Security Campfire Stories
June 22, 2023 · 1:04:01
It's five o'clock somewhere, time for the security cocktail hour. I'm Joe Patti.
I am Adam Rothman.
Hi Adam, how are you doing today?
I'm doing incredible, you?
Awesome, me too. So it is summertime and it's a little warm out here now and we are actually recording this in the evening and so, as planned, and this was all your idea, we are going to be moving from the virtual out to the virtual campfire. And we are going to tell some scary stories of amazing data breaches and how they happen, basically. So everyone is maybe not scared, but might learn something and learn something they hadn't heard about some of these famous breaches.
Wait, is this campfire also being done in video?
This campfire is being done. This is not our first video, but we did that unboxing, but this is our first regular podcast episode that we're doing video with, too. So now everyone can see us all the time.
They can see me in my bathing suit. I put a bathing suit on for this.
Oh, dude, if you're wearing a bathing suit, you're wearing a black t-shirt. Are you like wearing the Three Stooges 30s bathing suit where it's like a whole outfit?
I can take that to another place. I'm going to be a good boy today.
No, don't, don't, don't take that. We gotta, we gotta get through this. All right. Okay. Now, of course we will be drinking for this. That is a, you know, that's, that's part of the show at this point. Um, so, you know, I've never actually been camping, believe it or not, but I certainly wouldn't do it without drinking. So I can't imagine, I don't know what the hell else you do in the woods all night. So.
I kind of wish I had some marshmallows or was roasting it by the campfire. It'd be nice.
Well, that would be nice. And I know you wanted to do this outdoors, but I'm like, you know, for our first video, maybe we should try something a little simpler technically besides like, you know, a location shot and outdoor lighting and everything. I don't think we're ready for that. Not even close.
When we get, when we get to our, let's, let's, let's make a deal, right? When we get to our hundredth episode, we're going to do it outside by a campfire.
Okay, cool. We'll do another campfire. We may do a few before then, but we'll do that one actually outside. We are drinking scotch today, are we not?
Yes, sir.
And you got the really good stuff. You got the fancy stuff. You got the blue label. Wow. What do I got here? I got some Glenlivet. I don't know where I got this from. I'm not a huge scotch drinker, but you know, sometimes you gotta do what you gotta do.
I'm not a huge drinker at all, but by the time I finish maybe this one glass, I'll be telling stories you don't want to know.
Well, that's the thing. We got to watch ourselves. But you know, that's the show we got to be true. Whoa, that stuff is strong. I can smell it already. All right.
Cheers.
Cheers. Okay. Cheers, everyone to the to the show to video to the campfire. There we go.
So that's good. So why campfire stories, Joe?
Why campfire stories? Well, you know, they're like, you know, monster stories, scary stories or everything. And, you know, we're going to tell some scary stuff and explain why it's scary, not just with so much for the people who experienced it, but what it means to everyone else, which would be kind of interesting. So we'll see. And, you know, we don't try to scare people with security. That's, you know, a lot of people say, oh, we've got to scare them and everything. But, you know, hey, this sounds like a good hook. So let's go with it.
Yes, sir.
Yes, sir. Okay. So what a lot of what we're going to be talking about are TTPs that are really important to attacks and that's a pretty technical term. So Adam, why don't you take it? You are the more technical guy. Tell us what the TTPs are.
Well, TTPs, it's kind of funny. I don't think it's really new to cybersecurity, but it's basically tactics, techniques and procedures, how things are done, what people utilize and what protocols they follow in order to compromise something. So in cybersecurity, we have TTPs, tactics, techniques, and procedures. And one of those frameworks, which is one of the most well-known frameworks, is MITRE. And that kind of gives you a little bit of an understanding of what the threat actor does and how they go about doing it. And the reason why that's important is when we start looking at some of these compromises, you're going to want to understand how they do it, and why do they do it, and how do they go about setting up their victims for these attacks.
Right. Well, that's why we study compromises. Well, we study them because it's fun. Because it's scary and we'd like to say, oh, thank God, that wouldn't have happened to us. But kind of more to the point, more seriously, we study them because it is really important to see those techniques. It's not just about would that breach have happened to us? Would we fall for that and everything? But what were the hackers doing? And this whole thing about TTPs, tactics, techniques, and procedures, that's a lot of what you get from your intelligence and from these breaches. That's a big reason why they're studied, to say, hey, what are the hackers doing now, because they always have new tricks. And every time we put out a defense, they come out with something around it. So this is always a big area of research and is really important. And, you know, the things we're going to be looking at today, we're talking about, are not cutting edge, but they do really illustrate some really interesting ones that we're still worrying about to this day.
And sometimes cutting edge is actually not the best thing, right? You know, sometimes the basic, simple TTPs are really good. I mean, sometimes you got to go back to basics. Yeah.
Yeah, well, you know, it's like the Statue of Liberty play. You know, it's like you got to be worried about the most advanced stuff and all those things, but, you know, I got to make sure you're still protected against some of the classics, so someone can't trick you with one of them. It'd be like, what did they do? You know, that's so old-school. A lot of people get hit with old-school attacks, and so you got to make sure you got the basics covered, because it's not only a matter of attackers being clever, but there are so many automated scanning systems going on that if you have a weakness, even if it's an old one, they're looking for all the old weaknesses. They're gonna find them and you're gonna get hit. So you got to deal with them all. And let's not forget about reconnaissance, right?
There's a lot to learn just by looking at people's profiles, whether it's Facebook, more importantly, probably LinkedIn, and even some of the stuff that's published on websites. You and I know, right? We've spoken to some of these companies that do these red teams, blue teams, purple teams. And sometimes they literally just go on somebody's company website to gain intel, to gain reconnaissance information. You know, like, oh, we use, you know, this vendor or that vendor, or we use this type of product in order to provide great service to our organization. Yet what you're doing is you're revealing what products you're using and then those threat actors look for the vulnerabilities in those products. So there's a lot to gain by reconnaissance.
Yeah, absolutely. And reconnaissance is typically the first step of an attack, not even just the technical reconnaissance of doing, you know, scanning and looking for vulnerabilities. But yeah, seeing if you can just Google and say, like, you know, hey, this company did a press release or did a testimonial for this security company. So, you know, that's what they're using for stuff. You know, I always find it funny, you know, as a security manager, remember when we get those calls, like someone gets phished or whatever, they get some, you know, a scam call, like a business email compromise. And I say, how did that person get my phone number? You know so much about me. And depending on the place you're in, sometimes you say, like, it's kind of on our website, or you gave it away in this article a few months ago when you did a talk or something like that. Like, oh, yeah. They will use everything, everything they can find.
Especially if you've ever been on the internet looking for a job, your resume's a great source. Whether it's back in the day, Monster, but now LinkedIn. If you have a LinkedIn pro account, whatever they call those accounts, where you're looking for people to fulfill an organization, I'm pretty sure those nation states have those accounts to gain intel.
No, of course, it's easy. So before, let's just backtrack a little bit. You talked about MITRE and the MITRE attack map. You know, MITRE, you might have heard of it. It's M-I-T-R-E. It's kind of a, I think it's a private company, but it's kind of a pseudo-government organization. I think the government totally funds it. They do a lot of stuff, mostly defense as far as I know. And a lot of it is actually security research. And they came out with this great, just, you know, taxonomy, which is just this classification of all the different, you know, the stages of an attack and all the different things that hackers will do. You know, it says, you know, they're gonna bring the scan this way, they're gonna use this attack, they're gonna do that. And it's a really convenient way of setting them all out so that you can say, oh, we see this kind of attack, it's this, it's that, everything. And one of the big things these days is, you know, designing your defenses and maybe your monitoring around that, so you can see, hey, I got everything covered, you know. Because it's just like, you know, this whole big thing where you can say, yeah, I got everything covered, or, you know, that's not important, that is important. It helps you make decisions. So that's what MITRE is. It's, you know, not some kind of soil you get from the Home Depot or nothing. We're not just making this stuff up.
Oh, yeah. It's not a MITRE store. Though I would take a MITRE store if somebody's willing to give me one. But, you know, I'm actually looking at the map and I'm looking at, you know, it goes from reconnaissance and resource development to initial access, and then all the way to the end to exfiltration and impact. And the reason why that's important is if you understand what the threat actors are doing, and we both know this, right? Then you can use certain products to kind of fill that gap. And what's also interesting is some of these EDR and security companies have their own additional TTPs that they add in addition to what the MITRE framework has. It's very, very encouraging. A lot of products are starting to integrate to help, I guess, stitch together all these products from MITRE. So it's really, really a good thing to learn and understand.
Right. And, you know, Adam, you just mentioned something, you kind of really quickly went through the stages of an attack. See, this stuff is so natural to us, we got to remember not everyone knows this. You know, kind of what Adam described is the stages of an attack, from, like, you know, we're talking about reconnaissance, gathering information. Then there's the, you know, I'm doing this off the top of my head, but then there's the exploitation, you get in. Then there's lateral movement. Then, you know, there's finding a way out, you know, getting persistence, which basically means making sure you can get back in, making your connection there persistent. Then there is a term we've used before, data exfiltration. Fancy word for getting the data out that you want to use, and things like covering your tracks. So there's all these different stages of an attack that an attacker will go through, and kind of the stages of the attack. And they're also often called the kill chain, which is a little optimistic sometimes, with the idea that, well, if you can disrupt one of them, or one or more of them, then the attack will fail. It's typically not so simple, because attackers are tough and they will try other things and move around. But those are some of the things, you know, we look at just to start to give you a feel for, like, you know, how we look at the attackers. It's, you know, it's not the case of, you got to remember, from their perspective, they don't just say, oh, this company, we see it has this vulnerability, so we do that, and then boom, we're done. No, they have to take a whole bunch of steps to compromise you. That's a little more complicated. And when they go in, they are, to a certain extent, making it up as they go along. They got to see what works, what doesn't, what they have to work with.
And as they're moving around the network, we also call that living off the land, where maybe, you know, they're not introducing malware or their own tools, but they just get into the network. And they start to see what tools you have. It's like if someone breaks into your house and they start saying, OK, let me move around, start looking for a safe, and then, like, go into your garage and basement, say, OK, what kind of tools have you got to open it up? They'll do stuff like that.
So that's, you know, it's interesting you bring that up, right? One of the things that you and I saw was a certain organization was talking about living off the land, which, again, like you said, is using tools that are already on the network, converting regular operating system tools. And we saw an organization review the whole entire attack of using the Windows Linux subsystem, and how, because they were able to use the Linux subsystem, it's wrapped in such a way that the EDR or antivirus wouldn't even know those tools are there, because it's not part of the Windows OS, it's part of the Linux OS that's built into the Windows. Or I should say built in, adding it to it.
OK, we've got to explain that one too, because that's a lot you just went through. So on Windows, of course, you have Windows. And you may know what Linux is. Linux is another operating system. It's the free open source one, which is a whole other set of terms. And it's a Unix-like operating system, if you know what Unix was from a little while ago. Windows is interesting, because Microsoft came out with something for Windows a couple years ago where it lets you run Linux inside of Windows. It's actually really interesting the way it works because it's not virtualization. We've talked about that before. It's not like VMware where you get a whole host and a whole separate machine running it. It's actually this subsystem with some actually pretty clever technology that lets you run Linux within Windows. And it kind of runs as a, you know, they call it a subsystem. It's kind of like a Windows application. As Adam was saying, one of the problems is you have the tools of virtually a whole other operating system. And a lot of the tools that we'll put in to monitor Windows itself cannot see that stuff and will not notice it. So hackers may look at something like that and say, OK, maybe here's something. This is a way I can hide. They see that and say, OK, there are a lot of tools here I can use. And maybe this is something that they won't notice. So those are the kind of things that they do. The hackers hide in the gray areas. They don't do obvious things. They look in the places, and try to use things, where, we're like, maybe it's not being looked at so much.
And as David, our friend has said, that's called living off the land-ish. Living off the land. Land-ish.
Land-ish.
And what that means also is, oh my God. A certain person, which I won't name, Dan, was picking on me during one of our conferences, one of our video conferences, and I decided to use one of our EDR tools, again, living off the land-ish.
An EDR tool for everyone is an Endpoint Detection and Response. It's basically, I know, you got to remember the audience. Sorry. Basically, it's like antivirus, but it's antivirus on steroids. It's security software that goes on your desktop or on a server that will detect a lot of advanced attacks like malware and like a lot of these things we're talking about. So sorry, but so look at the EDR tools.
So Dan, which was one of my colleagues at the time, great guy, smart guy, you know, we love to play with each other. We love to, you know, can I do this to that person? Can I shut them down? We probably shouldn't be doing it on our production network. However, you know, he was kind of muting me on Zoom or something and I was getting kind of fed up. So I lived off the land-ish by, he thought by disconnecting from the network, from the VPN, for that moment, he thought he was safe. And I used our own EDR tool to shut down his system and cause it to be unstable where he got kicked off the Zoom call. It took him quite a few minutes to get back. But the point I'm making is if a threat actor can compromise your EDR console, they can do whatever they want.
Yeah, well, that's kind of cheating too, because yeah, what? Yeah, well, yeah, well, well, cheating is what bad guys do, too. But you know, what I'm saying is what he did was, you know, we were, this was at a point where the, his victim was actually remote was somewhere, you know, somewhere else, probably working from home or something, as many of us do these days. And so he was connected through, you know, through VPN. And so we thought, oh, he realized Adam was probably going to try to poke at his machine, probably because Adam told him he would. So he disconnected from the VPN. They said, haha, I'm off. Well, it ends up a lot of these tools, they're designed to protect the machines, not just when they're connected to a VPN or when they're on the network, but also when they're on the Internet. So Adam still had a way in to go and mess with the machines. But that actually shows you the importance of, if you have security tools, you got to make sure they're secure. If a bad guy gets into your security tools you're using to secure the machines, or even if they get into your management tools, the tools that you use to you know, that like your administrators or your, you know, help desk people use to log into them, you know, to log into machines or to push software to them or to, you know, move files and stuff. That's what they're looking for, stuff like that. Those are the things they're going to try to get into.
Like any weapon, it can protect you or it can hurt you. So let me ask you a question. I have a quiz for you.
Oh, you're giving me a quiz? I'm always quizzing you.
My quiz for you is this.
All right.
What is, speaking about my name in the third person, right? I think it is. What is Adam's favorite compromise? Favorite attack? What do I talk about often? Do you remember?
Okay, this is tricky because, you know, Adam is playing with me here, because, like, we actually have notes on the things we're gonna talk about, but I don't know if it's one of those two or if it's something else completely. It's one of those two. It's one of those two, and it's not the one we're going to talk about first. You are a devious guy. It's, it's Stuxnet, isn't it?
Stuxnet. And I'm sorry, I'm just bringing you up the course. That is one of my favorites.
You set me up from the time we started mapping out this episode. Well played. There we go. All right.
I just wanted to bring it up. Here's to you.
Well done.
Thank you, sir.
You got to be a little devious when you're in security. That's why it's cool.
You got to, you know, you got to keep people on their feet. But we can go to the previous one. I just wanted you to know.
No, no, no. Let's talk about Stuxnet. That's a, that's a, it doesn't matter.
That's a great attack. Stuxnet is James Bond-ish or Jason Bourne-ish or any of those agents, because not only was it conducted from a cyber warfare standpoint, but it was allegedly using human assets to help compromise. It is an invasion.
Well, it really is a spy story. And you're right. It combines both cyber and also human elements to it, which is really interesting. So you got a point there. Now, as far as I know, there were not any, you know, guns and... No, there was. Was there really?
At one point, they actually killed one of the nuclear scientists from that country.
Are we supposed to say allegedly? I don't know.
No, it was, he was killed. I don't know who did it, but he was killed.
Somebody, somebody killed him.
Somebody killed him. And I think, and I, if I understand correctly, and no one knows the exact motives, but since they were killed, it made it harder for that country to maintain their nuclear program. For those who don't know, the idea behind Stuxnet, and Stuxnet is not the actual name, I think it was called Olympic Gates, if I remember correctly.
Operation Olympic Games.
Games, games, I'm sorry. And Stuxnet was derived from two gentlemen from Symantec, they were reviewing the code and they pieced together- That wasn't derived, it was discovered by them.
They didn't make it, they discovered it.
No, they didn't derive the thing, but they derived the terms from seeing a piece of code, I believe. I watched one of their movies a couple of times, but whatever the case is,
No, no, they had seen the code in the wild. They got samples of it. That's a lot of what security researchers do. They get malware, they get bizarre code. And, you know, Symantec is a security company. They make a lot of, you know, antivirus and a whole slew of other stuff. They're huge. And that's what security research, that's one of the things security researchers do, is they get this code that's kind of dodgy, or that they're disinfecting machines of, and they try to figure out what it's doing. So they found Stux and they found net and they put it together. But, oh, really? I actually didn't remember that.
So the idea behind Stuxnet was to control the centrifuges and to make them spin both so slow and so fast, it would make the centrifuges unstable and cause them to warp or to cease to function. And there's a whole story behind how they did that, right?
Well, let's just say what a centrifuge is for those who don't know. The attack for this was supposedly, well, not supposedly, but really, the Iranian nuclear program. And one of the things, I do not know a tremendous amount about nuclear technology, however, one of the things you have to do is refine or enrich uranium, which I think is to get the isotopes that are actually fissionable, that you can build a bomb out of. It's like some small percentage of it, and they use centrifuges for it. As you can imagine, they're pretty sensitive. They need to run correctly. So these things futzed around with the centrifuges, basically.
So centrifuges, and I don't remember what they stand for, what the PLC stands for, but centrifuges, let me Google what PLCs are.
No, those are programmable logic controllers. They were messing with the electronic control systems of the centrifuges. See, I know a few things too.
Oh yeah, definitely, absolutely. What the understanding behind it was, if you can get new drivers for these people, new control software. Yeah, new control software. Sorry, drivers are control software. When you install your keyboard, you need a driver, which is control software. When you install your mouse, you need a driver. So what they did was, they were able to work with assets to get into, into like... Human assets, you mean?
Yeah, human assets.
Yes, absolutely. Maybe I'm drinking a little bit too much. Maybe I'm not explaining myself.
No, I think you just love the spy stuff. You gotta remember that. I do, I do. Not everyone knows all this stuff, you know?
So these human assets were able to get into kind of like these safes below ground or rooms below ground that are heavily protected. And they were able to get into those servers because that's allegedly the only way you can get to them.
They were not connected to the internet. They were smart enough to say they don't just put this stuff on the internet. They were isolated.
And we're not talking about the servers in the Iranian storage yet. We're talking about the drivers or the certificate servers, the ones that say that this software is valid software. They were able to get into the safes.
Oh, so this was even the stuff to test the software, to make sure that it was valid, to verify it.
Yeah, so when you go to install an application, and let's say it's a camera on your machine, and you have to install a driver, which is the software that controls it.
The software to run it, yeah.
When you go to install it, it says like authentic, you know, it's almost like going to a website and it says this driver is authentic or signed. Signed, you'll explain that in a second, by Microsoft, signed by whoever it is.
You've all seen it. It has some encryption, some cryptography that verifies that it is what it's supposed to be, basically.
So they were able to get assets to manipulate the software and to believe it was valid so they would install it correctly.
Ah, there we go. Yes. And that is not easy. Cryptography works.
Yes. So what happens when you don't have something that's signed? It pauses, it requires validation, and it can't do it.
Well, yeah, under normal circumstances, you get the little pop-up that says, you know, this is not trusted. Do you still want to use it? And everyone says yes, but in a high security facility, they might be a little more careful with that.
They got these software drivers, they signed them correctly, they were installed, and it tricked the Iranian, it tricked the people in Natanz, the nuclear facility, into believing legitimate drivers, nothing wrong with them. Oh, that the software was good. Yeah.
Nothing wrong here.
Nothing wrong with you.
Okay, so let me just stop. So already, we've had like, you know, two phases of the attack, right? But we haven't even talked about the reconnaissance because they figured out what they were using. They managed to get a human act, you know, actors to get the software in and get them out or whatever. And they were able to defeat the systems to, you know, to allow it to run. So they haven't even run the thing yet. And we already have a couple steps in this.
So the delivery method is also like great, right? To deliver these drivers, these applications, into changing the centrifuge. It had to be delivered. It was on an air gap network. What's an air gap network, Joe?
An air gap network is when, well, it's not a network at all. It's when you have systems that are not actually connected by a network. The term is kind of funny because it comes from the old days when networks are only wired. So we'd say, oh, we have an air gap, the space between them was just air, there's no network. But it also refers to when there's no wireless network.
And sometimes, yeah, sometimes people call it sneaker net. And there's a reason why they call it sneaker net, is you're literally taking the... Yeah, you're walking from one to the other. Yeah, one machine to the other and plugging it in. So they had to get that software into an air gap network that's not connected to the internet. And the story is that they did it by tainting USBs.
The USB thumb drives. Yes.
Which is amazing, right? So now we have assets getting applications onto USBs. We have assets getting into, you know, into a, what do you, I don't know, it's not a safe, it's like a- Into a secure facility.
I mean, this is, and you know, we're starting out with something crazy. This is an, you can tell already, this is an extremely difficult multi-stage attack. Everything's a multi-stage attack, but this in particular is really tough to pull off, using a total big mix of techniques and going through tough barriers. Now, insert key term here, they compromised these networks once they got in there by using zero days. Zero days, yes.
And supposedly, I don't remember the amount, the number, I'm sure somebody's going to end up giving us feedback on this. Supposedly, it was multiple zero days, maybe three, four, five or more, I don't even know. And to have that many zero days on an attack, if you're a bug hunter or whatever you want to call them, these zero days are probably a minimum of a quarter of a million dollars if you were to sell it on that
So we're talking about millions of dollars, probably, worth of zero days that nobody knew about. Right, so a zero-day attack is an attack where basically it's not generally known. It's known only to the people who discover it. And, you know, you may see in the news when they say, oh, there's a zero-day attack against this vulnerability, patch. Oh, well, they're freaking out because, you know, they figure out that the good guys, the vendor, whoever, just discovered it, but they realized that someone's already been attacking it. So that makes it really dangerous. Well, there is also, well, it was always speculated for a long time that certain intelligence agencies had a lot more zero days that they were just stockpiling, that they weren't telling anyone about. But that was a little bit of a conspiracy theory, until this came out and it ended up that it appeared to be correct. But also, those things are really valuable, as Adam was saying. They're really valuable to attackers, but they're also really valuable to intelligence agencies, because, you know, they're unknown. There's no defense against them because nobody knows about it. They're hard to even detect when you get hit with them, unless they do something really obvious that you're going to notice. And they don't like to use too many of them because there's also a finite number of them. We don't know how many there are at any given time, but they're not endless and they're very difficult to find.
So they use multiple zero days. They use human assets. They targeted one of the individuals from the nuclear facility and offed him. Is that the correct term? Offed him?
Offed him, whacked him.
Whacked him.
But that's a mob term, not an intelligence term.
Well, I was trying to be a little bit more non...
Liquidated, is that what they say in the movies?
I guess they can say that. They liquidated the asset or they made the asset no longer important. I don't know.
No longer alive. We're joking. This is serious stuff, really. This is talking about these things.
And they even were using reconnaissance. My understanding was, you know, there were times when Iran was showing some of their capabilities, and the assets that were targeting the Iranian power plants were looking at the reflections and the screens and counting the array and figuring that number out. But once they were able to determine what type of centrifuges they were, they had to target those centrifuges. And they wanted to target the centrifuges in such a way that it would only compromise those centrifuges at that location without compromising or causing issues to anybody else in the world. And then not only that, but the vulnerability or the compromise or the malware had to stop working after a certain period of time, and it never did command and control. It never called in. Command and control, for those who don't know, means the software reaches out to a certain IP on the internet and waits for instructions. Well, this did it. This had a life of its own. It had its own instructions and did what it had to do. I guess that whiskey's good, huh?
Yeah, it's smooth. Yeah, that's really good. And when they establish command and control, that means they can do stuff on it. But this particular one, because of the nature of it, especially because it was going into an air gap system, where there were no connections outside, once the malware got in, it was on its own. And so it had to operate by itself, which again is a sophisticated attack. They do that because they had to in this case, but also, when you're on the defense side, one of the things that we look for is, you know, that communication out, the command and control, that something is talking out to a place that's dodgy, or it's doing some things that look funny, that they shouldn't be doing. That's a big part of defense. And again, talking about the kill chain, and that's further on, you know, a bunch of things have happened, but we can still catch someone and get in and detect them.
So yeah, exactly like that. With command and control, if you're able to stop the connectivity out to that IP, you can possibly prevent that additional compromise or additional...
The IP, which means the address they're talking to, their command and control server.
Well, I'm not good at this at all.
Well, you are good at it. You just got to remember, you know. I'm breaking it down for the people. This is for the people, not for us geeks.
I just wish I'd get some fan mail and then people say, Adam, we love that you throw those words out there.
Well, it sounds, you sound cool, but we got to make sure people know what's going on, you know?
Yeah, well, you know.
Besides, people are getting drunker and drunker as they listen to this.
I hope so. Let me take another drink.
All right, keep going.
So not only does the command and control work through this IP connectivity, but if you know the IP it's connected to, you might be able to determine, and I know you're gonna tell me this term, attribution. So for those who don't know, attribution is connecting the attacker to the attack. You know, who's the attributor?
Figuring out who did it.
Yes. Well, that's a simple way of doing it, right?
That's the simple way of saying it, yes. Yes, that's attribution, which is extremely difficult in many cases.
But even more difficult if it's not reaching out, right? So then what these researchers did is they pulled apart that malware and they tried to do attribution through that, through the reverse engineering of the malware, which is not an easy task. And as people started ripping it apart, they started realizing that this is not a regular attack. This was an attack that was extremely sophisticated that probably went across multiple governments, not one, maybe not even two, possibly three governments were involved in this attack. And they state that this attack was done in order to prevent the loss of further lives by using troops and having countries attack this nuclear facility. They didn't want certain countries to get involved in that. So this was done more in the dark than it was done overtly.
Right. Well, well, this is a spy story. And the only reason this got out, uh, it's actually kind of interesting, is that, you know, as you said, it was designed to be very tight, it was designed to not, uh, go anywhere. It's designed to only, um, you know, hit specific things, but someone made a mistake and it did get out. And that's why it got noticed. And that's how this whole spy story started to unravel and into the public. And that illustrates another thing that, you know, as we're saying, these guys are, whoever did this, they were A players. Let me know who did it, but, you know, they were, they were A players, um, very good, top of the line, very difficult attack. But even within that, um, you can have a mistake. And, you know, there are some consequences to it. You can expose yourself, it can cause attribution and make attribution easier. But it can also have some, you know, some other unintended effects, which can be unpleasant. In this case, I don't believe there, you know, it was known that it got out and, you know, Symantec found it apparently, at least according to the story, but it wasn't, this one wasn't actually destructive. Was it because it was so targeted for a particular, for those particular things?
That's how it was written. It was written in such a way that the PLCs look specifically, I mean, the malware looks specifically at certain PLCs, whether it was serial numbers or model numbers or however they really did it. And so it only targeted those for that facility, how they got those model numbers and how they got specifically to their IP range. Just amazing.
So this is a case where, you know, it got out. It was, you know, discovered by someone with a keen eye, whatever, not, probably not, as I recall, not super, not destructive on the outside, in the wild, as we say. When something gets out, we say it's in the wild out there. However, there have been other cases where things, you know, malware things that were maybe created by some intelligence agencies for their use, they have gotten out and have been quite destructive. And that's actually quite a big, you know, point of discussion of, you know, these are powerful tools and, you know, they haven't yet broken, well, I don't think there's yet been a case where it's broken into the physical space where it's really hurt someone, but, but we have had things like, you know, we looked it up, the, the, the EternalBlue, you know, exploit that was believed to be from a three-letter agency got out there and the bad guys started using it and pulled off some big, big ransomware attacks on it. Well, this is why this, this attack is one of the
One of my, when I say favorite, I'm not saying that I advocate for what was done.
It was, you're intellectually fair. You can look, even if you're on the side of the victim, who many of us listening to this will not be. But even from that side, you have to respect just the achievement. This is one of the most impressive attacks in history all around.
And anybody can correct me if I'm wrong, this is the first time publicly that we know about an attack that went from the cyber world to the physical world. And this has real life consequences. What if this was a natural gas manufacturing plant and they decided to, you know, movies have done this, they decided to blow up that plant. You know, what movies have, movies reflect, you know, nonfiction, right? I mean, or, or, or, or they, or they eventually become nonfiction, but what if some country decided to attack the utility, shut down that utility in such a way that it caused, and I, and I understand we could talk about Ukraine and their nuclear, I mean, their, their power has been shut down and caused issues in other countries too, but what if they were able to, blow up those plants in such a way that people got hurt. Horrible, horrible, scary stuff.
Oh, yes. You know, reprogram systems or disable safety systems, fire control systems, other safety type things, cause, you know, again, something to, I don't know, overheat, whatever, overload the warp core, you know, stuff like that.
Yeah. I mean, God forbid, uh, one of those ships or traveling to warp eight and boom blows up right during the war.
But this is, but this is for real. And unfortunately it seems like we're edging closer and closer to this kind of stuff. Um, and it makes it all the more important that, well, that we defend that on our side, we defend against it adequately for when our adversaries do it for us. But also that, you know, on the on the offensive side for if and when we're doing it ourselves, you know, that it be done in a careful way where it not only doesn't cause loss of life or excessive loss of life or civilian loss of life, but then, but that those things don't get out and can't be used against us.
And that's the point, right?
So they are becoming weapons.
We're moving from kinetic wars. And for those who don't know what kinetic is, is using physical attacks to more into the cyber of the cyber arena, and the cyber...
Yes, kinetic war is normal war. Yeah. Bombs and guns and all that stuff.
And now we're moving to cyber, and can you just imagine one day somebody gets upset, a nation state decides they've had it, and you don't see those missiles coming, you don't see the troops marching, you don't see the planes, you don't see anything. All you do is wake up and boom, that's it. And this is why I, when we talk about campfires, we talk about ghosts and we talk about, you know, people walking that are headless and, you know, all this scary, you know, fireside, you know, stories. This to me is one of those campfire stories where, you know, for those who were interested, the ramifications and the end result is beyond scary to me.
Yes, I think, I think you're right. And I will also posit it to you and to everyone that, um, you know, lately the past few months here, we've been talking about AI and, you know, the possibility of AI getting under control and even the Terminator stuff, and they're becoming more real than we thought. Um, this threat though, this situation is actually much more immediate and, and much more real, I think, as far as the existing technology goes and what's actually happening. So this is gonna get us all, well, I don't wanna say it, but I would say this is a bigger and more realistic and more immediate threat right now than any of the AI stuff. This is really real. I mean, we've talked before, one of the things that Adam's really interested in is the connection between physical security and cyber security. And, you know, I never had a great appreciation for it until we started thinking about, you know, connecting building management systems into, you know, a network, you know, a network to control them, to, you know, look at them and everything. And we said, oh, what's the big deal? And, you know, from the places we've worked, yeah, suddenly the idea of someone hacking into the, the air conditioning, or the heating, or the elevator control systems, or the fire suppression systems in a 50-story building in Manhattan, or wherever else we have tall buildings, or London, or the Middle East, wherever they have these things. That's, that's for real. That's really upping the stakes. And it's, you know, it makes a strong case for really improving our security across the board, not even getting into the exotic AI stuff. This is just the blocking and tackling in the game we're used to playing.
So I need these IoT or these Internet of Things devices. And that's basically anything that's connected to your network or internet. They usually have less security. So you can literally, possibly be in a place where nobody's around. Not only is it dangerous that you can compromise these devices to hurt people, but they're also point of entries, or you have the ability to introduce yourself into these systems through these less secure devices and get to the rest of the network. So there's a lot of things that can be discussed here. And yes, I know they were done in many TV shows and many movies. It's not beyond reality.
Um, well, including in, um, you know, not to get too scary, but you know, it is true even in cybersecurity that, uh, life imitates art. Um, it's amazing. Um, some of these things that people think up, yeah, they're actually trying it and even scarier stuff sometimes.
And so I know we should probably move on to one more case, but I'll tell you this last thing. Let me really scare you. Let me talk about the elephant in the room.
The pink elephant? Because I'm starting to see pink elephants.
I see green and red polka dots.
You got to change your lighting in there.
So my understanding is that most top nation states already have access to those facilities and they plant those malware in there and wait for the day that they might have to use it. So in essence, it's almost like saying, I'm going to put a nuclear weapon that I can control remotely in another country by dialing it up on a cell phone, but instead now it's malware sitting in a nuclear power plant. We can have a nuclear breakdown or it's in electrical plant.
You really think they have that?
Absolutely.
100%. Really?
Wow.
That's, that's devious and frightening, man.
Well, I, I hope people, uh, you know, guess what we're talking about on regular news now, that we believe we really do have aliens on our planet. It's finally come out. We all talk about the boogeyman and aliens coming down, ha, ha, ha, very scary. And now we have people, officials that were involved in that saying, we really do have aliens and aliens are on this planet. And I know that sounds totally absurd to people, just like it's totally absurd to have malware in nuclear plants, in electrical plants, in dams, in control systems, in everywhere where they can be remotely detonated and cause havoc. So you never know. Maybe it is a story.
You know, I want to say it's a little crazy, the whole alien thing. That is a whole other story that just came out. But, you know, the other day, you know, we were in the midst of this. Well, it just ended, that whole wildfire thing. I walked out of a restaurant at lunchtime, you know, in Manhattan and looked up in the sky and it was orange. I thought the world was ending. And I said, you know, I said to the person next to me, I said, I've seen a lot of weird stuff in New York, but I've never seen this. I thought the four horsemen were going to come out of the sky.
So, I don't know.
I saw them. They went to Staten Island first, right?
Yes. So what do you want to talk about next? What's the next one?
Okay, let's talk about something now, a little less exotic, but it actually really shows a lot of the same things, the whole thing of, you know, how an attack progresses and how you get in. And it's something that even impacted me personally. And that's the Target breach. So why don't you tell us about that one?
Well, my understanding is you were upset because you couldn't get the sale on Target stuff. That was what I heard about, but I don't know.
No, actually, my, well, this is interesting. My, I had, I remembered I had used a credit card. They're in there saying if you use your credit card, it probably got compromised and everything. So, you know, what do I do? I call the credit card company and I say, look, I was at a place, my credit card got compromised, you know, issue me a new one, cancel it. And the credit card company actually told me, they said, look, the phones are ringing off the hook. We have millions of people doing this, you know, just sit tight. We'll take care of it, which they did. But, you know, that alone drove home the scope and the impact of this, and, you know, they were not, you know, dealing with nuclear reactors or anything, but, you know, this is a serious, you know, even if you couldn't care less about Target or whatever, you know, this is a serious drain and had many thousands or maybe even tens of thousands of people running around doing a lot of work to deal with this. They could have been doing other things, um, unfortunately. So these things do have impact. So we spoke about HVAC, right? We spoke about IoT devices. With, with Target, it looks like... IoT, IoT is Internet of Things. I did say it earlier. I did say it earlier. Did you? Yeah, this episode. Yeah, I did. No, that, that's when you have, like, you know, in, not necessarily computers, but computers built into things like lights and control systems and little doodads you're pulling in your house, all that stuff.
So this is a little bit different, right? We're not talking specifically about the IoT devices, but we're talking about the fact that there was a third party company that was connected to Target that maintained the HVACs. And unfortunately, one of those employees clicked on an email, opened an attachment, was subject to a phishing attack, and that individual allowed the threat actor to get into their network and then move laterally into the Target network.
Well, we shouldn't necessarily say allowed. I mean, it's not like they
Well, they didn't get permission, but they didn't get permission.
They were the point of, as we call it, the intrusion vector. The point where, I'll use a big word, okay? The attack vector. They were the point where they got in. So it was, you know, the thing is, you know, we talk about, oh, someone got phished, they got phished, they clicked a link somehow or got on their machine. And then bad things happened on their network. Well, it ended up that the bad guys actually got on their network, but then they went to Target. Then they went to one of that company's customers that they had access to.
Yep. So from there, malware was dropped. And what happened there, Joe? You tell me. How does your credit card feel?
That's my credit card feel. My credit card was very upset about this. This was an interesting one because when I first heard about this, I said, well, they must have gone into servers or something. They couldn't possibly have gotten it onto all the, the point-of-sale systems, the POS systems, which are, you know, the credit card swipers and things that, that you have. And if I'm not mistaken, with this breach they actually did, they were that, they were that good. So basically, all of them, every time you swipe the credit card or whatever, boom, was sending the information back to the, back to the attackers. And, you know, there's another one, pretty impressive, but scary. And again, a multi-stage attack where it wasn't just one hit. And this one actually, the way that they ended up, and we even described it more simply, when they first got the phishing email and the malware ever compromised the vendor's machine, there were even a couple of steps after that that allowed them to get into the Target network, pivot, move around, do all that, and eventually get to the point where they could start grabbing credit card information. So again, not something at the level of Stuxnet, but it shows you what these guys do. And that's not even sophisticated anymore. This is, you know, this is very routine that they will, you know, once they, once they're in, you know, and you get, it ends up, we talk about living off the land. Once you get into the network, it ends up you have a lot to work with as an attacker. And that's what, and that's what these guys do.
Yeah, so basically, we talked about in the past episodes about skimmers, right? You put a skimmer on a device, you put your credit card in and it reads your data. This in essence is like an electronic skimmer. Every time data was written or data was read from point of sale systems, they were able to get that data and then use that credit card data to do things. And it's not necessarily a sophisticated attack. But it's an attack, nonetheless, that at the basic core of it is so simple, it just works. And that makes people a lot of money. So the motivation for the first attack, the Stuxnet attack, was more political in nature. The second one was financial in nature. People just wanted money. Yes, absolutely. And that's important to also differentiate. Why does an attack happen? Is it activism? Is it politically based? Is it I just want cash?
No, there were a couple of interesting things about the Target attack. And it was that, you know, one was that apparently, and they caught a lot of heat from this, that apparently there was an alert that somehow triggered and it wasn't acted upon. And, you know, you hear that, and this is where we got to stick up for our brothers and, brothers and sisters in, you know, security, where you say, oh, they should have gotten it. But, you know, it's not necessarily so easy. You know, security systems generate, um, you know, millions of attacks or millions of, uh, you know, events a day with stuff. It's very hard to get down to, um, the ones that are really significant. And sometimes the ones that trigger, that might be an indication of an attack, are actually low severity. You know, they don't come up as boom, someone popped a machine, or boom, this big malware got on. There could be something very small. I don't know what it was in this case, but, you know, going through all that, all that chaff and getting to the ones that are really significant, um, is a real challenge and something that the bad guys take advantage of. Um, you know, the other thing was that they went to the point of sales systems. And one of the, I think one of the issues that they said was this could have been prevented, and this is a few years ago, remember, they said it could have been prevented if they had had credit cards with chips in them, which we all have now. Of course, this was a few years ago, credit cards with chips, they say, like they have in Europe. Well, this was also a case where, you know, the business needs bumped up against it, where, you know, at Target, because of their business, they said particularly the holidays, the holidays, making the lines move quickly was important. So anything that slowed it down and poor customer experience, possibly, you know, people just walking out of the store, you know, lost business saying the line's too long, it's too crowded, I can't do it.
And, you know, when you're a security manager, when you're a chief security officer, it's really tough when you say, look, we have this, and we don't know what the discussions were internally about it and exactly how it shook out. But, you know, those can be really tough discussions when you're saying, yes, we have an exposure, something big can happen. I say, yeah, but this is going to potentially cost us a tremendous amount of money in our core business. But again, that's something that the bad guys ultimately were able to take advantage of. They found it and they exploited it.
Yeah, they had a little bit more color to it. So for those who are interested, the Target breach, the malware is called BlackPOS, but it's also known as Kaptoxa. And it's a point of sale malware that was designed to be installed on point of sale systems. And what it basically does is it scrapes the data from the credit cards or the cards that are used. The attack happened in 2013. But the amount of surface area you have to protect, I always say this to you, Joe, and I know you don't like to hear it. It's not a matter of if, it's a matter of when. Everybody's gonna get compromised. Every organization will eventually get compromised or has been compromised, or they're not talking about it. And yes, you have legal responsibility to declare it. But if a nation state pretty much wants to get you, they'll find a way. They might not get all the way in, they might get partially in, but you might get alerted to it. But pretty much some of these nation states have a ridiculous budget, sometimes more of a budget than some of these companies do. It really depends what the reason for this attack is. And I'm not saying this had anything to do with Target. I'm just saying that from a political standpoint, nation states, you know, they're pretty good.
Oh yeah. Those may be the final set of scary thoughts that tie this together. Yes, if the nation state wants to get you badly enough, they have a lot of resources and a lot of incredibly smart people and a lot of determination. And as we've said before, they will get you. They are the toughest adversaries. On the other side, more on the Target side, it may have been, I don't know, that they made a very concerted, very thoughtful risk decision that, okay, we want to take this risk. We want to do it. We understand it. We're now putting in everything we can. But, you know, one of the tough things about being in security, and, you know, nobody likes to lose and nobody likes to get hacked, is that even if you've done all your risk management and said, we're making this decision, we've talked to the business, we've decided, you know, this is the risk posture we want, and we're going to take this risk. When you come up snake eyes, it's no fun. And it is a possibility, it's gonna happen to someone statistically, and it might be you. So, Adam, is that scary enough for you?
I think so. I would love to get some feedback if people feel this is really scary, or if they have more questions about this. Whatever the case is, I know that this is only the beginning. Even though we hear about cyberattacks all the time, they're only going to get more sophisticated and more dangerous and cause more harm.
We should also probably say, you know, we're not really trying to scare you, but we are trying to drive home some of the reality of this, that the that the challenges are difficult and that they're not easy to solve. They're very difficult. And they're not just about technology and saying, I'm going to do the best job I can and do all this well. It's quite a bit more complicated than that.
My disclaimer here is I'm not trying to sensationalize this for our listeners. This really does scare me. This really does keep me up at night sometimes. I think about it and depending on the organization I'm working for, knowing some of the vulnerabilities or what's going on, it does keep me up at night. And I do think of ways to protect against it. So yeah, I'm not just trying to get listeners. Joe, you know me, right?
I really- Well, we are trying to get listeners, but not by being sensationalists.
Yeah, I'm not trying to be sensationalist. I mean, don't get me wrong. I want more listeners. Please listen. But if you've ever been to a campfire and they're telling stories about ghosts and stuff, to me, even though it's fun to hear the stories, this to me is much worse. This to me is- Well, this is real. This is real.
This isn't the Jersey devil or anything. This is real.
And I said to a couple of my friends the other day, I go, we're living through some really tough times, really tough times. As you look at the posturing of all our countries, the top countries in the world and where they are and what they're doing, there's a little bit of anxiety there for me. So just being honest and being transparent.
Okay, well, fair enough. You're a thoughtful guy, and that's good.
Yeah, sometimes.
Yeah. Okay, well, you know, I don't think we actually have a last call at the campfire. I think you just kind of say, that's it, we're done.
Well, if anybody wants to donate s'mores for the next campfire,
I love s'mores.
But yeah, I'd love to have some s'mores and maybe something else. Maybe something a little bit more sweet for my next drink. Sit by the campfire, have a s'more drink, tell some really bad ghost stories.
There we go. Well, you know, we will have many more stories and you know, maybe we'll do this again before the summer is over. It's still early. Yes, sir. This was fun.
Thank you.
All right, Adam. Always fun. Good hanging around the campfire with you. And in fact, I got to check my air conditioning because I feel like I'm sitting next to a fire here. I don't know what's going on. I know, right? Someone must have missed. While we're doing this, did you hack into my thermostat and, like, turn up the temperature? I don't know.
I still have my Flipper Zero. That's all I'm going to say.
There we go. All right. That's good to know. Okay. All right. Thank you. Thanks, everyone, for listening. Adam. Thank you very much. Bye. Take care, everyone.
Bye!