Hi, thanks for coming. I can't believe there are people here. I'm totally stunned. So it's early for a DEF CON. You know, there's ATM jackpotting going on in another talk. There's a Playmate of the Year or something, right? That's fine. I saw her, though. She's not that cute. So anyway, I was really surprised there were people here, so thanks for coming. I was like, optimistically, the room will be empty, and everyone who can't get into Barnaby Jack's talk will be like, well, what the hell, and they might wander in. But yeah, thanks for coming.

Okay, so this talk, and I warn you, there's probably too much material, so I'm probably going to end up skimming stuff, but I'll make the slides available online. So if I gloss over something you're more interested in, check out the slides. So this talk is supposed to be sort of a fictional story. So, you know, I travel around the world and give talks, and so what would happen if one day I was visiting some foreign country and, you know, next thing there's a bag over my head, and a couple hours later I wake up and I'm in beautiful downtown, you know, some city in North Korea, and Kim Jong-il and his friends are there insisting that I help them build a cyber army to attack you. So this is the story. And when you're in that situation, you know what you say, right? Yes, sir, right? There we go. Here's my Korean military uniform, ready to fight. Yeah, so who's with me, right? Okay. So, yeah, that's what you say: yes, you know, devoted leader.

Okay, so what am I going to talk to you guys about? So a little about me. Normally I would just skip that, but this talk is all sort of, you know, BS and all that, so I want to sort of convince you I know what I'm talking about. And then some background stuff, strategies
I would employ, potential attacks, things that my army would have to do, things I could imagine defensively the US or whatever country we were attacking would try to do and why it wouldn't work, and then exactly how I would have the army: who would be in it, what kind of people, how much it would cost, that sort of stuff. Then how long I would need to set up, what exactly I would do, and then, you know, conclusions and lessons learned.

Okay, so why am I talking about cyber war? So out of the blue some guy from NATO calls me like three or four months ago. He's like, hey Charlie, we'd like you to come to Estonia and give us a talk about cyber war. I'm like, well, you know, I'm really a low-level tech guy. I break into computers and stuff like that, but I don't really know much about cyber war. I don't know policies, I don't know what country has what, or anything like that. I just know how to break into computers. And I was like, sorry, you know, I'm going to have to decline. But then the more I thought about it, and then I started reading, you know, Richard Clarke's book, I was like, man, you know, most of the people who are talking about cyber war, they might know what they're talking about, but they don't really know the details like I know, right? So I thought it'd be kind of fun. And I was like, well, what do you really want me to talk about? And he's like, well, anything you want. I was like, well, I'll talk about what I know, which is offense. So he convinced me to come. I gave the talk, and there were some technical guys there, but mostly policy types.
There was an ex-former cyber czar of the US there watching my talk, and apparently she didn't like it or something. [That's your boss.] Yeah, maybe it's not too technical. Like, my talk at Black Hat had hundreds of slides with assembly. No assembly in this talk. Okay. So anyway, I was like, well, where else can I give this talk besides to these NATO guys? I was like, well, the DEF CON guys might appreciate it. So that's why I'm here.

All right. So who am I? I taught math, worked for a year reading firewall logs, I used to work at the NSA for five years, I'm a consultant now, and that's basically what this talk is about. So it's like a proposal. I do this all the time as a consultant. So, you know, I'm good at (a) breaking into things and then (b) figuring out how much stuff's going to cost, how much time it's going to take. So that's really what this talk is. It's like a proposal to a country to build an army. I did some other stuff, too.

Okay, so you don't hear much about what people say they did at the NSA, and for good reason, and I can't talk about it either, but I can tell you bullets from my resume that they approved. So these are things I can talk about without further comment. So these are things I did at the NSA, to show that maybe I know what I'm talking about: performed computer network scanning and reconnaissance; executed numerous computer network exploitations against foreign targets (like, I can't believe they allow me to say that, but they do); network intrusion analysis; designed and developed network intrusion blah blah blah. So anyway, I did some cool stuff as an NSA guy.

Okay, so onto the basics. By the way, it's cold in North Korea. I didn't know that. I didn't pack for it. All right, so, you know, the bottom line in all this stuff is money, right?
So if you have enough money, you can do pretty much anything you want. So just for some comparison of what people are spending on this sort of stuff: the US military spends, you know, a crapload of money just on cyber alone. They spend a hundred five million dollars a year, and these are all things I found on Google; like I said, I'm not really an expert on this. North Korea spends five billion, which is a ton for their little country; on cyber warfare alone they spend fifty-six million. So that's a lot. So let's see, Iran, by comparison, you wouldn't think they would have one; they actually spend more, 76 million. And so what I'm going to propose is actually a bargain: 49 million dollars and I can take down any country.

Okay, so cyber warfare, what do I think it is? Right, everyone disagrees, so since I'm talking I get to say what I think it is. It's collecting intelligence, controlling other systems, so, you know, making them do what maybe you don't want them to do, or maybe you just want to make it so people can't use the systems that they want to use. And, you know, maybe General Hayden, my old boss, would disagree, but the general idea is you want to cause harm, like if you launched missiles and stuff, without actually having to go through the trouble of doing that.

Okay, some more statistics, just to get your head around some of these numbers, because, you know, we're used to, at least me as a pen tester, we're used to, you know, corporations or something, so it's like now our target is sort of the world. So what sort of numbers are we talking about? It's like a few billion IP addresses in the world, two billion personal computers, 41 million iPhones, so that's a lot of iPhones. What about botnets? You hear about them; how big are they compared to all the computers in the world?
Well, they range anywhere from like three to ten million computers, and so if you think about it as a percentage of all computers, it's still a fraction of 1%. So a very small percentage of computers, and if you think about all the people you know that have computers that have no idea how they work, it's amazing that it's not larger, actually.

Okay, so here's a word I throw around, so just to make sure we're all on the same page: it's the remote access tool, RAT. So, you know, you can think of it like a rootkit, or like the equivalent of a really advanced interpreter or something. So it's something that you're going to put onto a computer that you've compromised, that allows you to continue to access it, allows you to then attack other computers, you know, basically a way to contact this computer that you've broken into at some point. And I'd like it so it should be hard to detect. Yeah, no kidding.

Okay, so now a little diversion on zero days, and I'll try not to spend too much time, because, you know, this audience probably understands what zero days are and why they're important, whereas the guys at NATO, I don't know if they really did. I wanted to really emphasize, like, hey, you know, there's these things called zero days. So, you know, as you know, it's a bug that there's no patch available for. So I wanted to emphasize to them that these exist, and you guys find out about that. But just for some stats. So 2005. So these are mostly ones I know about, since, you know, I know about stuff I do. So 2005, I found a bug in Samba. It was around for two years. So that's a long time for a bug. There's this one, this JBIG2 Adobe Reader vulnerability discovered in 2008. This one was discovered by a bad guy this time. If you... I mean, I'm wearing a military uniform from Korea,
so maybe I'm not one to speak about who's bad, but this is like a real bad guy. And so he found it in 2008, and it didn't get patched until March, you know, people knew about it. So, you know, these zero days are floating around. Pwn2Own one year, I found a bug but I didn't use it, because you can only use one, so I kept the second one for the next year. So a year went by that happened. And of course, I guess I dropped a zero-day Adobe Reader one at Black Hat, so a few days ago this week. So zero days exist.

Okay, what about how long they're around? Because it's going to be kind of important, because, you know, I'm going to have my army finding these zero days, so I want to know what their shelf life is. So these stats come from Justine Aitel, CEO of Immunity, the company that brings you, you know, Canvas, amongst other things. So anyway, the average lifespan, she says, from her statistics, is 348 days, or just under a year, and the shortest one that they've ever had was 99 days, and the longest one was almost three years. So that gives me an idea of how long you can expect to use your zero day. And then, you know, from the defender's perspective, it's pretty tough to find zero days, because you don't know what they are.

This little dialog box, I think it's a pretty funny story. So I had a zero day and, you know, we were doing something with it for someone else, right? I can't say more than that. But anyway, nonetheless, we were testing it against lots of different targets, and I was like, well, you know, we're trying to find all the Windows boxes we could. I was like, oh, you know, what about the secretary's? We haven't tried hers. So, you know, threw the zero day against it. It was like, boop, little pop-up. It's like, buffer overflow blocked. I was like, what? McAfee detected my zero day.
There's no way. So I would... yeah, it really worked. Except the only small piece of solace I had was, if you read the description, it's like, oh, there's a buffer overflow, and I was like, ah, well, it wasn't actually a buffer overflow. But still, they detected it. So it sort of made me sad. But then of course you could, you know, get around it. But still, you can detect zero days just by using heuristics and stuff.

Okay, so next up, strategies. They don't eat good either in North Korea. They eat some weird stuff. So here's my strategy: dominate cyberspace. I'll go into more of these in detail. You have to work in advance. You've got to rely on getting lots of research, intelligence gathering, and then this thing, you have to decide when you're going to throw your zero days, when you're going to throw your known exploits.

Okay, so what's this thing I mean when I say dominate cyberspace? This is something that came up on the Daily Dave mailing list that kind of got me interested. So the idea, I think it's a good idea. So the idea is you want to control as many devices in the world as possible before you're ready to sort of launch your attack. And the idea is that if there really was some sort of, you know, cyber attack or cyber war, whatever you want to call it, presumably the internet would be kind of degraded, at least in places. And so if you control lots and lots of devices, then you can still perform your attack even if you can't connect to, say, the target anymore. So that's one good thing. The other thing is there's this problem with cyber war about attribution, right? So attribution is who did it. So, you know, a computer from China may be attacking, but really that computer is some Russian dude who's logged into that computer, right?
So you can't tell if it was Russia or China. So the idea with this dominate cyberspace is, if you have tons and tons and tons of computers located all throughout the world under your control, then you're in a better position to decide who's attacking you, because maybe they're attacking from one of the boxes you already control, in which case you can easily backtrace it. If not, maybe you're at least located in a computer nearby, right, in the same subnet or whatever. So anyway, you have a better idea. And also, on the opposite side, it's going to make attribution really hard for your opponent, because you're going to be able to attack from like a thousand different places from all over the world, and they're not going to know who you are. And the other thing is, if you already happen to have all these boxes throughout the world under your control, then just by luck sometimes, you know, Kim Jong-il is going to be like, hey Charlie, we really want to get onto this network, and I'll be like, oh, you know, as a matter of fact, I'm already on that network. Ha ha. So, and then of course the final point is that if you want to do something, you know, sort of loud, like a denial of service,
well, you're going to need a lot of computers to do that. So it's good, anyway. So the idea for this is you want to just go out and control lots and lots of computers. This is the other reason why it's good to be North Korea as opposed to the US, because, you know, there might be laws and stuff that say you're not supposed to just take over everybody's computer for no reason, but North Korea, they're cool with that.

Okay, so the next thing is, and I was already sort of talking about this, advanced planning. So if you're going to try to get into a really hard network, some military network or, you know, the network of the stock exchange or something like that, it's going to take, you know... So you're not just going to be able to wake up and do that. No matter how many guns I get pointed at my head, I'm going to be like, it's going to take me some time. The other thing is it's going to be easier to not be detected if you go slow. So a key part of my thing is to take your time and do everything else. And likewise, part of taking your time is figuring out what you're doing and doing research, and figuring out additionally what defenses are in place so that you don't get caught. So it's like everyone who talks about, you know, the Aurora attack, right, and APT and all that stuff, and I've had so many people tell me, oh, that Aurora attack, man, it was sophisticated, right? And it was like, no it's not, because, you know, if I was doing that attack I wouldn't get caught, so it's not.

The other question is, so at some point I'm going to have this stockpile of zero days and a stockpile of known vulnerabilities. When I want to get on somewhere,
which do I decide to use? And so it's going to be something you have to decide case by case, but basically if you choose to use a known vulnerability, a known exploit, then the advantages are you can just look like some teenage hacker, and also if you get busted, who cares. The zero days are going to be way harder to detect, so you might want to use those for the harder targets to get into. But the problem is, if you do get caught, then that's a lot of resources you've used to find that zero day and to weaponize it, and so it's going to be expensive in time and money to replace.

Okay, so there's some other things you might consider doing. So like Richard Clarke is huge on, like, oh, logic bombs, logic bombs. Like I hadn't read that word since I read Hacking Exposed 15 years ago or something. But he loves it, and so the idea is that you get into, like, the hardware of the other guys and you plant these things and then you just turn a switch and the whole world ends. But I think it's kind of stupid. So that's not in my strategy. The other one is, part of mine is, oh, I'm going to build up this botnet, and so it's like, well, why don't I just pay off some criminal who already has a botnet and use his, right, save some time or whatever? And I don't go for that either, because (a) they're criminals, so you can't really trust them, and (b)... there was another one, I swear, but I can't think of it. Anyway, so I'm not going to do that. I guess it's just that, you know, you just can't deal with those guys, and not only can you not trust that they're not just going to take it back or do something else, but you want to keep this sort of secret, right?
You don't want to be telling all these guys. The other thing is you could, you know, pay a Microsoft employee 50 grand to go put a bug in, or a back door in some IE code or something, or Cisco or whatever. So you could do that, and it'd be easier, but again, you kind of have to worry about that getting out at some point. Okay, next.

You can see I was having fun with Photoshop one day. And I'm not actually that good at it either. So what sort of things do I see? Attacks. So first off, like, I'm doing whatever Kim Jong-il tells me to do at this point, right? And I don't really know what his plans are. He's not, like, totally right in the mind. So I'm just like, okay, I'm going to prepare for everything you could possibly ask for, and then when you tell me to do it, I'll hopefully already have that in place to do it. So what are some crazy things that he might come up with? You know, hey Charlie, I want you to shut down the internet.
It's like, well, you know, I'll do my best, and I'm no Dan Kaminsky. So other things I might do is financial markets, you know, air transportation and power stuff. You know, maybe break up the communication of the military, you know, cell phone networks. This is really easy to do, because I haven't been able to use my phone in like a week here in Las Vegas.

Okay, next up, tasks. So these are the actual things that I... So the last bit was what he might want me to do, and this is the things I'm going to prepare to do, and hopefully these things will allow me to do the things he wants me to do. And yeah, everyone loves my book there in North Korea. All right, so these are the things I want to do: communication redundancy, so I want to make sure that if parts of the internet go away, I can still do my job, which is to destroy the US capitalist pigs; distributed denial of service; I want to be able to get into really hard targets, like military networks; I want to take down core infrastructure; and then there's these air gap networks I want to talk about and how I would attack those.

Yeah, so I mentioned this already. So I want to have redundant communication to all these computers that I'm launching my attack from throughout the world. So the idea is that the people, so not just the computers, but I want to have people stationed throughout the world too, right?
So I don't want to have all my cyber army holed up in a bunker in North Korea, right, because then all you've got to do is snip the cables going into North Korea. There's probably like two, and I'm going to be shut out. So I want to have people all over the world, and in this case, in an attack on the US, have them all over the US as well. And likewise, I want to have communication to those people and to other computers that I own through lots of different ways. So I'm assuming the internet at some point is going to be difficult to use when I'm doing all these things. So I want to be able to talk over the phone lines, over satellite phones, anything I can think of. The idea is even if the internet somehow became completely unusable, I could still communicate with these computers to continue the attack, or I could actually stop the attack if I wanted to.

Okay, so what next? Well, you know, this is like, I really even hate to bring it up, because it's so dirty, right, and messy, but the great leader says he might want it, so I need to be prepared. So it's denial of service. So, you know, you flood too much traffic. And the point to make here is, if the internet would go away, or if, you know, Google went away, or Gmail or whatever, North Korea is just fine with that. The average person in North Korea could care less if the internet is functioning or not, where other countries might have to actually worry about this, but I don't.

Okay, and then, you know, how am I going to get this botnet? Well, basically, I'm going to just use a crapload of... I mean, basically how the bad guys do it. And the idea to me is like, man, these bad guys, I'm not saying they're not smart, but they can't be that organized.
They can't be more than a handful of people, I would guess, doing a particular botnet, and I'm going to have, when you see my size, like hundreds of people, and, you know, trained people, with, like, management and stuff. So I don't see any reason I can't make way huger botnets than they can. So the idea is I just collect a bunch of boxes, make sure that no one else is on them, clean them up as much as you can, and move on. And for this task I'm not going to use any zero days, because obviously when you look at the size of botnets, you don't have to.

So what else do I want to worry about as far as the North Korean botnets? So I want to make sure that I use different botnet software for different botnets. I want to make sure they have the same thing that normal botnets have, so they're not centrally controlled, so you can't just take out one computer and then all of a sudden I can't communicate with my botnets. I'll make sure they're all over the world, so again, if you snip off communications to one country, it doesn't really affect it, and all over the target country too. So even if the target country disconnects itself, or parts of it, from the internet, I can still keep doing my denial of service. And the idea is to make it just humongous, like a hundred times bigger than anyone we've seen so far. This is just a picture to show the diversity I'm talking about. So even in the US I have, you know, however many, seven different botnets, all different code, all different communications, so if you take out one of those colors, it doesn't really affect the overall picture of things. And they're throughout the world and the country.

All right, and then there's going to be these hard targets. Like, you know, Kim Jong-il is going to roll in one day and I'm happily typing away.
He's going to be like, yeah, Charlie, I need to get into, you know, Wall Street computers, do it. I need to get into, you know, some top secret network, and I'll be like, okay. So these are hard, right? And the way I differentiate a hard target from an easy target is that they actually have a security team, they actually have dedicated security devices and that sort of thing, and that's what makes it hard. If you look at botnets and how big they are and the sorts of nodes they have, there might not actually be a hard target, like there's computers that are owned all over in all companies and stuff. But still, I imagine there'll be some that'll be harder than others to get into. So the way I do this, I'm not going to spend too much time on this, but the idea is this is basic pen testing. You just take your time, do research, gain trust, get in somewhere, and then spread your control. This is the so-called APT, right, except I just do it in a very advanced way. So this is me spreading throughout. This was way cooler to NATO than to you guys, but this is like spreading throughout a corporate network. So the only thing that's cool about this is it's like the Cisco SAFE diagram. So that was a secure network, right? But, like, obviously you can still break into it.

So then what's next? So, you know, like I said, Dan already coined that he broke the internet with DNS, so I've got to be able to do something to DNS. The other things I'm going to care about is core routers. So what am I going to do to DNS servers and core routers?
Denial of service is one option. There's been specific attacks against, you know, poisoned routing tables. So this has happened accidentally, so I'm doing it on purpose. And then you do the hard target approach. So I find out who's the admin of this particular core router, and I break into his computer, or his sister's computer or whatever, and slowly trace it back to figure out what he does. And then of course, you know, I consider myself a bug finder, right? That's my specialty, and so this part is really exciting to me. It's like, oh, I get to have all these really smart guys looking for bugs, and instead of looking at Reader all the time, I'll be looking in, like, you know, Cisco IOS, although I don't know if they call it that anymore because iPhone bought that or something, Juniper stuff, like the BIND implementation and Microsoft DNS. And the thing that's really exciting about this is you don't actually necessarily have to control this, right, and take it over. It's good enough to just find a denial of service, which is usually pretty easy to find. So if I can just keep crashing a core router, that's pretty good, if I want to make things hard.

All right, so I talked about these air gap systems earlier. So what is it? So if you want to have a really secure network, like a nuclear power plant or something, right, you don't necessarily want this thing plugged into the internet, because you don't want some guy in, you know, just a lobby attacking you or something. So the way you do that is you just make sure you're not plugged into the internet, right? And then you don't have to worry about that. And so examples of this are some top secret network, electrical grids, that sort of thing. The idea is that it's not impossible to attack this.
It's just a lot harder, and the example is this military network called JWICS was compromised because someone plugged a compromised USB stick into it. So there's ways to get into these, and I'll talk about my approach. So I know there was an approach in the past that talked about having malware that would sort of save up information and then wait, wait, wait, and then if ever it saw it was on the internet, would hurry up and punch it all out. But that's not the approach I take. The approach I take is to try to put these systems back on the internet. And this is going to take people, right? My plan isn't all just sitting around with computers. It's going to take people out doing stuff. So the idea is you've got to get someone inside this network, physically, somehow. So I'm going to have these North Koreans, or maybe my sleeper cell, you know, people in college in the US or something, join these companies, or pay off people, pay off a janitor or whatever. And so I get them into this network, and I start plugging devices into their computer. So maybe, you know, modems to dial out over the phone line, or in some other way. The idea is to just get a way that I can start to remotely attack this network that is not supposed to have internet access. And I've had people come up to me about this and be like, oh, that's impossible in my network, I know as soon as someone plugs a USB stick into any computer. And I'm like, well, you know, that's bullshit, right? If you give me unlimited physical access to your network, I'm eventually going to have a computer or a device on your network, and you're not going to know about it. So anyway, it's just a matter, I think, of time and effort to do that.

All right, so, defenses. I laugh at defenses.
We all had a good laugh about this. All right, so what are the things that a target country could do to try to stop this attack, right? They're like, oh shit, Charlie Miller is working for the Koreans. We've got to figure out what we're going to do. So some ideas I've already sort of mentioned: you could try to segregate yourself. So the US might not be able to do this so easily, but a smaller country like South Korea, which would also be a favorite target of the great leader, they could just say, screw you guys, we're just going to be our own internet for a while. The other thing is you could try to put out IDSes and try to catch us. You could do typical Akamai anti-DoS stuff, and then I already mentioned the air-gapping of systems.

All right, so for segregating, you could either physically cut the wires, or you could just put such aggressive filters on it that almost nothing gets through. And the way that I get around this is, again, I said I've already prepositioned everything, presumably before any of this stuff is going down. So, yeah, okay, you cut yourself off from the internet, but I still have a bunch of compromised computers on your network from before it's been cut off, and I can still communicate with them through ways besides the internet. So I can still attack you even if you segregate yourself. So thanks, but that's not going to work.

The next thing is filtering. So, you know, like the US is working on this so-called Einstein IDS thing, right? So obviously they think that this is a good idea, but I don't think it's that great. So the botnet clients that I'm shipping, their communication, the exploits I'm using, these are all custom things, so there won't be specific signatures for them.
There might be some generic ones, but as you'll see, I'm going to test against all the antivirus and stuff that I can get my hands on, so it's going to be really hard with a filtering device to catch this. And the other thing is, because I'm using, so I don't just use the same one piece of bot code or the same one RAT or whatever, I have lots of different versions of each one that are each different. So if by chance my guy totally screws up one day and he gets caught, and then they ship this off to, you know, McAfee and Symantec and all this stuff, and they have signatures and all that, it's not like, hey, we caught this guy at Google, oh crap, we also see that the same thing is being used here, here, here and here, right? So that's not going to happen, because I'm going to have so many different versions of all my software.

And what about, you know, in the denial of service case? You know, they really, really want their website to be up, so they hire Akamai, or they set up their own sort of system. And so I would say, well, because, first of all, I have this enormous botnet, and second of all, it's geographically diverse. So that's the main thing that they use to stop you, and so it won't actually help you here. And then I already mentioned air gap systems. Well, for one thing, you can't actually air gap every system, or else the internet doesn't exist, right? And the other thing is, I already mentioned that I would try to own the ones that are air gapped.

Okay, so now let's talk about... that's what I want to do and why I think it will be hard to defend against, and now let's talk about exactly what I think I'm going to need. Do you see me in this picture? It's like a Where's Waldo. I'm on my iPhone in the background. I must be in the doghouse at this point. I'm not up by the leader. Okay, so these are all the guys I think I'm going to need. I don't know if you can see it. I'm going to go through each one.
So you don't need to worry about it for now. These are all the different job titles, so they'll be, you know, advertising on Threatpost or something: "Hey, seeking person willing to develop vulnerabilities." All right, and then part of this too is, I had a conversation with someone about, like, how are you gonna get these people, right? I guess I'll get into this later. So let me just talk for now about this.

So you're gonna need people who can find bugs, right? Because you gotta have your zero-days. So I was saying it's gonna be tough, like this isn't something you're gonna start with, like, take a high school kid and then train them to do it, right? You're gonna probably have to find some people who already know what they're doing. So you're gonna try to hire all these people, and then you're gonna set them to their tasks: find bugs in browsers, find bugs in core services like DNS and HTTP servers and core routers, and then maybe phones, whatever. And then you're also gonna want them looking for bugs in kernels, like Tavis and Julien. These bugs will allow you to get all the privileges, allow you to break out of sandboxes, that sort of thing.

The next thing you're gonna need is people to take those vulnerabilities and turn them into exploits. So it used to be that basically the same person who found bugs could write exploits, but now it's getting so hard, it's almost a different skill set. For example, I'm way better at finding bugs than writing exploits. So these guys are gonna be writing exploits for known vulnerabilities and for zero-days. That takes a lot of skill with all the defenses that are put in place by operating system vendors these days. They're all gonna have to write it for, you know, Windows, Linux, Cisco, whatever. They're gonna have to be able to defeat ASLR, sandboxing, whatever they run into.
That's hard. So those are the guys who are gonna be writing the exploits. The next are gonna be the guys who are trying to get nodes for the botnet, right? I personally will try to recommend him not doing that, because it's so yucky, but he might want to do it. So for this I'm gonna be using the client-side exploits that my exploit writers are writing, and these are, like I already mentioned, gonna be for known vulnerabilities, and then just do the same thing that the stupid criminals do. Oh, and I'm also gonna have servers that are serving out these exploits, so I have to maintain those.

And then once I have this gigantic botnet, I'm gonna have people who are in charge of making sure that it's always up. They're gonna test that it works, make sure that it's diverse, that sort of thing. Also, occasionally people are gonna reinstall their system, buy new computers, that sort of thing. So this is gonna be their job, to make sure that the botnet as is continues to be useful.

Next are gonna be the guys who are basically like the pen testers, who are gonna be getting into these hard targets. So they have to research networks, be able to use exploits obviously, figure out how to expand within a network, install things, whatever. Then the remote personnel are gonna be the guys who are sort of physically spread out throughout the world, trying to make sure that we have this redundant communication, trying to get jobs in important places, bribing janitors, whatever.

And then I'm gonna have to have a bunch of developers who are gonna be writing my tools for me. Like, writing a botnet is just software; you can get any developer to do that if you pay them adequately and put a bag over their head or whatever. What else? We're gonna need tools for everybody else, and some of this stuff is gonna be like rootkits in the kernel, so we're gonna need some kernel developers. And then, it's important, although I hate to admit it, testers are really important. They're gonna have to test exploits and all our tools, make sure everything's functioning, and they're gonna buy like every IDS on earth and make sure none of our stuff's detected, check that periodically.

And then if you take a guy like Mark Dowd, he's the smartest guy that I've ever met, but still he doesn't know about SCADA or about whatever very particular niche that we care about. So we're gonna have to have consultants come in and tell us what to do, as far as if we want to take down these very specific things like SCADA systems or something. And then we've got to have your sysadmins to keep things running. That's it. So these are the different job titles.

Let's see, 15 minutes. I think I have some time. So next is how much I think these are gonna cost, how many people I think I need for each of these. All right, and then for costs, I only talk about hardware, software and people. I'm assuming that North Korea has some buildings set up and stuff, and they already have support staff to make sure we have electricity and that sort of stuff, and, you know, people don't really need health insurance and retirement there. So that's an issue.

So this is what I was alluding to earlier. In my story they got me the old-fashioned way, right? They kidnapped me. Not everyone's gonna go for that, right? You're not gonna be able to kidnap like a thousand people. So how are you gonna get people to do this cyber army thing? So there's a couple of ways. First, I'd pay them pretty good, right?
So pay is always good, but still, no matter how much you pay someone, they might be really patriotic, or they might be like, "Well, I'm sort of worried about after the cyber attack. Like, what are you gonna do with me?" So it might be hard to get people to do this, right? So originally, when I talked at NATO, I didn't really talk about this subject. This came up in the question-and-answer part. So I was just like, "Well, I'm just gonna pay them a lot." But there's other ways you could do it, like various movie plots, right? So you hire lots of consulting companies, give each one little piece: "Hey, I want you to develop this piece of code," and it's kind of like a piece of bot software or whatever, or "I want to buy a zero-day exploit from you," whatever. And so between all that you get enough tools to do the things you want to do.

And it's better, like, so this was something else pointed out to me. It was like, "Well, by hiring your cyber army, you are hiring up all the best people, right? And all of a sudden, next year at Black Hat, there's like nobody there." So people are gonna notice there's something going on, right? And I was like, oh, that is true. So it's better if you can figure out a way to do the consulting route or something.

Okay, so here's the number of people and what I think it'll cost. I'm gonna be kind of quick; you can check out the slides for details. So vulnerability analysts, basically what I consider myself, someone who finds bugs. So you need like ten guys that you're gonna pay very, very well to find all the bugs. I think it's hard, but I'm biased because that's what I do. And then like ten just CS majors, right, guys who just graduated but don't necessarily know much. And so three million dollars a year for these guys. Exploit developers.
So these are the guys who are figuring out... first you've got ten guys who are super elite dudes; they know how to get around, they can figure out new ways to get around mitigations. So there's sort of, almost like the theoretical guys, and they're also writing some exploits. Then you've got 40 of these guys who basically know how to write exploits, but they're not rocking the world with their research or anything, and you've just got like 20 dudes to kick around too. So seven million bucks for those guys. These are all US dollars too, like you can probably do it way cheaper in Korea, but I don't know what Korean currency is like. And then these guys, these are the guys who are basically like the current criminals, right? The guys who get nodes for the botnet. So 50 good guys, 10, like... I always like to have like 10 guys to kick around. So four million dollars.

Then the 200. So this is like the majority, almost half of my workforce I think are these guys. These are guys who just try to maintain this huge, huge botnet, make sure it's still working, test it, that sort of thing: 200 guys who have degrees in computer science and then like 20 other college kids. 12 million dollars. These are the pen tester guys: 50 of those guys, because there's gonna be a lot of networks they're gonna want to get into. For comparison, the company I work for is like 12 guys.
So this army is way huger than mine. Yeah, 10 guys to kick around. These are the guys that are wandering around the world trying to get jobs and stuff. I said I don't actually pay for them, because I figure it's not really a technical job, right? North Korea probably has people who are already good at this. So these are the developers, the guys writing the code for us, right, the botnet, that sort of thing: 10 really skilled guys, 20 just straight out of college, and then 10 kick-around guys. Testers, and then these are like everyone else. So these are the consultants. I'm gonna drop two million dollars a year on people that tell me how SCADA systems work and how the Wall Street systems work and that sort of thing. And again, maybe I'm biased because I'm a consultant. Sysadmins, and then managers. As much as I hate managers, I end up spending a fortune on them. So six million dollars.

Okay, what kind of equipment do I need? Well, I don't think I need that much equipment really. So a couple of computers for people to work on, like a real kick-ass lab with all the equipment, like core routers and that sort of thing, switches, phones, whatever, and then of course the mandatory software you would need. And what about the servers that are gonna host our exploits for collecting bots? We'll just take those over; we don't need to actually buy them.

All right, so in all, my cyber army: 600 people, with 45 million in salary. So it's not a bad average salary. And three million in equipment. All right, so here's the pie charts.
Yeah, truly, this is like in my slide deck I would present to the great leader. So on the left is how many people, and on the right is how much they cost. So you can see the biggest pie chunk is the guys who are just maintaining the botnet, and then the sort of super advanced people are the ones in the top. So in yellow, they're like the pentesting-type guys, and the green are the exploit writers, and in the middle, the little blue pie slices are the guys who find bugs. I have sysadmins... where are the sysadmins? I don't know where they are on here. They are... they're red. They're the teeny little sliver next to the operators. So yeah, they're willing to work for us today, I'm sure.

All right, so then, I can't just roll this out immediately. So I have to take some time to get everything going, and I have a two-year plan, and this is it. Okay, so what am I gonna do? And I assume, I'm not counting the part where it takes time to hire everybody and get everyone sitting at their desk and stuff or whatever, but like when we're ready to go. For the first three months, we're gonna get our remote guys flown out around the world, starting to set up their equipment, trying to get jobs. Meanwhile, the analyst guys start looking for bugs, exploit developers start writing and polishing exploits for known vulnerabilities, the developers start writing their bot software and their RATs, and there's just some basic research done, like who do we think the hard targets are gonna be, what sort of systems they use. It's very basic research at this point. So three months down the drain, and Kim Jong-il is like, "Okay, we're ready to roll, right?" Yeah, yeah. And we haven't really done anything yet, but trust me, two years.
We're gonna be ready to rock. Okay, next three months. Hopefully the bug finder guys have found a couple of zero-days, some DoS bugs in, like, DNS servers or whatever. The exploit writers start writing exploits based on those bugs they found, or for the bot, or whatever. We start to collect botnets. Hard targets: we start, like typical pentesting, trying to get trust established and that sort of thing, Robin Sage-ing it, so to speak.

Okay, next three months. We start to get into the hard targets with our zero-days. We start to clean up and collect. So we've set up our botnet; at this point it's somewhere like 500,000 hosts or something, which by cybercriminal standards is pretty small. I've got all of our remote communications all set up. We're still writing some software, because remember, we can't just have one; we need to have like ten copies, ten different versions, of every piece of software we use.

So after one year's gone by, this is like a huge investment, right? Kim Jong-il has spent $50 million and he's wanting to know what's going on. Well, we're sort of in some hard networks. We're not controlling them totally yet. We've got five million hosts, which is a pretty large botnet by today's standards, not like blow-you-away, but it's big. We've got zero-days, exploits available for most things that we would want. Sometimes some of these are gonna get patched; we'll have to have new ones, so we have multiple of each. And we're inside some critical systems. Maybe we've gotten into a couple of air-gapped ones.

Six more months. By now the hard networks are basically totally owned; it's gonna be really hard to ever get us out. Our botnet is getting pretty enormous at this point.
So a hundred million hosts. We've got lots of zero-days, and we've gotten into many of the air-gapped systems and are starting to compromise those. Finally, after two years, basically all the hard targets we thought we would care about, we totally own them. Maybe we've gotten caught a couple of times, but for the most part we're in good shape. We've got, and this is like... I would love to see if this is possible, 20% of personal computers owned by us. It sounds like a lot, but if you think about how many grandmas and stuff are out there, it seems reasonable. And then of course the air-gapped systems.

Okay, so then one day Kim Jong-il walks in with his generals or whatever and he's like, "Okay, Charlie, today's the day that I paid you for. Today's the day we attack, right? Somebody pissed me off." So these are the kind of things I can imagine doing, and the bottom line is, if given the two years' advance notice, it's pretty much a done deal at this point.

Okay, so conclusions. Yes, so they never stood a chance against me and the leader, although he prefers champagne and I like beer. Okay, so what lessons can you draw from this? As much fun as I had thinking this up, I went to NATO, for God's sake, right? So it couldn't have been that evil. I was hoping that some good would come from it, and there's not much you can really do, but there's some stuff you can do.

The idea is that with enough patience and money and time, it's gonna be really hard to stop a skilled attacker. This is the typical defender's dilemma. And again, the caveat is I play offense only, so maybe I'm sort of biased that way. The other thing is, I spend all my money on people.
I think people are way more important than equipment for this. And taking down the whole internet, I don't know about that. But the point is, it'll be even harder if you want to take down parts of the internet and not your own. But for me, I don't care, as a North Korean citizen. There's lots of talk about backdoors and everything you see in the media. I don't think North Korea could really easily do that, and I don't even think it's necessary. So I don't think that will be part of the plan. The other thing is that my cyber war plans involve people being around the world and doing things. It's not just something you can do totally remotely.

So what about defense? The only thing that you can really take away from this, I think, defensively, is that you have time, right? So when Kim Jong-il walked into my office after two years, the US was screwed. There's nothing that was gonna stop me at that point. But for those two years I was building up, that would have been time you could have tried to detect it and stop it. So that's sort of that. I hope the takeaway is that it's gonna take time, and you're gonna have a chance to catch the people early, but by the end it's gonna be too late. And then I go on my little rant about how vendors need to write better software and that sort of thing, but that was mostly for the NATO guys. I even took out a whole slide about that.

Okay, thanks to the guys who gave me an early read of this, because again, I usually feel more comfortable with assembly language on the screen, because no one can argue with what XOR does. But this is sort of a lot of opinion, so I wanted to make sure I was on base. And that's it. So, happy. I guess I'm headed to another room, or Can free one one two, if you want to chat about building the cyber army or check out my crane.