WEBVTT 1 00:00:00.160 --> 00:00:03.200 So I was actually just looking at my phone this morning, 2 00:00:03.919 --> 00:00:07.240 checking emails, you know, texting my mom, the usual routine, 3 00:00:07.240 --> 00:00:10.519 All right, the usual, and it hit me. We always 4 00:00:10.560 --> 00:00:14.839 talk about connectivity like it's this purely benevolent force. Yeah, 5 00:00:14.880 --> 00:00:17.760 we really think everything is smart, everything talks to everything else. 6 00:00:18.399 --> 00:00:22.120 But there's this flip side that we don't usually discuss 7 00:00:22.199 --> 00:00:25.000 until it's way too late, which is that connectivity is 8 00:00:25.079 --> 00:00:27.359 basically just a synonym for exposure. 9 00:00:27.399 --> 00:00:30.039 Oh absolutely, that is the reality nobody puts on the 10 00:00:30.039 --> 00:00:30.839 marketing brochure. 11 00:00:31.079 --> 00:00:31.320 Right. 12 00:00:31.519 --> 00:00:34.320 Every connection is a door, Yeah, and the more doors 13 00:00:34.359 --> 00:00:36.799 you have, the harder it is to make sure they're 14 00:00:36.799 --> 00:00:39.119 all locked. Used to be that security was just for 15 00:00:39.600 --> 00:00:42.560 you know, the IT guys in the basement protecting the server. 16 00:00:42.399 --> 00:00:44.560 Ax right, the guys with the physical keys exactly. 17 00:00:44.600 --> 00:00:48.679 But now if you have a log in or even 18 00:00:48.719 --> 00:00:51.119 just a key card to get into the building, you 19 00:00:51.439 --> 00:00:53.000 are part of the security. 20 00:00:52.600 --> 00:00:56.000 Perimeter, which is a terrifying thought, considering I sometimes completely 21 00:00:56.000 --> 00:00:59.119 forget my own Netflix password. Most people do, but I 22 00:00:59.159 --> 00:01:00.960 mean that's exactly what I were doing this deep duck. 23 00:01:01.039 --> 00:01:06.040 Today we are tackling cybersecurity fundamentals, and before anyone listening 24 00:01:06.120 --> 00:01:08.159 rolls or eyes thinking this is going to be you know, 25 00:01:08.519 --> 00:01:09.400 dry tech. 26 00:01:09.239 --> 00:01:11.159 Support manuals Pleazon't you now yet? 27 00:01:11.519 --> 00:01:14.599 Yeah? Hold on, we are decoding the actual mechanics of 28 00:01:14.599 --> 00:01:17.799 how the digital world breaks. We're pulling all our insights 29 00:01:17.840 --> 00:01:21.200 from the CCNP and CCIE security Core score three fifty 30 00:01:21.280 --> 00:01:22.879 seven to one official CIRT Guide. 31 00:01:22.920 --> 00:01:24.359 I know it's a bit of a mouthful of attich 32 00:01:24.480 --> 00:01:26.959 a massive mouthflow, but it really is the gold standard. 33 00:01:27.000 --> 00:01:30.599 It's the literal playbook that high level security architects use. 34 00:01:31.319 --> 00:01:33.280 And what's great about this source material is that it 35 00:01:33.359 --> 00:01:36.560 moves way past the buzzwords, right Like we hear hacker 36 00:01:36.680 --> 00:01:39.359 or firewall or malware on the news all the time, 37 00:01:40.040 --> 00:01:43.439 but we rarely stop to ask how does that actually work? Yes, like, 38 00:01:43.560 --> 00:01:46.719 how does a literal line of code physically steal money 39 00:01:46.719 --> 00:01:47.319 from a bank? 40 00:01:47.560 --> 00:01:50.079 And that's exactly my goal today. I want to move 41 00:01:50.200 --> 00:01:52.799 past the headlines and understand the actual machinery. 42 00:01:52.920 --> 00:01:53.439 Let's do it. 43 00:01:53.519 --> 00:01:56.599 But let's start with the basics, because I think I 44 00:01:56.599 --> 00:01:59.680 think I've been using two terms interchangeably that are actually 45 00:01:59.719 --> 00:02:04.439 quite different, information security and cybersecurity. Are these just corporate 46 00:02:04.519 --> 00:02:06.280 synonyms or no? 47 00:02:06.560 --> 00:02:09.120 There's real distinction, and it matters a lot in the 48 00:02:09.159 --> 00:02:13.400 industry information security, or INFOSEC. That's kind of the old guard. 49 00:02:14.039 --> 00:02:16.599 It's strictly about the data itself. Think of it like 50 00:02:16.599 --> 00:02:20.479 a secret recipe in a physical safe. INFOSEC is obsessed 51 00:02:20.520 --> 00:02:22.159 with what we call the CIA. 52 00:02:21.879 --> 00:02:24.319 Triad the intelligence agency No. 53 00:02:24.319 --> 00:02:28.759 No, it stands for confidentiality, integrity, and availability. Okay, So 54 00:02:29.120 --> 00:02:33.360 is the recipe secret? That's confidentiality. Has anyone changed the 55 00:02:33.479 --> 00:02:37.000 ingredients without asking? That's integrity? And can the chef actually 56 00:02:37.000 --> 00:02:39.080 get the recipe when he needs it? That's availability. 57 00:02:39.680 --> 00:02:42.360 So INFOSEC is basically just locking the safe. 58 00:02:42.120 --> 00:02:45.639 Right, But cybersecurity is the whole factory around it. It 59 00:02:45.639 --> 00:02:48.960 includes infosec obviously, but it zooms way out to protect 60 00:02:49.039 --> 00:02:51.719 the actual operations that rely on that digitized data. So 61 00:02:51.759 --> 00:02:55.680 it's bigger, much bigger. It's about securing the delivery trucks, 62 00:02:56.039 --> 00:02:59.400 the power grid running the ovens, the third party vendors 63 00:02:59.400 --> 00:03:03.800 who supply flower. If your flower supplier gets hacked and 64 00:03:03.840 --> 00:03:05.120 sends you poisoned. 65 00:03:04.840 --> 00:03:07.759 Ingredients, you're safe, is totally fine, but your business is 66 00:03:07.840 --> 00:03:08.840 dead exactly. 67 00:03:09.319 --> 00:03:13.680 That is a cybersecurity problem. It's defending every single ingress 68 00:03:13.680 --> 00:03:14.599 and egress connection. 69 00:03:15.080 --> 00:03:17.919 That helps a lot actually, so, cybersecurity is about the 70 00:03:18.000 --> 00:03:21.840 resilience of the whole system, not just keeping a file secret. Right, 71 00:03:22.199 --> 00:03:25.000 But if you're trying to secure a factory that complex 72 00:03:25.280 --> 00:03:29.000 with thousands of employees and devices, where do you even start. 73 00:03:29.039 --> 00:03:31.879 Do you just start like patching holes randomly? 74 00:03:31.960 --> 00:03:35.039 Well, that's the wild West approach and it almost always fails. 75 00:03:35.280 --> 00:03:38.360 You need a map, a set of guardrails. Yeah, and 76 00:03:38.400 --> 00:03:41.319 that's where frameworks come in. This source material leans heavily 77 00:03:41.400 --> 00:03:44.080 on two big ones, NIST and ISO. 78 00:03:44.439 --> 00:03:46.840 I've definitely heard of NIST. That's the government one. 79 00:03:46.719 --> 00:03:49.360 Right now, Yeah, the National Institute of Standards and Technology. 80 00:03:49.400 --> 00:03:50.879 It's under the US Department of Commerce. 81 00:03:50.960 --> 00:03:53.360 To be honest, when I hear government framework, my brain 82 00:03:53.400 --> 00:03:56.719 immediately goes to bureaucracy and endless red tape. Is it 83 00:03:56.800 --> 00:03:58.680 actually useful for a private company? 84 00:03:59.039 --> 00:04:02.719 Surprisingly? Yeah, it's a voluntary set of standards. But the 85 00:04:02.840 --> 00:04:07.639 NIST Cybersecurity Framework is incredibly practical. It breaks everything down 86 00:04:07.639 --> 00:04:12.520 into just five simple functions, which are identify, protect, detect, respond, 87 00:04:12.560 --> 00:04:13.039 and recover. 88 00:04:13.199 --> 00:04:15.599 Identify, Protect, detect, respond, recover. 89 00:04:15.759 --> 00:04:18.959 Okay, it gives everyone a common language. So if I'm 90 00:04:19.000 --> 00:04:21.639 a chief information security officer and I have to go 91 00:04:21.680 --> 00:04:24.079 talk to the border directors. I don't bore them with 92 00:04:24.160 --> 00:04:27.839 code then fall asleep exactly. I say, here's how we 93 00:04:27.920 --> 00:04:30.839 detect a threat and here's how we recover. It's a 94 00:04:30.839 --> 00:04:34.680 way to manage risk cost effectively without getting bogged down 95 00:04:34.680 --> 00:04:35.639 in the technical weeds. 96 00:04:35.680 --> 00:04:36.560 And what about ISO. 97 00:04:36.959 --> 00:04:40.519 So ISO is the international standard, specifically the ISO twenty 98 00:04:40.560 --> 00:04:41.560 seven thousand series. 99 00:04:41.639 --> 00:04:43.279 Okay, how does that differ from NIS. 100 00:04:43.360 --> 00:04:45.879 If NIST is the playbook you use internally to get 101 00:04:45.920 --> 00:04:49.720 your act together. ISO, specifically ISO twenty seven to seven 102 00:04:49.839 --> 00:04:52.879 zero one is the actual certification you get to prove 103 00:04:52.920 --> 00:04:54.600 to the rest of the world that you're secure. Oh, 104 00:04:54.639 --> 00:04:58.680 I see, Yeah, it's specifications for information security management systems. 105 00:04:59.040 --> 00:05:02.199 And then there's ISO seven zero zero two, which is 106 00:05:02.240 --> 00:05:05.439 more like a code of practice, but generally ISO twenty 107 00:05:05.480 --> 00:05:07.600 seven zero zero one is the stamp of approval you 108 00:05:07.600 --> 00:05:10.160 put on your website to tell clients, Hey, we actually 109 00:05:10.240 --> 00:05:10.759 know what we're doing. 110 00:05:10.879 --> 00:05:13.600 Okay, so we have the rulebooks down, now let's talk 111 00:05:13.600 --> 00:05:16.839 about what we're actually fighting against. The guide breaks this 112 00:05:17.000 --> 00:05:23.480 down into basically an equation risk equals threat times vulnerability. 113 00:05:23.160 --> 00:05:25.959 Sometimes with impact thrown in there too. Yeah, right, I. 114 00:05:25.920 --> 00:05:28.319 Want to drill into the difference between a threat and 115 00:05:28.319 --> 00:05:30.720 a vulnerability, because I feel like I use those words 116 00:05:30.759 --> 00:05:33.399 to mean the exact same thing in everyday conversation. 117 00:05:33.720 --> 00:05:37.079 Most people do think of it this way. A vulnerability 118 00:05:37.240 --> 00:05:39.680 is a weakness. It's an unluck window in your house. 119 00:05:39.920 --> 00:05:42.000 In tech, it's a flaw and a piece of software 120 00:05:42.040 --> 00:05:45.480 code or even a hardware design error just passive, entirely passive. 121 00:05:45.480 --> 00:05:48.759 It's just sitting there waiting. In the industry, we use 122 00:05:48.879 --> 00:05:53.399 cvees Common Vulnerabilities and Exposures as the standard ID system 123 00:05:53.480 --> 00:05:56.240 to track these flaws and the threat. The threat is 124 00:05:56.240 --> 00:05:59.800 the potential danger. It's the burglar walking down the street 125 00:06:00.120 --> 00:06:05.600 checking those windows. A threat is latent until it's actually realized. 126 00:06:05.759 --> 00:06:09.079 Okay, So a vulnerability without a threat isn't really risky. 127 00:06:09.240 --> 00:06:11.240 Like if you live on a desert island, you can 128 00:06:11.319 --> 00:06:13.480 leave your front door wide open, exactly. 129 00:06:13.839 --> 00:06:16.600 But in the digital world, you are never on a 130 00:06:16.639 --> 00:06:20.439 desert island. The threat is always there. Risk is just 131 00:06:20.519 --> 00:06:24.439 the probability of that threat actually exploiting that vulnerability. 132 00:06:24.920 --> 00:06:28.519 The source material mentioned some specific hardware vulnerabilities that sounded 133 00:06:28.560 --> 00:06:31.720 like straight up sci fi movie titles Specter and Meltdown. 134 00:06:31.800 --> 00:06:35.399 Oh, those were huge earth shattering for the industry. And 135 00:06:35.439 --> 00:06:39.399 they weren't software bugs. They were hardware vulnerabilities baked into 136 00:06:39.439 --> 00:06:41.839 the actual computer processors. 137 00:06:41.360 --> 00:06:43.439 Which means you can't just download a patch to fix 138 00:06:43.480 --> 00:06:44.199 the code. Right. 139 00:06:44.360 --> 00:06:47.680 Well, they made software mitigations, but the flaw was physical. 140 00:06:48.040 --> 00:06:51.399 They exploited something called speculative execution aculative execution. 141 00:06:51.560 --> 00:06:54.519 That sounds pretty intense. What does it actually mean for 142 00:06:54.560 --> 00:06:55.519 a CPU to do that? 143 00:06:55.800 --> 00:06:59.920 It's actually speed hack. Modern processors are so insanely fast 144 00:07:00.319 --> 00:07:02.160 that they literally try to guess what you're going to 145 00:07:02.199 --> 00:07:06.240 do next. Wait really, yeah, they execute instructions before they 146 00:07:06.279 --> 00:07:08.879 even know if they're actually needed, just to save a 147 00:07:08.920 --> 00:07:12.120 few fractions of a millisecond. If they guessed right, great 148 00:07:12.360 --> 00:07:15.839 things run faster. If they guessed wrong, they just discard 149 00:07:15.879 --> 00:07:16.240 the work. 150 00:07:16.360 --> 00:07:18.160 So the computer is trying to be psychic. 151 00:07:18.319 --> 00:07:21.399 It tries, but Specter and Meltdown found a way to 152 00:07:21.480 --> 00:07:24.920 snoop on that discarded work. They could trick the processor 153 00:07:24.959 --> 00:07:29.319 into speculatively reading secret memory like your passwords, and then 154 00:07:29.360 --> 00:07:32.279 reading the tiny physical traces left behind on the chip. 155 00:07:32.439 --> 00:07:35.399 That is wild. It proved that even the silicon chips 156 00:07:35.439 --> 00:07:36.920 themselves can be vulnerable. 157 00:07:37.079 --> 00:07:39.759 Okay, so you have the vulnerability, the chip flaw. You 158 00:07:39.839 --> 00:07:43.199 have the threat, the bad actor, and then the exploit 159 00:07:43.319 --> 00:07:46.000 is the tool they use to actually connect the two precisely. 160 00:07:46.439 --> 00:07:49.720 The exploit is the crowbar. It's the specific tool or 161 00:07:49.759 --> 00:07:53.240 technique written to take advantage of that specific weakness. And 162 00:07:53.319 --> 00:07:55.720 here's the really scary part. What's that You don't even 163 00:07:55.759 --> 00:07:57.319 have to write your own exploits anymore. 164 00:07:57.399 --> 00:08:00.399 Yeah, the guide mentioned something called exploit dB. It sounded 165 00:08:00.399 --> 00:08:02.680 almost like an Amazon marketplace for hackers. 166 00:08:03.120 --> 00:08:07.279 It's a massive archive, the exploit database. Security researchers actually 167 00:08:07.360 --> 00:08:10.399 post exploits there to help companies see how the flaws 168 00:08:10.399 --> 00:08:11.480 work so they can fix them. 169 00:08:11.480 --> 00:08:13.639 But I'm guessing bad actors use them too. 170 00:08:13.600 --> 00:08:16.160 Oh constantly. You can literally pull up a command line 171 00:08:16.199 --> 00:08:19.079 tool called search bloit and just search the database like 172 00:08:19.319 --> 00:08:22.319 show me an exploit for Windows ten boom, here's the 173 00:08:22.360 --> 00:08:23.399 exact code you need. 174 00:08:23.720 --> 00:08:27.279 So the tools are completely democratized at this point, which 175 00:08:27.319 --> 00:08:31.519 brings us perfectly to the who the adversaries themselves, because 176 00:08:31.560 --> 00:08:34.399 I think pop culture still has this stubborn image of 177 00:08:34.440 --> 00:08:37.519 the thread actor, as you know, a lone wolf and 178 00:08:37.519 --> 00:08:41.440 a hoodie drinking a monster energy drink and a dark basement. 179 00:08:41.360 --> 00:08:43.840 And I mean that guy does exist. We call them 180 00:08:43.879 --> 00:08:44.639 script kitties. 181 00:08:44.679 --> 00:08:45.399 Script kitties. 182 00:08:45.480 --> 00:08:49.240 Yeah, they're relatively unskilled individuals who just download those existing 183 00:08:49.279 --> 00:08:52.679 tools from places like exploit dB and fire them off 184 00:08:52.840 --> 00:08:55.480 without really understanding how the underlying code works. 185 00:08:55.559 --> 00:08:58.200 So they're dangerous, but maybe not the main problem. 186 00:08:58.399 --> 00:09:01.639 They're annoying and they cause dan image, but they aren't 187 00:09:01.679 --> 00:09:05.240 the biggest danger. The biggest danger is organized crime. 188 00:09:05.240 --> 00:09:07.320 Like digital mafias exactly. 189 00:09:07.399 --> 00:09:09.879 This is big, big business. They run actual call centers, 190 00:09:09.919 --> 00:09:12.919 they have HR departments, they have profit sharing models. They 191 00:09:12.919 --> 00:09:14.480 are motivated purely by money. 192 00:09:14.639 --> 00:09:16.879 Wow. And then there are nation states right. 193 00:09:16.960 --> 00:09:19.840 Right governments, and they are usually looking for a quick 194 00:09:19.879 --> 00:09:24.000 buck from stolen credit cards. They want intellectual property, state secrets, 195 00:09:24.440 --> 00:09:27.759 or they want to plant malware in critical infrastructure for 196 00:09:27.840 --> 00:09:30.080 future espionage or defense. 197 00:09:30.200 --> 00:09:32.639 Their tools must be on a whole other level. 198 00:09:32.519 --> 00:09:37.240 Custom built, highly sophisticated, and then kind of occupying a 199 00:09:37.279 --> 00:09:40.320 weird middle ground between all these, you have activists and 200 00:09:40.440 --> 00:09:41.240 terrorist groups. 201 00:09:41.440 --> 00:09:44.840 Activists are they the ones who view themselves as kind 202 00:09:44.840 --> 00:09:46.600 of digital robin hoods. 203 00:09:46.519 --> 00:09:49.759 In their own minds. Maybe they're motivated by political or 204 00:09:49.799 --> 00:09:52.879 social causes. They want to embarrass a target or leak 205 00:09:53.000 --> 00:09:56.159 data to make a point. And then terrorist groups similarly 206 00:09:56.200 --> 00:09:59.879 are motivated by ideology, usually aiming for disruption and fear. 207 00:10:00.639 --> 00:10:02.200 So we know who they are and we know they 208 00:10:02.200 --> 00:10:04.679 have exploits ready to go. Let's talk about their weapon 209 00:10:04.720 --> 00:10:10.320 of choice, malware, the Fund's duck. The guide distinguishes between viruses, worms, 210 00:10:10.360 --> 00:10:12.639 and trojans, and I have to admit I just call 211 00:10:12.799 --> 00:10:16.440 literally everything a virus. What is the actual mechanical difference? 212 00:10:17.039 --> 00:10:19.600 It mostly comes down to how they spread and operate. 213 00:10:20.159 --> 00:10:21.799 A virus needs a host. 214 00:10:21.519 --> 00:10:23.720 File like a word document exactly. 215 00:10:23.840 --> 00:10:27.320 It attaches itself to a spreadsheet or a document. But crucially, 216 00:10:27.919 --> 00:10:31.240 a virus needs human interaction to work. You have to 217 00:10:31.279 --> 00:10:34.399 actively double click the file to trigger the payload. 218 00:10:34.799 --> 00:10:37.799 Okay, so if I don't click the attachment, the virus just. 219 00:10:37.759 --> 00:10:41.480 Sleeps, right. It relies on you making a mistake. A worm, 220 00:10:41.519 --> 00:10:43.919 on the other hand, is entirely different. It's kind of 221 00:10:43.960 --> 00:10:46.360 the stuff of it nightmares because it does not need 222 00:10:46.480 --> 00:10:46.960 human help. 223 00:10:47.039 --> 00:10:48.320 It just moves on its own. 224 00:10:48.480 --> 00:10:51.960 Yes, Once a worm breaches a network, it replicates itself 225 00:10:52.080 --> 00:10:54.799 and spreads to other vulnerable computers automatically. It just crawls 226 00:10:54.840 --> 00:10:57.879 across the network connections. You be fast asleep and a 227 00:10:57.919 --> 00:10:59.679 worm is systematically infecting. 228 00:10:59.360 --> 00:11:03.039 Your entire That is genuinely terrifying. And the trojan, like 229 00:11:03.039 --> 00:11:04.960 the trojan horse, exactly. 230 00:11:04.600 --> 00:11:08.200 Like the myth, it relies entirely on the uninformed user deception. 231 00:11:08.759 --> 00:11:11.639 It masquerades is something you actually want, a free game, 232 00:11:12.120 --> 00:11:14.399 a PDF invoice, a software. 233 00:11:14.039 --> 00:11:15.840 Update, so you willingly install it. 234 00:11:15.919 --> 00:11:18.799 You invite it right through the front door, but inside 235 00:11:19.279 --> 00:11:24.120 it carries a malicious payload. The source specifically highlights rats 236 00:11:24.559 --> 00:11:26.120 or remote access trojans. 237 00:11:26.559 --> 00:11:28.600 That sounds extremely bad. 238 00:11:28.759 --> 00:11:31.960 It's the worst case scenario for a user. Arat like 239 00:11:32.000 --> 00:11:35.519 the famous poison ivy toolkit, for example, gives the attacker 240 00:11:35.679 --> 00:11:37.399 total control over your machine. 241 00:11:37.480 --> 00:11:38.720 Define total control. 242 00:11:38.879 --> 00:11:41.399 It's like they are sitting in your computer chair. They 243 00:11:41.440 --> 00:11:43.799 can turn on your webcam, they can record your keystrokes, 244 00:11:43.879 --> 00:11:47.840 browse your files, move your mouse. You've essentially become a puppet. 245 00:11:48.039 --> 00:11:51.120 There was a specific physical delivery method mentioned for these 246 00:11:51.200 --> 00:11:54.919 prosians that really stuck with me. The poison Apple. Uh yeah, 247 00:11:55.000 --> 00:11:56.559 it sounds like a fairy tale, but it's actually just 248 00:11:56.639 --> 00:11:57.480 a USB drive. 249 00:11:57.679 --> 00:12:02.159 It's a classic, incredibly effective social engineering attack. An attacker 250 00:12:02.240 --> 00:12:05.840 just drops an infected USB drive somewhere obvious, a company 251 00:12:05.879 --> 00:12:07.919 parking a lot, cafeteria. 252 00:12:07.320 --> 00:12:09.039 And they make it look tempting exactly. 253 00:12:09.120 --> 00:12:12.080 Uh, maybe they label it executive Salaries twenty twenty four, 254 00:12:12.600 --> 00:12:15.200 or they put it on a physical keychain with a 255 00:12:15.320 --> 00:12:17.039 cute photo of a puppy attached to it. 256 00:12:17.080 --> 00:12:21.200 They just wait, and human curiosity becomes the vulnerability. 257 00:12:20.679 --> 00:12:24.639 The strongest vulnerability we have. An employee picks it up, 258 00:12:24.799 --> 00:12:27.200 their curiosity gets the better of them, and they plug 259 00:12:27.240 --> 00:12:29.759 it into their work laptop just to see what's on it. 260 00:12:29.919 --> 00:12:30.440 And that's it. 261 00:12:30.600 --> 00:12:33.639 The moment they plug it in, the script auto runs, 262 00:12:33.840 --> 00:12:37.039 the RT installs, and the attacker is inside the network. 263 00:12:37.799 --> 00:12:42.120 No million dollar firewall can stop a curious employee from 264 00:12:42.120 --> 00:12:43.720 plugging in a piece of plastic. 265 00:12:44.080 --> 00:12:47.080 That is so simple and so devious. But okay, that's 266 00:12:47.120 --> 00:12:50.080 how they get in. Once they're inside, what are they doing, 267 00:12:50.360 --> 00:12:52.960 because lately it feels like the answer in the news 268 00:12:53.000 --> 00:12:54.440 is almost always ransomware. 269 00:12:54.720 --> 00:12:59.200 Ransomware has completely upended the entire economy of cybercrime. It 270 00:12:59.320 --> 00:13:01.879 used to be all about quietly stealing data to sell 271 00:13:01.919 --> 00:13:04.320 it on the black market. Now it's about holding the 272 00:13:04.399 --> 00:13:05.840 data hostage in plain sight. 273 00:13:05.919 --> 00:13:07.639 Because they encrypt your files right right. 274 00:13:07.679 --> 00:13:09.879 They scramble all your documents so you can't read them, 275 00:13:09.919 --> 00:13:12.279 and then they demand a massive payment for the digital 276 00:13:12.279 --> 00:13:13.039 decryption key. 277 00:13:13.480 --> 00:13:16.399 But the guide talked about a specific evolution in ransomware 278 00:13:16.399 --> 00:13:19.639 that I found really disturbing us. Ransomware as a service. 279 00:13:19.919 --> 00:13:23.200 This is that industrialization of prime I mentioned earlier. In 280 00:13:23.240 --> 00:13:25.519 the old days, a hacker had to be somewhat of 281 00:13:25.519 --> 00:13:28.600 a genius. They had to write the complex encryption code, 282 00:13:28.919 --> 00:13:31.879 build a secure payment portal in the dark web, manage 283 00:13:31.919 --> 00:13:34.240 the decryption keys. It was a lot of work, it was. 284 00:13:34.600 --> 00:13:38.399 But now you have highly skilled developers who build the ransomware, 285 00:13:38.440 --> 00:13:41.559 groups like the ones behind wanacry CONTI your dark side, right. 286 00:13:42.360 --> 00:13:45.240 But they don't actually use the tools themselves. They rent 287 00:13:45.240 --> 00:13:45.639 them out. 288 00:13:45.840 --> 00:13:48.960 So it's literally a franchise model, like opening a fast 289 00:13:49.000 --> 00:13:49.720 food restaurant. 290 00:13:49.759 --> 00:13:53.200 It's exactly like that. You the criminal affiliate sign up, 291 00:13:53.320 --> 00:13:55.720 You get a sleek dashboard, you get a two four 292 00:13:55.879 --> 00:14:00.000 seven tech support hotline, and a built in payment processing system. 293 00:14:00.080 --> 00:14:02.200 Tech support for criminals unbelievable. 294 00:14:02.279 --> 00:14:05.360 You conduct the attack, the victim pays the ransom, and 295 00:14:05.440 --> 00:14:08.919 the developer software automatically takes a twenty percent commission off 296 00:14:09.000 --> 00:14:11.559 the top before routing the restu. 297 00:14:11.279 --> 00:14:14.399 Which means any random person with bad intentions and a 298 00:14:14.399 --> 00:14:17.679 little bit of cryptocurrency can become a high level thread actor. 299 00:14:18.080 --> 00:14:21.559 It lowers the barrier to entry to almost zero. That's 300 00:14:21.600 --> 00:14:25.320 exactly why we're seeing such a massive, sustained spike in 301 00:14:25.440 --> 00:14:28.919 attacks on targets like hospitals and school districts. It's not 302 00:14:29.000 --> 00:14:34.039 usually masterminds, it's unskilled affiliates using rented military grade tools. 303 00:14:34.279 --> 00:14:38.799 Okay, let's pivot slightly. Let's say the attacker isn't using ransomware. 304 00:14:39.159 --> 00:14:42.519 Say they want to quietly steal secrets, maybe a nation 305 00:14:42.720 --> 00:14:45.960 state trying to steal blueprints for a new jet engine. Okay, 306 00:14:46.080 --> 00:14:49.000 they're inside the network, how do they actually get that 307 00:14:49.080 --> 00:14:52.679 massive amount of data out without the company's security team noticing? 308 00:14:53.000 --> 00:14:55.279 The guide calls this exfiltration, right. 309 00:14:55.159 --> 00:14:57.440 Yeah, xfiltration, And this is where we get into real 310 00:14:57.559 --> 00:15:00.320 high level spycraft. If you just tried to eat email 311 00:15:00.360 --> 00:15:04.120 a terabyte of proprietary data to evildash haacker dot com, 312 00:15:04.159 --> 00:15:07.399 the corporate firewalls could catch it and block it immediately, obviously, 313 00:15:07.679 --> 00:15:10.240 so they use a technique called tunneling. They hide the 314 00:15:10.279 --> 00:15:14.519 stolen data inside normal traffic that the network explicitly allows wait. 315 00:15:14.399 --> 00:15:17.919 Allowed traffic mean like just regular web browsing exactly. Take DNS, 316 00:15:17.960 --> 00:15:21.000 for example, the domain name system. Every single time you 317 00:15:21.080 --> 00:15:23.919 type Google dot com into your browser, your computer sends 318 00:15:23.919 --> 00:15:26.759 a tiny request out to a DNS server, asking, Hey, 319 00:15:26.799 --> 00:15:28.960 what is the IP address for Google dot com? 320 00:15:29.039 --> 00:15:31.159 Right, it's the Internet's phone book. 321 00:15:31.080 --> 00:15:35.519 Exactly, and the server replies, no, company blocks DNS requests 322 00:15:35.759 --> 00:15:38.679 because if you block DNS, the Internet effectively stops working 323 00:15:38.840 --> 00:15:39.759 for your whole company. 324 00:15:39.960 --> 00:15:42.919 Okay, but how do you hide a massive jet engine 325 00:15:42.960 --> 00:15:45.279 blueprint inside a tiny phone book request? 326 00:15:45.480 --> 00:15:48.519 You chop the blueprint up into tiny, tiny pieces, then 327 00:15:48.559 --> 00:15:52.080 you encode those pieces into the web address itself. Oh wow, 328 00:15:52.159 --> 00:15:55.039 So the malware on the infected computer sends a DNS 329 00:15:55.159 --> 00:15:58.200 request for something like secret dash part dash one dot 330 00:15:58.279 --> 00:15:59.679 evildash hacker dot com. 331 00:15:59.720 --> 00:16:01.840 Ah. I see, so the company's DNAs server just thinks 332 00:16:01.879 --> 00:16:03.480 it's looking up a normal website, right. 333 00:16:03.480 --> 00:16:06.039 It dutifully forwards the request out to the Internet. But 334 00:16:06.120 --> 00:16:10.200 the attacker actually owns the domain evildashacker dot com. So 335 00:16:10.240 --> 00:16:12.679 when that request hits their server, they just love that 336 00:16:12.759 --> 00:16:15.000 first part secret part one and send back a fake 337 00:16:15.039 --> 00:16:15.679 IP address. 338 00:16:15.759 --> 00:16:17.480 And then the malware sends Part two. 339 00:16:17.360 --> 00:16:20.000 Secret Part two dot evildashacker dot com. They do this 340 00:16:20.159 --> 00:16:21.559 thousands and thousands of times. 341 00:16:21.879 --> 00:16:24.919 It's like smuggling a massive dictionary out of a prison 342 00:16:25.320 --> 00:16:28.080 by asking the guard to mail one single letter of 343 00:16:28.120 --> 00:16:29.320 a word every day. 344 00:16:29.519 --> 00:16:32.720 That is a perfect analogy to the guard the firewall. 345 00:16:33.120 --> 00:16:35.320 It just looks like someone really likes looking up long, 346 00:16:35.440 --> 00:16:39.360 weirdly named websites. But effectively you are tunneling gigabytes of 347 00:16:39.440 --> 00:16:41.039 data right through the front door. 348 00:16:41.399 --> 00:16:44.000 That's incredible. And the guide mentioned tools for this too, right, 349 00:16:44.120 --> 00:16:44.879 like iodine. 350 00:16:45.000 --> 00:16:48.200 Yeah, iodine is a popular tool for DNS tunneling and 351 00:16:48.279 --> 00:16:52.120 for HTTP or TCP tunneling. Attackers use tools like netcap. 352 00:16:52.399 --> 00:16:55.279 So if the malware is that sneaky, how does the 353 00:16:55.519 --> 00:16:59.399 blue team, the defenders, how do they catch this stuff? 354 00:16:59.399 --> 00:17:00.960 How do you even figure out what a piece of 355 00:17:00.960 --> 00:17:02.240 malwaar is programmed to do? 356 00:17:02.440 --> 00:17:04.480 You have to capture a sample of it and dissect it. 357 00:17:04.559 --> 00:17:04.759 Yeah. 358 00:17:04.759 --> 00:17:07.599 We generally use two main methods. First is static. 359 00:17:07.359 --> 00:17:09.480 Analysis, static meaning it's not moving. 360 00:17:09.759 --> 00:17:11.920 It's like an autopsy. You don't actually run the code. 361 00:17:11.960 --> 00:17:16.279 You use decompilation tools like ida pro or Gidra, which 362 00:17:16.400 --> 00:17:19.400 fun fact, was actually developed and released by the NSA. 363 00:17:19.480 --> 00:17:21.720 Really, the NSA gave away a hacking. 364 00:17:21.480 --> 00:17:23.519 Tool, well, reverse engineering tool. Yeah. 365 00:17:23.599 --> 00:17:23.799 Yeah. 366 00:17:24.079 --> 00:17:25.480 You use it to look at the DNA of the 367 00:17:25.519 --> 00:17:28.079 virus to see exactly what is programmed to do, looking 368 00:17:28.079 --> 00:17:29.720 for recognizable functions or. 369 00:17:29.720 --> 00:17:32.000 Strings of text, and what if the code is scrambled 370 00:17:32.079 --> 00:17:33.960 or you can't tell just by looking at it. 371 00:17:34.039 --> 00:17:37.200 Then you move to dynamic analysis. You put the malware 372 00:17:37.200 --> 00:17:41.160 in a sandbox or a secure virtual machine. It's basically 373 00:17:41.200 --> 00:17:44.759 a fake isolated computer environment that looks real. Then you 374 00:17:44.799 --> 00:17:46.799 actually execute the virus and just watch what. 375 00:17:46.759 --> 00:17:49.319 Happens, like putting it in an interrogation room. Does it 376 00:17:49.359 --> 00:17:51.720 try to delete files? Does it try to phone home? 377 00:17:52.000 --> 00:17:56.880 Exactly? But malware authors are smart, they know all about sandboxes, 378 00:17:57.279 --> 00:18:00.519 so modern malware often has anti sandbox feed is built 379 00:18:00.559 --> 00:18:00.839 right in. 380 00:18:01.000 --> 00:18:02.920 What does that mean? It knows it's being watched. 381 00:18:03.079 --> 00:18:04.960 It wakes up and does a quick environment check. Yeah, 382 00:18:05.000 --> 00:18:08.000 it asks, is my hard drive remarkably small? Is the 383 00:18:08.119 --> 00:18:11.640 user's mouse moving in a perfectly straight line instead of naturally? 384 00:18:12.160 --> 00:18:16.240 Does my network card have a generic virtual sounding MSc address? 385 00:18:16.440 --> 00:18:18.759 It literally checks to see if it's trapped in the matrix. 386 00:18:19.160 --> 00:18:21.200 That's exactly what it's doing, and if it detects that 387 00:18:21.240 --> 00:18:23.119 it's in a virtual machine, it just plays dead. It 388 00:18:23.119 --> 00:18:26.160 does absolutely nothing malicious. The analyst looks at it and says, oh, 389 00:18:26.200 --> 00:18:28.480 this is totally safe and lets it through. 390 00:18:28.559 --> 00:18:30.839 And then when it gets onto a real employee laptop, 391 00:18:30.960 --> 00:18:36.440 it detonates. Man, that is devious. Okay, we've covered the network, 392 00:18:36.559 --> 00:18:39.440 the hardware, and the malware, but we have to talk 393 00:18:39.480 --> 00:18:42.279 about the web. We basically live in our browsers. Now, 394 00:18:43.000 --> 00:18:45.920 what are the big technical threats there? Because the guide 395 00:18:46.000 --> 00:18:48.440 went really deep into SEQL injections. 396 00:18:48.480 --> 00:18:52.640 Golah. Yeah, this is the absolute granddaddy of web vulnerabilities. 397 00:18:53.119 --> 00:18:55.759 It targets the database sitting behind the website. 398 00:18:55.920 --> 00:18:58.680 The guide used the snow example, which I found really helpful. 399 00:18:58.759 --> 00:19:01.880 But let's try to visualize for the listener. Say you're 400 00:19:01.920 --> 00:19:04.799 at a normal login screen. It asks for a username. 401 00:19:05.160 --> 00:19:08.359