April 2, 2025 63 mins

Join host Joshua Nicholson, a seasoned cybersecurity veteran with over 24 years of frontline experience, as he dives deep into the high-stakes world of incident response and takes you on an exclusive dark web tour. In this power-packed episode, Joshua shares real-world lessons learned from handling hundreds of cyber incidents, breaking down the best practices, critical backup strategies, and common pitfalls that organizations face when responding to attacks.

But that’s not all—this episode also unmasks the dark web, revealing its hidden layers, the tools and techniques used to navigate it, and the threats lurking in its shadows. From TOR networks, VPNs, and sock puppets to cybersecurity playbooks and business-aligned security strategies, this episode is a must-listen for IT professionals, CISOs, and business leaders alike.

🔹 Listen now: https://podcasts.apple.com/us/podcast/cyber-security-america/id1668216285

🔹 Follow the podcast: https://www.darkstack7.com/

🔹 Connect with Joshua Nicholson: https://www.linkedin.com/in/joshuanicholson/

#CyberSecurity #IncidentResponse #DarkWeb #CyberThreats #CyberDefense #InfoSec #SOC #TOR #VPN #CyberRisk #ThreatIntel #DigitalForensics #EthicalHacking #CyberWar #DataBreach #CyberStrategy

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:05):
Welcome to the show.
Today I'm gonna talk about a couple subjects that are pretty near and dear to my heart.
The first one I'm gonna talk about is incident response.
I'm gonna go over some of the best practices, some of the issues that we're seeing in incident response.
Now as well, to take you on a tour of the dark web, I want you to be able to understand what the dark web is, what are the tools that you use to access it?

(00:25):
How do you stay the do's and don'ts, rules of the road.
I'm also gonna go over a couple other topics.
So for instance, IT security versus cybersecurity.
I think there's a lot of stuff that we can unpack as part of that.
The second one I wanna focus on is the top eight.
Lessons learned from incident responses; I have been through hundreds over my career.

(00:47):
The company I'm with right now has gone over hundreds since they've been around, so there's a lot of information to pull from.
Now, backup strategies for success, we're gonna go over what does that mean and what kind of backup strategy you wanna have.
We're gonna do some EDR analysis, what matters?
What are some of the different functional areas of an endpoint detection and response tool set that you want to be focused on?

(01:11):
Start telling you which one's the best.
I'm not gonna sit here and try to pitch you and tell you which EDR product you ought to purchase.
I'm just gonna go over some of the different areas that should be important to you as criteria for evaluation.
Now the dark web, TOR across the globe.
I'm gonna talk about sock puppets.
Sock puppets are fake identities or research accounts that's used

(01:32):
for us to get on the dark web.
We either have to negotiate with threat actors or we have to be able to do a number of different things from a research perspective to see what vulnerabilities and also what sensitive accounts are being sold on different forums.
You can't do that with saying, here I am, Joshua Nicholson.
They would trace you to your family.
They could harass your family.
It would not be good.

(01:52):
So there's several reasons we use sock puppets.
Now, VPN services is another technology that helps us do some anonymity before going on the dark web.
So I'm gonna show you some free VPN services, how you wanna make sure you don't have what's called DNS leaks.
That just robs your anonymity.
And then we're gonna talk about TOR onion routing and TOR onion browser, the

(02:12):
different circuits as well as TOR bridges.
The last section we're gonna go over is what good cyber looks like.
Now we go over some PowerShell security hardening.
I give some examples of PowerShell techniques attackers use, and then technical depth in business alignment.
I also wanna talk about wrong methodology.

(02:32):
You're gonna see where I show you a methodology that I see make horrible problems for us in the future, and I think you ought to avoid.
Now, how does it all come together?
I'm gonna go over security operations, runbooks, playbooks.
How did that kinda work?
I'm going to give you an overall graph or business process diagram that just shows you how the pieces and parts of cybersecurity work together.

(02:54):
How do they plug in together?
And it's just demonstrative.
Then I'm gonna talk about metrics that matter.
MTTD, this is important to me.
I see this all the time with different MDR providers that provide 24/7 monitoring of endpoint detection and response tools.
Now they use a lot of different terms and SLAs and response times,

(03:15):
and I go over that architecture.
Now, one thing I never really went over on this podcast very much is a lot of my background, but this was important.
This is a presentation I gave at the ISC2 monthly meeting.
So I'm from New Orleans, Louisiana, born and raised.
I moved to Charlotte, North Carolina around 2012.

(03:38):
I have been in cybersecurity for nearly 24 years.
I am mostly, primarily focused on incident response, security engineering.
I served as senior delivery executive.
I oversaw multiple complex enterprise accounts.
So my background is really on that enterprise side.
An example, I ran cybersecurity operations many years ago for Bristol Myers Squibb.

(03:58):
During the pandemic, during one of the most difficult times in our nation's history, I served primarily as an incident response commander.
So what an incident commander is, during major incidents and events, you provide that strategic counsel to senior executives, board members and so forth.
You help make decisions on what to shut down that could have impacts of millions of dollars.

(04:18):
Your job is to run highly technical teams to be able to communicate to their management team in order to have the best outcome.
Now, part of my specialty really lies on being a SOC leader, specializing in a hybrid delivery approach, where you're combining managed detection and response 24/7 with onsite incident response teams.

(04:39):
Now coming up from my background, I spent five years active duty in the Marines.
I started off at Northrop Grumman afterward as a sys admin.
Started my cybersecurity career at Hancock Bank in New Orleans.
So did about seven years with them.
Phenomenal group of people down at Whitney Bank, cybersecurity consulting at EY.
So I was a manager for EY, moved me to Charlotte.

(05:00):
Told me I was gonna do a lot of work in Charlotte.
That never happened.
I was on a plane for two plus years, I know about two years, and got a wealth of experience.
Did a lot of work on Wall Street in New York and in California.
Then I took, had to get off the road.
So I moved over to Wells Fargo here in Charlotte.
I was the vice president and group information security officer for consumer lending division.

(05:21):
I had credit cards, mortgage, and car loans before going to PhishMe, before going over to Booz Allen Hamilton.
At Booz Allen Hamilton, we were doing, we were on the gov, not on the government side.
We were on the commercial side.
Had to build managed detection response, incident response for a lot of large customers.
Before we spun out into a new company called Deep Seas.
So there's a number of us from the Managed Detection Response team called MTS.

(05:47):
And we spun out into a new company called Deep Seas.
And with Deep Seas, I handled service delivery, the vCISO team, incident response, was also a member of the senior management team.
And so about four months ago where our, one of our major partners, Surefire Cyber, and we're doing so much business together, made sense.
But I moved over to Surefire Cyber and I am the Incident Response Director

(06:10):
for advisory retainers and resiliency.
So that is a phenomenal company.
If you're not familiar with Surefire, I'm sporting the shirt here.
If you're not familiar with us, please go Google us.
Check us out on surefirecyber.com.
But we're focused really on an incident response market, and that's pretty much all we do.
We focus on that.
We have a lot of insurance companies, a lot of brokerages that we work with.

(06:33):
And our business is doing nothing but exploding and we are hiring every month.
Now before we get into this episode, I want to go over what's gonna happen on the next one.
Give you a prelim to that.
So you see on episode 36, we have open source intelligence collection, reconnaissance and footprinting.
I always thought it was really important for those who are not truly highly

(06:55):
technical, more risk management focused, GRC focused, to at least understand OSINT and understand what kind of footprint, OPSEC that you have within your environment.
Where are we leaking out information?
What areas we should clean up and not have so much information out in the public.
We're gonna go over what's active and passive collection.
We're gonna do some target reconnaissance.

(07:17):
What's footprinting?
We're gonna do some OPSEC as well as Google hacking.
And dorking.
I love Google hacking and dorking.
You always tend to ask yourself why they keep finding these secure shell keys out on GitHub and in these different repositories.
You actually, you just Google search for those private SSH keys and you'll be surprised.
What public websites, social media, always a good area to be able

(07:41):
to pull information about a target.
Now if you look over on the right here, that's what this episode is, Cybersecurity Battlefield Insights, Incident Response, and Dark Web Safety.
These are the QR codes to that, and I really appreciate everybody can follow us on YouTube.
We're on Apple Podcast, Spotify, about five or six other platforms as well.

(08:02):
Amazon, you could just go to Amazon app and we're on Amazon Music now.
This is the cybersecurity landscape now.
This is what we see that confuses so many different people.
This is the sea of different tool sets that provide security to do something within our ecosystem.
Really difficult to figure out what tools you need, what's your

(08:23):
approach and how you can handle that.
Now one of the areas I think is really important to go over is IT security versus cybersecurity.
Now we recognize the main, the maintaining a true partnership and cross integration with customers and service provide critical operations to success for a cyber defense mission.
So we talk about customers all the time and it's not just you wanna

(08:46):
have that customer mentality, even if you're at a company, you are working at a company for itself.
You want to treat the rest of the company, the other departments, as customers.
'Cause you are providing a service to them.
If you stay in that mentality you're gonna do well.
So when you focus on threat protection, for instance, that first box, that's cybersecurity.
We do threat intelligence.

(09:06):
You work on what's threat detection, phishing exploits, malware, credential phishing.
You do threat response for containment.
Response.
I can't tell you how many times I've seen where companies went to contain a threat on a machine and end up locking themselves out of it.
I've seen 'em use conditional access groups and lock themselves out of Azure, and I have to call Microsoft for emergency access.

(09:27):
Now, threat hunting, you got advanced actors, they stay low and they're slow and they hide in anomalous traffic.
It takes a real concerted effort to be able to find those threats.
Now as you move down the pyramid, you get to that next one.
We wanna IT security and we wanna focus on cyber resiliency.
This is a team that focuses on resource privilege management, secure configuration

(09:47):
management, network resource segmentation, security controls management.
That's your, what your standards, which are audits with your certifications and security training and awareness.
It's not just policies, procedures, but you also wanna have that training.
How do you institutionalize that within your organization?
Now, information technology as that third, that bottom pillar on the

(10:07):
triangle, that's where your network management, your routers, switches come from, compute storage on-prem or on cloud, workplace enablement, either desktop devices, collaboration, even mobile devices now, and then business continuity, disaster recovery.
That's one of the biggest, most critical items when it comes to incident response.
'Cause it plays into your ability to recover.

(10:31):
Now one of the things that was important about this episode is how do we focus on some of the lessons learned from a lot of these different incidents?
If you look at Surefire does about 60 incidents a month.
So we got and been doing that for several years now.
So we got good experience of what's happening, what's not, my prior job over at Deep Seas as well.

(10:53):
A lot of the same trends now, number one, that area is that Azure AD migration trip wires.
I see this happen a lot.
There's a rush to move to O365.
It's a rush to use online services and then just provide log on authentication that's already seamless, that everybody has username and password already, so they wanna be able to move that architecture to the cloud.

(11:16):
Easier said than done, and you definitely wanna make sure you do it in the right way.
Some of the keys there are those are security components are missing or overlooked.
For instance, there is a connector that connects your on-premise domain controller to your cloud.
Your AD, your Azure cloud, your ADs.
Now you wanna have that run on a member server.

(11:37):
You don't wanna have that run on a domain controller.
So there's a lot that you wanna focus on there.
I'm not gonna go too detailed on each area here.
I'll give you some high level, and then later on in another episode, I'm gonna drill into each one of them.
Rush to the cloud for authentication infrastructure.
We was just talking about MFA still far from universally deployed.
I see this as common.
Every intrusion seems to have MFA not universally employed.

(12:01):
Some components, some service, some log on ID, something didn't have MFA and they got hit.
Now the second thing we talk about, firewalls getting breached regularly.
Now, it used to be you'd have a firewall, then you'd have a VPN concentrator, and it was separate devices almost.
Now that never gets done.
You have the firewall, VPN combination.

(12:23):
So you would use their primary firewall to also be your user VPN platform.
Now all major firewall vendors have experienced security issues.
Fortinet, ASA, Checkpoint, you name it, they've had an issue and they do to this day.
Those major attacks that you see across the board, a lot of 'em target these firewalls.

(12:44):
Now, secure configuration management practices usually not followed.
We're seeing this still as well.
We see operating systems that are built that are not hardened, excessive permission.
We have services running that should be shut down.
We're still not hardening machines before they roll out.
Patch management, change review process is usually immature.
They pretty much just a list of saying these are patches that are going out.

(13:07):
There is real, no discussion on coverage and accountability and so forth.
So we just see a real poor patch management process a lot of times.
Then we move into the third column and that's that PowerShell lockdown.
So I'm gonna go over some things like restrictions that are not enabled, attackers can run freely.
I'm gonna go over some of that in a later slide here.

(13:28):
What are those restrictions and how you lock that down?
We're seeing logging not turned on by default.
If you have event, you have commands that are being issued in PowerShell and we don't have logging, we have no idea to find out what happened.
That seems to happen a lot.
There's some configuration management that can help turn that on.
And then logging configuration needed to decode Base64.

(13:48):
So what'll happen is you have the easy way to circumvent security or obfuscate things in security is by taking your commands and Base64 encoding them.
And when you do that, you break different security tools because they don't unpack the Base64 and have that true command that it can process.

(14:09):
So we'll go over some of that as well.
When that event comes back and it's still Base64, the SIEM's not gonna see.
It's not gonna read, it's never gonna alert.
Now consider using digital certificates to sign and verify scripts.
We see this as well.
You wouldn't have an attacker be able to drop a malicious PowerShell in an environment if you're configured that only signed PowerShell

(14:29):
scripts are allowed to execute.
So that's always something to look at.
Now, the fourth column and the fourth item we wanna focus on is new technology threats to detection, of course, artificial intelligence, forensics artifacts, model compromises.
How do you manipulate these models in order to have an output that is beneficial to you.

(14:50):
We talk about DNS over HTTP risks and issues.
If some of you haven't noticed this, but you have what's called DoH or DoT, DNS over HTTP, and one of it what that is essentially, normally you would have your DNS traffic, your port 53 name resolution traffic, would use the local DNS servers in order to resolve the name such as like cnn.com, yahoo.com, anything like

(15:14):
that to resolve it to its IP address.
Modern browsers now, Firefox, Chrome, a lot of 'em had the option, but now a lot of 'em are turning on by default, in which they tunnel the DNS traffic over HTTP to the provider.
That cuts out any data you're gonna have for hunting, that's now in the provider, and you have no control over where your machines and how name resolution

(15:36):
is happening in your environment.
Now Firefox and Chrome are not the only browsers looking to do this.
So you definitely wanna see what your browser supports and how you're configured.
IPv6, there's a lot of different vulnerabilities.
IPv6, even at the DNS spoofing level, if you don't need it, it's just best to turn it off.
Just use IPv4 and then you not translate to the internet.

(15:58):
No need to have IPv6 unless you're in some big organization and there's a specific use case for it.
I would avoid it at all costs.
Alright, so number five, remote access solutions being abused.
Now, RDP is used extensively.
It should only be turned on in a JIT methodology, just in time methodology.

(16:21):
So we see this a lot.
For some reason, people still open up RDP to the internet.
They don't have all MFA on it.
They don't have a lot of the security controls.
Real bad idea to do that.
A lot of people are scanning for open RDP all the time.
We see these get popped.
Just in time is having a process in order to allow access and to spin

(16:42):
an RDP service up when administrative access is necessary and turn it off when you don't need it.
So that service attack space is much less if you have JIT security controls in place.
Now.
Supply chain compromises continue.
MSP remote management products and services are perfect targets.
Why try to drop malware on a host?

(17:03):
Why try to compromise a system?
If you could just use the remote access tools that are built in and designed to work on all the hosts, perfect.
Perfectly always use the IT tools there.
It makes it look like a regular user and you don't get alerted and flagged on a lot of different malware that you might need to download.
A sixth pillar is configuration drift and technology debt.

(17:25):
So cloud change management is chaotic.
There's not real strong structure on that.
A lot of things happen dynamically.
I saw one incident where a person took a server and allocated an outside IP address in Azure, and before you knew it, it was exposed to the internet, RDP to the internet.
And that was a configuration in cloud.
In the old days, I used to have to take a server or take a network cable,

(17:49):
put it on the outside switch, on the outside interface on the firewall.
I'd have to and assign an IP address that's in that non-1918 address space there.
So a globally routed address.
And I would mark that off on the spreadsheet, configure that, and that's how we put something outside, completely on the internet.
Now you don't have to do anything.
It's a click of the button in Azure and the workflow management does it.

(18:11):
So very powerful cloud, very dangerous at the same time.
A lot of older systems still out there in production.
We see that a lot, several older machines that are no longer making patches or they're no longer systems.
There should be an area to contain.
I remember when I was at Whitney Bank, even at Wells Fargo, when they did

(18:32):
mergers and acquisitions, they didn't always get rid of all the old technology debt and systems that were there.
There was always this thought that they may need to get into that old system.
It had some records and some data, so you end up putting it off to the side and it never goes away.
Six years later, it's still sitting in some back closet somewhere and it's on the network and it's a threat.
It's a risk.

(18:55):
Privileged access mismanagement, excessively high user roles and permissions.
I see that a lot to get things working.
They put 'em in a lot of different groups.
I see admins not following best practices, like checking email with a domain admin account.
No privileged access should even touch the internet or a mailbox.
And if it does touch the internet, it's to download a patch to a very specific system.

(19:16):
It should go nowhere else from there.
We're still seeing the abuse of that.
There should always be two accounts, one regular account for that person to check their emails, surf the internet, has no admin rights to the desktop.
It's just there for that purposes.
And then there's a step up authentication or a checkout process you wanna do with a PIM system, privileged identity management, something like a CyberArk where you check

(19:38):
out admin IDs or you make those admin IDs checked out in some other type of process.
You do access reviews.
They're just not being conducted the way you would think they're doing.
Bosses are accessing, do you still have this access?
Do you still have this need?
They're just not being done.
Azure roles are extensive, not well used in most environments.
Most people don't even know what all the Azure roles are.

(19:59):
There's tons of them.
And they don't have groups like they did in Active Directory.
These are called roles.
Another thing that you definitely wanna focus on is enabling LAPS.
You wanna prevent that lateral movement through pass-the-hash attacks.
Now, what is LAPS?
It's local admin password synchronization tool.
So what happens in a large environment, you, let's say

(20:20):
you have a thousand machines.
They compromise that local machine, the first thing they're get to do is dump the LSASS process and try to get the NTLM hashes that are running in memory.
Once you have those, if they have the NTLM hash for that local admin account and you've made the local admin account standard on all your desktops to be

(20:40):
the same, now that they have that hash, they don't need to crack the password.
They already have the key, the hash itself.
They pass that as they connect to the machines that are to them and the other machines accept that as a legitimate key for them.
So if you're able to compromise one desktop, you're able to compromise all of them if you're having the same local admin password.

(21:02):
We don't wanna do that.
We wanna have something separate.
At my time at Avondale, I remember Avondale Ship Systems.
And what we used to do is take the host name, with a combination of a password in the beginning and a combination of some other standard at the end of it, and that was the password for that local admin.
That's really hard to do with thousands of machines.
It's not even feasible at doing it that way.

(21:23):
Now the LAPS service is really pretty easy to install.
It will handle the synchronization of different admin passwords on those environments, and it's probably the number one key item to stop ransomware.
You need admin rights to run ransomware.
You need to be able to go lateral movement.
If you can't do that because you can't do pass the hash.
It just reduces the significance of it or the probability of it.

(21:46):
A lot.
Now changing technology, threats to detection, number eight.
That's where we talked about IPv6.
Don't need it, turn it off.
A lot of vulnerabilities just at the protocol level and it's really complicated.
For a lot of people, especially if they're trying to do IPv6 permits on a firewall, it gets much more complicated versus normally just using IPv4 with

(22:08):
your 65,000 ports that are available.
Now, generative AI, there's several different models and things out there.
I really wanna focus on privileged data going into 'em, using sensitive data.
You could see someone from finance going, you know what, I don't wanna try and calculate all these numbers.
Let me just throw it to ChatGPT and see what happens.
And that has privacy and leak concerns from it.

(22:30):
Protocol tunneling and then virtualization and thin clients is one of the last areas.
Now this is one of my favorite to go over because it helps me to reinforce the master, the 3, 2, 1 rule.
And what is the 3, 2, 1 rule?
If y'all remember, Colonial Pipeline 2020, 2021, Colonial Pipeline was all over the news.

(22:55):
It impacted us here at Charlotte.
It caused us not to be able to get gasoline.
It really was a big hit.
The ransom attack was the largest cybersecurity attack to target an oil infrastructure in the United States history.
So May 7th, the DarkSide group deployed ransomware on the organization's computerized equipment that managed the pipeline.
So this was their OT environment.

(23:17):
The Colonial Pipeline CEO revealed DarkSide's attack vector as a single compromised password to an active VPN account that was no longer used.
If you recall, when I went back over those top eight things that we're seeing in incidents, VPN and MFA were right there.
Here's an example of both of those being popped and used in this compromise.

(23:42):
Now, when you look at the top 10 protection practices, prompt systems upgrades and patching, we know that's something you definitely wanna make sure that's best practice.
You need to stay up with that.
They find vulnerabilities in software versions all the time.
You want to implement zero trust model.
If you don't know what zero trust is, it's pretty much having authorization, authentication, every step of the communication.

(24:05):
It's really a framework, a little too detailed to go over in this episode.
Network segmentation, it's the same as having watertight doors on the Titanic.
So if you have one area of the ship that gets compromised, you're able to segment that ship off and prevent water from filling into the other compartments.

(24:25):
It's the same concept here.
You wanna be able to segment the network.
If there's intrusion, that intrusion, that intruder, if they went lateral, would only have access to a small set of the systems and not to the entire environment.
Endpoint MDR, not even a legitimate use.
Now to have just antivirus on your machine without having endpoint managed

(24:47):
detection and response or an EDR tool is definitely not best practice anymore.
You wanna make sure you have a capability that is monitoring your system, can contain it, and do that in 24/7 model.
Then rapid eradication and recovery.
It's always important to be able to image systems, put 'em back to a hardened state, ensure data is covered, and then recover quickly and fast.

(25:10):
What you'll notice in most big investigations, there is a preservation we want to do.
We want to ensure we have all the forensics data, we wanna figure out what happens.
Really fast.
After that, you have to move into recovery and eradication and then recovery and re-image that system and get it back into production as quickly as possible.
So you don't have a lot of time, especially in enterprises.

(25:32):
You gotta be able to determine what's going on and then recover and re-image as quickly as possible.
Immutable and indelible storage.
I wanna make sure your backups are safe.
We see several ransomware actors will encrypt your backups.
They're gonna go after your backup system.
That is what prevents them from getting paid.
If everything's encrypted and they're holding you hostage and you have it on a

(25:54):
backup tape, you're not gonna pay them.
So they wanna make sure they take that out.
Regular testing and validation.
It's one thing to have an intrusion detection system.
It's one thing.
It to test it to make sure that it works.
And when you would do it a fire alarm, the same way you would do with smoke detectors, you need to have that regular testing and that validation.

(26:14):
And number nine has gotta be one of the biggest, educate employees here.
When you say that, no, I'm not gonna buy you a gift card, and no, I didn't click.
Send out a link, please click that on your local phone.
There needs to be some education of what the local threats, the latest threats are, and how should they stay safe.
And then cybersecurity playbooks.
So cybersecurity playbooks are always very important.

(26:35):
You gotta be able to know what your actions will be in a certain situation, and you'll be able to execute it as quickly as possible.
Now, real quick, the master 3, 2, 1 rule.
What is it?
You have the first one.
Three, three different types of data.
I'm sorry.
Three different copies of data.
You wanna have two different media types, one of which is offsite.

(26:57):
You're gonna have that a data center, cloud, or on tape.
And then one is offline.
So it's not accessible, it's offline, it's stored somewhere else.
And then the 3, 2, 1, 1, 0 rule here is that zero is no errors after backup recoverability verification, which I see a lot of companies may do the

(27:17):
three copies of data, that's common, the two different types of media, eh, sometimes you have something going to tape and some are going to disc.
One of which is offsite.
Yeah.
That goes to a data center, usually it'll replicate to two data centers, or they'll put it at some other location offline.
Sometimes, we did that at Whitney Bank.

(27:39):
You would see those types will go offline to another physical location in the event you need to restore it.
And this last one, errors, backup recovery verification.
I almost never see, I never see them testing the backups.
Never try to restore data to make sure it works.
Not try to say, hey, these four servers just got encrypted by ransomware.

(28:00):
Let's test if we can restore and get them back.
This almost never happens, and that's probably the biggest thing we wanna make sure does happen.
All right.
So EDR analysis.
If you look here from the left, spam filtering, email, known rogue websites, unknown rogue websites, spam filtering, web filtering, that was

(28:21):
the solution that we used for that.
That's the one that is in, in many cases, the one we've relied on the most in the past.
Then you move over to the right from a protection perspective, you have legacy AV.
Now, legacy AV is really good for known malware, sometimes unknown malware, like zero day attacks as well.
A legacy AV does help some fileless attacks and it does help with some

(28:44):
of the exploits that you will see.
As we move more over to the right after legacy AV, they went to next gen AV, and then after next gen AV, you see them going to EDR, enterprise endpoint detection and response.
This is where we took a... Where you're doing antivirus, you're looking at files, you're looking at different websites they're going to,

(29:05):
but now we need to look at exploits.
And now we need to look at how do we manage that system.
When it does get hit, how do we put it in quarantine, allow us to do incident response and forensics but not have to physically grab the machine and unplug it and so forth.
We need to be able to do all that remotely.
So the endpoint detection response solutions, EDR market, is defined as

(29:28):
solutions that record and store endpoint system level behaviors, use various data analytics techniques to detect suspicious system behavior.
Now, EDR solutions must provide the following four primary capabilities.
Now, they detect security incidents, they contain the incident at the endpoint, they investigate security incidents and they provide remediation guidance.

(29:53):
Now if you're looking for different places to find out what are the best ones, which ones should I review?
Definitely just go to Gartner.
I'm gonna go over some analysis here in a minute.
You also open it EDR to look at now on this screen.
Some of you on the audio podcast side, listening on Spotify, on Apple, might not be able to see this.
So I'll go over some of these criteria.

(30:14):
But on this presentation, on this slide, I have a list of EDR vendors and the criteria, the functional criteria that they use, starts off with behavioral detection, automated remediation, vulnerability monitoring, device control, analyst workflow, guided investigations, threat intelligence, speed integration,

(30:38):
custom rules, advanced threat hunting, and then rogue device discovery.
Now this chart shows checks and pluses and so forth for the products that cover these areas, but I wanna focus just on what is I, what do I feel is important in an EDR product.
Now at Deep Seas, they manage five to six different EDR products.

(31:00):
From your SentinelOnes to CrowdStrike, Microsoft, Carbon Black, and so forth.
Some have different pros and cons from a managed detection response perspective.
SentinelOne is really good.
You can automate things really quickly and fast and push 'em out.
Where products like Carbon Black, really noisy, a lot of tuning, you can't automate and push a lot of stuff out.

(31:21):
You need to work with their team on their backend to deploy different instances.
So there's always pros and cons to 'em.
Some of the criteria that I find is the most important are these three that I got highlighted.
Vulnerability management.
I always like having vulnerability management tied into it.
It prevents me from having to have another product, another tool, another system.
And it's usually just a license upgrade for it.

(31:42):
It's not like you're gonna use that for all vulnerability management in the organization, but it definitely helps to tie that in.
I also like the custom rules, STAR packs within SentinelOne.
They can get a little pricey as you go up on the number of STAR packs.
Other ones don't charge you for that.
But the ability to create custom rules, or some EDR products that don't really allow that unless you buy a special license.

(32:04):
When you look at the next one is Rogue Device Discovery.
Multiple incidents have, I've been on now where they had EDR in place, but the system that got hit did not have it on, it was not fully deployed.
You can rely on your change management and your discovery process to discover these machines that don't have it, but it seems to happen a lot.
They put machines out there, it doesn't have the customer image, or it came

(32:26):
from some lab and they decided to save some money and not put EDR on the machines that are on the lab.
And they end up getting hit and they used lateral movement from there to cause havoc.
So Rogue Device Discovery says, Hey, I see this other Windows machine here and it doesn't seem to have my agent on it, alert.
And that's something that can help you manage your infrastructure.

(32:47):
This just goes over some of it, like if you go to the previous one, eSecurityPlanet.com is where I got a lot of this data.
If you want to do some analysis between different EDR products, I definitely would go there and do that.
This just kinda shows you some of the grading points they give for detection, response, management, deployment, ease of use, value and support.

(33:07):
Those are always things you wanna worry about when you're choosing an EDR provider.
How good are they at detecting things?
How can you respond, and what's the workflow management, all the way up to deployment.
If it's really hard to deploy the agents and configure 'em, that's always something to worry about.
So I covered a lot there in incident response.

(33:28):
And the next phase of this presentation, I wanna move into the dark web tour.
I wanted to give some interest in the dark web.
What is it?
What isn't it?
And go from there.
This is what everybody really thinks.
Dark web is drugs, right?
On the screen here I got Moon Rocks online I could buy for $680.
You got Adderall, you got heroin, Percocet.

(33:52):
Black Mamba Kush online, we got crystal meth for $750 and we got fentanyl sold as a liquid and powder for sale for $860.
Looks like there's a sale.
It used to be a thousand dollars, now it's $860.
So this is what everybody thinks when they think the dark web.
Now this is real.
I pulled this data about a week and a half, two weeks ago, used a Tor

(34:13):
browser, up ahead, up at the top.
You can see where it is.
A long screen of characters followed by a .onion.
Those are dark web sites that use onion.
And that's where you're, this is what most people think.
Now what are, when we say that, people get confused all the time, what is the regular internet?

(34:35):
What is the deep web?
What is the dark web?
And what does it all mean?
Alright, so this is an example on the deeper.
Deep, deeper, deepest.
So this is what I wanted to focus on, just explaining what is the surface web, what is deep web?
What is dark web?
Now you see the surface web.
It's called the clear web.
It's the internet as you know it.

(34:56):
It's when you use a search engine such as Google, Bing, DuckDuckGo, news sites, social media, online stores, blog forums, personal websites.
That all makes up the internet as you generally know it.
Now they use encryption for different websites.
So encryption is not the key to if it's on the surface web or if it's somewhere else.

(35:16):
Now, that next layer down is called the deep web.
Now, the deep web is not accessible to surface web crawlers.
So the way Google, the way Bing, why they work is they crawl the internet looking for more information.
They index it, and they provide it as a searchable asset with a... the website.
So you can go to google.com, you can type in Cybersecurity America

(35:38):
Podcast and it will show you the website, provide you a link.
You click on it and you're able to see the podcast's website.
Now on the deep web, having VPN or some other strong authentication and security allows you access to medical records, legal documents, scientific reports, government resources, academic information.

(35:59):
And so far, pretty much everything that runs the world now, VPNs with MFAs are used extensively in this area.
You do a lot of private SaaS applications have exploded, dissolving the perimeter for the most part, the perimeter no longer exists.
It's the perimeter is the user.
Used to be that networks and firewalls were the perimeter.

(36:21):
Now, with cloud and applications that go everywhere, that require internet access, the perimeter's now the person, it's no longer the network or the firewall.
It's the user.
So that identity has become the new perimeter instead of firewalls.
Now we've had an explosion of work from home and that has opened the attack surface significantly.

(36:42):
When you go home, you're connecting to a wifi that also has probably four other machines that are on it, from your kids' laptop to their mobile phone, to the Xbox, to the Roku code that you have all on that same wifi network.
So it leaves you exposed.
Now when you're at home, you go to surf the internet.
You no longer have proxy services or any of that other stuff that you normally

(37:02):
would have within a corporate environment.
So it does make you a lot more exposed to the cyber threats that are out there today.
The crown jewels of our organization are primary targets, and they are in that deep web.
Now the dark web.
Okay, so let's get onto the dark web.
It's only accessible through certain browsers such as Tor browser, proxy

(37:23):
chains, a number of different tool sets used for drug trafficking, private communication, political protests, illegal information, and it's also used for a lot of good purposes, which I'm gonna go over later.
Now, some of the bad purposes: used to hide stolen data, to anonymously communicate with the hostage after a ransomware or data exfiltration attack.

(37:45):
It's a black market for drug trafficking, illegal weapons, malware, stolen credit cards, sex trafficking, and it's for unblocking news and religion as well.
Now, when they talk about communicating with a threat actor, that's essentially what my company does.
So Surefire Cyber does what's called TA Comms or Threat Actor Communication.
Someone has gotta talk to this threat actor after they've stolen your

(38:08):
data and they're in the dark web.
So we have to go into the dark web as well, and to be able to privately communicate with a different identity in order to be able to negotiate a settlement that's probably in the millions in order to be able to get data back or to get suppression.
There is a real art and a science to it.

(38:29):
Now, what is on the dark web from a cybersecurity perspective?
Okay.
I saw earlier where there's a lot of different drugs that are out there.
I know credit cards can be out there, but what is one of it from a cybersecurity perspective really is the initial access brokers.
So these are different sites that you could go to where people are selling access.

(38:49):
You have one here.
For instance, an actor on the Russian language XSS crime forum is selling RDP access to the domain controller of an unnamed large bank in a tier one EU country.
He did not show any proof of access or elaborate on the identity of the bank, so you have different people are selling different things.
Here's another one.
An actor on the same crime forum was selling domain admin RDP

(39:13):
access to a US-based manufacturer with 978.8 million in revenue.
For $6,000.
The victim remains unidentified.
So they're not gonna identify the victim until you pay.
So this is where they're selling access.
It's real easy now to steal someone's credentials and go sell it somewhere, easier than it is to actually execute the cyber crime yourself.

(39:35):
I don't have to attack a system, I don't have to find a vulnerability.
I don't have to steal data, I don't have to ransom and go back and forth.
All I do is steal credentials and I sell it on this forum.
And I'm just one small part in this whole economy of crime.
Now, if you wanna learn more, intelligence services here, Surefire Cyber has an intelligence site, I go to the website.

(39:56):
You could find that.
But I also like and highly recommend the Deep Seas, they have a monthly threat intelligence rollup that they do.
You can always go to www.deepseas.com/learn and you can get a lot more free intelligence.
Now this is just another example of what we see on the market.

(40:18):
We see that there is these PayPal accounts and the, this guy, Mr. Robot, for instance, he bought five PayPal accounts.
All of them are valid with decent amount of money, and most of 'em used, two of them for the moment, and was able to bypass PayPal's OTP when doing payments.
So on the dark web, just like on a normal crime forum, your reputation is everything

(40:44):
now here's some other websites that you can see.
Dark web websites: Western news can bypass oppressive governments' filtering through Tor, providing anonymous data drop off sites for whistleblowers.
So you see in this picture here, you got a secure drop off location.
It's a .onion site.
So if you're a whistleblower or you wanna leak something to the press or whatever that is, you can go and find these different organizations.

(41:08):
So Bloomberg, BBC, CNN, Financial Times, New York Times, Buzzfeed, the Guardian, they all have servers on the dark web.
And the reason is to provide anonymity, but also to provide news for people that are being filtered, such as in China.
China does not allow access to Western news.
So in order for them to find out what's going on, they route through the dark web to do that.

(41:30):
Now as we move over to the right, here's some other onion search sites that you can use that help you navigate through the dark web.
You have to remember that you have to know where these sites are to go to.
You just can't type it into a Google type thing and find it.
You can to an extent with DuckDuckGo for those sites that wanna register in it.
But a lot of places that have criminality on it isn't widely advertised.

(41:54):
You need to know where to find these places.
That's what makes it so difficult.
Now, what is a sock puppet and what are some of the best practices?
So sock puppets are created to isolate OSINT research, that's open source intelligence research, ensuring a separation between the personal and work lives of investigators.

(42:16):
It's essential to emphasize the importance of separating an investigator's real identity from their research accounts, otherwise known as practicing good operational security or OPSEC.
One of the things here is that when we're negotiating with threat actors, we don't want them to know who we are in the world.
They want to know who our children are in our family, so they can harass

(42:38):
them because we won't pay or we're stopping a ransomware payment to them.
So it's very important to keep our identities secure.
Now what I have here, these are platforms that don't require registration, allow users to generate a random email address.
You're gonna need that when you're on the dark web.
You have to stand up different accounts.
Everything pretty much is email based.
So you want to use some of these anonymous email providers, a lot

(43:01):
of 'em that are on the dark web.
You also want to provide an AI fake profile picture.
Here's a website that is handy, here is this: http://this-person-does-not-exist.com.
And what it does is you see on the right, you have gender, age, ethnicity, and I can create my own profile.
So if I want to create a white male from 19 to 25 years old, it will take thousands

(43:23):
of images of people's faces around the world and creates an AI rendering, combination rendering that doesn't exist.
There's no human in the world that has that face.
And so it takes a conglomeration of all these different faces.
So this one on the right, if I was to image search this on Google, he's not gonna show up

(43:43):
on a JC Penney catalog or some magazine or something that just proved that this person wasn't real.
'Cause they just snipped it from the internet.
It won't show up anywhere.
Now how do you pay in the dark world?
You got private virtual credit cards.
We have Bitcoin tumbling as well.
When you go to pay for different things, let's just say it's something that if

(44:04):
the server was compromised and you didn't want that activity traced back to you.
If you used Bitcoin that you bought from, I don't know, Coinbase for instance, once they bust that criminal on the dark web, they're gonna have all the bitcoin that, that he in his wallet that was used.
They can trace that back to your wallet, especially if it's Coinbase where you

(44:27):
have a driver's license that you had to give them in order to have an account.
So a lot of, a lot of actors use tumbling.
They will tumble that Bitcoin, it's the same as money laundering.
You take your Bitcoin that you bought, you sell it to someone else for a fee, and they sell you Bitcoin.
That is a completely different number and is matched to a completely different wallet.

(44:47):
Then of course, fake name generators.
How do I create names and how do I create whole families when I need to be able to do this?
So here on the screen, unfortunately everybody on the audio podcast won't be able to see this, but I have three pictures.
I have a little girl as number one.
I have an African American female as number two, and I have a white

(45:09):
male as number three, potentially looks a little Middle Eastern.
Now.
All three of these, I had a live audience.
I asked when everyone pick which one's fake.
And for the most part, everyone picked number three as being fake.
And I picked this image on purpose 'cause of its distortion.
You could see up here on the top of the hat that it's all distorted.

(45:30):
It's cut off.
He's got this hair that's put on the front brow.
It doesn't look like the generative AI model did a really good job creating this one.
And so everyone gravitated to that one as being fake, the girl in the middle got the most votes for being the true.
And the little girl on the left was what everybody thought was fake as well.

(45:51):
All three of 'em are now. The African American woman in the middle fooled me if I would have had to guess.
That looked like a real picture and a real person.
This Person Does Not Exist also gives you access to body types.
You can create different body types.
You don't want to be a, have your sock puppet be skinny, fat, whatever.
You can really go crazy with this.
How do I create names?

(46:12):
You have this website for fake name generator so I can pick the ethnicity that I want.
And then the name range, and it's gonna spit out a name and an address and so forth.
Now I've tried out several of these and it's hit and miss, some, right address, right everything, and then some, it's completely off.
It's, it would not pass the sniff test.
I'll give you one for instance.

(46:32):
I did an identity.
I was doing a family tree and it had one identity where it had a woman, a mother of four, and she was a plumbing inspector for the last 20 years.
I don't know about you, I just don't know too many mothers of four that are plumbing inspectors for 20 years.
It just doesn't sound right.
This has got a societal, something's not right about that.
The same way, if you look at this account, I hear, I have

(46:54):
on the screen, Donald Bigham.
It says he is a disc jockey and ambulance attendant.
Okay.
Is that possible?
Sure.
But a lot of information down here, UPS tracking number, Western Union MTCN.
So when you do this kind of work, you wanna make sure that this makes sense.
And if somebody was to start researching the identity you're putting together,

(47:15):
that address really does exist.
That person really does live there.
And a lot of this can check out if they start to investigate.
Here's the Sims family generator.
This one's where you don't have to be very creative.
They will make your home family for you.
And you can see the names just randomly here.
I thought it was funny.
You create your sock puppet and it says imaginary nationality.

(47:37):
So for instance, you have Hobbit, Klingon, or Ninja.
So I have no idea what a Hobbit family, a Klingon family is gonna be and so forth.
So it's interesting.
But they also had some really cool tools here as well.
So a credit card, ACH generation and validation.
If you wanna know if a credit card number is real.
You can go to these validators.
It'll tell you if that's a real number.
It'll tell you if it's a real routing number.

(47:59):
We also have national IDs, if this is a real social security number, UK number as well.
Now, what are some of the best practices when you're creating that managed research or managing your research account?
Number one is appear as a regular user.
Avoid suspicious behavior when setting up your account.

(48:19):
Don't reuse any personal accounts.
Don't reuse an email account you want to, because it's easier to check it there than it is.
You want complete segmentation.
You wanna ensure the account blends in with the intended audience.
If you're gonna target a cybersecurity person to phish them, to get access to the credentials, the access to the network they're providing.

(48:39):
You wanna look like you're in the role or in LinkedIn and have a persona that should be talking to someone like that.
You wanna use a VPN before Tor routing and you would check for DNS leakage.
I'm gonna go over that in a second.
Essentially I would use a VPN, I'd go into Canada or some other place in the United States and then enter the Tor network.
And the reason for that is those Tor circuits, and I'm gonna go

(49:02):
over in a minute, can be unreliable.
You're on Tor, all of a sudden you get disconnected, you're going to a site, and all of a sudden your true IP address is exposed because it, it fell.
If that happens, you want it to come back to the IP address of the VPN, not to your home network.
I'm gonna go over DNS leakage.
This is essentially when DNS queries use the local IP provider instead of using

(49:25):
the VPN's IP addresses that are provided.
Now for maximum protection, this is something I use.
I use a Kali Purple Linux VM.
It's been properly configured and snapshots created.
So what does that mean is I download virtualization software.
I can use a VirtualBox, or I use VMware ESX.
There's a couple of 'em that I use.

(49:46):
You essentially will download the Kali Purple Linux distribution from their website, and you run that as a virtual machine on your desktop.
Now, what you want to do, once you get the virtual machine up, you allocate all the memory to it that you need.
Especially when you're searching, when you're going through the dark web, it can be really intense and a little slow just because of all the different

(50:08):
layers of onions it has to go through.
So the experience is underwhelming.
But the snapshot allows, if I am dealing with malware or I'm dealing with something that I could get compromised myself on that Linux machine, I can shut it down and snapshot it back to the original configuration.
So I build it, create the snapshot.

(50:30):
I go and use it, once I'm done with it and there's a problem, or I've been dealing with something like malware that's potentially dangerous.
You go and snapshot it back to the original state.
So there is no change, there's no chance you can compromise 'cause they can't come outta that virtual machine.
And you've snapshot it back to the original IP address

(50:50):
and location. You wanna avoid VPNs during account creation, this is where social media platforms flag them with that anti-bot technology they have.
So you don't wanna be labeled from that.
You wanna use different IP addresses, like wifi to different wifi, public wifis, to mimic real user behavior.
It helps to bypass adaptive security controls.

(51:13):
And the other one is identity and profile setup.
Now use fictional details for name and identity with no reuse.
It doesn't mean come up with somebody you know's name down the street or a family member or something, it's literally fictional.
You wanna use a different email provider as we talked about, if phone verification is required, you can use a burner phone or a

(51:35):
SIM card to be able to do that.
And then you need to make it sound realistic.
And the last thing I would do is check what and tell your wife that you're doing this.
So it doesn't look like you have an infidelity account going on, honey, this is my sock puppet.
It's made to do for research.
It's not some crazy account that I have 'cause I don't, having an affair on you.
So it's very important to work that out with your spouse.

(51:59):
Now, fourth area of concern, privacy and security settings.
We want to adjust those settings for maximum privacy.
If performance is not an issue, especially if you're using multiple identities and you switch in between 'em and you can have different cookies or different settings and so forth that can leak.
You wanna make sure you have maximum privacy.
If conducting passive research, keep the account locked down.

(52:21):
If engaging actively, build a believable backstory and follow a base before going public.
So if you're gonna use a Facebook account and you need to build some followers as part of that, you need to build this persona up.
You need to be able to spend time in it, has to have a good backstory.
And if you're gonna actively have to engage this person, not passively

(52:42):
research them, you definitely wanna make sure you have a believable story.
Number five, profile photo and activity.
Use landscape or stock images, crop to remove some of that metadata.
Avoid using real people's images to prevent detection.
They, you can just Google image search things and you can find if this person is real or not.

(53:03):
So you wanna maintain natural interaction, like pages, comments, and engage periodically.
That all shows that you're a real person.
You're putting likes on things.
You've, you, you're actually using the account as a normal user.
And then six, build that credibility gradually.
Add friends to the account.
Consider how that backstory aligns with the profile and activity connections.

(53:25):
Now real quick, I'm gonna jump into VPNs.
The VPN provides a secure connection between an endpoint remote location and say the main office, your ability to connect from home into the main office, usually provided over a VPN, several different VPN technologies.
I'm not gonna get into all of them, from PPTP to OpenVPN and so forth.

(53:46):
But essentially what you want to know is it's access restricted content.
This allows, when you use a VPN, you can get around geo restrictions.
If you wanna say, I want to see a movie on Hulu that's only allowed in Europe because of licensing, where you can VPN to Europe, you have a European IP address now, and somewhere within Europe, you can now access that resource because

(54:07):
the geo lock, the VPN makes you look like you're actually residing in that area.
Torrent and throttling, prevent ISP bandwidth throttling, secure mobile data, authentication security, and then travel convenience is always a prime example, but when we're talking about the dark web, I use a VPN to stay safe before going into Tor.

(54:27):
That's the key point.
VPN to a different country.
And then from there Tor browse in, what are some of the free VPN services that are out there?
You can always go to vpnbook.com.
It's a website that allows available OpenVPN and PPTP connections.
You can look over here on the right, you can see where they'll tell you the server status.
So here's French 200 that's online, Poland, several in the United States.

(54:51):
There's a UK proxy, Canadian and two that are online in Germany.
And you can see the latest news of what VPN servers came up, which ones got added.
And you gotta remember, these are coming up and down throughout the day or whatever their frequency is.
And it's really to provide that anonymity to, to provide you access to resources

(55:14):
that you could VPN and protect yourself.
So once you've done that, once you've gone to that site, you'll download the OpenVPN configuration.
When you get here, allow you to download one of these, and then you would import it into the client that's on your Kali Linux machine.
You'll check for and prevent DNS leaks, that's coming up here.
You can also use proxychains4 for other protocols.

(55:36):
If you wanna be able to use RDP over the dark web, you can do that through things like proxychains.
DNS leak.
So a DNS leak can ruin your anonymity by poor configuration and lack of testing.
All DNS traffic should be tunneled over the VPN to the provider system and not the

(55:58):
locally configured DNS settings on the host.
If the Tor circuit was to break, it would reveal your home IP address.
So what I love this, a lot of people know how to do ipconfig /all, tells you what your local IP address is.
You need to know what your outside IP address is.
So when you go to a website and geolocate you, you need to know what

(56:20):
you're coming out as and so forth.
You used to be able to just do this.
You can still do this.
You go to www.whatsmyip.com and it'll tell you where your IP address is and what part of the world you're from.
A much easier way to do this is there's an application on Linux and on all Microsoft desktops, Windows 10 and 11, called curl, and its job is to make commands or calls out to a website or to an API.

(56:45):
So in this case, curl ipinfo.io and it will bring back a JSON object and it'll tell you what your IP address is, what city you're in, what region, and so forth.
I did this when I was in New Jersey last week for my company's all hands.
So once again, curl ipinfo.io can be your best friend.
You definitely want to check your leaks by going to www.dnsleaktest.com.

(57:08):
That will tell you if you're showing up and you're having a leak and you have an anonymity problem.
Now the core of this, the gateway to the dark web, is through the various layers of this onion, and that is Tor onion routing.
So what is Tor? High anonymity offers near impossible traceability through onion routing technology.
It's free and reliable, no dependencies on service provider, and

(57:30):
it uses a network of random nodes.
Now, some of the disadvantages of Tor is exit node risks.
Data can be exposed at exit nodes, slow speeds, routing through multiple nodes slows down connections, and then data usage consumes significant bandwidth.
It's unsuitable for metered plans.
So if you look up on the top right here, that Tor node tunneling is

(57:53):
just showing how over each of the nodes on the Tor network, it's being encapsulated, or one envelope, the message goes into another envelope, which goes into another envelope.
So what happens is, as it's moving through each of these nodes, it has full protection all the way to the exit node before it goes out.

(58:14):
So what does that look like?
You could see here you have a web client connect to that Tor bridge, usually bounce for two, two other nodes before out onto one of those dark web servers.
Now this is what a Tor browser looks like.
This is the circuit I've been talking about.

(58:35):
This is my virtual machine that I have on the left side.
This is snapshot one.
You could see where I'm on this onion site here on this dark web onion site.
And my circuit has me routing through Poland.
You'll see it says Guard.
Then it goes from Poland to the United States to Russia.
And so now my IP address is actual Russian.
Some of the people are asking, how do you come out looking like

(58:58):
you're a Russian IP address?
This is exactly how you do this. Now, very difficult to really pick.
You're not really able to pick what circuits get set up.
You can hit new Tor circuit for the site and it'll generate you a new one, but you just can't pick which ones you want from a middle node to an exit node.
You can do that with tools like proxychains4, where you can actually

(59:20):
pick what nodes you go through, a little bit more complicated, but for the most part, make it simple for users.
They generate this circuit for you.
Now think about it, if I'm VPN to Canada.
Then I'm going to Poland and then back to the United States, and then back to Russia, and then to wherever site that I'm going to, which is this dark web

(59:43):
link for the best dark sites around.
You go to this website, right?
So for me to go to this onion site, I go through Poland, United States, and Russia.
Now, not very productive at all.
You're bouncing around.
This is slow, but I at least wanted to highlight how it gives you an IPv4 and an IPv6 IP address.
Now, would you trust anything you send coming out through a Russian IP address?

(01:00:07):
You just have to assume everything.
The Russian government is sweeping up and they're looking at anything you go to.
So you definitely will be targeted more in some countries rather than others.
This is another topic.
I'm not gonna get too much into it.
You could do some research on it.
These are bridges.
So Tor bridges essentially are secret bridges where you don't know the IP address, you're gonna be told the IP address.

(01:00:29):
It's a landing zone for you to communicate, really hard to, to break that.
So you also have pluggable transports such as obfs4.
They rely on the use of these bridges.
Like ordinary Tor relays, bridges are run by volunteers.
They are not listed publicly, so adversaries can't identify them easily.

(01:00:50):
Using bridges in combination with pluggable transports helps to conceal
the fact you're using Tor in the first place, but may slow down the connection
compared to using ordinary Tor relays.
Now, other pluggable transports like meek and Snowflake are definitely other
uses for anti-censorship technology

(01:01:14):
now.
That pretty much ends that section of the dark web.
Definitely wanna go onto the next section here.
What does good look like?
This will be coming up in the next video.
I appreciate having everybody on this one.
The next one's gonna talk more about PowerShell security hardening.
We're gonna talk about examples of PowerShell techniques attackers use.

(01:01:35):
Then we're gonna talk about the technical depth and business alignment.
Okay, this is not technical, but it is business alignment that I see get
screwed up so often that I had to include that in this presentation.
What that wrong methodology is, I'm gonna show you very specifically
what a wrong methodology looks like.
Then I'm gonna go over how it all comes together in security operations.

(01:01:58):
What, how do you make all these functions, these techniques and so forth.
I ran the Cyber Fusion Center for many large customers, and I always
thought it was good to show them how we put all this together.
I talk about the metrics that matter when it comes from an MDR perspective, but

(01:02:20):
now that concludes my presentation for this podcast.
I really appreciate your time and everybody listening.
I hope you gathered some good information about incident response.
Some of the things that we're seeing in different customer sites with
things you wanna focus on that have the greatest impact to your organization.
Hopefully you've learned a little bit more about the dark web, what's involved and

(01:02:43):
how to stay safe, and I hope everybody learns something, so stay secure
and I hope you hit that like button.
You subscribe, you hit comment, and you join me on the next episode.
Thanks for listening to this episode of Cybersecurity America on the

(01:03:04):
Voice America Business Channel.
We hope you've learned some valuable information to help you be a better
executive leader and navigate today's complex world of cybersecurity.
Until next week, stay secure.