WEBVTT

1
00:00:00.160 --> 00:00:02.720
<v Speaker 1>Welcome to the deep dive. If you need that shortcut

2
00:00:02.759 --> 00:00:05.919
<v Speaker 1>to being really well informed, you are definitely in the

3
00:00:06.000 --> 00:00:08.880
<v Speaker 1>right place. Today we are taking on one of those

4
00:00:08.919 --> 00:00:13.720
<v Speaker 1>really persistent, kind of frustrating problems in technology: cybersecurity defense.

5
00:00:13.960 --> 00:00:17.120
<v Speaker 1>We're diving deep into this whole concept of the active defender,

6
00:00:17.640 --> 00:00:21.120
<v Speaker 1>asking how do we actually move security professionals out of

7
00:00:21.120 --> 00:00:24.000
<v Speaker 1>that constant reactive mode that burns out and into something

8
00:00:24.039 --> 00:00:26.719
<v Speaker 1>more proactive, a, well, a winning mindset.

9
00:00:27.320 --> 00:00:31.160
<v Speaker 2>Yeah, and our mission today is, I think crystal clear,

10
00:00:31.679 --> 00:00:35.079
<v Speaker 2>we really have to fundamentally understand why the traditional passive

11
00:00:35.119 --> 00:00:38.960
<v Speaker 2>security model just isn't cutting it anymore. It's failing. We're

12
00:00:39.000 --> 00:00:41.880
<v Speaker 2>going to explore how adopting the knowledge the insights from

13
00:00:41.880 --> 00:00:45.560
<v Speaker 2>the offensive security community, that hacker mindset is maybe the

14
00:00:45.560 --> 00:00:47.920
<v Speaker 2>only way to really transform your defense posture.

15
00:00:48.000 --> 00:00:49.799
<v Speaker 1>And when we say failing, I mean we have the

16
00:00:49.880 --> 00:00:52.439
<v Speaker 1>numbers right. The stats from the sources we looked at

17
00:00:52.479 --> 00:00:56.240
<v Speaker 1>are genuinely, well, terrifying. This traditional approach, it basically means

18
00:00:56.280 --> 00:00:58.280
<v Speaker 1>you sit back, you wait for an alert. You're waiting

19
00:00:58.280 --> 00:01:00.880
<v Speaker 1>for an attacker to make some loud noise that tells you, hey,

20
00:01:00.920 --> 00:01:02.320
<v Speaker 1>I'm already inside.

21
00:01:02.200 --> 00:01:05.840
<v Speaker 2>Exactly, and when they finally make that noise, the real

22
00:01:05.920 --> 00:01:08.439
<v Speaker 2>question is how long have they already been there? The

23
00:01:08.560 --> 00:01:11.280
<v Speaker 2>average, get this, the average time to discover and

24
00:01:11.319 --> 00:01:14.359
<v Speaker 2>contain an attacker inside an organization's network in twenty twenty

25
00:01:14.400 --> 00:01:16.879
<v Speaker 2>two was two hundred and seventy seven days.

26
00:01:16.879 --> 00:01:19.200
<v Speaker 1>Two hundred and seventy seven days. That's, what, nine.

27
00:01:18.959 --> 00:01:20.680
<v Speaker 2>Months. Nine months of undetected access.

28
00:01:20.760 --> 00:01:23.280
<v Speaker 1>Yeah, nine months, just think about the kind of damage

29
00:01:23.319 --> 00:01:26.879
<v Speaker 1>that causes. That is more than enough time to steal

30
00:01:27.040 --> 00:01:29.640
<v Speaker 1>pretty much every piece of sensitive data you own, to

31
00:01:29.680 --> 00:01:32.920
<v Speaker 1>set up persistent backdoors, maybe quietly map out your

32
00:01:33.040 --> 00:01:35.959
<v Speaker 1>entire environment for I don't know, a future ransomware attack.

33
00:01:36.480 --> 00:01:39.280
<v Speaker 1>When an adversary has that kind of unchecked dwell time,

34
00:01:39.799 --> 00:01:42.040
<v Speaker 1>it's not just a security failure anymore. It's like a

35
00:01:42.079 --> 00:01:43.920
<v Speaker 1>potential business extinction event.

36
00:01:44.000 --> 00:01:44.480
<v Speaker 2>It really is.

37
00:01:44.719 --> 00:01:46.560
<v Speaker 1>And that number, two hundred and seventy seven, it was

38
00:01:46.560 --> 00:01:48.879
<v Speaker 1>only down slightly from two eighty seven the year before.

39
00:01:49.200 --> 00:01:51.519
<v Speaker 2>Right, it basically tells you the status quo is, well,

40
00:01:51.640 --> 00:01:54.959
<v Speaker 2>static failure. It's not improving meaningfully. That two hundred and

41
00:01:55.000 --> 00:01:58.879
<v Speaker 2>seventy seven day metric just confirms it. Waiting for your firewall,

42
00:01:58.959 --> 00:02:02.319
<v Speaker 2>your basic endpoint tool to flag an IP address that's

43
00:02:02.400 --> 00:02:06.079
<v Speaker 2>obsolete thinking, and that's precisely why we need this active

44
00:02:06.120 --> 00:02:09.000
<v Speaker 2>defender concept. Now, they aren't launching counter attacks, let's be clear,

45
00:02:09.080 --> 00:02:12.840
<v Speaker 2>that's illegal, it's unwise, but they are cultivating that hacker mindset.

46
00:02:12.840 --> 00:02:16.120
<v Speaker 2>They use the offensive knowledge, the attacker techniques to understand

47
00:02:16.159 --> 00:02:19.759
<v Speaker 2>the adversary's thought process even better than the adversary understands

48
00:02:19.759 --> 00:02:20.479
<v Speaker 2>their own defenses.

49
00:02:20.560 --> 00:02:23.439
<v Speaker 1>Okay, let's unpack that, the core philosophy here. We need

50
00:02:23.479 --> 00:02:26.199
<v Speaker 1>to define this hacker mindset because I think for most

51
00:02:26.199 --> 00:02:29.599
<v Speaker 1>people that word conjures up some figure in a hoodie

52
00:02:29.639 --> 00:02:32.080
<v Speaker 1>and a dark basement like on TV. What are the

53
00:02:32.199 --> 00:02:35.319
<v Speaker 1>key traits that security pros actually need to adopt?

54
00:02:35.439 --> 00:02:39.719
<v Speaker 2>Yeah, it's definitely not about the attire or any dramatic flair.

55
00:02:40.520 --> 00:02:46.800
<v Speaker 2>The mindset. It's really defined by maybe six essential traits: curiosity, creativity, patience, persistence, agility,

56
00:02:47.680 --> 00:02:51.479
<v Speaker 2>and maybe most importantly, nonlinear thinking. The defender has to

57
00:02:51.479 --> 00:02:54.159
<v Speaker 2>stop being satisfied with just getting an answer. They need

58
00:02:54.199 --> 00:02:58.400
<v Speaker 2>to start relentlessly asking why? Why not? What if? They're

59
00:02:58.479 --> 00:03:00.240
<v Speaker 2>constantly trying to make the system do something it was

60
00:03:00.240 --> 00:03:01.719
<v Speaker 2>explicitly designed not to do.

61
00:03:02.039 --> 00:03:05.639
<v Speaker 1>Right, And you found some incredible historical examples of that creativity,

62
00:03:05.680 --> 00:03:07.960
<v Speaker 1>didn't you? Let's talk about the phreakers, the original sort

63
00:03:08.000 --> 00:03:10.680
<v Speaker 1>of tech hackers focusing on phone networks way back like

64
00:03:10.800 --> 00:03:11.759
<v Speaker 1>sixties, seventies.

65
00:03:11.919 --> 00:03:15.759
<v Speaker 2>Oh, absolutely, that's just pure brilliance born from curiosity. They

66
00:03:15.759 --> 00:03:19.800
<v Speaker 2>didn't just stumble upon a secret code. They spent incredible

67
00:03:19.840 --> 00:03:23.639
<v Speaker 2>amounts of time poring over really obscure, really technical documentation,

68
00:03:23.960 --> 00:03:26.719
<v Speaker 2>stuff put out by the phone companies themselves, just trying

69
00:03:26.759 --> 00:03:30.000
<v Speaker 2>to understand the deep inner workings of call routing. And

70
00:03:30.039 --> 00:03:33.280
<v Speaker 2>their creative breakthrough it came when they realized that generating

71
00:03:33.319 --> 00:03:37.759
<v Speaker 2>a very specific audio tone, twenty six hundred hertz, could

72
00:03:37.800 --> 00:03:40.919
<v Speaker 2>trick the phone line, make it think the line was idle,

73
00:03:41.199 --> 00:03:43.599
<v Speaker 2>which then let them make free long distance calls.

74
00:03:43.879 --> 00:03:47.280
<v Speaker 1>And the legend, the famous part, is that specific tone

75
00:03:47.319 --> 00:03:49.599
<v Speaker 1>could be made by a toy whistle, one found in

76
00:03:49.680 --> 00:03:52.639
<v Speaker 1>Cap'n Crunch cereal boxes. I mean, that level of just

77
00:03:52.800 --> 00:03:57.199
<v Speaker 1>lateral creative thinking. It's exactly what most security processes seem

78
00:03:57.199 --> 00:03:57.879
<v Speaker 1>to lack today.

79
00:03:57.960 --> 00:04:00.960
<v Speaker 2>Absolutely, and that right there it immediately highlights the huge

80
00:04:00.960 --> 00:04:04.000
<v Speaker 2>difference between linear thinking and what we're calling graph thinking,

81
00:04:04.520 --> 00:04:07.159
<v Speaker 2>which is really the core of this active defender concept.

82
00:04:07.199 --> 00:04:10.439
<v Speaker 1>Okay, so how do traditional security teams usually miss that

83
00:04:10.439 --> 00:04:13.080
<v Speaker 1>that lateral thinking? Are they just stuck in a very specific,

84
00:04:13.400 --> 00:04:15.639
<v Speaker 1>maybe restrictive way of processing information?

85
00:04:16.000 --> 00:04:18.800
<v Speaker 2>They often are, yeah. The traditional defender, they're usually taught

86
00:04:18.800 --> 00:04:21.879
<v Speaker 2>to think very linearly. You know, if A happens, then

87
00:04:22.000 --> 00:04:25.160
<v Speaker 2>check B. Follow the steps. They become excellent at following

88
00:04:25.240 --> 00:04:28.480
<v Speaker 2>checklists, could be internal hardening guides, maybe the CIS controls,

89
00:04:29.079 --> 00:04:32.199
<v Speaker 2>or a defined flowchart like the SANS incident response process.

90
00:04:32.240 --> 00:04:35.079
<v Speaker 2>It's all very step by step, a straight line, and.

91
00:04:35.000 --> 00:04:37.800
<v Speaker 1>That linear thinking. It just misses the bigger picture completely,

92
00:04:37.839 --> 00:04:38.279
<v Speaker 1>doesn't it?

93
00:04:38.279 --> 00:04:41.360
<v Speaker 2>It only sees the individual steps, the trees. It misses

94
00:04:41.360 --> 00:04:46.079
<v Speaker 2>the forest. The attacker, however, thinks in graphs, in connections.

95
00:04:46.240 --> 00:04:49.319
<v Speaker 2>Their actions aren't usually a straight line towards one single goal.

96
00:04:49.600 --> 00:04:52.480
<v Speaker 2>It's more like a mesh, a network of potential connections

97
00:04:52.480 --> 00:04:56.720
<v Speaker 2>and pathways. They are deliberately looking for relationships between seemingly

98
00:04:56.759 --> 00:05:00.839
<v Speaker 2>disparate data points that no single checklist, no flowchart could

99
00:05:00.839 --> 00:05:03.519
<v Speaker 2>possibly anticipate. It's almost holographic in nature.

100
00:05:03.720 --> 00:05:05.959
<v Speaker 1>So okay, if I'm a defender trying to focus on

101
00:05:06.000 --> 00:05:09.319
<v Speaker 1>the graph, what's a tangible example in security? Like when

102
00:05:09.319 --> 00:05:11.800
<v Speaker 1>am I just seeing versus when am I truly observing

103
00:05:11.839 --> 00:05:12.360
<v Speaker 1>that graph?

104
00:05:12.480 --> 00:05:15.519
<v Speaker 2>That's a great question. So you see a single event, right,

105
00:05:15.680 --> 00:05:17.759
<v Speaker 2>a dot on your dashboard, let's say a login

106
00:05:17.839 --> 00:05:20.439
<v Speaker 2>failure alert from a user in accounting. Okay, noted,

107
00:05:20.879 --> 00:05:24.480
<v Speaker 2>But you observe the graph when you realize, hmm, that

108
00:05:24.560 --> 00:05:27.639
<v Speaker 2>log in failure happened exactly thirty seconds after a weird,

109
00:05:27.720 --> 00:05:30.519
<v Speaker 2>non standard port scan was logged against the database server,

110
00:05:31.240 --> 00:05:33.480
<v Speaker 2>and then maybe ten minutes later, a completely different but

111
00:05:33.600 --> 00:05:37.800
<v Speaker 2>legitimate admin account suddenly queries in an unusually small, very

112
00:05:37.839 --> 00:05:41.319
<v Speaker 2>specific data set from that same database. See? No single

113
00:05:41.360 --> 00:05:45.000
<v Speaker 2>alert there is necessarily critical on its own. But the graph,

114
00:05:45.319 --> 00:05:48.480
<v Speaker 2>the connection between the odd timing, the port scan, the

115
00:05:48.519 --> 00:05:52.639
<v Speaker 2>specific data query, that reveals the attacker's underlying patterns, their intent.

116
00:05:52.959 --> 00:05:55.279
<v Speaker 2>It's exactly what Sherlock Holmes meant, right? You see, but

117
00:05:55.319 --> 00:05:56.040
<v Speaker 2>you do not observe.

118
00:05:56.279 --> 00:05:59.079
<v Speaker 1>Wow, okay, that makes the distinction incredibly clear. Thank you.

119
00:05:59.560 --> 00:06:03.800
<v Speaker 1>A passive defense is so demonstrably, well, ineffective. Why are

120
00:06:03.879 --> 00:06:06.079
<v Speaker 1>organizations still so stuck? Why is that two hundred and

121
00:06:06.120 --> 00:06:09.120
<v Speaker 1>seventy seven day dwell time so stubborn, so hard to

122
00:06:09.120 --> 00:06:09.639
<v Speaker 1>bring down?

123
00:06:09.800 --> 00:06:13.319
<v Speaker 2>Yeah, it consistently seems to boil down to two really

124
00:06:13.360 --> 00:06:18.720
<v Speaker 2>heavy forces holding organizations back: organizational inertia and internal culture.

125
00:06:19.439 --> 00:06:22.040
<v Speaker 2>And inertia is that classic, really frustrating, well, that's just

126
00:06:22.040 --> 00:06:24.680
<v Speaker 2>how we've always done it pitfall. For decades, security

127
00:06:24.720 --> 00:06:28.839
<v Speaker 2>meant perimeter defense, build bigger walls, stronger firewalls.

128
00:06:28.279 --> 00:06:32.480
<v Speaker 1>Right, a totally nineteen nineties approach for a twenty twenties world.

129
00:06:32.639 --> 00:06:35.639
<v Speaker 2>Exactly, that model just completely falls apart when your employees

130
00:06:35.680 --> 00:06:38.519
<v Speaker 2>are working from home from anywhere, and your most valuable

131
00:06:38.600 --> 00:06:42.040
<v Speaker 2>data it's living across three different cloud providers. Maybe more.

132
00:06:42.920 --> 00:06:46.600
<v Speaker 2>Inertia also shows up in how we misuse tools. Organizations

133
00:06:46.600 --> 00:06:52.639
<v Speaker 2>spend millions, literally millions, on passive protection tools, SIEMs, intrusion

134
00:06:52.639 --> 00:06:56.439
<v Speaker 2>prevention systems. They're designed, sure, to give consistent protection, but

135
00:06:56.480 --> 00:07:00.160
<v Speaker 2>defenders often end up relying on them exclusively just watching the.

136
00:07:00.199 --> 00:07:04.040
<v Speaker 1>Dashboard, which leads directly to that infamous tunnel vision. Right.

137
00:07:04.319 --> 00:07:06.879
<v Speaker 1>You're only looking at that specific dashboard, only reacting to

138
00:07:06.879 --> 00:07:09.240
<v Speaker 1>the specific alerts the tool decides are important enough to

139
00:07:09.279 --> 00:07:09.680
<v Speaker 1>show you.

140
00:07:09.839 --> 00:07:13.800
<v Speaker 2>And the result, it's inevitable: alert fatigue, mass burnout. If

141
00:07:13.839 --> 00:07:17.800
<v Speaker 2>you're getting bombarded with say, ten thousand low priority alerts

142
00:07:17.839 --> 00:07:21.399
<v Speaker 2>every single day, you physically cannot look for that critical

143
00:07:21.439 --> 00:07:24.720
<v Speaker 2>graph pattern. You stop trying. And compounding all this is

144
00:07:24.759 --> 00:07:29.040
<v Speaker 2>the financial inertia, the reality that cybersecurity is still overwhelmingly

145
00:07:29.480 --> 00:07:34.000
<v Speaker 2>viewed as a cost center, really, so organizations are chronically understaffed.

146
00:07:34.199 --> 00:07:37.439
<v Speaker 2>They often won't commit money to essential validation activities, things

147
00:07:37.480 --> 00:07:41.160
<v Speaker 2>like active threat hunting or frequent realistic penetration tests, and

148
00:07:41.199 --> 00:07:44.399
<v Speaker 2>that lack of investment just reinforces the passivity. It's a cycle.

149
00:07:44.560 --> 00:07:48.720
<v Speaker 1>And beyond the money, beyond the tools, the culture itself

150
00:07:48.800 --> 00:07:53.600
<v Speaker 1>often seems to breed passivity, specifically through siloing, right, departments

151
00:07:53.639 --> 00:07:54.279
<v Speaker 1>not talking, well.

152
00:07:54.319 --> 00:07:58.480
<v Speaker 2>Siloing is devastating, absolutely devastating. Think about it. Crucial observations

153
00:07:58.519 --> 00:08:02.079
<v Speaker 2>made by, say, a networking engineer about some unusual traffic patterns,

154
00:08:02.560 --> 00:08:06.120
<v Speaker 2>or maybe a developer noticing some bizarre latency in an application,

155
00:08:06.600 --> 00:08:10.000
<v Speaker 2>that information might never reach the security team. Why? Because

156
00:08:10.040 --> 00:08:11.920
<v Speaker 2>they don't have a shared framework or maybe even a

157
00:08:11.920 --> 00:08:13.800
<v Speaker 2>shared goal. They operate in bubbles.

158
00:08:13.920 --> 00:08:17.120
<v Speaker 1>And then there's the flip side, the shadow IT problem,

159
00:08:17.160 --> 00:08:18.639
<v Speaker 1>which is always a great point of friction.

160
00:08:19.800 --> 00:08:22.560
<v Speaker 2>Users get frustrated, right, yeah, central IT is too slow,

161
00:08:22.639 --> 00:08:24.720
<v Speaker 2>too rigid, So what do they do? They just employ

162
00:08:24.759 --> 00:08:27.839
<v Speaker 2>their own tools, Trello for project management, maybe WhatsApp for

163
00:08:27.920 --> 00:08:32.159
<v Speaker 2>quick comms, outside of any central control, and boom. This drastically

164
00:08:32.159 --> 00:08:35.720
<v Speaker 2>increases the attack surface in ways IT doesn't even know about. Now.

165
00:08:35.759 --> 00:08:39.000
<v Speaker 2>A passive defender sees shadow IT and their first instinct

166
00:08:39.000 --> 00:08:42.559
<v Speaker 2>is to just shut it down, block it. But the active

167
00:08:42.559 --> 00:08:45.360
<v Speaker 2>defender, they see shadow IT and they ask a different question,

168
00:08:45.639 --> 00:08:48.519
<v Speaker 2>why? Why did the user feel they needed that tool?

169
00:08:48.679 --> 00:08:52.159
<v Speaker 2>What legitimate business function was IT maybe preventing or making

170
00:08:52.240 --> 00:08:55.480
<v Speaker 2>too difficult. They use that discovery as an opportunity to

171
00:08:55.639 --> 00:08:58.720
<v Speaker 2>maybe streamline the official processes, not just play whack a

172
00:08:58.799 --> 00:08:59.720
<v Speaker 2>mole blocking things.

173
00:09:00.000 --> 00:09:02.440
<v Speaker 1>The shift in perspective is so crucial, isn't it? Moving

174
00:09:02.480 --> 00:09:06.120
<v Speaker 1>from security as just a roadblock to security as an enabler.

175
00:09:06.440 --> 00:09:08.639
<v Speaker 1>I really liked the analogy used in the source material

176
00:09:08.720 --> 00:09:11.279
<v Speaker 1>comparing security to driving a high performance race car.

177
00:09:11.559 --> 00:09:14.120
<v Speaker 2>Yeah, it's the perfect summary, I think, of the cultural

178
00:09:14.120 --> 00:09:17.039
<v Speaker 2>shift that's needed. If you think about security controls as

179
00:09:17.080 --> 00:09:19.759
<v Speaker 2>the brakes on that race car, well, the brakes don't

180
00:09:19.799 --> 00:09:23.039
<v Speaker 2>actually make the car go slower overall, they're what allow

181
00:09:23.120 --> 00:09:26.039
<v Speaker 2>the car to go faster safely. They let the driver

182
00:09:26.120 --> 00:09:29.559
<v Speaker 2>take deliberate, well managed risks while still maintaining control through

183
00:09:29.559 --> 00:09:32.039
<v Speaker 2>the corners. Security has to be seen the same way,

184
00:09:32.240 --> 00:09:36.480
<v Speaker 2>enabling the business to move faster, smarter, not just introducing friction.

185
00:09:37.000 --> 00:09:39.559
<v Speaker 1>Okay, so we know we need this fundamental shift. It's

186
00:09:39.600 --> 00:09:43.240
<v Speaker 1>clear. How does an organization, or even an individual defender,

187
00:09:43.399 --> 00:09:46.480
<v Speaker 1>actually transition, go from being a passive monitor to an

188
00:09:46.480 --> 00:09:48.799
<v Speaker 1>active defender. It sounds like it requires a kind of

189
00:09:48.919 --> 00:09:52.440
<v Speaker 1>immersion into the very culture you're trying to defend against.

190
00:09:53.039 --> 00:09:56.399
<v Speaker 2>That's exactly the starting point, immersion, and maybe the first

191
00:09:56.480 --> 00:09:59.200
<v Speaker 2>hurdle to jump is just getting over that media portrayal

192
00:09:59.480 --> 00:10:03.000
<v Speaker 2>of security experts, you know, the myth of the solitary

193
00:10:03.399 --> 00:10:06.440
<v Speaker 2>extraordinary genius savant like you see in shows like Mr. Robot.

194
00:10:06.840 --> 00:10:09.039
<v Speaker 2>You don't need to be some reclusive genius coding in

195
00:10:09.039 --> 00:10:11.639
<v Speaker 2>a basement. You just need to be willing to engage,

196
00:10:11.679 --> 00:10:14.039
<v Speaker 2>to listen and to learn from the people who actually

197
00:10:14.080 --> 00:10:16.960
<v Speaker 2>specialize in breaking things, the offensive community.

198
00:10:17.519 --> 00:10:21.000
<v Speaker 1>So where do we find this community, this offensive security knowledge.

199
00:10:21.000 --> 00:10:23.159
<v Speaker 1>It's not all just lurking in hidden forums on the

200
00:10:23.200 --> 00:10:24.720
<v Speaker 1>deep web, is it? No, not at all.

201
00:10:24.759 --> 00:10:27.559
<v Speaker 2>It's actually very accessible, surprisingly. So yeah, one of the

202
00:10:27.559 --> 00:10:30.759
<v Speaker 2>best entry points is probably local communities. Conferences like Security

203
00:10:30.759 --> 00:10:33.600
<v Speaker 2>BSides are fantastic for this. They're often free or

204
00:10:33.639 --> 00:10:38.000
<v Speaker 2>really inexpensive, and they were specifically created to be less corporate,

205
00:10:38.159 --> 00:10:41.720
<v Speaker 2>more intimate, more about sharing knowledge than, say, the huge

206
00:10:41.720 --> 00:10:45.519
<v Speaker 2>commercial events. Also look for local security meetups in your area,

207
00:10:45.840 --> 00:10:49.240
<v Speaker 2>groups like Infosec716 or #misec, or

208
00:10:49.279 --> 00:10:51.720
<v Speaker 2>just a couple examples, places where people just get together

209
00:10:51.840 --> 00:10:54.960
<v Speaker 2>share what they're working on, what they're learning, really openly.

210
00:10:54.919 --> 00:10:58.720
<v Speaker 1>And beyond the physical meetups, I imagine online communities are

211
00:10:58.720 --> 00:10:59.519
<v Speaker 1>pretty key too.

212
00:10:59.440 --> 00:11:04.759
<v Speaker 2>Oh, absolutely, huge online communities on platforms like Discord, Slack,

213
00:11:05.480 --> 00:11:07.840
<v Speaker 2>and yes, believe it or not, even Twitter, which is

214
00:11:07.879 --> 00:11:11.440
<v Speaker 2>currently kind of the primary pulse, the main platform for

215
00:11:11.840 --> 00:11:15.279
<v Speaker 2>real time info sharing in the offensive community. The learning

216
00:11:15.279 --> 00:11:18.480
<v Speaker 2>there is practically instantaneous if you follow the right people.

217
00:11:18.639 --> 00:11:21.720
<v Speaker 1>Okay, so once you're tapped into that knowledge stream that community,

218
00:11:22.360 --> 00:11:26.000
<v Speaker 1>what's the first proactive activity an active defender should undertake?

219
00:11:26.120 --> 00:11:29.559
<v Speaker 1>You mentioned OSINT, open source intelligence. Exactly, OSINT.

220
00:11:30.559 --> 00:11:33.279
<v Speaker 2>It sounds fancy, but it's simply using any data you

221
00:11:33.279 --> 00:11:37.080
<v Speaker 2>can find from publicly available, unhidden sources. The magic isn't

222
00:11:37.080 --> 00:11:40.039
<v Speaker 2>really the data itself, everybody can find it. It's learning

223
00:11:40.080 --> 00:11:43.279
<v Speaker 2>to view that public data through the attacker's eyes, understanding

224
00:11:43.279 --> 00:11:45.080
<v Speaker 2>what intelligence they can gather about you.

225
00:11:45.120 --> 00:11:47.399
<v Speaker 1>Just by looking around online, right? That's where the analysis

226
00:11:47.399 --> 00:11:49.039
<v Speaker 1>comes in. Give us an example, how does that public

227
00:11:49.120 --> 00:11:51.960
<v Speaker 1>data turn into like actual attack intelligence?

228
00:11:52.200 --> 00:11:55.759
<v Speaker 2>Okay. LinkedIn is a gold mine, an absolute gold mine

229
00:11:55.759 --> 00:11:59.159
<v Speaker 2>for attackers. They look at employee job titles, their certifications

230
00:11:59.159 --> 00:12:02.039
<v Speaker 2>listed on their profile. If they see, say, five of your

231
00:12:02.039 --> 00:12:07.200
<v Speaker 2>employees listing certified Palo Alto firewall administrator on their profile,

232
00:12:07.440 --> 00:12:10.480
<v Speaker 2>well, guess what? They know exactly what perimeter technology you use.

233
00:12:10.519 --> 00:12:13.679
<v Speaker 2>They can start researching specific vulnerabilities for that platform and

234
00:12:13.759 --> 00:12:17.159
<v Speaker 2>that information, it provides the perfect pretext, the perfect hook

235
00:12:17.399 --> 00:12:21.000
<v Speaker 2>for crafting a highly targeted, very believable phishing email.

236
00:12:21.240 --> 00:12:23.679
<v Speaker 1>And beyond social media, you mentioned tools like Shodan that

237
00:12:23.759 --> 00:12:26.279
<v Speaker 1>show more physical or, I guess, network exposure.

238
00:12:26.600 --> 00:12:29.559
<v Speaker 2>Yeah. Shodan is basically a specialized search engine, but instead

239
00:12:29.559 --> 00:12:34.080
<v Speaker 2>of websites, it finds Internet connected devices, things like servers, webcams,

240
00:12:34.320 --> 00:12:37.679
<v Speaker 2>even industrial control systems that are accidentally exposed directly to

241
00:12:37.720 --> 00:12:40.960
<v Speaker 2>the Internet. An attacker uses this to scout for open ports,

242
00:12:41.360 --> 00:12:44.879
<v Speaker 2>maybe find misconfigured systems, default credentials. And we see it

243
00:12:44.879 --> 00:12:49.080
<v Speaker 2>constantly too, developers accidentally leaving sensitive stuff like source code

244
00:12:49.399 --> 00:12:53.200
<v Speaker 2>or API credentials public on sites like GitHub. These are

245
00:12:53.200 --> 00:12:57.360
<v Speaker 2>often the attacker's very first steps, reconnaissance, and the active

246
00:12:57.360 --> 00:13:00.519
<v Speaker 2>defender's job is to replicate those steps, find those exposures

247
00:13:00.519 --> 00:13:01.679
<v Speaker 2>before the real attacker does.

248
00:13:01.759 --> 00:13:06.120
<v Speaker 1>Okay, so moving beyond just intelligence gathering, the active defender

249
00:13:06.240 --> 00:13:10.000
<v Speaker 1>must prioritize active testing. Right. You can't just install defenses

250
00:13:10.039 --> 00:13:12.879
<v Speaker 1>and assume they work, or assume your backups are actually restorable.

251
00:13:12.960 --> 00:13:15.600
<v Speaker 2>Absolutely not. Assumption is the enemy here, and we need

252
00:13:15.639 --> 00:13:17.960
<v Speaker 2>to be precise when we talk about testing. It's important

253
00:13:17.960 --> 00:13:22.480
<v Speaker 2>to distinguish between attack simulation and attack emulation. They sound similar,

254
00:13:22.759 --> 00:13:23.360
<v Speaker 2>but they're different.

255
00:13:23.519 --> 00:13:24.840
<v Speaker 1>Okay, what is the difference then?

256
00:13:25.080 --> 00:13:28.200
<v Speaker 2>So an attack simulation is usually where you test individual

257
00:13:28.240 --> 00:13:32.000
<v Speaker 2>specific techniques in isolation. You might use open source tools

258
00:13:32.080 --> 00:13:34.879
<v Speaker 2>something like Atomic Red Team to test if your defense

259
00:13:35.000 --> 00:13:37.879
<v Speaker 2>can catch a specific action, like say running one particular

260
00:13:37.919 --> 00:13:40.879
<v Speaker 2>malicious script. It tests a point solution: does this control

261
00:13:40.919 --> 00:13:44.200
<v Speaker 2>stop this action? But attack emulation is much more advanced.

262
00:13:44.320 --> 00:13:49.279
<v Speaker 2>It's about mimicking a specific known adversary group, their intentions,

263
00:13:49.320 --> 00:13:52.120
<v Speaker 2>their goals, and the entire chain of procedures they would

264
00:13:52.159 --> 00:13:55.559
<v Speaker 2>likely use to achieve that goal start to finish. Emulation

265
00:13:55.759 --> 00:13:59.519
<v Speaker 2>tests your security program's ability to detect and respond to

266
00:13:59.559 --> 00:14:02.600
<v Speaker 2>an entire evolving narrative, not just one single event.

267
00:14:02.840 --> 00:14:06.360
<v Speaker 1>That narrative testing that seems to lead naturally into deception technologies,

268
00:14:06.679 --> 00:14:09.399
<v Speaker 1>which you mentioned are a more sophisticated tool, maybe for

269
00:14:09.440 --> 00:14:10.840
<v Speaker 1>the advanced active defender.

270
00:14:11.039 --> 00:14:14.840
<v Speaker 2>Yeah, deception tech is fantastic, especially for detecting adversaries who've

271
00:14:14.840 --> 00:14:17.279
<v Speaker 2>already gotten past the perimeter, which let's face it, the

272
00:14:17.320 --> 00:14:22.919
<v Speaker 2>stats show they often do. You deploy decoys, things called honeytokens,

273
00:14:23.080 --> 00:14:26.720
<v Speaker 2>or maybe entire fake systems called honeypots. The goal is simple,

274
00:14:27.159 --> 00:14:30.720
<v Speaker 2>create an attractive looking asset that no legitimate employee should

275
00:14:30.720 --> 00:14:33.000
<v Speaker 2>ever have a reason to touch or access.

276
00:14:33.080 --> 00:14:36.039
<v Speaker 1>So it's basically like setting up a digital tripwire.

277
00:14:35.600 --> 00:14:39.679
<v Speaker 2>Precisely, a high fidelity tripwire. For instance, you could create

278
00:14:39.799 --> 00:14:42.799
<v Speaker 2>a decoy user account in your Active Directory, make it

279
00:14:42.840 --> 00:14:45.279
<v Speaker 2>look like some old forgotten service account, give it a

280
00:14:45.279 --> 00:14:48.399
<v Speaker 2>fake service principal name, an SPN. This account is never

281
00:14:48.519 --> 00:14:51.360
<v Speaker 2>used by real people or real services. It just sits there. Now.

282
00:14:51.440 --> 00:14:54.519
<v Speaker 2>If anyone attempts to access that account or maybe query

283
00:14:54.519 --> 00:14:58.240
<v Speaker 2>credentials related to that specific fake SPN, a technique often used

284
00:14:58.279 --> 00:15:01.360
<v Speaker 2>in Kerberoasting attacks to steal password hashes, boom, it

285
00:15:01.399 --> 00:15:05.000
<v Speaker 2>immediately triggers a high priority, high fidelity alert. Accessing that

286
00:15:05.080 --> 00:15:08.080
<v Speaker 2>decoy is basically a dead giveaway. You know with near

287
00:15:08.120 --> 00:15:10.639
<v Speaker 2>certainty you have an adversary active inside your network.

288
00:15:10.679 --> 00:15:13.320
<v Speaker 1>Okay, this is fascinating. Now let's move up the stack

289
00:15:13.679 --> 00:15:17.519
<v Speaker 1>to the highest level of defense planning. You said passive

290
00:15:17.559 --> 00:15:20.840
<v Speaker 1>defense often wastes time focusing on easily changed things like

291
00:15:20.879 --> 00:15:24.919
<v Speaker 1>IP addresses or file hashes, right, indicators of compromise. So

292
00:15:25.759 --> 00:15:28.759
<v Speaker 1>if the active defender wants to truly frustrate an adversary

293
00:15:28.840 --> 00:15:31.399
<v Speaker 1>make their life difficult, what should they focus on instead?

294
00:15:31.799 --> 00:15:36.200
<v Speaker 2>They absolutely must focus on tactics, techniques, and procedures, TTPs.

295
00:15:36.480 --> 00:15:38.519
<v Speaker 2>We need to move our thinking beyond just detecting a

296
00:15:38.519 --> 00:15:42.000
<v Speaker 2>specific tool and focus instead on the attacker's broader goal

297
00:15:42.120 --> 00:15:44.320
<v Speaker 2>and the methods they use to achieve it. We can

298
00:15:44.399 --> 00:15:46.639
<v Speaker 2>kind of visualize this as a pyramid, the pyramid of pain.

299
00:15:46.720 --> 00:15:49.080
<v Speaker 1>Okay, So at the top, the highest level of value

300
00:15:49.080 --> 00:15:52.039
<v Speaker 1>for the defender, we have tactics. That's the adversary's overall goal, right,

301
00:15:52.080 --> 00:15:54.240
<v Speaker 1>like credential access. Exactly.

302
00:15:54.279 --> 00:15:57.320
<v Speaker 2>That's the why. Below that, you have the technique, that's

303
00:15:57.320 --> 00:16:01.000
<v Speaker 2>the general method used to achieve the tactic. For credential access,

304
00:16:01.159 --> 00:16:04.159
<v Speaker 2>a technique might be dumping LSASS memory, trying to

305
00:16:04.159 --> 00:16:07.519
<v Speaker 2>steal credentials stored in memory. But the most valuable level

306
00:16:07.519 --> 00:16:09.679
<v Speaker 2>for the defender to focus on, the place where the

307
00:16:09.679 --> 00:16:13.840
<v Speaker 2>active defender really concentrates their efforts is the procedure. This

308
00:16:13.919 --> 00:16:17.240
<v Speaker 2>is the specific implementation of the technique. For example, is

309
00:16:17.279 --> 00:16:20.320
<v Speaker 2>the attacker using a well known specific tool like Mimikatz

310
00:16:20.639 --> 00:16:23.600
<v Speaker 2>to dump LSASS, or are they maybe leveraging a native

311
00:16:23.600 --> 00:16:26.720
<v Speaker 2>Windows process, something already trusted by the system, like using

312
00:16:26.759 --> 00:16:30.879
<v Speaker 2>rundll32.exe with comsvcs.dll to

313
00:16:30.960 --> 00:16:32.840
<v Speaker 2>achieve that same memory dump outcome.

314
00:16:32.960 --> 00:16:35.639
<v Speaker 1>Okay, why does that distinction matter so much? The difference

315
00:16:35.679 --> 00:16:38.879
<v Speaker 1>between the tool Mimikatz and the procedure using rundll32.

316
00:16:39.240 --> 00:16:41.360
<v Speaker 1>Why is that key for the active defender?

317
00:16:41.600 --> 00:16:45.919
<v Speaker 2>Because attackers fundamentally don't care about using one specific tool

318
00:16:46.000 --> 00:16:49.600
<v Speaker 2>over another. They care about the outcome. They want those credentials.

319
00:16:49.799 --> 00:16:52.720
<v Speaker 2>So if a passive defense tool like an antivirus

320
00:16:53.240 --> 00:16:57.519
<v Speaker 2>blocks the procedure of running the Mimikatz executable file, well,

321
00:16:57.559 --> 00:17:01.159
<v Speaker 2>the traditional defender often stops there. They block it, maybe close

322
00:17:01.200 --> 00:17:04.160
<v Speaker 2>the ticket, threat contained, right. But the active defender, they

323
00:17:04.200 --> 00:17:06.599
<v Speaker 2>understand the attacker isn't going to just give up. They'll

324
00:17:06.640 --> 00:17:09.839
<v Speaker 2>simply pivot. They'll try what we call a procedural synonym,

325
00:17:10.519 --> 00:17:13.119
<v Speaker 2>just a different way, a different procedure to achieve the

326
00:17:13.160 --> 00:17:17.160
<v Speaker 2>exact same technique, the same outcome exactly. They'll just try

327
00:17:17.240 --> 00:17:20.880
<v Speaker 2>running rundll32.exe with the right parameters instead.

328
00:17:21.240 --> 00:17:25.240
<v Speaker 2>It achieves the same goal, dumping credentials. The active defender

329
00:17:25.519 --> 00:17:28.960
<v Speaker 2>uses that initial failed Mimikatz attempt not as the end

330
00:17:29.000 --> 00:17:31.680
<v Speaker 2>of the investigation, but as the first data point on

331
00:17:31.720 --> 00:17:34.839
<v Speaker 2>their mental graph. They will then actively look for that

332
00:17:34.880 --> 00:17:38.799
<v Speaker 2>subsequent suspicious behavior, look for those connections across the network,

333
00:17:39.039 --> 00:17:42.279
<v Speaker 2>hunting for the procedural synonyms, regardless of what specific tools

334
00:17:42.319 --> 00:17:46.480
<v Speaker 2>are being used. That deep focus on understanding and detecting procedures,

335
00:17:46.799 --> 00:17:49.799
<v Speaker 2>not just tools or basic indicators, is the key feature

336
00:17:49.920 --> 00:17:51.839
<v Speaker 2>that truly separates the active defender.

337
00:17:52.000 --> 00:17:53.880
<v Speaker 1>So, wrapping this up, what does this all really mean

338
00:17:53.920 --> 00:17:56.599
<v Speaker 1>for you, the person listening, the person responsible for defense?

339
00:17:56.960 --> 00:17:59.240
<v Speaker 1>It sounds like the active defender is less about buying

340
00:17:59.240 --> 00:18:02.119
<v Speaker 1>the next shiny new security product, the next magic box,

341
00:18:02.200 --> 00:18:06.680
<v Speaker 1>and almost entirely about adopting a persistent, analytical, curious mindset,

342
00:18:06.880 --> 00:18:10.359
<v Speaker 1>one that focuses on outcomes on patterns, on procedures. It's

343
00:18:10.400 --> 00:18:13.640
<v Speaker 1>really an investment in curiosity over just compliance checklists.

344
00:18:13.960 --> 00:18:17.920
<v Speaker 2>Absolutely, and this proactive procedure focused approach is becoming absolutely

345
00:18:18.000 --> 00:18:21.440
<v Speaker 2>critical when you look at the emerging threats, threats targeting

346
00:18:21.519 --> 00:18:26.559
<v Speaker 2>the really foundational layers of our operating environments. Consider something

347
00:18:26.599 --> 00:18:29.119
<v Speaker 2>like the BlackLotus UEFI bootkit. It was found in

348
00:18:29.160 --> 00:18:31.720
<v Speaker 2>the wild, operates at such a low hardware level below

349
00:18:31.759 --> 00:18:34.960
<v Speaker 2>the OS, it can bypass Secure Boot even on fully

350
00:18:35.000 --> 00:18:39.240
<v Speaker 2>patched Windows systems. Traditional patching, passive monitoring, they're simply insufficient

351
00:18:39.279 --> 00:18:41.680
<v Speaker 2>to detect or stop that. And we're also seeing this

352
00:18:41.839 --> 00:18:45.720
<v Speaker 2>huge increase in highly sophisticated software supply chain attacks and

353
00:18:45.799 --> 00:18:49.319
<v Speaker 2>things like BYOVD attacks, Bring Your Own Vulnerable Driver, where

354
00:18:49.359 --> 00:18:52.519
<v Speaker 2>attackers use legitimate signed drivers with known flaws to gain

355
00:18:52.599 --> 00:18:53.599
<v Speaker 2>kernel level access.

356
00:18:53.720 --> 00:18:57.519
<v Speaker 1>Wow. So these low level, potentially high impact future challenges,

357
00:18:57.559 --> 00:19:02.440
<v Speaker 1>they absolutely demand that constant situational awareness, that holistic graph

358
00:19:02.480 --> 00:19:04.119
<v Speaker 1>based thinking you mentioned.

359
00:19:03.880 --> 00:19:07.640
<v Speaker 2>They absolutely do. Only by actively engaging with that offensive

360
00:19:07.640 --> 00:19:10.920
<v Speaker 2>security knowledge, the knowledge that reveals the procedures used by

361
00:19:10.960 --> 00:19:15.240
<v Speaker 2>adversaries at every level. Only then can defenders really hope

362
00:19:15.279 --> 00:19:18.200
<v Speaker 2>to stand a chance. So maybe your homework this week

363
00:19:18.240 --> 00:19:20.519
<v Speaker 2>as you start thinking about your own journey towards becoming

364
00:19:20.559 --> 00:19:22.920
<v Speaker 2>an active defender is to really look at the systems

365
00:19:22.960 --> 00:19:27.319
<v Speaker 2>you're responsible for protecting. Start researching what hardware specifically and

366
00:19:27.400 --> 00:19:29.839
<v Speaker 2>what kernel mode drivers are actually running in your environment.

367
00:19:29.920 --> 00:19:31.720
<v Speaker 2>Right now, you really need to know what you are

368
00:19:31.720 --> 00:19:35.759
<v Speaker 2>truly protecting at that foundational level, because increasingly that's precisely

369
00:19:35.759 --> 00:19:37.119
<v Speaker 2>where the attackers are aiming next.
