...for sale for $15, it's a lockpick village. We're gonna have lunch after this at noon. We're gonna be selling old BSides shirts for a $5 minimum donation, and that money's gonna go to the Rural Tech Fund and the Mental Health Hackers, so all the money's gonna go back to the charities if we ask for a $5 minimum donation. Those should go on sale roughly about one o'clock. Next up, or first up for today down here, is Judo Threat Intelligence by Frank Angiolelli. Okay, I'm sorry, but [I] should [say] the poor man's name.

Everybody, how you doing today? My name is Frank Angiolelli. I know it's a little hard, I've got all the vowels, I've got like all of them. You don't want to play Wheel of Fortune with me, it's gonna be like "an N, an L," "there's five L's now." So, so, "holy wow, that's not my last name," as you... but don't think I haven't thought about changing it, because I definitely... yeah, one of my daughters actually has a U in her first name, so she's pretty much all covered.

So today I'm gonna talk to you about judo threat intelligence, and despite this incredible physique I don't actually do judo. I used to do karate many years ago, but this is far more about walking through a thought process that I've implemented at a lot of organizations. It's a philosophy that deals with a lot of the challenges that we have in the industry, and I think has provided some pretty good results. I hope you get something out of it. Next slide please. The deal is doing a great job backing me up on the slides, so thanks very much.

So, a little bit of background on me. I've run a number of different security operations centers throughout the country, a lot of New York financials, a lot of government organizations, and as I said, what I'm going to talk to you about today is a philosophy that I've implemented at each of those organizations, and it's really kind of helped. There's a lot of information that comes out on the web, there's a lot of things that call for our attention, okay, but like what's the most important thing? What's the most important thing that we're supposed to do? "Yo, don't worry about it, 'cause you'll see that in a cybersecurity news article," right? Oh, so wait a second. So, the next slide please.

So when we think about intelligence, I always think about the difference between information and intelligence, right? So there are definitely things that give us a lot of information, but when we distill that and digest that down into work: what the heck should I do now? So one of the things I like to say is that the most important decision is what you choose not to focus on, right, because there's a thousand things calling for your attention, so what is that? And the difference between internal intelligence and external intelligence. So yeah, there's a lot of providers out there that are giving you external intelligence, you know, cozy fuzzy happy bear, you know, versus whatever panda, right? We get those reports and they're good, they're valuable, but what's inside of our organization? What can we use in ours? And that's primarily what this is going to focus on. And then obviously being actionable and scalable at some level, right? Brute force is not the solution. Next slide please.
So in order to understand what we are dealing with in the security operations, threat intelligence, incident response type world, I want to measure this from a couple of different angles. So the chart that you're looking at is a program that I wrote that's downloaded every single cybersecurity news article that's been published from 16 different sources every day since April of 2019. I've done word clouds on this, I've done classifiers on it, you see how many of them are malware versus vulnerabilities, and the meta of this is there's between thirty and fifty-eight articles being published every day. All right, so wait a second, that's a lot of articles, and how much information is in each one of those articles? About 400 words. So let's do some math, and that's approximating half a novel a day. Okay, that's pretty cool, but what am I supposed to do with that? Okay, I can't even read like a novel over like five weeks, like for free, how about I have a novel a day, right? And then underneath you'll see there's some studies there at the bottom talking about noise in the SIEM world; we all kind of know that that's out there. All right, so setting the stage here, this is kind of the volume of stuff that's being thrown at us on a regular basis, right? There's more to it, but this, and then this, next slide please, and that's kind of clear.

And so as I started building out, you know, larger security operations centers, I wanted to search for a strategy. I really wanted something, who's dealt with this before? Because somebody somewhere has dealt with this before, I can't be the first one. And so I looked at some military strategies that are out there, who's dealt with this, some historical context, right? A good example of this is the Vikings and England, right? When the Vikings invaded England they could attack any single point on the whole coast of England at any point in time, but England had to defend every single inch of coastline for years, and they pretty much failed at it. That's the kind of idea. And so a guy by the name of Raki introduced me to Clausewitzian theory, which is very interesting. It's like, how do you defend that? In karate we have like the iron law, it's like, how do you defend against this type of stuff? And there are similarities to personal combat tactics, right? So I mean, if you've ever walked down the street and come up against an aggressive person who's much larger than you, like that's definitely never happened to me, right, I'm not the biggest guy in the world. You can kind of feel where we may stand as defenders: our adversaries are very well-funded, or they just spend their time developing tools, and can attack us at any point. And so he came upon the story of a guy, and I'm going to share this story with you, next slide please, who dealt with something very, very similar to this. Enter Dr. Jigoro Kano.

So what I really liked about the stories that I read about him is that he was small in stature. To give you an idea, don't quote me on this, but he was roughly about 5 foot 2 and 95 pounds, and he was very well-educated, and he wrestled a lot of jujitsu, this is way back in the day, and he lost... he won quite a few battles, but when he came up against the top school and the bigger guys he kept losing. And so what he decided to do was to study the attacker. So as I'm reading through his journal I came upon these quotes. They basically say, "Usually it had been him that threw me, and all of a sudden I started throwing him with increasing regularity." So I really delved deep into that, right? It sounds like something really worthy. And he says it's "because of the results of my study on how to break their posture." This has got to be, this has got to be worth something, right? How did he do that? What was that about? And so what he basically figured is that if he applied all of his physical strength, in his small stature, before he broke the opponent's posture, what he was doing was just wasting his energy. And so I see similarities across the cybersecurity world where, you know, we're experiencing fatigue and burnout, the number of hours that people are working and just the sheer volume of things that we have to approach. It's like that brute force that Jigoro was applying prior to breaking their posture. And so what I've developed out of this is how we could adopt some of those judo principles into what we do. And so I'm going to go through some pragmatic examples of what that actually looks like, and then I'm going to step through some of the methodology that hopefully you can take away from this and find valuable. Next slide please.

So let's get to an approximation of their posture. This isn't going to be perfect, right, but I think it's a pretty good approximation. Like, attacking is a profit center, defending is a cost center. It's cool, every time we go to the budget guy they're like, "Well, there isn't budget for that." "Well, okay, but we're still under attack." Why? Because it's a profit center. Next, click next please, just once, yeah. Anonymity is their armor. They can come from any IP address anywhere in the world with any type of attack at any point in time, and all they need is that one vulnerability. That feels kind of painful. Next slide please. Thank you. Right, and they always have the initiative. So if you've ever stood up a web server in the cloud and turned it on and then looked at the logs, like within about two hours you're getting attacked. All right, thanks.

So I thought a little bit more about this, and I think that this models a fair percentage of what I think is going on from a super, super high level, which is that defenders, we take money, we convert that into time, so it could be a tool, it could be a capability, it could be labor, it could be contractors, in order to effect some sort of an action. But attackers do something different. They invest their time in a way that lets them produce some sort of an action in order to get money. There are different scenarios: some are ideologically driven, I get that, some are compromise-driven, I get that, but for the vast majority of it, think about bug bounty. The way bug bounty works, anybody in here do bug bounty? Yeah, okay, so you spend time in the hopes of getting an action which will produce you money. So that kind of helps us understand, I think, their posture, and where hopefully we can gain an upper hand in this. Next slide please.

So again, focusing on that, it's like in that time aspect: if they invest time, they want to get action and lots of money. So I want to step through some pragmatic examples of this where I think that this works. We see this in deception technology, but blue team defenders can actually do this. Next slide please. So before I begin this, the three principles are: use the attacker's energy against them, right, that's how judo works, that's how a lot of, you know, certain martial arts work, is let's use their energy against them. Somebody's running headlong at you, you don't necessarily run right at them, sometimes you just kind of step to the side, if you're lucky you put your foot out, you know, and then you smile, it's like a Bugs Bunny kind of thing, right? Use their action against them. Right, maximum effect with minimum effort. That brute force, I've seen that brute force applied to a lot of security operations centers where people are coming home at 9 o'clock at night. I don't know if that's the right approach; you might have to do it for a short time, but you've got to get ahead of it. And then break their posture before you execute the throw. So again, it's like you can apply all your force, but until you understand where their balance is and how to break it... that's when you want to apply your energy. So let's do this, because this is fun, we'll get into more of the technical stuff. So let's apply this to an exploit kit. Next slide please.

All right, so this is the Spelevo exploit kit. This one came out around March, was published, very interesting. Let's look at the data, let's look at the data elements. So first on the left we see an IP address. How many bad IP addresses are there out in the web? Come on, it's like billions, right? They could stand up any one, any time they want, anywhere they want. So wait a second, that feels like we're... they're strong there. Let's look at domain names. So these are subdomains, but I spent about 8 months studying every newly registered domain name that I could get my hands on every day, and there's about 80 to 100 that come out every day. What am I gonna do with that? And the second they turn on the exploit kit is when it gets weaponized, so they have the initiative. But let's focus now on the URL. So if you look really closely, there is a weakness in exploit kits, and the weakness is: in order for the adversary to make use of it, that server's got to understand the traffic. So there's something there. The client, or the victim, whatever it is you want to describe it as, has to send a request, and that server has to interpret it. If it has to interpret it, it means it's got to be interpretable, it's repeatable, they're all constructed based off of a similar pattern. And so the whole reason why it's called a kit is because they take this and they copy it to hundreds and hundreds and hundreds of domains. So they wrote it once, they ran it many. Click next once please. However, if we write a regex that matches that exact pattern, which this regex does, and you test that through your environment, the only thing you have are true positives. You just broke the exploit kit. That's exactly what this is about. If a GET request or a POST request goes through your proxy servers, or your URL traffic, that matches this regex pattern, it's only the exploit kit. So if they take that exploit kit and they copy it to a hundred thousand IP addresses, doesn't matter, and they could register a hundred thousand domains, it doesn't matter. The code running on the server produces this URL pattern, and if you block that, you've destroyed the exploit kit at that point in time. All that money and time and investment that they spent to create that exploit kit, you just wrecked it. So I've done this on Blackhole 2.0, 2.1, Nuclear, Spelevo, several others, you know, you can check them out, I wrote the signatures from years ago. This works. And so how many exploit kits are there? Anybody want to take a guess? A couple dozen? Ten? Who knows how many exploit kits there are; not that many. There certainly aren't hundreds of thousands, and there's definitely not billions. So if you can reverse them, you can block them, you've just taken a whole class and category out of your way. Now you'll notice in this discussion I haven't mentioned one thing: I haven't mentioned what malware was being delivered. Why? Because if you can block the GET request for the binary, I don't really care what the malware is, because you're not gonna get it. Yes, now, research is really important, yes, doing that kind of stuff is really important, and staying ahead of it is really important, but you can't deliver a malware binary if you're using this. Next slide please. So here's a demonstration now from a couple of days later: another domain came up with this exploit kit deployed. You'll see the domain name has changed but the pattern still matches, right? So that's how you can break a whole exploit kit. Next slide please. It's way easier than going after the domains.

And so the whole concept is, like, what you exactly want to do is to destroy their developer's value. You develop an exploit kit, you deploy it out, we block it, they can't copy it anywhere else, they can't sell it anywhere else. "I'm gonna sell you the Spelevo exploit kit." "Well dude, I don't want that, man, that's already been broken." And then you break their money. That's kind of the concept of where this is going, and I've applied this at a couple of orgs. So let's keep going.

So let's apply this to web traffic. All right, going through web traffic you can find anomalies, bumps. You don't have to use machine learning for this; it does help, it's nice if you've got it, but if you don't have it you could do a lot of other stuff, you do statistical analysis. I did a talk called wrexham noise, it's got some good information on how to do that if you don't have these tools. And you'll see here there's a big old spike in the traffic, this is traffic over time. I'm sorry it's cutting off a little on the screen, guys, but you'll see a spike in the traffic here. So let's dig into that spike, let's find out what's going on. Next slide please.

So what's really interesting about all... that's really hard to read, is that hard to read? Oh man, okay, all right, so I'll describe it to you and it'll be just as good, I promise. So what you're looking at is an aggregation of the user agents during that time frame. Yeah, no idea if it was user agents, I just picked a field: let's look at the URLs, let's look at the user agents, I know that sounds pretty good, right? Right in the middle of all of this is Firefox version 1.5. So yeah, okay, I'm getting some laughs, yeah, absolutely. So like up here is like good Firefox versions, that's normal, and then all of a sudden Firefox 1.5. There is no reason on planet earth Firefox 1.5 should be touching my infrastructure. Oh yeah, dude, Adrian, you're the best, man, thank you very much, appreciate it. So what you can see here, now you can actually see it, is these are Firefox versions and there's 1.5 in there. The reason why it's Firefox 1.5 is because this is a tool, and that tool was written by folks around the time of Firefox 1.5, and people just copied it and downloaded it and deployed it to hundreds of thousands of IPs and just started hitting our infrastructure. BAM, I can see them. Next slide please.

So let me give you another good example of this. This is the Black Spider tool, okay? You see this with ali.txt. If you're dealing with IDS alerts on your web infrastructure you may have seen this one. And so there's a really good Snort signature out there, I think it's very valuable, it's very important, it alarms you when there's a GET request for ali.txt. Basically this is an attempted exploit, and if the exploit's successful, ali.txt gets uploaded to your servers. If you look at your web traffic you'll probably see this. Downloading all the traffic that these guys were doing, ali.txt was the last request. All right, so let's think about this in the time sequence, one after the other after the other after the other. We're getting an IDS alert on the last request of the tool. Okay, so what's the first request of the tool, what does it start with? When we mapped it out, it turned out that every single one of them sent the same sequence of events in precisely the same order, because it's a tool, somebody wrote a tool, and the first request is HEAD admin FCKeditor. It's an exploit request, right? So when that request comes in, we banned the tool. So let's think about that from a sequence perspective. So we get all the way to the top, the first request comes in, we ban the IP address, and the rest of the tool, I don't really care at that moment what's in it, because it all fails, it's all gone. And so doing this at some of the organizations that I've worked with, we've auto-banned 800 IP addresses a day, like just automatically banned them, like the second you touch us anywhere in a no-no spot, like you're out of there. And so to give you an idea of the effectiveness of that, the pen test team called us up in my SOC and they said, "Can you please whitelist our IP addresses?" "Why?" I think I was like... "Well, we keep trying to start up the thing and we keep getting banned." "Hey, wait a second, no, no, bro, you've got to give me..." I like you hitting my infrastructure with all these defenses, then you've really done a pen test, right? Next slide please.

So, all right, so this one, this is a little bit more intricate, but it's a really interesting scenario. So you'll see there's these explosions of data points coming out of a central point, looks almost like orbit, it's three dimensions. At the center of those are source IPs, and exploding out from them are all the URL GET requests, or HEAD, or, you know, whatever verb, pick your verb here, okay? And so it looks like it's in three dimensions around the tool, and there's only two source IPs here. What's super interesting about this is that the ones that are marked in red are overlaps, meaning these two different tools which are designed to attack web infrastructure make overlapping requests. So if I can find one of those and ban that infrastructure coming in towards me, that IP address, that whatever it is, I've lately
like just by accident like 528 00:20:15,690 --> 00:20:21,240 because of coolness 529 00:20:16,890 --> 00:20:23,490 I've been to tools so there's a snowball 530 00:20:21,240 --> 00:20:25,440 effect here as you do this and you start 531 00:20:23,490 --> 00:20:27,210 knocking down infrastructure where 532 00:20:25,440 --> 00:20:29,520 you're going to start to overlap tools 533 00:20:27,210 --> 00:20:31,380 and see patterns that that occur within 534 00:20:29,520 --> 00:20:33,090 them and I'll show you precisely how to 535 00:20:31,380 --> 00:20:34,620 start with this inside of your logs if 536 00:20:33,090 --> 00:20:39,540 you've got access to them from any 537 00:20:34,620 --> 00:20:43,979 direction right next slide please 538 00:20:39,540 --> 00:20:45,450 all right let's talk about the 539 00:20:43,980 --> 00:20:46,770 methodology and approach here like how 540 00:20:45,450 --> 00:20:50,400 can you actually do this inside your 541 00:20:46,770 --> 00:20:51,810 enterprise next slide so one of the 542 00:20:50,400 --> 00:20:53,640 biggest things that I see happening in 543 00:20:51,810 --> 00:20:55,260 security operation centers is that we 544 00:20:53,640 --> 00:20:57,180 have to start with the basics right 545 00:20:55,260 --> 00:20:58,410 crawl walk run there's a lot of 546 00:20:57,180 --> 00:20:59,790 organizations out there that are 547 00:20:58,410 --> 00:21:01,500 attempting to buy tools that are going 548 00:20:59,790 --> 00:21:03,990 to get them to the top and the most and 549 00:21:01,500 --> 00:21:07,710 the the most advanced capability 550 00:21:03,990 --> 00:21:09,060 immediately I haven't yet seen a lot of 551 00:21:07,710 --> 00:21:11,820 scenarios where that's been super 552 00:21:09,060 --> 00:21:15,990 successful and part of the reason why is 553 00:21:11,820 --> 00:21:17,820 we have to build from transparency so 554 00:21:15,990 --> 00:21:20,100 you start by seeing what's happening I 555 00:21:17,820 --> 00:21:22,409 couldn't analyze those web logs 
if I 556 00:21:20,100 --> 00:21:25,050 didn't have the f5 load balancers coming 557 00:21:22,410 --> 00:21:26,910 in or I didn't have access to those web 558 00:21:25,050 --> 00:21:28,320 logs on those servers in order to be 559 00:21:26,910 --> 00:21:29,370 able to conduct the analysis I couldn't 560 00:21:28,320 --> 00:21:32,220 tell you what was going on in our 561 00:21:29,370 --> 00:21:35,429 infrastructure unless I could see it the 562 00:21:32,220 --> 00:21:36,900 second one is in signal-to-noise what's 563 00:21:35,430 --> 00:21:40,020 the difference between an alert that I 564 00:21:36,900 --> 00:21:41,310 do care about an alert I don't I'll give 565 00:21:40,020 --> 00:21:43,290 you a one example of this we recently 566 00:21:41,310 --> 00:21:45,360 did a threat hunt in an organization 567 00:21:43,290 --> 00:21:49,200 that had uh needy arm not going to say 568 00:21:45,360 --> 00:21:51,090 which one and they had 550 alerts all 569 00:21:49,200 --> 00:21:53,880 right so like all sorts of things are 570 00:21:51,090 --> 00:21:58,199 happening but 550 things came out and 571 00:21:53,880 --> 00:22:01,770 said this is an attack of 'el that 550 572 00:21:58,200 --> 00:22:03,480 only one needed action and it was if I 573 00:22:01,770 --> 00:22:09,240 remember it it was a really nasty piece 574 00:22:03,480 --> 00:22:11,670 of malware and so what is that signal 575 00:22:09,240 --> 00:22:13,080 that signals like 0.2% or something 576 00:22:11,670 --> 00:22:14,610 right don't don't ask me to do math that 577 00:22:13,080 --> 00:22:17,159 fast I can't do that right 578 00:22:14,610 --> 00:22:18,600 it's like point two percent so you gotta 579 00:22:17,160 --> 00:22:21,330 figure out what the signal is to the 580 00:22:18,600 --> 00:22:23,939 noise but once you get to that you get 581 00:22:21,330 --> 00:22:25,710 to actionable alarms so some of the 582 00:22:23,940 --> 00:22:27,840 objectives I set in security operations 583 00:22:25,710 --> 00:22:30,210 are I 
want signal to noise 35 to 85% 584 00:22:27,840 --> 00:22:33,240 meaning if an alarm goes off it's got to 585 00:22:30,210 --> 00:22:35,130 be 35 to 85% accurate something like 586 00:22:33,240 --> 00:22:36,720 that that's the target goal anyway 587 00:22:35,130 --> 00:22:37,860 because then when you're looking at 588 00:22:36,720 --> 00:22:39,510 alerts you're looking at things that are 589 00:22:37,860 --> 00:22:41,370 actionable and the patterns begin to 590 00:22:39,510 --> 00:22:44,070 materialize 591 00:22:41,370 --> 00:22:45,629 so I worked with a couple data 592 00:22:44,070 --> 00:22:47,790 scientists throughout the years and one 593 00:22:45,630 --> 00:22:49,950 of them basically told me is like 594 00:22:47,790 --> 00:22:52,409 patterns do materialize it's it's like a 595 00:22:49,950 --> 00:22:54,780 creative approach to data like as you do 596 00:22:52,410 --> 00:22:56,490 it the patterns will materialize oh hey 597 00:22:54,780 --> 00:22:58,590 it's a phishing attack ell we've gotten 598 00:22:56,490 --> 00:23:01,530 a bunch of those those are you know 599 00:22:58,590 --> 00:23:03,389 those are business email compromise hey 600 00:23:01,530 --> 00:23:05,490 look we've gathered all the URLs eight 601 00:23:03,390 --> 00:23:07,800 look the URLs are all structured the 602 00:23:05,490 --> 00:23:10,830 same way that's a pattern can we do 603 00:23:07,800 --> 00:23:12,690 something about it won't you do that you 604 00:23:10,830 --> 00:23:13,949 start identifying their tools and then 605 00:23:12,690 --> 00:23:16,440 you could start building towards the 606 00:23:13,950 --> 00:23:19,110 automation yes can some tools get you to 607 00:23:16,440 --> 00:23:21,450 automation quickly they can but I have 608 00:23:19,110 --> 00:23:23,490 seen this exact pattern happen almost 609 00:23:21,450 --> 00:23:26,400 every sock I've worked in and built out 610 00:23:23,490 --> 00:23:28,380 and consulted in so I hope that this 611 00:23:26,400 --> 00:23:31,890 kind of 
helps set the stage of where we 612 00:23:28,380 --> 00:23:34,290 can begin good at least as far as I 613 00:23:31,890 --> 00:23:38,850 could tell okay so so let's really do 614 00:23:34,290 --> 00:23:41,220 this pardon me mmm this week my immune 615 00:23:38,850 --> 00:23:43,199 system is like the Grinch it's two sizes 616 00:23:41,220 --> 00:23:44,850 too small you know that's just I'm 617 00:23:43,200 --> 00:23:47,550 fighting off a cold let's apologize 618 00:23:44,850 --> 00:23:49,649 so grab a threat IP address that fired 619 00:23:47,550 --> 00:23:50,659 something good jumping-off point you 620 00:23:49,650 --> 00:23:53,160 gotta have something to start with 621 00:23:50,660 --> 00:23:55,290 you'll find all the signatures that that 622 00:23:53,160 --> 00:23:56,940 fired so if we're gonna be like you know 623 00:23:55,290 --> 00:23:58,050 mids or whatever whatever it is that 624 00:23:56,940 --> 00:23:59,430 you're looking at could be a wife you 625 00:23:58,050 --> 00:24:01,110 got tuned into your own infrastructure 626 00:23:59,430 --> 00:24:02,940 that's why I'm not up here standing here 627 00:24:01,110 --> 00:24:05,820 telling you how I did this with X tool 628 00:24:02,940 --> 00:24:08,340 right once you do that go look at all 629 00:24:05,820 --> 00:24:10,500 this signature fires for those 630 00:24:08,340 --> 00:24:11,970 signatures go regression test them 631 00:24:10,500 --> 00:24:13,880 through the past how many times have 632 00:24:11,970 --> 00:24:16,110 those signatures fired a lot a little 633 00:24:13,880 --> 00:24:17,700 what were they associated with and which 634 00:24:16,110 --> 00:24:20,370 will start to get to is a hundred 635 00:24:17,700 --> 00:24:24,030 percent true positive signatures like 636 00:24:20,370 --> 00:24:25,949 this starts to actually happen when once 637 00:24:24,030 --> 00:24:27,690 you do that find all the IPS that fired 638 00:24:25,950 --> 00:24:29,310 those signatures and collect all that 639 00:24:27,690 --> 
00:24:32,610 metadata and what you end up with is a 640 00:24:29,310 --> 00:24:34,470 good pool user agents bad ip's web 641 00:24:32,610 --> 00:24:36,139 requests layer seven data you can use 642 00:24:34,470 --> 00:24:38,470 that excite please 643 00:24:36,140 --> 00:24:40,670 [Music] 644 00:24:38,470 --> 00:24:43,370 so as you do that you can start building 645 00:24:40,670 --> 00:24:46,660 custom arms custom alerts that are built 646 00:24:43,370 --> 00:24:49,699 on that information and you'll see 647 00:24:46,660 --> 00:24:52,190 things that are attacks that aren't 648 00:24:49,700 --> 00:24:54,890 firing it signatures you can start 649 00:24:52,190 --> 00:24:56,030 building custom rules for those right 650 00:24:54,890 --> 00:24:58,540 there because they're really useful 651 00:24:56,030 --> 00:25:01,309 they're very helpful 652 00:24:58,540 --> 00:25:03,920 then you regression test those turn them 653 00:25:01,309 --> 00:25:05,899 on and as they go to num and now you're 654 00:25:03,920 --> 00:25:08,030 starting to get closer you find all the 655 00:25:05,900 --> 00:25:09,679 100% true positives start tuning on 656 00:25:08,030 --> 00:25:11,629 those signatures and you start building 657 00:25:09,679 --> 00:25:12,470 a life cycle where you iteratively go 658 00:25:11,630 --> 00:25:14,600 down it's almost like a Fibonacci 659 00:25:12,470 --> 00:25:15,830 sequence the first time you do it is 660 00:25:14,600 --> 00:25:17,780 gonna be a whole bunch of data and 661 00:25:15,830 --> 00:25:19,370 you're gonna be like oh my gosh I mean 662 00:25:17,780 --> 00:25:21,620 the second time you do it'll be a whole 663 00:25:19,370 --> 00:25:23,139 lot less and then you know within a time 664 00:25:21,620 --> 00:25:26,719 period it depends on your organization 665 00:25:23,140 --> 00:25:28,309 it'll start to get really surgical and 666 00:25:26,720 --> 00:25:29,720 you can say I know exactly what that is 667 00:25:28,309 --> 00:25:32,149 so we just did this with a health 
care 668 00:25:29,720 --> 00:25:34,880 too we help them tune up their sim and 669 00:25:32,150 --> 00:25:37,929 now they are literally firing on every 670 00:25:34,880 --> 00:25:40,580 single needs alarm that fires except a 671 00:25:37,929 --> 00:25:42,679 couple of IPS which we know are super 672 00:25:40,580 --> 00:25:44,240 noisy in their infrastructure and a 673 00:25:42,679 --> 00:25:46,850 couple of signatures that we know are 674 00:25:44,240 --> 00:25:49,220 not valuable outside of that if it fires 675 00:25:46,850 --> 00:25:50,750 a signature we're gonna see it and we 676 00:25:49,220 --> 00:25:53,750 know it's bad because we know it doesn't 677 00:25:50,750 --> 00:25:55,940 happen okay and you kind of keep this 678 00:25:53,750 --> 00:25:59,059 lifecycle going as you work in your sock 679 00:25:55,940 --> 00:26:01,720 and and you'll build new content that's 680 00:25:59,059 --> 00:26:03,770 valuable next slide please 681 00:26:01,720 --> 00:26:05,270 cuz you do that you could start taking 682 00:26:03,770 --> 00:26:07,160 tactical actions I talked about 683 00:26:05,270 --> 00:26:11,870 quarantine the IP addresses it's a good 684 00:26:07,160 --> 00:26:15,710 example one example was you know if you 685 00:26:11,870 --> 00:26:18,320 have a windward spawning CMD or power 686 00:26:15,710 --> 00:26:20,150 shell or vbscript you have a vbscript 687 00:26:18,320 --> 00:26:21,559 that's launching downloading an 688 00:26:20,150 --> 00:26:21,920 executable and writing it to your temp 689 00:26:21,559 --> 00:26:24,590 folder 690 00:26:21,920 --> 00:26:28,429 what's the malware well in that scenario 691 00:26:24,590 --> 00:26:30,080 I don't know but it's Bower and if I can 692 00:26:28,429 --> 00:26:32,080 stop that vbscript from running and 693 00:26:30,080 --> 00:26:35,689 writing it to the temp folder it's 694 00:26:32,080 --> 00:26:37,879 blocked malware and that's kind of 695 00:26:35,690 --> 00:26:39,650 pretty good right just love to see these 696 
00:26:37,880 --> 00:26:41,390 patterns come out and you'll figure out 697 00:26:39,650 --> 00:26:44,330 inside your enterprise how what tool can 698 00:26:41,390 --> 00:26:46,640 I use how can I use it and ban it so 699 00:26:44,330 --> 00:26:49,309 some other statistics that can give you 700 00:26:46,640 --> 00:26:50,840 about what this has produced one 701 00:26:49,309 --> 00:26:51,440 organization reduce their malware 702 00:26:50,840 --> 00:26:53,750 infection by 703 00:26:51,440 --> 00:26:55,909 seventy-five percent who was absolutely 704 00:26:53,750 --> 00:26:58,789 dramatic it rolled off a cliff and that 705 00:26:55,909 --> 00:27:00,620 was like four or five rules one 706 00:26:58,789 --> 00:27:02,059 organization we I dropped their meantime 707 00:27:00,620 --> 00:27:03,918 to contain by eighty percent in three 708 00:27:02,059 --> 00:27:06,529 months 709 00:27:03,919 --> 00:27:09,830 it was just wham you know so you can 710 00:27:06,529 --> 00:27:11,360 actually do this it's not necessarily 711 00:27:09,830 --> 00:27:12,918 the easiest thing the first time but as 712 00:27:11,360 --> 00:27:16,699 you dig through it with a methodology 713 00:27:12,919 --> 00:27:18,500 it's cool alright and okay so one other 714 00:27:16,700 --> 00:27:21,590 story to tell you 715 00:27:18,500 --> 00:27:25,419 one organization that I worked in we 716 00:27:21,590 --> 00:27:29,779 mapped out a bot and that bot was 717 00:27:25,419 --> 00:27:31,639 scraping our externally facing web 718 00:27:29,779 --> 00:27:33,350 infrastructure yeah there was some data 719 00:27:31,639 --> 00:27:35,389 on there that could give you too much 720 00:27:33,350 --> 00:27:37,939 detail but there was some data that was 721 00:27:35,389 --> 00:27:40,879 on there and they started seeing 722 00:27:37,940 --> 00:27:42,559 increases in volume over time and we dug 723 00:27:40,879 --> 00:27:45,189 into that increase in what we found was 724 00:27:42,559 --> 00:27:48,168 a bot that was 500 IP addresses 
large 725 00:27:45,190 --> 00:27:50,289 that was scraping data from their 726 00:27:48,169 --> 00:27:52,460 external infrastructure to download it 727 00:27:50,289 --> 00:27:54,710 not a single one of those IP addresses 728 00:27:52,460 --> 00:27:57,019 was on any threat intelligence list 729 00:27:54,710 --> 00:28:00,200 none of that traffic fired in the alert 730 00:27:57,019 --> 00:28:02,299 but it was a business risk it actually 731 00:28:00,200 --> 00:28:05,679 threatened their business they're trying 732 00:28:02,299 --> 00:28:09,830 to repeat and copy all the data and so 733 00:28:05,679 --> 00:28:11,779 like once we knocked those guys down the 734 00:28:09,830 --> 00:28:13,668 time that it took for them to stand back 735 00:28:11,779 --> 00:28:15,049 up their infrastructure come back and 736 00:28:13,669 --> 00:28:17,450 try it again with a different technique 737 00:28:15,049 --> 00:28:19,250 was two weeks it was about fourteen days 738 00:28:17,450 --> 00:28:20,840 was the average he said they were 739 00:28:19,250 --> 00:28:22,610 determined we knew who they were 740 00:28:20,840 --> 00:28:23,990 we knew what their objective was we'd 741 00:28:22,610 --> 00:28:25,189 keep our eye on the ball to try to 742 00:28:23,990 --> 00:28:28,009 protect them when we advised the 743 00:28:25,190 --> 00:28:29,450 business how to fix that but that's what 744 00:28:28,009 --> 00:28:31,820 I mean when I say internal intelligence 745 00:28:29,450 --> 00:28:34,720 like it's not going to fire any types of 746 00:28:31,820 --> 00:28:39,350 alerts next slide please 747 00:28:34,720 --> 00:28:41,169 so how am i doing on time I've no idea I 748 00:28:39,350 --> 00:28:47,330 do okay 749 00:28:41,169 --> 00:28:49,759 so overall the concept here is applying 750 00:28:47,330 --> 00:28:51,199 all of our energy and brute force before 751 00:28:49,759 --> 00:28:53,509 we understand the posture what's 752 00:28:51,200 --> 00:28:55,669 actually attacking us it may hurt us in 753 
00:28:53,509 --> 00:28:57,440 our energy and you know we see a lot of 754 00:28:55,669 --> 00:28:58,759 conversations I particularly pay a lot 755 00:28:57,440 --> 00:29:00,049 of attention to what's going on with 756 00:28:58,759 --> 00:29:04,280 burnout there's going to be a good talk 757 00:29:00,049 --> 00:29:06,470 I really want to see it today on burnout 758 00:29:04,280 --> 00:29:08,000 and and how are we going to deal with 759 00:29:06,470 --> 00:29:10,040 that as an industry because we can't 760 00:29:08,000 --> 00:29:13,310 hire as many people as we think we need 761 00:29:10,040 --> 00:29:15,020 and we can't address every single 762 00:29:13,310 --> 00:29:16,610 possible scenario that's out there in 763 00:29:15,020 --> 00:29:21,680 order to attack so where do we put our 764 00:29:16,610 --> 00:29:23,929 energy excuse me and I think that this 765 00:29:21,680 --> 00:29:26,360 among other techniques this will help 766 00:29:23,930 --> 00:29:29,030 apply and focus where that energy should 767 00:29:26,360 --> 00:29:30,919 be it's getting 5,000 alarms in your sim 768 00:29:29,030 --> 00:29:33,500 a day really isn't going to help you all 769 00:29:30,920 --> 00:29:41,320 right okay so question thoughts any 770 00:29:33,500 --> 00:29:41,320 comments yes 771 00:29:45,770 --> 00:29:48,970 [Music] 772 00:29:54,910 --> 00:29:58,019 [Music] 773 00:30:06,650 --> 00:30:10,790 absolutely so in that scenario so the 774 00:30:08,930 --> 00:30:13,760 question was along the lines of okay 775 00:30:10,790 --> 00:30:16,129 using a regex for a URL request works 776 00:30:13,760 --> 00:30:17,660 but not if it's TLS encrypted and you 777 00:30:16,130 --> 00:30:19,940 can't actually see the traffic that's 778 00:30:17,660 --> 00:30:22,280 100% accurate and so then the question 779 00:30:19,940 --> 00:30:24,110 becomes alright is this a super 780 00:30:22,280 --> 00:30:25,820 difficult is this a super prevalent 781 00:30:24,110 --> 00:30:27,709 threat vector in our enterprise 
right 782 00:30:25,820 --> 00:30:29,090 that's the first question should I spend 783 00:30:27,710 --> 00:30:31,490 time on figuring it out is what I'm 784 00:30:29,090 --> 00:30:34,189 trying to get to second one is where do 785 00:30:31,490 --> 00:30:35,570 I have visibility do I have an EDR 786 00:30:34,190 --> 00:30:37,280 that's going to show me what happens on 787 00:30:35,570 --> 00:30:39,470 the back end of that I have a bad you I 788 00:30:37,280 --> 00:30:41,360 have a bad domain and you can see the 789 00:30:39,470 --> 00:30:43,070 domains even if it's TLS encrypted I 790 00:30:41,360 --> 00:30:46,399 have a bad domain okay let me pivot to 791 00:30:43,070 --> 00:30:48,770 the endpoint let me go look at what file 792 00:30:46,400 --> 00:30:50,420 activity registry activity Services said 793 00:30:48,770 --> 00:30:51,590 or what happened on the EDR what 794 00:30:50,420 --> 00:30:54,020 happened on the endpoint during that 795 00:30:51,590 --> 00:30:55,879 time frame and what that will begin to 796 00:30:54,020 --> 00:30:58,790 do is then draw correlations between the 797 00:30:55,880 --> 00:31:00,710 two and that will give you what the 798 00:30:58,790 --> 00:31:03,590 command structure looks like on the box 799 00:31:00,710 --> 00:31:06,290 which exploits being delivered how that 800 00:31:03,590 --> 00:31:08,990 materializes it's a word I use is how it 801 00:31:06,290 --> 00:31:11,450 behaves on the endpoint when it gets 802 00:31:08,990 --> 00:31:14,000 that you know does it write an 803 00:31:11,450 --> 00:31:16,130 executable file to you know app date a 804 00:31:14,000 --> 00:31:18,620 local temp right and then when that 805 00:31:16,130 --> 00:31:21,170 happens what does it do and can you 806 00:31:18,620 --> 00:31:23,510 introduce truck sure from that side 807 00:31:21,170 --> 00:31:24,679 because you don't have the capability 808 00:31:23,510 --> 00:31:26,660 that I described here but you probably 809 00:31:24,679 --> 00:31:28,429 have other 
capabilities now if you don't 810 00:31:26,660 --> 00:31:30,230 have any of those capabilities you find 811 00:31:28,429 --> 00:31:31,580 there's malware in your enterprise it's 812 00:31:30,230 --> 00:31:33,650 probably a pretty good idea to 813 00:31:31,580 --> 00:31:37,040 investigate what's the easiest way you 814 00:31:33,650 --> 00:31:40,280 can start to figure that out and I use 815 00:31:37,040 --> 00:31:42,290 the word Start specifically a lot of 816 00:31:40,280 --> 00:31:46,490 folks try to go from zero to a hundred 817 00:31:42,290 --> 00:31:49,070 percent perfect it's like well we can do 818 00:31:46,490 --> 00:31:52,280 some crawl walk run here right do some 819 00:31:49,070 --> 00:31:54,020 collecting of logs OS query you can use 820 00:31:52,280 --> 00:31:55,280 OS sec there's a whole bunch of 821 00:31:54,020 --> 00:31:57,230 different things that will in tune up 822 00:31:55,280 --> 00:31:58,610 your visibility and then help you move 823 00:31:57,230 --> 00:31:59,990 along that path till you get there for 824 00:31:58,610 --> 00:32:04,120 your enterprise does that help answer 825 00:31:59,990 --> 00:32:04,120 the question okay absolutely 826 00:32:04,360 --> 00:32:07,830 everybody else yeah 827 00:32:08,920 --> 00:32:13,839 [Music] 828 00:32:18,200 --> 00:32:22,279 [Music] 829 00:32:26,210 --> 00:32:32,230 exactly the same to me I mean I don't 830 00:32:29,960 --> 00:32:32,230 buy this 831 00:32:36,320 --> 00:32:39,250 so mysterious 832 00:32:46,100 --> 00:32:49,149 to see the thing 833 00:32:49,990 --> 00:32:56,029 hmm okay so the question was around 834 00:32:54,250 --> 00:33:00,710 artificial intelligence and machine 835 00:32:56,029 --> 00:33:03,110 learning as a proposed solution to all 836 00:33:00,710 --> 00:33:06,350 of these issues and why folks in the 837 00:33:03,110 --> 00:33:07,658 industry feel like they're not actually 838 00:33:06,350 --> 00:33:10,399 delivering on what they say 839 00:33:07,659 --> 00:33:12,289 okay so here's I'll 
say about that so 840 00:33:10,399 --> 00:33:13,580 the first the first issue that I've seen 841 00:33:12,289 --> 00:33:16,250 is a lot of folks are looking for 842 00:33:13,580 --> 00:33:17,629 univariate solutions to problems what's 843 00:33:16,250 --> 00:33:19,010 wrong I don't know I can't figure out 844 00:33:17,630 --> 00:33:21,490 what's in my logs what's the solution 845 00:33:19,010 --> 00:33:23,269 machine learning it feels like in a 846 00:33:21,490 --> 00:33:26,149 univariate but the truth of the matter 847 00:33:23,269 --> 00:33:28,669 is that's absolutely not how it happens 848 00:33:26,149 --> 00:33:31,820 so when you go back to that user agent 849 00:33:28,669 --> 00:33:34,250 string for firefox 1.5 the way this 850 00:33:31,820 --> 00:33:36,649 looks if you map it out if you aggregate 851 00:33:34,250 --> 00:33:39,590 the data is it looks like an exponential 852 00:33:36,649 --> 00:33:41,239 decay curve okay and the without going 853 00:33:39,590 --> 00:33:43,908 to math II like because I'm totally like 854 00:33:41,240 --> 00:33:46,039 a math Iggy can that's bad right it 855 00:33:43,909 --> 00:33:47,690 depends on the steepness of that curve 856 00:33:46,039 --> 00:33:49,250 to interpret it but it's right in the 857 00:33:47,690 --> 00:33:51,500 middle so when you run a machine 858 00:33:49,250 --> 00:33:52,789 learning algorithm and say show me 859 00:33:51,500 --> 00:33:54,440 everything that's inside of this thing 860 00:33:52,789 --> 00:33:57,080 that's anomalous you're not going to get 861 00:33:54,440 --> 00:33:59,110 that user-agent string because it's 862 00:33:57,080 --> 00:34:02,658 right in the middle of the traffic 863 00:33:59,110 --> 00:34:04,580 you're gonna get the really weird one so 864 00:34:02,659 --> 00:34:06,950 that's like one good example of this 865 00:34:04,580 --> 00:34:08,389 we're in the midst of your distribution 866 00:34:06,950 --> 00:34:09,440 curve you're gonna have the badness and 867 00:34:08,389 --> 
00:34:13,220 the only people that can really identify 868 00:34:09,440 --> 00:34:16,339 that so an unsupervised machine learning 869 00:34:13,219 --> 00:34:18,049 model where basically you plug it in 870 00:34:16,339 --> 00:34:19,549 turn it on and it pops out and goes 871 00:34:18,050 --> 00:34:21,109 here's the bad guy right totally 872 00:34:19,550 --> 00:34:23,659 unsupervised you're not doing anything 873 00:34:21,109 --> 00:34:25,819 that will show you some stuff but a 874 00:34:23,659 --> 00:34:27,260 supervised learning model will really 875 00:34:25,819 --> 00:34:28,969 work in order to do that it has to be 876 00:34:27,260 --> 00:34:32,899 driven by subject matter experts and 877 00:34:28,969 --> 00:34:35,359 that connection hasn't been made yet in 878 00:34:32,899 --> 00:34:38,210 my opinion at the level that a lot of 879 00:34:35,359 --> 00:34:41,598 these products are saying it has okay 880 00:34:38,210 --> 00:34:43,280 and then the last reason is you're also 881 00:34:41,599 --> 00:34:45,500 talking about string data this is a she 882 00:34:43,280 --> 00:34:46,730 text and in order to do really good 883 00:34:45,500 --> 00:34:48,829 machine learning you want to convert 884 00:34:46,730 --> 00:34:51,679 that into numbers how do you actually do 885 00:34:48,829 --> 00:34:53,210 that effectively it's weird because your 886 00:34:51,679 --> 00:34:55,190 log is going to parse differently the my 887 00:34:53,210 --> 00:34:57,829 log and then his log and something else 888 00:34:55,190 --> 00:34:59,240 so there's it's kind of like a way of 889 00:34:57,829 --> 00:35:02,030 saying oh it's like super complicated 890 00:34:59,240 --> 00:35:02,828 not that's the reason why and so they're 891 00:35:02,030 --> 00:35:04,180 coming to every 892 00:35:02,829 --> 00:35:05,950 they're saying I've solved this problem 893 00:35:04,180 --> 00:35:07,839 but we've also heard that before I mean 894 00:35:05,950 --> 00:35:09,218 people have said well you get a sim and 895 
00:35:07,839 --> 00:36:16,769
...it'll solve your problem. We have out-of-the-box rules, you turn them on, and you get bombarded with noise and then you cry. Like, tell me that doesn't really happen. That's kind of really how it happens. They're like, "Well, all you have to do is turn it on and everything's solved." The salespeople that have told me something different than that, those are the ones I work with, because they really get into the meat of it. I think that eventually there are some machine learning algorithms, and, like, artificial intelligence I define as something that can interact like we are right here. So, you know, this Josh, whose last name is going to escape me, from MIT, has talked about where AI is from a brain perspective, and the last I checked on it, it was like a six-month-old child. So I wouldn't put my six-month-old child on a SIEM, though I am trying to train my kids how to be security analysts, I assure you. Yes, you know, it's interesting: somebody shipped us a package and in it was shredded paper, and I wanted to demonstrate to my kids what privacy is like, so we sat at the dining room table and tried to reconstruct parts of the shredded paper. It was really interesting. Was there another question? Yes.

00:36:18,510 --> 00:36:59,490
[Music]
I'm sorry, I'm having trouble hearing you.
[Music]

00:36:56,540 --> 00:37:48,620
Yeah, 100% correct. So just so everybody can hear what this gentleman is saying, which I definitely agree with wholeheartedly: if you don't have your own tools, you can rely on other people's tools to give you that jumping-off point, or you can rely on the tools that you've got. So ultimately, at the end of the day, that's why the Jigoro Kano story was so powerful. He's 95 pounds, 5 foot 2 or whatever size he is, he's really small, but he's got what he's got, and so he used what he had as best as he possibly could. And that's the reason why I'm not up here standing and saying, "Implement the SIEM and your problems will be solved, this is the technology to do it." In your enterprise it's going to look different. If you're looking for things that are affecting only you, in the way they affect you, it behaves in different ways. Cool. Any other questions, thoughts, comments? Yeah, go.

00:37:52,690 --> 00:38:19,440
[Music]
August Spence... is that something...

00:38:16,590 --> 00:39:39,170
Yeah, so the question was: have I ever implemented blacklists based on user agents, like we saw in the anomaly, and is it actually worth doing? So let me tackle the first piece and then the second. So, first piece: yes, absolutely, you can do a blacklist. You can also do an alarm list. It depends on whether you want to see it or whether you want to block it. These attackers are human beings, and so... so we asked the question: anybody in here spell a word wrong, but they spell it wrong the same way every time? Anybody? Oh yeah, there's hands going up. Okay, do not ask me to spell the word "definitely", you're going to get red squiggly lines on the bottom. Attackers suffer from the same thing. That technique, by the way, I used in counterfeit enterprises, going after fraudulent Facebook advertisements. They make this mistake all the time: they'll misspell something, and they'll misspell it the same way every time, and then they copy it a hundred thousand times. Okay, have you ever tried to convince IT to rewrite an old tool that for some reason is in the enterprise? They're like, "I'm not doing that." That was the worst week of my life. The hackers are going through the same thing. They're like, "Well, I can't kind of rewrite that tool because it's in two point five hundred thousand places." So yeah, it can be very valuable. And then the second part of the question is now escaping me, I got too far down that path. Can you repeat it?

00:39:39,820 --> 00:41:20,430
Oh, is it worth doing? Yeah. So, um, in terms of enforcement, the reason why I think this stuff is incredibly valuable is, if you look at how, I think it was Rudy Giuliani, approached law enforcement in New York City. Now, I don't remember if it was "broken glass" or "broken window", that's one of those things my brain just can't click properly on, but he enforced the basic laws, which ultimately demonstrated to the community, as well as the real criminals, that they were enforcing the law. This happens, believe me when I tell you it happens: you start enforcing broken glass or broken window in your enterprise, and you will start making other people go away. A very wise man by the name of Bill I worked with told me: you don't have to be the fastest gazelle in the herd, you just don't want to be the slowest. And so when you're banning hundreds of IP addresses and blocking people and knocking down malware, and it's really hard to get in, folks, what's happening is some guy is sitting behind a terminal, and I just say "guy", right, could be a gal, sitting behind some terminal, and their boss is coming over them going, "Did you hack into that enterprise yet?" The guy's like, "I don't know what's going on. It's like every time I run a scan I burn my IP address. I can't figure out what's happening." "You better get on it." You know, it's frustrating for them, and Jigoro even says that in his logs. He says that when I started beating the guys that were bigger than me, they were inordinately frustrated. And what you want to do is frustrate them, so you will ultimately build a reputation, right, across other people's industries. It's like, "Well, that's such-and-such an organization, oh man, you have no idea how many headaches I had trying to get into those guys. It was painful." Like, these are humans just like us. So yeah, I think it's really valuable.

00:41:21,670 --> 00:41:35,910
Anybody else? Questions, thoughts, comments? Show of hands, everybody find this useful? Yes. I really appreciate the opportunity to present it to you. Thank you so much.