags starting to be put in 1395 00:47:38,450 --> 00:47:39,409 there. It's not easy. 1396 00:47:39,410 --> 00:47:40,469 There's political, this political 1397 00:47:40,470 --> 00:47:41,509 incentive to consider, but we'd never 1398 00:47:41,510 --> 00:47:42,409 really know. 1399 00:47:42,410 --> 00:47:44,089 But whenever we talk about these, people 1400 00:47:44,090 --> 00:47:46,009 go on and say, I will seize on the one 1401 00:47:46,010 --> 00:47:47,299 because it's available. And on the other 1402 00:47:47,300 --> 00:47:48,229 end, who did it? 1403 00:47:48,230 --> 00:47:49,999 Who did it? Tell me. 1404 00:47:50,000 --> 00:47:51,529 OK, I'm willing to give it the chance to 1405 00:47:51,530 --> 00:47:52,530 say fine. 1406 00:47:53,980 --> 00:47:55,509 But it's not the most important thing, 1407 00:47:55,510 --> 00:47:57,149 and if you do it, do it right. 1408 00:47:59,660 --> 00:48:01,280 So final words. 1409 00:48:05,220 --> 00:48:07,559 APT reports can be a huge 1410 00:48:07,560 --> 00:48:09,749 help, but there has to 1411 00:48:09,750 --> 00:48:11,939 be some change. The problem 1412 00:48:11,940 --> 00:48:14,069 with the change is that it contradicts 1413 00:48:14,070 --> 00:48:16,409 certain economic 1414 00:48:16,410 --> 00:48:18,689 interests of the people that create those 1415 00:48:18,690 --> 00:48:20,579 changes, APT reports. 
1416 00:48:20,580 --> 00:48:22,919 But we believe that 1417 00:48:22,920 --> 00:48:25,949 if they start producing more value, 1418 00:48:25,950 --> 00:48:27,479 then that influences the amount of 1419 00:48:27,480 --> 00:48:29,699 customers. We will be evolving as well 1420 00:48:29,700 --> 00:48:31,259 as the attackers. Right now, 1421 00:48:31,260 --> 00:48:33,389 APT reports are so-called bad, which is 1422 00:48:33,390 --> 00:48:35,609 arguable, because they're the only ones 1423 00:48:35,610 --> 00:48:37,309 really evolving. 1424 00:48:37,310 --> 00:48:39,769 If they were made the right way, 1425 00:48:39,770 --> 00:48:41,509 we're not saying our way is the right way 1426 00:48:41,510 --> 00:48:43,579 necessarily, but if they were made in 1427 00:48:43,580 --> 00:48:45,349 a way that would help us more, they could 1428 00:48:45,350 --> 00:48:46,279 be a huge help. 1429 00:48:46,280 --> 00:48:47,839 And remember, attackers are not going 1430 00:48:47,840 --> 00:48:49,909 anywhere. We're not going to have any 1431 00:48:49,910 --> 00:48:51,979 less business because of 1432 00:48:51,980 --> 00:48:53,450 better APT reports. 1433 00:48:55,160 --> 00:48:56,870 And something that we call: 1434 00:48:58,390 --> 00:49:00,639 stay on the attacker's six. 1435 00:49:00,640 --> 00:49:02,889 They need to be worried all the time, 1436 00:49:02,890 --> 00:49:04,839 they need to be looking behind their 1437 00:49:04,840 --> 00:49:06,909 shoulder to see if there's anyone on their 1438 00:49:06,910 --> 00:49:09,309 six. This is pilot jargon. 1439 00:49:09,310 --> 00:49:10,899 I think what they say is what this 1440 00:49:10,900 --> 00:49:12,969 evolution means, Gauss, for example, as 1441 00:49:12,970 --> 00:49:13,970 opposed to Flame. 1442 00:49:14,940 --> 00:49:16,679 If they have to spend so much time on one 1443 00:49:16,680 --> 00:49:19,070 target, their cost grows exponentially. 
1444 00:49:20,430 --> 00:49:23,129 If we can do that with APT reports, hey, 1445 00:49:23,130 --> 00:49:25,469 I like this evolution, it's not necessarily 1446 00:49:25,470 --> 00:49:26,750 bad that they have to get better. 1447 00:49:28,270 --> 00:49:29,410 And the last thing. 1448 00:49:30,550 --> 00:49:32,979 Increase the cost of the attacker, 1449 00:49:32,980 --> 00:49:35,259 anything you can do to increase 1450 00:49:35,260 --> 00:49:37,359 the cost of the attacker, do 1451 00:49:37,360 --> 00:49:40,269 it, whether by installing 1452 00:49:40,270 --> 00:49:43,209 products, using services, 1453 00:49:43,210 --> 00:49:45,729 improving the people 1454 00:49:45,730 --> 00:49:47,949 or the awareness of the people 1455 00:49:47,950 --> 00:49:48,950 that work for you. 1456 00:49:49,730 --> 00:49:51,679 You want to make it harder for the 1457 00:49:51,680 --> 00:49:54,049 attacker, it gives you more 1458 00:49:54,050 --> 00:49:56,299 time. It's probably not going to deter 1459 00:49:56,300 --> 00:49:57,619 them. OK, let's face it, they're going to 1460 00:49:57,620 --> 00:49:59,029 come anyway. 1461 00:49:59,030 --> 00:50:00,529 They're doing their job just like you're 1462 00:50:00,530 --> 00:50:00,859 doing. 1463 00:50:00,860 --> 00:50:01,939 There is an asymmetry. 1464 00:50:01,940 --> 00:50:04,219 And as we said, it's not that 1465 00:50:04,220 --> 00:50:05,629 the attackers are more powerful than we 1466 00:50:05,630 --> 00:50:06,739 are. We have to admit that right now 1467 00:50:06,740 --> 00:50:08,119 we're trying to change that. 1468 00:50:08,120 --> 00:50:09,679 But more than that, they're not going to 1469 00:50:09,680 --> 00:50:11,089 give up either. 1470 00:50:11,090 --> 00:50:12,230 They're going to keep going. 1471 00:50:13,360 --> 00:50:15,459 That said, we can start 1472 00:50:15,460 --> 00:50:17,319 making it better for us, create more 1473 00:50:17,320 --> 00:50:18,320 symmetry. 1474 00:50:20,540 --> 00:50:22,069 So this is important. 
So let's go through 1475 00:50:22,070 --> 00:50:23,070 this. 1476 00:50:24,050 --> 00:50:25,579 Yes, we did a lot of research. 1477 00:50:25,580 --> 00:50:27,019 Yes, we looked at a lot of code. 1478 00:50:27,020 --> 00:50:28,279 Yes, we looked at a lot of reports. 1479 00:50:28,280 --> 00:50:29,659 Yes, we had a lot of information that is 1480 00:50:29,660 --> 00:50:31,969 not public, but trying to construct 1481 00:50:31,970 --> 00:50:33,739 it in a way that, well, no one would be 1482 00:50:33,740 --> 00:50:35,849 bored, while trying to create 1483 00:50:35,850 --> 00:50:37,199 a sort of methodology out of it, 1484 00:50:37,200 --> 00:50:39,139 while trying not to be too technical while 1485 00:50:39,140 --> 00:50:40,699 still giving examples that build the 1486 00:50:40,700 --> 00:50:42,259 methodology of the attackers based on 1487 00:50:42,260 --> 00:50:44,359 what we know about them, wasn't 1488 00:50:44,360 --> 00:50:45,739 easy. And we stand on the shoulders of 1489 00:50:45,740 --> 00:50:48,229 giants, people in the community, 1490 00:50:48,230 --> 00:50:50,479 industry, blogs, reports, 1491 00:50:50,480 --> 00:50:52,039 a lot of people we wouldn't be here 1492 00:50:52,040 --> 00:50:53,569 without. And they deserve their 1493 00:50:53,570 --> 00:50:54,570 credit. 1494 00:50:55,140 --> 00:50:56,849 Special thanks and references we took 1495 00:50:56,850 --> 00:50:59,009 from Tillmann right here, 1496 00:50:59,010 --> 00:51:01,199 Ned Moran, Fehlberg, costing 1497 00:51:01,200 --> 00:51:03,329 you more, Bieler, Chris 1498 00:51:03,330 --> 00:51:05,360 McConkey, Kevin Mandia and the Grugq. 1499 00:51:07,270 --> 00:51:09,339 And especially to this person who did 1500 00:51:09,340 --> 00:51:11,889 a lot and provided a lot of significant 1501 00:51:11,890 --> 00:51:13,259 research support for this presentation. 1502 00:51:13,260 --> 00:51:14,260 So thank you. 
1503 00:51:19,240 --> 00:51:21,339 With that, I would like to, you know, 1504 00:51:21,340 --> 00:51:22,539 before we ask the questions: 1505 00:51:23,650 --> 00:51:24,849 most APT reports, not all of 1506 00:51:24,850 --> 00:51:26,409 them, suck. 1507 00:51:26,410 --> 00:51:28,689 This hurts us. They become better. 1508 00:51:28,690 --> 00:51:30,279 We can be better than they are. 1509 00:51:30,280 --> 00:51:32,259 We can use this to keep them on their six, 1510 00:51:32,260 --> 00:51:34,299 like we have seen with them evolving to a 1511 00:51:34,300 --> 00:51:36,189 place where they can do less, they can 1512 00:51:36,190 --> 00:51:37,509 scale less. 1513 00:51:37,510 --> 00:51:39,009 And that is what we would like to see. 1514 00:51:39,010 --> 00:51:40,089 Thank you, and we would love to have 1515 00:51:40,090 --> 00:51:41,090 questions. 1516 00:51:48,480 --> 00:51:51,779 So thank you, Inbar and Gadi, 1517 00:51:51,780 --> 00:51:53,969 we have a question from the 1518 00:51:53,970 --> 00:51:55,269 viewers on the Internet. 1519 00:51:56,610 --> 00:51:58,709 Hi. Um, so the question is, 1520 00:51:58,710 --> 00:52:00,989 what is the state of APT response across 1521 00:52:00,990 --> 00:52:02,879 industries? And which industry do you 1522 00:52:02,880 --> 00:52:04,420 think is most vulnerable now? 1523 00:52:05,760 --> 00:52:07,979 Um, this is a sea. 1524 00:52:07,980 --> 00:52:09,329 So just like, oh, shit. 1525 00:52:10,500 --> 00:52:11,579 OK, I'll try to respond. 1526 00:52:14,350 --> 00:52:16,419 I think APT response, there are 1527 00:52:16,420 --> 00:52:17,739 a few organizations out there that are 1528 00:52:17,740 --> 00:52:19,959 extremely good at this because they have 1529 00:52:19,960 --> 00:52:22,209 decent security, they have incident response, 1530 00:52:22,210 --> 00:52:23,889 they have controls in place, they have 1531 00:52:23,890 --> 00:52:24,969 monitoring in place. 
1532 00:52:24,970 --> 00:52:26,949 They are good at security, which is why 1533 00:52:26,950 --> 00:52:27,979 they're good at APT response. 1534 00:52:27,980 --> 00:52:30,249 That said, a lot of the response 1535 00:52:30,250 --> 00:52:31,629 to all of the incident response is now 1536 00:52:31,630 --> 00:52:33,129 outsourced. 1537 00:52:33,130 --> 00:52:35,319 So they bring companies in to do it for 1538 00:52:35,320 --> 00:52:38,439 them. And that is why I believe that 1539 00:52:38,440 --> 00:52:39,849 saving the logs, as they said, as a 1540 00:52:39,850 --> 00:52:42,069 backup, is important and essentially 1541 00:52:42,070 --> 00:52:44,259 the incident response is becoming a way 1542 00:52:44,260 --> 00:52:46,089 again. I'm going to get Flins for this 1543 00:52:46,090 --> 00:52:47,499 hour monitoring. 1544 00:52:47,500 --> 00:52:49,599 So I say some people have really good 1545 00:52:49,600 --> 00:52:50,619 stuff going on. 1546 00:52:50,620 --> 00:52:51,819 Most people don't. 1547 00:52:51,820 --> 00:52:54,249 And those and others bring in the outside 1548 00:52:54,250 --> 00:52:54,579 help. 1549 00:52:54,580 --> 00:52:56,349 Another problem with the outside, with 1550 00:52:56,350 --> 00:52:58,689 the outsourced security 1551 00:52:58,690 --> 00:53:00,909 response, is that there 1552 00:53:00,910 --> 00:53:02,260 is a huge difference or 1553 00:53:03,310 --> 00:53:05,079 there can be a huge change in your 1554 00:53:05,080 --> 00:53:07,509 ability to do proper response 1555 00:53:07,510 --> 00:53:09,669 based on what your network looked like 1556 00:53:09,670 --> 00:53:11,859 before. So if you only call the guys when 1557 00:53:11,860 --> 00:53:13,689 you are, when your house is already on 1558 00:53:13,690 --> 00:53:16,209 fire, there's not a lot they can do. 
1559 00:53:16,210 --> 00:53:18,189 But if you brought them in before and 1560 00:53:18,190 --> 00:53:20,289 they help you treat the house, 1561 00:53:20,290 --> 00:53:21,339 then you're much better off. 1562 00:53:21,340 --> 00:53:22,779 Another aspect that's interesting, 1563 00:53:22,780 --> 00:53:25,239 although small, is that forensics 1564 00:53:25,240 --> 00:53:26,889 and response used to be about keeping 1565 00:53:26,890 --> 00:53:28,959 logs, chain of evidence, all 1566 00:53:28,960 --> 00:53:30,009 of that stuff. 1567 00:53:30,010 --> 00:53:31,479 People still do that. 1568 00:53:31,480 --> 00:53:33,609 But honestly, today with APT, it's 1569 00:53:33,610 --> 00:53:34,569 not as important. 1570 00:53:34,570 --> 00:53:36,279 It's more about finding the actor as fast 1571 00:53:36,280 --> 00:53:37,929 as possible, a week, two weeks, three 1572 00:53:37,930 --> 00:53:39,309 weeks, and then moving on to remediation, 1573 00:53:39,310 --> 00:53:40,809 which will take forever and cost a lot of 1574 00:53:40,810 --> 00:53:41,709 money. 1575 00:53:41,710 --> 00:53:43,629 And then it's essentially in many cases 1576 00:53:43,630 --> 00:53:46,059 about installing some agent on 1577 00:53:46,060 --> 00:53:47,349 all computers and networking, trying to 1578 00:53:47,350 --> 00:53:48,669 identify what's going on. 1579 00:53:48,670 --> 00:53:50,589 So it's not as much about what forensics 1580 00:53:50,590 --> 00:53:51,639 used to be. When you look at the 1581 00:53:51,640 --> 00:53:53,139 forensics cars, of course, anymore. 1582 00:53:53,140 --> 00:53:55,299 But I am not an expert on this 1583 00:53:55,300 --> 00:53:57,039 as much. And you should ask this question 1584 00:53:57,040 --> 00:53:58,979 again of other people as well. 1585 00:53:58,980 --> 00:54:00,319 Thank you. OK. 1586 00:54:00,320 --> 00:54:02,169 Microphone two, please. 1587 00:54:02,170 --> 00:54:04,020 Uh, yes, Ms. 
1588 00:54:05,560 --> 00:54:07,869 OK, um, 1589 00:54:07,870 --> 00:54:09,669 first, I'm not really sure if this is the 1590 00:54:09,670 --> 00:54:11,649 correct audience for your talk, because 1591 00:54:11,650 --> 00:54:13,809 at least I suspect that most people here, 1592 00:54:13,810 --> 00:54:15,969 when they build a network, 1593 00:54:15,970 --> 00:54:18,309 they are already trying to make it as secure 1594 00:54:18,310 --> 00:54:20,919 as they can, even without considering 1595 00:54:20,920 --> 00:54:23,079 a special attack or a special 1596 00:54:23,080 --> 00:54:24,669 type of attack or considering what 1597 00:54:24,670 --> 00:54:26,709 information an attacker might try to get, 1598 00:54:26,710 --> 00:54:28,809 because they probably try to make the 1599 00:54:28,810 --> 00:54:30,549 system as secure as possible 1600 00:54:31,600 --> 00:54:33,009 as is. 1601 00:54:33,010 --> 00:54:35,739 And if they 1602 00:54:35,740 --> 00:54:38,049 if they do not take a certain choice to 1603 00:54:38,050 --> 00:54:40,929 use a certain type of security 1604 00:54:40,930 --> 00:54:43,059 mechanism, it's probably just because 1605 00:54:43,060 --> 00:54:44,769 their use case simply doesn't allow it. 1606 00:54:44,770 --> 00:54:46,959 And even if they had been hacked, 1607 00:54:46,960 --> 00:54:48,389 they couldn't change that. 1608 00:54:48,390 --> 00:54:49,989 For example, I work in the public sector 1609 00:54:49,990 --> 00:54:52,329 and with us the problem 1610 00:54:52,330 --> 00:54:54,459 is mostly just you have to, you 1611 00:54:54,460 --> 00:54:56,419 don't have the people to fix stuff. 1612 00:54:56,420 --> 00:54:57,999 I work at a university and the 1613 00:54:58,000 --> 00:55:00,249 situation is basically that 1614 00:55:00,250 --> 00:55:02,559 every professor and every institution, 1615 00:55:02,560 --> 00:55:05,469 every whatnot, um, has its own 1616 00:55:05,470 --> 00:55:06,729 I.T. 1617 00:55:06,730 --> 00:55:09,579 team. 
And usually the I.T. team 1618 00:55:09,580 --> 00:55:11,679 is just the secretary that was put 1619 00:55:11,680 --> 00:55:12,909 on the list that is 1620 00:55:13,960 --> 00:55:15,999 saved at the NOC, where they know 1621 00:55:16,000 --> 00:55:18,519 which subnet is attributed to which 1622 00:55:18,520 --> 00:55:20,739 institute, but usually they 1623 00:55:20,740 --> 00:55:21,669 don't have an I.T. 1624 00:55:21,670 --> 00:55:22,689 team at all. 1625 00:55:22,690 --> 00:55:25,149 So basically what you see is that, 1626 00:55:25,150 --> 00:55:27,279 um, an institute of, let's say, 20 1627 00:55:27,280 --> 00:55:29,499 or 30 computers runs Windows 1628 00:55:29,500 --> 00:55:31,869 XP in the year 2015, most 1629 00:55:31,870 --> 00:55:33,939 of them not even patched with the patches 1630 00:55:33,940 --> 00:55:36,159 that are there for Windows XP. 1631 00:55:36,160 --> 00:55:38,589 And I know that 1632 00:55:38,590 --> 00:55:40,509 this is not just a single case 1633 00:55:40,510 --> 00:55:42,429 at my university, but I know that there are 1634 00:55:42,430 --> 00:55:43,959 plenty of other universities and other 1635 00:55:43,960 --> 00:55:46,269 places where it looks just 1636 00:55:46,270 --> 00:55:47,169 like this. 1637 00:55:47,170 --> 00:55:49,359 And usually the problem there is they 1638 00:55:49,360 --> 00:55:51,429 don't even have an I.T., 1639 00:55:51,430 --> 00:55:52,430 so. 1640 00:55:53,550 --> 00:55:55,649 The actual problem is that 1641 00:55:55,650 --> 00:55:58,139 first you'd probably need to get 1642 00:55:58,140 --> 00:56:00,869 to what you'd call the management 1643 00:56:00,870 --> 00:56:03,539 level above the lacking I.T. 1644 00:56:03,540 --> 00:56:05,759 to actually hire people at all, 1645 00:56:05,760 --> 00:56:07,919 to have a team at all. 1646 00:56:10,550 --> 00:56:11,960 Yeah, well, that was my line. 1647 00:56:13,720 --> 00:56:15,529 So what's your question? 
1648 00:56:15,530 --> 00:56:16,969 Let me answer. First of all, you're 1649 00:56:16,970 --> 00:56:19,129 correct and obviously you care 1650 00:56:19,130 --> 00:56:20,359 about that and you shoot. 1651 00:56:20,360 --> 00:56:21,889 So to answer, first of all, you 1652 00:56:21,890 --> 00:56:23,060 talked about the audience. 1653 00:56:24,350 --> 00:56:26,479 This is a huge stage and a lot of people are 1654 00:56:26,480 --> 00:56:27,679 going to be watching that, not just the 1655 00:56:27,680 --> 00:56:29,569 people in the crowd, but people who watch 1656 00:56:29,570 --> 00:56:31,699 it streamed and people who are 1657 00:56:31,700 --> 00:56:32,809 going to watch that later. 1658 00:56:32,810 --> 00:56:33,829 That's one thing. 1659 00:56:33,830 --> 00:56:35,629 Second thing is that we're trying to 1660 00:56:35,630 --> 00:56:36,649 start something here. 1661 00:56:36,650 --> 00:56:37,699 We could fail. 1662 00:56:37,700 --> 00:56:39,499 We failed before in certain things. 1663 00:56:39,500 --> 00:56:41,839 But if we can start changing something, 1664 00:56:41,840 --> 00:56:43,909 then in the long term we will 1665 00:56:43,910 --> 00:56:45,109 make a difference. 1666 00:56:45,110 --> 00:56:47,539 And what you are saying is true. 1667 00:56:47,540 --> 00:56:49,759 It's easy, though, to pick that one 1668 00:56:49,760 --> 00:56:51,949 example where, you know what? 1669 00:56:51,950 --> 00:56:53,539 Nothing that I've said will help. 1670 00:56:53,540 --> 00:56:55,879 That does not make what we've said not 1671 00:56:55,880 --> 00:56:58,219 good, because progress takes time 1672 00:56:58,220 --> 00:57:00,709 and maybe with time, 1673 00:57:00,710 --> 00:57:03,289 some of the progress gets into 1674 00:57:03,290 --> 00:57:04,489 the full setups. 1675 00:57:04,490 --> 00:57:07,249 And when you say that most people here 1676 00:57:07,250 --> 00:57:09,379 have a secure setup, well, guess what? 
1677 00:57:09,380 --> 00:57:11,029 It's the same opposite that I mentioned 1678 00:57:11,030 --> 00:57:12,589 before. Sometimes you have time 1679 00:57:12,590 --> 00:57:14,299 constraints. Sometimes, I work at a 1680 00:57:14,300 --> 00:57:15,349 startup company, 1681 00:57:15,350 --> 00:57:17,629 you know, you rush sometimes, 1682 00:57:17,630 --> 00:57:19,549 you know, you get to things later than 1683 00:57:19,550 --> 00:57:21,979 before. You have a project to make. 1684 00:57:21,980 --> 00:57:23,029 You have deadlines. 1685 00:57:23,030 --> 00:57:25,189 You rush sometimes to do things 1686 00:57:25,190 --> 00:57:26,959 later, then after. 1687 00:57:26,960 --> 00:57:28,489 It does not mean you don't know it. 1688 00:57:28,490 --> 00:57:30,379 But at the end of the day, the reality 1689 00:57:30,380 --> 00:57:32,689 that the attacker sees is what matters. 1690 00:57:32,690 --> 00:57:34,759 So maybe not 1691 00:57:34,760 --> 00:57:36,889 everyone in here was the 1692 00:57:36,890 --> 00:57:38,329 right audience. By the way, we didn't 1693 00:57:38,330 --> 00:57:39,529 choose the audience. 1694 00:57:39,530 --> 00:57:40,530 Right. 1695 00:57:41,000 --> 00:57:42,319 It's not that I have anything against you 1696 00:57:42,320 --> 00:57:43,519 guys. 1697 00:57:43,520 --> 00:57:45,709 Thank you. The thing is that I 1698 00:57:45,710 --> 00:57:47,689 knew you were coming, Safet. 1699 00:57:47,690 --> 00:57:49,489 The thing is, CCC 1700 00:57:49,490 --> 00:57:51,259 is where the trenches are. 1701 00:57:51,260 --> 00:57:54,319 This is where people who do stuff are. 1702 00:57:54,320 --> 00:57:56,449 Where the ideas get born is where people 1703 00:57:56,450 --> 00:57:58,369 go back to the organizations from where 1704 00:57:58,370 --> 00:58:00,169 the technologies and grow. 1705 00:58:00,170 --> 00:58:01,729 This is exactly the right place, in my 1706 00:58:01,730 --> 00:58:03,289 view, to do this type of talk. 
1707 00:58:03,290 --> 00:58:04,429 You're asking for a different type of 1708 00:58:04,430 --> 00:58:06,529 talk. You're asking for how can 1709 00:58:06,530 --> 00:58:08,299 I do hunting on my own when I don't have 1710 00:58:08,300 --> 00:58:10,009 a lot of resources? And in our talk, we 1711 00:58:10,010 --> 00:58:11,959 only give this a little bit of reference 1712 00:58:11,960 --> 00:58:13,369 in risk assessment. 1713 00:58:13,370 --> 00:58:15,709 And essentially risk assessment 1714 00:58:15,710 --> 00:58:17,899 connects to how many resources do you have, 1715 00:58:17,900 --> 00:58:19,219 what you can have, but that's a different 1716 00:58:19,220 --> 00:58:20,299 topic, how to do that. 1717 00:58:20,300 --> 00:58:21,889 So I'm sorry we didn't give as much 1718 00:58:21,890 --> 00:58:23,369 attention to that. 1719 00:58:23,370 --> 00:58:25,519 I also have a second question. 1720 00:58:25,520 --> 00:58:28,189 You asked if people should release 1721 00:58:28,190 --> 00:58:30,679 information about breaches earlier, 1722 00:58:30,680 --> 00:58:33,079 um, doesn't 1723 00:58:33,080 --> 00:58:35,059 that contradict your example where you 1724 00:58:35,060 --> 00:58:37,189 said that you had cases where 1725 00:58:37,190 --> 00:58:39,499 the attackers were changing their 1726 00:58:39,500 --> 00:58:41,719 attack schemes live, while, 1727 00:58:41,720 --> 00:58:43,219 for example, Trend Micro was? 1728 00:58:43,220 --> 00:58:44,569 That's a very, very, very, very good 1729 00:58:44,570 --> 00:58:46,309 question. Thank you for bringing that up. 1730 00:58:46,310 --> 00:58:47,239 It's always about timing. 1731 00:58:47,240 --> 00:58:48,649 Again, we couldn't bring everything into 1732 00:58:48,650 --> 00:58:50,869 the talk. That comment, 1733 00:58:50,870 --> 00:58:51,949 a friend of ours gave us. 
1734 00:58:51,950 --> 00:58:54,289 If you're still engaging in, ah, 1735 00:58:54,290 --> 00:58:56,089 maybe you can give it a heads up to 1736 00:58:56,090 --> 00:58:57,529 somebody. Maybe in closed circles. 1737 00:58:57,530 --> 00:58:59,059 Maybe in open circles. 1738 00:58:59,060 --> 00:59:00,349 You don't need to give away the 1739 00:59:00,350 --> 00:59:01,350 whole world. 1740 00:59:01,930 --> 00:59:03,669 Definitely, it's always about timing, 1741 00:59:03,670 --> 00:59:04,839 about the right time, right place. We 1742 00:59:04,840 --> 00:59:06,399 would like, whenever it's possible, to 1743 00:59:06,400 --> 00:59:07,899 release the information and not 1744 00:59:07,900 --> 00:59:08,900 necessarily all of it. 1745 00:59:10,480 --> 00:59:11,589 But you're absolutely right. 1746 00:59:11,590 --> 00:59:12,489 OK, thank you. 1747 00:59:12,490 --> 00:59:14,649 OK, and we are out of time, but I want to 1748 00:59:14,650 --> 00:59:16,929 hear the last question from our viewers, 1749 00:59:16,930 --> 00:59:19,029 because these people are not here and 1750 00:59:19,030 --> 00:59:21,129 they can't be asking you after your 1751 00:59:21,130 --> 00:59:21,489 talk. 1752 00:59:21,490 --> 00:59:22,749 Very nice things. 1753 00:59:22,750 --> 00:59:24,969 So when you say APT reports suck, do 1754 00:59:24,970 --> 00:59:27,039 you just mean the publicly released 1755 00:59:27,040 --> 00:59:29,289 ones or also the ones 1756 00:59:29,290 --> 00:59:31,719 from security firms to their customers? 1757 00:59:31,720 --> 00:59:33,849 So obviously we talk about the public 1758 00:59:33,850 --> 00:59:36,039 ones, because a lot of work 1759 00:59:36,040 --> 00:59:38,169 is being done by a lot of vendors, 1760 00:59:38,170 --> 00:59:40,239 but not everyone is a 1761 00:59:40,240 --> 00:59:41,559 customer of all the vendors. 
1762 00:59:41,560 --> 00:59:43,869 Usually you're only a customer of one 1763 00:59:43,870 --> 00:59:46,029 vendor, and some vendors have 1764 00:59:46,030 --> 00:59:48,159 more luck with APT, depending on 1765 00:59:48,160 --> 00:59:49,899 their coverage, and some don't. 1766 00:59:49,900 --> 00:59:52,149 And at the end of the day, this problem 1767 00:59:52,150 --> 00:59:53,799 is about everyone. 1768 00:59:53,800 --> 00:59:55,899 So we don't want to improve it just for 1769 00:59:55,900 --> 00:59:57,849 people using a certain vendor. 1770 00:59:57,850 --> 01:00:00,069 We want to improve it for 1771 01:00:00,070 --> 01:00:01,539 everyone. And yeah. 1772 01:00:02,830 --> 01:00:03,830 Kumbia. 1773 01:00:05,230 --> 01:00:06,489 Thank you very much. 1774 01:00:06,490 --> 01:00:07,490 Thank you.