Austin, Texas, is a city filled with music, vibrant nightlife, and some legendary BBQ. It is also one of the great tech hubs of the southern United States, home to a wide variety of tech innovators like Indeed, SolarWinds, and Amazon's Whole Foods. It is simultaneously home to one of the largest tech events in the world, SXSW, as well as many smaller tech events, including BSides Austin 2023.
Like other BSides, Austin had informative sessions, a number of training opportunities, and several villages, including capture the flag, lockpicking, and more. Here are just a few of the highlights from this year's excellent event.
Multiple local communities in one room
One of the sessions that really stood out was a panel discussion consisting of several local tech communities. Each was given a chance to explain their mission and how to get involved and invite attendees to join in some of their upcoming events. I have yet to see this at another tech event, and it is something I hope we see more of in the future.
The panel consisted of:
- Latinas in Cyber
Their mission is to increase the number and presence of Latinas in the cyber workforce.
- DEF CON local chapter 512
They have a goal of uniting all hackers, new or old, to gather, drink, and listen to Defcon-style presentations.
- ISSA Austin Chapter
One of the oldest security communities, working to promote a secure digital world
- Women in CyberSecurity, WiCyS Austin Affiliate
They are a community of engagement, encouragement, and support for women in cybersecurity.
- OWASP Austin chapter
Meeting locally to help us all make more secure applications.
- Austin Hackers Association
Their goal is to help members become better public speakers. The meetings consist of short “turbo-talks” from anyone that would like to speak on a topic for anywhere from 5 to 10 minutes.
- Longhorn Lockpicking Club
Their goal is to provide a safe and responsible atmosphere for hobbyist lockpickers to share knowledge and experience while practicing their hobby.
All the representatives agreed joining your local community is a great way to network. Tech work, and especially cybersecurity work, can be very isolating. Meeting up in person with folks who share your passion for tech can make it an easier journey.
Joining a local tech community has career benefits as well. One of the attendees spoke up and said, "As a hiring manager, I always look for folks who are volunteers as well as folks who have local community and non-profit involvement." No matter where you live, the panel encourages us all to look into local chapters of these organizations and get involved.
Helping the whole organization stay safe
In a perfect world, everyone throughout any organization would be as safety minded as the security team. Things that might seem common sense to anyone keeping up with CVEs and the overall threat landscape might not be as obvious to the less technical members of the org. Shannon Pfohl Williams Principal, Senior Security Advisor at Soteria gave us some practical advice on keeping everyone safe in her talk "Mind the Gap: Are your security controls effective?"
While security teams work to lay out security controls to keep everyone safe and the company compliant, it is very common to find users working around those controls. Shannon laid out a number of reasons why this is the case.
- Productivity - Everyone just wants to do their job. They are not choosing to be unsafe just for the sake of it. Any workaround was likely well-intentioned, with a goal of efficiency in mind.
- Too strict or not strict enough policy - The stricter the policy, the more likely it will be perceived as an obstacle and lead the team to avoid interacting with the security team at all costs. On the other end, not defining the acceptable paths clearly enough will allow people to get "creative" in their approach.
- Going above the users' technical ability - Not everyone is as quick to pick up new technology. People tend to go back to something similar to what they had done before. For example, they might start using personal email accounts to move PDFs externally instead of using the new secure portal that requires MFA.
The key to fixing these workarounds is building trust, and it must be established both ways. Remember, your coworkers are the subject matter experts in their day-to-day work. Their goal is always to be as productive as possible, so take an interest in their goals.
Give them a no-reprisal path to give you info about how they see security getting in their way and how they arrived at any workarounds. Often, the lack of trust between departments brings fear of reprisals, which leads to people getting help from alternative channels. These other channels can include peers who have their own way of doing things to "speed things up." Often those same peers are the ones who get asked to verify things like phishing emails, spreading the attack rather than reporting it to the right team, again driven by fear of getting in trouble.
She also stressed the importance of a judgment-free educational approach. Instead of reprimanding them for doing something like writing down passwords on a sticky note, ask to get their buy-in on a better approach. For example, "Instead of hand typing the passwords all the time, would you be interested in a tool that could manage these for you and auto-fill them when needed?" She said most people would welcome such a change to their workflow, but they simply lack the language to ask for a password manager. Instead of just turning on MFA and forcing the change, ask them their opinion of "something you know and something you have and the security benefits that could bring to the whole organization." Most people will get it if they are given the chance to think it through.
Lastly, she said it is vital to get leadership buy-in. If the managers ignore security best practices and use workarounds, their departments will as well. Ultimately security is everyone's shared responsibility. You are only ever as secure as your weakest link.
Understanding rising threats
One of the biggest benefits of going to a security-focused event like BSides is hearing about the latest research into new threats and vulnerabilities. Beyond just learning about the new risks, the presenters include paths to staying safe. Here are highlights from just a couple of such sessions.
In his talk "Containing Smishing Incidents: You won't always have a MDM" Dan Schmidt, Sr. Security Operations Manager at Box defined "smishing" as a phishing attempt that targets a user's cell phone rather than email. There has been a huge increase in these kinds of attacks over the last few years, with three out of four companies reporting they had encountered smishing attacks in 2022.
In a typical smishing attack, the victim will be sent a convincing-sounding SMS message that has a link that looks surprisingly close to a legitimate website. Once there, the user is asked to log on to a particular service, thereby giving the attackers their credentials. Dan said this is proving a successful approach to gaining unauthorized access to corporate networks.
At Box, they set up fake users with no permissions or access to any resources in their system. Dan said they sometimes use fictional characters from pop culture, such as The Avengers, or Lord of the Rings, to make them easier to identify. The actual names don't really matter, so long as they do not match the names of real users. Just as critical, the whole team needs to be aware of the fake accounts and share them via the incident playbook.
When a new smishing attempt is reported, the incident response team clicks the links and provides these canary account details. When those same user credentials are used from unexpected IP addresses, then they know where the attack is coming from and what to filter for when looking for which real accounts might have been compromised.
This is similar and related to how GitGuardian Honeytoken work, minus the need for pop culture references. Honeytokens are decoy credentials that go to real AWS accounts but have zero permissions or access to any services. But when someone tries to use them, they set off alarms and give you an IP address, the user agent, and what the user was attempting to do.
What ports are attackers scanning?
It should come as no surprise that attackers are always scanning the internet looking for resources they can exploit. In his session "From Honeypots to Hunt-a-pots: Tracking the Trails of Adversaries," Nick Roy, Director of Sales Engineering at GreyNoise, shared his research into exactly what these scans are looking for and what their end goals are.
While most people are familiar with the common ports like 80, 22, or 3000, many other ports exist. Unless you block access, anyone can access these other ports. There are many malicious actors who try to exploit any open port to inject some executable.
In his research, he set up honeypots, servers that did not contain real data or anything of value. He would block outgoing traffic after leaving all incoming ports open. He said the most common goals he found for the malware were to use the server as part of a distributed denial of service, DDoS, and for crypto-mining operations. He said what he found most surprising was the large percentage of hosts would just sit there after their initial setup and never try to execute a single command. He soon found out that those bots were keeping access so that someone could sell it to the highest bidder.
These schemes range from selling access to Digital Ocean droplets with SMTP ports open, for SPAM operations, to DB access for companies of all sizes and descriptions. There are illegal sites that sell this ill-gotten access to just about any service and company you can imagine. He found a book on the dark web that promised a monthly profit of over $12,000 with a start-up cost of as little as $40 a month, as long as you were willing to ignore the law.
He said the number one way you can stay safe is to always apply the latest security patches. Exploiting known and, in some cases, very old vulnerabilities is how almost all attacks of this nature succeed. Just as importantly, only trust default machine images if you know they are patched and have been vetted by a security team. For example, the latest Linux images on AWS are likely safe, but a Windows 2008 Server image from a no-name host is likely going to be hacked immediately. Also, if you are not using a port, go ahead and block it. As we move to a Zero Trust posture, ideally, all ports should start out blocked and only open if absolutely needed for your project or product.
How to build a SOC
While I have heard a lot of talks about best practices in a Security Operations Center, SOC, I have never heard anyone discuss the logistical steps of setting one up and staffing it before. Nick Gipson, the founder of Gipson Cyber, has a lot of experience in building SOCs, as he was the person who set up the SOC for the US Cyber Command. In his session "Hook, Line, & Cyber: A Fisherman’s Guide to Building a Security Operations Center," he shared not only his first-hand knowledge of SOCs but also his passion for fishing.
Chart the course
Nick said the most important element for success was good documentation. Specifically, there must be a well-thought-out Incident Response Plan, a holistic approach to how SOC will run on day to day. He refers to this as the "North star for the analysts." All other founding documents, such as the Continuation of Operations Plan, Disaster Recovery Plan, and the various Service Level Agreements between security and the rest of the organization, all need to refer back to the Incident Response Plan.
An Incident Response Plan is different than an incident response process, which deals with how you react to individual situations, such as a phishing attempt. Your incident response processes should be contained in playbooks, which you can think of as "little bibles" that explain exactly what to do and should be followed by analysts in all situations.
Ask the local fisherman or pay a guide
Nick believes that the best source for finding fish is either asking around the bait shop for what's biting or paying for a local expert who can give you trusted advice, especially if you are in an unfamiliar area. In cybersecurity, you can either ask the open source communities about the threat landscape or pay for a commercial service to give you the same information.
Free and open communities include:
Paid sources include:
The biggest difference is that commercial options often have dedicated research staff to validate information, ensuring it is up-to-date and accurate. Open source options are very reliable as well, but given they are community volunteer based, it is always a good idea to cross-reference them for validation. If they all agree, then it is likely good data. If they disagree, you have more investigation to do.
Find the right location
The location of the SOC is critical to the overall success. He sees virtual SOCs as having clear advantages over local, on-prem choices.
Virtual distributed SOCs offer you:
- Much more flexibility in hiring talent.
- The ability to 'follow the sun' without requiring overnight shifts.
- No impact from local weather or disasters.
- Better work/life balance for employees.
- Lower turnover rates and less burnout.
- Better Analyst to client relations, as regular working hours can help build rapport.
Find a fishing buddy
Nick thinks the secret to his success in building and retaining great teams comes from focusing on an "anti-burnout SOC staff structure." to achieve this, he thinks the optimal team setup is a minimum of 12 analysts and 3 SOC leads. This lets you have 3 shifts with 3 analysts and 1 lead per shift.
He also has 3 hard rules for scheduling:
- No 12-hour shifts.
- No overnight in that person's time zone.
- Never on for 7 days in a row.
He also said he does not believe in the concept of on-call shifts. This burns people out quickly as they can not really be 'at home' during those hours. He wants people at work when they work and at home, relaxing and recovering when they are off work.
These simple rules, as well as clear and transparent career goals and compensation structures, have helped him maintain a 95% retention rate over the last 5 years he has been managing his current team.
BSides == Community
Just as with BSidesSF, this event flew by and was over in what felt like the blink of an eye. Special thanks to GreyNoise for sponsoring a wonderful community afterparty at Punchbowl Social, where we kept the conversation going about how we can all apply the lessons we learned in our own companies and communities, as well as GitGuardian Honeytoken, which was at the center of my talk. It turns out a number of folks from the BSides community will also be at Texas Cyber Summit in September, and I can't wait to see them, and maybe you, there.