on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing...
Transcript of on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing...
![Page 1: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/1.jpg)
O N C Y B E R
T H E G R U G Q @ T H E G R U G Q
i’m going to talk about the game, how the game change, strategies and tactics for the game.
![Page 2: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/2.jpg)
I V E B E E N I N T H I S G A M E F O R Y E A R S
I’ve been in cyber security industry since 1998/99.Some of you have too. Some of you are just starting. I’ve seen the changes that have come down the roadwhen I started, cyber was fun.
![Page 3: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/3.jpg)
H A C K I N G I N T H E 9 0 Ssomething like this…
![Page 4: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/4.jpg)
10 FIND 0DAY20 HACK THE PLANET30 GOTO 10
the game used to be fun. hack boxes at night, code during the day, wait to get a job somewhere
![Page 5: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/5.jpg)
T H E G A M E
a corporate job / CERT / AV or hug security / security researchpredictable; deal with vulnerable software, deal with securing a network against opportunists or low skill criminals trying to make some money
![Page 6: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/6.jpg)
T H E G A M E : C Y B E R S E C U R I T Y 2 0 0 0
• Cleanup after breaches
• Usually by script kiddies w/ egg drops
• Clean up malware
• Sometimes by cybercriminals
• Coordinate vulnerability disclosure
• (At least this one has been solved)
the actual job was pretty exciting and challenging. Everyone was cleaning up after script kiddies, cleaning up malware, coordinating vuln disclosures (thank god thats solved)cleanup breaches, cleanup malware, cleanup vuln code; basically internet janitor.
![Page 7: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/7.jpg)
T H E N , O N E D AY…
![Page 8: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/8.jpg)
T H E G A M E G O T W E I R D
then one day the job got weird. this was about 2010 plus or minus a year or so (def by 2011, stuxnetscript kiddies, viruses, cybercriminals, … KGB? PLA? NSA? WTF?
![Page 9: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/9.jpg)
T H E G A M E G O T B I G
the great game is the global espionage business that all nation states engage in to one degree or another.
![Page 10: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/10.jpg)
T H E G R E AT G A M E
![Page 11: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/11.jpg)
A P T
more accurately, the Great Game (espionage) that had always been happening was suddenly now also happening online. in cyber. the Asia Pacific Threat got sufficiently capable to operationalise cyber espionage(Shanghai Jiao Tong University)
![Page 12: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/12.jpg)
A L S O A P T
the russians were early to the game (see the Cuckoo’s Egg, over 20yrs old)They are extremely capable now, huge resources to draw on from their unchecked cybercriminal citizenry
![Page 13: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/13.jpg)
B E S T A P T
massive investment in tools and technology, plus decades of experience. See “the Morris worm, 1988”“SIGINT at rest” stolen from CIA
![Page 14: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/14.jpg)
I N E V I TA B L E
the merging of cybersecurity and espionage was inevitable. espionage is about collecting information, all the information is on computers
![Page 15: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/15.jpg)
I N F O R M AT I O N W A N T S T O B E F R E E D
spies collect data. data is on computers. spies collect from computers. QEDthis is how it always has been… remember: morris worm 1988, cuckoos egg 1989. “they haven’t gone away you know”our world has collided with their’s, which means
![Page 16: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/16.jpg)
T H E N E W N O R M A L
all the stuff that used to matter still matters: malware, vulnerabilities, criminals, kiddiesbut we share the space with nation stateswe’re players in the great game; particularly the people that are doing APT research, they’re active players in the intelligence space and making their decisions in the marketing dept!
![Page 17: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/17.jpg)
W E ’ R E H E R E
![Page 18: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/18.jpg)
N O W W H AT ?
we’re living in a global espionage free for all where everyone is a potential targethow do we live with this? watching the emergence of a new strategy and
![Page 19: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/19.jpg)
T H E G R E AT C Y B E R G A M E
![Page 20: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/20.jpg)
C Y B E R W A R
cyberwar is not a thing that is happening. there is global free for all cyber espionage, and cyber conflict, and cyber crime, but it isn’t war.it is more interesting than that…
![Page 21: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/21.jpg)
T H E O R Y
smart single skilled hackers would battle it out in a game of witsthe most highly skilled hacker with the most knowledge would “win”, would be heroes
![Page 22: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/22.jpg)
R E A L I T Y
reality sucks.
![Page 23: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/23.jpg)
W E L L T H AT S U C K S
![Page 24: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/24.jpg)
W H Y S O V E R Y W R O N G ?
everyone seems to have gotten cyber wrong. this is because the theory was developed by people who had no experience (no one had experience)
![Page 25: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/25.jpg)
N E W D O M A I N S O F C O N F L I C T
![Page 26: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/26.jpg)
A R E I N F R E Q U E N T
there have been 3 in the last 100 years (which is more than in the last 100,000 years)domains: land, sea, air, space, cyberspace hasn’t had open conflict, so a lot is still theory. just air and cyber are active, “hot” domains
![Page 27: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/27.jpg)
H A R D T O P R E D I C T
![Page 28: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/28.jpg)
T H E O R Y M E E T S P R A X I S
![Page 29: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/29.jpg)
T H I S H A S H A P P E N E D B E F O R E
![Page 30: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/30.jpg)
A N A N A L O G Y
all analogies are wrong, but some analogies are useful…
![Page 31: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/31.jpg)
A N E W D O M A I N O F C O N F L I C T
the last time humans created a new domain of conflict and then evolved the theory tactics and strategy while engaged in active conflict
![Page 32: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/32.jpg)
A I R P O W E R 1 9 1 5
![Page 33: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/33.jpg)
A I R P O W E R 1 9 1 5 : T E C H N O L O G Y
• Airplanes were basically motorised kites
• No weapons
• Used for reconnaissance
• Critical to accurate artillery fire
“without [airplanes], artillery is blind”
![Page 34: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/34.jpg)
A I R P O W E R : TA C T I C A L T H E O R Y
• Highly skilled pilots
• Highly manoeuvrable planes
• Battle for supremacy in bouts of skill and daring!
• Takeaway
• Build highly manoeuvrable planes
![Page 35: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/35.jpg)
P R A C T I C E …
![Page 36: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/36.jpg)
A I R P O W E R 1 9 1 7 : E X P E R I E N C E
• Practical rules for air war
• Boelke Dicta
• Similar rules from Western aces
• Proven in the crucible
• Concerned only with winning, not chivalry
• Takeaway
• Fast planes that can climb high
turns out the only thing that actually matters in a dog fight is who starts out higher up and who can get in and out fastest.
![Page 37: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/37.jpg)
D I C TA B O E L K E
• Secure the upper hand before attacking
• Always continue an attack you have begun
• Only fire at close range, when target is in sights
• Always keep an eye on your opponent
![Page 38: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/38.jpg)
D I C TA B O E L K E C O N T.
• In any attack, attack from behind
• If opponent dives on you, turn to meet the attack
• When over enemy lines, never forget line of retreat
• Attack in groups
![Page 39: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/39.jpg)
A I R F O R C E S AY I N G
“There are two types of planes: fighters, and targets”
![Page 40: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/40.jpg)
F I G H T E R
the Fokker M5K. It had terrible performance characteristics, really abysmal. But it had a forward facing gun. No one else could hit anything, so the Fokker reigned supreme. Germans had air superiority.
![Page 41: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/41.jpg)
TA R G E T
![Page 42: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/42.jpg)
eventually it reached a local maxima of perfection. a set of tactics (the dicta), along with aircraft that were functional enough to work, and sufficiently skilled operators to implement the tactics properly.NOTE: airplanes have only offence capabilities, like cyber.
![Page 43: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/43.jpg)
O V E R W H E L M T H E W E A K
![Page 44: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/44.jpg)
G O I N Q U I C K
![Page 45: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/45.jpg)
H I T H A R D
![Page 46: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/46.jpg)
G E T O U T
![Page 47: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/47.jpg)
TA C T I C A L C Y B E R
![Page 48: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/48.jpg)
C Y B E R W A R 2 0 1 5 : I N T H E O R Y …
really awesome skilled individuals battling it out in bouts of extreme skillactual operators are less skilled than the toolchain developers (usually). the real skill is in the tool development stage
![Page 49: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/49.jpg)
C Y B E R C O N F L I C T 2 0 1 5 : P R A C T I C E
• Experience has produced some basic rules about winning
• Hit the softest targets the hardest
this is about achieving mission objectives, not scoring cool pointssuccess is the the only criteria that matters
![Page 50: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/50.jpg)
TARGETED ATTACK DEMO
![Page 51: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/51.jpg)
![Page 52: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/52.jpg)
Q U A N T U M
• Why does NSA hit browsers?
• Targeted
• Easy*
• It works
NSA is privileged in how much traffic they have access to. Other nation states don’t have such access, they need to “go to the mountain, because the mountain doesn’t come to Mohamed”There are Quantum boxes for a single nation (e.g. Iran, etc) but not Internet scale.
![Page 53: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/53.jpg)
A P T
• Why does Asia Pacific Threat do spear phishing?
• Targeted
• Easy
• It works
![Page 54: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/54.jpg)
E V E R Y O N E
• Why do all* nation states use phishing?
• Targeted
• Easy
• It works
phishing is built on existing national intelligence agency competencies: recruiting people is what they do (assessment and recruitment are core espionage skills)if you can persuade someone to betray their country, persuading them to click a link is easyhard to detect and block, never gets patched. obfuscated malware installers
![Page 55: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/55.jpg)
W H AT W O R K S
• Client sides
• Spear/phishing
• Browsers
• USB
• Web Apps
• Other:
• Interdiction, telnet sniffing, big boy stuff…
80/20… client sides for everyone, then other more obscure stuff for hard targetsUSB for air gapped networks (usually)web apps mostly only to then use that web app for launching browser attacksinterdiction, etc are the long tail of cyber…
![Page 56: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/56.jpg)
C Y B E R TA C T I C S
go in like a fucking freight train
![Page 57: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/57.jpg)
O V E R W H E L M T H E W E A K
go after the weakest targets (client sides [optionally: against non security staff computers])
![Page 58: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/58.jpg)
G O I N Q U I C K LY
![Page 59: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/59.jpg)
H I T H A R D
![Page 60: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/60.jpg)
G E T O U T
![Page 61: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/61.jpg)
C Y B E R O P S
![Page 62: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/62.jpg)
O P E R AT I O N P H A S E S
• planning
• preparation
• execution
• finish
very basic highlights of the phases that an operation goes through.
![Page 63: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/63.jpg)
S P E C O P S
• simplicity
• security
• repetition
• surprise
• speed
• purpose
no one buys an exploit, they buy a capability. something that allows them to achieve their purpose.
![Page 64: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/64.jpg)
C Y B E R W A R 2 0 1 5
it looks like this. notice he’s using kali.
![Page 65: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/65.jpg)
A D V E R S A R I A L O R G A N I S AT I O N S
organisations are organisations. they have bosses, budgets, missions, constraints. they are just like other organisations.
![Page 66: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/66.jpg)
C H I N A
![Page 67: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/67.jpg)
R U S S I A
![Page 68: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/68.jpg)
I N D I A
![Page 69: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/69.jpg)
N O R T H K O R E A
![Page 70: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/70.jpg)
T O O L C H A I N S
• An investment and an expense
• Constant maintenance
• Tools, Techniques & Procedures are Commitments
toolchain maintenance and development. once you commit, you’re committed. changing is expensive.developing a new toolchain is expensive, but then add in retraining costs…
![Page 71: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/71.jpg)
if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost.lower productivity, lower performance, retool costs, retraining costs, etc. etc.less efficiency and lower productivity is a serious problem.
![Page 72: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/72.jpg)
S T R AT E G I C C Y B E R
![Page 73: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/73.jpg)
– T W O S TA R G E N E R A L , C Y B E R C O M M A N D
"data packets are like bullets and your walls of fire are like the armor that repels them."
http://malwarejake.blogspot.kr/2015/10/were-making-our-military-leaders-stupid.html
![Page 74: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/74.jpg)
we don’t really know what strategic cyber means… there has been stuxnet, there has been espionage, but what is strategic? replace “air” with “cyber” on this page, and you have the best overview of emerging cyber strategy…
![Page 75: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/75.jpg)
W H AT C A N H E L P ?
![Page 76: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/76.jpg)
how do you stop a targetted attack by a nation state?
![Page 77: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/77.jpg)
your job kinda sucks now
“the long walk” — IRA bomb
![Page 78: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/78.jpg)
Y O U W I L L B E D I S A P P O I N TS E C U R I T Y V E N D O R S ’ S O L U T I O N S
security vendors. don’t actually deliver what they promise.
![Page 79: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/79.jpg)
S T U N T H A C K I N G
security conferences have really amazing stunt hacking. sometimes spectacular stuff, sometimes “look at this debug port debugging”the industry is stunt hacking with selfie sticks while the internet burns
![Page 80: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/80.jpg)
D I S A S T E R T O U R I S T SI N F O S E C I N D U S T R Y
the cool thing about this cyberwar is that it is a lot like disaster journalism by tourists… you got all of the infosec industry taking selfies (blog posts + hot takes) while everything burns.“lol, read my hot take on Target and buy my service”
![Page 81: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/81.jpg)
G O O D L U C K W I T H T H ATC I S S P
securing your critical infrastructure with CISSPs? Good luck with that…
![Page 82: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/82.jpg)
D O N ’ T L O V E Y O UN A T I O N A L I N T E L L I G E N C E A G E N C I E S
![Page 83: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/83.jpg)
they have more important things to do anyway, contest other national intelligence agencies
![Page 84: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/84.jpg)
this is what a malware looks like, we saw one once.new AV based on “this is what they looked like last time we found one”…
![Page 85: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/85.jpg)
W H AT W O R K S
![Page 86: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/86.jpg)
E A R LY D E T E C T I O N
early detectionextreme examples of this are available from some vendors, i won’t name: instrument the enterprise, e.g. el Jefe
![Page 87: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/87.jpg)
ideal network architecture. known ingress egress points. self contained.
![Page 88: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/88.jpg)
but it looks like this
![Page 89: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/89.jpg)
C O M PA R T M E N TA T I O N
impact containment
![Page 90: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/90.jpg)
T I M E I S O N Y O U R S I D E
a lesson from bank vaultsyou can’t stop a bank robber (man with a gun does what he wants)so you make it resource expensive w/ the only resource that is scarce, timethis isn’t how you stop bank robberies (not exactly)
![Page 91: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/91.jpg)
this. it is impossible to access any serious number of locked boxes inside of 2 minutes.
![Page 92: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/92.jpg)
good news is, with all that, you might just catch… the A team.
![Page 93: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/93.jpg)
E N J O Y T H E V I E W
but anyway, this is an exciting time to be alive.
![Page 94: on cyber cyber.pdf · if you train 500 guys on how to develop, send and exploit spear phishing attacks, switching to browsers has a cost. lower productivity, lower performance, retool](https://reader035.fdocuments.us/reader035/viewer/2022081611/5f02b0947e708231d4058525/html5/thumbnails/94.jpg)
T H A N K Y O U