Oh, yeah, I need a little thing. Action! Action! How'd They Get Hacked? Episode 5. Tom Lawrence. Xavier Johnson. More re-snash. All right. And Arizona is not a sponsor, but we're reading the ingredients list. The ingredients list on this Arizona: nothing about endpoint security. Pwnage! Yeah, that's not really smart, Arizona. I love you, and I've been giving you $1 bills for quite the time. Me too. And I'm just sad that you haven't at least taken $0.30 on every buck to put into endpoint protection. That is a great, great point. That's a great point. So, yeah, we realized that, if you didn't know, Arizona Tea got hacked. They got crypto-lockered, like so many other people. And yeah, unfortunately for them, it sounds like they didn't have a good plan in place. But maybe that's how they keep the prices low, because it's been $0.99 for a long time. Or maybe it's just water and leaves, right? Like, maybe tea leaves and water don't take that much money to make. Maybe the margins are just there. Maybe they thought that just tea leaves and water don't need to be that secure. Yeah. I don't think their ingredients are all that secret. No one wants to compete with the $0.99 tea company. I'm going to throw it out there, because even your Pepsi and everything else has a lot more money. Right. Not enough sugar. Not enough sugar. Not enough sugar. We actually buy these Arizonas in bulk here at the office. There's like a stack of them over there. Yeah, so this is unfortunate. This is another one of those. I mean, you guys already know where we're going to go with this, right? Defense in depth, detective controls, regular backups, hygiene. These are the ways that you avoid it. Okay, so let's say you do get crypto-lockered, right? You run into a ransomware attack. You know, you can't find a key. You can't go to nomoreransom.org. And you can't go get a key, right? So what do you do? Well, in Windows, you go to that restore point. You go click the button.
You go, okay, now my system's back to normal. So you have to have that mentality about all of your other systems, right? Yeah. Your file server. Your email servers. Your email servers. Every single server you have, you need to be making an image of regularly: if not daily, weekly; if not weekly, at least monthly, right? Because otherwise, you'll be like these guys. And now Arizona's going to be more expensive, right? This is why we can't have nice things. Yeah, or pay more for things. Well, we might not get Arizona, because they have been down for a couple weeks. Yeah, it's not going well. They can't process orders. They can't even sell Arizona tea anymore. I'm glad I have a stockpile of it, because now the value is more than $0.99. Oh boy. Because the stores will run out. I read that their systems are only back up by 60%. So that's not so bad when you think about it. But if one of them is that ordering system, it's really bad. Call us. We'll get that together for you. It's estimated millions. It's estimated millions a day. We'll work for tea. We'll work for tea. Well, I don't know about that. A little more than tea. A little more than tea. A little more than tea.

Now, I'll link, this is all going to be in the show notes here. Something interesting happened at the Mar-a-Lago resort, where President Trump goes and visits a whole lot. Oh boy. Yeah. And the news loves to spin everything out there. And we can all sit around speculating. But one of the things I wanted to link to is exactly what happened. And it's the official Secret Service report. And I'll just read the basics of it. So on March 30th, 2019, physical screening was conducted by the Secret Service once Mar-a-Lago staff determined an individual was to be granted access to the property. After a first physical screening, Mar-a-Lago staff transported the individual by shuttle to the next screening checkpoint. Individuals are prohibited from disembarking the shuttle between screenings, and the route is monitored by Secret Service personnel. So there's like two levels of screening to get these people in there, it sounds like. And the first one's like, ah, you look like someone who belongs here. And then the Secret Service determines officially whether or not you're someone who belongs here. So the news tries to make it like there's an attack, and they're digging up every article of everything on there. And that's all great and all. But let's talk about what actually happened. Now, we don't know for sure if she was actually there to do good or bad, or if she was just someone with an infected thumb drive. Definitely suspicious, but there's not a lot more information. But we do know that throwing USB drives around is highly effective, because people can't resist plugging them in. So those are things that we do know as a potential vector. We also, interesting that she's a, it sounds like she's a Chinese national and had a lot of reasons that weren't adding up as to why she was there. Claiming she attended events and things like that. So those are all some of the facts that we do know about it. But it is an interesting, bold attack, but it feels too bold to be a national security agency like China. She was naming people that weren't even there. Yeah. So it's kind of shady. I find this to be one of those situations where, for one, I don't want to speculate on it. Because it's way too scary. Yeah. If I start to speculate on it, it gets really, really creepy. Because let's talk about a situation where maybe Russia and China together are covertly trying to work together to penetrate our systems. And maybe Russia has the payloads and has the abilities and the capabilities, and China may have the people and the relationships to be able to get certain people into certain areas. And it's also one of those questions that I have that is related to it.
Is it the classic thing you see in the movies, where you toss the coin and see what the security guards do when they hear a noise? You drop someone in who really doesn't know anything. So there's no potential like this. We're just burning this person. You drop them out there and you just watch what happens. You watch who comes out of the woodwork, what protocols were used, because we're testing those protocols. But you know what, as a red teamer, I can't say this, and any other red team that's watching this can hear me out: I don't run Angry IP Scanner until I'm very finished with everything that I need. I've already gotten everything off of the network. I don't go loud until I'm actually trying to be found. So for me to get to the point where, you know, I throw the coin to see what security does, I've already penetrated them to a certain extent. So even then this is really, really bad, because how deep are they into our system? I can't go to Mar-a-Lago and get past the first layer of security. I'm a good guy. So yeah, it's interesting. Yeah, I thought it was interesting because, like I said, there's a real physical component to these cyber attacks, and it's about getting deployments. In reality, no matter what the news says, based on the Secret Service report and everything that we know about this, they were far from... and at the time there was not... there's always probably some related staff there, because it's a business that Trump owns, but it's not... I hate all the speculation when they do the mental gymnastics and do this and this. Remember back when this happened, or you used an insecure phone? Yeah, it doesn't seem like they're going to shove a USB in the phone. That's probably not the attack vector they were working on here. You can, I know. But it seems more likely that this was to try to gain access. Shout out to Darren Kitchen and Hak5 and the Rubber Ducky, because that attack vector, on the Soulverse, that if you plug it into a phone, it does things.
But I think we're going to see more of the cyber... we are seeing more all the time, and it makes me want to read some of the Cold War books, because these tactics aren't exactly new; they're just being applied to new platforms. It's still spy games. The Cold War changed. It sure ended between us and Russia, but now there's a different type of Cold War, where there's not as many guns involved; it's just cyber security attacks. I wouldn't even really call this cold, Tom. This may be one of the hottest wars ever that's been going on for the last 10 years, and we've been very unaware. And I think over the last five years it's gotten a bit warmer because of our political climate. And after things like Stuxnet come to light. There's a whole book out on Stuxnet, on how our government participated in this. And I think that if we weren't the first people to do it, then we're already losing the war, because we were the first people to make it to the moon. So hopefully this is because we've inspired the rest of the world to make cyber arms and not the other way around. Because if we're behind, then that's not good. Yeah, I think we're a little behind on it. We're getting there. And we'll ramp up quick to it, hopefully. But it's the Israelis, I'm sorry, they're on top of it. We play second fiddle to their cyber security stuff. They're just, it's part of their military. It's like an open piece. We have the NSA. They have, I can't remember the name of it, but it's a special unit of the military that's... I'll find a link in the show notes to discuss that. There's a great Darknet Diaries episode that just covers how Israel works their military into their cyber security as one unit. It's brilliant. It's... Unit 8200, if you want to go look into that. Yes, Unit 8200. Dig into that. And it's just, wow.

This was, it's security related, because it's your data.
We already know Facebook, basically, and nothing has said more about Facebook, but if you've had your data on Facebook, it's been pwned at some point. It's been dumped somewhere. Your password's just, if you're going to be on Facebook, change your password every now and then, because who knows if they still have it in plain text, but this is... At least every three months. At least every three months, because it's Facebook. Who knows what they're doing with that password? Don't reuse it anywhere, because they have copies of it. But anyways, which they said we're sorry for. Whoops. Yeah, they always say we're sorry. That's it. But this is something interesting, and Facebook is starting to slowly address all of its issues related to elections and everything else and buying ads for political things, but now carding as a service. Wow, if you want to buy illegal things, Facebook Marketplace, turns out, no problem there. Facebook's only recently decided to start taking this down. So peddling wares, peddling access, peddling your credit card number, and people selling it: I'll sell this credit card, I'll sell this bulk of credit cards. Publicly, on Facebook Marketplace, and there's a link here of all the screenshots, and it's only by these big agencies, such as Talos and Krebs on Security, both covering this, that Facebook goes, oh, well, I guess that probably shouldn't be on the Marketplace. I mean, the Marketplace does say not to do illegal things, but no one's actually enforcing it. Have you ever visited the Facebook Marketplace? You know there's items on there that shouldn't be there. And so that kind of puts me in a weird situation, just because I understand where they're coming from as Facebook, excuse me, but didn't we have two dudes just go to jail for running Backpage? Yeah. They were giving people... put things on the website that they had no control over, not to mention they worked with federal agencies to be able to, you know... To investigate it, yeah.
This is really interesting, that Facebook is just getting... Because of the facilitator, and it's more or less being actively... How do they not know? People are literally, you can type in credit card numbers for sale. It's not like they're doing anything; they're not even using code words here. Right. So I thought that was... Yeah. And this is how you get hacked, right? This is how... Because you put all your personal information on Facebook. Yes. That gets harvested, for one. And then that goes back up for sale on the very platform from which it was harvested. Yeah. And then they add on your credit card number, and then they have a little bit more personal information about you, because they sold your social security number or whatever, and they'll probably sell a link to your Facebook profile at the same time. So you can now answer any security questions that come up, because, oh, look, they posted pictures of their dog, Rover. What's their dog's name? Rover. They posted where they went to high school, where they went to kindergarten. I see it all the time. I see it all the time. Rover. Good old Rover. Complete social engineering attack, because you surrendered all your data there.

Now, this is... This was an interesting Shodan search, and it's taking a little bit... It's finally gaining a little attention, but more than 13,000 misconfigured iSCSI storage clusters are accessible via the public internet. And, wow, if you're not familiar with how iSCSI works. So iSCSI is a data protocol for managing or mounting a hard drive. It's often used in things like... And I have a few videos on this, where when you set up a virtualization server, whether it be VMware, XCP, or other ones, you can use an iSCSI target. And it's basically hard drives mounted across a network. Network. Not the internet. Could you do it across the internet? Yeah, it's a routed protocol. Why is it open to the internet 13,000 times? I don't know.
And in this, if you follow this article in the show notes here, they show they mounted them all, and these are people's backup drives. There are all kinds of things in there. So you mount them just like a hard drive, and you can see that hard drive. They're just completely exposed, and specifically the Shodan search. We already know there's a bunch of encrypted ones. These are all the unencrypted ones, where there's no username or password. The Shodan search is port colon 3260, and then you put the can-answering and equals no-auth. That is all you have to do, and it will dump and list them. That's all in there. And I went and looked today. There's more now than when the article got posted the other day. Wow. As of before I sat down right here an hour ago, there was like another thousand of them out there. Whoopsie. So cool that Shodan is scanning for that. That's interesting. Crazy that there's that much out there. So how do we get around this misconfiguration? I don't know. One of two things. Either someone is just a complete blithering moron, or Lois Bitter. Lois Bitter got the security job. Lois Bitter. There we go. That explains everything. Yeah, because who opens up the hard drive directly to the internet? About 13,000 people. Plus, we're pushing 14,000 as of right now. And maybe more by the time you watch this video. Just a lot of information. Yeah, so that was, it was little things that I was just face-palming about. I never thought to use Shodan to search for iSCSI, because neither did anyone else until they did. And they're like, then they started mounting all the drives, and you're like, wow, I'm just mounting hard drives all over the world. I think we only have about 8,000 of them, or 5,000 in the US. It gets a little smaller when it's here in the US. So, at what point is this illegal, Tom? Because if I go and I mount your hard drive, I didn't go read it. I just mounted it. I didn't take any data. I didn't put any data. It's on the internet.
It's publicly accessible. I mounted it. That's legal, right? Come on. I mean, I know, I don't know, wait, disclaimer. Is it a mounting part? Disclaimer. We aren't giving out legal advice. Yeah. This is not legal advice. But I'm just saying, hypothetically. Because it's, you know, it's like accessing a website. I'm pulling data from it. So, if you pushed it public on there, where does that log in? I'm not logging in. I'm not typing admin and admin. I didn't guess a weak password. Right. No credentials for you. There's no credentials. I'm just going on there and reading, just like a website. And you publicly exposed it. So, I think that opens up, and I don't know, maybe somebody who has better experience can cite which law we would be breaking or not breaking. Meet us in the comments. Thank you. Yeah. Meet us in the comments. That is an interesting aspect of there, because if I didn't pull all that... Now, this is also, because this case got heard here locally. There was a local computer store that swapped computers, because the guys were morons, and they got sued over it. But turns out the other person being in possession of data is not illegal. It was only illegal if that person does that. And the people were not nefarious. It was just a mistake by this other computer company, who had had two similar computers and swapped them to the wrong people. So, now all that personal data is in someone else's hands, but that doesn't break the law, because for the company, there was no intention of doing it. So, here's the thing. If you do it and you do have a bunch of information, as long as you're not intending to do anything, does that fall into the same category? This is interesting stuff. And this is why cyber is so fun. Yeah. And unless you're the one that's setting the case precedent, then it's really, you're going to have a bad time. Is that a call? Johnnie Cochran. Oh, wait. Yeah. Rest in peace.
And the next article I have here is Michigan practice forced to close following ransom attack. And I actually have a client that just told me that was his plan. If HIPAA showed up, he's going to retire. And this wasn't my client that this happened to. That was a Michigan company. Basically, they got ransomware attacked. They didn't have backups. They didn't have the proper ways to mitigate this and no way to restore. So they said, we're just going to close the practice. We're thinking about retiring. We got our perfect excuse to retire. Wow. Talk about your golden parachute by way of CryptoLocker. Yeah. It's like, retiring now. The patients are not happy. It also creates another problem, because the data is encrypted and, if I understood this correctly, it doesn't look like any data was exfiltrated. So they're not in violation in terms of having to notify patients of a breach. It's more of, we lost all your data. And it's kind of sad, because this has come up before. There's a few companies I know that we've tried to get to be more conscious of backups. They're a backup failure away from going out of business too, because they don't have proper redundancies for things. It almost took out this other accounting firm we dealt with. Nothing bad happened in terms of security, which is a shock, since they use the same password everywhere, but the hard drive failed and he had no backups because he didn't feel like paying the bill. He was using his own backup software and he didn't pay Carbonite, so he didn't renew it, and it quit backing up because his credit card expired and he ignored all those notices. And then when it died, he had to pay teams of people, because his backup plan was he printed lots of corporate returns. So someone had to key all those corporate returns back in. So it cost him a lot of money, because the hard drive was shot. Even the data recovery people were like, yeah, that's broke.
I mean, there should be a big warning to small businesses. I mean, I know sometimes they don't have the funding to do such things, but it's very important. Because it could cost you a business in the end, and that's more important than a couple thousand. Yeah. And a lot of them, we've got so many clients like that. You know, it's like, they're rolling in a Mercedes C-Class in the parking lot and you can't sell them on a $200 a month backup solution, or like, whoa, whoa, whoa, man. Great point. I mean, I couldn't get the C-Class then. I just had to pay $400 for my little change. Yeah. I don't want to pay you for your $200 service.

So with so many things, we figured we're going to wrap this show up with walking through some of the layers of security. This is, people ask us about remediation. So obviously two-factor, things like that, we always say that, but we have a little board over here. So if you see our eyes glance over here, it's because we actually made a list so it can be concise. But we're going to start with the first layer: end users. We all want to complain about them, working in a tech world. We know that they're the people who clicked on the stupid link and got the stupid prize, and you want to choke them. You want to be aggravated with the end user that did it. But you also need to do everything you can to protect those end users. So we'll start with a couple of suggestions there. One of them is KnowBe4. If you haven't heard of it, Kevin Mitnick is involved in this. It's a company that does training, and it does cybersecurity training and it does phishing training. So you bring your users in, you run them down the list. It's not boring. They have some pretty cool plans in there and you're like, hey, let's go ahead and train you on this, or what does a phishing email look like? And then you send out sample emails to them, and they give you templates. So you as an IT person can use these templates and test your users.
So you craft these to try to get them to click on links. And if they click on the link that's a phishing one, they win more training. You know, and you work with HR to implement policies. So it's kind of fun. I know they do this at my friends' places who work at universities. There's nothing more fun than getting a professor to click on a phishing link, because they're way smarter than anyone there. Just ask them, and they're willing to proclaim this while they have to go through more training and have to click on phishing emails. There's a local university that maybe we all know about. Did you hear about the invoice attack? No, I did not. So someone started sending out phishing emails with invoices attached. Now, my friends who work somewhere were like, why, as a professor, would you ever get an invoice from the university? And they go, well, that's what we were wondering too. So we all passed them around and opened them. And they wouldn't open. And we went to other computers and tried to open them. So they just basically made a mess of things. And so you want to focus a lot on who they trust, making sure they have a clear escalation path, a process for them. Right? Like, these are the steps you go through as an end user. Here's the question. Here's like red flag questions, like: are people asking for your password? Because IT does not ask you for your password. Never. Was it IT that's calling you? Or was it outside? Look at that extension. Call IT back. You know the number. You know, really train them on that, that someone may be after them. Because they are, because, from a hacking standpoint, how is it the end users? Where are you, pretty much, you go to the IT department and where are you going to get in there? The end users, the first person after the first. Yeah. You're going to walk in there with an ID badge that says I'm from the power company. I'm from Comcast Cable. You're going to walk right past them. No need to get to the hacking and network part.
If I can just get the password from one of the end users. Yeah. And just go straight in. That is like your, you can't, you can't express how much time you should be spending. Almost as much as... you can have a cool fancy firewall in the back. Yeah. And then, and then Bob in accounting goes, he said he was from Comcast. I let him sit down on my computer. He needed to test something. What do you mean? He took all the bank account information. What do you mean? He's the man in the middle. Protect sensitive data. You know, you go drinking at the bar, leave the laptops locked up somewhere. Don't leave them in your car for someone to break into your car and steal it. Or if you're going to do that, encrypt your hard drive. Yeah. Encrypt the hard drive. Do everything you can, but I would say the end user is almost more important than the firewall. Almost. You know what I mean? Because the end user is a trust monitor that goes behind the firewall often. Yes. So if I can get onto, you know, some host that's owned by a person who has access, then I'm going to be able to have, you know, persistent network access. And then I'll be able to laterally move and get on the scanner, and now I have a beachhead. Yeah. And it's like all your scanners. Yeah. You'll end up with whatever that user's permissions are, and that's that edge that they're looking for. And making sure that your end users understand the consequences. Like, you are in trouble if you didn't check that guy's badge that says he's from Comcast. You're in trouble if you swipe someone in under your door access card. Nobody tailgates. And we've mentioned Jayson Street before. No tailgating. That's one of his number one ways in, you know, he shows up just like an old man in a wheelchair and he's like, yeah, I'll do that. Trust no one. Trust no one. Because you feel sorry for him, or he's limping because he's walking with a cane, because he's faking it.
And he goes, oh, can you hold that door for me? And he has a badge that looks right, and you're like, oh man, that guy, poor dude's got his leg hurt. Let me just swipe for him real quick. He didn't have a badge. You just let him in. Or I'll be the dude that just stands outside of your office with a sign that says will work for food. And you know, I have a badge cloner that's right on me and a WiFi Pineapple. Yeah. You got to watch closely all this. But like I said, focusing, that's like one of those really big things.

Next thing: physical layer, locks and door access. Kind of that same thing, though. Making sure you have everything automatically locking. So I like when I go to some of the clients, and I was at a hospital, every door locks behind you. They don't leave, even me, even though I'm a vendor coming in there and I'm being escorted by the IT, they don't leave me in IT rooms. They will lock the door, just stand next to it, lock the door, and then they'll go get something, come back and unlock, and I go back in. That level of access, hey, I completely don't question it. It was inconvenient for me, but it's one of those, they do everything right. I'm fine with that. And make sure your users are trained like that. Never just prop a door open with a, whatever, kick the door open, you set something in there because I got to get back into this room. That door open once, that's that in, that door to the comm room. Make sure those comm rooms are locked. We just did some relocating for a school, because they thought they were secure. Oh boy. You know, they put the, because it was convenient, there was a room big enough where all the IDF was mounted for all the switching, they made it the teachers' lounge, and they don't really check who goes in there because there's a, they go outside and smoke. So there's an external egress there to get in and out, and it's not even a locked rack.
We talked them into putting a locked rack in, but it was just like, you could just reach up into it. I mean, granted, the bottom of it's like six foot off the ground, because it's up high, but it's just like a lounge where they're all hanging out and drinking coffee. And I'm like, you can just plug in anything there. You're on the network right there. No, just exposed wires, no door or anything on there. You got to look at some of those physical layers like that, because that's another spot. I'm going to look, if we're doing a red team pentest, you're going to look for ports to plug into, things like that. Also related to that physical layer: turn off ports that aren't in use. Turn them on as needed. If you do that, if you're running any corporate network and you're running a managed firewall, do you turn off all the extra ports that are plugged into, because you had the area wired, do you just go in? Is anything in any of these ports? Start turning them off. You'll find out if they're needed, because someone will go, hey, I plugged into, you know, room 12 B13 port. It doesn't work. Go back and turn that one on, because you know you need it now. Verify, of course. But turning everything off, and what you're really trying to do is reduce your threat surface. Reduce where it is. There was a, someone on Reddit was doing a breakdown, and as they said, above their pay grade is where it landed. They found the Raspberry Pi plugged into their network, because someone had access to the wiring closet. They figured out who it belonged to, and it's a great read; if I can find it, I'll throw it in there, but it found a mystery device on the network. That was the Reddit title, and the person found out that the keys and the door access they had, that some guy, a contractor who had left, was granted, for reasons unknown to him, 30 days after his departure, access to things. They didn't turn his door card off for 30 extra days. Wow, that's a long time.
Well, it was long enough to go in there and drop a Raspberry Pi in, and they're really not clear on what all it was doing. He did some reverse engineering and figured out at least some of the sniffing it was doing, but that's the kind of stuff that happens. You plug those things in. You have it sitting in a network, and think about how small a Raspberry Pi is, and now you're sitting there exfiltrating data and things like that, either via VPN out, but it becomes part of the network infrastructure. My favorite is the LAN Turtle, personally, because it has the out-of-band 3G. Out-of-band 3G. They knew they were in proximity, because they were using a Raspberry Pi with Wi-Fi. Oh boy. So that's how it hid itself from the network, because it's Wi-Fi, but they know it's getting picked up somewhere local. Gotta go out of band. Yeah, you go out of band like that. Cool point-to-point that just goes four or five miles out. Point-to-point, there's an option. But even 4G is cheap now. Yeah. You can get a 4G and be in someone's network and have cell phone signal. Who's going to listen for a cell phone signal in a network? I wonder if there's one going off right now in my network. Right. There's so many cell phone signals, that's a really hard one to find. Yeah. So that's big on the physical layer. Think about it a lot. It goes right hand-in-hand with the end users, keeping them secure. And this is what some of the red teams do. They really focus around that.

Now, we'll get into the software layers a little bit now. The firewall. Every Hollywood movie, that's what they do. They pop the firewall. They pop the firewall. Now, granted, there's clearly some firewall misconfiguration going on when we see iSCSI, 13,000 of them, publicly facing. Right. Yeah. We know that there's some firewalls misconfigured. We know those are methods of breach. But it's not the most common way. If you're assessing a target and you're trying to get into that target, yeah, cool.
You want to know what's on the firewall. You're going to look for things like RDP open, what VPN do they use, and stuff like that. But then you're going to jump back to the end user, because, okay, I know RDP, but now I have to get an end user's password. A good firewall is nice, and it should have a good IDS/IPS, so intrusion detection, intrusion prevention system. But that's for people who are just spraying noise at the firewall, and blocking them because they're sending things out. They're Angry IP scanning you and things like that. That's not how someone who's targeting you or looking closely... they're not going to be noisy. Noisy is what you do at the end of the game, at the beginning. Right. So frequently things don't even trip your IDS/IPS. It just becomes there. Now, what's really helpful, and I'm going to be doing some videos on this, and I was having some conversations with the people over at Security Onion, because we're looking at putting this in for a client. Security Onion helps a lot with that logging side of the firewall, because this is where you do want to spend a little bit of money, and the logging is important, because we want to walk you through a scenario. You have something that trips off your intrusion detection system. You're like, okay, this computer communicated with this IP address. Then you start going through your metadata logging. What other computers? The next thing you know, you're like, wait a minute. This tripped something because they did something, but there's a whole history of this IP address talking to lots of different computers. That provides you that investigative part you need for that. And granted, that's a reactive side of things, but sometimes that reactive side, because they may not have triggered in your way a pattern of what they're doing in there. And Security Onion is popular, AlienVault is another... OTX, Open Threat Exchange. Security Onion is one of my favorites. I love, love, love, love Security Onion.
It's just got a very no-nonsense open-source approach about it. And I've even deployed it out in AWS, and I've been able to get some data into some really fun visualizations. Yeah. And Security Onion comes completely built as a... It's a free download. You can get this with Kibana and everything configured on there. So it lets... And one of the things it does with the whole search system it has, because it also uses Bro and a few other tools, all pre-configured out of the box. You can have this thing stood up and running, following their instructions, in about 15, 20 minutes. I mean, it takes longer to download than it does to get a basic setup of Security Onion so you can start playing with it, because, again, once something trips, they may not have gotten in, but now you have that forensics information you're looking for. And then we come back down to the endpoints. What should you have there? So antivirus. Antivirus, because they're all signature based, and we've talked about how these things get missed all the time. It's still reactive, but it still helps. It helps. It's another piece, because they frequently will use, like we talked about, Mimikatz, and that would be caught by most any modern antivirus. So clearly there was a gap between the Starwood hotel line and the fact they had that installed. So, yeah. Web filtering to help block out websites, that goes hand in hand; that's something we do on the endpoints. There's a couple things that come with web filtering, and as opposed to doing it from the firewall, when you have it at the endpoint level you have an SSL cert installed so the web filtering software can understand it.
I've mentioned before I use the SolarWinds product, but there's a lot of other products out there, Webroot and things like that, that offer some information, and it's, I believe, referred to as an EDR solution. Huntress Labs, that's what they're running, and there's other companies. CrowdStrike makes a really cool product for this too. There's a handful of them out there. What they do is they look at the endpoint and go, all right, what is on here in the startup, what is running, and if anything pops up in there they alert right away: something new added to startup. And if it's not something they've ever seen before, if it's a completely normal app, and they use all signature based on this, if this app is asking for network connections they start logging immediately. They go, this is a new app, for some reason wants network connectivity when it starts up. If companies like, oh, let's say Target, would have had those on their systems that were running, because they added startup applications to monitor the credit processing that was going on, so whenever they reviewed the service for an update they just came right back; those applications are running and doing what they've offered. By CrowdStrike, that's that really focused endpoint. Now there are open source versions of this. There is OSSEC and Wazuh. They're very similar. Wazuh is a little bit easier to handle. OSSEC, hard. I took the time to learn it a little bit. It can be a good way to use a series of signatures to understand behavior and stop something from happening. Matter of fact, because I wasn't editing the table in a SQL database through the normal method, I had jumped into it, just wanted to use phpMyAdmin, and turned it on and did it. It's seen me as an attacker and locked me out of the complete system right away instead of an alert. And I'm like, oh, I'm the attacker. First I get a panic, so I get an attack notice, and I'm like, that's me. So it did. I'm like, you are a great attacker.
Of something that, I'm like, what's the biggest thing, and it does even have some kind of original issue, and it's something really simple. It's a lot of things including the Wazuh platform, but you can also stand up Wazuh by itself, once again fully open source, and it has a cool interface on there. There's complete virtual machines, I believe, you can download of it. So if you just want to play with it in your lab environment at home and test it out, you can stand up a server pretty quick. It's quick to get set up. I would say harder to get deployed, because lots and lots of tuning, because you have to figure out what's gonna send an alert on your daily use case. You know, we don't really touch on this enough, actually. A lot of the security tools that we talk about take a lot of tuning. Yeah, and that's the reason why we're security, into a security engineer, right? So, you know, the Splunks of the world, right, the log analytics and those sorts of tools are not very simple. You have to make sure you got the queries. You got to make sure you got the visualizations. Make sure the connectivity is there. Make sure you have everything spec'd out right for storage, like Security Onion. Security Onion takes some storage.
Oh, yeah. If you want to put Security Onion in an environment, I'm, you're talking about building bare metal, not virtualized, a hardcore server to run it, like it'll be modern, fast, lots of processors, lots of RAM. And if you want to do full logging like you do with a port mirror, so you take all the data coming in on your WAN and mirror it over so Security Onion has visibility in all of it, you have to be able to handle the volume of data and the storage that comes along with it, based on how long you want to do, because it's going to do a full packet capture, full pcap. But you may only have enough of that to handle maybe, let's say, seven days' worth of storage, because it depends on the size of the pipe coming in and how much data flows across, and then after that it stores the metadata information. But sometimes by the time you get to the metadata you're starting to lose some of the forensics integrity when you do that. But it comes down to how much can you afford to send, because what you're doing is you're actually mirroring every piece of data going in and out of your office to log it to that. You have to find that happy middle, and this comes back to if you segment your network into different segmentations, which I didn't really cover, but I guess you could say at the software level you definitely want to not have a flat network. You want to create a series of least access: do these people need access to that?
But when your network is segmented off like that, you can say, okay, I only really want Security Onion to watch this segment of my network. Right, and it can be very enlightening, because you may only want to watch, like, a special server side of your network. Or you can even send some different Security Onions, because it has a master/slave system, so you can set up different nodes, or sensors as they refer to them, so you can have some of the smaller sensors feeding back to the main system. Yeah. One of my favorite things to do, and this is a project that's going to take some heavy lifting if you want to replicate it, is to put Security Onion on honeypots. Oh. Or put the assets, set up the network, so that Security Onion is actually looking at that VLAN in which my IoT cameras are on that may still have default creds, right? Yeah, because you get to see some really, really interesting traffic. People are scanning for those sorts of things. You will see a lot of malware. These malwares won't do things with, you know, they do the small things like dropping, right? So it'll come along. It'll go, okay, you need to do a wget to this shady URI to go get this package that's made for MIPS and then, you know, execute it. But yeah, I mean, it's interesting. It's definitely an interesting tool. I think that if you have any amount of time on your hands, you should go check it out, because, yeah, it's very well thought through, enterprise ready. Enterprise grade. We're looking, I mean, the reason I was talking to the Security Onion people is looking at an enterprise deployment. They're all for free open source, but they have a security engineer, so they help you stand up the product and get it all going in there, and they help you spec it out and things like that, and then once you're done we'll do the consulting on a regular basis of fine-tuning and some of the other things. It's just the size and scope of the company.
The one I'm doing some consulting with is quite large, and it's gonna go across numerous sites, 17 public-facing firewalls. 17? 17 installs. Yeah, so there's just a lot going on to make this for that site. So, sweet. Yeah, so hopefully it's helpful. I'll leave links to all these things where you can get them, and most of these tools you can get for free. And maybe we'll do another episode on honeypotting too, if there's some interest, so let us know on that, because that could be a fun topic. Yeah, let us know. Um, I got some friends over at Attivo. Shameless plug. They are the leaders in deception right now. I would love to get them in here and do some discussion. Maybe they'll sponsor an episode. Yeah, bring us some Attivo beers or something. There we go. But what's that other one, the T-Mobile AWS honeypot? We can probably talk. Oh, yeah, T-Pot. Oh my god, T-Pot is awesome. Yes, you heard me right, T-Mobile, and it's the T-Mobile honeypot called T-Pot. So, yeah, you know what, T-Mobile is doing really, really good stuff. They're like the next Netflix when it comes to open source software, and Capital One's doing some really cool stuff. But T-Mobile has something called PacBot. Check that out. That's your policy and access control bot. It actually goes through and tells you over-permissive policies, over-permissioned roles, etc. And then Capital One has another really cool project, open source software. It's like taking off.
Oh, yeah, huge companies are, like, investing. They have something called Cloud Custodian, and it actually goes through and helps you clean up resources and keep resources in a compliant state in AWS. Those are two things that I would suggest you guys go check out; it's pretty fun. Yeah, like I said, it's crazy, some of the... it's all open source. I mean, when you look at the enterprise, and that's how I got into some of this consulting for this company, it's because of my open source background. These companies are excited about it because they don't mind paying to have the security engineers come out and set it up, but at the end they avoid these huge license fees and everything else like before. But then we get to own the code, and if we ever want to contribute back to development, there's some interesting dynamics there. So that's why these companies are realizing open source. I mean, we just, the, is it, how do you pronounce it, the new NSA reverse tool, G? Ghidra, I don't know. Yeah, I don't know. I pronounce it Ghidra. Ghidra. I think that's actually how I said it. I think he's right. They just released all the source code to that. So I mean that's fully open source now. That's a reverse engineering tool by our tax dollars at work here. I don't mind government tax dollars towards open source projects. I can justify that. I'm a little more comfortable with that. So I've always believed if it's my tax dollars going towards the code, the code should be open source, even though it's a reverse engineering tool written by the NSA, right? I think they're just trying to win brownie points with the world, and it's a good PR move to open source it. But hey, cool, they did. I'll take the tools. And I think it's also one of those things: more and more people reverse engineering things with those tools means more and more potential people that they go, I'll hire you. Exactly. All right. We're out. Have fun. Thanks for joining us.
See you next time. Leave comments and suggestions below, as always. We do read the comments. Peace. All right, later.