The UNSECURITY Podcast is pleased to welcome John Strand from Black Hills Information Security as a guest on episode 130. Along with Brad and Evan, John chats candidly about his path in security, what Black Hills is working on, the different pockets of security people, why it’s important to work together as information security vendors to improve the community, and so, so much more. Give us a listen/watch and send your questions, comments, and feedback to firstname.lastname@example.org.
[00:00:23] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 130, the date is May 4th, 2021. Joining me is my good friend as usual, Brad. Hi Brad.
[00:00:37] Brad Nigh: Hello.
[00:00:38] Evan Francen: All right. And I’m super excited. This is actually the first time I’ve met him and but you know, you probably have heard of him before, John Strand is here with us today from Black Hills Information Security, John welcome.
[00:00:51] John Strand: Thank you so much for having me, I’m excited to be here.
[00:00:54] Evan Francen: Yeah, yeah, I can’t believe it. You know, I’ve been in this industry for a long time. You’ve been in this industry for a long time. I think you have, you’ve done some really cool stuff. Um but I can’t believe it’s the first time we’ve met.
[00:01:10] John Strand: I, I kind of do because like security has these weird Venn diagrams of like, like spheres, right? So for years my sphere was the SANS Institute. Like I got started as an instructor there and I went to those conferences all the time and when other conferences came up, people like, dude, you’re gonna be a smoke on them. Like f No, no, I’ve been doing, I do 15 to 20 conferences for the SANS Institute. I’m not going to get on an airplane and go hang out in D.C. with Bruce and Heidi Potter. No, there’s just no way. And then I started kind of going out to like DEF CON and ShmooCon and Black Hat and some of these places and I realized that there’s all these different groups in security and they overlap a little bit, but you don’t really get into a situation where like there’s really strong overlap across all of them, right? There just isn’t, it just doesn’t exist. So, you know, once I kind of broke out of that echo chamber, started doing more stuff with Paul’s Security Weekly and getting out to some of these conferences, you started meeting all of these different people and all these cross sectional analyses of, of where these Venn diagram circles all hit each other. And it’s beautiful because you have like the BSides group, right? You know, Jack started up that kind of, BSides, or some core people and that kind of became a scene and DerbyCon became a scene. Uh God bless DerbyCon and ShmooCon is its own scene and it’s cool for me, like I’m becoming like one of the elder statesmen in the industry, you know, we’re all becoming Jack slowly over time. And it’s kind of cool now that I’ve been lucky enough to hit multiple different scenes. But there’s still places I just, you know, circles and things that I just haven’t really met people and that’s one of the things I’m missing horribly with Covid is getting out meeting new people.
[00:02:54] Evan Francen: Right? So in your Venn diagram, are there different colors?
[00:02:58] John Strand: Yeah, there are, yeah. Right. What color
[00:03:00] Evan Francen: I want, what color my end? I want to be like blue
[00:03:04] John Strand: or green. You’ve got to, you got to be So like there’s the red and there’s the blue predominantly, right? So like you got those cons that are very much like the blue side of the house and you’ll have like SANS is very much blue. It’s a lot of defense. There’s some offensive stuff there. Uh, Steve Sims, that’s gotta, you know, myself were definitely the reds in that blue. Then you go to DEF CON and oh my God, that was like dark red. Right? And then you have these different things and they bleed into these different colors to different shades of purple. But now it’s getting to the point where deftones defense and offense and all these different places are blending, which is where it should have been for years.
[00:03:41] Evan Francen: Yeah, I can’t take me in a box.
[00:03:43] John Strand: Can’t do box. Nobody my kids, I’m like, I’m completely original and my daughter’s like, dad, you go to conferences, your jeans, black t shirts and talk security with people and uh, and you’re like, have a beard, you’re exactly like everyone else there. And I’m like a lot of my opinion
[00:04:03] Brad Nigh: a
[00:04:06] John Strand: little bit too close to home there,
[00:04:07] Evan Francen: honey. It’s funny how like our, our careers take us down all these paths, uh you know, I took because, you know, we’re running in this right now Brad with uh you know, um Oscar who leads, you know, the tech services part of FRSecure, where I came to a realization that I can go stay in my technical route or I could go a management route, that was kind of what was in front of me. And you know, I started my career cleaning boot sector viruses off of Windows 3 boxes. And eventually I went, well, I’m gonna go to management around. So now I do all this management stuff, but I don’t fit really well there in terms of like how I look how I talk, I’m kind of a I’m kind of a jerk, you know, that some of them um you know, so I don’t look like a CSO
[00:04:58] John Strand: very
[00:04:58] Brad Nigh: well, they’re not just sitting here
[00:04:59] John Strand: you know, it’s kind of weird. So so it sucks because like, in this industry there’s this huge thing of like, how do we talk to the C-suite and you see these presentations and they’re like, here’s how you talk to the C-suite, you use these secret handshakes, you get the right watch, you got people like, well, you know, if you’re gonna talk to a C-suite, you gotta dress in the suit, you gotta do that like after that, you know, honestly, um I spent a lot of time talking to people I’ve presented executives with executives in Dubai and Saudi Arabia and Europe and all over the place and it comes down to one consistent theme. Actually two first consistent themes be yourself, right? Like as soon as you start trying to talk to somebody and you start using words like synergy and leverage um they can pick up that you’re uncomfortable. That’s number one, number two. And the second thing is analogies, how can you effectively communicate highly technical and complex issues in a way that anybody can understand them. And if you do that right, you’re gonna be fine, you’re gonna be fine.
[00:06:02] Brad Nigh: Well I like to say that clearly I must be good because they let me get away with something like this.
[00:06:08] John Strand: Uh Yeah, that
[00:06:10] Brad Nigh: would be a lot.
[00:06:10] John Strand: Dude, I’ve got I’ve got companies that, you know, we have had employees that have tattoos and stuff and like I’ll talk to the company on a sales call and they’re like just do you know if anybody shows up with tattoos, they’ve got to make sure that they’re covered at all times because that’s kind of unacceptable at our company. It’s like we moved to no bid because I don’t want to work with those a-holes and my big thing right now is don’t party with a-holes. Um That’s the way you isolate them. That’s the way you get away from them and yeah, if you’re looking at somebody and you’re making a termination like when I was at Accenture and Andersen Consulting their big thing was management hates beards. It looks unprofessional and I don’t work there anymore. So
[00:06:48] Evan Francen: that’s why I left, that’s why I left US Bank and Wells Fargo and all those places because it was the same thing. The most depressed I’ve ever been in my entire life maybe was when I worked at U.S. Bank, now they’ve gotten better, right? So no knock on US Bank, but I had to wear a suit every day. Yeah. No,
[00:07:11] Brad Nigh: your point. I mean what we don’t have to work with, there’s so many companies that need help
[00:07:18] John Strand: it with someone else. It’s so funny like people talk about the concept of competition in the industry. Um like they’ll see Dave Kennedy and I, and we’ll be at conferences and we’re like groping each other and I’ll hang out with Kevin Johnson, Mike Poor from InGuardians like uh Tim Medin is like one of my best friends and people like, aren’t you a competitor? You know, they get like swimming with sharks and Wolf of Wall Street, it’s like you had to kill your competitor dude. It’s a game of Hungry Hungry Hippos and the board is completely freaking filled with marbles. There’s no like, like, you know, we got to compete with each other through that we’re all just trying to get through this and it is something that we need each other to get through. Absolutely
[00:07:57] Evan Francen: and that’s cool because you know, watching you from a distance watching you know how you’ve run and built, you know, Black Hills, you know, Information Security, from where we are. We’re in Minneapolis, you’re, you know, physically anyway you’re in uh South Dakota. And just to hear you say that, I think it’s so cool because we need more of that. We say around here, you know 20, we fight over, you know, in terms of that competition thing, 20% of the market while 80% of the market just sits there. It’s like why don’t we work together and go get that 80 rather than fight each other.
[00:08:33] John Strand: There was a firm that we were talking to. We were at a booth. I can’t remember where the hell we were. I think it was like a C. I. I. C squared conference or something and this guy came up and he’s like yeah yeah you know I’m responsible for our company sales in the in the Illinois region. And I’m also out of like, you know, Baton Rouge? And he’s like weird towns. He’s like, so how are you guys penetrating Baton Rouge in the medical community? I’m just like
[00:08:57] Evan Francen: I have
[00:08:59] John Strand: no idea what you’re talking about. Like that just doesn’t make any sense to me. That’s not that’s not how that works because yeah there’s just so much work to do so much work,
[00:09:09] Evan Francen: I know that I can’t take it anymore if I take on one more thing, my admin who happens to be my wife, by the way? I think she’ll kill me.
[00:09:18] John Strand: Yeah. Yeah. Yeah. Uh My wife is the CFO of our company and it’s like we’re gonna start another company. She’s like, dear God, why? I’m like, well, I need at least four shell companies to create up these companies with the I. N. So I can create Companies with Microsoft so I can do domain fronting and bounce. She’s like screw and like my tax accountants just like so many companies to start this year. I’m like 50. He’s like, this sucks like why are you doing this to me? It’s like that. I need it. So
[00:09:47] Evan Francen: Yeah, in 2017 we split off one of our things. So what we’ve always been known for is how we do risk assessments, right? Not vulnerability assessments. Not necessarily, penetration testing. That team is getting very, very solid, but it’s uh it’s risk assessments. And so we’ve made, I don’t know, millions of dollars at FRSecure. And then in 2017, I said, Well, I want to take this and I want to give it to our competitors, uh you know, so we built another company. So now we’re running two companies and like, I don’t know if that was a smart idea. And now I’m starting a nonprofit, so I don’t know what the hell I’m doing
[00:10:27] John Strand: dude, then you’re doing it right, right? You know your ph d s we got the motto probably sucking at capitalism. They come up to me and they’re like that there the dude, you’re, are you a socialist and communism killed. Like all of these people don’t, you know about the great leap forward and Stalin. It’s like, yeah, I read history, but you know, whenever we say probably sucking at capitalism, it doesn’t mean that I hate capitalism. It’s just whenever you read books on how to run a business, they lie and we suck at capitalism because we give away tools, we give away methodologies, we give away training, we give away this stuff all the time. And the reason why we do that, what we’ve noticed is the more you give in this community, the more it comes back. So like I’ve had VC funding, people come to us. I’m like, here’s all of our open source projects and all these things and this is what we’re doing. Like, well you must be close to going out of business. I’m like, oh, no, no, no, no, no, that’s not. So you have these people, right? If they, if they get an opportunity of working with FRSecure, who’s given back to the community or they can work with a company. I’m not going to name any names. It’s a big five consulting firms that do jack for the community, they’re going to be there working with companies like ours all the time because it’s a trust game and that’s all security is, is a trust game.
[00:11:40] Brad Nigh: Yeah. We get to like, people are like, wait, you have, you’re giving away the incident response plan template.
[00:11:48] John Strand: Why wouldn’t you play your policies? Right. Yeah. And when they get hacked or something, it’s like, we’re going to call the template. How about these guys right here, Right, Margaret, What happened in that light? Please go ahead. No,
[00:12:07] Evan Francen: I love it man, This is cool. This is better than what I thought it was going to be John. So this is uh, I love it because I was, I’m not allowed to for the last three years, I’ve been banned for uh about talking pricing.
[00:12:22] John Strand: Oh, pricing is, I think it’s stabilizing. Yeah. I think that, I think it’s standardized in the industry, but I think that firms like ours, I still think that we’re about maybe 50 to 60% of what the very large firms are. Because like you can have a company like Booz come in and they can demand twice what companies like ours charge. And the reason why is the executives are like, oh yeah, well, you know, PricewaterhouseCoopers, that’s going to bring that in. And I always tell people, it’s like, dude, I have no problem with those companies. I trained all the people that work there. Uh the exact same time, you know, that, you know, they just don’t feel like they get the quality. Um that they do with the boutique company. Um, so
[00:13:05] Evan Francen: your stuff away,
[00:13:07] John Strand: you know, never even presentations a lot of the people that work there hate working there because they’re like, I can’t talk about anything I do ever.
[00:13:15] Brad Nigh: So the differentiator is, is, you’re not just a number when you work with firms like ours, right? You get people that really care. There’s a reason the people that work for our companies work for the companies,
[00:13:31] Evan Francen: right? Yeah, totally. So what’s going on in Black Hills? What’s new? Uh, what are you guys excited about? I know you’ve got the, Pay What You Can, which I love, you know what you’re doing there?
[00:13:41] John Strand: Well, so that holds everything. Um, uh, that whole thing was just, so it all started by mistake, right? So if you look at last year, you look at Covid, um, you, you guys remember like you go back a year ago, a little bit earlier when this started kicking up and they started shutting everything down. You know, you, you have payroll Evan, you know, you’re, you’re terrified. How am I going to continue to feed my family and the families of people and a bunch of us just went, there’s two ways that you can go, you can go into a crouching defense mode and there are companies that like laid off, like a third of their employees, like right away, they’re like, oh Covid, it’s bad. It’s what it says, half like 30% 40% fire everybody And I think that that was the wrong approach. And then there was firms out there that are like, here we go, we’re gonna try a bunch of stuff, right? It’s just we’re gonna be monkeys throwing poop at a wall and see what sticks. And we start out with Chris Brenton who’s a partner of mine at Active Countermeasures and he did this free network threat hunting training and it got 5000 people registered for it, blew the doors off. It actually broke the platforms for doing webcasts, like GoToWebinar, like looks at you like, no effing way, we’re not even gonna try who does that. And it kind of morphed into doing this pay what you can training and the pay what you can training has just worked out really, really well and I can get into like why we set it up and how we set it up that way. But it just exploded. So our training and the cons and everything. Um and I got a group of people that are just running that stuff, making sure it continues to work because there’s such a huge need in the industry right now. So like I said, instead of crouching and being like, well, let’s cut our payroll as low as we can get it, survive through it. We’re just gonna go, we’re going to go for the fences, if I go out of business from Covid, I’m not the only one. And I want my employees to know that I tried the absolute best I could to save the company and it worked and that’s just, that’s just this last year was a record breaking year for us, which is weird. Shouldn’t have been that way for a lot of firms.
[00:15:44] Brad Nigh: Yeah. I think our Q4 was sales was a record in our deliverables was I think we had a record in Q4 forever.
[00:15:54] Evan Francen: Yeah. It’s nice to know that there are other companies that, you know, it’s reassuring because sometimes, you know, you’re out there doing the things you do and I questioned my own sanity sometimes, you know, in my, am I crazy? I mean everybody else is doing this, but I don’t feel like doing that.
[00:16:11] John Strand: Yeah, I think that that’s, I think that that’s some type of sanity, right? Like if you’re, if you’re second guessing, you know, kind of what you’re doing and you’re looking at what everyone else does, you’re like, no, I’m going to try something different. There’s definite places like rolling your own crypto that’s a bad thought to have. But if you’re running a company And I know that you guys run this to where you have these companies are like, we just got a $20 million loan and they took a huge chunk out of your company and you’ve lost control, you’ve lost your own destiny. And that’s not the way I want to go. So you have all these people, I don’t know if you get it like what’s your exit strategy? It’s like f you, that’s my exit strategy. I have no desire to like find a place where I can sell everything. And what would I do with my time? Like I love doing this, right?
[00:17:03] Evan Francen: It’s exactly, it’s exactly the same way we there is no exit strategy.
[00:17:07] Brad Nigh: You
[00:17:08] John Strand: know,
[00:17:09] Evan Francen: there’s there’s no exit. There’s no we’re certainly not taking investment because I don’t want to answer to somebody. You know, we have a mission to accomplish, it’s always mission before money. We had this, uh, you know, last year, um, we had a new, we hired a new CFO kind of the end of the year before last and she comes from a banking world, right? Where things are a lot more conservative. And uh, we had so many conversations, she’s like, we really need to lay off 20% of our staff and I’m like, why? Well, because we’re gonna lose money and I go, how much? She’s, you know, probably two million. I go, okay, what’s our cash? We got cash. Okay. So why do I care if we lose money?
[00:17:56] John Strand: Yeah. What you gonna do with it? Right. Everything like what is it like the Joker in The Dark Knight um where he’s like, you know, I like knives and gasoline and these things are cheap and in computer security, it’s like, I love playing with like open source software and computers and switches and routers and these things are my hobbies and they’re cheap. It’s not like the role, you know, you don’t you’re not gonna get that sailboat. Oh jeez, that’s not the way we were wired. Right? Right. Yeah.
[00:18:27] Brad Nigh: In her defense, she has come around and realized it, but it was hilarious for watching her kind of like struggle with like wait. Uh huh. Why would you write?
[00:18:39] Evan Francen: Uh And then she and then she was like I said, so how much cash do you have on hand? And she said something like some number of months. I’m like, I’m used to like, how many days?
[00:18:50] John Strand: Yeah,
[00:18:52] Evan Francen: what the hell? I’ll spend it. Let’s
[00:18:54] John Strand: go. Oh my God. So years ago um Uh we we had somebody that was doing some contract stuff for us. I had shoulder surgery and things kind of all went off the rails at the exact same time. And you know, have found out it’s like, you know, we like our cash on like hand after payroll’s down to like $5,000. And we had like at that time like 10, 15 employees. But you know that’s not a good cushion And we were able to turn that around and keep going, but you’re right. It’s like, You know what your survivability for accounts payable and cash on hand. And you’re like, yeah, we can survive for the next 45 days, you’re like, hell yeah, that’s great. Let’s do this. This is this is really cool. Um, but now as your company matures right? It gets to the point. It’s like if we win no more business from now on and we go out of business, our end of runway is like March of next year. And that’s that’s cool for the, you know, the employees like that. They’re like, okay, cool. And I’m going to have some stability and that brings assurances for the whole company. That’s rare. Yeah,
[00:19:58] Evan Francen: absolutely. I think our work in progress is, God knows what, it’s huge. But the uh, but even the cash thing, I mean, right now, just yesterday or this week or whatever the hell. We were talking about cash. And I asked him, you know, again, how much cash do we have? And they told me, and I was like, why? What the hell does that do? I mean? It just sits there. We
[00:20:23] Brad Nigh: just hired Manchester. We’re looking for another one. We’ve got two consultant positions. You
[00:20:27] Evan Francen: Winning forward, we got, we got 80% of the market that we’re still out there to try to get, let’s go get it. Well tell these people
[00:20:35] John Strand: your hardest problem is finding good people. And, and I know there’s a lot of hard workers. Like I get people all the time. Like I’m willing to learn and I’m a hard worker and I spent a lot of time telling people like what that means to me is nothing. Like if you just come to me and you’re like, I’m a hard worker now, if you come to me and you’re like, I’m doing Hack The Box and TryHackMe. I did a Holiday Hack Challenge, I did this, I did this that tells me that you’re a hard worker and you’re willing to learn just saying that doesn’t mean a damn thing to me at all. So trying to find people, it’s weird. I don’t hire people that are unhappy. So if somebody is like, oh my current job sucks and probably if they hate where they’re at, they’re going to hate when they come to you. So I like finding happy people. Like I’m happy where I’m at great, I’m going to steal you, right? Because those are good people. But dang finding like, especially for like pen testing type roles, it’s really hard to find like, like the good people that you need to put in front of your customers, I can find bodies all day long. But people that mesh with the culture and they do it, that’s the hard stuff right
[00:21:37] Brad Nigh: there always turn people down that were absurdly qualified because you’re in a whole
[00:21:43] Evan Francen: year decade, we only knew here no decades,
[00:21:47] John Strand: Oh my God, but that’s, that’s a carry over. You remember the way this industry was like, if we go back like 15 years ago, maybe even 10, like you look at the offensive community, we were horrible. I was definitely one of them, right? There’s no question about that, but you know within this community back in the day it was like this piss and bravado of like you know, I can hack that, I can hack that, I can hack that and you know if you’ve ever written a zero-day or and all this garbage and it was toxic as hell, like it was just tough and we still get those people, they’re like, you know, I consider myself to be one of the best pen testers walking the planet. I’m like no, I know those guys, you’re not them. Um and I don’t know who you are so sorry that that spot’s taken, you’re not in that spot and it’s just that attitude is just so trash. And there’s some, I don’t know if you if you picked up on it, but there’s some key phrases that they almost always say like one of the things I’ve heard like 10, 15 people say to me that were a-holes were like I was doing object oriented programming in high school before it was a thing. Um and it’s like okay, yeah, I’m just burning your resume right now, I’m done with
[00:22:57] Brad Nigh: the fun part is the people that you want don’t have to tell you that stuff.
[00:23:02] John Strand: That’s true. That’s very true.
[00:23:04] Brad Nigh: As soon as you start saying, well I do, I’m like okay tune out. Yeah, I just when we do the interviews it’s conversations like is it a culture fit first and foremost.
[00:23:14] John Strand: Yeah cool. We had this
[00:23:16] Evan Francen: interview with people, sorry go
[00:23:18] John Strand: ahead. I was going to say we had an interview with Daniel um TokyoNeon who came and joined us and the interview literally was a conversation on like golden ticket attacks and Kerberos and all this stuff and what ended up happening is through that conversation like talking about new possible avenues of doing the attack, we had to call Tim Medin and ask him a couple of questions and and it’s just like it wasn’t an interview right? It was like this this conversation is give and take this back and forth which is like this is this is a fit like this is gonna work
[00:23:48] Evan Francen: totally 100% and you’re interviewing with I mean don’t forget you’re interviewing with security people, you don’t think we did some OSINT
[00:23:56] John Strand: oh my God yes. And then you end up calling people, it’s like you worked with this with this guy, what do you think? He’s like oh no, no it’s not gonna it’s not gonna work, it’s not gonna work at all. No,
[00:24:09] Evan Francen: so you don’t really need to tell us what it is that you’ve done. We probably already know.
[00:24:13] John Strand: Yeah
[00:24:14] Evan Francen: if we don’t, we’ll ask for questions to fill in the gaps
[00:24:17] John Strand: and and there’s there are some quiet people that are just stealth and they’re amazing, you know, and those are good people, those are good people.
[00:24:23] Evan Francen: I love the humble quiet people because they’re, they kind of freaked me out a little bit too though. Yeah. You know like what are you really up to? I’m not really
[00:24:32] John Strand: sure.
[00:24:33] Brad Nigh: It’s a weird balance because you don’t get the good without having some sort of ego right? Like we all know we’re good at what we do, but you have to, it balances with being humble and knowing I don’t know everything and there’s people who don’t know a lot more than me. So it’s a really fine line between cocky and arrogant and yeah, I know I’m good, but I know, I don’t know everything,
[00:24:58] John Strand: but you know, and that is such a fine line, right? Like you can get your head wedged so far up your own ass, you just can’t see anything. And that’s something, you know, we always dealt with at the SANS Institute with instructors is you get into the point where you’ve taught hundreds of times and there’s very rarely anybody that’s going to ask you a question that you haven’t answered dozens of times and then people are just like, oh my God, how did you know that? You’re a genius. It’s like, it’s like that quote from Groundhog Day where it’s like maybe God isn’t God, maybe God is just somebody that’s done it a lot and so like some of these people, you look like you’re a God and eventually you start believing that shit and I remember there’s always this trajectory and I went through it too. I remember I had like let’s go to some Mike Poor pulled me aside about year four, I started teaching and they’re like you’re starting to get a big head that’s okay, that happens and you need to stop like and we can kind of start picking that crap up on instructors and there’s always this little point and I pulled aside instructors and I’m like dude you’re talking like your shit don’t stink and you need to, you need to like what does that check yourself before you wreck yourself and but you
[00:26:03] Evan Francen: can check yourself
[00:26:04] John Strand: Yeah, because because it’s difficult right? Because when you’re teaching you have all these people and you know you’re you’re sharing knowledge and it’s kind of like it’s helping and then you start believing it. But no, you got to find that way to stay humble or at least try to stay humble. Um otherwise you end up losing yourself and that’s very, very difficult and it ends up in a bad place. So
[00:26:26] Brad Nigh: that’s what my kids are for the last time I design, I do like a tv interview and all the stars whose I was 14, I was like what are you doing, Blah Blah Blah microchips in the rain, nobody
[00:26:38] John Strand: cared. Okay, wow exactly. So my favorite humbling thing that happened was with my son. I was teaching at a conference and we had covered uh like wireless attacks and things like that. And one of the wireless attacks that we showed is with ncpa.cpl on Windows. You can go right into the wireless profiles, go to the wireless network and then click the box show password will show you the clear text password. Well, my son was using the hot spot on my phone and I typed in the password for him and we covered that section. And sure as hell he got that password for my wireless hot spot. And then we’re going on the class and then we’re talking about using Namechk and then taking a user ID and doing a search with Namechk to find all the different sites that you that you have that user id. So my son does that with with my strandjs uh user id finds all these different places and for a lot of things, I use random passwords. I use LastPass for like banks and really important things. But then there’s things like, you know Pandora, what the hell? Like I don’t care right? And you know, somebody is going to be like, well if I have your Pandora account, here’s how I can ruin your life. And uh yeah, so at any rate he goes through about all of the different like sites that I had the exact same password and he’s like I’ve got access to this account and this account, this account and this account, an FBI agent in the front row, hears him like giving me shit when this is happening. And he’s like going through, he’s like, you know, oh my god. So the FBI wasn’t got a coin and gave it to my son as an award. Like a whole bunch of agents showed up and I’m like congratulations Logan. You hacked your dad. Oh my god. I feel like an absolute turn. That’s that’s that’s humility I guess.
[00:28:26] Evan Francen: I love that. Well it’s the people around you that you know keep you humble. Right? I hear a lot of crap from people that I don’t I don’t want to hear. But thank god I heard it because I mean I’m my own worst enemy had destroyed myself.
[00:28:42] Brad Nigh: Yeah. Well the other thing I think Evan is teaching the CISSP class and realizing, oh my god, I forgot all this stuff. I don’t
[00:28:51] Evan Francen: know that son of a bitch. Yeah. Every time. Every single damn time. So we uh John I don’t know if you we do this CISSP Mentor Program. We started in 2010. Yeah it was six students. We had two employees then. I don’t know. It’s just weird. And so this is the 12th year. And we had what? 6400 some odd. Yeah registrations uh but every year you do it and you’re especially now when there’s nobody like in front of you oh my God teaching this and you’re like I have no idea if any of you understand a damn thing I’m saying I can’t see your faces. Yeah.
[00:29:30] Brad Nigh: Yeah. And Evan hates me because he gave me the security models two years in a row. You try teaching Bell-LaPadula to a computer screen.
[00:29:39] John Strand: Yeah. Yeah. Oh my God. And then. Yeah. Yeah. Yeah. But you know what, you know that cert has legs. Like I, I just don't know, like, what god they found favor in. Um, but like, uh, it's funny the amount of hate that cert gets, like people ripping on it all the time, but I keep telling people, you hate it or not doesn't matter. It's irrelevant. Like seriously, if you want a job in this industry, there's no cert in the world that gets you as many hits and clears HR hurdles better than the CISSP. Like, like seriously? I
[00:30:15] Evan Francen: think you hit the nail on the head too, right? It's, it's about clearing an HR hurdle. It doesn't speak anything to what you can actually do on the job. Yeah. You know, you passed the test, you got, you got past HR, it's
[00:30:27] John Strand: nowhere, and that's, and that's kind of one of the things, you know, where you mentioned at the beginning my pay-what-you-can training, and I started going down that route, and, and you know, we talked about it with Covid, but you know how we came to pay what you can is we were talking about doing it for free. And that's hard. Like whenever you're giving a VM to people and you have Amazon costs to get the labs and everything, that's pricey to just give it away for free. And um, then we were talking about making it really, really cheap. And then there was this concept of scholarships, and this gets weird. But I hate scholarships and I want to explain why, because I know some people kind of freak out whenever I say that. It's like, in this industry, you've seen it, where they're like, oh, we need more women, we need more minorities. And they always reach for that, right? They're always like, well, we're gonna go in, we're gonna, we're gonna give out scholarships. And while I think that that's showing your heart's in the right place, and I think that that's helping that particular individual and it's great for that individual, it doesn't fix anything, right? It's not an actual structural solution to the problem. It's basically, for a lot of organizations, it's a way that it can be like, see, look, we're not sexist, we're not racist, and I
[00:31:36] Evan Francen: virtue signaling
[00:31:37] John Strand: virtue, you know, and we all virtue signal for everything. Like I wear pants. And I'm signaling the fact that I think your pants, right? But you start doing that and it doesn't change a damn thing. And it makes me mad. So one of the things we did is, let's just destroy the gates completely. Just obliterate them, where it's pay what you can. If you can show up and you can pay $495, do it; you can pay $195, awesome; you can pay $25, awesome. You can't pay anything? Shoot me an email, tell me where you're at in life and where you want to go and you get a discount code where you get to take the class for free, and I don't care what color you are. I don't care your religion, I don't care where you're from. I don't care about your hair color, nothing. I don't care, just come, and that systematically destroys the gates across the industry, because right now to get in, you know, CISSP is a great gateway cert. It's awesome because it's attainable for a lot of people. But a lot of this stuff, like coming from the SANS Institute, if somebody wants to get involved in security, are you going to take a SANS cert to get started? No way in hell, you're gonna drop eight grand. And for a lot of these jobs they want someone that has a cert that costs $8000; in order to get the job, you have to have the cert, to get the cert you gotta have a job that's willing to pay for the freaking cert. So it becomes this gate, so destroy the gates for everybody across the board. I don't care where you're coming from. We've got people from Dubai, um, we've got people that are coming in from Kuala Lumpur. We've got people coming from India, from Russia. It's just amazing. And I just don't care. And it's just amazing because we have these people show up, they're all eager to learn. They've never had the opportunity to have like world class training before. 
And now all of a sudden they have like world class training, and I know that that's a bit egotistical, but damn it, I did this for 17 years. Um, I have thousands of emails, I feel pretty confident in saying that we're pretty good at what we do. And it's been amazing. Like I get these emails from people like, I took your class and I put it on my resume and simply because I took your classes, I got this job, and it's just like really awesome and that's all I ask. I think that people want that opportunity, they want to be able to attack this stuff. But if you're working three jobs to make ends meet, you can't pay for that stuff. So by creating that opportunity, and you know, I have people a lot, they'll bring up SANS and they'll be like, well, you're competing with the place that got you started. I don't look at it that way. SANS traditionally sucked at two-day training, they just never could get it off the ground. And for me success is, if somebody gets a job that pays for a SANS cert, goddamn! That's great success. That's, that's, that's getting that person to that point where their career can now start to take
[00:34:19] Brad Nigh: off. I hear that all the time. Like, free? Really? What, what's the catch? No catch. Here, here's the catch: we've gotten really good employees out of people taking the class for free to come work for you. Yeah. Even if we didn't get any, just giving back and, you know, giving people the opportunity I honestly didn't have coming up, it's worth it. But yeah, that's a benefit, like sometimes you get good people coming to you.
[00:34:50] John Strand: Yeah. And how many times, before the, the before times, right, in the before times whenever you're at a con, how many times have you had people come up to you and, like, shake your hand and even give you hugs because that was the thing that got them started and got them rolling through? And I know that that's that altruistic thing that's hard to quantify, and I know it's stroking your ego, but that's a good thing, and you know what, if I can die and I know that I actually helped a lot of people make their lives better, I'll take that action every day of the week. 100%. You know?
[00:35:23] Brad Nigh: Yeah. Those emails when, when they're like, I passed the test, you know, can you? How do I, how do I get? Uh, oh my gosh, I just got the word, like
[00:35:35] John Strand: words. Yeah. The validation for me is that one of the coolest things, signing it for them, um, and then sending it in. Yeah, that's, that's, that's where it's at, right? Um, yeah,
[00:35:49] Evan Francen: but we have this mission, I mean the mission is to fix the broken industry, you know? And so I've had so many people ask me, well, is that even possible? And I'm like, I don't know, but it's a hill worth dying on and it keeps us honest. I mean we'll always do. There's also a rule that if you do something to the customer, if you sell something the customer doesn't need, I'll run you over with my truck. Yeah, and I have an F-250 so I can get over some big people,
[00:36:16] John Strand: that's a big truck. Um, but you know, you talk about making things better, um, years ago at ShmooCon, the last time I think it was at Wardman Park during the Snowmageddon, or was it Snowmageddon? I can't remember, ShmooCon. And we were all snowed in for like three days and it was probably one of my favorite experiences. My wife and I were there with the Security Weekly team and Chris Nickerson got a room, like a conference room, and we got all these people together, you know? Dave Kennedy, myself, Kevin Johnson, um, it was Kevin Johnson's first time ever seeing snow. So that was cool. And one of the things that, that Nickerson did, and Nickerson's Nickerson, right? Like if you've ever met him, you never forget him, because he's like, look, we suck, like in this industry, we suck. And there's a lot of stuff that we don't have the ability to fix. But one of the things we can start doing is start treating each other with some respect. And he started talking about social media. Back then, social media was really kind of like taking off like a rocket and all these petty tribal things were popping up and people were sniping each other and ripping on each other and it was creating these wars where lines were drawn, and basically what he talked about is there's people in the room that are big enough in name and have enough influence in their little Venn diagram circles that we can talk to people within our group, like, hey, you're being an a-hole. Yeah, but this guy is wrong. It's like, it's okay, okay, they're wrong, be wrong. It's all right. And we kind of started having these back channel conversations to simmer the conversations down, and I think that that worked, but that's a small thing, but it made this industry so much better, because if I was on the outside coming in, people were ripping on each other for a variety of just stupid damn reasons, you know, okay, you know, so, so what was it? 
A two sec was one person that was kind of harsh against somebody that I knew, and then I can't remember who was ripping on Paul. Um, Noel DEv null or something was ripping on Paul all the time, and it was just like, it was just this negativity, and it got better, but it got better in increments, right? And you talk about these boutique firms, like your firm, BHIS, Secure Ideas, TrustedSec, all these, it's like the more that we support firms that are doing the right thing, the more we define what security consulting is, and it's not being defined by, like, McAfee, Dell SecureWorks, or um, like all of these huge companies, and it's going to be better, and it's always these increments, like it's a CISSP class helping someone, or a pay-what-you-can class helping out, and we've got to be doing little increments everywhere that we can, and over time we are going to get better. Now there's some people who would disagree, they say, oh my God, it's still a dumpster fire, and it is from time to time, but by and large it's better than it was.
[00:38:54] Evan Francen: So when you're faced with something like that. So let's say it is a dumpster fire. So then what are you gonna do about it? Are you just gonna sit there and let it burn? Are you actually gonna at least try to put it out? Maybe you have a glass of water, it's not going to put the fire out, but maybe it buys you a second or two before everything implodes. I don't know.
[00:39:14] John Strand: Yeah,
[00:39:16] Evan Francen: or sit and watch it
[00:39:18] John Strand: well, and you know what, there's fires that we have in the industry right now. Like I would say one of the big fires that we have, this pendulum goes back and forth in the industry where offensive is cool and everything is offensive, and blue becomes cool and everything is blue, and, and right now, like one of the big fights that happens is, you know, the offensive tooling community, where you release a tool on GitHub and then all of a sudden it's used in an attack and then people are like, wow, if you hadn't written this tool, then the Russians would have lost. It's, that's garbage. Um, and I also think we're missing the point sometimes, and I think that it needs, we need some older gray beards to kind of come in and, you know, kind of bring some sanity to this, because I've talked to some people in the AV community 12 years ago when I was talking about bypassing antivirus engines and they're like, how dare you. And I'm like, because our adversaries are doing it, and, and I'm not showing them anything, like they know how to do this, but to actually counter-program, excuse me, vendors that are saying, oh, my AV has zero false positives and it detects everything. Ah, it isn't. Um, and here we can prove that. Those are important lessons, and we're looking at the offensive community. I gotta be honest, Blue Team folks, if, if your biggest concern is a tool that's released publicly out on GitHub, and that tool can bypass, and its source code is all there, and we can't detect that, we're in big trouble. Let's be honest about this.
[00:40:43] Brad Nigh: I'm trying to think if there's any advanced AI, machine learning, whatever, to get Evan going, because he hates those words. Endpoint. You know, it's
[00:40:55] Evan Francen: my face turning redder.
[00:40:56] John Strand: Yeah. Actually it is, to be honest with you. It's so, we're
[00:41:03] Brad Nigh: working IRs there. Every single vendor has not caught things. I mean, you can't just trust that. Well, yeah, adversaries know this.
[00:41:13] John Strand: And one of the things that I think that, that showed this in clear contrast was the MITRE ATT&CK evaluations, where MITRE went through and evaluated a bunch of vendors, and they evaluated Cylance and CrowdStrike and Defender and RSA and all these different companies, right? And every one of them had things that they missed. Okay. And that in and of itself is not interesting to me. I know that they're going to miss things. But what's really interesting to me is, up until the first one, I think they started with, like, APT3 or APT1, um, and what's, like, I think APT29, up until they released that, you could use Cobalt Strike and you could bypass a lot of those products, just a few small tweaks and modifications. But because they used Cobalt Strike and because they used PowerShell Empire, all those vendors got real good at detecting Cobalt Strike and PowerShell Empire right after that. And that's what they were freaking detecting. And you know, and then every vendor's like, we won this, I'm like, you missed 36 detects. You didn't win a damn thing, um, in this. So I think that it's important to show people that and say, look, everything has weaknesses. Don't believe the hype from the vendor. Don't believe the hype.
[00:42:27] Brad Nigh: Yeah. Yeah. And then now with everything running in encoded PowerShell and in memory, you know, launching through caliber note pad. They're not catching that stuff because it's not running a signature that they know
[00:42:42] John Strand: well, and you still come back to signatures, right? I mean, I think my favorite example was Cylance. I think it was Cylance, I might be getting this wrong, but Cylance got in trouble because they were uploading things to VirusTotal. Um, and the reason why is because they didn't have that history of a massive virus database that they could lean upon, because they were a new company. So they were submitting all their crap to VirusTotal to try to get those traditional signature-based detections based on hashes and things like that, because you can't do it with just artificial intelligence. I always tell people, go look at Microsoft Tay. When Microsoft released Tay on the twitterverse, they're like, here's a Twitter bot, the more you talk with Tay the better Tay gets at talking. In less than 24 hours it was spewing like Nazi propaganda and some of the hormone system in the world. And that's because artificial intelligence can be trained on the wrong stuff. I mean, it just can. And anybody who knows this stuff sees it
[00:43:38] Evan Francen: I mean, even at the very beginning, right, there's gotta be some beginning inputs into AI, and those are biased. All right. Whoever developed the AI is biased. So it's like, what was it, this week? Last week, I think there was some Senate testimony. I like watching Senate testimony because I like watching kind of the BS that goes on. But you had Twitter, YouTube, I don't know who else, Tristan Harris was there from, you know, Center for Humane Technology or whatever, they were talking about, you know, the algorithms behind, you know, what you see on Facebook, and, and the thing that, the thing that always seems to win here is logic. I think through, you know, you talk about gray beards. Uh, there was a day when life was a lot simpler than it is today and it was a lot easier to secure things. It was a lot, because we understood them. You know, I understood how my network worked because I built the damn thing, and every line of, every line in the config I understand what it does, and then we continue to add more and more complexity and more and more complexity, and now people are way out here on the fringe talking about endpoint and all these other things and they don't even know what it is that they're trying to protect. Yeah, what do you have? You can't protect what you don't know you have. Once you start there.
[00:44:59] John Strand: Well, dude, whenever we started with the Critical Controls years ago, um, you know, when Alan Paller kicked this out, and now it's pretty much being run by James and Kelly Tarala at Enclave, so full credit and props to them. Um, whenever that started out, the first two controls were inventory of software, inventory of hardware. And, and we always said that we started with those first two because they were the most important, and as much as we, you know, get on your soapbox and we talk about that, it's amazing to me how much of the industry is still like, yeah, no, uh, no, that looks hard. I mean, it's so important. I think it's Rumble, that's where HD Moore is, right, like automatic inventory and asset identification. I mean, that HD Moore, one of the smartest of us, right? Like we're talking Dan Kaminsky level security superstar, and he's in the game of inventory management. That says something, right? Because you honestly can't protect. You think about IR, how many times you're working an IR gig and you know that something's popped on the network, it's generating alerts, like, where is this IP address? And like, oh no. Oh my gosh.
[00:46:06] Evan Francen: And when you do, and then when you do find it, it's like, who owns this system? I don't know. What does it do? I don't
[00:46:13] John Strand: know what the hell.
[00:46:15] Brad Nigh: Oh, Oh
[00:46:16] John Strand: my shot that, hold
[00:46:18] Brad Nigh: on. That's my favorite. We're seeing Cobalt Strike and it's calling out to the Netherlands. Can we quarantine? No, it's, no, no, no, no,
[00:46:25] John Strand: no, no, that’s production. Yeah. Good God. Like really?
[00:46:29] Brad Nigh: You'll get a kick out of this. Tomorrow I'm actually doing a webinar and it was framed for me by marketing, thank you, marketing, as the, uh, protecting the crown jewels. Okay, I can, I can get behind that. Turns out the topic that I got was data science and cybersecurity.
[00:46:49] John Strand: Oh, well, you know what, dude, that's fun, right? Like, as long as you're approaching it, but I hate it, like the artificial intelligence thing. But there's so many cool algorithms that can help you. Um, but good night. Like, yeah. Weird. You're going to find this out, Brad. When you give that presentation, you start talking about, like, K-means clustering and Bayesian and all that stuff, there's gonna be people that you're gonna present to that are like, never once has a vendor ever told me what they were actually doing. Just having that breath of honesty about data science and computer security, people's minds just explode. They're like, that's cool. But why aren't the vendors telling us that? What's
[00:47:29] Brad Nigh: fun is the other person that will be on there is a vendor that does data science with machine learning. So that could get,
[00:47:40] Evan Francen: we’re not allowed to call them out
[00:47:42] Brad Nigh: and now I’m just saying it’ll be fine.
[00:47:43] Evan Francen: Oh dude, I’m going to leave. I’ll call it out on the shit show.
[00:47:47] John Strand: I'll probably, I'll tell you a story. So I was talking about K-means clustering versus, um, like MAD, median absolute deviation, that I mean, at a conference, and the vendor that had actually sponsored the sessions was Darktrace, and uh, I was, I was talking about the problems with K-means clustering. K-means clustering allows you to find consistencies in data patterns. So we talk about it with beacons, so we can look at interval: if you have a consistent interval, um, let's say a back door that beacons out once every 10 seconds, K-means as your algorithm, right, it's going to be able to find that consistency. Um, and I went through and I was talking about K-means and I was like, you know, K-means is great for this. But as soon as you start getting a dispersion, let's say a jitter plus or minus 20%, or if it goes quiet, if the system gets powered off for eight hours and then it powers back on, K-means completely misses the plot. Here's all the problems with K-means clustering, and it's good for these things, not good for these things. That's how all machine learning algorithms go. They're good for some things, not for others. And we use MAD, which does a statistical distribution, and you can actually find jitter and things like that. And I go through and explain all of this, right? And like a lot of vendors say that they're doing K-means, you see it in Splunk, and you got this, you got this, you got this, and well, what stuff are you using K-means to do? It's just a train wreck. Freaking vendor from Darktrace gets up and his presentation is how they used K-means for their, for their analysis. And I'm like, I just did 20 minutes on how K-means doesn't work for like 95% of what you're doing, and then he gets up there, K-means is awesome, here's what we're using, and it's like, oh God, they paid for this. Um, so yeah, you know, you gotta watch that. But the cool thing is sometimes with vendors, you know, they're kind of oblivious, uh, to what you're talking about. 
It just got there. You pull the Elmo string on the back and they go into presentation mode. Um, and just open the best.
[00:49:41] Brad Nigh: Yes it will be fine.
[00:49:43] Evan Francen: Darktrace went public in London on the London exchange, I think today, I think yesterday, oh,
[00:49:51] John Strand: so
[00:49:52] Evan Francen: I've had my issues with Darktrace. But you know, things are, anything is good if you're using it for what it's built for, right? A hammer is good. A hammer is good for hitting a nail. It's not good for having
[00:50:07] John Strand: a piece of wood. I agree. So like, if you're looking at Darktrace, Darktrace is awesome. Like I actually sat down and talked to some of the data scientists, um, I think I was in, um, Vancouver, I was up in Vancouver, east side of Vancouver, and I was presenting there, and they had a bunch of their engineers, and I went up to the table and we started talking algorithms, um, because I like those things, and their engineers, like, lit up, and they're talking about all their algorithms and how they're, like, profiling network traffic on the inside for east-west movement and what they're doing. And I'm like, that's really cool, and we're writing things down, and a lot of these, a lot of these engineers are like in their twenties, and it's funny because there was like a manager there, and I'm sitting there and I'm talking about all this stuff and kind of sharing what we do and RITA, um, and how we do our beacon analysis, and, you know, uh, talking about it, and then finally, like, one of the managers just, like, steps in and it's like, this conversation needs to be, I'm like, what? He goes, yeah, this needs to be over, like this is all patented, and I'm like, that's bull. Like every algorithm you're using was released open source in the seventies, man, come on. And, and, but no, he's like, no, no, no, we're done. Um, but you know, Darktrace, I look at Darktrace and I think it's really cool, right? And ExtraHop is really, really cool. The thing that gets me is it's complicated to implement in a lot of environments, takes a lot of data to get it right. And holy God, is it expensive. Super expensive. Like, you know, I've had customers, one box is like 100 grand. Like there's a company that does cruises and they have a cruise ship that has it up and running, 100 grand for a single box, and that's, that's really freaking pricey to actually do that. 
Um, and then ultimately, the thing that really makes me mad is a lot of them, um, if you're looking at what they do, they're, like, trying to detect lateral movement and they're trying to do it still on network, and I believe fundamentally the best way to detect lateral movement is in your Active Directory logs. Um, because your data is going to be tied in Active Directory, you're gonna see the logs when they're doing Kerberos to see if somebody has access to certain files. You've got artificial intelligence algorithms you can throw on your Active Directory logs that do stacked analysis. Like, this user is logged into one workstation. No big deal. This user is logged into 5000 workstations. Okay. That's not, that's a big deal. We need, we need to investigate that. And it's not like it's hard math, but you can do it. Um, so it's cool. But I think if you're gonna spend money, you should spend your money on detecting lateral movement in Active Directory logs before you're doing something that's really, really super expensive. And you know, if you're looking at ExtraHop, ExtraHop is awesome. But I don't know, like ntop seems like it does a lot of what ExtraHop does and it's free to cheap. So I don't know, it's just like a vendor with a better marketing budget seems to do this stuff, and I'm gonna have these people hate-mailing me. Um, and that's okay. That's fine.
[00:53:04] Evan Francen: But, and that happens because they do, you do need to be called out. One thing we don't want customers doing is going out and buying things that you don't understand, that you're not capable of using correctly. You know, there's a progression, there's a maturity that, you know, there's a reason why they, you know, our industry has been using this term maturity for so long.
[00:53:23] John Strand: Well, you're absolutely right. Like, if you're an investment firm and you have zero tolerance for any risk, go talk to Darktrace, go talk to Vectra, right? Like right now, go talk to them, right? If you're a small to medium sized business, then maybe there's a whole bunch of other technologies that you can buy that are cheaper or implement before you get to that point. Um, when you
[00:53:47] Evan Francen: some asset management,
[00:53:48] John Strand: Well, maybe some asset management, right? Or maybe, I'm just throwing this out there, I'll freak out companies, like, have you thought about implementing application allow listing by just directory? Um, I can bypass it as an attacker, but it shuts down like 95-plus percent of drive-by attacks, like that's cheap. Let's do
[00:54:06] Brad Nigh: that. Well, and that's really, all right.
[00:54:10] Evan Francen: Well, that's risk management, right? The goal, you know, and we advise this all the time, I don't know how many times we've talked the CSOs of large, large companies down to small companies. The goal is not risk elimination. Stop trying to go there. It's risk management, right?
[00:54:25] John Strand: Yeah. And I, dude, I have companies that do that, they're, they're going for risk elimination and they're willing to throw the money at it. And like, we have one customer that does a full rip and replace of their entire network stack to make sure it's the newest stuff every five years, which is cool because we get their old stuff. Um, whenever they're running vendors, like they actually have licenses for like all of the major EDR vendors, they got a sandbox, multiple pen testing companies coming in evaluating, bypassing and coming up with mitigations for this stuff. They have, I think, 120 employees and six of them are full time security professionals. And they're working with consulting firms around all of this. So they're playing that game, right, they're trying to go as fast and as hard as they can, because they know from a reputation perspective, one hack, they're out of business, like that. Zero tolerance that they actually have in their organization, and everybody is on board from the CEO all the way down to the mail boy, right? They all get it, and they're like, we're gonna make things harder on you because we have to be secure. But that, but that's, think about how rare that is. That's not possible, right? That doesn't scale, you just can't do that. So
[00:55:39] Evan Francen: that would be a lot of stress to work under, that environment, because you're being asked and you're trying to do what truly is impossible. Mhm. Well, I mean, no matter how much money you throw at it, you know, you're not gonna stop everything,
[00:55:53] John Strand: but the guy that runs it, you know, he has a good relationship with the CXOs and they get it, they understand that they're going to get compromised and they understand that it, you know, what's going to happen, and they want to know how much can they limit it, how quickly can they detect it. And then the other thing is, do they have a narrative and a story that they can go to their customers with? Basically be like, look, this is all that we're doing, and we got hit by like a SolarWinds-level attack where it was a nation state attacker. And that's what they want to push, they want to push it: you have to be at a nation state level or higher to come at this firm. They don't want the embarrassing, oops, there was SQL injection on this particular web portal. Oops. Um, so that's kind of the narrative. RDP was open. Yeah. RDP was open with the password of company name 123. Yeah, that
[00:56:43] Evan Francen: never happens. Well, in the, it's funny you mentioned SolarWinds too, because I have a beef, I always have a beef or something, but I think that's what keeps me busy. You know, Kevin Mandia, you know, the Kevin Mandia, I think, uh, Brad Smith and George Kurtz were called, you know, to their Senate testimony. And one of the things, you know, the Senator Wyden, who's, uh, from Oregon, asked this question, and, uh, it was kind of that, hon, it was cool to see that they actually asked a good question, but it was, you know, the IRS had, uh, Orion installed, and the IRS, uh, you know, had restricted Orion's ability to communicate with anything outside, right? It didn't need the ability to communicate with the outside world. So essentially, you know, a properly configured firewall, right, ingress, egress. Uh, and so he posed the question to these guys: would a properly configured firewall, meaning basically the only thing that's permitted to talk through this firewall is permitted traffic, would that have stopped this attack or mitigated this attack? Not all the other potential attacks, because that's not the point. This particular attack. And the answer is yes. But the answer you got from, you know, like Mandia was, um, well, we do 600, you know, FireEye, you know, red team, uh, exercises every year and the firewalls never stopped us. But that wasn't the question. The question was a properly configured firewall, and there's always a bypass. But the question was also, would it have stopped this particular attack? So you already have a tool, if you had locked it down, and the answer, you know, truly would have been yes. Could you have gotten around it? Yes, absolutely. But the way the attack actually worked and played out, there was no command and control then.
[00:58:40] John Strand: So I think that there's a couple of things. I agree with that sentiment, like, but my fear is that, you know, in, Kevin's absolutely right. Like, you know, the amount of times that we're caught by a firewall is like not, that's why we released RITA. Um, that's why, that's literally why we released it, straight up, because for C2, data exfiltration, it's like, well, what can we do? It's like, you're screwed. Um, and I hate that answer. So I'm like, here's a free tool that we've written that allows you to detect that in your Zeek logs. So Kevin is 100% correct, and the issue is that that "properly configured" is a scary thing. Right, because what does it mean? What does it mean that, like, how would you actually baseline where all the patches and the updates actually come in from for a specific application? Especially whenever you're looking at a lot of people using Akamai, uh, to distribute patches, I mean, hell, even Microsoft is using Akamai, and you got that, you got that as a problem with CDNs. Um, so that is somewhat of an issue. And then if you layer domain fronting on top of it, it gets even more complicated to try to deal with it. So I don't know, I mean, it's not an easy answer. Right. It's
[00:59:56] Evan Francen: a, if you have a server that doesn’t require communication to the internet to function, why would you allow it to communicate?
[01:00:02] John Strand: With the updates? Right, patches and updates? But there
[01:00:05] Evan Francen: are other ways to apply updates too. I mean, I don’t believe that is an open firewall rule indefinitely,
[01:00:11] John Strand: but we can’t go back to the days where we were literally downloading our patches and installing them manually. I mean, that just, no, it’s just really hard complexity. And then the final thing is DNS. Um, a lot of these different tools, they’re going to use DNS, and whenever you’re looking at how most environments actually run DNS, a local system is going to go to the domain controller, and the domain controller is going to make the DNS request out to the internet, your external resolver, you know? Yes, you know, good luck. Um, you’re using DNS as a command and control situation, and that doesn’t mean that your firewall’s not properly configured. Dammit. I don’t know, because I, I think that there’s always a way, and I think you said that, right, Evan, you said that there’s always a way, and you’re gonna run into that, but it gets, it gets dicey really fast. When you’re dealing with updates, you’re dealing with DNS, how do you actually stop that from happening? And the way that we approached it with RITA is we basically, we can detect it. Um, yeah, sure as hell, as soon as that HTTP beacon fires up with SolarWinds and Orion. Yeah, it lights up. It’s using Cobalt Strike’s HTTP control, and we can detect DNS backdoors, we can absolutely detect those, but stopping it, that’s like right at the beginning, that’s real hard, because then it becomes a data science problem, which requires a large collection of data, versus a blocking problem, where you’re trying to make a decision on a packet by packet, uh, basis. It’s hard, it’s really hard.
[01:01:37] Brad Nigh: And I think a little bit of background too, because when you mentioned that, Wyden asked the FireEye
[01:01:44] John Strand: representative,
[01:01:46] Brad Nigh: or SolarWinds representative,
[01:01:49] Evan Francen: does this
[01:01:50] Brad Nigh: product require internet access to function in this, in the way it was being used? And he said no. And so that’s where it led to, well, if they do, why do they get access, if he just said it doesn’t need access to actually work?
[01:02:04] John Strand: But he’s completely wrong, right? Like, he’s wrong, I mean, and the fact that the attack happened shows that he’s wrong, because how the malware got on the Orion box was through the updates, so like the
[01:02:16] Evan Francen: malware wasn’t functional, there was no command and control, then yeah, there was no having of malware there,
[01:02:22] John Strand: Yep, totally. Right, right. But then we’re back to that, we’re back to that thing, you know, try to, try to stop me from pivoting out of an environment, and the Russians are getting really, really good at this, right, and you hate it because they use some of our tools, and it’s just, you absolutely, if you can talk to, like, that 1% of the industry that you can say, hey, we need to lock our firewall rules down, they get it, they know what it means, right, and they can do it, it’s such a fleetingly small percentage, and I think it ultimately comes down to an education problem, back to what we started talking about at the beginning.
[01:02:55] Evan Francen: We need, 100%, I agree with that too. And one of the things, you know, Bruce Schneier, you know, it’s always rung true for me, you know, since the 90s, when, when I first heard him say it, you know, complexity is the worst enemy.
[01:03:07] John Strand: Absolutely, yeah.
[01:03:09] Evan Francen: And so, you know, we’ve made our environment so damn complex that you’re right, firewall blocking back in the early 2000s, it’s totally different than what it is today. It’s a lot more of a challenge. It’s harder to do. But at some point, where does this end, if we just continue to add more and more tools, more and more complexity, more, you come up with, you, it’s crazy.
[01:03:29] John Strand: Dude, we’re screwed. And I hate to try to end this thing on a downer, but have a good thing. Yeah, we’re done, everybody, it’s hopeless, and it kinda is, right? Like, if you’re looking at the complexity is the, is the, is the enemy of computer security, um, our complexity from the technologies that we’re dealing with is exploding, and we’re just now getting to the point where we can deal with Active Directory level attacks, okay? But everybody’s migrating things to the cloud. So now you’ve got, like, Azure, you need to, AWS, you have all these APIs, you’re moving. And most security people, like, we have no idea how Docker and Kubernetes work, and containerized security. None whatsoever. Like a, like a virtual machine, right? And, and it’s, it’s, we’re hosed, and the developers, they don’t even know how this stuff works, and they’re not implementing security, because if you actually know what you’re doing with some of these things, you’re like, oh my God, like, default API creds, like, showing up all over the place, or opening up management interfaces, and, and that complexity is just exploding. And that is a massive concern that we have for all of this. And, but like I said, don’t, don’t be depressed about that, because job security for a good long time, like, you’re not going to be on, you’re not going to be in a bread line any time soon. Job
[01:04:52] Evan Francen: security, but just, just unplug your own shit.
[01:04:55] John Strand: Yep. You unplug everything, and the kids are like, Daddy, why can’t I play Xbox and, like, go to Snapchat? Because it’s evil.
[01:05:03] Evan Francen: Stay away. You know, I’ve got, I was telling, you know, I’ve always had, I’ve had this countdown, you know, September 15, 2023 is the day I retire, which means I’m kind of sidelining. I’ll do nonprofit stuff. I think
[01:05:14] John Strand: more, but
[01:05:15] Evan Francen: That’s 864 days. So I keep telling these guys, just hold this shit together for another 864 days.
[01:05:21] John Strand: please
[01:05:23] Brad Nigh: Every time you say that, it gives me
[01:05:24] John Strand: heartburn. Well, I, I, I’ve talked about, like, the same thing. It’s like, eventually, eventually I’m gonna have to go off into the sunset. I don’t know what I’m gonna do, but there’s gonna come a point where I’m like, you guys remember that your bosses, way, way, way back in the day, and they’d come in and they’d be like, yeah, I remember back in my day with Turbo Pascal and COBOL, and they’d tell you this long story that was completely irrelevant to anything that you’re talking about. I’m afraid of becoming that, where it’s like, all right, so now we’re gonna fire up Netcat, everyone starts snickering. They’re like, Netcat, really?
[01:05:59] Evan Francen: Hell, has never
[01:06:00] John Strand: heard of that. That happened probably five years ago for me. So those days are coming where they’re gonna put me out to pasture and give me a nice pile of grain to keep me occupied. You
[01:06:11] Evan Francen: know, the good thing, maybe, John, maybe you can go here, except I think this is kind of where I already settled: the basics, the fundamentals, those things haven’t changed. No, they’re still the same.
[01:06:23] John Strand: And the thing that sucks is new people are trying to jump in there, like, okay, so I need someone to explain Spectre and Meltdown to me. It’s like, no, no, no, I really don’t. Like, you know, we can talk about speculative execution and ring -3 and, you know, like, all these six. How about we learn TCP/IP and operating systems first, and we’ll work, because you go back to that firewall thing, properly configured firewall. If you don’t understand TCP/IP, you don’t understand UDP, you don’t understand DNS, you don’t understand SCTP, you don’t understand QUIC, the QUIC protocol, you’re gonna have a bad day. Um, but it comes back to education every
[01:07:03] Evan Francen: time. When they’re dangerous, right? I mean, when you don’t get those basics, those foundational, fundamental things, and I put tools, you know, in front of you, you don’t know how they function, you start breaking things, you know, and then we have legal issues and God knows what else. Absolutely.
[01:07:21] John Strand: Well, gentlemen, I’ve got to get running. Yeah,
[01:07:23] Evan Francen: let’s, let’s finish this up. John, how do people find your Pay As You Go?
[01:07:28] John Strand: Oh dear God. So if you just google “John Strand pay what you can,” um, it’s going to take you to Wild West Hackin’ Fest, and you get the Wild West Hackin’ Fest website, go to training, it’s there. And of course on the Twitters, because my whole entire life is completely hooked on how many people follow me on Twitter, because that’s the way the world works today. I’m @strandjs on Twitter. Um, I try to announce all that stuff I can.
[01:07:50] Evan Francen: All right, cool. We’ll wrap this up. Thanks, listeners, for tuning in. Thank you, John, for, for you taking time to, to spend with us. I learned a ton. It was cool to listen to a lot of the things you shared. Uh, if you want to get social, John just told you how to get ahold of him. I’m @EvanFrancen, Brad is @BradNigh, um, that’s, that’s it. We’re out.
[01:08:11] John Strand: All right. Everybody take care.