1
00:00:14,759 --> 00:00:21,259
My name is Ben Johnson. I'll get to my background in a second; I think Rob kind of covered it. I am on Pacific time.

2
00:00:21,570 --> 00:00:27,950
This is my first conference wearing glasses. I have 47 slides and I got in at 1:00 a.m., so let's see how this goes.

3
00:00:29,070 --> 00:00:34,430
But I'm really excited to be here. Threat Hunting and Incident Response Summit, the challenge is

4
00:00:34,980 --> 00:00:39,830
What do I talk about? We have a whole slew of great technical talks, deep dives,

5
00:00:40,470 --> 00:00:41,550
vendors.

6
00:00:41,550 --> 00:00:45,050
The keynote's meant to be a little bit more high-level, which is good because then

7
00:00:45,050 --> 00:00:48,110
I can just say stuff that's neither right nor wrong and you can figure it out later.

8
00:00:49,320 --> 00:00:53,360
So let's just dive in. Mmm, and thanks to SANS for putting up with my late,

9
00:00:53,820 --> 00:00:57,110
late slide submission and all that. They can, you know, kick me later.

10
00:00:58,380 --> 00:00:59,760
So,

11
00:00:59,760 --> 00:01:01,680
agenda, real simple:

12
00:01:01,680 --> 00:01:05,360
state of cyber. I'll give you a spoiler: it's not great. And

13
00:01:06,210 --> 00:01:09,259
then maybe we can look a little bit into entrepreneurship.

14
00:01:10,680 --> 00:01:17,720
Are there some lessons we can take from entrepreneurship and apply to our efforts to hunt? And then we'll wrap up.

15
00:01:18,299 --> 00:01:20,299
My general approach to

16
00:01:21,090 --> 00:01:25,880
presentations is to throw as much at you as I can and just hope a couple things stick.

17
00:01:27,090 --> 00:01:32,330
You can take all the pictures you want. I will happily give you all these slides, so you don't have to take any pictures if

18
00:01:32,330 --> 00:01:34,330
you don't want to.

19
00:01:34,890 --> 00:01:36,890
So as Rob mentioned,

20
00:01:37,320 --> 00:01:42,649
I got my start in the Intel community, and then went to ManTech, worked with Rob, Phil,

21
00:01:43,770 --> 00:01:50,240
Henry, I think I see Mark, you know, a bunch of other people. Intrusion operations division, it was unbelievable.

22
00:01:50,909 --> 00:01:52,280
Stuff I would have done for free.

23
00:01:52,280 --> 00:01:56,210
I think we all would have done it for free, and we got paid for it. So there we go.

24
00:01:57,720 --> 00:02:03,349
Ultimately ended up leaving the government world, did a couple years in finance, actually went back,

25
00:02:04,080 --> 00:02:08,508
helped found Carbon Black, helped write the first version, and then ended up

26
00:02:08,729 --> 00:02:14,659
jumping on planes for several years to talk to people like yourselves, so up to 600 organizations. And my goal,

27
00:02:15,360 --> 00:02:19,459
excuse me, was quite simply to absorb, learn, and then hopefully I can

28
00:02:19,590 --> 00:02:24,229
contribute something back to the discussion. And then I got to start again, so I moved to Southern California,

29
00:02:25,620 --> 00:02:32,480
started Obsidian. We're about 35 people; last year we were about 5. So it's been kind of a wild year, and being in Southern California

30
00:02:33,049 --> 00:02:36,319
you'll see spots of slides with beaches and stuff, just so I can rub it in a little bit,

31
00:02:36,450 --> 00:02:38,599
but if anyone wants to come visit, please come visit.

32
00:02:39,239 --> 00:02:47,209
Speaking about entrepreneurship, I really love the startup journey, so I'm on other boards, different stages, different types of companies, and I taught

33
00:02:47,459 --> 00:02:52,639
entrepreneurship at the University of Chicago in the Master's in Computer Science program, so that's where some of this stuff comes from.

34
00:02:53,970 --> 00:03:00,589
So today's goal, and I always throw this slide in there. If you've seen me present before, you'll see a few slides that

35
00:03:00,660 --> 00:03:02,660
maybe you've seen multiple times.

36
00:03:02,849 --> 00:03:09,619
Reuse, right? Why not? But my goal for a presentation is always just to get you to think. I just want you to contemplate.

37
00:03:10,379 --> 00:03:16,069
Hopefully the alerts are shut off, the phones are on airplane mode, you don't have meetings, you're just here, all in one room,

38
00:03:16,410 --> 00:03:19,789
absorb, think, contemplate, and hopefully you walk away with something.

39
00:03:21,989 --> 00:03:23,910
Another reason my

40
00:03:23,910 --> 00:03:25,769
being up here is a little crazy is

41
00:03:25,769 --> 00:03:33,739
I'm in the middle of a physical-world incident response, where I have tenants in my Chicago house that refused to leave, and

42
00:03:34,500 --> 00:03:38,179
I've been talking to all of these, yes, including the SWAT team,

43
00:03:38,910 --> 00:03:41,418
over the last week. I was in Chicago till last night.

44
00:03:41,609 --> 00:03:44,059
Mmm, they're... all their stuff's still there. They finally left,

45
00:03:44,060 --> 00:03:46,280
but their stuff is still there, and they have a lot of stuff.

46
00:03:46,280 --> 00:03:51,229
So yeah, kind of like a cyber incident response, right? There's all these different

47
00:03:51,989 --> 00:03:58,459
groups, not necessarily having the same information, different incentives, so some move fast, some move incredibly slow.

48
00:03:58,859 --> 00:04:01,939
But enough about that, just thought that was interesting.

49
00:04:03,569 --> 00:04:05,569
The state of cyber.

50
00:04:06,810 --> 00:04:08,869
You're probably all sick of the headlines.

51
00:04:09,540 --> 00:04:14,959
Breach fatigue, headline fatigue. We in this room care; that's why you're here.

52
00:04:15,539 --> 00:04:18,019
But to be honest, I didn't even update this slide,

53
00:04:18,539 --> 00:04:23,598
because you don't really care what the headlines are. The point is it's not pretty, and

54
00:04:25,530 --> 00:04:28,460
what's maybe a little bit sobering is it isn't getting better.

55
00:04:29,430 --> 00:04:34,370
Now we're becoming more and more connected, more digital, so just in pure

56
00:04:35,070 --> 00:04:39,619
quantity there's going to be more breaches, but it's just exploded. And

57
00:04:40,920 --> 00:04:46,580
even the cloud, which I truly believe is an opportunity for us to be way more secure, is

58
00:04:47,310 --> 00:04:49,670
leaky, is causing more problems.

59
00:04:51,120 --> 00:04:56,810
This is also probably outdated by now, but there's just a lot of leaks, whether it's compromised, whether it's an open S3 bucket,

60
00:04:57,630 --> 00:05:00,590
it's too easy to leak data. And

61
00:05:01,590 --> 00:05:08,119
a variety of adversaries, and what would a talk be without a threat-scape slide? So you get criminals, hacktivists,

62
00:05:08,850 --> 00:05:10,410
nation-states,

63
00:05:10,410 --> 00:05:13,820
insiders. You get financial crimes, usually, maybe making a statement,

64
00:05:14,790 --> 00:05:22,069
espionage, maybe election interference, other aspects of nation-states and insiders. But the only reason I put this slide up here

65
00:05:24,030 --> 00:05:26,030
is the insiders.

66
00:05:26,460 --> 00:05:28,289
People forget about

67
00:05:28,290 --> 00:05:31,249
insiders, and I'm not talking about the person sitting next to you.

68
00:05:32,070 --> 00:05:35,480
They might be an insider, sure, but I'm talking about their access.

69
00:05:36,180 --> 00:05:38,180
Because what are the first things they're after? The

70
00:05:39,090 --> 00:05:41,090
first thing they're after is access.

71
00:05:42,390 --> 00:05:43,979
Then they

72
00:05:43,980 --> 00:05:49,939
try to focus on their objectives. They need that maintained, persistent access, and a lot of times that's through

73
00:05:50,790 --> 00:05:53,779
employee access, credential access, blending in.

74
00:05:54,810 --> 00:05:59,239
So I want us to keep that in mind. And there are challenges.

75
00:05:59,940 --> 00:06:01,920
So,

76
00:06:01,920 --> 00:06:08,900
to me there's no debate that there's a skills gap. The reasons for the skills gap, maybe people have different opinions: HR has bad

77
00:06:09,330 --> 00:06:14,300
descriptions, or the pool is too small, whatever it is, there's not enough qualified butts in seats.

78
00:06:15,750 --> 00:06:19,250
Then you set up your tech stack, your security stack, and you

79
00:06:19,590 --> 00:06:24,258
have deploy and decay. It gets worse over time; you don't have enough people giving it the care and feeding,

80
00:06:24,420 --> 00:06:29,059
sort of brushing its teeth all the time. So environments change, adversaries change,

81
00:06:29,520 --> 00:06:32,659
maybe your detection rules, prevention rules, your configs stay the same.

82
00:06:33,210 --> 00:06:35,210
You're going to get decay.

83
00:06:35,820 --> 00:06:39,679
Then attackers, bad guys, whomever, they're having success,

84
00:06:40,500 --> 00:06:46,190
so they get encouraged to do more, or their friends do. Like any market, it drives competition.

85
00:06:46,620 --> 00:06:48,150
They dive in. And

86
00:06:48,150 --> 00:06:51,440
then finally, huge data. I don't even know if that's a real term, but

87
00:06:51,510 --> 00:06:56,719
it's so easy: you click a button, you copy terabytes of information to the cloud, everything syncing all over the place.

88
00:06:57,300 --> 00:06:59,750
Every copy of data is a liability,

89
00:07:00,300 --> 00:07:02,300
and we're copying it all over the place. So

90
00:07:02,760 --> 00:07:04,020
essentially,

91
00:07:04,020 --> 00:07:08,180
the summation of that is this lack of cyber self-esteem.

92
00:07:09,120 --> 00:07:11,840
Now, people in this room actually probably have the most

93
00:07:12,449 --> 00:07:17,329
cyber self-esteem. You actually think you can make a difference, and I love that. I think we can too, but

94
00:07:17,330 --> 00:07:20,330
when you travel the world and talk to lots of organizations, whether it's the CISO

95
00:07:20,490 --> 00:07:26,090
having little faith in their team, whether it's the team having little faith in the executives or the culture or whatever,

96
00:07:26,850 --> 00:07:31,279
it's tough. We need Mr. Rogers to come out and give us an after-school special.

97
00:07:34,620 --> 00:07:36,739
So, hunting. Rob

98
00:07:36,740 --> 00:07:43,370
was just talking about what's the definition of hunting. To me it's pretty simple, and I'm not saying this is the end-all be-all definition:

99
00:07:43,680 --> 00:07:45,829
you can't detect all of the things;

100
00:07:46,740 --> 00:07:48,740
tools don't.

101
00:07:49,020 --> 00:07:56,299
So there's a gap, there's a gap where we need human minds, critical thought, human time, manual effort.

102
00:07:57,570 --> 00:08:02,029
To me that's hunting: finding the stuff that lives in that gap. And

103
00:08:03,510 --> 00:08:06,829
ideally we all have the equivalent of the Predator drone:

104
00:08:07,740 --> 00:08:09,740
fly it to the target,

105
00:08:09,780 --> 00:08:11,780
take out these nests.

106
00:08:11,849 --> 00:08:14,269
But reality is never ideal.

107
00:08:15,120 --> 00:08:20,060
We might not even have a weapon, we might not even have time to hunt, and in fact that's a lot of this talk:

108
00:08:20,060 --> 00:08:22,729
just trying to do maybe a little bit, even if you don't have much.

109
00:08:25,440 --> 00:08:32,808
So can hunting be formulaic? Can we come up with a formula? Do we just, you know, add X headcount, throw some tools in there,

110
00:08:33,330 --> 00:08:35,330
get some buy-in, and you're done?

111
00:08:36,360 --> 00:08:38,360
No, there's no formula.

112
00:08:39,390 --> 00:08:46,009
Sure, maybe you can find the Rambo or the Wonder Woman or that sort of badass technical hunter.

113
00:08:46,770 --> 00:08:51,620
Cool. Those are not scalable to find; they're probably mostly in this room.

114
00:08:52,680 --> 00:08:54,680
There's not many of them in the world.

115
00:08:57,840 --> 00:09:03,230
So entrepreneurship, sort of setting the stage. Entrepreneurship: who here thinks they're an entrepreneur?

116
00:09:04,950 --> 00:09:11,240
Come on, I get a couple hands, a few. Come on. All right, we'll come back to that.

117
00:09:12,900 --> 00:09:14,900
So what's the formula for startups?

118
00:09:15,570 --> 00:09:20,180
Do you just have an idea, throw some work at it, maybe raise some money, and you're done, you profit?

119
00:09:22,530 --> 00:09:28,610
It's incredibly hard, incredibly hard. There's no formula.

120
00:09:30,960 --> 00:09:35,720
But maybe we can start thinking about how startups have a little bit more guidance.

121
00:09:36,540 --> 00:09:43,939
So Toyota in the 70s or 80s invented something called lean manufacturing, and some people even think it was in the 30s.

122
00:09:45,540 --> 00:09:53,420
Quite simply, they said we're gonna reduce waste, eliminate waste. And what is waste? Waste is anything that doesn't directly contribute to

123
00:09:53,730 --> 00:09:55,819
value for the customer. And

124
00:09:57,090 --> 00:09:59,090
there's lots of ways you might have waste.

125
00:09:59,430 --> 00:10:04,310
You might ship things on an inefficient route, you might have workers on a factory floor taking too

126
00:10:04,310 --> 00:10:09,919
many steps, you might do too many quality control checks. It doesn't really matter for this purpose, but

127
00:10:09,920 --> 00:10:13,098
what matters is there's a lot of waste, and we all have waste.

128
00:10:13,920 --> 00:10:16,848
We all do things that don't ultimately add value at the end.

129
00:10:17,940 --> 00:10:19,650
And

130
00:10:19,650 --> 00:10:21,120
so

131
00:10:21,120 --> 00:10:27,410
thinking about that, thinking about reducing waste and focus, I just want to throw out there one of my favorite books. And

132
00:10:27,720 --> 00:10:31,579
I actually have a book section at the end, because if you take nothing else away other than a book recommendation,

133
00:10:31,680 --> 00:10:33,888
I think it's still a successful day.

134
00:10:35,430 --> 00:10:39,049
Essentialism is about finding your greatest point of contribution.

135
00:10:39,570 --> 00:10:43,640
Basically, what's the biggest ROI of your time? And

136
00:10:44,580 --> 00:10:49,009
I've done lots of presentations on this kind of topic, because we all have the same amount of time:

137
00:10:50,040 --> 00:10:52,248
86,000 and change seconds per day.

138
00:10:53,760 --> 00:10:55,410
How do we spend it?

139
00:10:55,410 --> 00:11:00,379
How do you get the biggest ROI? And we talk about threat hunting, incident response: how are you getting the biggest bang for your buck?

140
00:11:01,130 --> 00:11:02,220
And

141
00:11:02,220 --> 00:11:04,220
these kinds of ideas

142
00:11:04,500 --> 00:11:10,669
led to something called the Lean Startup methodology, and a lot of you have probably heard some of this before, maybe you know it way

143
00:11:10,670 --> 00:11:17,839
better than me. That's okay. But Lean Startup is about how can you get your product and service into the hands of

144
00:11:18,480 --> 00:11:24,380
customers faster, and how do you reduce uncertainty, know that you're building the right thing.

145
00:11:30,420 --> 00:11:34,490
Only like four people raised their hands when I asked who here were entrepreneurs.

146
00:11:35,580 --> 00:11:37,699
Entrepreneurs are everywhere. It's a mindset.

147
00:11:38,880 --> 00:11:41,330
Even if you work for a big company you can be an entrepreneur, and

148
00:11:42,030 --> 00:11:44,030
sometimes they call those intrapreneurs.

149
00:11:44,910 --> 00:11:46,650
But it's just about identifying a problem

150
00:11:46,650 --> 00:11:51,858
and trying to solve it, trying to build something to solve it. It doesn't mean you have to go raise money or something like that,

151
00:11:52,440 --> 00:11:56,299
but a lot of it is you've got to think big, you've got to think about solving something worthwhile,

152
00:11:56,880 --> 00:11:59,210
but then you start small, you take that first step, and

153
00:12:00,330 --> 00:12:05,330
then ideally move fast, scale fast. And I love quotes; you'll see quotes throughout the talk.

154
00:12:06,420 --> 00:12:09,020
The day before something's a breakthrough, it's a crazy idea.

155
00:12:10,410 --> 00:12:11,459
And

156
00:12:11,460 --> 00:12:17,509
so hopefully in your heads, and we'll start to tie this a little bit more directly to hunting, but hopefully in your heads you can

157
00:12:17,510 --> 00:12:22,910
see where some of this is going in terms of things like hunting, incident response, security in general.

158
00:12:26,220 --> 00:12:29,000
Another topic, another principle in

159
00:12:30,480 --> 00:12:32,480
Lean Startup methodology is

160
00:12:32,970 --> 00:12:34,200
validated learning.

161
00:12:34,200 --> 00:12:40,219
Basically, how fast can you learn? There's another question you might ask, which is when you raised five million bucks, 10 million

162
00:12:40,220 --> 00:12:42,500
bucks, what did you learn from spending that money?

163
00:12:43,320 --> 00:12:49,039
It's not just about product output or whatever, it's about learning as a company, as a team, as a business, whatever. And same here:

164
00:12:49,560 --> 00:12:51,560
how quickly can you learn?

165
00:12:51,900 --> 00:12:59,269
Create a hypothesis, run an experiment, analyze the results, repeat. To me that sounds a lot like hunting. And

166
00:13:01,870 --> 00:13:04,559
all I do is basically work, family, and then read books

167
00:13:05,530 --> 00:13:07,530
or watch TED Talks and stuff.

168
00:13:08,080 --> 00:13:11,670
Reading a book right now called Rocket Men, amazing book, haven't finished it yet.

169
00:13:12,280 --> 00:13:17,490
But they had this quote, they said, are you learning in gulps or sips? It's a very simple way to remember it.

170
00:13:17,640 --> 00:13:19,240
Are you learning in gulps or

171
00:13:19,240 --> 00:13:24,839
sips? In your work, are you learning in gulps or sips? During incident response, are you learning in gulps or sips?

172
00:13:25,420 --> 00:13:30,360
So a big part of Lean Startup methodology is how fast can you learn: is this the right thing,

173
00:13:30,700 --> 00:13:35,069
the right feature, the right product, the right color, the right price? And

174
00:13:37,300 --> 00:13:43,529
so what Lean Startup methodology did was then create a cycle, because everyone likes cycles, and

175
00:13:44,680 --> 00:13:47,998
it's really simple to remember: build, measure, learn.

176
00:13:49,660 --> 00:13:56,100
Build something, go deploy it, run it, whatever, but you have to be able to measure it.

177
00:13:56,770 --> 00:14:01,259
Then learn from it. If you can't measure it, you can't optimize it.

178
00:14:03,550 --> 00:14:10,649
So you go through this cycle, and this is very common in startups, and this is really what agile software development and agile

179
00:14:11,260 --> 00:14:17,850
methodology tries to follow, which is very iterative: can I do something every sprint, or every day even, that improves things? And

180
00:14:18,430 --> 00:14:21,029
if we're talking about loops, OODA loops,

181
00:14:21,940 --> 00:14:24,930
you probably have OODA loop fatigue if you come to a lot of these.

182
00:14:25,270 --> 00:14:29,009
But the whole point is, in the US Air Force they came out with

183
00:14:29,620 --> 00:14:34,380
something called the OODA loop, which is, in military dogfighting, whoever can observe,

184
00:14:34,930 --> 00:14:38,519
orient, decide, and act the fastest as a pilot

185
00:14:39,640 --> 00:14:41,319
will win.

186
00:14:41,320 --> 00:14:44,790
Can you observe your environment, orient yourself to the environment,

187
00:14:45,790 --> 00:14:47,790
decide, and then act?

188
00:14:48,280 --> 00:14:55,050
Go through that loop. And I have to say, decide is tough sometimes. You've got to be comfortable making decisions, just as like a tip,

189
00:14:55,330 --> 00:14:56,590
right?

190
00:14:56,590 --> 00:15:01,499
The thing I still have to do all the time is make decisions, and sometimes very quickly, without information.

191
00:15:04,450 --> 00:15:06,450
MVP, Minimum Viable Product,

192
00:15:07,090 --> 00:15:08,920
part of

193
00:15:08,920 --> 00:15:10,920
entrepreneurship, part of Lean Startup.

194
00:15:11,650 --> 00:15:14,850
This is what they're trying to get across, what we're trying to talk about,

195
00:15:15,160 --> 00:15:17,560
which is what's the smallest thing you can build that adds value?

196
00:15:18,980 --> 00:15:22,300
Get that out there, get that in the hands of people, and

197
00:15:23,240 --> 00:15:25,240
see if it's working, see if it's valuable.

198
00:15:26,209 --> 00:15:30,698
So start to think about what MVP you think may be necessary. So,

199
00:15:32,569 --> 00:15:38,709
maybe slightly, slightly more interesting. I hope I'm keeping everyone awake. I know it's early.

200
00:15:40,850 --> 00:15:42,199
So

201
00:15:42,199 --> 00:15:44,618
talking about applied lean hunting,

202
00:15:45,379 --> 00:15:48,309
and I call it just hunting,

203
00:15:48,920 --> 00:15:55,180
because I think we should be hunting more than threats. We hunt risk, and risk is an overloaded term, but

204
00:15:55,790 --> 00:15:59,560
aspects of your environment that contribute to a higher likelihood of compromise.

205
00:16:00,350 --> 00:16:04,810
So sitting here, can you all think about what can I build

206
00:16:05,689 --> 00:16:11,049
to start helping hunting in my environment? Maybe you have a great hunting program. I'm sure it can be better.

207
00:16:11,899 --> 00:16:14,469
Maybe you have zero. What can you do to start?

208
00:16:15,439 --> 00:16:17,439
So what is your pain point?

209
00:16:17,750 --> 00:16:22,000
When you sit down and you say, you know what, I want to hunt, what is your pain point? And

210
00:16:22,339 --> 00:16:24,818
start to think about what would you build. Is it a product,

211
00:16:25,939 --> 00:16:27,079
service,

212
00:16:27,079 --> 00:16:30,218
piece of information, whatever it is? Who is this for?

213
00:16:31,399 --> 00:16:33,399
What is this for? It's

214
00:16:33,829 --> 00:16:35,829
a pretty common

215
00:16:35,839 --> 00:16:38,708
example, which is are you building a painkiller or a vitamin? I

216
00:16:39,230 --> 00:16:45,009
like vitamins, but they're not that necessary. When you need a painkiller, you need a painkiller, and you will pay for it.

217
00:16:46,699 --> 00:16:48,500
And

218
00:16:48,500 --> 00:16:52,689
Einstein said this, or at least people think he did; that's up for debate, like most things:

219
00:16:53,000 --> 00:16:58,149
if I had to spend an hour solving a problem, I'd spend the first 55 minutes thinking about the problem.

220
00:17:00,199 --> 00:17:05,858
Do you understand your pain points when it comes to hunting? What's truly preventing you from doing more hunting or doing better hunting?

221
00:17:06,890 --> 00:17:08,890
Can you think about that?

222
00:17:09,980 --> 00:17:11,980
So,

223
00:17:12,309 --> 00:17:15,089
when you think about hunting, or at least when I think about hunting,

224
00:17:16,569 --> 00:17:18,749
you're kind of choosing left or right, and

225
00:17:19,660 --> 00:17:22,739
then you need to figure out, did you make the right choice or not?

226
00:17:23,799 --> 00:17:30,059
But if you made the wrong choice, you need to figure that out very quickly. We all pull those threads

227
00:17:31,090 --> 00:17:36,990
during analysis, during investigation, and go down a rat hole and lose days, weeks, whatever,

228
00:17:37,870 --> 00:17:39,928
and find nothing or learn very little.

229
00:17:40,690 --> 00:17:45,929
So can you very quickly fail and realize, hey, I went down the wrong path,

230
00:17:47,080 --> 00:17:48,520
let me

231
00:17:48,520 --> 00:17:50,520
course-correct, pivot, go the other direction?

232
00:17:51,490 --> 00:17:55,109
And you kind of do that over and over again until you get to what you're looking for.

233
00:17:56,290 --> 00:18:01,229
So how quickly can you do that? And can you learn from that? Can you start to realize why did you make that decision?

234
00:18:02,169 --> 00:18:04,949
Was it just sort of gut, flip a coin, whatever?

235
00:18:05,110 --> 00:18:11,010
Why'd you run this query? Why'd you decide to look over here? Can you start to understand maybe a little bit more data or science

236
00:18:11,010 --> 00:18:14,129
behind that, so that next time you get better and better and better and better.

237
00:18:16,299 --> 00:18:18,190
And

238
00:18:18,190 --> 00:18:20,190
you might have seen this slide before,

239
00:18:20,559 --> 00:18:26,129
but a lot of it starts with visibility. A lot of hunting is you have tons of logs, tons of data.

240
00:18:26,320 --> 00:18:33,570
If you have a data lake, a SIEM, a bunch of tools, whatever, and you're querying, you're searching, you're looking at stuff, cool.

241
00:18:34,210 --> 00:18:38,220
But if you don't have the information, what are you doing? How are you hunting? Not saying it's impossible,

242
00:18:39,100 --> 00:18:41,100
but it's gonna be a lot more

243
00:18:41,410 --> 00:18:46,410
retrieving and waiting for things to come back. So if you can collect information, the better. And

244
00:18:47,200 --> 00:18:53,939
can you collect the best information? Can you collect things that are already enriched, or can you enrich information before you start using it?

245
00:18:54,610 --> 00:19:02,129
What is this IP address? Who is this user? What are the relationships between these people or these events? That's super valuable information.

246
00:19:04,929 --> 00:19:06,929
You've got to try to start with that. And

247
00:19:08,650 --> 00:19:11,519
then utilize open source and APIs.

248
00:19:12,250 --> 00:19:14,250
Hunting isn't necessarily

249
00:19:14,350 --> 00:19:21,780
programming, software engineering, but I have to say the best security teams out there that I see are basically all software engineers at this point.

250
00:19:23,169 --> 00:19:27,909
They try to automate the crap out of everything, and then they write code for anything new. And

251
00:19:28,820 --> 00:19:32,799
a lot of teams do a great job of combining commercial and open source.

252
00:19:33,710 --> 00:19:40,929
Some products, maybe it makes way more sense to do the commercial version, but there are some pretty cool open-source tools out there. And

253
00:19:41,750 --> 00:19:47,650
guess what, maybe you can prove out your point with an open-source tool that doesn't require a procurement,

254
00:19:48,289 --> 00:19:51,879
because I know that's a pain point, that's a blocker to hunting sometimes. And

255
00:19:52,940 --> 00:19:54,940
just to call out a specific example,

256
00:19:55,549 --> 00:19:57,819
one of the coolest things I've seen,

257
00:19:58,190 --> 00:20:05,020
it's just sort of slightly thinking outside the box, is like honey cards or honey credit cards kind of thing, where teams

258
00:20:05,450 --> 00:20:08,080
just spend like a thousand bucks on some

259
00:20:08,870 --> 00:20:13,928
prepaid credit cards, sprinkle those credit card numbers throughout your environment and documents, and

260
00:20:14,210 --> 00:20:16,809
then if you ever get a charge on any of those cards,

261
00:20:17,659 --> 00:20:19,839
it's a very high signal-to-noise ratio.

262
00:20:20,870 --> 00:20:25,629
You might never get a hit, so you can't just count on that, but very high signal-to-noise ratio.

263
00:20:25,880 --> 00:20:30,249
Those are the kinds of things you can start to deploy without a lot of effort, without a lot of cost.

264
00:20:33,110 --> 00:20:34,789
And

265
00:20:34,789 --> 00:20:40,869
in thinking about this, you know, my original thought for the talk, because I wanted to get you riled up, was:

266
00:20:42,049 --> 00:20:44,739
are threat hunting and incident response the same thing?

267
00:20:45,590 --> 00:20:48,399
And I still ask myself that, and I still think maybe they are.

268
00:20:49,520 --> 00:20:51,520
We hunted bin Laden, but that

269
00:20:51,520 --> 00:20:58,209
was really incident response, if we're InfoSec. They're sort of hunting my tenants in Chicago, but

270
00:20:59,330 --> 00:21:01,330
sort of incident response there too.

271
00:21:01,760 --> 00:21:03,760
So,

272
00:21:04,220 --> 00:21:05,740
you know, I don't know. But the point here

273
00:21:05,740 --> 00:21:11,049
is when you start thinking about your pain points, maybe how you can contribute to improving hunting,

274
00:21:11,510 --> 00:21:19,270
improving some aspects of maybe incident response, triage. There are different stages; you know, hunting may be a little bit more exploratory,

275
00:21:21,080 --> 00:21:27,938
discoverable events, and then usually you still have to do some triage before it's a full-blown investigation, or maybe what people call true incident response.

276
00:21:29,840 --> 00:21:35,530
Where are you helping? Where can you provide value? Can you take capabilities from different parts of the spectrum and

277
00:21:35,750 --> 00:21:37,750
help and use tools for different things?

278
00:21:38,090 --> 00:21:40,090
Can you use a hunting tool for

279
00:21:40,649 --> 00:21:43,698
investigation? Probably. Can you use an investigation tool for hunting? Probably.

280
00:21:44,789 --> 00:21:50,028
So just be thinking about that: how do I use stuff I already have, people already have?

281
00:21:51,899 --> 00:21:53,789
And

282
00:21:53,789 --> 00:21:56,959
then the entrepreneurial journey: you have to sell.

283
00:21:58,769 --> 00:22:00,769
How many people in the room are salespeople?

284
00:22:04,289 --> 00:22:08,148
How many people who didn't raise their hand consider themselves like they sell stuff?

285
00:22:10,049 --> 00:22:11,759
Well I'll give you a

286
00:22:11,759 --> 00:22:15,439
spoiler here. When I was teaching my entrepreneurship class, and the class

287
00:22:15,440 --> 00:22:20,480
was pretty cool, it's 10 weeks, you come in with nothing, you make teams, and at 10 weeks it's like Shark Tank: you pitch to

288
00:22:20,480 --> 00:22:27,349
a whole panel and, you know, here's my idea, here's my MVP, here's, you know, customer feedback, etc. It's awesome; I really enjoyed that.

289
00:22:27,870 --> 00:22:31,458
But I asked one of the teams, what are you selling? They said, oh, we're not selling anything.

290
00:22:31,460 --> 00:22:36,379
I'm like, no, you're always selling. I'm selling you guys right now on these topics, on

291
00:22:37,110 --> 00:22:40,339
me, on my company, on everything. Can you sell

292
00:22:41,519 --> 00:22:43,579
your company on new spending?

293
00:22:44,460 --> 00:22:46,409
Can you sell your

294
00:22:46,409 --> 00:22:48,829
organization on freeing up time to hunt?

295
00:22:50,580 --> 00:22:53,029
Can you sell the culture on

296
00:22:53,580 --> 00:22:55,110
helping you improve

297
00:22:55,110 --> 00:23:02,839
efficacy or other aspects of hunting and incident response? For example, if everyone would just listen to music on their phone instead of installing

298
00:23:03,029 --> 00:23:06,888
Spotify and everything else on their laptop, you'll have fewer events to look at.

299
00:23:07,919 --> 00:23:12,559
The culture can truly make a difference in how easily you can hunt or how effective you can be.

300
00:23:12,990 --> 00:23:15,439
So you have to learn how to sell.

301
00:23:16,830 --> 00:23:18,809
I'm a huge introvert,

302
00:23:18,809 --> 00:23:23,329
Technical geek guy and I have to do all sorts of stuff and go ask for millions of dollars and things like that

303
00:23:23,600 --> 00:23:26,299
it just helps if you learn how to sell and

304
00:23:27,870 --> 00:23:33,018
Then competition you know you don't want to completely focus on competition when you're building a product

305
00:23:33,720 --> 00:23:35,720
but if you're a practitioner

306
00:23:36,179 --> 00:23:38,479
Your competition is other

307
00:23:39,600 --> 00:23:40,980
activities

308
00:23:40,980 --> 00:23:45,019
Everything is grabbing at your time trying to steal your time

309
00:23:46,769 --> 00:23:54,169
And some of it's waste like we talked about, so can you look at competition, hunting competition, and

310
00:23:55,080 --> 00:23:58,250
Figure out ways to create more leverage involve other people

311
00:23:59,040 --> 00:24:04,969
Automate, that kind of thing, so then you free up time. The other thing I want you to do is

312
00:24:05,760 --> 00:24:10,520
Beat up your vendors, and I'm a multi-time vendor person so I can say that

313
00:24:12,300 --> 00:24:17,539
When you figure out something that should be done in your environment or something that would make your life easier

314
00:24:18,420 --> 00:24:24,229
build it yourself, but at the same time concurrently ask your vendor, join a customer advisory board

315
00:24:25,320 --> 00:24:28,010
just provide some feedback go to user groups whatever it is

316
00:24:28,650 --> 00:24:30,650
It doesn't hurt you to ask

317
00:24:31,800 --> 00:24:35,389
Could they add this one field could they output it in JSON instead of syslog

318
00:24:35,460 --> 00:24:37,790
whatever it is there's a whole bunch of stuff just ask

319
00:24:39,060 --> 00:24:42,259
Ask as a vendor we crave

320
00:24:42,900 --> 00:24:46,129
Feedback, we want to hear what makes your lives easier

321
00:24:47,340 --> 00:24:54,169
So, yes build stuff yourself the best teams out there are building things themselves but they

322
00:24:54,170 --> 00:24:56,839
also push hard on their vendors

323
00:24:59,580 --> 00:25:02,480
So wrapping up and ranting even more than I already am

324
00:25:05,760 --> 00:25:12,319
So one of the TED Talks I was watching, I can't remember even which one, but the absence of disease does not mean health

325
00:25:12,840 --> 00:25:15,169
And I think that describes

326
00:25:15,930 --> 00:25:17,930
InfoSec very well

327
00:25:17,940 --> 00:25:22,880
the absence of APT or the absence of compromise or pick your term

328
00:25:23,100 --> 00:25:28,669
Does not mean you have a great environment. I think everyone would pretty pretty quickly

329
00:25:28,670 --> 00:25:31,339
Agree with that so when I talked about hey

330
00:25:31,340 --> 00:25:34,220
I consider hunting not just threat hunting but like other stuff

331
00:25:34,410 --> 00:25:37,550
Other things you can go look for as a human to try to improve things

332
00:25:38,520 --> 00:25:43,280
Can you figure out where your entropy is or where different aspects of risk are

333
00:25:44,490 --> 00:25:49,609
Can you when you hunt a successful hunting outcome why not be finding

334
00:25:50,430 --> 00:25:52,430
APT, or pick your terminology

335
00:25:53,190 --> 00:26:01,130
Sophisticated threat actors or even run-of-the-mill malware, it might be finding misconfigurations or lots of configuration drift

336
00:26:02,220 --> 00:26:04,020
that kind of stuff

337
00:26:04,020 --> 00:26:05,200
and

338
00:26:05,200 --> 00:26:10,139
You know, us thinking about this, and I was like, you know what, I'm gonna, you know, we talked about upstream downstream

339
00:26:10,360 --> 00:26:16,379
I'm gonna make a chart or a graph that says hey risk is a slope and the more risk you have the steeper the slope

340
00:26:16,380 --> 00:26:20,670
and then your environment is sitting at the top and it's just kind of sliding down into

341
00:26:22,480 --> 00:26:24,400
Compromise

342
00:26:24,400 --> 00:26:28,440
So can you lower the slope decrease the slope

343
00:26:30,730 --> 00:26:32,730
Reduce risk reduce the slope

344
00:26:33,340 --> 00:26:34,780
and

345
00:26:34,780 --> 00:26:36,780
So one thing that's really

346
00:26:37,300 --> 00:26:40,408
really common is something called identity creep

347
00:26:40,840 --> 00:26:48,570
privilege creep pick your latest buzzword of the year kind of thing but everyone has access in this room everyone has access they don't need

348
00:26:48,820 --> 00:26:53,609
100% guaranteed, I'd bet a lot of money on that, a hundred percent. We have 30 people

349
00:26:54,490 --> 00:27:00,180
We have people that haven't used AWS for 238 days now that's my CEO who is busy doing other stuff

350
00:27:02,470 --> 00:27:05,220
But even we at 30

351
00:27:06,640 --> 00:27:07,990
have

352
00:27:07,990 --> 00:27:09,990
accounts we don't need and

353
00:27:10,210 --> 00:27:13,260
Then it is hard. I dumped our AWS

354
00:27:13,960 --> 00:27:18,570
schema, they have a way to dump it, your security settings and policy settings, in JSON

355
00:27:19,450 --> 00:27:21,450
30 people not doing anything crazy

356
00:27:22,150 --> 00:27:27,959
20,000 lines of JSON, so it's a hard problem to figure out who has what permissions, IAM roles, etc.

357
00:27:28,660 --> 00:27:34,830
The point is when you're hunting you might find some of this stuff can you go find accounts that don't need to exist

358
00:27:36,040 --> 00:27:42,420
It's not just about malware, we're gonna get a lot of great talks on reverse engineering and network packets and stuff, that's awesome, cool

359
00:27:42,420 --> 00:27:44,879
We need to know that stuff but it's not just about that

360
00:27:47,020 --> 00:27:49,020
Can you right-size your surface area?

361
00:27:49,090 --> 00:27:51,040
can you find either it could be

362
00:27:51,040 --> 00:27:55,560
accounts, it could be accounts, it could be systems, we've all heard of the server that everyone thought was unplugged and that

363
00:27:55,560 --> 00:27:58,708
Was the one that got compromised no one even knew it was still in the network

364
00:27:59,350 --> 00:28:03,208
Can you shrink your surface area reduce your risk

365
00:28:04,030 --> 00:28:05,649
and guess what

366
00:28:05,650 --> 00:28:08,369
it gives you a more focused area to hunt in

367
00:28:11,530 --> 00:28:16,170
It's like if you shrink the size of a football field and you're playing defense you're probably going to have a better time

368
00:28:17,330 --> 00:28:19,330
Because you don't have to run all over

369
00:28:19,460 --> 00:28:21,460
Defending the wide receivers and stuff

370
00:28:21,920 --> 00:28:23,920
and

371
00:28:23,990 --> 00:28:28,479
Look, we're talking about lean, we're trying to do more with less and just, you know, reduce waste

372
00:28:29,270 --> 00:28:31,270
talk to a 600 person company

373
00:28:31,820 --> 00:28:35,530
Just in three services they're wasting 35 K a month

374
00:28:36,110 --> 00:28:38,139
They can't hire headcount, the CI

375
00:28:38,140 --> 00:28:44,170
SO has actually just left because he couldn't get any headcount, that's like 400 grand, that's plenty of headcount there

376
00:28:45,200 --> 00:28:47,230
Or at least that's a start, we'll say

377
00:28:47,720 --> 00:28:55,030
So in your hunting there might be different outcomes, the point of all this is it's not just about things like malware or compromise

378
00:28:56,390 --> 00:28:58,989
find things that contribute to waste

379
00:28:59,810 --> 00:29:01,810
find waste and

380
00:29:02,030 --> 00:29:06,999
To rant a little bit more, I think Phil and Rob mentioned there are 60

381
00:29:07,520 --> 00:29:11,589
60 talk submissions, I was on the, I'm on the advisory board for this, so

382
00:29:11,720 --> 00:29:15,430
Thank you for all the submissions I really enjoyed reading them and voting on which ones I thought

383
00:29:15,830 --> 00:29:19,448
could get picked, and if you didn't get picked, come yell at me or whatever

384
00:29:19,690 --> 00:29:21,910
It wasn't just me, it was a group of like ten of us or whatever

385
00:29:22,460 --> 00:29:24,640
probably blamed Phil or Rob the most though

386
00:29:26,120 --> 00:29:28,120
but

387
00:29:28,610 --> 00:29:30,610
60 submissions I

388
00:29:30,830 --> 00:29:33,429
Think three or four were on cloud I

389
00:29:34,040 --> 00:29:37,989
Was blown away we got to think more about cloud cloud is here

390
00:29:38,570 --> 00:29:40,570
cloud is here

391
00:29:40,670 --> 00:29:45,310
IT is going from zero to 100 and leaving cloud security in the dust when it comes to cloud

392
00:29:45,530 --> 00:29:47,530
We're blind to all these SaaS accounts

393
00:29:48,680 --> 00:29:50,680
50% of IR

394
00:29:50,810 --> 00:29:54,009
For Rapid7, or at least this team at Rapid7, is

395
00:29:54,740 --> 00:29:56,240
Office 365

396
00:29:56,240 --> 00:29:57,980
50% that's a lot

397
00:29:57,980 --> 00:30:04,120
And we have 300 AWS accounts and no governance sure no one has that problem in this room

398
00:30:05,270 --> 00:30:10,389
And I just like this quote, hackers don't break in, they log in, but the point is I hope next year

399
00:30:11,090 --> 00:30:13,090
We talk a little bit more about cloud

400
00:30:14,090 --> 00:30:22,090
AWS forensics, hunting in Slack, I don't know, pick your topic, but it's here, it's here

401
00:30:23,390 --> 00:30:25,160
even the big

402
00:30:25,160 --> 00:30:28,269
Conservative financial institutions they've been around a hundred years are

403
00:30:28,900 --> 00:30:33,609
Moving. I've talked to the intelligence community, they're like we want to use Slack but

404
00:30:33,610 --> 00:30:36,669
We don't know how to use it because we can't really monitor it

405
00:30:37,910 --> 00:30:40,660
It's here we need more talks on cloud

406
00:30:43,310 --> 00:30:48,190
So wrapping up here, where's the waste where's the extra risk where's the entropy

407
00:30:49,190 --> 00:30:50,900
when you hunt

408
00:30:50,900 --> 00:30:52,900
Can you find that kind of stuff

409
00:30:53,660 --> 00:30:57,729
where can you spend your time when you actually do get time to hunt

410
00:30:59,300 --> 00:31:01,300
Can you find time to do that?

411
00:31:02,570 --> 00:31:05,049
Identify what's providing value and

412
00:31:05,960 --> 00:31:07,610
focus on that and try to reduce

413
00:31:07,610 --> 00:31:12,399
The other time you spend we all have to experiment and try things but as soon as you realize this isn't actually

414
00:31:12,920 --> 00:31:16,810
increasing our capabilities to hunt, do incident response, overall cyber defense, whatever it is

415
00:31:17,480 --> 00:31:19,839
get rid of it or Park it for a bit

416
00:31:22,880 --> 00:31:24,830
Build measure learn

417
00:31:24,830 --> 00:31:32,499
I think everyone will remember that, but go build something, even if it's just tying a couple APIs together

418
00:31:33,260 --> 00:31:36,280
See if that helps you, write a little bit of Python

419
00:31:37,190 --> 00:31:40,119
Python never killed anybody as far as I know, maybe I'm wrong

420
00:31:41,240 --> 00:31:43,240
think big start small act fast

421
00:31:44,630 --> 00:31:47,320
Be the hunter that your environment needs

422
00:31:47,990 --> 00:31:55,630
There's a quote from Guy Kawasaki, a legend in Silicon Valley, a chief evangelist at Apple, being an entrepreneur is a state

423
00:31:55,630 --> 00:31:58,810
of mind not a job title and I'm pretty certain

424
00:31:58,810 --> 00:32:01,178
I'm not the first person to say this but I don't know who

425
00:32:01,180 --> 00:32:05,889
Did, so I just put my name there, being a hunter is a state of mind. It's not a job title

426
00:32:10,310 --> 00:32:15,700
So I told you I like a lot of books I could give you tons and tons of recommendations I

427
00:32:16,850 --> 00:32:18,939
love these books I read them multiple times

428
00:32:20,510 --> 00:32:26,440
Rocket Men is one I'm reading right now about Apollo 8, which is really exciting, space race between Russia and the U.S.

429
00:32:27,950 --> 00:32:30,009
Essentialism, Team of Teams about how

430
00:32:30,830 --> 00:32:33,639
JSOC had to reform themselves to fight al-Qaeda in Iraq, it

431
00:32:33,640 --> 00:32:38,140
Was just really interesting, Extreme Ownership, all about some lessons learned from

432
00:32:38,630 --> 00:32:42,160
really high combat areas really cool stuff

433
00:32:44,610 --> 00:32:47,330
So the goal, spark contemplation

434
00:32:48,150 --> 00:32:51,619
And I know I threw a lot at you and some of it you're like, why the hell did we learn about that

435
00:32:52,770 --> 00:32:54,090
well

436
00:32:54,090 --> 00:32:56,090
keynotes are like that

437
00:32:57,030 --> 00:32:59,869
But Reid Hoffman, founder of LinkedIn, Silicon Valley god

438
00:33:00,360 --> 00:33:06,889
If you're not embarrassed by your first version, your first product, you've shipped too late. The point here is you can take a small step

439
00:33:07,680 --> 00:33:15,619
Towards better hunting capabilities without a lot, you have some data already, you have some APIs already, you have some skills

440
00:33:16,530 --> 00:33:19,399
Go connect them in the right way think about it more like an

441
00:33:19,400 --> 00:33:24,259
Entrepreneur, how can I build my case, how can I build my case to get funding even if that funding is just time

442
00:33:27,480 --> 00:33:30,530
So what can you do today to upgrade your hunting

443
00:33:36,810 --> 00:33:38,810
Thanks

