Hi, welcome to Salted Hash, the show where we talk about security that matters. No FUD, no hype, just a little bit of snark.
I'm Fahmida Rashid, senior writer at CSO Online, and here is my colleague Steve Ragan. Today
we're going to talk about attribution, AI, and legal hacking.
Welcome to episode 4, A New Hope. Hey Steve. Hi.
How are you feeling? I'm hopeful. How about you?
The puns are strong with this one.
Always looking forward to that good news, the silver lining.
So I'd forgotten how short the intro deck was, because I thought I'd have enough time to check my expenses before
I hear you do the "new hope" line and I'm like, that's fantastic. And then you're like, hi Steve. I'm like, crap.
It's been one of those days, guys. That's all I'm gonna say about that one. Hello everyone.
It's good to see you again, and it's definitely been one of those days. I mean, all we're hearing about is attacks.
We're hearing about a bad breach.
It's just one on top of the other. So I want to ask you, Steve, because this is something I actually wrestle with sometimes:
we always talk about, this is what happened,
this is how it was done, and then there's a whole group of people who go, who did it? Who did it?
We want to know who did it, and
me, I'm sitting here like, I don't care. I don't care who did it.
No, I mean, attribution matters. We're not
gonna throw attribution out the window, but I think in the immediate,
in the immediate vicinity of incidents, like once you get engaged in incident response and you start working out the problem,
attribution is less important than knowing what happened, when it happened, and how it happened.
The who will come.
Yeah, you're gonna figure out who. Once you start answering these other questions, who is probably gonna pop up,
because, you know, depending on what you're doing, you may have actually seen this type of attack or an actor
or, you know, something before, and
what you're experiencing, somebody else in your industry might know of, or once you're sharing information somebody
goes, I got that thing going, yeah. Or you're gonna be working with a vendor and it goes,
you know, we had two other clients experience this, and oh look, it's a Fuzzy, not a
Fuzzy Koala Panda Bear from, you know...
And the funny thing is, at this point, I don't know what bear's what.
Yeah, I know. We have like a couple of pandas, there's a few bears. Here's my thing:
where's the turtle? Can't we get like a threat actor turtle? I mean, if we're going to attribute to something, let's call it,
you know, let's just call it, you know, like the
Prancing Turtle. Don't we have a salamander? I mean, I think they started that at some point.
I would be shocked if there was a salamander.
But I know there's no turtle, and I'm a little disappointed at that. Also,
what about wombats? We have a security vendor named Wombat, so why don't we get a threat actor named Wombat?
Would that not be hysterical? Because then, oh, the marketing nightmare. Yes, see.
Wombat Security, if you're listening, I'm sorry.
But that's, again, it's one of those days. You'll have to forgive me.
It's a thing that we're, you know...
Attribution seems to be more marketing in some cases than it does actual value.
I don't
think your CISO cares who hit you. I think they just want to know how the hell you got hit, and the fact that,
you know,
some vendors and some,
I'm gonna use a very offensive term, I apologize, thought leaders seem to,
seem to very, you know, they just want to focus on attribution and miss the other stuff.
I think you're missing the bigger picture in that regard. I mean, attribution is important, but I think in the short term
what you need to know is, you know, who, what, when, or not the who, but what, when, why?
Yeah. Why did this attack happen? When did this attack happen? How did this attack happen?
What do we do now? You know, and you focus on those, and then eventually
who's gonna spill out; you're probably gonna run into it.
And that's where I walk back my initial statement where I was saying it doesn't matter who. I think the category is helpful,
the category of knowing that, okay, this is an actor that's financially motivated, this is more
idealism motivated. I think knowing the category is helpful in determining some of your response.
Under why. So the category would come under why. Why did this happen? It's a financially motivated attack.
Why did this happen? Somebody wanted the plans to your new gidget whizmo, you know?
Yeah. Oh yeah, the insider threat, beware.
We're gonna sell, you have to see it, but you only need Bob from accounting.
So I mean it's... don't laugh, keep a straight face. Remember, we're supposed to be reliable on camera.
There you go. Bob from accounting says good job. It's
Chris, keep that on film, because that was amazing. Just making her laugh at random is just awesome.
So I mean, that's the thing. I think for me the why goes with the style of attack, and that is actually very
important, I think.
That is a type of attack surface that every organization should know. You should know, if a financially motivated attack hit your company,
what are they likely to target to pull that off? If it is a malicious insider,
what's the data that an insider in a given department or whatever... what's most valuable to them? What are they gonna steal from you?
You know, and there's no reason why you can't make plans to address all of these.
I mean, that's just, to me, it seems very smart, you know, and you know, risk assessment, risk management,
you know what?
What's what and what's where. I mean, I get it, the FBI, law
enforcement, they want to know who, and I totally get that. That's their job description. I think that,
that's not IT. Yeah, that's law enforcement.
They operate on a different plane. In fact, if you're doing your IR right, when law enforcement
comes knocking and you give them,
you know, the what, the when, the why, the how, and you've shared that, law enforcement might look at you and go,
oh, well, it's blah-de-dah attribution, and
they may have very good reasons for giving you, you know, that kind of name, because they've seen these TI feeds before, and so
that would make sense. But to just, like, randomly go out and say, oh, I see a Russian IP address, Russia hacked us?
No, no, homie, they didn't. You could just sit down. Didn't, a couple of years ago, there was all that
confusion about some water utility, and it turned out the contractor on vacation in Russia,
on vacation in Russia, checked his, you know, checked his email,
that tripped all kinds of alarms, and boo-boo-boo, Russia's hacking the water utility. No, dude, he checked his Yahoo account. Okay, calm down.
That story blew up. Like, people were just all up in arms over it. Is this like...
No, this is actually a very good lesson: when you're on vacation, don't check your work stuff.
That's easier said...
I mean, we had, you know, like the end of the year, the little mini-vacation thing and stuff. I'm still working.
Instantly. I can't not work. It's habit. It's just... but I mean, that's a valid point.
You know, I mean, you should know that,
you know, Troy from development is on vacation right now, and if Troy's in a hostile area,
maybe check in with Troy, just say, hey, hey, buddy.
Yeah, and say, what are you doing right now? You working? Yeah, okay.
Great, just need to check on that. Otherwise it's like, um, no, I haven't left yet. So you're not in Russia right now?
No. All right, that's a problem. We got a problem.
Talk to you later, click, and you know, you run and scream like everybody else would.
But I don't know, I mean,
I'm not against attribution. I just don't put a lot of weight on it now. I would much rather know why, how, when.
It's really easy to get wrong, and once it's out there you get more confusion, more fun, to the point of distraction.
If you screw up the attribution part of an investigation when you're going public, and you mess that up, you're done.
Nothing you do after that's gonna matter, because everybody's gonna remember that one screw-up.
And if you're trying to accuse another company, or, you know,
God forbid, a nation state, that could be an even bigger mess to deal with.
So I mean, I
was actually thinking about this. It's like, okay,
both of us seem to be on the same page: attribution's valuable, but we care more about why.
Now that kind of makes me wonder. It's not always easy for us,
sifting through all that information, figuring out who did it, what it is, what I'm looking at. So
I'm gonna use the most favorite marketing buzzword here: AI.
AI in security.
Are we ever gonna use AI for attribution? I
hope not.
Why not? Not even a little?
No, because attribution revolves around a subset of incident response called threat intelligence, and
to automate or rely on a machine that doesn't have analytical skills... okay, next. Yeah, context.
Context is the principle, mm-hmm.
Basically, the real big issue here is AI will never have context.
So I hope it never goes to that, because if it did, we're all in trouble. We are. I mean, the thing is,
trying to get context onto a given piece of information that comes out, you know, when you're running a threat intelligence program,
that's hard enough. Now you've got to train a computer to do it?
I think not. It's just not gonna happen, at least not easily and not anytime soon.
But that won't stop vendors from selling that little silver bullet. That won't stop, you know,
again with this offensive term,
I'm sorry, thought leaders from talking about it and trying to make it the end-all be-all of some sort of security
lifecycle. But I just, I don't know. I don't agree that AI is going to...
Well, I just hope AI doesn't have anything to do with attribution any time soon. Yeah. What I
have, a new hope for you, and
here it is: the fact is, if we have to shift to AI, I think what we need to do is get better at
patterns and
context, like building in context around certain patterns, because what will happen is,
you know, what happens if you get this AI running on your network and suddenly somebody port scans you
from behind a proxy in, you know, Korea? Are you suddenly gonna say South Korea's attacking you?
Because your AI might.
The issue is, like, people don't really think about, okay, why?
So here's the thing. We know why it's a terrible idea,
but it's gonna happen. People are gonna keep talking about it.
Give me your wish list. I have my personal list of how I want AI in security to look.
What is your idea?
What would you like to see security and AI eventually be able to do? So we talked about this
actually on Tech Talk a couple of weeks back, and I
really like the stuff that Cisco's coming out with. What I want to see AI do is automatically adjust
policies and
other security settings based on the ebb and flow of the network, based on a user's workflow, so that you get your security
but the user's not going to be impeded.
You know, they're going to be allowed to do what they need to do when they need to do it,
but nothing else. And frankly, I think that's exactly the way it should be. There should be a constant
monitor and a baseline that's being set, to where if,
you know, my job routinely means I have to access this type of data, and I have to be on these systems,
and I have to access these resources,
that's what I get access to. But if something changes in my job, the network knows that. The network is aware of that. It
understands that things are
dynamic, and so I get moved into a new group,
or, you know, temporarily I get access to this. And I
think that kind of automation is going to be where we see security going. Yeah.
So I'm gonna ask you, because I think we're part of, like, the same old world: you remember Eliza, the chatbot?
Wow, yes. That's what I want to see in AI and security.
I want the first line of defense being the security Eliza, the handler.
Did you actually do this password change? Did you actually do it? It does all of that first-line stuff, and then it says, okay,
I've no idea what's going on. I'm gonna now escalate you. That's where I want to see AI going. I want Eliza.
Threatcare, I think Marcus Carey on Twitter, Threatcare, they actually created this
security assistant called Violet.
It's almost AI, and I absolutely think small IT shops would totally benefit from that. I think it's,
it's just fantastic.
The thing that I really got when I watched that demo video of Violet in action, it was like, she went from
"Violet, check my firewalls" to, we're running like a whole scan, to "Violet,
what is phishing?" Really, so that means
yeah, so everything. You know, you get this wide gamble, and, or gambit,
I should say, you have this nice curve that, you know, an
experienced administrator can have Violet do some things, but then a novice can ask basic security questions and get answers.
Alexa.
Yeah, kinda Alexa for security, but, you know, I mean, we can't use Alexa. I don't think they can use Alexa.
I think that's copyrighted.
But see, going back to your Eliza thing, though, I mean, the first thing that popped in my head was like,
back in my day we didn't have Cortana.
All we had was...
Actually, I had a similar tool where they do it on Slack,
where they automatically get all the alerts from their, like, SIEM and stuff like that, and
they actually release a chatbot on Slack, and it pings the employee: hey, we just noticed a login attempt.
Did you just try to log in? Like, right, was that you or not? And the user said, oh, yes,
I did. And the bot's like, okay, good, closes the ticket, we're done. Or the user's like, no,
I haven't tried to log in. All right, now we can escalate. So I see examples of this happening, and I'm really excited about that.
That, I can get behind that a hundred percent, because there's nothing wrong with just checking on someone. The only problem is,
how quickly can that bot respond?
So let's say that the bot gets the notice on the wire, you know, hey, this password failed,
but that's because it's just now picking up the first failure, because I fat-fingered the password, but that's okay,
I've already compromised your account. Hey, the bot's talking to me. What's up, bot? What? Really? No,
I just messed up my password. Sorry about that. Oh, great, thanks. And then off you go.
You know, timing is definitely critical. They're all about timing in that case, but I still think that's a brilliant idea. Of course,
that kind of ties companies to Slack, but I mean, that's not necessarily a bad thing.
I mean, I think a lot of companies already are tied to Slack, unfortunately.
You didn't hear that.
And Chris could edit this part out, so it's all good, then.
Athena saw the mailman, and therefore it was time to scream at him.
The only thing is, the mailman is, like, you know, halfway across the parking lot, like way, way, way over there. Good timing, right? Yeah.
It's just funny, so I had to mute my mic, and I'm like, Athena, hush. I looked at my camera like, oh, I'm still talking.
Yeah.
Don't... oh.
No, see, the mailman's right there, but now there was a kid walking up the street.
I live on a busy street,
so, like, there's people everywhere, and at
this time of day the dogs are just, like, you know, super happy to talk to everyone, especially when daddy's on the phone
and daddy's ignoring them. Okay, all right. Sorry, man, didn't mean to drag us off. Oh,
my apologies. But to go back to the AI thing, so
one of the things about AI that frankly scares me is,
I
worry about adaptability,
you know.
All right, so let's say we have AI and it works for, like, a big enterprise, like Ford, okay,
and
so the AI knows it can... the AI is running for the production line, and the AI is running for, like, the in-
office enterprise and everything like that.
Does that AI scale down to a small office like ours at IDG? Would it?
Could it? You know, how does it adapt to changes in the environment to where suddenly, you know, the AI was
monitoring for 30 people, but we just got bought up, so now it's 30,000. How does that work?
That's the kind of education for the AI... that's a bit of a shock for that AI. Yeah.
I mean, would that be like a complete culture shock? What happens? You have two AIs that are different?
Have you called your shop? Don't love it. Wow. But I mean,
it's possible. Why? Hey, if we're gonna assume AI could run the entire security department,
why can't we figure out that it would have culture shock? Because
that means my AI is not going to probably play well with your AI. Why is that? I
mean, yeah, I know I'm kind of dipping into the whole, you know,
you know, the movie where the robots, you know, come alive, AI takes over.
There's some... well, you talk about Skynet. Yeah, I'm gonna get my key card. I'll cut that up now.
I'm gonna let you earn it back with my next question.
So this is actually a really common discussion that keeps happening on security Twitter.
So we're gonna talk about legal hacking. Are companies allowed to hack back? Are companies allowed to say, hey, you attacked me,
so I'm gonna do something? And
I mean, the reason I'm bringing it up is The Daily Beast
recently did a story about how companies are already doing it, and I remember Jack Daniel basically being like, why'd anyone be surprised,
this is reality. I...
So I'm not surprised to find out that there are companies that are hacking back.
But I think when you use the term hack back, there are a lot of...
Yeah, there's a lot of meanings, and there's a lot of open
interpretation. Like, you know, some of these companies that are hacking back aren't really hacking anything. They're, you know, like, you know, so I
talked to one company who reflected packets one time.
I'm like, that's, you know, that's great and all, but, you know, how do you know that the person attacking
you wasn't actually using a victim's computer?
Not a damn thing about that. Yeah, you just reflected it to another victim.
Congratulations. I mean, you defended your network, woohoo, but
you have to be really careful, and that's... I don't agree with it. I don't think...
Well, so let me rephrase: I
don't agree with it for everybody. I think if you're going to do it, you need to be absolutely clear about what you're doing,
what was not... yep, and the idea of having kind of like a letter of marque from the FBI stating,
here's the clear... here's the scope of what you're allowed to retaliate.
Talk about how we shouldn't have scope.
No, so we're talking about scope on pen test engagements, and that's absolutely correct.
I don't believe you should have scope at all if you're gonna do red team engagements,
but, you know, that's kind of where I come from, so naturally that is my line of thought.
But when it comes to, like, scope for hacking back, absolutely.
For example, if it's determined that your target's a medical center of any type, I think that should be off-limits. Oh yeah, definitely.
So then where do we draw the line for, like, schools?
See, these are things that we have to iron out. We have... okay,
so if you want to have these types of engagements, you want to make that legal, that's fine,
but if it's not narrowly defined, where you know what, when, where, why, and how, you
shouldn't do it. If you're
aware, if the infosec team decides they want to hack back, they need to be talking to their corporate lawyers. Oh,
absolutely. If legal is not involved in this decision,
you're already starting off on the wrong foot, because again,
and also, you know, this is why I say you have to have some sort of, like, you know, and I use a term, but
I mean it could be whatever, a letter of marque from the FBI, because the fact of the matter is,
according to our own laws here in this country, the minute you go to take action,
you are technically committing a crime, even if it... well, within your own network it doesn't matter. Well, if it's within your own network,
but the thing is we're not talking about hacking back within your own network.
Anybody who's using "hacking back," they're talking about going up the trail, following the trail, following the money, you know.
Oh, that's that guy's C&C server,
let me just take it down real quick, because, you know, it's vulnerable to this or vulnerable to that, or
let me knock it offline with a few packets of my own.
All of those are crimes.
It doesn't matter how well-intentioned it is, all of those are crimes, and so that's the thing that companies have to be
very cognizant of, and they would
absolutely need to have a lawyer for. And I get that's why it's like, even if it's
something that companies are doing, we just hear so little about it.
I mean, um, what company wants to admit that they're engaging in the same pattern?
Absolutely none,
especially if engaging in those kinds of tactics opens them up for further attack, and that's another problem with this. If you go to...
Yeah, but it's cross-contamination.
So imagine, imagine you decide you're gonna hack back, and you track everything back to me, so you're coming out
and you attack me. The thing was, I was a victim in the first place, but I see you attacking me,
and I'm like, oh hell no, and so I start coming after you, right?
So now you've got this, in a feedback loop almost, and that's
chaos. You don't want that. You
absolutely do not want that. You have to be certain, and the problem is, in our world, there is no certainty.
I mean, that kind of goes back to what we were talking about with attribution. Like, if you don't actually know who it is,
it's really hard to say with definite certainty that, nope, I did not make a mistake,
this is really you. Yep. And of course you get the other thing, you know, like, what happens if, like,
you go to respond and you get it completely wrong, and then that person responds back,
you know, that feedback thing I was talking about,
but they come to find out that, you know, you were right all along,
because, you know, they really were attacking you. Now what do you do there? How would you handle that situation?
It's so new that, you know, these types of
hypotheticals, no matter how absurd they may sound,
these are things that absolutely could happen, because we don't know where the limits are on this. I think the hack back,
hack back is very risky, but like Jack said, it's very real, and it does happen.
And I mean, it's one of those where I think we're also just figuring it out,
whether it's with what the law says,
what our companies' lawyers are even comfortable with. It's just a lot of things we're still figuring out.
So,
thanks for tuning in. Next time we'll talk about
more tough stuff in security, and
remember, the salt in Salted Hash is something you know.
