
June 10, 2024 59 mins

Episode 31. Welcome to season two of the Cyber Security America podcast. In this episode, we explore the evolving landscape of cloud security, focusing on critical considerations for organizations migrating to Office 365 and Azure AD. Stay tuned as we unravel essential strategies and insights to bolster your security posture in the cloud.

 

In traditional on-prem environments, users authenticate to domain controllers within a network. However, replicating this infrastructure to Azure Cloud introduces significant changes. Now users can authenticate from anywhere globally, leading to numerous failed authentications and increased MFA prompts. This new setup can cause account lockouts that do not synchronize back to the on-prem domain controller. Therefore, when moving to Office 365, it's crucial to consider Microsoft Defender for Identity for enhanced security posture, compliance, threat detection, and vulnerability assessments.

 

One of the most significant security concerns is PowerShell. It's frequently used in legitimate administrative actions and by malicious actors. Hardening PowerShell is essential, and this includes enabling transcription, which captures the input and output of commands, and script block logging, which ensures Base64-encoded commands are logged so they can be decoded for analysis. This helps to detect and respond to malicious activities without relying on external tools like CyberChef.

 

Furthermore, enforcing script execution policies (Restricted, Bypass, RemoteSigned, AllSigned) helps manage which scripts can run, though these policies are not foolproof security controls. The key is to use them as intended, to prevent unintended script execution.

 

Constrained Language Mode is another vital hardening measure, restricting access to commands that can invoke Windows APIs, which are often exploited to download malware. For example, commands like `Add-Type` can load arbitrary C# code and are frequently used in attacks.

 

Additionally, integrating the Antimalware Scan Interface (AMSI) into applications can help detect and prevent script-based threats by scanning script content in its de-obfuscated form before execution. This is particularly useful in environments where PowerShell is heavily used, as it adds an extra layer of security.
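As an added example (not code from the podcast or from DeepSeas), the following PowerShell turns on the transcription and script block logging described above, reads back the session language mode and execution policy, and decodes a Base64 `-EncodedCommand` string the way an analyst would when reviewing a script block event. The transcript directory, the function names and the sample encoded command are assumptions constructed for this example; the registry paths are the documented Group Policy locations.

```powershell
# Added example: PowerShell auditing controls from the summary above.
# Run in an elevated session on a Windows host.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditing {
    param(
        # Assumed location; in production point this at a write-only share the SIEM collects.
        [string]$TranscriptDir = 'C:\PSTranscripts'
    )
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    $tx  = Join-Path $PolicyRoot 'Transcription'
    foreach ($key in @($sbl, $tx)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Script block logging writes the de-obfuscated script text to the
    # Microsoft-Windows-PowerShell/Operational log as event ID 4104.
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Transcription records every command and its output for each session.
    Set-ItemProperty -Path $tx -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $tx -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tx -Name OutputDirectory -Value $TranscriptDir -Type String
    # Execution policy is a guardrail against accidental script runs, not a security boundary.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Get-PowerShellAuditStatus {
    $sbl = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -ErrorAction SilentlyContinue
    $tx  = Get-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription')      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        Transcription      = ($tx.EnableTranscripting -eq 1)
        TranscriptDir      = $tx.OutputDirectory
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        # ConstrainedLanguage means Add-Type and raw .NET/Win32 calls are blocked in this
        # session; it is enforced by an AppLocker/WDAC policy rather than a registry switch.
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}

function ConvertFrom-EncodedCommand {
    # -EncodedCommand carries Base64 over UTF-16LE text, so decode with Unicode, not UTF8.
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-RecentScriptBlocks {
    # Pull the latest 4104 events so the logged script text can be reviewed in place.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Constructed sample of what a `powershell -EncodedCommand ...` process line carries.
$sampleEncoded = [Convert]::ToBase64String(
    [System.Text.Encoding]::Unicode.GetBytes('Write-Output "constructed sample"'))

Enable-PowerShellAuditing
Get-PowerShellAuditStatus
ConvertFrom-EncodedCommand -Base64 $sampleEncoded
Get-RecentScriptBlocks -MaxEvents 5
```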

 

Effective cybersecurity requires technical depth and business alignment. Start by understanding your industry's regulations and standards. Align your cybersecurity strategy with business risks and integrate threat intelligence, incident response management, and continuous attack surface management. This strategic approach ensures a comprehensive security posture.

 

Finally, as organizations migrate to Azure AD and other cloud services, several key security considerations must be addressed. This includes understanding architecture changes, monitoring data flow, and ensuring tool rationalization. Critical components often overlooked include proper deployment of MFA and fi

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:05):
Today's businesses are on a vigilant watch for threats in an ongoing cyber war. It's time to get real world solutions to protect and secure your valuable business information anytime, anywhere. Welcome to Cyber Security America with Josh Nicholson. You're about to gain special access into a world of restricted

(00:26):
information and a backstage pass to the inner sanctum of cyber security. Cybersecurity operations. Here's your host. Joshua Nicholson again, back here for season number two. So glad to have such a wonderful season one with 30 episodes. The last one culminating with the interview of Governor McCrory, talking

(00:47):
about technology and cyber risks within government, what is it like from a mayor? What's it like from a governor's perspective, but on season two, we have a couple of things that we want to cover. One is I'll give you kind of an overview is. There's a lot of talk about artificial intelligence, but we've done a couple episodes on our show about that. This one was more of, we want to start to get into artifacts

(01:08):
and forensics artifacts. How do you tell what a decision was made? What are some of the kind of the prompts? We wanted to give some more of the usability tips and features that we're seeing with, say, ChatGPT and some of the other common models. We're also going to have a time on where we're going to have some recruiters on that are going to talk about what do you need from a resume and a skill perspective? What are people looking for? What is, uh, important to them?

(01:29):
What are the fields that, uh, are expanding, which are some of the ones that are contracting? What do you need to do from an SEO perspective within LinkedIn? Uh, a lot of people ask questions related to that. So one of the things I want to catch people up on is that I went to a conference called the CackalackyCon conference. So this was a phenomenal little conference in Raleigh, North Carolina.

(01:50):
And it was at a series of different presentations from practitioners. But some of the areas I thought were just fascinating was, for instance, a lock picking area where there was an area of me and my kids were able, I was able to take my kids to this one, we were able to learn how to undo locks and tumbler locks and how to get out of handcuffs. That had to have been the best skilled of the entire week.

(02:11):
There was how to get out of the double lock handcuffs. I thought that was. Uh, exciting. There was also a capture the flag where you had, a number of different penetration testing capabilities, a couple of contests going on. One of it was really broken down for the newbies. I thought that was important, kind of give the clues, walk them through this, make it really easy because it's intimidating at first for some

(02:33):
of the newer people in cybersecurity. So I really had a good time over there at CackalackyCon. And then this week I'm at that Techno Forensics Conference in Wilmington. I got to speak, I spoke this morning at 10:30. Part of this presentation here for this podcast, I can show up with the world and I'm going to present it here on the show. But we had a really great time.

(02:54):
There was a lot of people there. I would say, I don't know, a lot is a relative term. Let's say 400 people. It seems right around that number. I think the attendance was really well supported in the AI, some of the AI areas, but more importantly in some of the forensics tool sets and the demonstrations and so forth. So it's not just a people wanting to hear

(03:15):
thought leadership, but it's also people wanting to see actual tools and what they do and so forth. That happened, my presentation was just going over some of the latest threats that are happening from an incident response perspective. DeepSeas is a cybersecurity company, we have many different services, but our core is our platform is our managed detection and response.

(03:35):
We also manage SIEM systems, we also have professional services, advisory, as well as penetration testing. And of course the, the vCISO function. One of the lessons learned we have from DeepSeas is just looking at the amount of data that comes in. When you see that we have millions and millions of different unfiltered events

(03:55):
that come in and logs that come in. They need to be identified, they need to be correlated, they need to be actioned, and so forth. So there is a lot of information that we can glean from these different attacks. One of the things I'm going to go over in this upcoming presentation here is just Azure. The move to Azure has opened up the attack space for a lot of people. You can see them moving from the traditional on prem domain

(04:17):
controller over to Azure AD. Which is a natural progression, especially when you want to start leveraging O365 applications and using the power of cloud, Microsoft Entra ID gives you a lot of functionality to be able to do things like that. However, your traditional security monitoring tools are accustomed to having that, uh, domain controller log information coming into the SIEM.

(04:40):
And those rules for brute force attack, password stuffing, all those types of, uh, things. Uh, tags are, are built into the SIEM. However, they don't realize is that when you set up an on prem domain controller to replicate to an Azure AD domain controller, you have to use what's called AD Connect, it's a little tool set. It's a little proxy that allows you to connect the two.

(05:01):
So that connector does that. It replicates the SAM database information that's within there up to, uh, out here. So now if your laptop is on premises, you can log on locally with a domain controller. If you go to your hotel room, you can log on to your O365 applications using Azure AD. Problem though that occurs is that when you move to Azure AD in that way,

(05:24):
and you start failing authentication, you start brute force authenticating, it's not the normal Kerberos port 8080 that you would see, and you would see a failed logon attempt of 4625. On those domain controllers, you're not going to see that in an Azure cloud scenario because it's using HTTPS using stuff like SAML and OAuth to do the authentication and authorization.

(05:46):
So what happens if you don't account for those Azure AD logs into your SIEM, you're going to be missing a whole, probably half, depending on the mobility of your workforce, but half of the logs and the events that are occurring. Cyber Battlefield Insights, identifying critical shifts and errors leading to intrusion. This is from an MDR, Incident Response Commander's perspective.

(06:07):
This is my perspective. DeepSeas, we have about 700 customers around the world. We monitor their endpoint detection and response tools for them. Their CrowdStrikes, their Carbon Blacks, and so forth. Not only do we monitor them, but we create threat intelligence. Over a thousand pieces of threat intelligence go into those platforms. So it's like saying, do you have an EDR? It's like saying, do you have a car?

(06:28):
But we make that car into a race engine. So that perspective gives us over 450,000 desktops under management. So out of that we get a number of different incidents that occurred that we have some lessons learned from. Everything is just bombarding us from RSA. A lot of people at RSA, I didn't go this year. But I went to the CackalackyCon conference instead, but at RSA there was a lot

(06:50):
of talk I'm hearing from all my coworkers about artificial intelligence. Everything was artificial intelligence. And when you look it back AT&T and that big outage they had, it wasn't artificial intelligence that did it, it was just human error. So artificial intelligence is no match for natural stupidity. So in this presentation, what I'm going to go over is I'm going to present

(07:12):
a little small overview of DeepSeas. I am going to talk about who they are, what's the genesis of the company. It gives us perspective in the data for what's about to come in the later presentation. So this is not a sales presentation, but I do need to qualify where I'm getting my perspective from and what kind of data am I making these inferences from.

(07:33):
Threat intelligence perspectives. We also want to be able to pull from some of the headlines, what's going on right now. There's a couple of things we want to be able to cover, how that relates. I see a larger trend that's going on. Then a traditional approach towards your security tool sets and everything. I'm going to go over the model of how a CISO kind of looks at it from how do I implement change, risk management.

(07:55):
I don't do it by picking my tools and develop my risk structure around that. It's develop my risk structure and then put my tools that are aligned to that. We also see some shifting in technology here. Just move to Azure and the authentication go in Azure AD. Some of the challenges that occurs and how that changes from a deeper perspective for incident response.

(08:15):
When you're looking at failed logon attempts, you're not getting those 4724, 4725 events anymore from the domain controllers. You're getting a lot of these different events that are not showing up because it's now Azure AD showing up in the cloud and it's all off over HTTPS. We're also going to talk about that and DNS over HTTP and how that is

(08:37):
causing havoc right now in environments. Now, after that, we go over some of the shifting of technology. We move into PowerShell. PowerShell seems to be at the heart of all the intrusions that we're working today. All the different incidents that we have are coming up. A lot of them are remote management tool sets and the use of PowerShell. Then we're going to go over the top 12 areas of focus that make sense

(08:59):
for our greatest bang for a buck. So a little background on me in case I really haven't gone over this on the podcast before too much. Cause you could see my LinkedIn channel from here, but essentially 24 years in information security. I have held many different roles and responsibilities

(09:21):
starting off in the Marine Corps. Very technical. I worked on radio systems. I was a weapons instructor. So I got both shooting, blowing stuff up, as well as being able to do IT and build servers and networking and so forth. After the Marine Corps went into the defense sector, worked at Northrop Grumman, worked as a sysadmin, NT systems administrator, and that

(09:44):
started my career off into IT. And that gave me a good perspective on route switch servers architecture before moving into Cisco routers, CCNA, CCNP, and doing infrastructure level things. That migrated me over to Hancock Bank after Hurricane Katrina. There was a three month time period I was homeless.

(10:05):
We, my family and I had to evacuate from New Orleans. We had to live with family members for a time period. We had to move around, stayed in a hotel for a couple weeks. So it was an interesting situation, not only to have to go through Katrina, but not to have your home. Not to have your job and not to have your bank account because both my credit unions, both branches were underwater.

(10:26):
It's a very unique situation but Hancock Bank tremendous opportunity to build both their data centers out in Dallas and then the one out in Atlanta and then became the first data security manager there, being the VP of Information Security there short, shortly after for about seven years. A lot of great people in New Orleans. I still love that town and everyone I worked with. What's really interesting is the information security team that's

(10:47):
over there is pretty much the same team I hired 12 years ago. Maybe one or two people have left, but it's pretty much the same people. Went from Hancock Bank over to Ernst & Young. Ernst & Young had me flying all over the country doing cybersecurity work on their FSO practice. Before I went to Wells Fargo, I did the group information security officer. There are, I did a lot of risk management.

(11:09):
I used my technical skills, my incident response technical skills there while doing audits and assessments. And then moving on to Cofense. I was the Senior VP of Professional Services. I ran their phishing defense. I built their phishing defense center when I was there. That went worldwide. And then Booz Allen Hamilton is where I spent about three years working on big commercial customers, cyber fusion centers, building

(11:32):
security operation centers. And at that time during the pandemic for two years, I was a CFC lead for a large pharmaceutical company. Overview of who DeepSeas is, DeepSeas 30 years of experience delivering 24/7 managed cyber defense systems. Now this is several different iterations under different names.

(11:52):
But it's the same platform, the same people. When we spun out of Booz Allen Hamilton, we went through private equity and we are the company DeepSeas. So right around 260 employees and we're having 700 plus customers. Some of the offerings and solutions that we have, for instance you can see we start off really with the Strategic Advisor and Professional Services.

(12:14):
is really aligned towards helping you with decision enablement. What should you go after? What should you not go after? What's important? What's not important? And how do you build that into a concise roadmap that's measurable? That is understandable, not just from the technical personnel, but also managerial with any outside security companies that you may have to interact with.

(12:36):
We also have offerings on the managed detection and response. So endpoint, email, network, SIEM, operational technology, and of course our log management platforms that we're able to provide managed services and multiple different delivery configurations. When you look at penetration testing, surface management, we

(12:56):
have the acquisition of Red Team. So we do penetration testing inside, outside, web application code review vulnerability risk management is a big thing. Being able to keep up with patches, being able to run CSIRT, being able to manage that is always critical to your environment. So when you look at the DeepSeas MDR continuous cyber protection, so like I

(13:20):
was saying before, we have the endpoint. Where we monitor CrowdStrike, Cortex, SentinelOne, Microsoft Defender, Sophos, Cybereason. We have that network side of that too. We have our own NIDS, so Network Intrusion Detection Sensors. We also use Corelight as a platform as well to push our intelligence out. Very important to have a network TAPS. Everyone thinks you can just go with an endpoint solution nowadays,

(13:43):
but Log4j all kind of different threats are not detectable by EDRs, they're all detectable by NDRs. So you definitely still want to be able to have a NIDS, and you also want to be able to do full PCAP capture for some of the traffic, especially inside your network. Email being able to do email response. So when you respond to a phishing email, you submit it. You want to have an organization takes a look at it, analyze

(14:05):
it, and does a response back. Logs, you're looking at Microsoft Sentinel, Devo, and Splunk. These are solutions we bring to our customers to help drive some cyber risk down that they may have. And then from an operational technology perspective, those OT environments. Nozomi is one of our big partners that we do OT work with. Some of these pharmaceutical companies I was telling you about before.

(14:27):
manufacturing life cycles for medicine development for the development of the drugs for the pushing out and distribution points around the world. So just something by the numbers. Steve DeepSeas SOC by the numbers. So 2023. 82,620,000 unfiltered alerts.

(14:51):
Now out of those you had 13 million filtered alerts and then an aggregated alert of 7.3. Now, out of all that volume that you're getting, 'cause you get a lot of noise from all these tools, look at 82.6 million different alerts from down level tool sets. All that gets filtered and correlated, used on our platform in order to come up with that 36,079 threat notifications.

(15:16):
A threat notification is actually an event that's deemed critical that the customer needs to know about and take action on it. And so we either send that as an item of inquiry, or we send that to them as a SEV1, SEV2, SEV3, or SEV4 event. So that's a reduction of about 99.96 percent of that volume that's coming at you.

(15:37):
That's huge. Most organizations have just thousands of alerts coming from it. I can't tell you how many intrusions I've been in where the ransomware showed up on the EDR product, there just wasn't anybody looking at it. No one was seeing the alerts, it wasn't even set to block and it wasn't even seeing all the activity in the first place. So it has to be managed, has to be cared for, you just can't plop a, an

(15:57):
EDR product in there and expect it to operate at its best performance. Now you look at our TOC metrics, that's our Technology Operations Center. A lot of different deep dives, 113 hours of deep dives with customers. It was like saying an alert went off one of the analysts needs to either work with that customer back and forth to analyze it, drill down to it, do we

(16:19):
need to get threat hunters involved? Do we need to have malware analysts involved and so forth? Perimeter hardening requests all the way to that number 451,000. I think this is a little dated, this slide, because I think we hit the we're closer to the 500,000 mark. But when you look at how many total endpoints that we manage from multiple different platforms, and sometimes in the same context.

(16:41):
Imagine there's a merger, there's an acquisition, you're going to need to manage CrowdStrike on one end, for instance, while you merge in a company that has Carbon Black. How do you provide comprehensive security to both of these? Because mergers and acquisitions are the most dangerous part of an organization or company's life cycle. Ready made detections. How do you keep up with all that?

(17:02):
If you look at an internal intrusion detection capability or an internal SOC capability, just keeping up with SIEM use cases and endpoint use cases and network rules and YARA rules and so forth. That's a lot of work. Why have to do that for one customer one time? Do that internal. That's where we maximize our ability to scale.

(17:24):
And we're able to do this for hundreds of customers on be able to provide these use cases, keep up with them, make sure they're accurate and then deprecate them when they're no longer needed and take those out of circulation. Too many, too often people just keep throwing rules out there. So if they have 5,000 rules, I could just say how many different rules, but some are so irrelevant, they're not even needed anymore. And then you, that all needs to be cleaned up.

(17:46):
Then when we start talking about industry leading services, like getting into mean time to detect, mean time to contain, and then what's your IR onboarding? What's really interesting, mean time to detect in some of these, you have some customers, or let's just say some EDR product vendors, that if that EDR product saw a malicious file and ate that malicious file within three

(18:09):
seconds of it landing on disk, they would count that as part of their SLAs. They would say, yes, I'm supposed to respond in 20 minutes for a SEV1. But we're always responding in less than less than a minute. And the only reason they can say that less than a minute is because they're taking credit for what the product will do normally the same way as if someone would take credit if antivirus killed a file that's on something.

(18:31):
It's ridiculous, but too many people don't understand the details from it. So when they're able to say they were able to respond in seconds, that's bullcrap. There is no human vetting of it. There's no contextualization of it. There's no QA of it. They're just pushing stuff out as quickly as possible. When you look at what does all that do, okay, we have great SOC metrics.

(18:52):
We talk about how many unfiltered events. We talk about how many deep dives we go into. We talk about how many ready-made detections and what's the time period, but what does that do at the end of all this and how does that help and you look at how does that save customers? We did 88 ransomware attack preventions last year, pre-encryption we were able to catch things, shut things down.

(19:13):
So rough estimates about 135 plus million in ransom payments was prevented around the average ransom payment. Ransomware payment we're seeing is 1.5 million. And 1.2 million worth of savings for a mid market customer. So you can see where just this efficiency on that on the bottom right here shows just how we're able to do a lot of things with a lot less.

(19:37):
From a threat intelligence perspective, there was a 424 percent increase in small business breaches just a year last 43 percent of those were against small business. 60 percent of small businesses are victims of a cyber attack, go out of business within six months. I saw that in several of the banks that I worked at. I had a crane company that got hit with an ACH fraud and it was part of a

(19:59):
BEC attack and they lost over $500,000 and the company went out of business. 15 people were laid off when that occurred. They didn't have a cyber insurance policy, so there's no way to get those funds back. So you can see where some of those hits are 2.2 million a year. Healthcare is an industry that's most at risk for most of those cyberattacks, and it says 14 percent of businesses rate their ability to mitigate attacks as

(20:22):
highly effective, only 14 percent of them. A ransomware attack that really manifested into the real world, so Colonial Pipeline was argumentatively one of the most high profile ransomware attacks of 2021. I know I was in Charlotte when it hit and I didn't have gasoline at that time because it interrupted the pipeline. So this was an event that happened on May 7th. DarkSide Group deployed ransomware on the organization's computerized

(20:45):
equipment and it manages the pipeline. It looked like the Colonial Pipeline CEO revealed DarkSide attack vector was a single compromised password to an active VPN account that was no longer in use. Well, Colonial Pipeline didn't use multi factor authentication. The attackers were successful. They were able to encrypt multiple OT machines, and they were

(21:06):
able to bring the systems down. When we look at that, that was once again, VPN credentials being compromised, lack of MFA. This sounds like a repeat of today. Today 2024, we're getting the same thing. We're having VPN accounts, we're having firewalls being compromised because they had critical patches on them that weren't maintained. ASAs to Fortinets to Check Points, all of them had trouble

(21:30):
within VPN that was allowing these type of attacks. Normally, it, you would have other factors that would compensate for that, such as MFA. But in this case, there was nothing that was on there and the ransomware was able to run rampant. So we asked, what are the top 10 protective policies? You definitely want to patch those systems. You got to upgrade them. You're going to implement the 3-2-1-1 backup rule, and I'm going

(21:52):
to go over that in a minute. Thanks again. You definitely want to start looking at implementing Zero Trust. Now Zero Trust is not a product, it's a framework. So you have several products that allow you to implement and tie into that framework. But just remember, Zero Trust is a buzzword for framework. It's a really good framework. But it takes some effort and some time to really move to that network segmentation.

(22:14):
Very critical here. Why are the OT systems accessed via VPN on the Internet? That should have been a segmented network. You shouldn't have had that connectivity. You also look at endpoint MDR. There was no endpoint MDR that was there on those OT systems. A lot of the OT systems can't handle them. They're too old. They're older technology. They're not able to handle an EDR.

(22:35):
So it gets really difficult sometimes in OT where we're relegated to passive methods such as IDS sensors and so forth and SIEM systems. Now rapid eradication and recovery is always key. You want to focus on that for your systems. How do I eradicate something and recover? So for instance, if there's an intrusion or you have a malware

(22:55):
incident on a desktop in a large corporation first, one of the three. First things we do is quarantine the machine. We use the EDR software to knock it off the network. You can't communicate in anywhere on the network, but you can still work with it. You can still pull process trees. You can still pull information. You can still do analysis. You can still do a lot of things in the past. If you just turn the machine off, we lost all volatile information.

(23:19):
You went and packed it up. It got mailed off. Who knows what was running at the time? It wasn't really good way to do that. So now we're able to use those EDR products. We even deploy products like Binalyze. Will you do a forensics capture bit by bit of that machine and pull that back into your repository? New cloud. So things have really changed over the last couple years.

(23:40):
So you definitely want to do immutable and indelible storage. It's really important. Regular testing and validation. I can't tell you how many customers only probably 10 percent actually do the regular testing and validation where they do their backups. They utilize that 3-2-1 rule, the 0 rule, and they're able to actually have test infrastructure to restore it.

(24:01):
The ones I find that are best at it are banks when I was at Whitney Bank because of all the hurricanes and we had to ensure that the mainframe came back up and running. We had alternate recovery locations. Not all businesses can afford that, but obviously 20 billion banks can afford that. Educating your employees what to do, when to do, how to set things up.

(24:22):
A lot of times employee education, they're the first ones to tell you something's not going on or somehow my account's logging on, or I'm getting an MFA prompt, I never logged on to that system. They're always your first line of defense to be able to call in. And then that cyber attack playbook, I can't tell you how important and critical it is that you work to walk through what your incident response plan would be.

(24:43):
Okay, so we have either a malware situation, we've been contacted there's an intrusion detection alert that goes off, there's some kind of stimulus that tells us that there's some kind of event that we need to respond to. What do we do? Who do we notify? What actions can we take? And what preventive controls can we take to contain it? All that kind of stuff has to be thought about ahead of time.

(25:04):
Many situations, I get called into an incident for a customer, they were never a customer of ours. They came off through some business relationship. We don't even know who they are. We put them through the sales cycle. We get contracts, we get on the phone. I have no idea how their network is set up. I have no idea how their cloud infrastructure is set up. You're literally having to start from scratch and ask, okay, what is it you do for a living?

(25:25):
And that takes a lot of time to get up and running. But one of the things you want to work for is towards that playbook. Who do I call when and in what situations? And most importantly, who don't you call in these situations? You always have the tactical law enforcement type side of it, and you have the political or management level side of it and the tactical people need to understand how to communicate up, what to say.

(25:47):
Using real words that can scare, such as the word breach. We don't say the word breach that has a legal connotation. So you're going to say there's an incident that we're dealing with and be able to quantify it correctly. But the big one here we wanted to focus on really is that implement that 3-2-1-1-0 backup, which is three copies of data. You wanna have it in two different types of media, so tape or

(26:08):
optical or some other type. You have, one of them is offsite, one of them is offline. And then you'll have zero errors on a restoration test. So you restored it, you had zero errors. So that's really the rule to ensure availability of all your data. Now I'm gonna switch focus here a little bit, and this is dark web market.

(26:30):
Some live things that are for sale right now. You'll see on the far right here, this is the monthly threat intelligence roll up from DeepSeas. So you can always go to www.deepseas.com. You can look for that threat intelligence posting. And we do that every month. But you can see here, just there's accesses for sale. So you can see there's an actor on a crime forum was selling RDP access to a New York based

(26:52):
private equity company with 3.5 billion in assets under management for $2,000. What a steal, what a deal. Yet another actor on the RAMP crime forum was selling domain and local admin access to a U.S. based enterprise with 10,835 hosts in five trusts and USD 546.1 million in revenue.

(27:13):
They would not name the industry vertical or a price.
So the way this works: these are initial access brokers, so they have compromised a network somewhere. They get as many statistics as they can, what kind of revenue, how many PCs there are, and so forth. And they sell that access to other people, and then they go find other access.

(27:33):
They don't have to worry about exfiltrating it, they don't need to worry about lateral movement, any custom malware, they don't have to worry about anything. They just have the access, they get it through a phishing campaign or some other means, and then they're able to sell it on these crime forums. So if you see your company, and this is always a good reason to have threat intelligence, so for all our customers, if we saw one of our customers pop here

(27:55):
and it looked like their credentials were on a crime site here, we would notify and say, hey, there's an admin account being sold that's for your network, it's $2,000 or it's $4,000 and so forth. We'd do an immediate response on that customer site and then poison all those admin accounts and have them reset. We'd also try and figure out if there was an intrusion, do a compromise assessment.

(28:17):
That's always good information. So what is the traditional approach? We're talking about the traditional approach before, so you see here in the top, you can always start it off with that spam filtering. So we got tired of annoying emails. We got tired of annoying pop-ups and so forth. So we have spam filtering that looks at content, makes

(28:38):
decisions based on content, right? And then you have known rogue websites: these are C2s to a certain unknown bad actor, or these are rogue websites. Those are able to be blocked by web filtering. Now, you have legacy AV that steps up, that goes a little bit further than just the web filtering, but also does the known malware and the known zero days.

(29:00):
As well as fileless attacks and then exploits, or something that next-gen, or regular legacy antivirus, doesn't stop. So you have where they'll stop normal malware; legacy antivirus really does not stop zero-day attacks or unknown malware. They definitely don't stop fileless attacks that run purely in memory. They need something to be written to disk in most cases.

(29:21):
And then just new exploits, very difficult for legacy antivirus to see that. Next-gen AV was created, and you can see where it can cover a lot of those different areas. But it was still lacking in several other capabilities, which is where we moved into the detection side of this, which is EDR. EDR sits on the top of this; I think of it as advanced

(29:42):
antivirus for the most part. This allows us to communicate with these different parts of the stack, as well as manage them, quarantine the host, run incident response toolkits, and so forth, right off of the EDR host. You can also do threat hunting, get very detailed on what process goes where and does what, and it also can plug into different repositories, such as VirusTotal

(30:04):
and some of your other intel repositories. Allows you to detect security incidents. Allows you to contain that incident at that endpoint, allows you to get into an investigate mode so you can look at those security incidents, start to correlate different events, and then provide some of those remediation guidelines. So this is how we have progressed over to EDR being kind of the de facto

(30:28):
standard. So you've got to ask yourself, okay, where do I find out where I need to go for EDR? It's always been this is the standard approach: you go find some website; in here it's eSecurityPlanet.com. But you go find a website, someone's done some analysis between the different EDR vendors. It'll tell you which ones have rogue system detection, which one has these different features.

(30:50):
I love seeing, do you have the ability for custom rule sets? Being an MDR, we create custom rule sets based on new threat actors. We need to be able to push that and inject that into our MDR products that we're supporting. So we'd like the custom rule sets, rogue system detection. That's always good. Rogue detection, discovery, they're called different things, but essentially that allows you to find out if there's a host that's joined

(31:12):
to your domain that does not have EDR. A lot of times that becomes a source of your intrusion. So you want to be able to indicate how many machines you have total, then what's the delta that have or do not have EDR on it, and the rogue system detector helps you find that out. And then you'd look at the analysis of that. You can see you can break that down on several different dimensions.

(31:33):
How does Microsoft Defender for Endpoint work compared to SentinelOne? I can tell you, when it first came out, being in cyber 24 years, in the beginning, Microsoft was a curse word if you ever used that for a tool in security; it just had a horrible reputation for security. Microsoft's server systems or workstation

(31:53):
systems were breached commonly. So now, just to see the product move towards where it's a really robust product. Microsoft did a tremendous job on it. I was actually quite surprised; their Defender product is hooked into the kernel at a level that gives you telemetry that other products do not. It used to be slow, I think, for containment.

(32:14):
It's all very important to understand what you get, what you don't get. If you are interested in BEC attacks, like I want to track this email and did this person open it? Did they forward it to someone else? By default, unless you have the P2 licensing of the E5 license, you're not going to see that information. So you want to make sure you have Premium P2 level logging turned on.

(32:35):
That allows you to see the BEC attacks. By default, you don't have that. You'll just see some cursory log information, but just like anything in Microsoft, the more granular you want to get at a data source, the more they charge you, and you have to have other licensing for them. SentinelOne is a product we deploy a lot at DeepSeas. We do it programmatically. It's one of those EDRs we can script through Terraform and push out and

(32:58):
manage through APIs. It has a really good interface and it's built for not only SOC MDR analysts, but it's also built for people like myself, incident responders, when looking at different threats and so forth. But this was always the traditional approach. You go look at some leading trade rag and you go see what's the best product out there and so forth.

(33:18):
Look at the environment. Try simplifying this. This is the security landscape, and it's not even all of them. This is just part of it. The one in the red box there is the CrowdStrike, Microsoft, which I just highlighted before. So you can see it's just a speck in an ocean of different products and different services that do a myriad of different things. Now, how do you simplify all that, especially when we move into a

(33:41):
world where everything is going to connect through Azure AD. So this diagram right here I stole from Microsoft. It just shows you the hybrid identity and some of the required ports. I won't go into each of the ports here, but what I'm just hoping to show is that you're now authenticating not just with on-prem AD, you're also communicating with AD FS. You're also connecting with Azure Active Directory, and that's where a lot of the

(34:04):
applications, your SAPs, your ServiceNow, Dropbox, all that will be through that Azure AD interface. So as you go to move towards this, it's very important to do it in a concerted and secure manner. You'd have to plug into your network or connect to a Wi-Fi or something to be able

(34:25):
to authenticate to that domain controller. Now, when you replicate that into Azure Cloud, you've changed that completely. Now you have hosts off of the internet that are connecting and they're authenticating. And you can have someone from India or from Pakistan or from Ireland connecting and trying to authenticate to your network.

(34:46):
So you're going to see a ton of failed authentications. You're going to see a lot of MFA prompts coming to you that you didn't see before. You'll see a number of different things. And what will happen is you end up getting locked out on one side but not on the other, because lockouts and passwords like that do not synchronize back to the on-prem domain controller. Now, PowerShell has got to be one of the biggest holes we see in most environments.

(35:09):
So how do you plug that largest leak? How shifting technology infrastructure has been ripping holes in detection and response controls. Look at that. One of the areas we want to be able to see better is in PowerShell. A lot of these attacks are coming now in PowerShell. We're seeing it across the board as a heightened area for attackers to go through.

(35:29):
So one of the things, some of the hardening that we want to concentrate on: transcription is one. This allows Windows to capture the input and the output of PowerShell commands into text-based transcription for auditing and monitoring. We want to use PowerShell transcription. You turn that on through GPOs. We want to turn script block logging on for Base64 encoding.

(35:51):
And what that is essentially: when you're sending PowerShell commands, and PowerShell is used legitimately by a lot of things on the network. It's used in Microsoft Defender to move different signatures. It's used in administrative actions for different software packages. Now, script blocking allows you to take some of your commands to ensure they don't get obscured or they set off something else.

(36:13):
You put it into a Base64 envelope, you encode it, and you're able to send your commands on. The problem with that encoding is that when it gets logged into the logs there, locally in the event log, the Base64 goes in it. It doesn't get decoded before going into the event log. So you're just going to see this big block of string of text instead of the

(36:34):
actual PowerShell command that was run. So you want to be able to configure the system to say decode Base64, put the original unobfuscated PowerShell code in the event log, and the reason for that is now we can see when these events are occurring what the commands were, and we don't have to use CyberChef or one of those other tool

(36:55):
sets in order to be able to decode it. But there are some implications to it. So if you look down here in the bottom, I say there's an impact note. The CIS recommendations: not enabling script block invocation logging over concerns related to logs being overwritten too quickly. So they're afraid of logs being overwritten too quickly and not being retained.

(37:16):
They also worry about clear text passwords being recorded in the security logs. So there's a trade-off here. So yes, if you're doing scripts, when you're putting passwords in the scripts in order to be able to run that, could that password be recorded in a log audit file? Absolutely it could, but this is a trade-off. I would still trade that off. I don't put passwords in PowerShell scripts anyway, but let's say if I

(37:37):
did, I would have that as a trade-off, as I would want to see what that end unobfuscated PowerShell command would be. Now, as we move over from transcription, we move over to script execution. So these are policies that determine which scripts are allowed to run on a system, to prevent unintentional script execution.

(37:59):
So this control can be easily circumvented. Just so you know, this is not a security control. This is just a don't-shoot-yourself-in-the-foot control. So you have script execution policies. And there's four policies. You can have Restricted, Bypass, RemoteSigned, and AllSigned. So some of these restrictions all can be circumvented. There's about 15 or 16 different ways of doing that.

(38:22):
Being able to circumvent these script execution policies. So once again, don't use them for security. Just use them for what they're intended: to ensure they don't run on the wrong systems. Now, some of the commands you can do to see what is your execution policy. So you can get to a PowerShell prompt and run `Get-Help about_Execution_Policies`.

(38:43):
That'll tell you what your script execution policies are. And that'll be one area you definitely want to focus on. But the biggest area here when it comes to PowerShell scripting, or PowerShell security and hardening, is constrained language mode. So constrained language mode, you want to restrict access to commands that can invoke the Windows APIs.

(39:03):
Default restrictions include creating instances of most COM objects, using Add-Type to load arbitrary C# code, Win32 APIs, and some .NET methods. What this means is that PowerShell is a very powerful language. It can do a lot of different things. It's a whole C2 infrastructure if you want to be able to use it. But it's a very powerful language

(39:26):
platform, but it also allows you to tie into other things to extend it even further. So into that native API, be able to call different C code. That's exactly what they use to download malware, is that Add-Type. So I'll go over that really soon. Whenever they have code and Add-Type on the side of it, normally you'll see a URL, you're going to point to some code over there, and it's malicious.

(39:49):
So here's some of the quick examples of some of the tactics that we're seeing. So on the screen, encoding script contained in Base64. So for those who are on the audio only on the podcast here, I have this function called invokeEvil. And that function has a variable called $code. And I put a Base64 encoded malicious URL into that variable.

(40:12):
And then I run that string and I convert it from Base64 to code. And then I invoke that expression. That's a very basic way that this script runs. It takes Base64, assigns it to a variable, takes that variable, does a System.Text.Encoding Unicode decode, and formats that Base64, and then takes it

(40:33):
and does an Invoke-Expression. And that is invoking a function. That's another very powerful thing that you want to see. If you see Invoke-Expression or Add-Type, that's definitely a sign of something you want to take a look at. Now, being resourceful, most of these anti-malware engines implement Base64 encoding emulation. What they'll do is they'll see Base64 in code and decode it and emulate what it

(40:57):
would do if it was allowed to execute. It does a lot of those different kinds of tests and controls. Since we also implement Base64 decoding emulation, we're also ahead of time. On the second part of the screen here, you'll see encoding script with an XOR function. I wanted to include this. A lot of times these malware writers, these threat actors, will

(41:18):
throw a chunk of data, like an XOR chunk of data, into their obfuscation. What that does is just meant to break your analysis tools, meant to be this chunk of data you've got to work around to figure out what to do with. So it's just meant to mess you up. AMSI, the Antimalware Scan Interface. Now this is for you developers. When you're developing your PowerShell scripts, you want to

(41:38):
be able to have it de-obfuscated. You want to have it tested against an antivirus engine and a lot of different things. Now imagine your application allows scripting. It can accept and execute arbitrary scripts using a scripting engine. Now, when that script is ready to be executed, your application can utilize the Windows AMSI API to scan the content.

(41:58):
Now, by integrating AMSI, you can effectively detect and prevent script-based threats. Now, ultimately, the scripting engine needs to process plain, unobfuscated code. This is a critical moment to invoke the AMSI APIs to ensure the script is safe before execution. This is a framework. It allows you to be able to plug into this, whether you're doing PowerShell

(42:20):
scripts, VBScripts, other applications, you're allowed to use some of their DLLs. You're also able to tie into third-party antivirus engines that may already be on that framework. So definitely want you to check out the AMSI capabilities. Right here is a screenshot of an encrypted hypervisor.

(42:41):
So this was on a malware, a Royal ransomware event that occurred. They hit the ESXi hypervisor and all 120 virtual machines were down, and it was pretty nasty. So that's the only picture we will get, off of a guy's phone. But you have to remember too, your ESXi, your VMware hypervisor, you want to ensure that's locked down, from

(43:06):
the root passwords as well, because if they compromise the root password, they can get into the ESXi hypervisor and then encrypt all your virtual machines. They don't have to go one by one. They can just encrypt the server that they're all on, and that takes out all 120 of them at a time. We want to talk about, what does good look like? I thought that was important, to understand what good looked like.

(43:26):
We talked about this earlier: cybersecurity success requires technical depth and business alignment. For the longest time coming up through the ranks, there was a lot of technical alignment, technical depth, but there was no real business alignment; business didn't know what to do with it, mostly. So the way you want to start off is you take your industry, you understand what your regulations, your standards, and what you have to comply

(43:46):
with from a business perspective. What are the frameworks that are in your industry? What are the contracts and insurance requirements that you have there? What are some federal regulations that are required? What are just some security standards that you want to make sure that you adhere to, whether your business has PCI requirements because they take credit cards? What you want that to do is you move up from business to the depth of

(44:09):
business integration on that top left quadrant, and that's risk aligned. So you want to have risk, cyber risk management. You want to have strategic threat intelligence. That's always very important. Most people pass on that. And you have to have security plus business partnerships to be able to understand that. Now that moves to that right quadrant of cyber tradecraft. So that's saying I need

(44:32):
an incident response management program. I need a cyber fusion center where I'm melding these capabilities together. I need threat detection and engineering. I need threat hunting. I need continuous attack surface management for vulnerability management, and so forth. So once I have tradecraft-led capabilities that I need, that goes down to product vendor enabled.

(44:53):
That's when I start looking at who do I need in my prevent stack, my detect stack, my response stack, and so forth. What products align to that? But what you'll end up seeing here is you'll see the complete opposite. And I swap this around. Most environments that actually fail to bring their technology in to drive cyber risk down, they do it because of this reason right here.

(45:15):
They go from product vendor enabled. They start off with going, I like CrowdStrike. So I'm going to put CrowdStrike by the prevent. Now I'm going to go up to the top left and I'm going to see what tradecraft can that product fit into? Okay, I'll have to figure out what box that goes into. Okay, now I'm going to figure out where CrowdStrike goes into cyber risk

(45:36):
aligned, and then into my regulations. What a backwards way of doing it. No wonder we're never successful doing it this backward way. Once again, moving backwards, we want to be able to start off with our compliance, what are our risks, and we're not going to go the opposite. Now, how does that all come together in cybersecurity?

(45:57):
How do you, at the DeepSeas level, how do you piece these services together to deliver them in a comprehensive way to hundreds of customers, versus the ability just to deliver for yourself? So we structure that in this manner. It helps deliver services on our customer side, but this is just the most logical way of thinking about it anyway. So you have the platform-based services, which is that outcome-based managed

(46:18):
service, like continuous 24x7 coverage, your threat detection orchestration, your behavior analytics, threat hunting. We do that through that 24x7 MDR. Managed detection and response for endpoint, network, OT, email, SIEM, and of course your logging through ThreatWatch. Now that's that blue box. Those are those technical capabilities that align.

(46:40):
Now you have that really deep dark blue box over there. That's your OT assessments. Those are for organizations that are manufacturing, pharmaceutical; they have an operational technology environment they have to account for. We have capabilities there that are aligned as well. You're welcome. And then from an incident response perspective, so we have incident response. We have a retainer that we use through our partners.

(47:00):
We have an internal incident response capability, but it's really aligned towards servicing other incident response companies. We do not want to be a DFIR company ourselves. We're focused on providing platform-based services to those types of companies. Now vCISO, that's an offering, that's one I run. We do virtual CISO advisory, really three major flavors there.

(47:21):
So you need a strategic advisor for only a few hours a month, versus you need someone who's riding shotgun with you on the program, driving strategic change and remediation. Or do you need us to run the office of the CISO and be that entire capability, staff augment for deployed labor? So that's one of our bread and butter services that we have there, and that all

(47:43):
aligns towards and helps us with the goal of how does that get all put together? So when we build a cyber fusion center for a customer, we start to build these discrete functionalities together with each other through playbooks, and those playbooks get implemented through technology. So you can see up at the top left here, you have the CISO function. The CISO puts in a request for intelligence.

(48:06):
That intelligence goes to the CTI. So what is a request for intelligence? Hey, I would like to understand what are the risks that my industry has and what are the risks I have, particularly given my city, my geographical operating environment, given my technology stack and a number of other factors. CTI helps to give contextualization to threat reports that are coming

(48:26):
in and systems that may be affected. So right now there's vulnerability assessments that come out from every major vendor. Imagine having to pore through all those to figure out what's actionable, what's not. That's what your ASR function is, or attack surface reduction. Within attack surface reduction, you have hardening of operating systems and servers and desktops and network equipment.

(48:47):
But in ASR, you also have the patching and the software management pieces, which are critical. You have incidents and you have CSIRT where there's a critical vulnerability, such as Log4j or SolarWinds or one of those big ones, that goes over to the vulnerability management team. And you can see that being escalated to them. And then all that plays into a playbook where you have who

(49:10):
contacts who, when, where, and why. Always trying to get to that program delivering reduction in mean time to detect. This is where you'd have before, where you have this big long line here at the top. Mean time to detect is the time that anomalous traffic is generated in an environment to the time that an alert is triggered manually.

(49:32):
That time that comes over towards us. The alert there is deciphered in the CFC. And then it's made available, aligned, and then dispositioned, where you have a true positive or a false positive. Now they go into a notification period. Then that threat notification is acknowledged, then it's mitigated, and then we're in recover. So a lot of times, we'll come into a customer's environment, this is

(49:54):
all broken, and the process doesn't even finish most of the time. So you want to be able to analyze that, use a platform to get to where afterward you have just a very streamlined approach towards how do you handle low-level, high-level threats, level one, level two events that are occurring. You use a product like Carbon Black, it's chatty as can be. There's thousands of alerts that are popping out all the time.

(50:15):
It's really hard to narrow and tune that down. We had to do a lot of tuning on that platform. Now, what are the top areas of focus? What should we focus on? That first one for me, Azure AD migrations, migration trip wires, this is happening a lot. So architecture change is not understood well enough to account

(50:38):
for monitoring sensors, data flow, and tool rationalization. That's definitely one within that Azure migration column. Then you have the second one: key cloud security components are missing or overlooked. There's a rush to cloud for authentication, infrastructure, exposing complexity, exposing the company, O365 attacks, I went over that

(51:02):
a little bit earlier. MFA is still not universally deployed. I thought that would have been a no-brainer. We would have had that a long time ago. But no, we still have MFA challenges. Now, the number two on the slide here is firewalls are getting breached regularly. We're seeing ASAs, we're seeing Check Points, we're seeing Fortinets. They're getting breached regularly here.

(51:22):
Not keeping up with patch management and not having a good architecture for it is really the key here. There's a lot of security configurations people don't turn on. They turn them off. So really having someone knowing what they're doing, I always suggest like a firewall management service that's able to take that 24 by 7. They're monitoring the configuration, updating it, and so forth. When they do massive upgrades because of some patch, you at least know there

(51:44):
is a team behind you that's doing it. And so that's always very critical. PowerShell, number three, PowerShell lockdown. Restrictions are not enabled and attackers can easily run freely. We've seen a lot of this. Logging is not turned on by default. Logging configuration needs to decode Base64. And then you need to consider using digital signatures for certificates to

(52:09):
verify those scripts in your environment. Also we talked about Add-Type and language mode lockdown in earlier slides. Now, new technology. Number four is new technology threats to detection. Artificial intelligence, forensics, artifacts, model compromise, that kind of stuff. Poisoning an AI model.

(52:29):
If you remember that story about that Google AI bot that became racist because it kept being fed racist comments. And so it developed that persona. So you can see where poisoning models is a possibility. And it does happen. Then you have a new shift in technology. We're having DNS over HTTPS. New protocols, DoH, DoT. Now there's real risks here because normally in an IP network, you use

(52:52):
DHCP, you get your IP address, it assigns you your default gateway, it assigns you your subnet mask, and it assigns you your DNS servers. And that's so you know how to get out of your network, you know how to do name resolution, and so forth. So every time you go to any website or need any name resolution, UDP 53 over to your DNS server does it, and we're able to collect those DNS logs to be

(53:14):
able to do threat hunting later on. What machine lookups are occurring is a very valuable piece of information. However, with this new protocol that's being turned on by default now in several of the browsers, so Firefox and Chrome, this is happening where they're turning this on. We've had two incidents that we were looking at and seeing DNS over HTTPS.

(53:35):
We didn't understand why that was happening, but it's happening at the browser level. Now you can think it makes a lot of sense. Now I can, from the provider level, not only provide you internet, HTTP, but I can also provide you your DNS settings in that stream. Now a lot of people, from a security perspective, hate this because you're combining data and control plane over the same channel,

(53:55):
which you never want to have. You want to have the control plane separate. You're going to have the data and applications on a different kind of channel, but you will notice all of a sudden you have, I don't know, 10,000 DNS queries a month. All of a sudden it goes to 200 and you don't know why. Before you had to turn it on. Now you actually have to start to turn it off or you're not going to have

(54:19):
the DNS records. Now move on to number five. We're still seeing remote access solutions abused. RDP is used extensively and should only be turned on in a JIT mode. So just in time. I'll talk about that here in a minute. JIT security controls, just in time. And for instance, you don't have remote desktop access to that server full time.

(54:41):
You go through a privileged access management request and say, okay, I'm going to need to turn RDP on to that machine and give me the credentials I need in order to be able to do the service that I need, whatever the technical maintenance is. Now, once that period is over, your RDP access and RDP services are

(55:03):
removed from the server and your access is removed from the server as well. So just in time is a much better security approach towards this rather than just having full-blown RDP open to everything. Okay. Always look at supply chain compromises. Continued MSP remote management products and services are the perfect target. If you look at Kaseya in 2021, they were used to spread ransomware

(55:25):
to all their MSP customers. So everybody that they were doing business with, they were able to use Kaseya to spread ransomware. So you always want to be critical of those who have access tools. Make sure there's a prompting. And make sure that they can't just have access at any time. Number six is configuration drift and technology debt. We're still seeing cloud change management chaotic.

(55:46):
I saw where we had a penetration on a server. We had a compromise of a server over RDP that was never supposed to be exposed to the Internet. It was accidentally given an outside IP address in Azure, assigned to it. And it became fully exposed to the Internet in that manner. In my day, to expose a server to the Internet,

(56:06):
you had to go pull the Cat5 cable out of the network interface card, go around to the front switch, and go plug it in there, and assign an outside IP address. But now you can just assign an address to an object, and it's very powerful, and so it does things that were unintended. So you've got to be careful about production change management. Definitely look at the Azure roles.

(56:26):
They're awfully extensive. So you want to make sure people are put in the right permissions group and not given extensive rights. But really start to tear at them because there's a lot of Azure roles to get to know. Privileged access mismanagement. Excessively high user roles and permissions. Admins not following best practices. And then access reviews not being conducted. I've seen admins checking their email with their domain admin

(56:48):
credentials and clicking on emails. So what do you think happens when you click on a phishing email when you have domain admin? You're going to get compromised. Everyone's going to get owned. So we can only, in many cases, give security principles to the security admins to run for these companies, but we can't make them do it in some cases. So we've definitely got to be careful of administrative control. We want to have a privileged access management system in play.

(57:11):
Changing technology trends also: IPv6, engineering of AI. So you have people that are using generative AI in many different ways, as well as how I may use it in my podcast, where I do transcriptions and I have it write descriptions for the YouTube channel and so forth. That sounds very benign, but you can imagine if somebody was saying, please

(57:31):
take this legal document with this very sensitive information and write this, or can you imagine someone taking a medical record and saying, hey, write a diagnosis for this and hand it to somebody, or something to that effect. There's a lot still to go on in that regard. But that's pretty much my presentation. I had more slides, but I really needed to keep it where it was, under an hour.

(57:52):
But if you want to find more information about this, please visit me at www.darkstack7.com and my podcast there. We'll have several links and a blog. Everybody have a good evening. Thank you. I look forward to talking to everyone soon. Look forward to some more episodes, and y'all have a good evening and goodbye. Thanks.

(58:16):
Thanks for listening to this episode of Cybersecurity America on the VoiceAmerica Business Channel. We hope you've learned some valuable information to help you be a better executive leader and navigate today's complex world of cybersecurity. Until next week, stay secure.