Si: Friends and enemies, welcome to the Forensic Focus Podcast. Today Desi is far, far, far from home on the other side of the world, on the other side of the hemisphere.
Desi: Yep. Which is most places for me.
Si: Yeah, to be fair yeah. In a small town that I mispronounced earlier called Tosen, Towson, Towsen…?
Desi: Towson.
Si: Towson in Maryland. Where you have been enjoying the hospitality of Towson University and the International Conference on Cyber Warfare and Security.
Desi: Yes.
Si: …room service!
Desi: Well, yeah, funnily enough. So Towson University, where they held it, they held it at their, I think they call it the Cyber Collaboration Center, but the campus is kind of like broken up over Towson into like different campuses. And this one was an old Marriott Hotel, and you can kind of tell…it looks like it when you, kind of, like, pull into the driveway, because it’s got one of those little semi-circle driveways.
Si: Oh yes. Yeah.
Desi: It’s still got the, like, awning out the front that looks like when you walk into a Marriott. That was funny. And all the rooms still look like hotel rooms because they just kind of refurbed the inside. They haven’t really changed anything architecturally.
It was a pretty nice venue for the conference, like a modern uni kind of feel with, like, all the nice fancy technology for screens and having, like, mics and different points of the room. So, this conference was the 18th conference that they’ve done. And because of Covid, they had run it virtually for a couple of years. I think they came back last year and they ran it so that they had the virtual stream, which was the same as the on-premise stream. And they had some issues with that because of, like, without high end recording equipment, it’s hard to hear presentations and questions and all that kind of thing.
So, this year what they did was they ran it on site here in Towson and they did the keynotes on the two days and sent those…they had a virtual stream as well. But then after that the virtual stream and the onsite stream were completely different. They had different talks. The onsite people, if they wanted to, they had quiet rooms set up, so you could go watch some of the virtual streams.
And obviously all the papers and slide decks were available. We’ll put this in the show notes if you do want to go have a look, because it is open for anyone to read the papers. It’s very similar to, I guess, the DFRWS for any of our listeners that went and looked at the website for that and read some of the papers. Very similar format in terms of the papers come in, they review them. They have their own, kind of, journal that will help publish some of the papers as well.
Si: Is it not (I was gonna say I was, I was looking at this earlier), is it not part of IEEE?
Desi: It might be. So the journal is the Journal of Information Warfare. So Leigh Armistead is one of the joint editors, I’m pretty sure. It’s a double-blind peer-reviewed paper, you don’t have to pay to be published, which I think is a really good thing. The way you get access to it is, it’s subscription based (obviously). It is indexed into other, kind of like, journals or platforms where you would go search academic papers.
And there is an opportunity…so any of our listeners that are interested in being reviewers of, like, using their experience and being reviewers of papers, you can reach out to the journal and see if you can become one of the reviewers. So, I’ll put that in the show notes as well. And I think…I spoke to Leigh and we’re probably gonna try and get him on the podcast a bit later. They’ve got a European, an ECCWS, so it’s the same conference but in Europe. That’s on later this year.
And there’s also potentially one in Australia that I didn’t know existed, but it might have merged into a different conference now, but it’s in Perth and that’s in December. So, we’ll get Leigh on before either of those…or especially the European one happens to kind of promote that and give us a chat about it.
Si: But the international one, this is…I mean it really is international, isn’t it? Because you, sort of, talked about last year, that was in Islamabad, I think from what I saw earlier. And next year, as you said, is somewhere in South Africa.
Desi: Yeah. So, the international one is generally US based. The European one moves around Europe a bit more. So, I…like, I guess in terms of being more international, it’s probably the other one that’s more international because it moves around.
So this year it was in Athens, or this year it is going to be in Athens, sorry. And next year it’s in Finland. And then this international one, which is predominantly US based, has kind of formed a trend that every fifth year (obviously from however they’re counting it because it’s the 18th one at the moment), every five years now they have it in South Africa and they collaborate with one of the universities in Johannesburg. So yeah, it’s heading back there next year. I think they said it’ll be a little bit later in the year.
So what we’re in, like, March now, I think they potentially talked about pushing it to May. But keep an eye out for that I guess if people were interested in heading to Jburg. And I’m not sure what they’re doing with the conference next year. So, they might try and push some of the on-prem stuff to be more virtual because the bulk of the ICCWS are US people who…like, US citizens, who are interested in this kind of stuff. Yeah.
Si: Cool. Okay. So, what you’ve been there three days? Two days? Two days.
Desi: So, it was three days. I didn’t manage to make it to the first day, but the first day was a…they did a workshop and talking to some of the attendees that did go to the workshop said it was quite good. But it was…I think it was, I’m probably gonna get this wrong, but we’ll post up the events in the show notes as well. I think it was on…no, I’ll butcher it probably, but it was, like, a thought experiment on cyber warfare and the effect of something in it.
Hang on, here we go: “How cyber warfare and information operations are changing everything.” So Dr. Leigh Armistead headed that up. But that was, yeah, like a…I think it was like a four or five hour workshop on the Wednesday and then the conference actually started on Thursday and then ran the Thursday and Friday. Yeah.
Yeah, lots of…yeah, the two streams that, kind of, I checked out there were recordings of all the virtual ones that I haven’t gone back to. So, some of the virtual ones looked pretty interesting. But yeah, they had three time slots per day, so pretty standard, four to five talks within each one. They also had a Master’s and PhD stream. So, they had, like, PhD and Masters posters up around the place, and the students were submitting papers and they had their, kind of, like, own little colloquium and they announced, like, winners for the best papers, and…
Si: That’s nice. That’s good. It was free for you to dip into the PhD stream if you fancied it? Or was it restricted?
Desi: Yeah. So yeah, it was free to dip in and they also had separate PhD Master streams on, again, both the virtual and physical. So, there was only three…there was a lot less, there was only three here in person, but there was a lot more online presenting as well. So…and all their papers are available to look at on the website to see their research afterwards as well.
Si: Excellent. I look forward to that. Good stuff. So, what did you go and listen to? What was it that grabbed your attention and drew you in?
Desi: Yeah, so I will admit some of the titles definitely caught me. So, I read a book by its cover sometimes. Because I probably did not do as much preparation as I should for these conferences where I should go and read all the papers first and then decide what I want to go have a look at. So there was some…
Si: There’s an inherent risk in that though because some people, you read the paper and then you turn up and they tell you exactly what you’ve heard in the paper! And therefore you’ve just wasted an hour slot. So I have, I definitely have some…
Desi: The downside to that was I did turn out to a few talks and the talks were not what I thought the title was at all. And probably wasted that slot as well. I think the good thing was…it was probably good and bad, but the slots were only (what were they?) they were like 20 minutes. So it was a 15 minute talk with 5 minutes for questions and answers at the end, which was good if you got to a talk where you were like, “ah this isn’t kind of really what I want,” because then you’re only there for 20 minutes. But then on the flip side, I think a lot of people that had really good content to present struggled with presenting their, kind of like, a year’s worth of work in 15 minutes.
Si: Yeah, I mean we struggled to get, you know, an hour’s worth of banter into an hour, let alone, you know, presenting something competent in 15 minutes! I mean, that sounds terrible.
Desi: So, I question our competency, but I don’t think we’ve ever managed to hit an hour in any of our stuff really. Or maybe Zoe just does a really good job at editing us down so people don’t get sick and leave, because they’re like, “why is this going on for two hours?”
Si: So dear listener, our über editor, Jamie, sent a little message one week, which went…he just wrote (what was it?) it was something like, “six and a half minutes”. And he wrote it in the chat and I was like, “six and a half minutes of what? What are you talking about?” And he just left it there. And then he came back to us. I…it may have even been six and a half minutes later just to wind us up, I’m not entirely sure. And said, “that was how long it took you guys to get to a point, not the point in the last podcast.” Yeah, I mean, fair enough.
Desi: I mean, we’re not in control of editing, so if they’re leaving…
Si: Yeah, we’re really up to the point. They actually pad us out and make it longer. That’s what it is!
Desi: (There probably was a lot more than six and a half minutes in the actual recording, so that was all right.) But yeah, in terms of, like, what I went to go see, so I definitely did…I guess a little bit of background is this conference, like, I’ve wanted to go to this conference since like I was a small boy in cyber in 2017, which is when I kind of first found out about it when I was in the RAF and joined kind of the incident response. It was in something that I was reading and I was like, “wow, this sounds, like, awesome to go to”.
So yeah, big thanks to Forensic Focus for helping me get over here and look at this. And then I went and saw some talks that were, kind of like, up the interest of what I wanted to go on and look at. And then also it had a good mix of stuff that like we cover here on Forensic Focus as well. So, I guess more so the digital forensics than e-discovery or law enforcement side of things, which is okay.
But yeah…so, day one…what have I got here? I’ve got some notes because we’re definitely going to try and get some of these people…I’ve already had two agree to come on and chat to us. So, one of them is Dwayne McDaniel who’s from GitGuardian. He…one of his presentations…so, he did a couple but the one that really caught my eye was he was talking about, kind of, forensic investigations for GitHub breaches.
So, it’s kind of like the bread and butter of what his company does, but they essentially scrape public repositories and then it’s how that’s used in looking for secrets. So, they do (I’ll check this in the show notes), but they did a wrap up of last year’s…all the exposed secrets that were found in publicly available, kind of, GitHub repositories. But it’s also how you do investigations when you’re looking through that kind of data. Because it’s just…I guess it’s how you handle large volumes of data, which is the issue. It’s not necessarily that it’s difficult to look for things once you’ve got a thread, but it’s that threat hunting piece and then how you do forensics and put it all together.
Si: Am I right in thinking that you are doing a reciprocal arrangement with him and you are going to go onto his podcast?
Desi: Yeah. So, yeah, for sure. Yeah, I dunno what I’m gonna talk about yet. So theirs is kind of more of a generalist cybersecurity podcast. So, I guess from my background I’ll end up just talking about incident response. But yeah, like, I’ll be on their podcast as well.
So, I’ll let the listeners know if they want to check that out when I’m on it to probably get an insight to what I do day to day, which is what I’ll end up talking about rather than kind of all the stuff that we get to talk about here. And then…so, the other one that I’ve confirmed already is (I might butcher this name), but it’s Saminu Salisu. So, he did a talk on blockchain forensics and how to do investigations that way.
And I know, Si, we had a good back and forth the other day on, kind of, cryptocurrency and blockchain, so it’ll be interesting to get him on and talk about…what I’m hoping is that they’ve done some investigations and get to talk about some of the stories of how you trace it and I guess the key is how you trace that money when it comes out of the blockchain. For, I guess, criminals trying to get their money out.
Si: Yeah. And I think blockchain…our little debate on the side was to do with blockchain and cryptocurrency and we should dedicate and we will dedicate a whole podcast to that. But the bottom line is that like so many things it has to interact with the real world at some point. And very often that interaction with the real world causes the whole anonymity issues to start to fall apart.
You know, the same with buying a gun on the web, on the dark web, you know, it’s anonymous up until you have to pick the damn thing up. At which point it suddenly becomes very, very obvious who the owner of that weapon is. So, you know, it’s that kind of thing. But yes, it’s a fun and interesting thing and I look forward to doing that. If I’ve got the right profile, he’s from a UK university, or has been through a couple of UK universities.
Desi: Yeah. So he’s through a UK university and he also works for a startup that does this stuff. So that’s a platform that kind of graphs it all. But I guess the…what I would like to dig into is how does someone, particularly an investigator, if this came across their desk, like, how do they start? If they don’t have the tools that make it easier? Because it is just publicly available data. So yeah. Where do you start? How do you do it? Like, I guess the basics to get you off the ground and I’m definitely keen to hear how, like, I guess they’ve made it easier and or how they see they’ve made it easier in their sense. Yeah. So I think that’ll be really cool.
Si: I think also, I mean one of the (certainly in the cases that I’ve worked on) one of the biggest issues is trying to get that explanation out to a jury. Blockchain is quite a complex concept when you first come across it, even with, you know, a technical background, blockchain is quite a complex concept when you come across it the first time! Trying to get that over to a jury of people who (being kind) have limited IT skills is challenging. And if he’s got some tips and tricks on that, I’d be very interested to hear what they are. And I noticed some of his academic papers appear to be to do with the representation of…sorry…that’s one of them…where did it go? Yeah: “temporal sense making in intelligence analysis” and things…so, “time sets for uncertainty visualization”. So I think you may well have some interesting things to think about to do with visualization as much as anything else, which would be fun.
Desi: Yeah, definitely keen. Looking forward to him. And he agreed this morning when I was messaging. Another one that I’m chasing at the moment that I haven’t got a confirmation is Michelle Bowen. She was from Checkpoint Security. She did a really interesting talk, kind of, was one of those talks that I think she had so much content but it was so hard to fit within 15 minutes.
But the one that stuck with me most is she was talking about deep fake technology, which is something that we’ve talked about. And did mention cases where voice deep fakes were used…because I think the general topic of the talk (and I’ll specifically call out the work in the show notes for this one) but was on, kind of like, biosecurity measures and how deep fake technology is used to get around that and the worries around that.
So, there were two cases she mentioned where voice deep fakes were used to defraud a company because someone high up in the company had that set up and they were able to initiate banking transactions to steal money away from that company. So, I think…yeah, some, like, insight into that and, kind of, how it’s done and how the technology has come along from someone who has more experience than both you and I messing around with ChatGPT!
Actually, they tried to make ChatGPT more taboo because everyone talks about it, but then I think nearly everyone mentioned it. That was still the hot topic. But yeah, it’d be great if we can get Michelle Bowen on the show to talk through some of those cases as well.
Si: Yeah. I can see fitting that into 15 minutes would be a distinct challenge, so yeah…
Desi: Yeah. Getting her…and I mean she…I think she would be really good. She’d fit really well into the banter that we have! So, it’ll be more than six and a half minutes of banter at the start and getting really interesting content.
Si: Excellent.
Desi: Yeah, Jamie will let us know how much banter we’ll have with her in the chat.
Si: Yep. Perfect. I look forward to that.
Desi: Other than that I do…there was one other. So, there is one other that’s potentially coming. I spoke to one of the participants there. She was working or, is working for…who was it? It was, I haven’t written it down. But it was like a rotational position that she was in and part of her research was, like, government work that she couldn’t talk about, but essentially it was like network forensics on submarines, which is…sounds amazing and really cool! And it’s a shame that like…
Si: I would hope that the network forensics on the submarine was relatively straightforward because it should be air…well, water gapped, basically.
Desi: Yeah. So, well I guess, like, at a high level, right, like the sub’s internal communication system…because it’s all IP based, right? Like most of those systems, they communicate that way because it’s really easy but it’s proprietary. But when they surface they replay that onto shore. So it’s, kind of…and that’s…I know at a high level, that’s how they download some of their data as well.
So, once they dock and, like, and breach water at shore, they will push, like, mission data to the subs. So the question is, is there an ingress point to inject packets into that? And I guess that was the point of the research was to see, kind of, what does the network traffic look like? Like, is there possibilities for vulnerabilities? That kind of thing.
Si: That would be fun. I did a little bit of work once upon a time with regard to some systems that did similar sorts of things from helicopters and basically pushed data…pulled collated data and then pushed and pulled it as and when. Yeah. So, I can see, I can see that could be fun.
Desi: Yeah. So, that could be really interesting. But she did promise to chase up someone at Johns Hopkins University here in Maryland from, I think, it was the applied physics lab, which do more kind of unclass open research.
And they’re definitely trying to push out more broadly the research that they’re doing. So, hopefully in the next week I’ll get a name of someone there that we can get on the show to talk about, I guess generally the kind of projects that they’re doing that would be interesting to our listeners. And maybe from there we can dig down further into the actual researchers who are doing the work and get them on the show as well.
Si: Yeah, we’re onto quantum computing forensics anytime soon.
Desi: Yeah. I think one of the people there, one of their projects was that kind of stuff, like, quantum…no, encryption that was safe from quantum computer cracking.
Si: Quantum proof computer encryption stuff. No, it’s fascinating. Also way past my mathematical capability.
Desi: Oh, normal encryption is way past my mathematical capability!
Si: Yeah, no, that’s fair! Same here.
Desi: I do crypto challenges and I’m just like, “This is gonna take me weeks!” So there’s hopefully…well there’s definitely two upcoming that are going to be super interesting to our listeners and hopefully some more coming out of that.
So, yeah, overall my impression of the conference was really good. I thought the caliber of research coming out was awesome. I think like all academic conferences, they suffer a little bit (and this is not the conference, it’s more of like the niche academics that happens) is that they start to talk about stuff in academia that is out of touch from the real world and that causes problems because then when you have a view of the research, it’s either too generalized because…so for example, like a couple…there was…actually a lot of talks on ICS, so industrial control systems and OT, operational technology.
One was on biosecurity, so they were talking about, like, how farms are now smart farms. And then another talk was on adding edge device monitoring to, kind of, traditional OT stuff. So they call it IIoT, so industrial internet of things. But they were talking about adding that to, like, power plants for example, so that you can monitor and then you can affect change back into the system and increase, kind of like, production speed of whatever you’re doing in the plant sense.
Now, both of those, because they were both very academic and their thought process was good, and their methodology was good, it was a little bit out of touch when…because they started talking about cybersecurity threat vectors and vulnerabilities. And I think that’s where it becomes out of touch because then it just becomes generalized and they’re just like, “here’s a list of all the threat vectors that you have”, and it was everything under the sun. Now it’s kind of system specific, but it’s also, like, attacker capability, which may or may not exist in that field. But I guess that’s just because there’s no industry experience there and it’s not like the research isn’t targeted on a particular industry.
Si: You and I both have the advantage that we’ve seen intelligence supplied threat assessments.
Desi: Yes.
Si: A lot of people haven’t, and therefore there’s none of that application of capability and application of…and resourcing and all of the other good information that comes out of an intelligence led threat assessment against something. So, yeah. But yeah, I mean, you know, they’ve done what’s required from an academic standpoint, which is list everything that could possibly happen! And then, you know, and then you’ve ticked enough boxes to get your paper through, so…
Desi: Yeah, exactly. And it, like…and it’s definitely not, like, it’s not a…I’m having a go at them at all. Like, it’s definitely there. I think academia and industry can definitely align itself better because I know, like, for my company and a lot of other big companies that are there, like, we’re vendors, right? Like, we’re trying to sell something.
But the tech research that’s coming out in those tech blogs is valid and it’s good because incident responders and digital forensics practitioners use that information when they come across something that is in that field. So, it’s valid research, it’s just not…because it’s not an academic paper, it can’t, like, they don’t…it’s never referenced. And I think where we’ve seen with DFRWS, what they’re doing is trying to introduce tech and assess tech blogs and tech papers into their process, which will allow academia to draw from that knowledge, is I think a really good step in bridging that gap between academia and industry.
And then what industry can do, which is something that I’d like to push with my company, is we write white papers, but how do we push those into, kind of, journals and journals that we don’t have to pay for? Because, like, personally I don’t think you should have to pay for the privilege of giving information…
Si: Exactly. Yeah!
Desi: Yeah. And the information warfare journal could be a good first step for some of our, like, really good tech focus research that you see from the front lines of what you’re responding to. And I think bridging that gap will then just help researchers that aren’t, kind of, being funded by companies that are in the industry produce…well not produce better work, but enhance the work that they’re already doing. Yeah.
Si: Yeah. It’s an interesting relationship between academia and industry and it always has been. I think certain universities that I’m aware of are stepping that up and actively engaging more with industry. We’re going to have a guest on later, and we’ll have a conversation about that as well because the University of Southampton, for example, is engaging…they refer to it as enterprise rather than industry, but, you know, they have strong engagement there and that’s something we’ll have a chat about later.
So the conference as a whole, you know, it’s an academic conference. Was it heavily biased to the warfare side or was it a fairly even split across, sort of, security and forensics and incident response? I mean, or was it…or actually “no, this is incident response when a third party nation state attacks our infrastructure”?
Desi: Yeah. It was, it was interesting. I think it’s the flavor of the year, so it’ll probably, like, the research is affected by what’s happening in the world around it. It was definitely very heavily biased towards US-centric problems, which is fair enough, like, it is (even though it’s called an international conference), it is a US conference. And particularly in cyber warfare, like, if we look at the coalition of powers between even our three countries, right? US is the ones that are being actively attacked all the time, being kind of at the top of the chain. So, a lot of the research is driven out of that. I don’t think there was a bias particularly towards cyber warfare. I think the two keynotes definitely were from the people that were speaking. And they were (let me just read their names off), so, Justin Fanelli, who is the Technical Director of the Department of Navy spoke on the first day.
Si:…or we hate him! No, probably it’s not fair. Was the Department of the Navy who were involved in that, but is probably not him by now.
Desi: So yeah, he spoke about, kind of like, zero trust or what they were doing prior to zero trust within the program that he was working on to…he kind of works as a strategist, but then getting that into implementation. So, that was really interesting. But again, like, US Navy, so very US focused. And the other one was Dr. George R. Lucas, who has a very detailed history in military ethics. So, he spoke on, kind of, the ethics of AI into the loop. And he had one comment that really struck with me that I (he left too quickly and I didn’t get to ask him about it), but, so, he’s written a lot of books and he was saying that, like, he writes these military ethics books, which I’m going to try and grab his latest one and have a read of. But he was saying that he does all this research, which is cutting edge for ethics and what’s happening with technology now. But by the time the publication cycle happens and it comes out, it’s a dulled edge because technology has already moved on from what the military is using, what they’re looking at, how they’re employing it.
And a good example of this is, like, how (and it’s one of the things that he spoke about in the keynote) is how Ukraine is using Starlink to then automate potentially drones to then fire on tanks. Now, the more automated that becomes, or the more AI (I guess) that they put into it, is where’s the ethical and moral line for that in using against forces? And not only that, but if you are developing the technology and then it gets sold on and used back against your country, is that causing an issue?
And he did call it something, and I can’t remember what, it was essentially like “inside threat”, but it was, like, you sell to a trusted country, but then there’s corruption and they sell it onto another country that’s bad. And the cycle of usage goes from there. But back to the original thought on that kind of content that’s coming out, and I guess relates to academia in general is, like, you spend so much time developing these papers and then it goes through review and publishing and it takes so long to come out that by the time it comes out that your research is no longer valid.
The benefit of a tech blog is that you can see something, write about it and people benefit straight away. So, is there a better way for academia to (especially for people who are established as researchers), is there a better way for them to push out their content faster? So that it’s in the hands of people to use quicker and it’s valid at the time. So, could they create their own YouTube channels and kind of present their research and then that is accepted to then be referenced within the community, kind of thing?
Si: It’s an interesting one. And it probably comes down to things like historic copyright problems. If you, as a university member, quite often your contract (even as a student), quite often your contract with the university basically dictates that all of the intellectual property created while you are at that university belongs not to you, but to the university.
And thus, you know, putting it out in an academic paper way that is understood by the university is an accepted, sort of, form of sharing of that intellectual property, especially seeing as it has the university title at the top of it somewhere. Usually. If you are moving to a…and also you have this lovely buffer of liability of peer reviewed. So that if somebody then, you know, takes your paper, you can say, “well look, we did the best that we could, two other people peer reviewed it, three other people peer reviewed it, they did the best they could and they didn’t see any errors in it at the time.
Subsequent knowledge has gone forward and we figured that out and, you know, there’s a problem now we know this.” Versus, “I wrote it on a tech blog”, there’s an issue with it. All of a sudden, where’s the liability lie if that’s been used by someone to do something? Now personally in the field of forensics, I happen to think that if you haven’t verified it yourself, it’s not worth the paper it’s written on anyway.
Desi: Yeah.
Si: And therefore, you know, taking some information as a starting point, verifying that it’s true and then using it. I mean, you know, I look at YouTube channels as much as the next person does. It seems to me to be a very valid way of…I’ve certainly cited, in expert witness reports, I’ve cited online content as a source! So, you know, it’s not impossible to do, but yeah…
Desi: And it’s like you see companies like, when Microsoft has had breaches to do with their technology and they’ve had rolling tech blogs and they just provide on the one page, they provide updates and they’re like, “this is the information as we know it”. And the next update they could come out could contradict that update, but that original stuff is still there.
And they say, “here’s the new information that we have. Here’s where we were wrong, here are the new indicators to kind of go look for”. So, I mean, hugely reputable companies like Microsoft can do it and people will reference that. Could be done. But I guess it’s adopting a different model and probably a model that quite a lot of money is built around for.
Si: Well, that’s it, isn’t it? It’s difficult. If we are in an information society and the assets that we have to profit from is information, giving it away for free in a timely fashion is not conducive to profit. Now, what’s interesting is that given that the most popular operating system on the face of the planet is free, basically (Linux and Linux derivations), you know, obviously an open source and the sharing model works, and, you know, when you look at the market capital of something like Red Hat, you can see how well it works, because there are ways of monetizing information without directly charging for it.
You know, you charge for support, you charge for…you know, all of those kind of things. So yeah, I mean, maybe the industry doesn’t need an uplift in how we address it, but as with all things, you know, it’s, we’re talking about overthrowing so centuries of traditional commerce in selling something off the back of a wagon versus, you know, a new world order (he says carefully choosing his words).
Desi: It’s funny because I always remember the tip of, like, if you’re really interested in someone’s research, just message the author and they’ll probably send it to you for free.
Si: Yeah.
Desi: It’s hilarious, right? Like, because the authors just want to get the…especially the people who do all the work, they just want to get the information into the hands of the people that actually want to read it and give feedback or use it in some way. So, I know that’s kind of like an unwritten thing that…like, my university professor always said that to me. So, like, “if it’s not on our platform, but you wanna read the paper, just message the author and they’ll probably give it to you”. And it works. Like, I got like three papers when I was doing my thesis, just from messaging the authors and going, “hey, I really want to read your paper.”
Si: Yeah. I’ve not written a lot, but anytime someone’s emailed me, I’ve been more than happy to answer questions about whatever it is that they’ve wanted. Because why not? You know, you didn’t write something in the public eye for keeping it safely stashed behind the sofa and so nobody could see it, did you? So…
Desi: Yeah. Anyway, I’ll shut up about what I think about academic papers because…and we best release this after I get back home because I don’t want them to come after me and…
Si: I think that’s fairly safe! You fly Sunday, Monday?
Desi: Monday, yeah.
Si: Monday. All right.
Desi: So, as long as we publish after that and I’m home on Australian soil and safe, all good.
Si: All good. Good stuff. Yeah. Okay. So, would you attend again next year, South Africa, given the choice?
Desi: Yeah, definitely. I think, yeah, beforehand I’d definitely read all the papers first. And now that I know that, that the conference I guess is in potentially Australia but also Europe…yeah, I mean, like, like all conferences…because I can sit at home, watch recordings, read the papers. I think the huge benefit is the networking. Like, there would definitely be one of the talks that we probably wouldn’t eventually have on here because it was through just meeting a participant.
But also just the networking with the people here that I think were beneficial with both the podcasts, but, like, I also got benefit in my work. Like, I got to meet one of the incident responders from CISA, which is a big government organization that deals with responding to critical infrastructure. And so we had a kind of great chat with…just about, like, the tool sets that we’re, like, trying to (like, not in depth), but definitely the tool sets that we’re trying to work with and how we respond to large scale incidents.
Like, that’s just someone that I wouldn’t have met if I hadn’t…and I probably never would’ve come across them in my life if I hadn’t come here and done the networking. So yeah, I can say that’s the same for every conference that I’ve ever been to that…yeah, it’s definitely the networking that is the biggest draw and biggest benefit, I think when you go. But…and I don’t know whether you are saying that you’d agree with that?
Si: I was going to say I…the conferences that I’ve been to fairly recently, yeah, I would agree. It’s nice to sit and hear somebody talk, but you can do that equally as effectively (although asking the questions after the talk is slightly harder online, but, you know), it’s much of a muchness, you are effectively watching a YouTube channel just live, you know, it’s kind of the difference between going to the cinema and going to the theater is, you know, it’s either pre-recorded or live, you know, but you still get the same…if you’re watching Macbeth, you still get the same lines. It’s not anything else, but it is that water cooler, coffee machine, queuing for the loo, kind of conversations that ends up having value, especially, you know, especially from creating those interpersonal, kind of, relationships.
And again, you know, I wasn’t at a conference, I went to a competition up in London recently. It’s called Cyber 9/12, it’s a cyber strategy competition. I took a group of students up there and they competed to try and come up with a working strategy for an imagined scenario. Very good competition, and we’ll be having a chat probably with a guy called Rob Black (or we will be having a chat with the guy who is definitely called Rob Black) about the competition and bringing students into cyber at a later date in the future.
He’s agreed to do that. But during that process, I met and bumped into, first of all, a bunch of other academics who I now, you know, know and are friends with, but also there are a number of vendors who are there supporting this, and I’ve made some interesting contacts there. Not least with the guys who run British Telecom’s physical testing team for security. So, you know, they ran a lock picking workshop, so went and had a play.
Desi: Oh, sweet.
Si: But yeah, so that would be quite fun. But actually, I’ll get in touch with the guy and see if he’d be willing to come on and talk about it, because his background was fascinating. He was a US citizen and ex Department of Homeland Security, so he may well be an interesting person to have a chat with. But yeah, absolutely, so you make those acquaintances and you…it’s those conversations offline that are very valuable.
So, no, I agree. And they don’t work well online. We’ve sort of…or I’m not sure we’ve figured out a way to do them online yet, which is funny because, you know, there are plenty of online communities where people who don’t physically meet, interact, and make friends and communicate on a regular basis. But it doesn’t seem to work quite so well in the…
Desi: I think it’s the same as job hunting, right? Like putting your resume in is hard, but soon as you have an interview and you make that rapport, it’s easy to kind of get across your point and get across your value. And I think as humans, we, like, even though we’ve gone to a lot of remote work and everything…and, like, for an example, like my company, we have a rule that you have to turn your camera on.
Like if you have talks with people, because having that visual cue and the body language, even though you’re not in the room with someone, you can still gain whether someone’s being attentive and paying attention and you can see whether they’re thinking or just ignoring you, kind of thing. But yeah, definitely, like, reaching out to people, almost like cold calling when we’re trying to get people onto the show when we find something really interesting that we want to do, getting that initial traction to just get on a call with that person and not record anything, but just get on a call and be like, “hey, here’s, here’s what we think for this process, here’s what we want to talk about.”
I think when you get to that point, you’ve, kind of, got them and it’s easy to then keep building on that rapport and have them on the show. Yeah, like, personally, I agree. Like, I definitely struggle with just the messaging back and forth. Like, it’s very easy to kind of get ghosted in a sense, where they’re just like, “yeah, I’ll come on”. And then you never hear from them again. And you’re, kind of, like, just chasing them up and you feel like you’re bothering them at that point. But if they, kind of, agree early on to, kind of, get on a call and talk about it, then it’s a lot easier. And then again, like, if you’re at a conference, like, they know you, they’ve kind of already talked to you, it feels a lot more comfortable than jumping on, kind of, like, a podcast with at least one person that they know.
Si: It’s overcoming that initial barrier to entry really, isn’t it? If you know one of the people at least, and you have built some form of relationship with them, then yes, it’s a lot easier to turn up and have that conversation. I certainly found that, you know, last year with a couple of people who we interviewed, who I’d met in person at one of the conferences. I didn’t arrange the interviews or anything, but going into them, it was really nice to see them again. I actually felt genuinely…you know, it was “oh good. You know, it was you!” sort of thing. So yeah. That was good. So yeah, I totally agree with you on that front.
Desi: Can I just say that it was also the most British thing ever to say, “no matter whether you go to cinema or the theater, it’s all the same Macbeth”. Like, the fact that you use Macbeth as a reference there: so British!
Si: Yeah, well can’t help it. Sorry!
Desi: That was awesome though.
Si: Cool.
Desi: All right, so I’m done talking about the conference. Was there anything you wanted to talk about before we jump off, Si?
Si: Yeah, just one thing. So we talked a week ago now. And we’ve both just done a LockBit investigation.
Desi: LockBit Ransomware.
Si: LockBit Ransomware, yeah.
Desi: …for anyone listening.
Si: So, in both cases we’ve gone and done an incident response, an organization has been attacked in some way, shape, or form. Different vectors for the two of us, but nonetheless, it was done. And then the attackers, once they had gotten in, turned out to be quite incompetent. Okay. I think that’s fair to say. They certainly were on my side. And you sort of alluded to a similar feeling about the ones that you had! Do you think that we are seeing a resurgence of script kiddie, where the attacker skill set is dropping off again?
Because historically we started off with (you know, in the very beginnings of computer crime), we started off with skilled attackers, and then we ended up with script kiddies who just used skilled attackers’ scripts and tools to carry out attacks. And then we saw some very competent ransomware attacks. But now with ransomware as a service (RaaS), which is exactly how LockBit advertise it themselves, LockBit 3.0, they advertise themselves as ransomware as a service. Are we seeing the resurgence of the script kiddie, and does this actually reduce the risk substantially?
Because the LockBit ransomware operates effectively on two levels. One is that they lock up your stuff and stop you from accessing it, and that’s a pain in the arse. Two is that they download a bunch of stuff and then try and blackmail you with it for not releasing it to the public. With a good backup routine, you can get round part one, that’s not a problem. And with incompetent attackers, part two doesn’t exist. So, it fundamentally removes that problem.
And certainly in the organization I was working with, they had no reason to even contemplate paying any ransom, they restored their backups, they lost no work because of the time of day that things happened there, and the days…the time their backups ran. Their backups ran at 11:30, the encryption event happened at just past midnight. So, they had full backups of everything offline, nicely set aside, and they restored without…with no changes having been made.
No data was exfiltrated because the people were completely incompetent and thus, you know, they were laughing, basically. I mean, relatively speaking after the heart attacks had subsided. Is this something that we are now facing? I mean we talked about the, sort of, models of banking malware and stuff with someone slightly earlier (and the link to that will be in the show notes, but I can’t remember his name).
Desi: Alex Tilley.
Si: Yeah, Alex Tilley. But are we effectively seeing a high probability of a low-impact attack, do you think, coming up?
Desi: So, I think there’s probably a few factors, which is probably, like…I think it’s confirmation bias on what we’re seeing. So, I think logging and monitoring within organizations has gotten better and having EDR and alerting tools and obviously like the biggest alert is “all your stuff got ransomware” and that’s what you’re seeing. But there has been cases that I’ve worked on in the past where we’ve caught script kiddies early on, either digging around the network or potentially going to release ransomware and it’s been stopped. And they’ve just been incompetent and being caught during that process.
I definitely think proof of concepts are on the rise, so it’s easier for people (and obviously even ransomware as a service), it’s easier for people to get their foot in the door. But we’re still not capturing the access brokers, so the ones that are selling the credentials. That’s not being caught. It’s…they’re selling those credentials for next to nothing really, like a couple hundred US for some credentials. That may or may not work, but the risk is, kind of, worth the reward for the criminals. Though they’re not being caught, so the good adversaries are definitely still there.
The opportunity for then people to buy a service…and where the good actors, so, like, the LockBit developers, there’s less risk for them if they offer the model for people to go and do it. Because even if a criminal gang isn’t successful, they’ve still sold the toolkit for $2,000, $5,000 US. If they have people repeatedly paying that they have constant money flow, like it’s not a lot, but it’s (however big their team is), it’s enough to live off, right? So, I definitely think it’s on the rise, but I think it’s only on the rise…oh, and the other point is, I think people are reporting more because governments say that you have to.
And so, I think that’s why it’s confirmation bias. We’re seeing it more because it’s being reported more in the public, and it’s being reported more to us as investigators. So, it may not hit public, but we do see it a lot. And the login monitoring’s there to detect it even when it’s not ransomware. So, we’re seeing that incompetence and it’s getting caught and we’re going, “ah, okay, cool, it’s just like some script kiddie in here”. But if they didn’t have the monitoring, how we would’ve caught it would’ve been ransomware.
So, I think the confirmation bias there is that those factors combined just make it feel like we’re seeing more, but I think they’ve always been there. Like, I don’t think potentially the proportion of attacks have changed or the percentage over the year has grown probably linearly. But even from looking at the releases of zero days and proof of concept code coming out has actually exponentially increased.
So, I’m actually surprised we’re not seeing more attacks. So, people are kind of settled on just buying stuff that they can just use off the shelf and then attacking. But, like, personally I don’t see, like, a new attack come out and then all of a sudden everyone’s trying to…like, I think the exception there was the Microsoft Exchange compromises, like, a couple of years ago.
That was unique because it was a very easy remote code execution exploit. And the proof of concept early on was pretty close to complete, so it took very little effort. And people were just scanning for it. Like, governments and criminals alike were just scanning for it. And there were two in a row. I think that’s when we saw a spike of people just like…because I remember we responded to that and we were seeing people just drop shells and that was it. So they were dropping shells and just, like, you couldn’t really see the commands, but they were probably just doing some recon, and then companies were shutting it down really quick.
But, like, if that was a sophisticated gang, you would’ve seen them drop a shell, move really quickly and then ransomware the network or something. But we weren’t seeing that. We were seeing basic shells dropped, maybe some tools, maybe some reconnaissance. But the downside to that was you would then spend two to three weeks with the company threat hunting.
Because you weren’t sure. Like that was the issue. You weren’t sure whether they were sophisticated or just someone that was poking around. And that’s just my opinion. I’m sure our listeners, if you’ve got opinions on this, if you work in the field and you think that it’s not confirmation bias and that script kiddies are definitely on the rise, like we’d be keen to hear and have that discussion.
Si: Yeah, definitely. It just struck me, I don’t do nearly as much incident response as you do but it just struck me that it was of a particularly low quality compared to things I’d seen in the past. And I was just wondering if it was a trend.
Desi: Yeah. I think ransomware as a service in general is definitely on the rise. Like the gangs these days over the years have got more sophisticated in their modeling and how they sell their products and their products are now hitting a wider range of stuff. Like it used to just be Windows, right?
Si: Yeah. I was deeply impressed by the LockBit website when I went, and how well laid out it was and the FAQs and the number of mirror sites to prevent denial of service attack. I happened to be (owing to the timing of the attack on the company I was working for) I happened to be on it at the time the Royal Mail stuff dropped in the UK, and they’d failed to pay…failed…chosen to not pay the ransom, which obviously is the right thing to do, for them at least. It’s definitely the right thing to do. And yes, how quickly it was all released and they, you know, it was a very slick top of the top of the chain. Very slick indeed. I was actually impressed. Quite nicely designed website, you know, it’s all good stuff!
Desi: Yeah. And for them, like, the customer service is there, because they want repeat customers, so…
Si: Yeah.
Desi: Yeah, it’s a proper business now and there’s a few other players in the game and when one gets taken down, the other one just pops back up. It’s a really hard thing to play particularly, like, for people in our position, right? Because, like, we’ve got no power in fighting back, because that offensive side is governments.
Si: Yes.
Desi: And you see, like, the US involved in taking some of the stuff down, but then one gets taken down and another one pops up, so…
Si: Yeah. Whack-a-mole I think is the term, isn’t it?
Desi: Yeah. So…and, like, I mean it’s not really gonna stop until the cybersecurity hygiene or the security hygiene in general of companies just increases. And it becomes unprofitable for the general criminal gangs who are developing this, it becomes unprofitable for them to sink time into their development to develop exploits to get in. But yeah, I think the real key is detecting those access brokers. Because so many cases that I’ve ever been on, you never find out how they actually got in. You see someone VPNing in with legitimate administrator credentials through the firewall, straight to a file server, domain controller.
They’re there for like an hour and you’re like, “there’s no way they’re phishing someone, laterally moving, dumping creds and going from there in that amount of time”. And I mean there probably are actors out there that are that good, but on a case by case basis, someone that good’s not going to be on every case. So, they’re buying credentials from somewhere and then getting in. So, I think improving the detection and, kind of like, insider threat detection…and when I say insider threat, I don’t mean, like, someone who you’ve hired in your company, but someone who has legitimate creds that…
Si: Yeah. Somebody coming in and then acting outside of the normal parameters of their operational role.
Desi: Yeah. Finding that early and stopping that is, like, huge in stopping every other breach for your company. Because who knows who they sell those creds to. Could be someone big, could be someone really good, or it could be the script kiddie, which I guess is a lot of the jobs that you and I have seen.
Si: Yeah. No, and like you say, yeah, it was definitely a legitimate set of credentials that came in and…yeah. That was a straight sign-in then, so…yeah. See it’s getting…figuring out where that middle man is, working and taking them out of the chain.
Desi: Yeah. Because I think, like, clearly the credential brokers are much better. Like, and who knows what other jobs they’re doing. But yeah, they’re just taking it, selling creds.
Si: Yeah. Okay. Well, interesting stuff. So you are back to Oz on Monday, so you got a nice long…?
Desi: So, I fly out Monday and then it takes me like three days to get back. So, I think I touched down on Wednesday night sometime. Because I lose all my time going back. So, coming over, I left at like Monday afternoon at 3 and I arrived Tuesday at 9…yeah, Tuesday at like 7:00pm. It wasn’t too bad.
Si: Okay.
Desi: So, it was like a day and a bit. But then I had like a 17 hour layover in Singapore, so, like, that’s reasonable, but then coming back it’s like, I only have a 3 hour layover, but I’m still like losing three days of my life!
Si: Yeah. Oh, that’s nice.
Desi: Fun times. But yeah, I’ll be back on Australian soil on Wednesday, which will be nice to be home.
Si: Yeah. Good stuff. Yeah. Well, safe trip and…
Desi: Thanks mate.
Si: Have fun. Enjoy your last 48 hours in this lovely location of yours. Towson? Tosen?
Desi: Towson in Maryland is lovely. I really like it. The weather has been…when I looked it up, it doesn’t look that cold, but the wind chill factor over here is ridiculous. Like, it pushes it down to like one or zero degrees just with the wind. So, coming from an Australian tail end of summer in Brisbane is tough.
Si: Brutal, yeah. We had snow here for the first time in a while. So, it actually settled a little bit and have some sort of pictures of snowy landscapes to show for it.
Desi: Nice. Get you to camera and take some photos?
Si: Yeah. Hang on, let me just…where is it? There. Share screen. Yeah. So, can you see that one?
Desi: Oh yeah.
Si: That’s…this is from the snow the other day. This is sort of this sort of landscape that we were looking at.
Desi: Ah, yeah. Nice.
Si: So yeah, it was pleasant….pleasant: it was minus two and…! This visibility level is heavy snow coming down, not fog. It was quite fun being out in it (Other ones? This one is essentially the same.) Yeah, so it was an interesting little sojourn around the local countryside getting cold, wet and taking photos.
Desi: Alright mate. Well, thanks to our listeners. Thanks for sticking with us through to the end today, or whenever you’re listening to this. Hopefully we’ll have some awesome conversations for you coming up from the conference, but also from other connections we’ve made. And also I think we’ve got a Cellebrite one that’ll come out after this as well.
Si: We’ve got Cellebrite, we’ve got a conversation hopefully coming up with Amped Software. They’re going to give us a talk through of Amped Authenticate, which I’m really excited about on…off the back of all of our deep fake conversations. That will be a really exciting piece to go through. So yeah, it moves on a pace and this year we’ll build and pick up from there on, I think.
Desi: Definitely. But again, if you’ve liked what you’ve heard today please like and subscribe, put comments on whatever platform that you listen to us on. We’d love your feedback and we love your support, so…yeah. Thanks for listening to us and our banter, and we’ll see you next time.
Si: All right. Thanks very much everyone.
Desi: Bye.