May 27, 2024

Thinking Like a Hacker: Red Team Cyber Security Strategies

In this popular episode from last year, we explore the fascinating world of red team cyber security with Dwayne Laflotte, a seasoned expert in offensive cybersecurity. Dwayne shares his wealth of knowledge and experience, diving into the tactics and strategies employed by red teams to identify vulnerabilities and strengthen an organization's defenses. From exploiting backup systems to the importance of least privilege and strong passwords, this episode is a must-listen for anyone interested in bolstering their cybersecurity posture.

Dwayne provides captivating examples of how red team cyber security professionals think outside the box to breach networks, emphasizing the need for constant vigilance and adaptability in the face of evolving threats. He also highlights the critical role of collaboration between red and blue teams, stressing the importance of a multi-layered approach to cybersecurity. Packed with practical insights and actionable advice, this episode is an invaluable resource for IT professionals and business leaders alike.

Transcript

W. Curtis Preston: Are you curious about the world of offensive cybersecurity? We recorded this episode last year with Duane Laflotte, the CTO and red team leader at Pulsar Security. It was one of the most popular and enlightening episodes from last year, so I'm playing it again. I could listen to his stories all day. Make sure to pay close attention for when we start talking about backup systems and their role in a cyber attack; he confirmed my worst fears and then gave me new ones. I think you're going to really enjoy this episode. You'll learn a lot, and I hope you'll enjoy listening to his stories as much as I do.

By the way, if this is your first time listening, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about backup and recovery for over 30 years, ever since I had to tell my boss that we had no backups of the giant database that we had just lost. I don't want that to happen to you, and that's why I do this. On this podcast, we turn unappreciated backup admins into cyber recovery heroes. This is The Backup Wrap-Up. Welcome to the show.

W. Curtis Preston: I'm your host, W. Curtis Preston, AKA Mr. Backup, and I have with me my Google Sheet consultant, Prasanna Malaiyandi. How's it going, Prasanna?

Prasanna Malaiyandi: I am good, Curtis. I have years and years of experience with Google Sheets.

W. Curtis Preston: Yeah. So we've been going through this, you know, as of my recent purchase. Two weeks now, as of yesterday, I am now the proud owner of a Tesla Model 3. Base model, 270 miles of range. You have all these plans to choose from that offer different costs for different times of the day, right? I could potentially save a lot of money. I could potentially cost myself a lot of money, so I created this gigantic spreadsheet and Prasanna's been helping me through it. What do you think? How do you think we are on the, how...

Prasanna Malaiyandi: Yeah. No, I think your spreadsheet makes sense. Um, I think it's not too... I'm actually surprised that no one has built an online calculator to do this.

W. Curtis Preston: It turns out, in my case, the break-even point was, if I'm going to charge at least 80 kilowatt-hours per week in my Tesla, then it makes sense to switch over, which...

Prasanna Malaiyandi: 250, or it's like 350 miles, right?

W. Curtis Preston: Yeah, which is not gonna be a problem based on my driving patterns. There's a $16 a month thing to be on that plan. Um, and I...

Prasanna Malaiyandi: But why do they charge you $16 a month? That's just highway robbery. You know, it's not like anything really changes. You're still paying the transmission fees.

W. Curtis Preston: It's called a utility. It's called a monopoly. You can't just go get electricity somewhere else, right? Uh, anyway, our guest, I'm sure, has gotta be antsy at this point. Let's bring him on. Our guest today has specialized in offensive cybersecurity for over 20 years. He's the CTO and red team leader at Pulsar Security, which offers a comprehensive package of services designed to bring maximum security benefits at minimal cost without sacrificing quality. He's also a host of the Security This Week podcast. Welcome to the pod, Dwayne Laflotte.

Duane Laflotte: Yeah, great. Great to be here. Thank you so much for the invite. Um, and I was itching at that electricity talk. All I'm saying is, how did they read how much electricity you use? They use that smart meter outside.

W. Curtis Preston: Yeah. The smart...

Duane Laflotte: And they drive by and they pick up a 900 megahertz signal or a 2.4 gigahertz signal from that...

W. Curtis Preston: I like the way you're, I...

Duane Laflotte: If you were to saturate that band, uh, you probably would be using no electricity. Just throwing that out there, and this is what my job is. How do we break these things where they...

Prasanna Malaiyandi: So unfortunately, Dwayne, for me, we have a smart meter too, but what our city has done is they've put basically Wi-Fi access points all throughout the city. And so you get free Wi-Fi anywhere in Santa Clara, which is great, but at the same time, they don't have to drive by anymore, and it just automatically connects to those and downloads the data.

Duane Laflotte: The other thing that's interesting is your smart meter, it probably has a MAC address to connect into that particular thing. So if you deauth your own smart meter, it will never connect to the Wi-Fi. Which means...

W. Curtis Preston: You would, of course, not suggest doing such things, but...

Duane Laflotte: No, of course.

W. Curtis Preston: You're saying, theoretically speaking...

Duane Laflotte: Theoretically, from a networking red team standpoint, it might be what I would do. Um...

W. Curtis Preston: If, perchance, you were doing a pen test for SDG&E or, um...

Duane Laflotte: Yes.

W. Curtis Preston: So, Dwayne, for those that, I think most people probably know about red team and blue team, but why don't you tell us what a red team...

Prasanna Malaiyandi: Isn't there a purple team?

Duane Laflotte: There is, yeah. Purple's kind of the new thing. Um, it used to be they would just pit the teams against each other. So blue team is defense, right? It's the guys who really like reading through logs and looking for bad guys. Um, the red team, we are the offensive team, so we like pretending to be the bad guys. Um, and thinking all of the, well, how could I get my smart meter off of the electric grid thoughts? And then putting those in action, and attacking an organization. And that involves everything from, um, you know, 'cause a lot of people throw around terms like pen testing or vulnerability scanning or red teaming, and those are three very different things. From the red teaming side, it's holistically looking at the company. So it's everything from the employees, to what sites they view, you know, from the company, to who are your partners as a company that we could use to maybe leverage to get into the organization, to, uh, we've had teams... Uh, the reason I talk about jamming sensors and whatnot, we actually do have teams that will physically break into organizations. Um, and I can tell you that all the motion sensors on most alarms are 900 megahertz, and I can saturate that, walk through a building without that motion sensor going off. So there's, like, all sorts of really cool things that we as a red team will be trained to do. It looks very much like thievery. Um, but we're the good guys, I promise. So that's our job. And purple is the mix, right? It's people who know a little bit of that offensive and a little bit of defensive, um, just to be better on both sides.

W. Curtis Preston: So would another term for that be ethical hacking?

Duane Laflotte: Yes. Yeah. Ethical hacking is definitely another term people use for that. People have moved away from ethical hacking, um, a little bit more to more focused terms, 'cause cybersecurity's so big at this point. Um, it used to be, like, if you were in cyber, you kind of did the same thing. You looked a little bit at, you know, offensive, you did a little bit of coding, you did a little bit of whatever. And that ethical hacker is really that generalist. Um, then you move into, like, the really focused sides of even offensive cybersecurity. Like, if we just talk about offensive, I have people on my team who are reverse engineers. So what they will do is tear apart a system. Take, um, there's one company, we broke into the company through a TV that was sitting in their lobby, that was connected to the Wi-Fi. So how did we do that? We literally bought one of the TVs, tore it apart, attached a Bus Pirate and a JTAGulator to the system, ripped the firmware off the chips and read through the firmware and found an exploit, and then used that to break into the TV. Um, that's a specialty in and of itself. Then you have, you know, your web developers who are really good offensive, you know, web certified experts who know how to tear apart things like Angular and .NET and understand how all that works, but wouldn't necessarily be your reverse engineers, and wouldn't necessarily be your network guys who are offensive network, who understand, you know, spanning trees and how I can manipulate a network and how mDNS works and, like, how to break all that, who are entirely different from the guys who are cloud, like how to manipulate, pulling universal keys from the cloud and how to get the cloud to, how to get two clouds to attack each other, 'cause they're never gonna block each other. Like, that's all tactics as well. So it's definitely, like, been specialized since the ethical hacking term came out.

Prasanna Malaiyandi: That is, like, my, sorry, my mind is just, like, blown just hearing what you just talked about, 'cause that covers such a broad spectrum, right? And I wonder, when people think about defending themselves from hackers, right, are they sort of pigeonholing themselves? Because I know, Curtis, we've always talked about, okay, make sure you prevent lateral movement, make sure that you have multi-factor authentication, right? All the rest of these things. But there's, like you were saying, Dwayne, there's other ways, like through partners, through, like, that TV, right? You didn't even think about that as an IT person, maybe, and you're like, ah, it's just a TV, whatever.

W. Curtis Preston: Of course, I would, tell me, Dwayne, tell me, tell me I'm wrong and it is totally okay, 'cause this is not my bag. The problem, the, uh, mistake that that company made was that this smart TV, this network-based TV, was on the same network that the rest of their corporation was on.

Duane Laflotte: Yes. Yeah. So part of it, absolutely, this particular customer, it was on the same network. Um, but what we have seen before is a guest network, right? Um, isolated, no devices. And then we'll see people connected to the guest network who are also connected to the executive or to the internal network. And the reason they do that is because in the lobby, they don't get the corporate network. So they're like, oh, well, the guest network's here, so I'll connect to it. So what's really nice is, once they connect to it, like, when they leave the building, we can emulate the guest network. They'll connect to us. We'll drop a piece of, uh, malware or a captive portal or whatnot on their device. When they walk it back into the building, that portal will then beacon out to us, and now we have access to the corporate network. So, you know, we definitely see, even though you isolate it, you can't pull the humans out of the system, unfortunately, for the most part.

W. Curtis Preston: If we could just get rid of all those damn users, the, our computers...

Duane Laflotte: Right.

W. Curtis Preston: ...would be a lot...

Duane Laflotte: Yeah.

W. Curtis Preston: ...a lot safer.

Duane Laflotte: Absolutely.

W. Curtis Preston: Um, yeah. Goodness gracious. Yeah. I, when I talk to somebody like you, I've had a handful of conversations with, you know, folks on the offensive side, uh, throughout my career, and I always walk away just super depressed. I'm just like, like, why even try, you know? Um, you...

Prasanna Malaiyandi: Did you have that story, Curtis, about the guy who, with the various uniforms, who would break into buildings?

W. Curtis Preston: Oh, yeah. I mean, yeah. So I know a guy that does physical, uh, pen testing, right? Um, and his job is to physically get into a place that he's not allowed to be, take a selfie and, you know, GTFO, right? And, um, and he just told me, he's like, I have never, never not been able to get into where I was supposed to get into. Right. It's all about social engineering, and sometimes it's about, uh, but, uh, card scanning, right? Um, you know, scanning somebody's, uh, RFID badges, right? Um, I heard a talk, um, you know, it was, uh, Kevin Mitnick once, talking about, you know, the scanning badges in a bathroom, which just, it was just wrong, but it was just like, it's just so easy, right? Because you're just a little weird, a little weird. When I think back, the only, like, red team type stuff that I've seen depicted, uh, a lot, or, like, an entire movie based around it, was Sneakers. Um, do you remember that movie?

Duane Laflotte: Oh, like, a fantastic movie. Sneakers. Yeah, and what's funny about that is that's not far off. So, you know, looking from my red team's ex... like, as the red team leader, I'm playing Robert Redford's job, right? So I'm going through and understanding, like, okay, cool, we got this target, how do we attack it? And I have my specialists. I have my Mother, who understands, you know, sensors and understands, you know, different wavelengths and signals and that sort of stuff. And I, you know, I have my face guy who's good at talking to people and that sort of thing. So I'm planning this out. I'm like, okay, here's how we're gonna attack, here's how we're gonna do whatever we do. But looking at Sneakers from my perspective, my job, you go, okay, cool. Well, they got access to the temperature control system. Is that even possible? Um, and sure enough, about a month ago we were pen testing a bank. Um, I like to call it the bank job. We were doing the bank job. Um, and as we were doing the bank job, this is about a month ago, so it was in May, early May, cold up here, cold-ish at night. Um, we did, sure enough, get access to the HVAC system. Um, and what could we have done with it? We were like, okay, we could shut it off. Um, and it gets cold enough at night where maybe pipes freeze and burst and that sort of stuff. We could crank it up, I guess, but then, you know, I started thinking about Sneakers. I was like, oh my gosh. So if they're using infrared and we could crank it up, we could get in the building. But yeah, so it's, you know, it's entirely, as you go back and look at that movie, um, it was impressive how much stuff they got right, from a, you know, what you might do as a red teamer. It's very cool.

Prasanna Malaiyandi: Yeah.

W. Curtis Preston: Have you, Prasanna, have you seen this movie?

Prasanna Malaiyandi: I'm trying. I don't think I have.

W. Curtis Preston: I think they get a lot of stuff, interestingly, right. Um, I mean, just the whole thing of, like, the scene where Robert Redford's got a bunch of packages, he's got balloons, and he's like, can you, can you just buzz me through, you know? Um, and so what you're telling me, Dwayne, is you play the role of the devastatingly handsome, disarming guy who disarms...

Duane Laflotte: That's what I like to, yeah, that's, I mean, I wouldn't, I wasn't gonna put that label on it, but thank you. Yes. Um, but, you know, honestly, it's a great movie to watch. I love watching these movies 'cause they, like, they're part of the, it's the passion of cybersecurity and hacking that I got in the nineties, right? And I watched Hackers and I watched Sneakers and I watched WarGames, and it was that awe of, how could you tear a system apart? How could you make it do things that it was never even designed to do, and bend it to your will as a red teamer? And that's what these movies and these shows do for me, is they bring that awe back, right? Um, even though some of it might not technically be true, it doesn't matter.

Prasanna Malaiyandi: So given that you do offensive security, right, red teaming, and I know we'll talk more about that, I guess the question is, in your personal life, doesn't it freak you out a bit? Like, what do you do to protect yourself against some of those things? You know, like, the fact that you're surrounded by this all the time, trying to break things. Does that sort of translate into your personal life, where you're like, okay, RFIDs can be hacked, so I'm gonna get one of those wallets that block RFIDs all the time, right? Wi-Fi network, I'm just gonna keep everything unplugged all the time. Like, nothing comes on my network.

Duane Laflotte: Yeah, it's a great question. And I also have, um, I have probably three of the worst end users, from a cybersecurity standpoint, you could imagine. I have three children, and they'll, they, like, you can never tell them what to visit or not visit, or click on or not click on. It's just, it is what it is. So, um, so it's interesting, it's twofold. One, yes, there are certain things I take into account in my daily life that I notice a lot of people don't. Like, I use a password manager all the time for all my passwords, because, you know, using the spreadsheet, if the spreadsheet gets compromised in some way, somebody gets it. I'd rather have a company who focuses on managing passwords, and sometimes they do it wrong, right? Like KeyPass. But more often than not, they're gonna get it right. So there are little things like that where I get paranoid and I go, yes, I wanna do that. I turn on 2FA for everything. I have all of my accounts and credit locked through the three different, uh, you know, providers, your credit, Equifax and all those guys, uh, Experian and whoever else. So there are certain things I do because I'm a cybersecurity professional and I can see, you know, we have access to all the deep dark web information on all the people, and I'm like, oh my God, I can see all this info. But from another standpoint, I worry less, because I know how hard it is to break into a smart device. Like, I know how hard it is to reverse engineer a chip and figure out a way to break into it. So from that standpoint, if I just, yeah, you know what? I'm gonna set a strong password on my Wi-Fi. Like, I, we have a crack cluster at the office, um, that has, at this point, I think it has 40 or 50 3090 GPUs in it. So, and talk about electricity. Woo. Um...

W. Curtis Preston: You might consider moving that to Prasanna's neighborhood.

Duane Laflotte: I might have to think. I'm gonna have to, um, so we can guess about, we, if we grab a, a, crack a hash from a password. So just a little bit, if your users aren't breaking into wireless networks all the time, um, I... If I go up to a wireless network, I can see all of the clients that are connected, 'cause it's all over 2.4 gigahertz wireless. Everybody can see those signals. They're open, um, but they're encrypted between the client and the access point. But I can tell the client to get off the access point. I can deauth it. I can say, hey, I'm the access point, get off the access point just for a couple minutes, and it'll deauth that client. And then the client, when they reconnect, we'll see a handshake, right? And that handshake's an encrypted password. But we can take that, and then we can try and crack it. So I can then take that handshake, takes seconds to get, I can pull it on my offline cracker, and our offline cracking device can guess 3 billion passwords a second.

Prasanna Malaiyandi: Wow.

W. Curtis Preston: Wow.

Duane Laflotte: So you say to yourself, well, okay, shoot, my wireless is probably not secure. Um, but if you start looking at the math of it, you say, listen, if your password for your wireless is in any list of passwords ever, right. Um, so if you go to haveibeenpwned.com, right, and you type in your wireless password and click check and it's in the list, yeah, they can get it in seconds. But let's say it doesn't show up on that, in any list. Now it's a mathematics, uh, problem, to brute forcing. So let's say the minimum password's eight characters, and I can do that in, uh, let's say a day. And it's actually quicker than that. It's about an hour for me to do an eight character, all uppers, lowers, numbers, whatever. If you put nine characters on that, and let's say we don't do, um, all uppers, we don't do all special characters, we don't do all numbers, that's still 26 times an hour. So we're looking at a day now. We do a 10 character password, it's 26 days. We do an 11 character password, right now we're ending up at 26 months. We're at two years for us to break that, and that was just all lowercase characters. So the longer that password is, as long as it's not in a list, I personally know how hard it would be to crack. So I'm like, ah, we gotta have a 15 character password. It's reasonably good, some uppers and lowers, nobody's gonna crack it. It's just not gonna happen. Um, so it's a great question, because a lot of people are like, you know, oh my gosh. And for me, I calm down on certain things, but other things I do reasonable stuff. My family, however, like my wife, like, she will get valid emails from family members. She's like, I'm not clicking on that. No, I know, I hear all the dark stories. I'm not clicking on anything. Like, if she gets a phone call from someone, she's like, nope. And I'm like, I think that was our bank. She's like, uh-uh, I'm not. I'm so, yeah. I think my family takes the brunt.

W. Curtis Preston (2):

You know, my f my favorite thing, and it used to, it was a different bank than I'm at right now, but they, they would call for, basically it was a fraud alert, right? That, that I would have a, I would have a potentially fraudulent charge and then they would call me, they call me from a rando number. Right. Um, and even if it said a different number, I wouldn't believe it. But they call me and they're like, this is ABC Bank. Um, we'd like to talk to you about a potentially fraudulent charge. Please authenticate yourself. And they want me to like, they want me like, you called me, right? You want, and they're like, this is the process. Like, you want me to give you, like, they wanted like, like my social or something for me to authenticate my, like, you called me like you don't, like, you don't understand how stupid this is. Like, I was so angry. I was like, I like, I'm glad you called me for a fraud alert. But I'll tell you what, I'll call you, right? I will call the, the known number for the bank, and then I will authenticate myself. I'm not giving my social to some rando who just showed up on a phone number. Like, what, what are you thinking?

Duane Laflotte:

And I think what the, the worst part of that. Um, you, like, you are savvy in the security world, so you're like, okay, this, this doesn't feel right. But I think the worst part is the bank is training their normal, you know,

W. Curtis Preston (2):

right,

Duane Laflotte:

that this is the normal process, right? We're gonna call you. So when they get a call from a spammer, they're like, oh, well this is the normal

W. Curtis Preston (2):

Yeah, exactly.

Duane Laflotte:

Just like they used to train if you click on links and emails, right?

W. Curtis Preston (2):

Just like, uh, years ago when I worked at, uh, at a bank, we would, uh, train, they all, everybody got regular cybersecurity training and it, and one of the things that we told 'em was, no one in IT will ever, ever, ever call you and ask you for your password, ever. Right. And then the next day after training, someone from IT would call them and ask them for their password. And it worked like 20% of the

Duane Laflotte:

yeah.

W. Curtis Preston (2):

And they'd always give it, they're like, oh, they're from IT.

Duane Laflotte:

Of course. Yeah.

W. Curtis Preston (2):

from IT. We're like, oh, you're

Prasanna Malaiyandi:

What could you do though to train users, though? I think that's like the hardest challenge, right? Or one of the biggest challenges,

Duane Laflotte:

So I, I think it is, and I think it's not, I think we, I think in some ways we've been trained as people to stop listening to that voice in your head that says, this is weird. Um, so I like to think of humans as almost like networks, 'cause I understand networks, uh, and they kind of make sense. So imagine you are a, you're a network and you have this, this intrusion detection in your head. And there are certain times we've gone through, we've all gone through this where we're on the phone, somebody asks us a question, we, we answer it, then they ask another question. We go, wait, this is weird. Like, I've never been asked this question over the phone before. Nobody's ever asked me for my social. Nobody's asked me what the last four digits on my credit card, like, No, no, but then we go, oh, well this, you know, I wanna be nice, I wanna be polite. I'm not gonna, right. So we get to that, that where we just disregard all the alarms we, we have in our head because we're like, well, I'm on with this person and they must be well-meaning.

Um, and I think we need to get back to you listening to those voices in your head. There's, you know what? This doesn't feel right then. It probably isn't. Um, if it's not something you normally do, if IT calls you up every day and asks for your password, you know, great. I, I get it. Yeah. You give them the password and no harm, no, no, uh, fault on yours. But if they've never called you up and then they call you up, like, that's weird. Even if it really is IT? So, you know, I wouldn't, yeah. I think you need to, I need, that's how I like to train users is like, really listen to that voice in your head. If it's something you've never done before, um, don't start now. Right. Find other ways to verify.

Prasanna Malaiyandi:

But then how do you train them? Taking that and the flip side of that, right. How do you train them to start doing things then? Because if they've never done it before, then how do you start to build that voice in their head?

Duane Laflotte:

Yeah, so that's a good question too. Um, what I typically do then is say, listen, when that voice goes off in your head, um, and, and you're like, this is odd, this isn't the right thing. What you need to do is start thinking about alternate paths, alternate, uh, communication paths. So, like Curtis had said, when the bank called him, he said, this is weird. I'm out. What I'm gonna do though is I'm gonna look on the back of my credit card. I'm gonna find that number that's on the back of my credit card and I'm gonna call you back. Now would that be fail-safe a hundred percent of the time? Uh, listen, if you're getting attacked by a nation state, they would've tapped into the phones and it wouldn't have mattered, right? So we gotta assume a nation state's not coming after each of us, 'cause at that point, we're kind of in trouble anyways. Um, but if it was a random spammer, yeah, you verified via an alternate channel. So that's typically what I'll do is say, listen, if something's weird, get outta that particular thing. Whether it's an email, whether it's text messages, um, whether it's, you know, a phone call. Just get outta that and find an alternate way to communicate.

Prasanna Malaiyandi:

Hmm.

Duane Laflotte:

Now I say alternate way and I stress that because we, we had a customer, um, that unfortunately lost, uh, hundreds of thousands of dollars in a, a scam. And, um, their boss sent them an email saying, Hey, we need to change our ACH. That should have been a red flag. How often do you change your ACH for bank to bank transfers for a particular vendor? Um, and we said, and they, and that person then said, listen, I verified, I did what you told me to do. I verified to make sure that this was right. And we said, okay, cool. What alternate channel did you use? And, and we said, they said, well, I sent an email to my boss asking, you know, if this was a real transaction. We're like, but didn't your boss communicate over email? And they were like, yeah. And we're like, that's not an alternate path, you used the same path. So what had happened is the hacker actually, and 'cause a lot of us would notice that like fake Gmail account saying it's your boss, this particular boss, their email got compromised. So they were in their inbox. So it's like, no, there's nothing you, you like, different path. Call them, talk to them face to face, especially when we're starting to talk with big money. Right.

W. Curtis Preston (2):

Yeah,

Duane Laflotte:

would be my suggestion.

W. Curtis Preston (2):

yeah. I've seen the, I've seen and heard of that, um, and I've seen it and heard of it where, where basically they have hacked the entire email system and the, and then customers are using email as their MFA. Right? And so they, they, they, you know, basically, and they use that to basically at that point, they've taken over, right? They can do whatever they want. They can reset passwords, they can then authenticate that with the MFA, uh, which is why email and, and SMSs suck as MFAs.

Um, and you know, and speaking of, speaking of which, you know, uh, we, you know, recently in the last few years, right, you know, I've been pushing more of MFA on, on myself as well, which includes pushing it on my wife. And there's a lot of things that she doesn't do very often. And then she'll, I, I remember a couple of weeks ago where she went to go log onto something and she got angry. She says, oh crap. Like, that's right. I gotta go get that thing right. I gotta go get the MFA thing to get the thing to put in the thing. And I remember getting angry at that moment going, yeah, who cares about having So having security, like, I'm sorry that you gotta spend an extra 30 seconds to protect all the money we have in that account. Uh, anyway, I

Prasanna Malaiyandi:

I remember that. I actually remember that conversation, Curtis.

W. Curtis Preston (2):

Um, so let me, let me ask you this, Dwayne. So, you know, I, so I like the password manager. We're, we're a big fan of those here. We've also covered like the big LastPass hack and it just, like, it sounded bad, it got worse and it just, it just never got better. Um, and so it's, so no, no one password manager is, is perfect. Uh, and if, if something becomes compromised, it's time to move. But that doesn't mean the concept of password managers is wrong and tell me something that's better. That's what I want to know. Right. Um, because, you know, you talk about password length, I've just been over it because I have a ridiculous number of passwords in my password manager. Um, the, um, I, I just, I keep setting 'em to like 20, like 20 has been my, has been my number. Right. And, um, by the way, while you were talking about it earlier, I counted the number of characters of my wifi password. It is 18, so I felt I

Duane Laflotte:

I'll see. You're good. You're good? Yeah.

W. Curtis Preston (2):

Um, and it, and it, and it's not, it's not, and I've been pod um, I am definitely, I've definitely had some accounts that got, um, that got hacked or whatever, but who hasn't? Um, so besides password manager and MFA, uh, and, uh, and, um, pa um, sorry, patch management, what would you think are, are the next sort of best bang for the buck? That, and, and, and again, let's just, let's just do context. What our audience is typically really worried about is the ransomware hacks and exfil and exfiltration, um, of, of that data, which what we're hearing is that exfiltration is now step one of a coordinated attack. Right. Um, so that's why we talk a lot about lateral movement, right? Trying to limit, limit lateral movement. Uh, what would you say are the next few things that would stop a guy like you?

Duane Laflotte:

Yeah, that's a great question. So here I'm gonna, I'll, I'll spill some of the secrets, um, from our, from our red team tactics. Um, and, and sadly I'd say all of these are going to deal, distill down to policy. That's it. It's gonna be, here are the policies you should be following to make yourself more secure.

Um, so exfil is always one of the big things, um, that, that a lot of our customers are concerned with as well, especially when we're doing banks, um, financial organizations, embassies, that sort of stuff. Anything we can exfil is important and, and that's why there's this massive DLP market out there. Right, looking for exfiltration of data. Did it go over email? Is somebody trying to upload a file to a website? Something along those lines. Um, I can tell you, uh, the red teamers as well as the, the hackers out there are not uploading data over port 80. They're not uploading data over port 443. Um, they're not, you know, they're not using the standard channels because there are so many other ways for us to exfil data out of an organization. Um, so for example, um, the first thing we do when we break into a company, um, and we

W. Curtis Preston (2):

can I, can I, sorry to interrupt you, but can I ask you a question

Duane Laflotte:

sure,

W. Curtis Preston (2):

Why not? Because if they were uploading over that port, it would seem like it would be a lot easier to do.

Duane Laflotte:

It's absolutely a lot easier to do, but it's, it's a, it's too watched. Um, so everybody knows to watch all the web traffic. Um, so even, even if I were to break up what I'm exfilling into small parts and then like turn it into hex and then try and post it to a website, a lot of your DLP solutions are looking at the reputation of the website I'm posting to. Right. And they're, they start doing that analytics of that communications chain. Um, and, and HTML communications, HTTP communications are very well understood. So it's easy for a corporate organization to go, well, we're not gonna allow anything out other than through this proxy. And we, we are going to then man in the middle with a certificate so we can see all that traffic. So it's, it's risky for somebody who wants to break into a company and, and steal data, um, to, to go over those ports. They just won't anymore. It just doesn't make sense.

And that is, it's super, it's, it's like, it's like we're, we're sitting out in a field, right? And, and port 80 is this steel door in the middle of the field. And, and we go, well, we could go through that steel door, um, or we could walk around the side of it, not use the steel door, right? So for us, we're like, it's just easier not to use the steel door, for example. I'm guessing at least your home networks, but probably your corporate networks, you don't block traffic out. Most people don't. They block traffic in, right? And then for DLP solutions, they look at web traffic, they look at, you know, um, maybe even, uh, they look at, you know, other ancillary traffic, but most of the time not, um, like web sockets and that sort of stuff. But most of the time they don't.

Duane Laflotte:

So when we get into an organization, I mean, one of the first things we do, ha have you guys ever, um, you take a file, uh, I assume you've used Windows in the past. Um, we use Linux a lot, but take a file, right? Click on it, drag it to your desktop, and create a shortcut, right? Pretty simple. And then you double click on it and it opens up the shortcut. Well, what if that shortcut reached out to a file server, right? Well, you could do that. You could grab a file off a file server and create a shortcut. When you double click on it, it opens up the file on the file server. Well, what if that file server was on the internet? Can you do that? Well, you can. Yeah. 445, which is SMB. Traffic does travel out over the internet.

Prasanna Malaiyandi:

Oh,

Duane Laflotte:

Most people don't ever do it. So it's easy for us to, what we do is we'll go to AWS, spin up a server, turn on 445, and Responder and a listener. Um, and then we drop this shortcut at the customer site. Um, and then we just wait. And what happens is everybody who browses that share doesn't even touch the file, but browses the share, your File Explorer wants to put an icon on every file. So when it does, it touches that file and it goes to figure out what type of file it is. So it reaches out to us and gives us your hash, your handshake. For the network because it assumes it's connecting to. And, but who would stop SMB traffic going out over the internet? Right? So this is one of the tactics we'll use.

So then, you know, we were working with certain organizations where they're like, we have DLP, we have blah, blah blah. We have all this other good stuff. And, and literally all we had to do to exfil the data was map a Windows drive out to the internet and copy the data from one server to another and it just copied with Windows copy. And they're like, yeah, we didn't see 10 gig worth of data, customer data just go out over SMB 'cause nobody's watching it.

Um, so the, so this is where I say a lot of it comes down to process. It's, you know, uh, least privilege process on traffic going out of the organization. If it's not a port that you need, shut it down. Uh, 445 should never go out to the internet ever. There, there's no reason for it. Um, I. A lot of your home routers will actually block it by default. But corporate now, they're okay with it, which is just weird. Um, so I'd say part of that, part of that is process, least privileges on the way out. If you don't need a port, lock it down. That's gonna shut down a lot of the exfil tactics that we would use.

Duane Laflotte:

Um, there are still some exfil tactics, tactics that we will use that would be hard for you to shut down. Um, there was one, I can't remember. Uh, there was one system, we had an administrator, we got access to this box and, um, he said, listen, I'll give you a jump station 'cause most, most of our engineers work on a jump station. And, and he gave us this jump station. And, you know, God bless him, he was, he, he really wanted to get the gold, the gold star on the, the, the pen test. And the jump station had access to nothing. Like, it didn't even have access to the internet. Like when we connected to it over remote desktop, this thing couldn't open files, couldn't, like, couldn't go anywhere, couldn't do anything. Um, and we're like, okay, what do people use this for, honestly? And he's like, ah, you know, they, we may have applications on there at some point. It's like, okay. So it was completely locked down and the way we were able to get our tools in and on that box was through DNS.

Prasanna Malaiyandi:

I was gonna ask about DNS. Yeah.

Duane Laflotte:

Yeah. Um, and listen, this thing couldn't communicate with the internet, but it's on a Windows domain. So we would then request through the domain controller to go out to our hacker.com website, and it couldn't pull down files. This is DNS, but you can request TXT records, which is the associated data with the DNS records. So we would encode like the first 64 bytes of a file in hex, pull that down. And once we had all the hex bits, we reassembled it into an executable. Um, at the local station. So, and, and it works both ways. You've got exfil and infil that way. So, uh, there are some that are really hard to block. You'd have to have very specialized tools watching, um, for those types of infil, exfil.

But I'd say just start with the basics. Shut down the ports that are going out that you don't absolutely need. And it gives you a lot less to look at. Like, did we have a hundred thousand DNS requests yesterday and now we have two and a half million? That's probably weird. We probably should look at that. Right. Um, it'll give you less of a, a surface of attack.

Duane Laflotte:

W. Curtis Preston (2): Hmm.

 

 


Duane Laflotte:

It is, it is.

 

 


Duane Laflotte:

It was interesting because I, I had a conversation with a cyber person.

 

 


Duane Laflotte:

Um, and he was crapping all over the idea of using D N Ss as an attack surface.

 

 


Duane Laflotte:

Um, just like, it's like, it's just not, it's just nobody does that.

 

 


Duane Laflotte:

And I'm like, okay.

 

 


Duane Laflotte:

Um,

 

 


Duane Laflotte:

In a totally lockdown environment.

 

 


Duane Laflotte:

I, I'll tell you, it's a pain in the butt.

 

 


Duane Laflotte:

Um, because it's slow think, um, like if you guys ever used a, a 14 four modem back

 

 


Duane Laflotte:

in the 1990, it's, it's like that where you're like, okay, d i r from our side.

 

 


Duane Laflotte:

And it's like,

 

 


Prasanna Malaiyandi:

This

 

 


Duane Laflotte:

so from nostalgia standpoint it's pretty cool.

 

 


Duane Laflotte:

But, um, so yeah, I get that it's not, it's not the best channel,

 

 


Duane Laflotte:

but if it's the only one available, yeah, we'll absolutely use it.

 

 


Duane Laflotte:

W. Curtis Preston (2): Right.

 

 


Duane Laflotte:

Interesting.

 

 


Duane Laflotte:

Um, man, I could talk, I could talk to you all day.

 

 


Duane Laflotte:

It's

 

 


Duane Laflotte:

both, it's both, very interesting and exciting and super depressing.

 

 


Duane Laflotte:

Um, yeah, the, um, because you know, we, we had, we talked to somebody

 

 


Duane Laflotte:

yesterday and basically their.

 

 


Duane Laflotte:

Point.

 

 


Duane Laflotte:

I would summarize it as this.

 

 


Duane Laflotte:

Don't spend all your time trying to stop this stuff.

 

 


Duane Laflotte:

Learn how to detect it when it's happening, and learn how to respond

 

 


Duane Laflotte:

when it, when it has happened.

 

 


Duane Laflotte:

Right.

 

 


Duane Laflotte:

Learn how to watch for xFi.

 

 


Duane Laflotte:

But in your case, you're, you're saying that some of this stuff is

 

 


Duane Laflotte:

gonna be nearly impossible to detect.

 

 


Duane Laflotte:

Look, you know, stop.

 

 


Duane Laflotte:

I think what you're saying is stop the really obvious stuff, right?

 

 


Duane Laflotte:

Uh, you can, you can do the, you can watch the port 80.

 

 


Duane Laflotte:

Right?

 

 


Duane Laflotte:

But you're saying that nobody's gonna, so, because I, I had heard that they're still

 

 


Duane Laflotte:

using like these, um, and their names are escaping me, but like, these file sharing

 

 


Duane Laflotte:

sites, um, like, like mega mega file

 

 


Duane Laflotte:

mega uploads and mega

 

 


Duane Laflotte:

download and Yeah.

 

 


Duane Laflotte:

Mega file.

 

 


Duane Laflotte:

W. Curtis Preston (2): And wouldn't those go over port 80?

 

 


Duane Laflotte:

Yeah. And they do, and that's why most, most people aren't using those anymore. Like it used to be, um, what was it? Uh, Pastebin and that sort of stuff. Like people were finding these sites where you could paste up a lot of data. And, and the problem is DLP solutions really have caught onto those. Uh, and I can tell you as a, so as a developer, uh, and as a, um, a guy who's trained in writing viruses that bypass any antivirus on the planet, it's really not that hard to open up any other port and start transferring data. 'Cause nobody's looking for it at that point. Right. Um, silly things like, um, say, okay, uh, SSH. Okay. So if ever, if ever you've, uh, you know, gone on a Linux box or whatever and you wanna connect to it remotely, use SSH, which is a secure tunnel, um, well it's a secure tunnel 'cause it's encrypted. So if I just SSH and SCP a copy of a file to a remote Linux box, that's an entirely encrypted channel. Nobody's gonna see what's in that. So why are you not blocking like port 22 out? Right? Oh, well, you know, one of our developers said they need to connect to some remote, uh, you know, Linux box in AWS. Like, okay, well there's better ways to do that, right? Um, so yeah, you'll start to see a lot of, and, and you'll start to see a lot of these people using things like, um, you know, even like, so a lot of the Cobalt beacons, uh, Cobalt Strike beacons and that sort of stuff are, are starting to use different ports just so that they're not detectable. 'Cause everybody's looking for 80 and 443, right?

W. Curtis Preston:

Mm-hmm.

Duane Laflotte:

Mm-hmm. And it's just easy to use something else.

W. Curtis Preston:

So my summary of what I heard all over that is blocking outgoing ports that, that you don't need, right? Disallow all, and allow the ones that you know you need. You'll break a couple of things, I'm guessing, right? You'll break a couple of things in the beginning, you'll fix those things and then you'll be better.

Prasanna Malaiyandi:

But, but isn't that sort of supposed to be the way you approach network firewalls, right? It's always a deny all, and you add access for what you need.

W. Curtis Preston:

But I think, but I think Duane's making the very valid point that people haven't historically done that going out.

Duane Laflotte:

Yes. Yeah. And it's weird because like, um, and, and it's the same thing with Windows, right? Windows initially started with everything's open and you need to lock it down. And that's why they got the, the bad rep of being the unsecured operating system. And, and Linux started the entire opposite. There's nothing running on it unless you open it up. Um, networking has always been trust the inside and not the outside. Right. So we, we've been trained to, if they're on the inside, oh, they already have access to the jewels, so who cares? We don't need to worry about them going out. But, but the problem is, especially with ransomware and whatnot, the going out part is the important part at this point. Um, so yeah, you absolutely want it. And, and I like to think of it as a least privilege, uh, network stack, right? So exactly what you're talking about is what privileges do you need going out. And let's say we manage a $22 billion organization. Yeah. You're not gonna set everything to deny out and then open it up. But what you could do is, you probably have pretty sophisticated firewalls. You set them in monitoring mode, uh, and at the end of a month you see what ports are in use. Maybe you allow those and everything else gets blocked, right? So there are ways to do this without sort of breaking the organization. But I'll tell you the same thing applies within, like, um, corporate resources. We see far too often where we, we're in an organization and it's like, oh, here's a public share that everybody has access to. And oh, by the way, it's got, uh, you know, we've seen things like, um, social security numbers, we've seen applications for mortgages, we've seen, uh, HR files, and we're like, why do we, with no account, have access to these things? And they're like, I don't know, people just put 'em in the public share. It's easy for anybody to access it. Um, so least privilege needs to be used everywhere, but, um, including...

W. Curtis Preston:

That's your policy thing that you were talking about,

Duane Laflotte:

Yes, exactly.

Prasanna Malaiyandi:

Yeah.

W. Curtis Preston:

...concept of least privilege.

Prasanna Malaiyandi:

Yeah. Um, that is a really good concept and policy that people should have everywhere. Let me, let me ask you this. So what, so a company comes to you and, and, you know, and they're like, hack us or whatever. I don't know exactly, exactly what they say, but they, so what, what do they say and what do they get out of it, right, when they walk away from having, having been summarily beaten, um, and, and, and shamed. Um, what, what, what did they get out of it at that point?

Duane Laflotte:

Uh, that's a, that's another good question. So we do, um, the way we do red team engagement is a little bit different than most cybersecurity companies. Um, so the heart of our organization is very much a training company. Um, you know, I was a Microsoft certified trainer for decades. Um, my CEO was also a certified trainer for decades. We're all about teaching as much as we possibly can. So we bring that into our red team engagement. So the way it starts is, typically people do come to us and say, hey listen, we're not really sure what our cybersecurity posture is. Can you test it? Right? Can you hack us? Um, and we'll get some information from them. We'll obviously get the Ts and Cs signed that says you can't throw us in jail, and all that other good stuff. Um, 'cause we have had people come up to us. We had one guy come up to us, say, I'd like to engage you to, to, to hack into this bank. You know, I'm, I'm their IT manager. And we're like, okay, cool. But we don't see that you're their IT manager on LinkedIn. Um, or anything along those lines. You know, no, no, no, it's okay. It's fine. Um, but all things will go through me. So, and I was like, okay, so we can't talk to the bank and you want us to... No, we're not doing that. Um, so we talk to somebody at the bank. But for the most part they come to us, say, hack us, here's the resources. Um, you know, ideally they say, here's our IP addresses that are valid to hit, go nuts. Um, sometimes they, they kind of funnel us into, I only want you to focus on these systems, but they get kind of a better risk assessment if it's, let us look at everything. And then what we typically do is, uh, we'll literally open up a, a Zoom meeting, um, from nine in the morning till usually two in the morning, um, where their blue team can join and watch what we do and we'll talk 'em through it. But like, I know, and it's, it feels weird. It's like, hey, I'm, I'm beating up your child, but let me explain how I'm doing it. Um, and they have to sit there and watch. I guess that makes it...

W. Curtis Preston:

...let me explain why your child is ugly.

Duane Laflotte:

Right. Exactly. And we'll show you empirical proof. So, um, what's nice about that is, you know, A, it gives, it's more collaborative. It's not like I'm delivering a report at the end, and the blue teamers are like, well, those red team guys suck, right? It's, it's, hey, we wanna work with you, we want you to know these tactics and watch how we're moving around in the network. Um, and, and B, what we typically see from the blue team is they'll go, hey guys, guys, you know that system over there? You haven't looked at it yet. Yeah, it's been causing us troubles. We wouldn't mind if you, you know, kind of tried to push that over a little bit, right? So we're like, all right, cool. We'll take a look at that system. So, um, so we, we use it as a training engagement, usually for like a week with their blue team and/or red team if they have one, giving them other ways to think about the network and lock things down. And if we find something mission critical, we stop and we work with them to fix whatever it is. If we find another hacking team in there, um, which we have, um, or we'll find, uh, yeah, we've, we've definitely found indicators of compromise, IOCs, um, for, for other teams in there. And that's an, that's an all engagement stop. And we call in...

W. Curtis Preston:

And, and, and when you say other teams, you mean, you mean bad guys at that point?

Duane Laflotte:

Yeah. Yeah. And we'll, um, my team will go into forensics mode. We'll track 'em down and we'll be like, all right, here, here's where they came in. Here's who they are. Here's... right. If the, especially if the customer doesn't have a threat hunting team. Um, so that's typically what we do. And then, and then the report we deliver to them is very actionable. It's, here was the issue we found, here's the risk, here's what could happen. Here's how you fix it, and here's how you run the commands yourself that we ran to exploit it. So until these come back clean, there's no need to, you know, check back in or anything like that. Just go through. So we want them to have all the tools, um, and, and we even tell customers after being with us for a year or two, like, go find another security vendor. Like, no, it behooves you. Like we look at it one way and we, and we start to get tunnel vision when we hit this network over and over again. Go find somebody else who's gonna look at it in a different way, right? Um, so that's, that's how we approach it. So what they get from us is, you know, training, a report that gives them some actionable intel and how they can test their own network. Um, and then advice that they can hopefully learn, uh, and we'll, we'll adopt more customers.

W. Curtis Preston:

Oh, I like...

Prasanna Malaiyandi:

Awesome. Yeah.

W. Curtis Preston:

Yeah, I like that a lot. I, I'm curious to know if you've ever had a situation where like you've got the blue team there and they get like angry because,

Duane Laflotte:

Oh...

W. Curtis Preston:

you know, it's...

Prasanna Malaiyandi:

Yeah.

Duane Laflotte:

Oh yeah, yeah. Okay. Yeah, we've, we've, okay, so we've had situations where we've had, uh, developers of applications on the line where we just tear the application apart and, and they're, they're very much like, oh, man. Like, and we tell them that, like, they're like, what the f... and I should have been better at this. And I'm like, listen, like if you're not a, if... I've been a developer, uh, act, since the early nineties, mid nineties, and, and, and a cybersecurity focus since, you know, 2000 or so. And, and there are a lot of these things I miss and I'm solely focused on cyber. So don't beat yourself up. This is what we do, right? We specialize in these things. Um, and I like that type of mentality 'cause that person wants to be better. Um, I have had, we did have one blue teamer on a, uh, it was a massive, uh, Fortune 500 company. Um, and he was the network security guy and he was on the call and, and every time we run into a finding, we'd be like, oh, all of your, your switches actually are doing, uh, TFTP automatically from an IP address that doesn't exist. We just switched over to that IP address and that we can feed configurations to all of your switches and that sort of stuff. Anyway. Go. Well, you know, that's, uh, that's always by design, um, that's the whole way. Like, and we're like, oh, okay, that's cool. We're just, you know, we're just saying this is... and, and every single time, we would get this. And, and we finally, we finally at one point went through and exploited it, um, a particular switch config, and was able to pull down all the information on switch config and decode this guy's password. And we're like, oh, well, the way that we broke the entire network and became domain admin is because this administrator here, here's his password on the switch. And by the way, it's the same password on the domain. And he's just like... I was like, yeah, yeah. We try not to be adversarial, but occasionally we will get someone who, uh, will, will invoke the ire of the red...

W. Curtis Preston:

Yeah, your, your goal is to bring them along with you, like you said, for them to be educated. But, uh, you know, as a person who's been on the receiving end of that kind of stuff, sometimes it's hard to, to...

Duane Laflotte:

Oh, absolutely.

W. Curtis Preston:

...it personal.

Duane Laflotte:

Right. Um, yeah.

W. Curtis Preston:

So, all right. I, I, I, um, I have one final area, and we've gone a little longer than we typically go. But I have one final area that I want to ask you about, and that is, so, you know, at its heart our podcast is about backups.

Duane Laflotte:

Mm-hmm.

W. Curtis Preston:

What do you know about backup systems as an attack surface?

Duane Laflotte:

So I have a very poignant example. Um, we just recently, um, were doing a pen test two weeks ago, uh, in an organization where we breached it over the backup system. Um, and I... So they were all virtualized, of course. Um, and they were backing up all of their VMs and we got access to the backup manager because the password for the backup manager was weak. Um, it was actually default passwords. 'Cause people think to themselves, it's a backup manager, what do I care? Right? What are they gonna, restore it? And that's what we did. We actually took the backup of the domain controller and pulled it over the internet to us and restored it in my own lab. And then were able to tear it apart, pull every single username and password. So I would be careful: that repository is just as sensitive as your primary network. It's not only your path to recovering from disaster, but from an attacker... I'm always looking for backup systems, um, and what I can pull out of those systems, right? So it's like pulling that data off. Um, you know, uh, backup accounts should have strong passwords and should be audited. Backup systems should be audited for who's trying to log in, et cetera. Um, backup service accounts that are running on boxes, we've seen far too often just have weak passwords. Um, and it's super easy for us to then compromise. And the thing about backup, backup is awesome, actually. Um, the, the backup service right on Windows gives you the ability to read any file without being audited. So, so you have all these auditing tools looking for users like reading files and opening secure files and whatever. But if you can request the SeBackup right? You can touch anything and nobody ever sees it. So from a, from a, from a surface of attack standpoint, like backups are like a win button for us. We're always looking for like, hey, do they have a backup system? Is there an account we can compromise that has SeBackup rights? 'Cause if so, you know, money, we can go open any file we want and nobody will know we were there. So yeah, I, I would absolutely say, uh, surface of attack is large there. Um, and you really need to go back to basics. Make sure good passwords, strong auditing on backup systems and, and don't just think it's your path for recovery. It could also be an attack target.

Prasanna Malaiyandi:

That's crazy. I did not know that about the Windows role.

Duane Laflotte:

It's so cool. So many cool things you could do. Privilege escalation from ransomware can be done through backups. I mean, there's so many cool things.

W. Curtis Preston:

Okay. I was, I was, I was, I was, I was excited and then I, and then I just, I just got really depressed right at the end there. I was like, God, it could be used for... yeah. You know, the thing that we try to tell, like I've been trying to, I, I, what this, this is gonna sound really weird, uh, especially given that you joined that, you know, you crossed over into cybersecurity in 2000. What I think we're having at this point is a 9/11 moment. And, and here's what I mean by that. Up until 9/11, the thinking was, oh, well, just like, don't do anything crazy with the hijackers. Uh, okay, they can have access to the, the thing, but what are they gonna do? Right? They're gonna, they're gonna wanna land the plane, they're gonna wanna hold everybody hostage so that they can release some prisoners. And a pri, you know, no one had ever said, hey, let's go train, you know, train the hijackers on how to, how to land a, you know, a 747 so that they're gonna use the, the plane as a bomb, right? Um, as the weapon itself. And, and what, that's what's happened with backup in the last, let's say five years. Is that the ransomware folks are definitely, um, they're, they have started seeing that two things. One is that if they can take out the backup system, you're more likely to pay the ransom. And two, the backup system is, like you said, this massive attack surface that, that could be used for exfiltration. I did...

Prasanna Malaiyandi:

Pot of gold.

W. Curtis Preston:

Until you, until you mentioned it, I didn't think about it being used for privilege escalation, uh, which makes it even more depressing. Uh, and, and the, the thing is that so many times the backup system is administered by the new guy. Right. It's,

Duane Laflotte:

That was my first...

W. Curtis Preston:

...the first job I ever got.

Duane Laflotte:

Oh, it was your first job?

W. Curtis Preston:

Yeah.

Duane Laflotte:

Mine too. And, uh, and I'll date myself. It was, it was these DLT tapes I was pulling out every day and then putting in these new, these... yeah.

W. Curtis Preston:

Yeah.

Duane Laflotte:

Yeah, yeah. Good times.

W. Curtis Preston:

Good times.

W. Curtis Preston:

Uh, well, well, Duane, I, this has been fascinating. Um, I don't know if I'm gonna be able to trim any of this down to our usual show size. So I hope that folks have enjoyed staying, uh, staying with us this amount of time. I want to thank you so much for coming on.

Duane Laflotte:

It was my pleasure, honestly. And this is, this was super easy, super comfortable. Honestly, any guy, anytime you guys wanna talk cyber or latest attacks, just hit me up. I'd love to chat.

W. Curtis Preston:

...the time, right, Prasanna? All the time. Don't we...

Prasanna Malaiyandi:

That's exactly what I was thinking. Yeah. I was like, just hearing the stories you talk about, Duane, it's like fascinating. It's like a world that like I've never really been exposed to, and just hearing the stories firsthand. Like Curtis always talks about backup stories, which is great 'cause I've never cut my teeth on backup. But like hearing like the stories you, or the experiences you have, I think it's eye-opening.

Duane Laflotte:

And horrifying. And, and you notice me, I get giddy when things break. Like the internet's on fire. I'm the guy going, woo-hoo. Like, let's see where this goes. Which I know is a little sadistic. I get it. But,

W. Curtis Preston:

Yeah. Well, um, yeah, so thanks, uh, thanks again also to our listeners. Uh, you know, we'd be nothing without you.