Our guest this week is a specialist in offensive cybersecurity; that is, they keep you safe by attacking you and showing you your vulnerabilities. They're a red team. We've got the leader of their red team, Duane Laflotte, to help us understand how hackers think – and what we can do to stop them. He confirmed some of the recommendations we often make (ahem: password managers good), but showed us some defenses aren't that helpful. A particularly relevant part for our backup audience is what he told us about the vulnerabilities of our backup systems. At least one of them Mr. Backup had never thought of. Duane is fun and scary all at the same time. I know this will be one of our top episodes this year.
Speaker:
Have you ever watched the movie Sneakers and wondered if companies like that really exist? Well, they do. And we've got the head of one of those companies here as our guest this week. I'm super excited, man. His stories are amazing and we learn what it's like to attack companies, essentially on their behalf. Right. Basically, he's the head of a red team and, uh, boy, was this a fun episode. I hope you like it too.
W. Curtis Preston:
Hi, and welcome to Backup Central's Restore It All podcast. I'm your host, W. Curtis Preston, a.k.a. Mr. Backup. And I have with me my Google Sheet consultant, Prasanna Malaiyandi. How's it going, Prasanna?
Prasanna Malaiyandi:
I am good, Curtis. I have years and years of experience with Google Sheets.
W. Curtis Preston:
Yeah. So, so we've been, we've been going through this, uh, you know, as of my recent purchase, two weeks now, as of as of yesterday, I now have my proud owner of a Tesla Model 3. Base model, 270 miles of range. And I've been trying to figure out whether or not it makes sense for those that don't live here, electricity, that here being San Diego, electricity is very expensive and you have to choose, you, you have all these plans to choose from that offer different costs for different times of the day, right? It's a time of use plans and especially for those of us that have solar and uh, there is an EV plan that offers super cheap rates, you know, way late at night, but it pumps up the rates, the other rates, one of them ridiculously. So it goes from 50 cents a kilowatt hour to 81 cents a kilowatt hour for the, for the peak time, which is four to 9:00 PM. So I was like, uh, I'm not sure if this will work out for us. Right. I could, I could potentially save a lot of money. I could potentially cost myself a lot of money, so I created this gigantic spreadsheet and Prasanna's been helping me through it. What do you think, how, how do you think we are on the how
Prasanna Malaiyandi:
Yeah. No, I think, I think your spreadsheet makes sense. Um, I think it's not too, I'm actually surprised that no one has built an online calculator to do this.
W. Curtis Preston:
I should have just given this to ChatGPT. Here's my usage, ChatGPT. Here's my usage for the year. 'Cause that's what I have is I have my usage for the peak, off peak and super off peak periods for the last year. And then plug in the rates for all of those and then the new rates for all of those. And it turns out, in my case, the break even point was if I'm going to charge at least 80 kilowatt hours per week in my Tesla, then it makes sense to switch over, which
Prasanna Malaiyandi:
250, or it's like 350 miles, right?
W. Curtis Preston:
Yeah, which is not gonna be a problem based on my driving patterns. There's a $16 a month thing to be on that plan. Um, and I,
Prasanna Malaiyandi:
But why do they charge you $16 a month? That's just highway robbery. You know it, it's not like anything really changes. You're still paying the transmission fees.
W. Curtis Preston:
It's called a utility. It's called a monopoly. You can't just go get electricity somewhere else, right?
Prasanna Malaiyandi:
Can live in a city that provides its own electricity like me.
W. Curtis Preston:
Oh, shut up, Prasanna. Prasanna pays, what is it, 15 cents a kilowatt hour.
Prasanna Malaiyandi:
So we pay 12 cents a kilowatt hour for the first 300 kilowatt hours, and then it goes up and get this, it goes up, it's astonishingly, astonishingly high to 14 cents. And this is no time of use. You just use it whenever you want.
W. Curtis Preston:
Yeah. So in order to do that, I just have to move from San Diego where the average home price is a million, up to Santa Clara, where the average home price is twice that. That's what I have to do to.
Prasanna Malaiyandi:
Santa Clara is not as expensive as the rest of the Bay.
W. Curtis Preston:
So it's only like 1.8 million.
Prasanna Malaiyandi:
Uh, you can get like one and a half, maybe something
W. Curtis Preston:
We'll see. We'll see that. Yeah.
Prasanna Malaiyandi:
That's a lot of miles driving in your car to make up that half a million dollar difference.
W. Curtis Preston:
It is. I would be driving probably back and forth from here to there. Stopping. Stopping at a supercharger along the way. Uh, anyway, our guest, uh, I'm sure has gotta be antsy at this point. He, uh, let's bring him on. Our guest today has specialized in offensive cybersecurity for over 20 years. He's the CTO and red team leader at Pulsar Security, which offers a comprehensive package of services designed to bring maximum security benefits at minimal cost without sacrificing quality. He's also a host of the Security This Week podcast. Welcome to the pod, Duane Laflotte.
Duane Laflotte:
Yeah, great. Great to be here. Thank you so much for, uh, for the invite. Um, and I was, I was itching at that electricity talk. Do you use any solar or no solar?
W. Curtis Preston:
Yeah, I have solar, but the solar system was designed for when I didn't have an EV.
Duane Laflotte:
All I'm saying is how did they read how much electricity you use? They use that smart meter outside.
W. Curtis Preston:
Yeah. The smart
Duane Laflotte:
And they drive by and they pick up a 900 megahertz signal or a 2.4 gigahertz signal from that
W. Curtis Preston:
The, I like the way you're, I.
Duane Laflotte:
If you were to, if you were to saturate that band, uh, you probably would be using no electricity. Just throwing that out there and this is what my job is. How do we break, how do we break these things where they
Prasanna Malaiyandi:
So unfortunately, Duane, for me, so we have a smart meter too, but what our city has done is they've put basically wifi access points all throughout the city. And so you get free wifi anywhere in Santa Clara, which is great, but at the same time, they don't have to drive by anymore, and it just automatically connects to those and downloads the data.
Duane Laflotte:
The other thing that's interesting is your smart meter, it probably has a MAC address to connect into that particular thing. So if you deauth your own smart meter, it will never connect to the wifi. Which means,
W. Curtis Preston:
You would of course not suggest doing such things, but
Duane Laflotte:
No, of course
W. Curtis Preston:
You're saying theoretically speaking,
Duane Laflotte:
Theoretically, from a networking red team standpoint, it might be what I would do. Um,
W. Curtis Preston:
If per chance you were doing a, a pen test for SDG&E or um,
Duane Laflotte:
Yes. Is this where you guys put the legal disclaimer in the,
W. Curtis Preston:
Yeah. Oh, actually, you know what I
Duane Laflotte:
Duane says,
W. Curtis Preston:
Yeah, yeah. No. What I, well, what I will share out is our, our usual disclaimer that this is an independent podcast, and the opinions that you hear are ours, not our employers', if we have one. And, uh, also, if you wanna be a part of the conversation, please reach out to me at W. Curtis Preston at gmail, or, uh, WC Preston on Twitter or linkedin.com/in/mrbackup. That's Mr. Backup on LinkedIn. And, uh, we'll get you on here and talk about what you like to talk about, uh, as long as it's stuff we like to talk about. Um, anyway, so, so, Duane, for those that I, I think most people probably know about red team and blue team, but why don't you tell us what a red team
Prasanna Malaiyandi:
Isn't there a purple team?
Duane Laflotte:
There is, yeah. Purple's, purple's kind of the new thing. Um, it used to be they would just pit the teams against each other. So blue team is defense, right? It's the guys who really like reading through logs and looking for bad guys. Um, the, the red team, we are, uh, we are the offensive team, so we like pretending to be the bad guys. Um, and thinking all of the, well, how could I get my smart meter off of the electric grid thoughts? Um, and then putting those in action, um, and, and, and attacking an organization. And that involves everything from, um, you know, 'cause a lot of people throw around terms like pen testing or vulnerability scanning or red teaming. And those are three very different things. From the red teaming side, it's holistically looking at the company. So it's everything from the employees, um, to what sites they view, uh, you know, from the company to, uh, who are your partners as a company that we could use to maybe leverage to get into the organization, um, to, uh, we've had teams. Uh, the reason I talk about jamming sensors and whatnot, we actually do have teams that will physically break into organizations. Um, and I can tell you that all the motion sensors on most alarms are 900 megahertz. And I can saturate that, walk through a building without a motion sensor going off. So there's like all sorts of really cool things that we as a red team will be trained to do. It looks very much like thievery. Um, but we're the good guys, I promise. So that's, that's our job. And purple is the mix, right? It's people who know a little bit of that offensive and a little bit of defensive, um, just to be better on both sides.
W. Curtis Preston:
So would another term for that be ethical hacking?
Duane Laflotte:
Yes. Yeah. Ethical hacking, um, is definitely another term people use for that. They, people have moved away from ethical hacking. Um, a little bit more to more focused terms. 'Cause cybersecurity's so big at this point. Um, it used to be like if you were in cyber, you kind of did the same thing. You looked a little bit at, you know, offensive, you did a little bit of coding, you did a little bit of whatever. Um, and, and that ethical hacker is really that generalist. Um, then you move into like, the really focused sides of even offensive cybersecurity. Like if we just talk about offensive, um, I have people on my team who are reverse engineers. So what they will do is tear apart a system, take, um, there's one company we broke into the company through a TV, um, that, that was sitting in their lobby that was connected to the wifi. So how did we do that? We literally bought one of the TVs, tore it apart. Um, attached a, a Bus Pirate and a JTAGulator to the, the, the system, ripped the firmware off the chips and read through the firmware and found an exploit and then used that to, to break into the TV. Um, that's a specialty in and of itself. Then you have, you know, your, your web developers who are really good offensive, you know, web certified experts who know how to tear apart things like Angular and .NET and understand how all that works, but wouldn't necessarily be your reverse engineers and wouldn't necessarily be your network guys who are offensive network who understand, you know, spanning trees and how I can manipulate a network and how mDNS works and like how to break all that, who are entirely different from the guys who are cloud, like how to manipulate, pulling universal keys from the cloud and how to get the cloud to, how to get two clouds to attack each other. 'Cause they're never gonna block each other. Like, that's all tactics as well. So it's definitely like been been specialized since the ethical hacking term came out.
Prasanna Malaiyandi:
That is like my, sorry, my mind is just like blown just hearing what you just talked about. 'Cause that covers such a broad spectrum. Right? And I. I wonder when people think about defending themselves from hackers, right? Are they sort of pigeonholing themselves? Because I know Curtis, we've always talked about, okay, make sure you prevent lateral movement, make sure that you have multi-factor authentication, right? All the rest of these things. But there's, like you were saying, Duane, there's other ways, like through partners, through like that TV, right? You didn't even think about that as an IT person maybe, and you're like, ah, it's just a TV, whatever.
W. Curtis Preston:
Of course, I, I would tell, tell me, Duane, tell me, tell me, tell me I'm wrong and it is totally okay. 'Cause this is not my bag. The, the, the problem, the, the, the, uh, mistake that that company made was that this smart TV, this network-based TV was on the same network that the rest of every, that the rest of their corporation was on.
Duane Laflotte:
Yes. Yeah. So part of it, absolutely, this particular customer, it was on the same network. Um, but what we have seen before is a guest network, right? Um, isolated, no devices. And then we'll see people connected to the guest network who are also connected to the executive or to the internal network. And the reason they do that is because in the lobby, they don't get the corporate network. So they're like, oh, well the guest network's here, so I'll connect to it. So what's really nice is once they connect to it, like when they leave the building, we can emulate the guest network. They'll connect to us. We'll drop a piece of, uh, malware or, or a captive portal or whatnot on their, on their device. When they walk it back into the building, that portal will then beacon out to us, and now we have access to the corporate network. So, you know, we, we definitely see, even though you isolate it, you can't pull the humans out of the system unfortunately, for the most part.
W. Curtis Preston:
If we could just get rid of all those damn users, the, our computer
Duane Laflotte:
Right.
W. Curtis Preston:
would be a lot.
Duane Laflotte:
Yeah.
W. Curtis Preston:
A lot safer. Absolutely. Um, yeah. Goodness gracious. Yeah. I, when I talk to somebody like you, I've, I've had, I've had a handful of conversations with, you know, folks on the offensive side, uh, throughout my career, and I always walk away just super depressed. I'm just like, like, why even try, you know, um, you
Prasanna Malaiyandi:
Did you have that story, Curtis, about the guy who, with the various uniforms who would break into buildings?
W. Curtis Preston:
Oh yeah. I mean, yeah. So I, I, I know a guy that does physical, uh, pen testing, right? Um, and his job is, is to physically get into a place that he's not allowed to be, take a selfie and, you know, GTFO, right? And, um, and he just, uh, and uh, he just told me, he's like, I have never, never not been able to get into where I was supposed to get into. Right. It, it's all about social engineering and, and sometimes it's about, uh, but, uh, card scanning, right? Um, you know, scanning somebody's, uh, uh, what are those called? The what? No, I know what it's called, the badge. But
Duane Laflotte:
Yeah, yeah, yeah. The RFID,
W. Curtis Preston:
That, that's what I was thinking, the RFID badges, right? Um, I heard, I heard a talk, um, you know, it was, uh, Kevin Mitnick once talking about, you know, the scanning badges in a bathroom, which just, it was just wrong, but it was, it was just like, it's just so easy, right? Because you're just a little weird, a little weird. Um, but, um, yeah. Well, well, let me ask you, so here, so here's what's funny. So it, when I think back, I, I'm a, I'm a big movie buff, right? When I think back, the only like red team type stuff that I've seen depicted, uh, a lot or like an entire movie based around it was Sneakers. Um, do you remember that movie?
Duane Laflotte:
Oh, like a fantastic movie. Sneakers. Yeah,
W. Curtis Preston:
Pretty good, right? I mean, it's, it's funny, I immediately thought of Sneakers when you were talking about the motion sensors, because you remember what they did. They raised the, they raised the temperature of the entire room to 98.6,
Duane Laflotte:
And what's, what's funny about that is that's not far off. So, you know, looking from my red team's ex, like as the red team leader, I'm playing Robert Redford's job, right? So I'm going through an understanding like, okay, cool, we got this target, how do we attack it? And, and I have my specialists, I have my Mother who, who understands, you know, sensors and, and understands, you know, uh, different wavelengths and signals and that sort of stuff. And I, you know, I have my, uh, you know, my, my face guy who's good at talking to people and that sort of thing. So I'm planning this out. I'm like, okay, here's how we're gonna attack, here's how we're gonna do whatever we do. But looking at Sneakers from, from my perspective, my job, you go, okay, cool. Well, they got access to the temperature control system. Is that even possible? Um, and, and sure enough about, uh, about a month ago we were pen testing a bank. Um, I, I like to call it the bank job. We were doing the bank job. Um, and, and as we were, as you were doing the bank job, this is, uh, it's about a month ago, so it was in May, early May, cold up here, cold-ish at night. Um, we did sure enough, get access to the HVAC system. Um, and, and what could we have done with it? We were like, okay, we could shut it off. Um, and it gets cold enough at night where maybe pipes freeze and burst and that sort of stuff. We could crank it up, I guess, but then, you know, I started thinking about Sneakers. I was like, oh my gosh. So if they're using infrared and we could crank it up, we could get in the building. But yeah, so it's, you know, it's entirely as you go back and look at that movie, um, it was impressive how much stuff they got right. From a, you know, what you might do as a red teamer is very cool.
Prasanna Malaiyandi:
Yeah,
W. Curtis Preston:
Have you, Prasanna, have you seen this movie?
Prasanna Malaiyandi:
I'm trying. I don't think I have.
W. Curtis Preston:
It is, uh, it's a, I mean, I don't know. Yeah, I don't know. I mean,
Duane Laflotte:
list.
W. Curtis Preston:
Yeah. I don't know how much of it is just complete BS, but it is a fun movie to watch. They get, I think they get a lot of stuff, interestingly. Right. Um, I mean, just the, just the whole thing of like the scene where Robert Redford's got a bunch of packages, he's got balloons and he's like, can you, can you just buzz me through, you know? Um, and, uh, so what you're telling me, Duane, is you, you play the role of the devastatingly handsome disarming guy who disarms
Duane Laflotte:
That's what I like to, yeah, that's, I mean, I wouldn't, I wasn't gonna put that label on it, but thank you. Yes. Um, but you know, honestly, it's a great movie to watch. I mean, you've got really good actors in there. You've got Robert Redford, Sidney Poitier, um, Dan Aykroyd. Ben Kingsley. Right. Um, yeah, there's, uh, River Phoenix is, there's like a ton of really good actors in. That's fantastic.
Prasanna Malaiyandi:
So speaking of movies or entertainment, I know Curtis, you had put me on to a TV show called The Undeclared War, Duane. Have you seen that?
Duane Laflotte:
I haven't, I have not
Prasanna Malaiyandi:
It was on Peacock. Yeah, it's on Peacock, and it's basically a fictional story about a cyber attack by Russia against the UK.
Duane Laflotte:
Ooh, okay. I'm adding it to my list. I've, I've looked it up. I've added it to my list. I'm excited about
W. Curtis Preston:
Yeah, it's a series. Go ahead, Prasanna.
Duane Laflotte:
Well, and so, sorry, go ahead.
Prasanna Malaiyandi:
No, no, no. Go ahead.
Duane Laflotte:
I was gonna say, it's, it's interesting when we bring up movies and whatnot because you, you find polarizing, um, people in the cybersecurity space where some people in cybersecurity are like, oh my God, I can't watch those movies. 'Cause it's, it's, it's like being a doctor and watching, you know, uh, ER and you're like, they would never do any of that crap. Um, and I'm on the other side of it where I'm like, I love watching these movies 'cause they like, they're part of the, it's the passion of cybersecurity and hacking that I got in the nineties, right? And I watched Hackers and I watched Sneakers and I watched WarGames and, and it was that, that awe of how could you tear a system apart? How could you make it do things that it was never even designed to do? Um, and, and bend it to your will as a red teamer. And, and that's what these movies and these shows do for me, is they bring that, that awe back, right? Um, even though some of it might not technically be true, it doesn't matter. Um, so yeah, it's on my, definitely on my list.
Prasanna Malaiyandi:
So given that you do offensive security, right, red teaming, and I know we'll talk more about that. I guess the question is, in your personal life, doesn't it freak you out a bit? Like what do you do to protect yourself against some of those things? You know, like the fact that you're surrounded by this all the time, trying to break things. Does that sort of translate into your personal life where you're like, okay, RFIDs can be hacked, so I'm gonna get one of those wallets that block RFIDs all the time, right? Wifi network. I'm just gonna keep everything unplugged all the time. Like nothing comes on my network.
Duane Laflotte:
Yeah, it's a great question.
Duane Laflotte:
And I also have, um, I have probably three of the, uh, um, I.
Duane Laflotte:
Worst end users from a cybersecurity standpoint.
Duane Laflotte:
You could imagine.
Duane Laflotte:
I have three children and they're they'll, they, like, you can never
Duane Laflotte:
tell them what to visit or not visit or click on or not click on.
Duane Laflotte:
It's just, it is what it is.
Duane Laflotte:
So, um, so it's interesting, it's twofold.
Duane Laflotte:
One, yes, there are certain things I take into account in my daily life that
Duane Laflotte:
I notice a lot of people don't like.
Duane Laflotte:
I use a password manager all the time for all my passwords because, you know, using
Duane Laflotte:
the spreadsheet, if the spreadsheet gets compromised in some ways somebody gets it.
Duane Laflotte:
I'd rather have a company who focuses on managing passwords and
Duane Laflotte:
sometimes they do it wrong, right?
Duane Laflotte:
Like KeyPass, but more often than not they're gonna get it right.
Duane Laflotte:
So there are little things like that where I get paranoid and
Duane Laflotte:
I go, yes, I wanna do that.
Duane Laflotte:
I turn on two f a for everything.
Duane Laflotte:
I have all of my accountant credit locked through the three different, uh, you know,
Duane Laflotte:
providers, your credit, Equifax and all those guys, uh, Experian and whoever else.
Duane Laflotte:
So there are certain things I do because I'm a cybersecurity professional
Duane Laflotte:
and I can see, you know, we have access to all the deep dark web.
Duane Laflotte:
Information on all the people, and I'm like, oh my God, I can see all this info.
Duane Laflotte:
But from another standpoint, I worry less because I know how hard
Duane Laflotte:
it is to break into a smart device.
Duane Laflotte:
Like I know how hard it is to reverse engineer a chip and
Duane Laflotte:
figure out a way to break into it.
Duane Laflotte:
So from that standpoint, if I just, yeah, you know what?
Duane Laflotte:
I'm gonna set a strong password on my wifi.
Duane Laflotte:
Like I, we have a crack cluster at the office, um, that has, at
Duane Laflotte:
this point, I think it has 40 or 50, um, 30, 90 GPUs in it.
Duane Laflotte:
So, and talk about electricity.
Duane Laflotte:
Woo.
Duane Laflotte:
Um,
W. Curtis Preston:
you might consider moving that to Prasanna's neighborhood.
Duane Laflotte:
I might have to think.
Duane Laflotte:
I'm gonna have to, um, so we can guess about we, if we grab a, a
Duane Laflotte:
crack, a hash from a password.
Duane Laflotte:
So just a little bit.
Duane Laflotte:
If your users aren't breaking into wireless networks all the time, um, I.
Duane Laflotte:
Uh, if, if I go up to a wireless network, I can see all of the clients
Duane Laflotte:
that are connected 'cause it's all over 2.4 gigahertz wireless.
Duane Laflotte:
Everybody can see those signals.
Duane Laflotte:
They're open, um, but they're encrypted between the client and the access point.
Duane Laflotte:
But I can tell the client to get off the access point.
Duane Laflotte:
I can d off it, I can say, Hey, I'm the access point.
Duane Laflotte:
Get off the, get off the, the access point just for a couple minutes
Duane Laflotte:
and it'll de off that client.
Duane Laflotte:
And then the client, when they reconnect, we'll see a handshake, right?
Duane Laflotte:
And that handshake's an encrypted password.
Duane Laflotte:
But we can take that and then we can try and crack it.
Duane Laflotte:
So I can then take that handshake, take seconds to get, I can pull
Duane Laflotte:
it on my offline cracker and, and our offline cracking device.
Duane Laflotte:
Can guess 3 billion passwords a second.
Prasanna Malaiyandi:
Wow.
W. Curtis Preston:
Wow.
Duane Laflotte:
So you say, you say to yourself, well, okay, shoot, my
Duane Laflotte:
wireless is probably not secure.
Duane Laflotte:
Um, but if you start looking at the math of it, you say, listen, if it's,
Duane Laflotte:
if your password for your wireless is in any list of passwords ever, Right.
Duane Laflotte:
Um, so if you go to have I been p.com right?
Duane Laflotte:
And you type in your wireless password and click check and it's in the list.
Duane Laflotte:
Yeah, they can get it in seconds, but let's say it doesn't show up on that,
Duane Laflotte:
that in any list now it's a mathematics, uh, problem to, to brute forcing.
Duane Laflotte:
So let's say minimum password's eight characters.
Duane Laflotte:
And I can do that in, uh, let's say a day.
Duane Laflotte:
And that's actually quicker than that.
Duane Laflotte:
It's about an hour for me to do an eight character.
Duane Laflotte:
All uppers, lowers, numbers, whatever.
Duane Laflotte:
If you put nine characters on that, and, and let's say we don't do, um, all uppers,
Duane Laflotte:
we don't do all special characters.
Duane Laflotte:
We don't do all numbers.
Duane Laflotte:
That's still 26 times an hour.
Duane Laflotte:
So we're looking at a day now.
Duane Laflotte:
We do an, we do a 10 character password.
Duane Laflotte:
It's 26 days.
Duane Laflotte:
We do an 11 character password.
Duane Laflotte:
Right now we're ending up at 26 months.
Duane Laflotte:
We're at two years for us to break that, and that was just
Duane Laflotte:
all lowercase characters.
Duane Laflotte:
So the longer that password is, as long as it's not in a list, I personally
Duane Laflotte:
know how hard it would be to crack.
Duane Laflotte:
So I'm like, ah, we gotta have 15 character password.
Duane Laflotte:
It's reasonably good.
Duane Laflotte:
Some uppers and lowers.
Duane Laflotte:
Nobody's gonna crack it.
Duane Laflotte:
It's just not gonna happen.
Duane Laflotte:
Um, so it's a great question because a lot of people are like, you know, oh my gosh.
Duane Laflotte:
And for me, I calm down on certain things, but other things I do reasonable stuff.
Duane Laflotte:
My family, however, like my wife, like, she will give valid
Duane Laflotte:
emails from family members.
Duane Laflotte:
She's like, I'm not clicking on that.
Duane Laflotte:
No, I know, I hear all the dark stories.
Duane Laflotte:
I'm not, I'm not clicking on anything.
Duane Laflotte:
Like, if she gets a phone call from someone, she's like, Nope.
Duane Laflotte:
And I'm like, I, I think that was our bank.
Duane Laflotte:
She's like, Uhuh, I'm not.
Duane Laflotte:
I'm so, yeah.
Duane Laflotte:
I think my family takes the brunt
W. Curtis Preston:
You know, my
W. Curtis Preston:
my favorite thing, and it used to, it was a different bank that I'm at right
W. Curtis Preston:
now, but they, they would call for, basically it was a fraud alert, right?
W. Curtis Preston:
That, that I would have a, I would have a potentially fraudulent
W. Curtis Preston:
charge and then they would call me, they call me from a rando number.
W. Curtis Preston:
Right.
W. Curtis Preston:
Um, and even if it said different number, I wouldn't believe it.
W. Curtis Preston:
But they call me and they're like, this is ABC Bank.
W. Curtis Preston:
Um, we'd like to talk to you about a potentially fraudulent charge.
W. Curtis Preston:
Please authenticate yourself.
W. Curtis Preston:
And they want me to like, they want me like, you called me, right?
W. Curtis Preston:
You want, and they're like, this is the process.
W. Curtis Preston:
Like, you want me to give you, like, they wanted like, like my social or
W. Curtis Preston:
something for me to authenticate my, like, you called me like you don't, like,
W. Curtis Preston:
you don't understand how stupid this is.
W. Curtis Preston:
Like, I was so angry.
W. Curtis Preston:
I was like, I like, I'm glad you called me for a fraud alert.
W. Curtis Preston:
But I'll tell you what, I'll call you, right?
W. Curtis Preston:
I will call the, the known number for the bank, and then I will authenticate myself.
W. Curtis Preston:
I'm not giving my social to some rando who just showed up on a phone number.
W. Curtis Preston:
Like, what, what are you thinking?
Duane Laflotte:
And I think what the, the worst part of that.
Duane Laflotte:
Um, you, like, you are savvy in the security world, so you're like,
Duane Laflotte:
okay, this, this doesn't feel right.
Duane Laflotte:
But I think the worst part is the bank is training their normal, you know,
W. Curtis Preston:
right,
Duane Laflotte:
that this is the normal process, right?
Duane Laflotte:
We're gonna call you.
Duane Laflotte:
So when they get a call from a spammer, they're like, oh, well this is the normal
W. Curtis Preston:
Yeah, exactly.
Duane Laflotte:
Just like they used to train if you click
Duane Laflotte:
on links and emails, right?
W. Curtis Preston:
Just like, uh, years ago when I worked at, uh, at a bank, we
W. Curtis Preston:
would, uh, train, they all, everybody got regular cybersecurity training and it, and
W. Curtis Preston:
one of the things that we told 'em was, no one in IT will ever, ever, ever call
W. Curtis Preston:
you and ask you for your password, ever.
W. Curtis Preston:
Right.
W. Curtis Preston:
And then the next day after training, someone from IT would call them
W. Curtis Preston:
and ask them for their password.
W. Curtis Preston:
And it worked like 20% of the
Duane Laflotte:
yeah.
Duane Laflotte:
And they'd always give it, they're like, oh, they're from IT.
Duane Laflotte:
Of course.
Duane Laflotte:
Yeah.
W. Curtis Preston:
from IT.
W. Curtis Preston:
We're like, oh, you're
Prasanna Malaiyandi:
what could you do though to train users, though?
Prasanna Malaiyandi:
I think that's like the hardest challenge, right?
Prasanna Malaiyandi:
Or one of the biggest challenges,
Duane Laflotte:
So I, I think it is, and I think it's not, I think we, I
Duane Laflotte:
think in some ways we've been trained as people to stop listening to that voice
Duane Laflotte:
in your head that says, this is weird.
Duane Laflotte:
Um, so I like to think of humans as almost like networks.
Duane Laflotte:
'cause I understand networks, uh, and they kind of make sense.
Duane Laflotte:
So imagine you are a, you're a network and you have this, this
Duane Laflotte:
intrusion detection in your head.
Duane Laflotte:
And there are certain times we've gone through, we've all gone through this
Duane Laflotte:
where we're on the phone, somebody asks us a question, we, we answer
Duane Laflotte:
it, then they ask another question.
Duane Laflotte:
We go, wait, this is weird.
Duane Laflotte:
Like, I've never been asked this question over the phone before.
Duane Laflotte:
Nobody's ever asked me for my social.
Duane Laflotte:
Nobody's asked me what the last four digits on my credit card like, No, no,
Duane Laflotte:
but then we go, oh, well this, you know, I wanna be nice, I wanna be polite.
Duane Laflotte:
I'm not gonna, right.
Duane Laflotte:
So we get to that, that where we just disregard all the alarms we,
Duane Laflotte:
we have in our head because we're like, well, I'm on with this person
Duane Laflotte:
and they must be well-meaning.
Duane Laflotte:
Um, and I think we need to get back to you listening to those voices in your head.
Duane Laflotte:
There's, you know what?
Duane Laflotte:
This doesn't feel right then.
Duane Laflotte:
It probably isn't.
Duane Laflotte:
Um, if it's not something you normally do, if it calls you up every day and
Duane Laflotte:
asks for your password, you know, great.
Duane Laflotte:
I, I get it.
Duane Laflotte:
Yeah.
Duane Laflotte:
You give them the password and no harm, no, no, uh, fault on yours.
Duane Laflotte:
But if they've never called you up and then they call you up, like, that's weird.
Duane Laflotte:
Even if really is it?
Duane Laflotte:
So, you know, I wouldn't, yeah.
Duane Laflotte:
I think you need to, I need, that's how I like to train users is like, really
Duane Laflotte:
listen to that voice in your head.
Duane Laflotte:
If it's something you've never done before, um, don't start now.
Duane Laflotte:
Right.
Duane Laflotte:
Find other ways to verify.
Prasanna Malaiyandi:
But then how do you train them?
Prasanna Malaiyandi:
Taking that and the flip side of that, right.
Prasanna Malaiyandi:
How do you train them to start doing things then?
Prasanna Malaiyandi:
Because if they've never done it before, then how do you start to
Prasanna Malaiyandi:
build that voice in their head?
Duane Laflotte:
Yeah, so that's a good question too.
Duane Laflotte:
Um, what I typically do then is say, listen, when that voice goes off in
Duane Laflotte:
your head, um, and, and you're like, this is odd, this isn't the right thing.
Duane Laflotte:
What you need to do is start thinking about alternate paths,
Duane Laflotte:
alternate uh, communication paths.
Duane Laflotte:
So, like Curtis had said, when the bank called him, he said, this is weird.
Duane Laflotte:
I'm out.
Duane Laflotte:
What I'm gonna do though is I'm gonna look on the back of my credit card.
Duane Laflotte:
I'm gonna find that number that's on the back of my credit card
Duane Laflotte:
and I'm gonna call you back.
Duane Laflotte:
Now would that be fail safe a hundred percent of the time?
Duane Laflotte:
Uh, listen, if you're getting attacked by a nation state, they
Duane Laflotte:
would've tapped into the phones and it wouldn't have mattered, right?
Duane Laflotte:
So we gotta assume a nation state's not coming after each of us.
Duane Laflotte:
'cause at that point, we're kind of in trouble anyways.
Duane Laflotte:
Um, but if it was a random spammer, yeah, you verified via an alternate channel.
Duane Laflotte:
So that's typically what I'll do is say, listen, if something's weird,
Duane Laflotte:
get outta that particular thing.
Duane Laflotte:
Whether it's an email, whether it's text messages, um, whether
Duane Laflotte:
it's, you know, a phone call.
Duane Laflotte:
Just get outta that and find an alternate way to communicate.
Prasanna Malaiyandi:
Hmm.
Duane Laflotte:
Now I say alternate way and I stress that because
Duane Laflotte:
we, we had a customer, um, that unfortunately lost, uh, hundreds of
Duane Laflotte:
thousands of dollars in a a scam.
Duane Laflotte:
And, um, their boss sent them an email saying, Hey, we need to change our ACH.
Duane Laflotte:
That should have been red flag.
Duane Laflotte:
How often do you change your ACH for bank to bank transfers
Duane Laflotte:
for a particular vendor?
Duane Laflotte:
Um, and we said, and they, and that person then said, listen, I verified,
Duane Laflotte:
I did what you told me to do.
Duane Laflotte:
I verified to make sure that this was right.
Duane Laflotte:
And we said, okay, cool.
Duane Laflotte:
What alternate channel did you use?
Duane Laflotte:
And, and we said, they said, well, I sent an email to my boss asking, you
Duane Laflotte:
know, if this was a real transaction.
Duane Laflotte:
We're like, but didn't your boss communicate over email?
Duane Laflotte:
And they were like, yeah.
Duane Laflotte:
And we're like, that's not an alternate path; you used the same path.
Duane Laflotte:
So what had happened is the hacker actually, and 'cause a lot of us would
Duane Laflotte:
notice that like fake Gmail account saying, it's your boss, this particular
Duane Laflotte:
boss, their email got compromised.
Duane Laflotte:
So they were in their inbox.
Duane Laflotte:
So it's like, no, there's nothing you, you like different path.
Duane Laflotte:
Call them, talk to them face to face, especially when we're
Duane Laflotte:
starting to talk with big money.
Duane Laflotte:
Right.
W. Curtis Preston:
Yeah,
Duane Laflotte:
would be my suggestion.
W. Curtis Preston:
yeah.
W. Curtis Preston:
I've seen the, I've seen and heard of that, um, and I've seen it and heard of
W. Curtis Preston:
it where, where basically they have hacked the entire email system and the, and then
W. Curtis Preston:
customers are using email as their MFA.
W. Curtis Preston:
Right?
W. Curtis Preston:
And so they, they, they, you know, basically, and they use that to basically
W. Curtis Preston:
at that point, they've taken over, right?
W. Curtis Preston:
They can do whatever they want.
W. Curtis Preston:
They can reset passwords, they can then authenticate that with
W. Curtis Preston:
the MFA, uh, which is why email and, and SMS suck as MFAs.
W. Curtis Preston:
Um, and you know, and speaking of, speaking of which, you know, uh, we, you
W. Curtis Preston:
know, recently in the last few years, right, you know, I've been pushing
W. Curtis Preston:
more of MFA on, on myself as well, which includes pushing it on my wife.
W. Curtis Preston:
And there's a lot of things that she doesn't do very often.
W. Curtis Preston:
And then she'll, I, I remember a couple of weeks ago where she went to go
W. Curtis Preston:
log onto something and she got angry.
W. Curtis Preston:
She says, oh crap.
W. Curtis Preston:
Like, that's right.
W. Curtis Preston:
I gotta go get that thing right.
W. Curtis Preston:
I gotta go get the MFA thing to get the thing to put in the thing.
W. Curtis Preston:
And I remember getting angry at that moment going, yeah, who cares
W. Curtis Preston:
about having So having security, like, I'm sorry that you gotta spend
W. Curtis Preston:
an extra 30 seconds to protect all the money we have in that account.
W. Curtis Preston:
Uh, anyway,
W. Curtis Preston:
I
Prasanna Malaiyandi:
I remember that.
Prasanna Malaiyandi:
I actually remember that conversation,
Prasanna Malaiyandi:
Curtis.
W. Curtis Preston:
Um, so let me, let me ask you this, Duane.
W. Curtis Preston:
So, you know, I, so I like the password manager.
W. Curtis Preston:
We're, we're a big fan of those here.
W. Curtis Preston:
Um, and we've covered, we've also covered the, you know, the major, I believe,
W. Curtis Preston:
just pause, it was LastPass, right?
W. Curtis Preston:
That was the major hack
Duane Laflotte:
Uh, LastPass.
Duane Laflotte:
Yeah.
Duane Laflotte:
What's LastPass? Was LastPass?
W. Curtis Preston:
Yeah.
W. Curtis Preston:
Um, and I, yeah, so yeah, we've also covered like the big LastPass hack and it
W. Curtis Preston:
just, like, it sounded bad, it got worse and it just, it just never got better.
W. Curtis Preston:
Um, and so it's, so no, no one password manager is, is perfect.
W. Curtis Preston:
Uh, and if, if something becomes compromised, it's time to move.
W. Curtis Preston:
But that doesn't mean the concept of password managers is wrong and
W. Curtis Preston:
tell me something that's better.
W. Curtis Preston:
That's what I want to know.
W. Curtis Preston:
Right.
W. Curtis Preston:
Um, because, you know, you talk about password length, I've just been over
W. Curtis Preston:
it because I have a ridiculous number of passwords in my password manager.
W. Curtis Preston:
Um, the, um, I, I just, I keep setting 'em to like 20, like 20
W. Curtis Preston:
has been my, has been my number.
W. Curtis Preston:
Right.
W. Curtis Preston:
And, um, by the way, while you were talking about it earlier,
W. Curtis Preston:
I counted the number of.
W. Curtis Preston:
Characters of my wifi password.
W. Curtis Preston:
It is 18, so I felt I
Duane Laflotte:
I'll see.
Duane Laflotte:
You're good.
Duane Laflotte:
You're good?
Duane Laflotte:
Yeah.
W. Curtis Preston:
Um, and it, and it, and it's not, it's not, and I've been
W. Curtis Preston:
pod um, I am definitely, I've definitely had some accounts that got, um, that
W. Curtis Preston:
got hacked or whatever, but who hasn't?
W. Curtis Preston:
Um, so besides password manager and MFA, uh, and, uh, and, um, pa um, sorry, patch
W. Curtis Preston:
management, what would you think are, are the next sort of best bang for the buck?
W. Curtis Preston:
That, and, and, and again, let's just, let's just do context.
W. Curtis Preston:
What our audience is typically really worried about is the ransomware
W. Curtis Preston:
hacks and Exfil and exfiltration, um, of, of that data, which what we're
W. Curtis Preston:
hearing is that exfiltration is now step one of a coordinated attack.
W. Curtis Preston:
Right.
W. Curtis Preston:
Um, so that's why we talk a lot about lateral movement, right?
W. Curtis Preston:
Trying to limit, limit lateral movement.
W. Curtis Preston:
Uh, what would you say are the next.
W. Curtis Preston:
Few things that would stop a guy like you,
Duane Laflotte:
Yeah, that's a great question.
Duane Laflotte:
So here I'm gonna, I'll, I'll spill some of the secrets, um, from
Duane Laflotte:
our, from our red team tactics.
Duane Laflotte:
Um, and, and sadly I'd say all of these are going to distill down to policy.
Duane Laflotte:
That's it.
Duane Laflotte:
It's gonna be, here are the policies you should be following
Duane Laflotte:
to make yourself more secure.
Duane Laflotte:
Um, so exfil is always one of the big things, um, that, that a lot of
Duane Laflotte:
our customers are concerned with as well, especially when we're doing
Duane Laflotte:
banks, um, financial organizations, embassies, that sort of stuff.
Duane Laflotte:
Anything we can exfil is important and, and that's why there's this
Duane Laflotte:
massive DLP market out there.
Duane Laflotte:
Right, looking for exfiltration of data.
Duane Laflotte:
Did it go over email?
Duane Laflotte:
Is somebody trying to upload a file to a website?
Duane Laflotte:
Something along those lines.
Duane Laflotte:
Um, I can tell you, uh, the red teamers as well as the, the hackers out there
Duane Laflotte:
are not uploading data over Port 80.
Duane Laflotte:
They're not uploading data over port 443.
Duane Laflotte:
Um, they're not, you know, they're not using the standard channels because
Duane Laflotte:
there are so many other ways for us to exfil data out of an organization.
Duane Laflotte:
Um, so for example, um, the first thing we do when we break
Duane Laflotte:
into a company, um, and we
W. Curtis Preston:
can I, can I, sorry to interrupt you,
W. Curtis Preston:
but can I ask you a question
Duane Laflotte:
sure,
W. Curtis Preston:
Why not?
W. Curtis Preston:
Because if they were uploading over that port, it would seem like
W. Curtis Preston:
it would be a lot easier to do.
Duane Laflotte:
it's absolutely a lot easier to do, but it's,
Duane Laflotte:
it's a, it's too watched.
Duane Laflotte:
Um, so everybody knows to watch all the web traffic.
Duane Laflotte:
Um, so even, even if I were to break up what I'm exfilling into small parts and
Duane Laflotte:
then like turn it into hex and then try and post it to a website, a lot of
Duane Laflotte:
your DLP solutions are looking at the reputation of the website I'm posting to.
Duane Laflotte:
Right.
Duane Laflotte:
And they're, they start doing that analytics of that communications chain.
Duane Laflotte:
Um, and, and HTML communications, HTTP communications are very well understood.
Duane Laflotte:
So it's easy for a corporate organization to go, well, we're
Duane Laflotte:
not gonna allow anything out other than through this proxy.
Duane Laflotte:
And we, we are going to then man in the middle with a certificate
Duane Laflotte:
so we can see all that traffic.
Duane Laflotte:
So it's, it's risky for somebody who wants to break into a company and, and steal
Duane Laflotte:
data, um, to, to go over those ports.
Duane Laflotte:
They just won't anymore.
Duane Laflotte:
It just doesn't make sense.
Duane Laflotte:
And that is, it's super, it's, it's like, it's like we're, we're
Duane Laflotte:
sitting out in a field, right?
Duane Laflotte:
And, and port 80 is this steel door in the middle of the field.
Duane Laflotte:
And, and we go, well, we could go through that steel door, um, or we
Duane Laflotte:
could walk around the side of it.
Duane Laflotte:
not use the steel door, right?
Duane Laflotte:
So for us, we're like, it's just easier not to use the steel door, for example.
Duane Laflotte:
I'm guessing at least your home networks, but probably your corporate
Duane Laflotte:
networks, you don't block traffic out.
Duane Laflotte:
Most people don't.
Duane Laflotte:
They block traffic in, right?
Duane Laflotte:
And then for DLP solutions, they look at web traffic, they look at, you
Duane Laflotte:
know, um, maybe even, uh, they look at, you know, other ancillary traffic,
Duane Laflotte:
but most of the time not, um, like web sockets and that sort of stuff.
Duane Laflotte:
But most of the time they don't.
Duane Laflotte:
So when we get into an organization, I mean, one of the first things
Duane Laflotte:
we do, ha have you guys ever, um, you take a file, uh, I assume
Duane Laflotte:
you've used Windows in the past.
Duane Laflotte:
Um, we use Linux a lot, but take a file, right?
Duane Laflotte:
Click on it, drag it to your desktop, and create a shortcut, right?
Duane Laflotte:
Pretty simple.
Duane Laflotte:
And then you double click on it and it opens up the shortcut.
Duane Laflotte:
Well, what if that shortcut reached out to a file server, right?
Duane Laflotte:
Well, you could do that.
Duane Laflotte:
You could grab a file off a file server and create a shortcut.
Duane Laflotte:
When you double click on it opens up the file on the file server.
Duane Laflotte:
Well, what if that file server was on the internet?
Duane Laflotte:
Can you do that?
Duane Laflotte:
Well, you can.
Duane Laflotte:
Yeah.
Duane Laflotte:
445, which is SMB.
Duane Laflotte:
Traffic does travel out over the internet.
Prasanna Malaiyandi:
Oh,
Duane Laflotte:
Most people don't ever do it.
Duane Laflotte:
So it's easy for us to, what we do is we'll go to AWS, spin up a server, turn
Duane Laflotte:
on 445, and Responder and a listener.
Duane Laflotte:
Um, and then we drop this shortcut at the customer site.
Duane Laflotte:
Um, and then we just wait.
Duane Laflotte:
And what happens is everybody who browses that share doesn't even touch the file,
Duane Laflotte:
but browses the share your file Explorer wants to put an icon on every file.
Duane Laflotte:
So when it does, it touches that file and it goes to figure
Duane Laflotte:
out what type of file it is.
Duane Laflotte:
So it reaches out to us and gives us your hash, your handshake.
Duane Laflotte:
For the network because it assumes it's connecting to.
Duane Laflotte:
And, but who would stop SMB traffic going out over the internet?
Duane Laflotte:
Right?
Duane Laflotte:
So this is one of the tactics we'll use.
Duane Laflotte:
So then, you know, we were working with certain organizations where they're like,
Duane Laflotte:
we have DLP, we have blah, blah blah.
Duane Laflotte:
We have all this other good stuff.
Duane Laflotte:
And, and literally all we had to do to exfil the data was map a Windows
Duane Laflotte:
drive out to the internet and copy the data from one server to another
Duane Laflotte:
and it just copied with Windows copy.
Duane Laflotte:
And they're like, yeah, we didn't see 10 gig worth of data, customer
Duane Laflotte:
data just go out over SMB 'cause nobody's watching it.
Duane Laflotte:
Um, so the, so this is where I say a lot of it comes down to process.
Duane Laflotte:
It's, you know, uh, least privileged process on traffic
Duane Laflotte:
going out of the organization.
Duane Laflotte:
If it's a not a port that you need, shut it down.
Duane Laflotte:
Uh, 445 should never go out to the internet ever.
Duane Laflotte:
There, there's no reason for it.
Duane Laflotte:
Um, I.
Duane Laflotte:
A lot of your home routers will actually block it by default.
Duane Laflotte:
But corporate now, they're okay with it, which is just weird.
Duane Laflotte:
Um, so I'd say part of that, part of that is process, least
Duane Laflotte:
privilege on the way out.
Duane Laflotte:
If you don't need a port, lock it down.
Duane Laflotte:
That's gonna shut down a lot of the exfil tactics that we would use.
Duane Laflotte:
Um, there are still some exfil tactics, tactics that we will use that
Duane Laflotte:
would be hard for you to shut down.
Duane Laflotte:
Um, there was one, I can't remember.
Duane Laflotte:
Uh, there was one system, we had an administrator, we got access to this
Duane Laflotte:
box and, um, he said, listen, I'll give you a jump station 'cause most, most of
Duane Laflotte:
our engineers work on a jump station.
Duane Laflotte:
And, and he gave us this jump station.
Duane Laflotte:
And, you know, God bless him, he was, he, he really wanted to get the gold,
Duane Laflotte:
the gold star on the, the, the pen test.
Duane Laflotte:
And the jump station had access to nothing.
Duane Laflotte:
Like, it didn't even have access to the internet.
Duane Laflotte:
Like when we connected to it over remote desktop, this thing couldn't
Duane Laflotte:
open files, couldn't, like, couldn't go anywhere, couldn't do anything.
Duane Laflotte:
Um, And we're like, okay, what do people use this for, honestly?
Duane Laflotte:
And he's like, ah, you know, they, we may have applications on there at some point.
Duane Laflotte:
It's like, okay.
Duane Laflotte:
So it was completely locked down and the way we were able to get our tools
Duane Laflotte:
in and on that box was through DNS.
Prasanna Malaiyandi:
I was gonna ask about DNS.
Prasanna Malaiyandi:
Yeah.
Duane Laflotte:
Yeah.
Duane Laflotte:
Um, and listen, this thing couldn't communicate with the internet,
Duane Laflotte:
but it's on a Windows domain.
Duane Laflotte:
So we would then request through the domain controller to go out
Duane Laflotte:
to our hacker.com website, and it couldn't pull down files.
Duane Laflotte:
This is DNS, but you can request text records, which is the associated
Duane Laflotte:
data with the DNS records.
Duane Laflotte:
So we would encode like the first 64 bytes of a file in hex, pull that down.
Duane Laflotte:
And once we had all the hex bits, we reassembled it into an executable.
Duane Laflotte:
Um, at the local station.
Duane Laflotte:
So, and, and it works both ways.
Duane Laflotte:
You've got exfil and infil that way.
Duane Laflotte:
So, uh, there are some that are really hard to block.
Duane Laflotte:
You'd have to have very specialized tools watching, um,
Duane Laflotte:
for those types of infil, exfil.
Duane Laflotte:
But I'd say just start with the basics.
Duane Laflotte:
Shut down the ports that are going out that you don't absolutely need.
Duane Laflotte:
And it gives you a lot less to look at.
Duane Laflotte:
Like, did we have a hundred thousand DNS requests yesterday and now
Duane Laflotte:
we have two and a half million?
Duane Laflotte:
That's probably weird.
Duane Laflotte:
We probably should look at that.
Duane Laflotte:
Right.
Duane Laflotte:
Um, it'll give you less of a, a surface of attack.
W. Curtis Preston:
Hmm.
W. Curtis Preston:
It is, it is.
W. Curtis Preston:
It was interesting because I, I had a conversation with a cyber person.
W. Curtis Preston:
Um, and he was crapping all over the idea of using DNS as an attack surface.
W. Curtis Preston:
Um, just like, it's like, it's just not, it's just nobody does that.
W. Curtis Preston:
And I'm like, okay.
W. Curtis Preston:
Um,
Duane Laflotte:
In a totally lockdown environment.
Duane Laflotte:
I, I'll tell you, it's a pain in the butt.
Duane Laflotte:
Um, because it's slow. Think, um, like if you guys ever used a, a 14.4 modem back
Duane Laflotte:
in the 1990s, it's, it's like that where you're like, okay, dir from our side.
Duane Laflotte:
And it's like,
Prasanna Malaiyandi:
This
Duane Laflotte:
so from nostalgia standpoint it's pretty cool.
Duane Laflotte:
But, um, so yeah, I get that it's not, it's not the best channel,
Duane Laflotte:
but if it's the only one available, yeah, we'll absolutely use it.
W. Curtis Preston:
Right.
W. Curtis Preston:
Interesting.
W. Curtis Preston:
Um, man, I could talk, I could talk to you all day.
W. Curtis Preston:
It's
W. Curtis Preston:
both, it's both, very interesting and exciting and super depressing.
W. Curtis Preston:
Um, yeah, the, um, because you know, we, we had, we talked to somebody
W. Curtis Preston:
yesterday and basically their.
W. Curtis Preston:
Point.
W. Curtis Preston:
And, and it's a point that I agree with, but, um, you know, and that is, you
W. Curtis Preston:
know, I I would summarize it as this.
W. Curtis Preston:
Don't spend all your time trying to stop this stuff.
W. Curtis Preston:
Learn how to detect it when it's happening, and learn how to respond
W. Curtis Preston:
when it, when it has happened.
W. Curtis Preston:
Right.
W. Curtis Preston:
Learn how to watch for exfil.
W. Curtis Preston:
But in your case, you're, you're saying that some of this stuff is
W. Curtis Preston:
gonna be nearly impossible to detect.
W. Curtis Preston:
Look, you know, stop.
W. Curtis Preston:
I think what you're saying is stop the really obvious stuff, right?
W. Curtis Preston:
Uh, you can, you can do the, you can watch the port 80.
W. Curtis Preston:
Right?
W. Curtis Preston:
But you're saying that nobody's gonna, so, because I, I had heard that they're still
W. Curtis Preston:
using like these, um, and their names are escaping me, but like, these file sharing
W. Curtis Preston:
sites, um, like, like Mega, Mega file
Duane Laflotte:
Megaupload and Mega
Duane Laflotte:
download and, yeah.
Duane Laflotte:
Mega file.
W. Curtis Preston:
And wouldn't those go over port 80?
Duane Laflotte:
Yeah.
Duane Laflotte:
And they do, and that's why most, most people aren't using those anymore.
Duane Laflotte:
Like it used to be, um, what was it?
Duane Laflotte:
Uh, Pastebin and that sort of stuff.
Duane Laflotte:
Like people were finding these sites where you could paste up a lot of data.
Duane Laflotte:
And, and the problem is DLP solutions really have caught onto those.
Duane Laflotte:
Uh, and I can tell you as a, so as a developer, uh, and as a, um, a guy
Duane Laflotte:
who's trained in writing viruses that bypass any antivirus on the planet,
Duane Laflotte:
it's really not that hard to open up any other port and start transferring data.
Duane Laflotte:
'cause nobody's looking for it at that point.
Duane Laflotte:
Right.
Duane Laflotte:
Um, silly things like, um, say, okay, uh, SSH.
Duane Laflotte:
Okay.
Duane Laflotte:
So if every, if every you've ever, uh, you know, gone on a Linux box or whatever and
Duane Laflotte:
you wanna connect to it remotely, use SSH, which is a secure tunnel, um, well it's
Duane Laflotte:
a secure tunnel 'cause it's encrypted.
Duane Laflotte:
So if I just SSH and SCP copy a file to a remote Linux box,
Duane Laflotte:
that's an entirely encrypted channel.
Duane Laflotte:
Nobody's gonna see what's in that.
Duane Laflotte:
So why are you not blocking like port 22 out?
Duane Laflotte:
Right?
Duane Laflotte:
Oh, well, you know, one of our developers said they need to connect
Duane Laflotte:
to some remote, uh, you know, Linux box in AWS like, okay, well there's
Duane Laflotte:
better ways to do that, right?
Duane Laflotte:
Um, so yeah, I you'll start to see a lot of, and, and you'll start to see a
Duane Laflotte:
lot of these people using things like, um, you know, even like, so a lot of
Duane Laflotte:
the Cobalt beacons, uh, Cobalt Strike beacons and that sort of stuff are,
Duane Laflotte:
are starting to use different ports just so that they're not detectable.
Duane Laflotte:
'cause everybody's looking for 80 and 443, right?
W. Curtis Preston:
Mm-hmm.
W. Curtis Preston:
Mm-hmm.
Duane Laflotte:
and it's just easy to use something else.
W. Curtis Preston:
So my summary of what I heard all over that is
W. Curtis Preston:
blocking outgoing ports that, that you don't need, right, disallow all.
W. Curtis Preston:
And allow the ones that you know you need, you'll break a couple
W. Curtis Preston:
of things, I'm guessing, right?
W. Curtis Preston:
You'll break a couple of things in the beginning, you'll fix those
W. Curtis Preston:
things and then you'll be better.
Prasanna Malaiyandi:
but but isn't that sort of supposed to be the way
Prasanna Malaiyandi:
you approach network firewalls, right?
Prasanna Malaiyandi:
It's always a deny all, and you add access for what you need.
W. Curtis Preston:
But I think,
W. Curtis Preston:
but I think Duane's making the very valid point that people haven't
W. Curtis Preston:
historically done that going out.
Duane Laflotte:
Yes.
Duane Laflotte:
Yeah.
Duane Laflotte:
And it's weird because like, um, and, and it's the same thing with Windows, right?
Duane Laflotte:
Windows initially started with everything's open and
Duane Laflotte:
you need to lock it down.
Duane Laflotte:
And that's why they got the, the bad rep of being the unsecured operating system.
Duane Laflotte:
And, and Linux started the entire opposite.
Duane Laflotte:
There's nothing running on it unless you open it up.
Duane Laflotte:
Um, networking has always been trust the inside and not the outside.
Duane Laflotte:
Right.
Duane Laflotte:
So we, we've been trained to, if they're on the inside, oh, they already have
Duane Laflotte:
access to the jewels, so who cares?
Duane Laflotte:
We don't need to worry about them going out.
Duane Laflotte:
But, but the problem is, especially with ransomware and whatnot, the going out
Duane Laflotte:
part is the important part at this point.
Duane Laflotte:
Um, so yeah, you absolutely want it.
Duane Laflotte:
And, and I like to think of it as a least privilege, uh, network stack, right?
Duane Laflotte:
So exactly what you're talking about is what privileges do you
Duane Laflotte:
need going out and let's say we manage a $22 billion organization.
Duane Laflotte:
Yeah.
Duane Laflotte:
You're not gonna set everything to deny out and then open it up.
Duane Laflotte:
But what you could do is you probably have pretty sophisticated firewalls.
Duane Laflotte:
You set them in monitoring mode, uh, and at the end of a month
Duane Laflotte:
you see what ports are in use.
Duane Laflotte:
Maybe you allow those and everything else gets blocked, right?
Duane Laflotte:
So there are ways to do this without sort of breaking the organization.
Duane Laflotte:
But I'll tell you the same thing applies to win like, um, corporate resources.
Duane Laflotte:
We see far too often where we we're in an organization and it's like, oh, here's a
Duane Laflotte:
public share that everybody has access to.
Duane Laflotte:
And oh, by the way, it's got, uh, you know, we've seen things like, um, social
Duane Laflotte:
security numbers, we've seen applications for mortgages, we've seen, uh, HR
Duane Laflotte:
files, and we're like, why do we with no account have access to these things?
Duane Laflotte:
And they're like, I don't know, people just put 'em in the public share.
Duane Laflotte:
It's easy for anybody to access it.
Duane Laflotte:
Um, so least privilege needs to be used everywhere, but,
Duane Laflotte:
um, including
W. Curtis Preston:
That's your policy thing that you were talking about,
Duane Laflotte:
Yes, exactly.
Prasanna Malaiyandi:
Yeah.
W. Curtis Preston:
concept of least privilege.
W. Curtis Preston:
Yeah.
W. Curtis Preston:
Um, that is a really good concept and policy that people should have everywhere.
W. Curtis Preston:
Let me, let me ask you this.
W. Curtis Preston:
So what, so a company comes to you and, and, you know, and
W. Curtis Preston:
they're like, hack us or whatever.
W. Curtis Preston:
I don't know exactly exactly what they say, but they, so what, what
W. Curtis Preston:
do they say and what do they get out of it right when they walk away
W. Curtis Preston:
from having, having been summarily beaten, um, and, and, and shamed.
W. Curtis Preston:
Um, what, what, what did they get out of it at that point?
Duane Laflotte:
Uh, that's a, that's another good question.
Duane Laflotte:
So we do, um, the way we do red team engagement is a little bit different
Duane Laflotte:
than most cybersecurity companies.
Duane Laflotte:
Um, so the heart of our organization is very much a training company.
Duane Laflotte:
Um, you know, I was a Microsoft certified trainer for decades.
Duane Laflotte:
Um, my CEO was also a certified trainer for decades.
Duane Laflotte:
We're all about teaching as much as we possibly can.
Duane Laflotte:
So we bring that into our red team engagement.
Duane Laflotte:
So the way it starts is typically people do come to us and say, Hey
Duane Laflotte:
listen, we're not really sure what our cybersecurity posture is.
Duane Laflotte:
Can you test it?
Duane Laflotte:
Right?
Duane Laflotte:
Can you hack us?
Duane Laflotte:
Um, and we'll get some information from them.
Duane Laflotte:
We'll obviously get the Ts and Cs signed that says you can't throw us in
Duane Laflotte:
jail, and all that other good stuff.
Duane Laflotte:
Um, 'cause we have had people come up to us.
Duane Laflotte:
We had one guy come up to us, say, I'd like to engage you
Duane Laflotte:
to, to, to hack into this bank.
Duane Laflotte:
You know, I'm, I'm their IT manager.
Duane Laflotte:
And we're like, okay, cool.
Duane Laflotte:
But we don't see that you're their IT manager on LinkedIn.
Duane Laflotte:
Um, or anything along those lines. You know, no, no, no, it's okay.
Duane Laflotte:
It's fine.
Duane Laflotte:
Um, but all things will go through me.
Duane Laflotte:
So, and I was like, okay, so we can't talk to the bank and you want
Duane Laflotte:
us to, no, we're not doing that.
Duane Laflotte:
Um, so we talk to somebody at the bank, but for the most part they come to us,
Duane Laflotte:
say, hack us, here's the resources.
Duane Laflotte:
Um, you know, ideally they say, here's our IP addresses
Duane Laflotte:
that are valid to hit, go nuts.
Duane Laflotte:
Um, sometimes they, they kind of tunnel us into, I only want you to
Duane Laflotte:
focus on these systems, but they get kind of a better risk assessment
Duane Laflotte:
if it's let us look at everything.
Duane Laflotte:
And then what we typically do is, uh, we'll literally open up a, a zoom
Duane Laflotte:
meeting, um, from nine in the morning till usually two in the morning, um,
Duane Laflotte:
where their blue team can join and watch what we do and we'll talk 'em through it.
Duane Laflotte:
But like, I know, and it's, it feels weird.
Duane Laflotte:
It's like, Hey, I'm, I'm beating up your child, but let
Duane Laflotte:
me explain how I'm doing it.
Duane Laflotte:
Um, and they have to sit there and watch.
Duane Laflotte:
I guess that makes it
W. Curtis Preston:
let me explain why your child is ugly.
Duane Laflotte:
right.
Duane Laflotte:
Exactly.
Duane Laflotte:
And we'll show you empirical proof.
Duane Laflotte:
So, um, what's nice about that is far, you know, a, it
Duane Laflotte:
gives, it's more collaborative.
Duane Laflotte:
It's not like I'm delivering a report at the end, and the blue teamers are like,
Duane Laflotte:
well, those red team guys suck, right?
Duane Laflotte:
It's, it's, Hey, we wanna work with you, we want you to know these tactics and
Duane Laflotte:
watch how we're moving around in network.
Duane Laflotte:
Um, and, and b what we typically see from the blue team is they'll go, Hey guys,
Duane Laflotte:
guys, you know that system over there?
Duane Laflotte:
You haven't looked at it yet.
Duane Laflotte:
Yeah, it's been causing us troubles.
Duane Laflotte:
We wouldn't mind if you, you know, kind of tried to push
Duane Laflotte:
that over a little bit, right?
Duane Laflotte:
So we're like, all right, cool.
Duane Laflotte:
We'll take a look at that system.
Duane Laflotte:
So, um, so we, we use it as a training engagement, usually for like a week with
Duane Laflotte:
their blue team and or red team if they have one, giving them other ways to think
Duane Laflotte:
about the network and lock things down.
Duane Laflotte:
And if we find something mission critical, we stop and we work with them to fix
Duane Laflotte:
whatever it's, we find another hacking team in there, um, which we have, um,
Duane Laflotte:
or we'll find, uh, yeah, we've, we've definitely found indicators of compromise,
Duane Laflotte:
IOCs, um, for, for other teams in there.
Duane Laflotte:
And that's an, that's an all engagement stop.
Duane Laflotte:
And we call in
W. Curtis Preston:
And, and, and when you say other teams, you mean,
W. Curtis Preston:
you mean bad guys at that point?
Duane Laflotte:
Yeah.
Duane Laflotte:
Yeah.
Duane Laflotte:
And we'll, um, my team will go into forensics mode.
Duane Laflotte:
We'll track 'em down and we'll be like, all right here, here's where they came in.
Duane Laflotte:
Here's who they are.
Duane Laflotte:
Here's right.
Duane Laflotte:
If the, especially if the customer doesn't have a threat hunting team.
Duane Laflotte:
Um, so that's typically what we do.
Duane Laflotte:
And then, and then the report we deliver to them.
Duane Laflotte:
Is very actionable.
Duane Laflotte:
It's here was the issue we found, here's the risk, here's what could happen.
Duane Laflotte:
Here's how you fix it, and here's how you run the commands yourself
Duane Laflotte:
that we ran to exploit it.
Duane Laflotte:
So until these come back clean, there's no need to, you know, check
Duane Laflotte:
back in or anything like that.
Duane Laflotte:
Just go through.
Duane Laflotte:
So we want them to have all the tools, um, and, and we even tell customers
Duane Laflotte:
after being with us for a year or two, like, go find another security vendor.
Duane Laflotte:
Like, no, it behooves you.
Duane Laflotte:
Like we look at it one way and we, and we start to get tunnel vision when we
Duane Laflotte:
hit this network over and over again.
Duane Laflotte:
Go find somebody else who's gonna look at it in a different way, right?
Duane Laflotte:
Um, so that's, that's how we approach it.
Duane Laflotte:
So what they get from us is, you know, training a report that gives
Duane Laflotte:
them some actionable intel and how they can test their own network.
Duane Laflotte:
Um, and then advice that they can hopefully learn, uh, and we'll,
Duane Laflotte:
we'll adopt more customers.
W. Curtis Preston:
Oh,
W. Curtis Preston:
I like
Prasanna Malaiyandi:
awesome.
Prasanna Malaiyandi:
Yeah.
W. Curtis Preston:
Yeah, I like that a lot.
W. Curtis Preston:
I, I'm curious to know if you've ever had a situation where like
W. Curtis Preston:
you've got the blue team there and they get like angry because,
Duane Laflotte:
Oh
W. Curtis Preston:
you know, it's
Prasanna Malaiyandi:
Yeah.
Duane Laflotte:
Oh yeah, yeah.
Duane Laflotte:
Okay.
Duane Laflotte:
Yeah, we've, we've, okay, so we've had situations where we've had, uh,
Duane Laflotte:
developers of applications on the line where we just tear the application apart
Duane Laflotte:
and, and they're, they're very much like, oh, man, like, and we tell them
Duane Laflotte:
that, like, they're like, what the f? And I should have been better at this.
Duane Laflotte:
And I'm like, listen, like if you're not a, if I've been a developer, uh,
Duane Laflotte:
act since the early nineties, mid nineties and, and, and a cybersecurity
Duane Laflotte:
focus since, you know, 2000 so.
Duane Laflotte:
And, and there are a lot of these things I miss and I'm solely focused on cyber.
Duane Laflotte:
So don't beat yourself up.
Duane Laflotte:
This is what we do, right?
Duane Laflotte:
We specialize in these things.
Duane Laflotte:
Um, and I like that type of mentality 'cause that person wants to be better.
Duane Laflotte:
Um, I have had, we did have one blue teamer on a, uh, it was a
Duane Laflotte:
massive, uh, Fortune 500 company.
Duane Laflotte:
Um, and he was the network security guy and he was on the call and, and every
Duane Laflotte:
time we run into a finding, we'd be like, oh, all of your, your switches actually
Duane Laflotte:
are doing, uh, TFTP automatically from an IP address that doesn't exist.
Duane Laflotte:
We just switched over to that IP address and that we can feed configurations to all
Duane Laflotte:
of your switches and that sort of stuff.
Duane Laflotte:
Anyway.
Duane Laflotte:
Go.
Duane Laflotte:
Well, you know, that's, uh, that's always by design, um, that's the whole way.
Duane Laflotte:
Like, and we're like, oh, okay, that's cool.
Duane Laflotte:
We're just, you know, we're just saying this is, and, and every single time.
Duane Laflotte:
We would get this.
Duane Laflotte:
And, and we finally, we finally at one point went through and exploited it, um,
Duane Laflotte:
a particular switch config, and was able to pull down all the information on switch
Duane Laflotte:
config and decode this guy's password.
Duane Laflotte:
And we're like, oh, well, the way that we broke the entire network and became
Duane Laflotte:
domain admin is because this administrator here, here's his password on the switch.
Duane Laflotte:
And by the way, it's the same password on the domain.
Duane Laflotte:
And he's just like, I was like, yeah, yeah.
Duane Laflotte:
We try not to be adversarial, but occasionally we will get someone who,
Duane Laflotte:
uh, will, will invoke the ire of the red
W. Curtis Preston:
Yeah, your, your goal is to bring them along with you,
W. Curtis Preston:
like you said, for them to be educated.
W. Curtis Preston:
But, uh, you know, a as a person who's been on the receiving end of that kind
W. Curtis Preston:
of stuff, sometimes it's hard to, to
Duane Laflotte:
Oh, absolutely.
W. Curtis Preston:
it personal.
W. Curtis Preston:
Right.
W. Curtis Preston:
Um, yeah.
W. Curtis Preston:
So, all right.
W. Curtis Preston:
I, I, I, um, I have one final area and we've gone a little
W. Curtis Preston:
longer than we typically go.
W. Curtis Preston:
But I have one final area that I want to ask you about, and that is, so, you know,
W. Curtis Preston:
at its heart our podcast is about backups.
Duane Laflotte:
Mm-hmm.
W. Curtis Preston:
What, what do you know about backup and recovery
W. Curtis Preston:
systems as an, as a, as an, uh, a, um, what's the term that you use?
W. Curtis Preston:
Uh, an attack surface.
Duane Laflotte:
Ah,
W. Curtis Preston:
about backup systems as an attack surface?
Duane Laflotte:
so I have a very poignant example.
Duane Laflotte:
Um, we just recently, um, we're doing a pen test two weeks ago,
Duane Laflotte:
uh, in an organization where we breached it over the backup system.
Duane Laflotte:
Um, and I.
Duane Laflotte:
So they were all virtualized, of course.
Duane Laflotte:
Um, and they were backing up all of their VMs and we got access to the
Duane Laflotte:
backup manager because the password for the backup manager was weak.
Duane Laflotte:
Um, it was actually default passwords.
Duane Laflotte:
'cause people think to themselves, it's a backup manager, what do I care?
Duane Laflotte:
Right?
Duane Laflotte:
What are they gonna restore it?
Prasanna Malaiyandi:
Yeah.
Duane Laflotte:
And that's what we did.
Duane Laflotte:
We actually took the backup of the domain controller and pulled it over the internet
Duane Laflotte:
to us and restored it in my own lab.
Duane Laflotte:
And then we're able to tear it apart, pull every single username and password.
Duane Laflotte:
Not like, except.
Duane Laflotte:
And they, and at that point, so, so I would be careful that repository is just
Duane Laflotte:
as sensitive as your primary network.
Duane Laflotte:
It's not only your path to recovering from disaster, but from an attacker.
Duane Laflotte:
I'm always looking for backup systems, um, and what I can pull out of
W. Curtis Preston:
filtration, right?
Duane Laflotte:
right?
Duane Laflotte:
Yeah, exactly.
Duane Laflotte:
So it's like pulling that data off.
Duane Laflotte:
Um, you know, uh, backup accounts should have strong
Duane Laflotte:
passwords and should be audited.
Duane Laflotte:
Backup systems should be audited for who's trying to log in, et cetera.
Duane Laflotte:
Um, backup service accounts that are running on boxes, we've seen far
Duane Laflotte:
too often just have weak passwords.
Duane Laflotte:
Um, and it's super easy for us to then compromise.
Duane Laflotte:
And the thing about backup, backup is awesome, actually.
Duane Laflotte:
Um, the, the backup service right on Windows gives you the ability to
Duane Laflotte:
read any file without being audited.
Duane Laflotte:
So, so you have all these auditing tools looking for users like reading files
Duane Laflotte:
and opening secure files and whatever.
Duane Laflotte:
But if you can request the SeBackup, right?
Duane Laflotte:
You can touch anything and nobody ever sees it.
Duane Laflotte:
So from a, from a, from a surface of attack standpoint, like backups
Duane Laflotte:
are like a win button for us.
Duane Laflotte:
We're always looking for like, Hey, do they have a backup system?
Duane Laflotte:
Is there an account we can compromise that has SeBackup rights?
Duane Laflotte:
'cause if so, you know, money, we can go open any file we want and
Duane Laflotte:
nobody will know we were there.
Duane Laflotte:
So yeah, I, I would absolutely say, uh, surface of attack is large there.
Duane Laflotte:
Um, and you really need to go back to basics.
Duane Laflotte:
Make sure good passwords, strong auditing on backup systems and, and don't just
Duane Laflotte:
think it's your path for recovery.
Duane Laflotte:
It could also be an attack target.
Prasanna Malaiyandi:
that's crazy.
Prasanna Malaiyandi:
I did not know that about the Windows role.
Duane Laflotte:
It's so cool.
Duane Laflotte:
So many cool things you could do.
Duane Laflotte:
Privilege escalation from ransomware can be done through backups.
Duane Laflotte:
I mean, there's so many cool things.
W. Curtis Preston:
Uh, okay.
W. Curtis Preston:
I was, I was, I was,
Prasanna Malaiyandi:
is,
W. Curtis Preston:
I was, I was excited and then I, and then I just, I just got
W. Curtis Preston:
really depressed right at the end there.
W. Curtis Preston:
I was like, God, it could be used for, yeah.
W. Curtis Preston:
You know, the thing that we try to tell, like I've been trying to, I
W. Curtis Preston:
I what this, this is gonna sound really weird, uh, especially given
W. Curtis Preston:
that you joined that, you know, you crossover into cybersecurity in 2000.
W. Curtis Preston:
What I think we're having at this point is a 9/11 moment.
W. Curtis Preston:
And, and here's what I mean by that.
W. Curtis Preston:
Up until 9/11, the thinking was, oh, well, just like, don't do anything crazy
W. Curtis Preston:
with the guys that are control, you know, that are the, the, the hijackers.
W. Curtis Preston:
Uh, okay, they can have access to the, the thing, but what are they gonna do?
W. Curtis Preston:
Right?
W. Curtis Preston:
They're gonna, they're gonna wanna land the plane, they're gonna wanna
W. Curtis Preston:
hold everybody hostage so that they can release some prisoners.
W. Curtis Preston:
And a pri, you know, no one had ever said, Hey, let's go train, you know, train
W. Curtis Preston:
the hijackers on how to, how to land a, you know, a 747 so that they're gonna
W. Curtis Preston:
use the, the plane as a bomb, right?
W. Curtis Preston:
Um, as the weapon itself.
W. Curtis Preston:
And, and what, that's what's happened with backup in the last, let's say five years.
W. Curtis Preston:
Is that the ransomware folks are definitely, um, they're, they have
W. Curtis Preston:
started seeing that two things.
W. Curtis Preston:
One is that if they can take out the backup system, you're
W. Curtis Preston:
more likely to pay the ransom.
W. Curtis Preston:
And two, the backup system is, like you said, this massive attack surface that
W. Curtis Preston:
that could be used for exfiltration.
W. Curtis Preston:
I did
Prasanna Malaiyandi:
pot of gold.
W. Curtis Preston:
until you, until you mentioned I didn't think about it
W. Curtis Preston:
being used for privilege escalation, uh, which makes it even more depressing.
W. Curtis Preston:
Uh, and, and the, the thing is that so many times the backup system
W. Curtis Preston:
is administered by the new guy.
W. Curtis Preston:
Right.
W. Curtis Preston:
It's,
Duane Laflotte:
That was my first
W. Curtis Preston:
the
W. Curtis Preston:
first job I ever got.
W. Curtis Preston:
Oh, it was your first job
Duane Laflotte:
Yeah.
Duane Laflotte:
Mine too.
Duane Laflotte:
And, uh, and I'll date myself.
Duane Laflotte:
It was, it was these DLT tapes I was pulling out every day and then
Duane Laflotte:
putting in these new, these yeah.
W. Curtis Preston:
Yeah.
W. Curtis Preston:
Yeah, yeah.
W. Curtis Preston:
Good times.
W. Curtis Preston:
Good times.
W. Curtis Preston:
Uh, well, well, Duane, I, this has been fascinating.
W. Curtis Preston:
Um, I don't know if I'm gonna be able to trim any of this
W. Curtis Preston:
down to our usual show size.
W. Curtis Preston:
So I hope that folks have enjoyed staying, uh, staying with us this amount of time.
W. Curtis Preston:
I want to thank you so much for coming on
Duane Laflotte:
It was my pleasure, honestly.
Duane Laflotte:
And this is, this was super easy, super comfortable.
Duane Laflotte:
Honestly, any guy, anytime you guys wanna talk cyber or
Duane Laflotte:
latest attacks, just hit me up.
Duane Laflotte:
I'd love to chat.
W. Curtis Preston:
the time, right, Prasanna, all the
Prasanna Malaiyandi:
Yes.
Prasanna Malaiyandi:
Oh, that's exactly what I was thinking.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
I was like, just hearing the stories you talk about, Duane, it's like fascinating.
Prasanna Malaiyandi:
It's like a world that like I've never really been exposed to and
Prasanna Malaiyandi:
just hearing the stories firsthand.
Prasanna Malaiyandi:
Like Curtis always talks about backup stories, which is great 'cause
Prasanna Malaiyandi:
I've never cut my teeth on backup.
Prasanna Malaiyandi:
But like hearing like the stories you or the experiences you have.
Prasanna Malaiyandi:
I think it's eye-opening.
Duane Laflotte:
And horrifying.
Duane Laflotte:
And, and you notice me, I get giddy when things break.
Duane Laflotte:
Like the internet's on fire.
Duane Laflotte:
I'm the guy going, woo-hoo.
Duane Laflotte:
Like, let's see where this goes.
Duane Laflotte:
Which I know is a little sadistic.
Duane Laflotte:
I get it.
Duane Laflotte:
But,
W. Curtis Preston:
Yeah.
W. Curtis Preston:
Well, um, yeah, so thanks, uh, thanks again also to our listeners.
W. Curtis Preston:
Uh, you know, we'd be nothing without you.
W. Curtis Preston:
And remember, remember to subscribe so that you can restore it all