Well, I work at Rapid7 in the strategic services team. I suck at CTFs, but I still enjoy them. And you'll be glad to know that I don't work in the penetration testing team at Rapid7, because that would be a really terrible thing for me to say. So in strategic services, we get to see a lot of different companies. And we look at the maturity levels of their security programs and what actually works and what doesn't. So I figured it would be great to tell you what we see in the real world that happens. So you can compare that to what you're going to see this weekend. So before we start, I'd like to know a little bit more about who's in the room. So in a few days, some of you will be just ripping their hair off. I'm sure Robert won't, though. And if I do, I'm going to look like him in a few days, because you're going to be working on some problems. It's going to be really hard, and you might get pissed. Some challenge makers, they just want to see your nose bleed. You'll probably hear that a few times here. And these guys, they want to be sure that everyone has something that they can work on, and they want to be sure that everyone has something difficult to work on. So raise your hand if you're participating in a CTF this weekend. All right. So I was afraid that I'd have a lot of people who are only here for the conference, so that is really good. Now keep your hand up if you have less than three years of experience in security or if you're a student. All right, so there's a few. So the reason I'm asking is because you learn the theory, you probably have a little bit of experience, and you're going to see practical events like NorthSec, and then maybe when you get to the real world, it's going to be kind of a letdown. You're going to be surprised by what you see, and things are not necessarily as they seem in a capture-the-flag environment. Who's got a lot of experience in security but never did a CTF? Is there anyone? All right, a few shy dudes back there. 
Who works more on the defensive side than offense? Raise your hand. All right. And who works in compliance? All right, there's like one guy there. Hey, don't laugh. Like, he's the only guy who works in compliance who thought that this was actually useful enough for him to show up, so there should be more. Round of applause. Now, who thinks your corporate network is pretty safe or better than what you're going to see in a CTF like NorthSec? More secure. Does anyone think that? There's one guy there, but I know he's just messing with me, so. All right, so now I know a whole bunch of you are going to be in a CTF, so we don't have to do this one. Now you can rest. So first, what's a game? CTF is a game. So Wikipedia says a game is basically something that we do for fun that can also be used to learn things, and that's typically distinct from work. So obviously, there's a few exceptions, like a lot of people would consider professional sports to be a game. A lot of people have the same hobby as their jobs, but we get the basics of that. It's pretty simple. So first, a game can be fun. I don't think anyone would be there this weekend if they didn't think it was going to be fun. Maybe it's not your main reason for being there. Maybe you think you're going to learn stuff, but this is definitely one of the reasons why you're going to be there. It can also be challenging and difficult. If you're going to learn from it, it's got to be challenging and difficult. What I find hard in a CTF is definitely not the same thing that Laurent right here would find hard. So there's different levels, but it's going to be challenging and difficult for everyone. It can also be competitive. So in a workplace environment, people are sometimes competitive with other people they work with, other companies. In a CTF, especially if you're good at it, people will try to win and really take that seriously. In my case, I typically try not to lose. That's the bar I set for myself. 
Or last year, my goal for my team was just to beat Miquel from Morgan Stanley. Where is he? We beat him by one point, so I was really happy. And sometimes it can be frustrating. So you might get stuck on some challenges, and you might just feel like you're not making much progress. So the thing is, in a workplace environment, when you have a frustrating problem, you can probably spend more time on it. You can ask different people. If it's a bug with a product, you can call your vendor. When you're going to be there this weekend and you're just trying to break an application, reverse engineer it, do some crypto challenges, the pressure can get pretty rough. So on Sunday night, some of you will be swearing that that's what I meant by my talks in French. And on Sunday night, some of you might think, well, this is just a game. Like, my real network is not like that. Like, of course we hacked like a bunch of things, but yeah, Monday morning I'm going to be at work and it's not the same thing. Like, it's going to be secure. Like, don't worry about it, guys. I hope no one's going to think that, but I know some of you will. And this is why I'm giving this talk right now. So why is frustration not a really big deal and why being delusional can be dangerous? Because some people are delusional. So first of all, those of you that don't have a lot of experience in security or offensive security, if you get frustrated during the CTF this weekend, don't worry about it, we're going to show some examples. And just because you're having a hard time in a CTF doesn't mean you would even have a hard time being a penetration tester in the real world. I also want to convince anyone who's in denial that thinks their environment is way more secure than what they see in a CTF. And I know everyone's thinking, yeah, that applies to everyone else in the room but me. So yeah, yeah, sure, everyone, not you. 
And for managers, I want you to take what you've learned or what people in your team learn during the CTF to see what you can really do to improve your security program for real, not just for checkbox security reasons and things like that. So first of all, what do we see in a CTF? We see different types of challenges. Pretty often you'll see web vulnerabilities, forensics, crypto challenges, reverse engineering of software, sometimes hardware. You need to build some exploits. You do some network security. You do some hacking under the influence of beer. And sometimes there's trivia. So how does that compare to the real world if you're working in security? The web stuff, I think there's a perfect match right here. Every company has a web presence. Almost all of them have some web developers or hire web developers and all of them have vulnerabilities. So pretty much everything you're gonna do this weekend related to the web, you can take that to work Monday morning and apply it directly. Forensics, most companies above a certain size have some kind of forensics capabilities. The difference is you don't necessarily get to learn about the same different technologies that you're gonna see this weekend. So maybe in a corporate environment, you have a team that uses commercial tools like EnCase and they have a really strict process like what to do when someone gets fired or whatever. This is gonna be more, you need to keep your mind open and think outside the box but you can still apply some of that. Crypto challenges, where do you work if you are breaking crypto? Like unless you work at like the NSA or maybe a company that makes encryption software, you probably won't see a lot of that at work. And reverse engineering software or hardware. Typically that's above the maturity level of most companies that we see as clients at Rapid7. 
It's not really cost effective for you to be breaking the stuff that you buy when you're still struggling not to use the default passwords on it. I mean, you need to think of what's the low hanging fruit first? So not a lot of people do that. Some people do have teams working specifically on that so we see that in bigger organizations. Exploit building again, pretty rare. Raise your hands if you develop exploits at work. All right, now keep it up if you don't work for a security company or the security consulting team of a non-security company. All right, so there's one that's really interesting. Now that slide would really have backfired if everyone kept their hands up but my point is in the organization that doesn't do information security as a living, that's not how they make their money. Most of the time it's not cost effective to do exploit development. Network security, pretty much everyone does it even though they're still using SNMPv1 and stupid things like that. And if you laugh at that, if you have like 300, 400, 2000 devices I can guarantee you have a lot of that stuff left but a lot of them are still convinced that security is just firewalls and they need help to think that security is more than just that but that also is going to apply well. It doesn't mean that most companies are good at network security but still they do it. Hacking under the influence, more about coffee than beer, and the trivia is more like drama in a company typically. So here's a few parallels between what you're going to see in a CTF. So typically a CTF like NorthSec is going to have something for pretty much everyone. You know there's going to be easier flags for the beginners also to take you to more challenging flags. In an enterprise you have legacy, you have a lot of junk and you have a lot of technical debt. 
So you have a lot of low hanging fruit which you could compare to the easy flags you're going to get in a CTF but most companies either don't have the budget to deal with that or they're too big to deal with all of it. Most CTFs are heavily Linux based. Reasons for that are they're already hard enough to set up as is without having to deal with Windows, licensing reasons and many other reasons but most old school enterprises rely on Windows a lot especially for desktops and laptops but also for a lot of servers. Plus they're stuck with a whole bunch of old Java stuff. They also have some old Unix environments, Windows endpoints with a whole bunch of junk on them and a total lack of hardening. So when you compare that and compound it with the fact that most companies are really bad at segregation between different environments, using firewalls properly to limit the connectivity that goes between each environment, you get an attack surface that's super wide and super easy to attack while in your CTF you have some pretty specific things that you're attacking that are vulnerable on purpose. Maybe someone built bugs into what you're going to be attacking but typically the CTF organizers know how they want you to break something. You might find a different way. When you're looking at commercial software you're gonna find like 16 different ways and none of them were intended to be. Now you might say oh yeah but in a CTF there's no defense team especially if it's a challenge based CTF like that. It was like there's no one looking at what you're doing to try and prevent you from doing it, right? At NorthSec it's like you're looking at stats but there's no one who's doing incident response on people trying to break stuff. In my company I do that. I would say that most enterprises have a very expensive SIEM but do not have an effective defense team. 
The reason that happens is people buy the big SIEM for compliance reasons and they say yes I keep my logs for five years, what do you do with them? The answer is typically we don't do anything with them except we keep them or we have like this super short useless list of events that we actually do something about. So I would say that the CTFs and the enterprises are pretty close when it comes to that. No one's gonna do anything about you trying to attack them. And unlike a CTF most organizations have Active Directory which gives you single sign on which is really interesting when you're doing a penetration test or you're trying to secure your environment because once you break that you get everything and they have a lot of users with a lot of vulnerable software and the thing with users is they're typically, most companies have really bad security awareness programs. The endpoints are not really hardened and that's really hard to replicate in a CTF environment but in the real world you always have to deal with that. So sometimes in a CTF you'll see cross-site scripting attacks and sometimes social engineering but you can't replicate like 5,000 employees of a bank that would just click on pretty much anything. And when we do spear-phishing attempts with clients we typically see a super high success rate getting them to give us their passwords and when I say super high think like 75% or something like that. You get a lot of people who put their passwords in, and their actual passwords, because we compare to make sure that they're the good ones, and I would say if you don't get that level of success when you're trying to do a campaign like that it's just because you're not getting your end user well enough. So what happens? So in a CTF like last year at NorthSec there was, I think Marc-André made that challenge. Where's Marc-André Méloche? He's right there, okay. 
So it was an encrypted Linux image and there was a clue saying something like the password to decrypt this is like a sentence from the most popular hacker movie or whatever. That was pretty much it, right? Marc-André, it was a sentence from the movie Hackers. In a real company, WTF, half your users use the company name as a password and the other half is password1. We really often break a majority of corporate passwords in 24 hours. So let's say a company with 5,000 users, really often we'll break like 4,000 in a day and that's not using like some crazy cloud service to do it, it's like one machine with as many GPUs as we could throw at it. So why did the CTF give a clue to what you had to do? Well first of all because password1 is just boring. No one's gonna have fun guessing a password that's password1. To force you to think outside the box and not just use like the first dictionary file you're gonna find in John the Ripper and you just let it run for two minutes. And probably also because they wanted everyone to download these movies over BitTorrent to see if the network was stable enough, right? If there's something similar, I recommend you use the scripts. Much easier to use a script than watch the movie but a few people watched the movie. I did last year because I wasn't sure the script I had was accurate so I was just checking a few things so I bought it on iTunes from the conference and then I checked that out. So if you're cracking passwords here and you hadn't done that before, maybe because you're working on the defensive side, what did you learn? Well first of all, password policies are almost useless. Yes during the CTF you got a clue but the password was still way better than what you'd see in your corporate environment. You learned like don't care about compliance. It doesn't mean anything. I mean maybe you checked the box but PCI is still about seven characters in passwords. 
And when I tell you we break almost everything in 24 hours, a lot of them are way up from what compliance requires. So forget about that, it's almost useless. In fact I think it's more than useless, it's dangerous because it gives people a false sense of confidence. But you probably learned about some new tools and new things you can do and if you work in defense I think what you need to take away from there is okay so I was at NorthSec, I used some tools to try and break some passwords, what can I do now? And what I tell you is instead of relying on password policies and things I have, break your passwords. You work in defense, you need to know what passwords are vulnerable in your enterprise and then you need to train your users to be better about that and it's not just about the end users, it's also your systems administrators, it's also the people who configure your service accounts because people are really bad at giving good passwords to service accounts as well. So when you go back to work, maybe you wanna speak to your legal department before you do that but be more practical about what you do instead of relying on a policy, just break your passwords. We have a bunch of clients doing that and the success rate and the improvements they get in the security of their passwords is like 10 times better once they can actually find the users that use weak passwords and get in touch with them and tell them why that was a bad password. So learn the tools and go back to work on Monday and use that. Pro tip, call it auditing the strength of the passwords if you're talking to the CEO, don't go, hey, like I'm gonna crack all the passwords because that might sound a little bit weird but you're just auditing the strength of the passwords. So another example, Shal, I don't know if he's here. He likes making some challenges with things like SQL injection. So that was an interesting one that he explained at Montréhack. 
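As an added illustration of the "audit the strength of the passwords" advice above (example code, not the speaker's or Rapid7's tooling): it checks a constructed set of account hashes against the two patterns the talk names, the company name and password1-style variants, and reports which weak accounts would still have passed a checkbox policy. The company name, the sample accounts and the use of SHA-256 (real directory dumps hold NT hashes) are all assumptions made so the example runs with the standard library alone.

```python
import hashlib
import re
from itertools import product

# Constructed sample data: account names mapped to SHA-256 digests of their
# passwords. SHA-256 is assumed here so the example runs anywhere; a real
# audit would feed the hash type the directory actually stores.
COMPANY_NAME = "acmecorp"  # assumed company name


def digest(password):
    """Hash a candidate password the same way the constructed sample was hashed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


SAMPLE_ACCOUNTS = {
    "alice": digest("Password1"),
    "bob": digest("Acmecorp2015!"),
    "svc_backup": digest("acmecorp"),            # service account, company name as password
    "carol": digest("correct horse battery staple"),
}


def candidate_passwords(company):
    """Yield the patterns the talk describes: 'password' variants and the company name."""
    bases = ["password", company]
    suffixes = ["", "1", "123", "!", "2015", "2015!"]
    for base, suffix in product(bases, suffixes):
        yield base + suffix
        yield base.capitalize() + suffix
        yield base.upper() + suffix


def meets_policy(password):
    """A typical checkbox policy: 8+ characters with upper, lower and a digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def classify(password, company):
    """Label the weak pattern so the report can say why the password was bad."""
    return "company-name" if company in password.lower() else "password-variant"


def audit(accounts, company):
    """Return, per weak account, the pattern it matched and whether it passed policy.

    The plaintext is deliberately not returned: the report goes to people, and the
    point is to contact the user and explain, not to circulate their password.
    """
    table = {digest(cand): cand for cand in candidate_passwords(company)}
    findings = {}
    for user, stored in accounts.items():
        match = table.get(stored)
        if match is not None:
            findings[user] = {
                "pattern": classify(match, company),
                "policy_compliant": meets_policy(match),
            }
    return findings


if __name__ == "__main__":
    for user, info in audit(SAMPLE_ACCOUNTS, COMPANY_NAME).items():
        print(f"{user}: {info['pattern']}, policy compliant: {info['policy_compliant']}")
```

Two of the three weak accounts in the sample satisfy the policy, which is the false sense of confidence the talk warns about.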
What was that, like six months ago or a year ago, whatever. So that's the kind of stuff you'll see in a CTF because it's interesting. He built like a bunch of crazy blacklists in there to make it challenging and then you just, you're gonna be banging your head on your desk for a few hours and then maybe you're gonna find it, maybe you won't but at least the whole time you know there's probably a vulnerability in there because it's a CTF and it's a challenge so you'd have to be a real douchebag to not put a vulnerability in there. So and then you get like these crazy queries and maybe you succeed, maybe you don't but the thing is in the real world, what we see is if companies are not advanced enough to be just using parameters in their queries, they typically don't use any like hardcore blacklists because even though that fails all the time, people don't even bother with that. So what we see is, hey, you're showing SQL errors and a stock tool like sqlmap just worked, or the super advanced turbo version is, oh yeah, you blacklisted quotes or something like that. So what you should be learning from that is, go see your developers and train them to use these tools and these techniques that you'll have used this weekend but start from the beginning and if you're a manager, ensure that you have a strict process to make sure that stupid mistakes like that don't happen. I mean, in a CTF, you see something like what Shao made. No one's gonna do that by mistake, like make this super elaborate blacklist or whatever because it's actually more effort than just not using blacklists and using a whitelist and using parameters but teach your developers how to use these tools as well because it makes it way more visual. So you might be thinking, yeah, all developers know about that stuff. 
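An added example, not code from the talk or from any challenge, of the "blacklist versus parameters versus whitelist" point above: the quote-stripping lookup beside its parameterised form, plus an allow-list for the one place (an ORDER BY column) where parameters cannot be used. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("Smith", "user"), ("O'Brien", "admin")])
    conn.commit()
    return conn


def blacklist(value):
    """The 'super advanced turbo version': strip quotes and hope.

    Legitimate names containing a quote are silently corrupted, and the query
    is still assembled by string concatenation, so nothing is actually fixed.
    """
    return value.replace("'", "").replace('"', "")


def find_user_vulnerable(conn, name):
    # Untrusted input is pasted into the SQL text; the blacklist only mangles it.
    sql = "SELECT id, name FROM users WHERE name = '" + blacklist(name) + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, name):
    # The driver sends the value separately from the SQL text, so a quote in the
    # input is just a character in the name, never part of the query.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchone()


# Allow-list for identifiers: column names cannot be bound as parameters, so
# they are validated against a fixed set instead of filtered with a blacklist.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    print("blacklist lookup for O'Brien:", find_user_vulnerable(db, "O'Brien"))
    print("parameterised lookup for O'Brien:", find_user_safe(db, "O'Brien"))
    print("sorted by name:", list_users_sorted(db, "name"))
```

The blacklisted lookup cannot even find a legitimate user named O'Brien, which is the usual tell that someone filtered characters instead of binding parameters.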
I can tell you that when we have clients that have a lot of developers that maybe they've been working on COBOL for 28 years and they just started doing web, they're really good developers, they've been making software since before I was born but they don't really know about that stuff, they just heard the term. So when you see these challenges, try to replicate that in your corporate environment and what you'll find is probably, you'll find a lot of stuff that's much easier in your corporate environment. So good news, if you struggle this weekend and you can't get any of the more advanced SQL injection or any type of injection because we might see some different stuff, well, the good news is you can probably practice at work because it's gonna be much easier and don't tolerate laziness once you've seen these errors. There's no excuse for having that kind of stuff in a production environment. So in 2013, NorthSec, so there was a writeup written by Okeok, so thanks for that, I just summarized it for the slide. Basically what you had to do was take a card, set up in on it, then go read it, look at what the data is in there and then do ROT13 on it and that was your flag. In the real world, when we do physical penetration testing or anything like that, it's more like, yeah, there's an entrance that you're not really monitoring and we just went through or we did some tailgating and we got through. However, what you'll learn after you do the physical security or the smart card hacking or the physical badge hacking at NorthSec is you should assume that your physical environments are not secure, especially those of you that are working in a regular office environment. 
Most office environments are not built to be secure, you've got visitors, you have people showing up to work, people think you have a badge but someone scans their Metro badge and it does the same sound as you're walking behind them or whatever, so assume that your physical environment is not safe because now you know even the badge can be hacked but honestly, typically we don't even need to do that. Remember that the next time you're thinking about doing things like encryption on hard drives, we have a lot of clients that ask us, oh, should I encrypt the hard drives on my desktops as well? They're all encrypting the laptops because what if someone forgets it in a car and someone steals it or whatever, but no one would ever steal a desktop in the office, it's a secure environment, we have badges. Remember that even if you have a badge, it can be bypassed but maybe you should just be encrypting it and not worry about best practices or anything like that, just do what you have to do to secure your environment. So in the CTF, you're gonna see many crypto challenges. There's gonna be vulnerabilities in how the crypto is implemented. They're gonna be put there on purpose but they're put there on purpose by people who know what they're doing. In the real world, what you're gonna see is first, everything's in clear text because oh, our security policy says that within this environment, we don't have to encrypt. Like who cares about your security policy? Someone's gonna hack you and not look at the stuff because your policy says you can keep it in clear text. Doesn't matter. When things are encrypted, typically people are really bad at managing the key so you can find the actual keys to the data and it's much easier than actually breaking the encryption but most of all, when you buy software, especially software for specific purposes. So for example, you have an application for legal case management and it's been written by lawyers. 
They'll use encryption in a really terrible way and it's actually going to be a little similar to what you would see in a CTF but sometimes it's just gonna be yes sir, we're encrypting our stuff with Base64, so it's secure. These are things, this is something I've seen in a legal case management thing that had medical data in it or just blah, blah, blah, bank-grade, military-grade security and then you just leave the keys right next to it. So what you should do is ask a lot more questions from your vendors when they say they're encrypting stuff and push them really, really hard. Typically, they might not want to answer right away but when you push them really hard, they'll give you the answers that you need unless they really suck at this stuff. Never assume that because a vendor says they're encrypting something in a database that they're doing it properly and actually that's one of the areas where I would actually encourage you to go and break the stuff just like you did in a CTF because it's easy to test, it's easy to do in a test environment. So you have like a medical file management software, just ask for a copy of it, try to break the encryption in there, you might be surprised at how easy it is. The only disadvantage is you might not know that there's a flaw in there but I would tell you if it's like a software in a specific vertical, it would be really amazing if there's none. In fact, you know, at Rapid7 and Strategic Services, sometimes we see something that's really amazing and our first reaction is I talk to the other people in the team or they come to me and they're like, dude, I've seen this thing, it looks like really good, am I crazy? What did I miss? We just don't believe it and it's really, really rare. So you'll find interesting things and it's gonna be just like the CTF. But most of all, if you're doing clear text, you should take care of your clear text addiction right now. 
Don't start breaking the encryption of your third parties before you even enable the features. So why is there so much stupidly insecure stuff out there? People just started caring. In many cases, people just didn't care at all. A few years ago, some just started caring. There's still a lot of people who don't care but it's changing pretty fast. We see a pretty marked change in the last two years. People are more and more concerned about real security than just compliance, so that's good. Security was not a core requirement of projects. So even those that started caring, all the old stuff that was built is still there and you can't just rip it out. So that's why the environment is actually way more insecure than a controlled environment like a CTF. And then there's magical thinking, right? People who say who would ever do that. So probably someone who wouldn't hack something or people who say, oh, but that's on our internal network only. People who think they don't have at least one machine that's compromised in their corporate network. You're crazy if you think you don't. But someone would have to know about this. So who can say that other than someone who never fired anyone or someone who underestimates their attackers? So we see a lot of, we have an incident response team at Rapid7, we have Metasploit. So we see a lot of things about real life vulnerabilities being exploited and you can't underestimate your attackers and say, oh, but they won't find out about this or they'd have to know what our SSID is or something stupid like that. But we hear that from time to time. Or my favorite, it's PCI compliant. Said everyone who ended up on Krebs on Security the next week. But then there's still some people who say, but isn't the CTF easier? It's made to be broken. Again, I'll tell you, the only thing that's gonna be easier about it is the stuff that was made to be easy that's gonna be there at first. But also the fact that you know there is something to be broken. 
So you can work on something for eight hours that might be hard and maybe it's gonna pan out and you're gonna get a flag that's worth a lot of money after that. In a corporate environment when you're trying to break something, you never know. Like maybe there's no vulnerability in there. Maybe you're doing a pentest and you have like a really limited scope and maybe it's secure. You just never know. So in a CTF you do, so if you get frustrated, I mean just reset your brain, go for a beer, talk to someone in your team, maybe exchange like who's doing what or whatever. You'll eventually get it. You know you might waste a few hours but you're gonna learn a lot in the process. So if you work in defense, on Monday, before you forget about it because probably you'll be drinking a few beers during the weekend so I don't think your long-term memory's gonna be that good. Think about everything you broke during the weekend. Start from like the easy flags you started with. Break it down by categories. Then look at your internal network and think about what you have in place that would prevent something like that from happening because we know the vulnerabilities, similar stuff or easier to break stuff, exist in your environment. Just think about what you can do to detect someone that's doing that because maybe if you work in defense you can't just get everything fixed but you have tools that give you visibility into what's happening. So for example, if you're building use cases for detection or whatever, everything that you've done, a lot of that will translate to what you do for a living during the week in your defensive role. So build your detection around how people really break into networks and not into what my auditor thinks is good or whatever. And then if you have to argue with an auditor, if you're doing a good job at security then arguing with an auditor that what you do should be compliant, that should be your second concern. 
So really think about how you would detect that. And I say that in most corporate environments people are just flying blind. A lot of people don't have visibility into many facets of their network except for a little bit of perimeter of security things and that's pretty much it. So I will wish you good luck in your CTF on Saturday and Sunday. Does it start Friday night or? All right, so you're gonna work hard, you're gonna have fun. Does anyone have any questions on other things that we see in the real life? Do we have a few minutes left for questions?