All right, ladies and gentlemen, welcome back to our panel of Red Team Black. So I'm going to start with a few questions dedicated to our two speakers. And then I'm going to go more into general Red Team questions if we have time. So I will start with you, Olivier. We had some questions about RDP. Of course, RDP is very well used in the industry. It's built in on Windows. You can use it on Linux. You can use it on Mac. The question was, are there better alternatives to RDP?

I would say wrap RDP in an SSH tunnel. But that might not be convenient. That might be a bit of a troll. No, I think this is the standard. It's really efficient. So there are some proprietary alternatives. And the problem is you need to control the server and the client. You need the flexibility, you need the deployment. So it kind of makes sense that it is in Microsoft's control. So it's a difficult question. And I think it relies on a lot of things. But let's say I would be, I don't know, I just don't. I control all my computing. I don't care about anyone. And I don't need to because, let's say I'm a CSE, something like that. They are a secret service. Then OK, just use something else and enforce it. And make sure you audit it properly because RDP has been audited a lot. But if you are anyone else than a secret service, I mean, you must pretty much use RDP. And using something else, it might not have been scrutinized as well as RDP. So no, I think my advice on this still holds: wrap it in something else, wrap it in a VPN, keep monitoring it, and maybe speak with Devolutions. And I know I'm plugging a vendor here, but they really understand it. And look at what they're trying to do to make sure that it's secure. And if you can't do VPN, or if it's too clunky, too complicated, there are also other vendors doing that. But if you want to avoid additional costs, I think just VPN and making sure that nothing is exposed is a good step. And keep patching, keep patching.
All right, thank you. For Rola: do you have insights on which type of domains, like big tech, large orgs, brands, that you got the most amount of emails from?

I don't want to single out any single provider, but I will say that in general, it's a numbers game. So the more keystrokes and the more attempts, I guess, to communicate with the domain name system, the more likely you're going to land on a typo squat. So the longer the domain, the more likely it is that there's a typo in it. And the more, in this case, emails are being sent, the more likely it is one of those is going to be a typo. So I would say think about the big providers that have millions and millions of emails going through every second, every minute. And typically, the longer the domain, the more likely it is there's going to be a typo in it.

OK, yeah, cool. Next one for Olivier. In your research, I don't know if you read about MS Remote Desktop Services, which encapsulate RDP into HTTPS. Do you know if it resolved many of the problems you presented today?

I honestly thought that this was RD Gateway. So I think it is RD Gateway. Is the person who has the question still here? Because if it is RD Gateway, then it was in my future work slide. So if it's not RD Gateway, then I want to hear about it. But no, honestly, I think this is the Remote Desktop Services. You can enable a gateway which encapsulates it in HTTPS. And so for the NLA, NTLM attack, it means yes. But now, how have they implemented it? If they have implemented it by just layering HTTP on top of it, then as soon as I get to implement that in PyRDP, I'll have access. And if they haven't changed anything, and they have no reason to have changed the underlying protocol, it's just another encapsulation. I believe that our attack will still work. But right now, it doesn't, because we need to do that HTTPS decapsulation. And to be honest, that code is so complex. The guy, are they still here?
That code is so complex and hard to maintain that if I ever keep up with it, I might attack it. Or I'll need other interns to do it for me, because I'm not that bright. OK. It's sad, but I'm aging.

So the next question would be for Rola. So you mentioned how to do typosquatting. But let's say you are being typosquatted. So what would you recommend to blue teamers in the room?

Sure. Yeah, that's a really good question. I think the first thing is to be aware that it's happening. It's really easy to look around DNS. There's lots of good tools out there. dnstwist comes to mind. It's a free Python script on GitHub. You can find it for free. There's a lot of web implementations of it as well if you're not into running Python. So just being aware that it's happening to your domain is interesting enough. And then you can start filtering for it and looking for instances of it. You can use tools like dig, nslookup, and just see what kind of records are on that domain name. If there's an MX record, that's a red flag. Just being aware that it's there. And you can do a lot to protect yourself and your users from reaching out to that domain. But it's really hard to police everybody on the internet from looking for that domain. So I guess the next best thing is, depending on who you are and how much leverage you have and where the domain is registered, you could try to do a takedown request if it's a brand infringement. I think the key is first understanding if somebody's doing it. Simply, I would recommend looking at a tool like dnstwist. It's probably a good place to start.

Okay. May I add an additional question? Do you know if they are provisioned to, so we know that you can't purchase Nestle because it's a brand that is a trademark, right? But do you know if typo squatting kind of falls under the trademark infringement stuff?

I'll say that from what I've seen, there are definitely efforts out there to police it, but I think it's on a registrar by registrar basis.
I think it's gonna depend on the TLD. There's a lot of factors at play, but generally, if it is being policed, it's not being policed very well. I think it's incumbent on the trademark owner to actually fight to go and have that domain revoked, and they do have a lot of power. There's a lot of levers in place for brands to protect their trademark that way. I think it's a mixed bag about whether or not you'll be allowed to register it in the first place.

But so you, sorry, Martin, you typo squat pretty big names, right? Yes. And you got nothing. You, like, no one kicked your door or, you know. Not yet. After the talk, maybe we'll see what happens, but no, not yet. For 45 days, so I'll say that those domains have been registered and active for a lot longer than what I started working with them. Okay. But there's a lot of conversations now about what do we do, what's the responsible thing to do with the domains. So I'm open to discussions. If anybody has ideas, I have ideas about it as well, but yeah, so far, got away with it.

Okay. I'm gonna jump, I had some, I had a pocket question about, you know, legal concerns of your research. So I'm gonna, I'm not, I'm just gonna jump on this question. So are there legal concerns about doing typo squatting on a specific company? Is it considered as attacking this company?

Yeah. That's a really good question. And I've lost a lot of sleep over it recently, especially knowing that I'm gonna present it in a very public forum. I think yes. I think depending on what you're doing with it, I don't think owning the domain is necessarily enough to call it a criminal act or an illegal act. I think depending on what you do with it and how you use it, maybe. Is it illegal to steal mail from somebody's mailbox? Is this the same thing? I think there's a lot of questions about it. I think intent is important.
I mean, if I'm in front of a judge and saying, I really wanted those e-transfers, that's one thing, but if it's for security research, I would like to think anyway that we have a society that wants us and encourages us to point these things out and try to correct them. So I mean, in my case, it's a risk I'm willing to take. I'm not gonna share data with anybody. I'm not gonna talk about personal information. And I would discourage anybody from trying this. It's already been proven you can do it. You don't need to do it at home. In the case of a red team engagement, it's a great tool. I think awareness is probably key. So I think, yeah, it should be illegal, but how do you enforce it? How do you police it? Those are the bigger questions. I agree. And would you like to add on this? No. No, thanks for asking, though. But it was a very good question and it's a very difficult situation. I agree. I agree too.

Okay. I work a lot with the Cyber Threat Intel team and most of the companies base their security prioritization on threat actors' documented activities. So I was wondering if you have, for both your research, used such intel. Have you seen attacks like that being made by, for example, ransomware or publicly known groups in their campaigns, in their TTPs? Wanna go first? Go ahead. Yeah?

So recently the Okta breach, which we heard about, was RDP. So yeah, I removed that from the slide unfortunately, but I mean, it was just a screenshot saying, hey, RDP is important, Okta. But yeah, no, so RDP is attacked and there's a lot of IPs out there and some of them are my honeypots. So I'm increasing the number of exposed RDP systems, but it's used then, it's a low hanging fruit and it's brute-forcible. So of course, and the ransomware groups, they're going after the low hanging fruit, but in the Okta case, they purchased credentials on a forum and then you leverage them, and there are RDP credentials for sale on forums.
So yeah, yes, it's real, it's used and it's not gonna go away, but I mean, stop exposing RDP.

In my case, what I can say for sure is that there are a lot of, I mean, I spoke about it a little bit in my slides, just from the three sample domains I looked at, I think it was over 400 different domains with active MX records that were nonsense domains that don't have real services that I'm aware of behind them. The bigger question is who's behind them and what are they using them for? I think the part of my talk that was most interesting and I think impactful for me is that it's a passive technique. I can stand up a mail server completely anonymously on a VPS anywhere in the world and I can receive these emails. What I do with them, I think as an attacker, I think that's something that needs to be researched, maybe canary tokens and sending things out to these addresses and just seeing what happens. I'm really curious about that question as well and I don't know who's behind them. It would be interesting to see. I don't know of any known cases other than other research I've seen on the subject, but I don't doubt that it's happening. Would be my take on it.

Okay, thank you. A quick question for Olivier about RDP. Do you know if two factor authentication or multiple factor authentication would mitigate what you just presented this afternoon?

So I think it depends on how it's implemented and I haven't looked at implementations. I would be interested in knowing popular free ones because I don't wanna pay for a service just to attack it, but let's assume that it's a PIN added at the end of your password. Then the NetNTLM capture would work, but the hash would potentially be harder to crack unless you know what that is, the PIN appended, and then you add that to your cracking rules. So this would still work, but is this how they implement two factor for RDP? I don't know, I'm sorry. No, no, no, but I mean, I needed to ask, but I think it's a fair answer.
Now we're gonna talk about honeypots because it's a field that is growing in the cybersecurity industry and there are some companies that really make products that make it easy to deploy honeypots. So I think PyRDP is a great project to build honeypots. There will be probably something to do with your work, but do you think it would be a great idea to use PyRDP for honeypots and literally have, let's say, sophisticated actors with breadcrumbs, you put some hints, you put some password on the network and have them reach your server and monitor it. What do you think about that?

I think this is what I'm doing right now. No, but the problem is that lately we had actors interact with our honeypots and some of the attacks, they kind of stopped doing them and then I was like, why is so? And looking at the replay, I was like, okay, they're transferring a large amount of files. So I reproduced it and it turns out we have a bug. So the transfer really slows down. I'm not sure quite what this is, but I think that we're so eagerly fetching client-side files that even on a stat system call, so the equivalent of a stat system call like, I wanna know the size of the file and I wanna know the permissions, for example, we are grabbing the file. So if the person mounts a drive with a lot of stuff on it and then drops with thousands of files, drops a folder, well, explorer.exe will do a stat on all these files in order to just show how long the transfer will be. But PyRDP in the middle is doing just like, whoop, whoop, whoop, whoop, whoop, whoop, whoop, whoop, I want all of them, and so we have issues to work on regarding that. So unfortunately I haven't caught, but we know, so we've seen the miner, crypto miner stuff being transferred and stuff like that, but we do have scalability things to look at. Also, for example, like on a typical week, we'll have like 17,000 replay files to look at. So I really have a triage problem.
The problem with those replay files is that they are all unique and binary, but they are all unique and even if you hash them, they're all unique because they are time stamped in that protocol. So I need to find a way, and Lisandro was working on that actually not so long ago, but we need a way to factor out all of the time stamping and the bits of the protocol we don't care about and then focus on the interesting things, because the other thing I want to do with those honeypots, more so than finding threat actors, is finding also attacks like potential zero days or BlueKeep and stuff like that. We do have BlueKeep detections and we do have detection for a couple of them built in, but like, why did the protocol fail, or who is this, what tool is this guy using that is creating this kind of interaction at the protocol level. So we're all looking at that, but it's a shit ton of work and I have a small team and we're not making money with any of this, so this is why it's slow. Makes sense.

All right, I'm gonna jump into more high level questions about red teaming, the field in general. Just do your best, guys. I think it's gonna be fun. So my first question would be, based on your work, what do you think is the cyber security industry's best next move?

That's a really kind of big question, I think. The next best move for the cyber security industry, I think, is train more people. I think there's a lot of need in cyber security and not necessarily experts of a super high caliber, but there's a lot of work and just grunt work that goes into research, whether it's going through honeypot files or looking at stats and email collection. There's a lot of work that can be done and I think there's a lot of interest in the field, and I think hire more people is probably the first thing I would say is the next best thing we can do. Train more people. I'm glad you finished with train, because hiring more people is tough right now. Okay, I'll try, this is super accurate and good.
I'll try to go in a different direction. Okay, so during the pandemic, something that I was not doing a lot that I started doing again is play D&D, Dungeons and Dragons, and I'll link it with cyber security. So one of the first things, not the first, one of the latest offerings of my company is tabletop exercises for threat simulation, and so what I liked when I heard that is that we are now in a state where we are assuming breach. We no longer think we're gonna protect them. We are assuming breach, but now we are testing you. How are you gonna react? And what's the drill? Do you have plans? And this can be done in a simulated way without much cost. And what's interesting is that you can go deeper and then validate it one day. We'll have red teamers validate the plans, but for most organizations, and we deal with medium-sized companies and smaller companies, but for most of them, sitting down with smart people to play some corporate D&D. Okay, let's simulate like, oh, this user received an email and clicked on that link. What's your visibility? It was downloaded. What do you have on your endpoint? And then you just go through this mental exercise and then eventually you say like, oh, the computer is getting encrypted. What are the mapped drives that are accessible to that computer? And you just play, you even could roll some dice if you want. Like, oh, the N drive was encrypted. I had eight. I'm making this shit up. And I'm not doing it the service, it probably doesn't look like that at all, but to me, it sounds interesting. And then you can, this is very effective and low cost because it's just a long half-hour, half-day meeting of simulation. And then imagine the client has a long list of stuff to look at. He was like, I couldn't answer half of the questions. And so then you come back and then you iterate.
So I think we are at a maturity level where we can get a lot done, and effectively done, to get better by knowing how long to spend and then buying the things that will protect us, but not buy first because you have a capex, you know, use humans to buy products intelligently instead. And I think this is where we should go.

Awesome, awesome answer. I was gonna talk about purple teaming. I think the industry really needs purple team exercises. They shouldn't pay for big red teams just for having a surprise and a big report that shows them that they have some mistakes. But I really like your answer. I would love to be invited to such a Dungeons and Dragons game. So another question, not an easy one, but anyway. What's the best way to use a red team for companies? Again, based on your work, if you can. Like, should it be to shake, to rattle the company's cage to show that security is important? Should it be to ramp up the technology, the process, the humans? How do you see red teaming in the industry?

It's a really good question. And I think a lot of times red teaming, penetration testing is misplaced. It's the sexy thing to do, right? We're gonna hire some hackers and they're gonna show us how they broke in. I think it's often mistimed or maybe not conducted in the right frame of mind, in the right context. If we used an analogy earlier, if I take my five-year-old and bring her to the Taekwondo arena and I say, test her. What's the result gonna be? I don't know if it's a very productive exercise to just do red team engagements without first taking the baby steps before you're ready for it. I think purple teaming is a great use of red team assets to work alongside and train blue teams, train against each other. And I think that red teams are a great validation tool, and I think when you reach a certain maturity in your security organization, that's when a red team is really valuable.
But I think you can start with basics and not necessarily need a red team to introduce you to the basic best security practices all the time would be, I guess, my opinion on that. Thank you.

And it's also kind of a bloated term right now, like everyone's a red teamer. I don't know, man, I'm sure you're not. And if you have a scope, are you really a red teamer type stuff? But I think this is the definitions, and we don't have, do we have standards bodies that define what these are, or we're just like...

The problem is that there are many definitions. If you follow SpecterOps, you have their own definition of red team. If you read someone else, it's something else. I think it's a language abuse. So red team is usually used for offensive security or just pen testing, ethical hacking. In my opinion, red teaming is really about, you know, training technology, process, humans. I follow more the SpecterOps definition. So it's about simulating a threat actor by using several TTPs to create training opportunities for a blue team. But in the industry, it's used for anything, you're right. Yeah.

Good answer, Martin. No, but I just want this to be clear, right? He is the one who should answer those questions. So this guy manages a red team at a large institution and he, like I am a director of research, and what about you? I didn't read you.

I like red teaming stuff, but I'm not a red teamer either. I'm interested in it, but I'm definitely not at the caliber of either of these guys. But I don't need to be to pull off an effective attack either, which is sort of what I was getting at: we don't need the best hacker in the world to prove that you're fundamentally insecure. So I think there's a time and a place to conduct these exercises and again, you know, my white belt five year old is not going to stand a chance in a sparring session against a trained, yeah, exactly, there you go.
So I think context matters, and time and place, and asking yourself, why are we hiring a red team? For what, to embarrass us? Are we doing it to actually improve our security culture? I think that's what it comes down to. All right.

That's gonna be my... So the next red team question goes to Martin directly. Do you want me to read it? Okay, I'm gonna try, but... Or we'll have like us and then you. That's nice, I think. Well, I was gonna say it's my last question. We have just a few minutes left, but I will try to answer it. And it's, I like the... It's the worst question because I know it will raise a debate, but... Nice. It's about red team, the R-T-O-S-T debate. So red team open source tools. So a lot of people care about sharing. They say that sharing is caring. You should publish your open source tools. You both have very awesome research. It can be good, it can be used for the good but also for the bad. And so what do you think about publishing all your work? You said, Rola, before that you wouldn't publish your data, but maybe you will publish tools to accelerate this work. So what do you think about this debate, and would you publish your job?

I'm a little bit biased because I'm a net beneficiary of open source tools. I'm not a net contributor. I think there's a lot of value in open source, but I do respect the fact that people will spend a lot of time developing techniques and developing tools for themselves. Personally I'm on the side of open source. I think if you discover a vulnerability you should disclose it and do a course. I think putting tools out there that people can take advantage of. They're great learning tools, as you say. I tend to be on the open source side of things. But again, I'm biased because I haven't spent hundreds of hours developing a tool that may be obsolete three days after I release it.

You want me to answer first? Oh man, I'm kind of a philosopher in my times. And I think we lack perspective.
Like, piracy existed and was authorized, or happened without anyone doing anything against it. Because it was, you know, all countries were separated. But then eventually the pirates did so much damage that the countries had to get together and create this international zone and then fucking kill them, you know, get rid of them, because they were losing so much money. So I think we're at the era, like basically we're creating firearms, okay? I wouldn't, like, this is not GoSecure's opinion or anything. This is my own here, okay? I think we're creating firearms and I don't think you're allowed to create firearms right now, right? I don't know, to be honest, I don't know. I know people tried to 3D print them. Maybe we're allowed, and in Canada and the US it's probably different. But I think that we lack this perspective. So for now we're doing it, we're having fun. But eventually, 100 years from now, if climate change didn't kill all of us, we will look at this and be like, these guys were crazy. Like, they were allowed to create destructive tools and put them online, whereas the defenders were not sharing, right? That's the asymmetry of it right now. And now the blue team folks now are sharing. Twitter accounts with IOCs automated and stuff like that. And there's a lot of blue team talks, good blue team talks now. When I started, that didn't exist. Blue team were kinda like, this must suck. You look at IDS all day. I'm bugging the pentest badass. Now blue team is sexy, which is good, which is very important, which is part of the education that is going on. But they still have sharing problems, because the organizations that they are in don't understand that they should share. It's not the fault of the blue teamers themselves, it's the fault of their organizations. And so this asymmetry is not helping them.
And so the red team, they collaborate, they create Patreons, they have tools, you can now have like paid-for offensive tooling that eventually becomes free, like the Porchetta Industries guys, which are very good. They're actually really, really good with RDP right now, following all that stuff. And at one point, maybe we'll be like, you know what? And it will be an incident. Something will get hacked that is so fucking bad that we'll be like, okay, you know what, it was a bad idea. The whole thing of like, cause they'll use fucking Cobalt Strike and stuff like that. And so, and sorry if I'm talking against you, you'll have time, you'll be retired by then. But I don't think it makes sense if you think of it from far enough. And last thing, I told you I was a philosopher, okay? So think about this: at one point, fire protection, you had to pay for it, okay? You had a badge on your house. It was like up in with money. And if you didn't have that, the firemen would come and water the house that had the little badge, but the other house would burn, right? So eventually it became so much of an issue that it was nationalized or municipalized. I'm not sure which, but like it's part of the things that we need as a society. And so I think eventually government will be so pissed off that it costs so much money to so many companies that there will be like, you know, AV and ISP protection and security in general will be mandatory, like built in the things, and which means that, and if it's regulated, it will mean like anything trying to be against that will be outlawed, maybe. I don't know. I'm just a philosopher. I should write a book.

We just need to finish on that. That was an amazing question. So thank you, everyone. I hope you enjoyed. I wish you a lot of flags this weekend. Pray with me for a Windows track, maybe. It would be fun. And that's it. Thank you, everyone.