46:07 Webinar

Perspectives on Ransomware: How Hackers Infiltrate Systems and How You Can Secure Your Data

In this session, get the latest on ransomware preparedness, new trends used to infiltrate systems, and data resiliency.
This webinar first aired on June 14, 2023
00:14
Give it a thumbs up. Ok. All right, good morning, everyone. Hopefully you enjoyed the keynote this morning. Um Hopefully it was entertaining, uh, probably not as much entertainment as Shaq yesterday for those of you that got to see Shaq. But, uh uh thank you guys again for attending.
00:38
Uh I'm Andy Stone, I'm CTO for the Americas here at Pure. And um I'm gonna be hosting the session today with my friend Hector Monsegur and we'll, we'll talk to Hector here in just a second. Um But this session is gonna be a little different than the sessions that you're generally attending at Accelerate, in that we're not gonna talk a whole
00:56
lot about storage and I don't know if you're really surprised by that. You can raise your hand and, you know, maybe we can shift courses a little bit, but this is going to be all about security and we're going to talk about one of our favorite topics today. Ransomware and some broader context about kind of what's going on in the world in terms of the state of security.
01:17
How should you be thinking about security in your environments? And, yeah, what are some things you can do from a storage perspective to be prepared as these new events in the world unfold. Feel free to come on up, grab seats or several, open up front. We don't buy, I'm not gonna call on you out of turn.
01:32
Don't worry, there's no test at the end. Um, but, you know, make yourselves comfortable. I think this is gonna be pretty entertaining for those of you that especially that, that have an interest in this topic. So, uh, with that we'll go ahead and get started. Um, Hector. Would you mind doing a quick intro of yourself?
01:47
Yeah. Sure. Hey, everyone. Good morning. Um, my name is Hector. I am a former bad guy, uh, current good guy, I think. And, uh, I, I'm mostly on the offensive side. I've been a security practitioner and enthusiast for a long time.
02:03
Uh, but, but even now to this day as I'm getting older, I'm still a red teamer, pen tester. I'm still on the offensive research. Um, it's fun, you know, it's interesting. Um, as long as you're finding new bugs, otherwise it gets tedious.
02:15
I'm sure some of you can understand. Uh, security is quite boring sometimes. Um, so I was, uh, as I said before, I was a former bad guy. I was from, you guys remember back in the days, um, worked with Anonymous, worked with, uh, Fear the Beer and, and Hackweiser and all these different groups,
02:32
hacker groups in the nineties and early two thousands. Um, I was, uh, definitely someone that nobody had expected to be doing what I was doing. Um, I remember when the FBI came to my apartment and, and kind of locked me up there. Um, they, they were confused as to who I was and, uh,
02:53
the, I'm not sure they were entirely sure that I was the guy that was actually doing the hacking. They were asking me questions like, uh uh so who's, I'm like, oh, it's me, you got me. I mean, it is what it is. Let's go, let's Parla. Um But during that time, as, you know, as that pseudonym, uh with that persona,
03:13
a lot of what I did initially, we talked about this early with Andy, was very innocent minded, you know, a lot of hacking in, you know, in the eighties and nineties was about information and knowledge. It wasn't necessarily to be the bad guy. Um It wasn't until uh I got older, unfortunately, and I wanted to be cool that I heard of the concept of hacktivism, and hacktivism was kind of starting off in the mid,
03:36
mid, mid to late nineties. You had a, a group by the name of Cult of the Dead Cow that introduced the concept, you guys might know of cDc. Um And then, yeah, from there, I started attacking China. Don't ask me why, but I, I spent a lot of my time attacking China, Russia.
03:51
Um So I am uh, I would say technically an APT to, to Russia and China, um, until the FBI got on to me for hacking the FBI. So, so that's kind of where I'm at guys. So I hope that's a nice little intro. We could always go into questions later. Yeah. So I guess Hector, given that background, what do you think the current state of the market is when it comes to
04:11
security and specifically, I guess this topic of ransomware? Yeah. No, I mean, that's a great question. Right. I mean, it's, it's a conversation I'm always having with clients with people. Um, even today, Andy and I spent a whole hour on it.
04:24
Uh, so ransomware is a thing. It's still a big thing. It still works. It's still, um, you know, effective for attackers and adversaries. Um, the real core issue is, you know, the human element mostly, right? With the exception of that 5% of, you know,
04:40
where exploits are being used, zero-days, for example, um, or one-days, um, everything else or mostly everything else is, is the human element and of course, lack of, uh, policy implementation, enforcement, uh, lack of asset management, lack of, uh, endpoint security controls or technical controls.
04:56
You put all of that into one big ball and that's, you know, you have ransomware. Um, but even, even, oddly enough, even more other than that, uh, you have something like the BEC, right, the business email compromises, um those have been actually on, I would say, a much more steady rise than ransomware um,
05:13
has been effective for attackers. I think the average price according to Verizon's, um, you know, the data breach report, um they're looking at numbers like $50,000 versus 26,000, you know, BEC towards uh or against ransomware attacks as average. Um And then of course, you have exploits, right, recently in the last month, I'm sure some of you had to deal with this.
05:35
Um It's been a ton of exploits being released um against VMware, against. Uh uh um and it's kind of been uh interesting because we see patterns uh within the cyber security industry where there's a, a long low or dull time frame where exploits are not really used at all and then we'll see ransomware blow up. Um And then now we're seeing kind of like a mix, we've seen some other social campaigns and
06:00
exploits use, that's kind of where we are. Now, this one last thing I'll kind of point out there. Um And that's insider threats. It's a lot of insider threat attacks. We're seeing at least with my customers, I'm not sure if you guys have experienced that. Um But as she starts, uh you know, firing employees, especially those in the tech sector
06:16
and the tech side of things, um You wanna make sure you wanna disable their user accounts. Uh because some of you, some of these companies out there are not disabling accounts in Active Directory, um or in a, and these guys still have access and all you have to do is sell that access on a dark website or to a ransomware group and they might even get a percentage of the ransom. So it's a crazy business model.
06:38
We were talking earlier and I mean, some of these guys, these attackers, have actually just retired, billionaires in some cases, right, from the, the exploits that they've had. So Hector, um you know, ransomware has been around a while, around really since probably, you know, 2010, a little earlier. And so what makes it so effective still? Why is it still such a big problem?
07:00
Yeah, I mean, kind of going back to what I said a moment ago, right? You have the human element, which is an issue when you look at most ransomware attacks, there's some sort of social engineering taking place, whether it's a social engineering attack where an email comes in or SMS comes in. Um uh I would say SMS phishing right now is really popular.
07:15
So definitely pay into that, be careful with those. Um And so you have somewhere someone on the other end clicking on a link, unfortunately, believing that the link is legitimate, submitting credentials um or opening themselves up to long term persistent attacks where it wouldn't be a link to a site asking for passwords. It'll be a link to a site asking for permission
07:38
and for you guys that don't know, phishing is a really big thing right now and once you authorize an app to your account and you give them the permissions during that one click process, the attacker at that point or the adversary um is gonna maintain control of your account for a period of time until you either get fired, you quit or you delete your account, right?
07:57
Um So yeah, the human element is a major issue here, but there's, you can't always blame the end users, right? It's just always there's gotta be a 50 50 you gotta find a medium somewhere because another big issue is technical controls. Andy, right? You have a company, they have invested in every EDR under the book,
08:14
they've invested in every security tool, but they have zero, you know, email security controls, right? They're not blocking spoofed emails, right? They might have Proofpoint, but it is a default installation or set up. They haven't configured Proofpoint to mitigate certain things. Um They'll, they'll go with Microsoft 365 and
08:34
you know, won't pay the extra couple of bucks to do the ATP, right? The advanced threat protection where it does link scanning and so on. Um Yeah, it's, it's uh it's a complex set of issues. It's not, it's not black and white, but it's mostly human elements,
08:46
misconfigurations and lack of policy for sure. So, I mean, you talked about hacking and some of the stuff that's going on there. I think a lot of folks here think things like, uh, multi factor authentication really help to increase the security. It makes you, uh, you know, impenetrable and, and, and invulnerable to some of these attacks,
09:05
but that's not really the case. Like what, what is it, you know, about those, uh, forms of additional authentication, I guess that are, are weaker. How do you, how do you actually circumvent them? How hard is it? Yeah. No, that, that's fantastic. I'm glad you asked that question because this is uh is a conversation we need to have,
09:22
right? I mean, for years, you've had cybersecurity experts, including myself. I said the same thing because I wanted you guys at, at the very least, to move away from one-factor authentication. I, I'd rather be happy with you having SMS, right? MFA than not having anything at all. So um but for years,
09:40
you have had experts and researchers and folks tell you, yeah, at the very least set up SMS. OK. Problem with that is that you have something called the rogue telcos. Uh they exist, there's 5000 plus in the world and it could be a random telco in the middle of Sudan that's selling access to the bad, bad guys who will be able then to exploit or abuse
10:01
issues with different telephony protocols or mobile protocols. Um We've heard of stories where um APT groups are, you know, harassing someone or stalking someone or intercepting SMS messages and they're, no, they're not doing a, a secondary social attack. Um, they're not, uh, you know, kidnapping the person for the,
10:20
you know, the one time password, right? They are basically just abusing the, the phone systems, right? Um, but that, that aside, let's say, let's say you're dealing with a, with a less sophisticated actor, they don't have the money or access to, to a rogue telco.
10:35
Um OK. So, and then the social engineering methodology changes, right? Um The attacker would then do a secondary, secondary phishing campaign with, in this case, they don't need to ask for your password at all. They will just proxy you through the legitimate website, intercept your authentication
10:53
cookie and maintain, maintain persistence that way. OK. So let's talk about more MFA issues. OK? Um If an attacker is able to compromise your account and they um are able to uh you know, get access, so let's say, let's say is a great example.
11:11
Um If in a, as the administrator, you don't configure the service to time out or block or lock the account after three attempts, um then you're essentially opening the door for what they call MFA exhaustion, right? Um And that, we've seen that, I've done it before. It's, it's actually pretty fun.
11:28
Um So you just sit there, you keep pressing authentic, authentic, authenticate and eventually the victim is probably gonna say yes or turn their phone off. In my case, I did a red team job. I'm sitting across from the guy and I just started blasting with prompts until you. Ok. Um It works and that's a problem and that's also a policy problem,
11:47
right? Because if you, if you're looking at it from the administrative perspective, if an account is not able to authenticate the secondary process or that method within, let's say three or five attempts and there's obviously something wrong. OK. Um So we wanna lock the accounts.
12:04
So yeah, there's, there, there's a ton of different uh uh different attack paths, not all of them are great. Don't get me wrong. OK. Um And I, and I still believe that MFA is better than nothing. But, you know, there's a reason why you have companies like Google and Apple enforcing or pushing out the idea of passkeys,
12:22
right? Because now it starts to, you know, eliminate some of the issues from the SMS based attacks. Um You start to eliminate or, or mitigate some of the um common social engineering attacks. And now I think, and to be honest with you, now we're gonna have to wait for the researchers to come out with passkey-based attacks. So it's just a matter of time,
12:40
it's a matter of time. So, you know, we talked a lot about the technical side of this and, you know, when I look at the ransomware space. A lot of what I see with these ransomware attackers is they're, they're really not that good. A lot of them are not that technical and not sophisticated. A lot of them are more business type people
12:57
looking for who's likely to pay and what's your take on that? Where do you see, you know, the, the actual ransomware attacker fitting in nowadays? Yeah. No, I mean, that's, that's something that's interesting and I'll even give you an example from my LulzSec days: as a group, I learned to build teams based off of another group that existed called Team TESO,
13:20
I'm not sure you guys remember, remember those guys, Team TESO made a ton of exploits, right? That's back in the days. But here's the cool thing about Team TESO, they were all brilliant. They were all super geniuses, but one guy would do exploit research and find vulnerabilities. One guy would do exploit development and write the exploits.
13:36
One guy would do QA, another guy did documentation. Another guy reached out to whoever and they did marketing. It's like a five- or six-man team and it was awesome and they worked like a machine. I built exactly that way. And with, we had the two hackers, the two rooters, me and, and Kayla, or, or Ryan Ackroyd, really cool guy.
13:56
Um Then we had someone dealing with infrastructure, we had someone deal with, with marketing and the marketing side was actually funny, big shout out to, he's a funny guy. Um And so as you fast forward, you start looking at these ransomware groups and they're very similarly structured.
14:11
OK, whether they learned, you know, to kind of build that from, you know, just by chance or they learned it from looking at us and, you know, uh Team TESO and those different groups. Um is whatever, what matters is that we're seeing some interesting um you know, indicators that the initial access brokers, which is the guys that are actually breaking
14:31
into your systems or the guys that are engaging with social engineering campaigns, um are probably much more experienced and more sophisticated. Um especially the exploit side, social engineering could be half and half. Um Now, once we see a compromise take place and we see the ransomware actually um and uh the ransomware payload about to be executed, everything between the initial entry to the
14:53
execution of the payloads um is completely like watching an intern just write a bunch of commands into the terminal. And you could see that when you look at uh Mandiant reports from Google. Now, um uh that was a great acquisition by the way. And then you see uh a bunch of different um even did a uh a release recently and you're
15:11
just seeing a bunch of blobs of commands, sometimes they fail and then they'll have another person come in and try to execute the ransomware later on and try to do a lateral movement. So I guess the point here, right, is that you're not just dealing with one actor, you're not dealing with one specific capability, you're dealing with a wide range of attackers with different experience and skill sets who
15:32
may or may not be successful when you're in, in, in your environment. Um And that's even more scary than you thinking there's a million script kiddies attacking me, right? Uh Because now it's a million attackers with various skill sets and various exploits that are focusing on my business. Right? It's problematic in a lot of cases though where
15:49
I guess they hit resistance hard, a lot of them will turn and move on nowadays just because it's, it's easier to go hit the next target who might be easier to make your money and more cost effective. Yeah. Yeah. That's right. That's right. Interesting. Well, you know, I hear a lot about we, we all read about these, you know, fed takedowns, right?
16:07
And the shutdowns of various groups and whatnot. Why isn't that making a real impact on, you know, stopping these attacks? Yeah, because, because it is, it's, uh, it, the whole scene is rife with opportunists, right? I mean, if you, if you see, if you see a ransomware group or a forum get taken down, then that's a void that's left open for someone
16:31
else to jump in and take it over and make money. It's, it's a money business, right? Um, Chris Tarbell, you had him last year, right. Chris is awesome. Former FBI guy, took down Silk Road, he took me down too; it became best friends afterwards. Shout out to Chris, um Chris and from their
16:47
experience and from, you know, he doesn't speak for the FBI. But the general, the general idea is that, you know, kind of once Bitcoin became a thing, it started being used. Um It felt like a lot of those organized groups uh really just torpedoed towards financial crimes and ransomware and so on.
17:05
And so when you have that taking place, you're always gonna have an actor step right up. I mean, we talked about the Ukraine China situ, oh, sorry, Ukraine Russia situation. Um And immediately the one thing that for, for those, for those of us that have been in security for a long time, we know that um the Ukrainians and Russians have been working quite
17:24
some time together in different groups. And once the special military operation happens, uh those groups segmented and they separated and they broke into pieces, right? Um And they even had some infighting within each other with, within the groups. Um Now it feels like we have double the ransomware groups because now you have
17:41
Ukrainians over here and you have the Russians over here and then you might even have some groups in the middle that they still wanted to work with each other because there's a ton of money involved uh, there's a point that he made earlier and it was kind of like a one liner and he said that some of these guys have retired, that's how crazy this is. And when you think about the fact that these guys are gonna retire off your misery and off
18:02
of the destruction of your brand and your reputation, that is terrible to think about. And I, and I'll tell you what and I'm with you guys. Uh you know, you know, we could definitely work together and talk about the issues that these organizations are facing that allow these guys to make the money in the first place. Um We definitely need to curtail these kind of attacks um because we're,
18:21
you know, we're in a place now where we could talk about um the attack vectors and the methodologies that these guys are all using. And so I thought about, OK, how can we mitigate those techniques, tactics and procedures? Um And there's a lot of ways to do that with a budget and without a budget that that's perfect lead in.
18:40
And the next place I was gonna go is let's, well, let's talk about how do you defend yourself. So, you know, one of the things that, that I tend to talk to folks about nowadays is uh this concept of resiliency. So, you know, security goes through iterative life cycles, just like every technology space, right? And, and resilient with resiliency today,
19:00
it's all about recoverability. How do we make data recoverable after an attack? Right, because we know the attacks are going to come, we know something is going to happen at some point. So how do we prepare for that and make sure that we're in a position to recover post attack? What I would tell you and, and Hector, I wanna get your thoughts on this.
19:17
You know what I would say nowadays is backup is no longer good enough. Backup has and, and I know this is not uh an offensive statement to any of our backup partners who might be here, but you know, backup really is resigned to long term data retention and compliance. Nowadays, you don't as a business want to have to try to recover your entire environment from just backup,
19:39
right? So what we're thinking of now is how do we build these tiers of resiliency into an architecture so that you can recover from multiple forms in multiple ways? And you know, backup is still really important. You need to have it, like it needs to be there, but you want to think about recovery in terms of speed.
20:00
Is that what you're seeing as well? Yeah. Well, when I'm dealing with clients post breach, post compromise, um the biggest issues that they're dealing with is that yes, they've, they've, they've probably created policies, they may even have purchased software or they may have even created the structure necessary for even one of your tiers, right? One of the tiers you, you mentioned um the
20:25
biggest problem a lot of these companies are facing is that they did not properly implement any of it, right? And so you could debate and argue with, well, where does that come from? Is that from the CIO that created the policy? Is that from IT that didn't implement it? Is that from the that didn't verify or validate?
20:40
Right? Um And so that's, that's really honestly what I'm seeing from, from my side, from the offensive side of the, of this industry is, you know, improper, uh, implementation or validation or controls have not been uh um configured so that they actually work. Um, there are some places unfortunately and, uh, you know,
21:02
that I've seen where they have a, a mature security program, they have the CIO, they have a CSO, they have everything they need in place. They have all the tools and all the products. They have a budget, dedicated security, and their backup software or solutions or policies are lax, right? They're not backing up Active Directory.
21:22
That's one, you know, they're, uh, they have a, a central, you know, backup solution on the same network that I've compromised during the red team. Um, now I have domain admin privileges over that backup solution. Um, and they have, they have no redundancies. They'd have no, um, you know, no way to, to recover if I were to delete.
21:44
Um, or destroy that server. Um And when you see ransomware actors getting into these networks and compromising Active Directory, administrative privileges and moving laterally, one of the first things they're looking for is, well, first of all, can we write into SMB shares? Right?
22:00
But two can we take over the backup solution? And, yeah, I mean, that's a major issue. Yeah, I guess where, where we get a domain admin credentials and we move laterally over there, we can change the backup policies. We delete, but I don't generally delete data. Like I found that to be too noisy in operation,
22:18
it's a lot easier to do other things, ransom a, a catalog or an index, do that kind of stuff. It seems to be much more effective. But yeah, well, one thing I've seen, the worst case scenario I've seen, and this is a quick one here. Uh I've seen an attacker and then this, this goes out to all of you here that are domain admins on the Windows environment.
22:36
You wanna make sure that your service accounts are not in your schema group because if an attacker gets access to that account that has control of your domain schema, any changes to your domain, you'd have to completely rebuild the domain, and they would just almost instantly destroy the entire, it's done. You're done at that point. That's like talking about, uh you know, I talked about one of my favorite attacks was
22:58
time, like drifting time and, yeah, that, that would be equally as nasty. Yeah. Fun, fun one. So, you know, um, with Pure, we have SafeMode and hopefully some of you have heard of SafeMode, some of you are hopefully using SafeMode in the room. Um, Hector, you're, you're a bit familiar with SafeMode.
23:15
What do you, what's your take on, you know, using SafeMode as kind of an effective, uh, uh, component to, to, as a tier, I guess, in the protection process, right? Not the only thing we're gonna use obviously. But um, no. Yeah, yeah. No, absolutely. I mean, I, I think the, the biggest one for me
23:32
if I put myself back in the, in the um, yeah, I would say my, my old hat, my, my old black hat on and I start looking at, ok, well, if I were a black hat now in 2023 and I'm looking at um creating a scenario because it kind of forces the victim to, to pay me a ransom. I mean, that's pretty much what these guys want. They don't really care about anything else.
23:53
Um SafeMode would, would definitely cause me a, a major issue. I'm more than likely not gonna get paid because what's, what's the sense in paying me if, if your data is immutable, if your data cannot be modified, if your data can be restored. Um It's not a scenario like I laid out a moment ago.
24:14
Where? OK. I'm a bad guy. I get access to that one single centralized backup server. I have domain admin privileges on it. Um, I'll just delete everything, it's whatever, uh, or encrypt the, whatever data that's there. Um, if I take a, take control of domain admin uh on the domain controllers,
24:30
maybe I'll, uh, you know, uh, disable backup policies all across the network. Now, that's assuming that the environment doesn't have like a SafeMode situation, then it would be effective, you know, without it; then the attack would be academic at best. It would be, it would still be a, I would say it would still be problematic because now you have to deal with time, the, that the, the problem of,
24:57
well, how did, how did this attacker get inside this network? There may even still be some down time from that incident response. But at the very end of the day, you still have your data and you can still move forward and that's the kind of resiliency that really matters. Yeah, I think, you know, being able to get the business back up and running is by far the,
25:14
the most important thing, you know, one thing we didn't talk about, I think in, in terms of defense. Um and it'd be interesting to get your take on is you, the FBI uh NSA, everybody that's publishing guidance in essence for folks nowadays, you know, number one thing that they say to focus on is visibility, you know, so we've got and Elastic out in the world that are helping,
25:34
you know, provide security analytics and those capabilities. But you know what I see a lot in a lot of cases is with a normal storage, those systems turn into bottlenecks. So you can either ingest data fast or you can correlate data fast. Those are the two operations that security analytics platforms are really doing.
25:53
And if they're slow, your search results take too long to return. And that means that you're not effective in a cyber threat hunt campaign. So you, you're not effectively finding the bad guys before they do bad things, I guess. You know, what's your take on visibility overall? How, where would you kind of place that on the
26:11
spectrum of defense? Well, it's very important, right? I mean, it is, it's almost like when you look at, you know, a security. So you're building a security program and you're, you're looking at ways to deal with information and data and OK, you go with, you go with Elastic,
26:33
you go with some other servers, right? There's a whole bunch of different directions you could go, but each direction you go has its own pros and cons, right? Um When you deal with something like Splunk, we're talking about a lot of data, tons and tons of data that you have to figure out your own custom queries for in some cases, customers should go to a third party vendor to manage
26:53
that Splunk instance or go to directly to big shout out to, it's a great, it's a great tool. Um But the more data you collect, the more information you collect, um the more a problem you're gonna have where now you might have to re require or hire new human resources to deal with the data.
27:10
Um Then you have to kind of figure out what do you do with the data after you identify a potential indicator, right? If you find something that's a trigger, well, what's next again? You know, I've only seen this really work with organizations that have a mature program that have a solid foundation and they have a security by design implementation.
27:31
OK? Um You know, once you implement something like a SIEM or similar into your environment, you, you're actually adding on to that and it's very problematic. I'll be honest with you. Uh Andy, I don't, I don't see a lot of clients really handling it well and they usually end up just going with a third-party SOC service, um,
27:50
to kind of help them deal with that issue because it is, it is, you know, in some cases monstrous. Yeah, I haven't, I haven't seen a, some third parties I think are, are better than others, obviously 100%. It's a no brainer, but I think, um I generally see more effective results coming from in house teams because they
28:07
know the environment and they're able to respond more effectively. Um I wanna go back, you know, we were talking about the kind of the attacks and, you know, some of the things that you would do or were might do, you know, in terms of destruction. And one of the things that Hector and I were talking about, you know, a little earlier was um the state of the world in terms of,
28:28
you know, what happens next, right. So we're in this ransomware era today, right? Where it's people focused on money, monetary outcomes. What happens though when the Chinese and the Russians decide to team up and come after the US? So say we decide, you know, there's a war and
28:45
with Taiwan or something along those lines, I mean, are these attack groups likely to get destructive? What does that mean? I mean, what, what happens 100%? I mean, think about this, right, we saw when the special military operation or the war um started in Ukraine. Um within that same week, you had getting
29:07
compromised for the purpose of disrupting um uh modems in uh Ukraine, of course, affected Poland and Germany as well. I believe um you saw other instances where different service providers or telephone companies were compromised as well. It is part of their, of a red when there is a compromise or rather when there is a conflict to make use of technology and to start to create some chaos.
29:30
I'll give you an even older example. Um There was back in the days of early to mid two thousands. Uh there's uh you know, you had Estonia big shout to Estonia. They, they're highly digital for government. And so Estonia is one of those places where you could even build a business over the Estonian
29:50
government websites and get your passport and do a whole bunch of different things. Um You could become a citizen of Estonia, right? Uh So the country itself is very big on uh e-commerce, huge on it. There was a conflict, uh even a political spat between Russia and, and Estonia and overnight it was taken offline, the entire country went offline.
30:12
I'm sure, guys, maybe at least one of you remember this. It was really interesting, a massive distributed denial of service attack that crippled Estonia for like a week or two. And that was a proof of concept that, you know, it can be done, and here's how it would affect you if you screw with us, if you mess with us.
30:28
Right? So the answer, my friend, is unfortunately yes. Once a conflict happens directly between us and Russia and it gets really bad, they will become destructive. Now your ransomware campaigns are gonna become wiper campaigns. The whole point of those payloads is just to be running on your systems and destroy,
30:51
destroy, destroy. This is not new, it's not theoretical. We've seen it already. And I wanna give you guys something to think about: when the pandemic started, the end of 2019 to 2020, there were some hacks and compromises that took place, without mentioning company names, but it was like a pipeline company and it was a meat processing company.
31:11
You guys remember that? What happened immediately after that? Right? So you had the price of gas explode up. You had gas stations without oil or gas. You had the price of ground beef and meats go up. The price of other foods like eggs also went up.
31:28
And so whether those were coordinated or not, whether those were test runs for a foreign government, we have no idea. Right? We can make assumptions, but, you know, I don't like to work with assumptions. That's what you're gonna see if there's a conflict between us and Russia or us and China over Taiwan. Right?
31:46
They are going to attack critical infrastructure. They're gonna attack your McDonald's, they're gonna attack your Uber Eats, and they're gonna shut down, you know, whatever they're gonna shut down, and it's gonna be effective because they know that us as Americans, we like our comfort and we like our luxuries and we're good old capitalists. And so when you take away our gas and you take
32:04
away our McDonald's and you shut down Uber Eats, you're gonna have some pissed off people outside. Again, this is not theoretical. We saw this happen during the pandemic and I want you guys to kind of use that as examples. And remember, you guys all play an important part of that, believe it or not. Each and every one of you in your companies plays a part
32:22
of the United States national security or security posture, right? Because one of you in here might be a supply chain to 10 other companies on the other side of the room. And if you're compromised and taken offline, you're gonna be affecting these other 10 businesses, and you have no idea of their supply chains for another 100 businesses.
32:41
That's just the way we are. This is where it is. Yeah, I mean, I think the destruction is gonna be crazy. Yet another reason. I'm not up here to do a Pure commercial, but I wanna plug SafeMode. So whether you're using Pure or you're not using Pure, and you have critical workloads,
32:54
I would really consider it. SafeMode could make the difference between your organization being able to operate long term and not, so something to really think about and keep in mind. I wanna be a little cognizant of time and I wanna offer some folks in the audience the opportunity to ask questions of either me or Hector, and so we'll open it up to you guys and see what you might have. Roger is gonna be our mic
33:19
runner for the back. I'll do the front. Yeah. Can you talk a little bit about anomaly detection that's available now? And how we can use that with Pure support to get better support if we think we're under attack and we think we're a target. Ok. So Pure is coming out with a feature later this summer around the arrays,
33:41
we're gonna leverage some AI and ML on the arrays to identify anomalous behavior as it relates to data reduction. OK. So data reduction being the concept of compression and data deduplication. So let's pretend for a second you're getting 4 to 1 data reduction on your arrays. We know that, we can see that through the telemetry data that's presented to Pure1.
34:08
What we're programming is the idea that if that data reduction rate goes down, so let's pretend it goes to zero, that likely means that we're receiving encrypted data. And so we're gonna now send an alert to say, hey, you need to go check this out because something abnormal, anomalous, is happening in the environment.
34:26
So take note. So that'll be the step that we can provide from a Pure perspective. Now, what I want to caveat, and let Hector build on a little bit, is there is no one today that can identify ransomware running in your environment before the attack actually launches, OK. The way that the malware works is polymorphic.
34:48
It's constantly changing. It's running in memory on hosts, like it makes it really, really hard to identify. And so, you know, be cautious of that point when people are talking about anomaly detection. You've got to understand that those anomalies are coming in the form of isolated incidents that are being performed by these threat actors as they're coming into your
35:10
environment. So, you know, somebody in accounting all of a sudden elevates their privilege to domain admin, right? It's probably anomalous, right? So you should take action. So I mean, I'll let Hector build on the whole concept of how the ransomware is working, but you know, know that there is no vendor, Pure or otherwise,
35:29
that can detect ransomware or a ransomware style attack in your environment before the attack campaign actually unfolds. Yeah. And I'll double down on that. I mean, I'm in a different way. So I'm based on the pen testing side, I'm on the offensive side, and when I have the same conversations with clients where they're like,
35:49
hey, we wanna look into buying this or getting that or implementing this, or hey, Hector, we have this. Can you validate this? The biggest issue is that anomaly detection, I mean, it's great as a concept. I'm not saying it doesn't work, because what you're getting are indicators. Now, are these indicators of compromise or indicators of use?
36:08
Right. Are these normal activity? And how can we detect whether something is different than the other? For example, how can you differentiate? I mean, it's good to know that, like, one of your employees that works remotely decided to visit the mother-in-law over the weekend and now
36:23
they're logging in from a North Carolina IP address. Right. It's good to know that. That's the issue, right? An HR issue at least. But it's also good to know if you have employees logging in at different times. And so of course there are different ways to detect anomalies.
36:37
If you look at endpoint protection, we look at the endpoint system, right? Workstations. Can we develop a way to detect behavior differences? Now, that's interesting because you have EDRs, some of them are very good, some of them are ok. And that's kind of the basis of their products.
36:56
They're doing behavior profiling on your users. Not only on their user activity but also on the kind of software that they're running. So now the moment that they're running a whoami command at three in the morning, that's a major one to detect. So, what do we do from there? So now what the EDR does is it'll make note,
37:14
it might even block the execution. You have companies, EDR companies, now offering a rapid response team: the moment that that anomaly takes place, that rapid response team within five minutes is taking over the machine and they're shutting it down for incident response. So yeah, it works. It can work.
37:33
But are you always gonna be able to detect 100% a ransomware campaign or intruder? No, that's not possible. Definitely not. And I think one other thing to build on: to identify an actual indicator of compromise, you generally need to correlate across three domains, the endpoint, the end user and the network,
37:50
those three. So where you've got a, or an Elastic, in your environment, you know, I said you have to ingest data and you correlate data, you have to be able to do both fast, because if you only can ingest data fast, you won't be able to correlate and find those events quickly. If you only correlate fast and you're not ingesting fast,
38:08
you're not gonna see the live data as it's happening. So being able to ingest and correlate across those three domains so that you can feed your cyber threat hunters is how you actually identify an indicator of compromise and potentially stop a campaign before it unfolds. Your next question, I think, is in the back.
38:28
Yeah, I'm curious from a hacker perspective. Did you guys ever consider going after like the storage controllers? Because I always hear about you talking about hitting end user data, but it seems like it would be a lot more effective to go after the actual storage controllers. They are typically not locked down that well.
38:48
Yeah. No, that's a great question. And it all depends. So if I were the bad actor in an ongoing campaign right now, 2023, my biggest, what would be interesting for me at least, would be to gain as much
39:07
privileges as possible, to domain admin, right? The next thing would be to get access to security tools. I wanna get access to the SIEM, I wanna get access to the EDR console. If possible, I wanna start taking control of domain admin accounts or privileged accounts. Yeah, and then, you know, depending from there, I will,
39:30
you know, start looking at backups and start looking at data centers or any connectors back to Azure or anything that might be useful to me. But here's the reality, here's the reality: most ransomware groups and most bad actors are trying to do a quick drive-by, right? We hear about some attackers that will stay in the system for six months.
39:54
Two years. Those are not the ransomware guys, those are APTs, right? Those are advanced persistent threats. Those are the guys that hacked the Office of Personnel Management, OPM. They were in OPM for two years. Right. Those are the guys that probably would, you know, target that area, right?
40:10
But most of the actors that you're more likely to deal with are fast paced. They wanna get in, they wanna compromise, lateral movement, execute, engage, encrypt, exfiltrate, and they're done, and now they've got to sit back and wait for you to pay them. And I think that there may be one exception to that, and that is, as this whole thing evolves,
40:30
right? As the ransomware groups become more destructive, right? Because likely what's gonna happen is you're gonna see more and more pressure from federal organizations in various countries, right? To say, don't pay a ransom. When that happens, the likelihood of destructive campaigns rising is high.
40:48
So these attack groups are now going to say, ok, I'm gonna get into your environment, we will go after the storage controllers, and oh, by the way, they already know what every storage system and backup platform looks like. Like Hector knows what Dell looks like. He knows what NetApp looks like. He knows what Pure looks like, everybody, and same thing on the backup side.
41:06
Rubrik, com cos, take your pick, right? That's where they're gonna really start to focus in on those, because now they'll say, I'm in your environment. If you don't pay me, I'm gonna destroy the whole thing. I will burn your house down. Oh yeah. Any more questions? Alright.
41:28
I'll get shot, guys, come on. You asked me an old hacker story. I tell, I tell you about hackers, the FBI or not, right. I've got another one. So say, for instance, you've got an environment and you have SafeMode executed, or a Veeam or something, where you can
41:44
build a protected environment after the hack comes through. How hard is it to find the files that started the hack? Because I mean, that to me seems like the best way to do it is if you can go back to the day of, determine what executed the hack and remove those, like removing a cancer from your environment.
42:06
Let's just go first. Anyway, I have a pretty hard answer on that. Yeah. Yeah, I mean, so what I always tell folks is you start your recovery from the point closest to the attack, possible. You're not likely to find all the indicators of compromise, the bad things that are in the environment, from a first run.
42:24
It's gonna take a lot of time. You need a Hector and his team to come in and work for a while to actually find all that stuff. It's not a fast process, but what is fast is where you can come back online with a Veeam and a Pure or something along those lines, right? You can at least find the glaring indicators of compromise. I generally call those things like rootkits,
42:45
running malware, clean those off, get your business back up and running quickly into, at least, what I call a limp mode. Right. So you're still doing the forensics in the background, but at least your business is working again versus being down. Yeah. And I'll be honest with you, it's difficult in many situations to identify the original attack path.
43:07
And also to identify the original, I would say, encryption point or infection point, because there's a lot of ways, as the attacker, I could sit here and give you guys a rundown on, you know, all the different ways I can execute commands remotely over SMB or WMI or these different protocols. There are legacy protocols that Microsoft
43:29
still has enabled by default on all of your servers, on all your internal networks. I don't need to RDP into your machine to execute a payload anymore, or I haven't had to do that. I haven't had to do that since, you know, since the 1990s basically, or 2000s, right? And in most cases, if you don't have a SIEM
43:50
or centralized logging that's raising some sort of alerts or events, then it's gonna be very difficult for you to kind of identify where, right, where it started. Keep in mind Hector is also gonna get access to that and he's probably gonna go in and corrupt or... Absolutely. So if the bad guy has access to,
44:12
you know, the highest privileges possible, they're getting access to your domain controller, they get access to Splunk or your internal SIEM. This is why a lot of companies would go with third party vendors for that, the SOC teams and so on. Because now you have an outside perspective, kind of like we have at Pure,
44:29
right? Rather than, you know, being stuck in a little bubble there, a little bubble that's now, at this point, controlled by the attacker. Yeah. So, you know, I'll wrap up. I know Roger's trying to give me the hook, but I'm gonna take liberty and extend my chat here for a second.
44:45
The, you know, that's why it's really important to think about resiliency in terms of tiers, right? That's where that middle tier that I mentioned before really comes into play. It gives you a longer term forensic view that you can leverage to do that longer term analysis and other things. But look, we're happy to take these conversations off to the side.
45:03
I'd love to spend more time with you folks, talk about security with you or your teams. I'll be out in the hall with Hector here after the conversation and, you know, we'll answer questions as you might have them. With that, Hector, you wanna tell everybody a little bit about your podcast? Yeah. Yeah, I have a podcast, guys.
45:20
Definitely, if you guys are interested, it's actually with the guy that arrested me, Chris Tarbell, you know, after he took down Silk Road and took down Anonymous, and we couldn't speak because, you know, the FBI just cannot, with convicts, at that point. But he retired from the FBI. We started talking, chopping it up, and became
45:42
best friends. And then we created a podcast. And what we're doing is what Andy and I did today: we go through different topics, different stories, and then we answer listener questions, for Hacker and the Fed. So on Apple and Spotify. All right. Well, thank you guys for attending.
45:57
Thank you for being partners of Pure and we look forward to continuing the conversation. Right.
Ransomware affects every business and sector, both large and small. But the threat landscape is often changing, making it increasingly difficult for organizations to stay ahead of hackers. In this session, get the latest on ransomware preparedness, new trends used to infiltrate systems, and data resiliency.