
Cloud Coffee Talk
Security of the Cloud - Part 2: White Hat edition
This is such a great discussion with Greg Foss, Threat Intelligence Researcher extraordinaire, ethical hacker, pen tester, and all around nice guy that you want on your side of the security discussion. We cover a wide range of cybersecurity-related topics, such as Ransomware trends, being banned from AOL, the elegance of malware, why you should never trust public wifi, the speed of a hack, security culture challenges, and much more.
[0:00:15] Darren: All right, so welcome to Cloud Coffee Talk. These are real world problems, solutions and thoughtful discussions about working in the cloud. This podcast is meant for cloud professionals at every level of the organization, from the executive team to those with their hands on the keyboard, putting out fires and making the world a better place.
Once again, I am Darren Weiner, the owner of CloudButton, an independent IT Consulting company. This week's discussion is security of the cloud, it's part two and this is the White Hat edition. I'm super excited about the guest I have on the show today. I was trying to think about how to introduce him and all I could come up with were metaphors - the Mario Andretti of cybersecurity or the Tony Hawk or, since it's the Olympics now, the Katie Ledecky of cybersecurity. But I'm going to let him introduce himself first. Greg, Greg Foss, why don't you tell us a little about yourself?
[0:01:06] Greg: Thanks so much for having me on here. And you give me far too much credit. So I am happy to be here and discussing cloud security with you. A little bit about my background. I came from a government space initially where I did offensive security, ethical hacking, penetration testing and red teaming and that kind of thing. Then moved over to the blue team side of things where I ended up getting into the security research space a bit before I established a Global Security Operations program and threat research program at a former employer. From there went to the endpoint space, most recently coming from VMware Carbon Black, where I worked on basically a lot of the rules that you see across that product line today, and now working for a startup based in California called Lacework as a security researcher.
[0:01:59] Darren: Yeah, you've done it all. You've done the ethical hacking, the pen testing, you've done physical break ins too, right, as part of what you've done. I think I saw you speak a little about that.
[0:02:06] Greg: I have, yeah. Used to consult a bit and those were fun times.
[0:02:12] Darren: Definitely fun times for sure. But you're also a really nice guy, which is like - I was thinking about it, like I really want you to be the one telling me I've been breached. You know, you're so mild mannered. You're like "Yeah, you've been breached. All your data is encrypted and it's been exfiltrated and it's being sold on the dark web and your backups, they've been purged. Your access keys have been revoked". And I'd be like, "Well thanks for letting me know Greg, I really appreciate that."
[0:02:37] Greg: There's no good way to deliver that kind of news, I think. It's too hard.
[0:02:42] Darren: But I want you delivering it though. Talk about how you got into security. Obviously you're really passionate about what you do, you're really good at it, so how'd you get into it?
[0:02:52] Greg: Yeah, it's an interesting story. Like, I've been interested in computers ever since I was a kid. I was very fortunate, both my parents worked in technology, so when I was pretty young, I was able to get a computer to play with at home and eventually ended up building my own computer. The security space is real interesting. My buddy who - he runs his own web development firm now - he and I actually were a bit of troublemakers back in middle school and that was where I had my first taste of the security space. We were back in the AOL era and my friend and I, we would just go on there and we were very interested in just figuring out how to mess with people online, and started with playing with each other - we would trick each other into opening files and links and stuff. Like we were using NetBus and all those kinds of things. My favorite was the cup holder, a little trick where it opened CD-ROM drives back in the day, but it escalated from there. We started going into chat rooms and stuff and writing JavaScript that would mess with everyone in the room and freeze computers and things. It got to a point where, you know, long story short, I cannot use AOL or their services today - since I was in middle school - and I mean it hasn't had too much of an impact, fortunately.
[0:03:52] Darren: No? That AOL ban hasn't hurt you too much?
[0:03:54] Greg: No, no. So it is interesting - so I had always been interested in computers and this kind of thing, but when I was going into college, I actually started out as a psychology major because I was very interested in that side of things - how the mind works and social dynamics and that kind of thing. So that was what I initially majored in in college. But then I realized I might have to go on to get a master's or something like that to actually do something with this. So I took my minor, which was computer science, and made that another major at the time, so I ended up doing psychology and computer science. Fortunately, I shifted a lot more to the computer science once I really dove into those classes and realized: okay, I could actually do this for a living. This is pretty cool.
[0:04:54] Darren: So you actually have a fairly strong development background then.
[0:04:56] Greg: Oh yeah. So that was kind of my core. My mom was a math major and my uncle taught math and so that's always been kind of a strong area, fortunately. But I was always afraid of that. I was never as good as they were at it. So I was afraid of that side of it. But then when I realized: Oh, I can just write programs that do a lot of this for me, that kind of shifted the tide of it. But it was really when I saw Chris Nickerson and his show, I don't know if you ever watched Tiger Team back in the day. It's pretty good. They actually have the show on YouTube and it was back when no one was doing this kind of thing. But I saw this - it was on Discovery Channel at the time - and the cool thing is he's based in Denver, his whole company is based out here. So he's one of the people that's really cool to meet once I got into this space. But I watched Tiger Team and they were like physically breaking into these buildings, figuring out how to bypass alarms, bypassing security systems. And I watched this and was like, no way, this is a job? You can do this for a living? And it blew my mind and then ever since all I wanted to do was that kind of thing. So I was very fortunate coming out of college getting into working for the government, doing web security. While I was in college, I wrote websites, basically using Drupal and stuff, just made crappy little CMS websites for local businesses. But it was enough to teach me enough to pass their tests in order to make it into a position within the government where I got to actually get real training on how to hack web applications and it kind of just grew from there.
[0:06:46] Darren: Very cool. You really were born to do this, holy cow. From a cybersecurity standpoint. What keeps you up at night?
[0:06:54] Greg: I mean a lot of things are pretty scary, right? The latest stuff that's been pretty awful is just these ransomware attacks we're seeing just all over. It's come to a point now where it's an insane level of attacks happening all day every day to all sorts of different companies. Just last week, I was talking to a friend of mine who works for a pretty prominent incident response firm, and they were saying that every single day they're getting about five new ransomware cases, and it's awful. And it's not these companies that end up in the news, like the massive meat packing plants, hospitals; it's these little mom and pop shops. It's people that just have like 30 computers, and the ransomware isn't even the whole encompassing aspect of the attack, that's the last component of it. The part that scares me is everything that's happened up to that point. People have been in their networks for, often times, a month if not longer, and it's not even one person. It's usually someone breaches the company, they'll go in, maybe steal some stuff, they'll sell access to someone else, then they'll sell access to someone else, they'll sell personal information, stolen credit cards, all these kinds of things. So it's that whole underground crime aspect of things that's happening on top of the ransomware that kind of freaks me out, because that's the stuff you don't really see on these forums and stuff. But you know all that information is being shared and the ransomware is devastatingly impactful in and of itself. But the thing is that's kind of just the last component. That's just the person who decided to say, hey, I'm going to execute this Ransomware As A Service that I just bought on their system. As we saw too with Kaseya, they have this large scale attack that can take out hundreds of companies at a time. So it's far reaching and devastatingly impactful. That's kind of what scares me right now.
[0:08:43] Darren: And the level of sophistication is just getting ridiculous. It used to be "ransomware"...and now it's ransomware and we have your data and we're going to sell your data and, as you said, they're in the systems and they're probably crypto mining, right? It's all sort of coming together now, as the sophistication level goes up. It is kind of a scary time in that regard.
[0:09:01] Greg: Exactly.
[0:09:03] Darren: Can you think back a little bit to the first big breach - the first time you were like, oh crap, this is bad. Do you remember a specific incident like that?
[0:09:15] Greg: Oh yeah. I know all too well, my first incident. I will never forget it, and it was actually my first job in the industry when I was working for the government. We were breached by China back in the day and it was crazy because I had never worked anything like this. I never understood what the reality of being on the other side of this thing looked like. But we were hit by a nation state adversary that was going through all of our systems in terms of an espionage attack. The craziest thing to me was reading Mandiant's report on this, because they were kind of the first company out there to go through and document one of these large scale breaches in such a way, because they hit so many different government entities. And so the APT1 report - it was like a few months after we cleaned up from our mess, I was reading through that. It's like, oh man, they did this to us, they did this to us - like every kind of thing in that report was all too real. That was one of the things that put Mandiant on the map, because they kind of highlighted this side of the industry that people don't really see unless they're working in places like, doing government security and focusing on these things directly. But that was intense. The level of the breach was so severe that half of my team's systems were backdoored. So we had to isolate their systems, and some of the smartest people on my team, the people I looked up to, they had their computers hacked. So these people were no joke in what they were doing and their sophistication.
[0:10:46] Darren: I think about that a lot. I mentioned this in the last podcast that I did with Tyler Warren how, when you think about all these malicious programs and these breaches: There are really smart people that go to work every day and what they do is figure out how to hack, how to breach, how to exfiltrate. Really smart people. And so do you ever look back and look at a particular breach or malware and appreciate the elegance of it?
[0:11:13] Greg: Oh yeah, I mean that's kind of why a lot of us are in this space, right? Being a coder at heart, seeing some of the mechanisms that we found in pieces of malware, some of the ways they leverage different tooling. At the Cloud Security Alliance we were kind of touching on this, how malware authors, I kind of think, actually coined AI and ML - at least used it - before any of us on the blue team side had even started looking into it, because you had these worms back in the day, they would pop a system, gather information, learn from that, move laterally to another host. So spreading mechanisms are incredibly, incredibly powerful and that's something we've seen with some of these ransomware attacks as well. Like the NotPetya attack was devastating. How they took the Shadow Brokers leak of the EternalBlue tooling that came out of the NSA - it was like a month after that, they had it baked into their malware and they were using it to spread through Windows environments. The speed and efficiency at which some of these groups can operate is definitely devastating. And like you're talking about: some of these people, this is their whole job. When you look at North Korea, the Lazarus Group, that is their whole job there. They're like some of the group of 300 people that's actually allowed to touch a computer in that country. So they have to perform or who knows what happens.
[0:12:39] Darren: A little pressure. They have different KPIs than you or I do I think.
[0:12:42] Greg: Yeah exactly. I wouldn't like that job pressure.
[0:12:47] Darren: So how do you stay sharp and up to speed, given the pace of all this changing. Not just in terms of the tools but also the threats?
[0:12:57] Greg: Yeah, it's tough, right? It varies a lot depending on industries or verticals I've worked in within the space. So like, you know, always listening to podcasts - like listening to this podcast, listening to various other podcasts. That's kind of the thing I do when I go running and biking and stuff. I like to kind of multitask like that. But also just reading kind of everything that I can get my hands on. All the newsletters that try and condense down a lot of the different articles, I've found really helpful. Especially coming into the cloud space, I had very minimal experience in cloud before coming to Lacework. I'd done kind of high level cloud stuff. So coming here, I actually went out and I signed up for some certification courses and just started going through that content. And then just learning from my team. I think the thing that's been real helpful for me is just being open with my new team now about like, hey, I don't know anything about this. Like: show me your ways kind of thing, and just being open and willing to learn about it, because it changes so fast in this industry. That's kind of one of the nice things about it though. Like we're not ever going to get bored. The hard part is focusing.
[0:14:09] Darren: Absolutely, just keeping up with it. That's interesting, because you were focused a lot on endpoint and everything else so the cloud is a relatively new space for you.
[0:14:20] Greg: Yeah. A lot of reversing and pen testing and stuff before that, and cloud is a whole new ballgame coming into here. Like there's whole new tool kits and stuff that I've never heard of before in cloud and it's pretty cool. That's kind of why in the talk that I was doing at Cloud Security Alliance I was comparing what we saw in the endpoint space to how that overlays in cloud. So I think there's a lot of people that are in security that haven't really dove deep into cloud yet and kind of underestimate the complexity of it.
[0:14:53] Darren: It is hard to appreciate the differences if you don't understand it. I've dealt with a number of CISOs where they just don't quite get it. They bring a lot to the table, but things are different in cloud and you need to adapt for sure.
[0:15:06] Greg: You think like, so that's handled by the cloud, right? No, you put those controls there, you manage all those still. So it's a lot more complicated.
[0:15:16] Darren: It really is. You mentioned tools earlier. What're some of the coolest tools in your tool belt that you use?
[0:15:25] Greg: I mean lately, just digging into cloud stuff, I want to say the AWS command line interface itself, you know? That's something I've been digging into. Just trying to figure out - so I've been trying to write scripts around it to automate different components of doing security assessment sort of things, like trying to figure out how to do automated privilege escalation using AWS Identity and Access Management, because it's kind of cool when you look at that compared to a Windows environment or Active Directory, it's kind of like the same thing. It's just one is cloud, one is on-premise or a traditional kind of environment. But that's the main thing I've been playing with. Of course, all the other tools that tie into the AWS CLI are pretty cool too. Like Pacu is a real new one. I think the folks at Rhino Security created that one. Kind of like a Metasploit framework for AWS.
[0:16:19] Darren: Have you messed with boto3 at all?
[0:16:21] Greg: I haven't.
[0:16:23] Darren: It's just a little bit nicer if you're using the CLI a lot, check it out - boto3, the Python framework, just makes things a little bit easier.
[0:16:27] Greg: I've seen that it's actually in the Lambdas, right?
[0:16:34] Darren: Yeah, exactly. I mean, you can do it local, you can do it wherever, but it just becomes a little bit easier. It's a true development language instead of the CLI which is just a CLI.
[0:16:41] Greg: Interesting, because I've always seen it, I never really knew too much about what it actually was.
[0:16:46] Darren: Under the hood the CLI is Python and I'm pretty sure it's boto3 under the hood. I listened to a few of your podcasts, and you did some really great presentations, not just podcasts, on wireless. I want you to tell listeners - and try to keep this short if you can - just give people a sense of why it's such a bad idea to connect to an unprotected wireless. So I'm at DIA. I just have to check my email real quick. Discuss the specific steps a hacker who's sitting in the airport does to basically compromise you.
[0:17:21] Greg: Yeah, wireless is a whole other spectrum of so many different attack potentials, especially in a public space like an airport. One of the best attacks I would say is the evil twin attack, and that just relies on you having connected to this public access point before, so you don't have credentials, you don't have authentication, but you're in a public space or, you know, somewhere where your phone just has wifi on or your computer just has wifi on. All I have to do is imitate that wireless device that you connected to before. All you have to do is change the name of the access point and your system will automatically connect to it, as long as I've configured my access point to allow that. And now you're sending all your data through an access point that's controlled by an adversary. So I can do all sorts of things like I can downgrade your communications, I can force you to not use encrypted connections if it's possible - like over your browser, back to standard HTTP - sniff everything that's going across the wire. So wireless attacks, that's something that still to this day is such a big problem. And so many people inherently trust a lot of these. Also, even just the access points themselves, these public access points, you don't know who has access to those. You don't know if that access point has been backdoored. One very prominent attack was the DarkHotel attack, where a targeted adversary went after a specific hotel they knew their target audience was going to be staying at, hijacked the wifi, and all they did was actually embed a piece of malware that when you brought up the prompt, like the login, it would actually download malware on your system - it was like a fake Adobe pop up kind of thing - and they used that to trick them, and they just thought they had to install this to use the login portal. So that's something we've seen a lot of adversaries leverage in real world breaches as well that have had a significant impact.
[0:19:14] Darren: You know what's interesting about this is how easy it is and most people just don't know; it doesn't even cross their minds. I think about my kids and the next generation who are just consumers of technology, but they don't really understand technology at all. Not to mention the older generation that also doesn't, right. And so it's one of those things where you're just kind of doomed, really. What do you do when you travel for wireless protection? What's your approach?
[0:19:43] Greg: Yeah, it's tough, right? Like you're saying, it's easy for someone to stand these up now. You can get a Hak5 WiFi Pineapple for 100 bucks, hook it up to your phone. It doesn't even have to look like you're running these antennas or whatever people think hackers look like. When I travel, when I go to conferences, especially if I go to DEF CON or Black Hat, you know, those places where there are legit criminals, that's for sure. There's only so much the hotel and staff and everything can do. But really, you know, I never connect to wifi, I leave Bluetooth off now, and when I'm connected through my GSM network I use a VPN when I'm in the hotels and stuff like that, because you never know. Like people have been standing up the - what are they called? The mobile-like antenna units. They're illegal to have but easy to build, so to speak. But you can intercept mobile communications with those. What are they, like Stingray or something? I think they're called. Yeah, I mean, so there's a lot of different protocols, not just wireless, that are under attack now, especially if you become a target, right? Like there's the SIM swapping attacks that people can target your phones with in order to steal multi-factor - like if you have SMS based multi-factor. So those are all the things that kind of run through my mind when I go to - not like general traveling, but if I was going to Black Hat this week, these are things I would do.
[0:21:00] Darren: Stressful travel experience, isn't it?
[0:21:02] Greg: Yeah, like the first time I went there I was all paranoid and stuff and now I've been there and kind of forgot about it a couple of times, like, oh my stuff's on. Oops.
[0:21:22] Darren: Maybe you just need to read magazines the whole time, you know, just bring some Wired magazines and just read those. Stay off...
[0:21:27] Greg: Exactly. I assume that whatever I'm doing, I'm okay with everyone seeing it. So...
[0:21:36] Darren: What percent of your time is spent on the dark web and what do you do there?
[0:21:40] Greg: I try to spend, I want to say like 20% or so of the work day kind of looking at some of the content there, and I don't really go into it a lot, like browsing and things like that. I have a lot of scripts that I go through and I've set up to go pull content. And we go through third party intelligence agencies as well. So I try and directly touch as little as possible in that space just because there's a lot of kind of sketchy stuff there. Like it's not as crazy as people think. It's not all like the hitmen for hire and all that that people make it out to be. Of course there are those things, but I'm pretty confident those are like sting operations and things like that. But the stuff I'm real interested in is like, you know, what new malware is coming out, what new exploit kits are being shared? Are there new vulnerabilities being leveraged? You know - what are the most common exploits that are being sold and leveraged on these darknet markets? Also what kind of information and systems are for sale? So that's a lot of what I curate my scripts to pull. We have alerts set up now if anyone is selling Amazon root keys, Azure root keys. Being in the cloud space, that's like a devastatingly impactful credential to get. So we try and monitor that, and see: is this any of our customers? Is it something we can proactively warn them about? Are we able to get a hold of some of these? And a lot of that we actually do hunting through GitHub and VirusTotal and things like that as well.
[0:23:13] Darren: Talking a little bit more about malware and about the level of sophistication, where this is going, and that there's smart people on both sides developing these systems, and talking about the speed of security versus the speed of a hack. You did a presentation a couple weeks ago at the Cloud Security Alliance. And one thing that came to my mind is, you know, if I'm a bad guy and I actually am able to breach a system, I have my scripts ready to go, I have my run books, right, for hitting hard. And so the challenge of not just detection but remediation becomes so challenging as these things become more and more sophisticated. The whole idea that on the security side you have to get it right 100% of the time; the bad guys only have to get it right one time. So talk about - obviously there's a lot of vendors playing in the space, you work for one of them - talk a little bit about what you've been seeing happening there.
[0:24:12] Greg: Yeah, and that's kind of the game, right? Like how do we get ahead of these attackers in our environments. When you look at traditional kind of computing infrastructure, like talking about a Windows, Linux kind of on-premise sort of environment, a lot of these groups you would see get - some of the fastest ones will be able to go from zero to ransomware in a matter of hours, maybe like 5 to 7 hours. But a lot of the other groups will take their time, some of them will stay in for months, and some of them are not even going to be the same group that breached versus the same group that deploys. So there's that window in time, and it always comes down to how do we make it difficult for them to go from compromised asset A to getting domain admin, getting full access to the environment, getting access to sensitive data like source code, customer data - the things that they're probably going to look to leverage for exfiltrating out of the environment and maybe using as an additional ransom. So the big thing is like, how do we make them trip as many bells and whistles to get to those little nuggets as possible. That pays dividends over time. But also security teams have to have the ability to respond directly. All too often, at companies I've worked at, companies I've consulted and helped with, the security team is simply monitoring. They don't have that ability to block and tackle, change permissions to lock accounts out and stuff like that. They have to go through this change management process. And so it ties their hands in these scenarios.
[0:25:47] Darren: That's a great segue into the next piece I want to talk about. Every episode that I've done so far, for me the culture of organizations plays such an important role, and you really just hit on one of the big ones, right? The culture of security at companies and what works and what doesn't. There's always a sense that security gets in the way too much. And then of course you brought up a whole other side of it, where they can't respond because they have to go through this onerous change management process. Obviously there's the whole idea of DevSecOps, but I think it has a long way to go at a lot of organizations. So how do we solve for that? What do you see happening in organizations?
[0:26:30] Greg: Yeah. And I think the move to DevSecOps, it's naturally going in that direction. The hard thing is so many companies have just always done it this way, so it's hard for them to shift everything. And then, of course, people are getting toes stepped on, like, hey, this is my piece of the pie here, you shouldn't be able to do that. And of course there's concerns with that too. How do we know the security people aren't going to block something and take out business services and things like that? And of course those things can happen. Moving forward, some of these kinds of issues are worth it in the long run if it could prevent something that's even more devastating down the line. And I think cloud provides a perfect opportunity for this, because so many of the teams we look at today that are doing cloud, and are really focused on having so much of their business in cloud, they kind of have taken on that role where they're running the operations, they're writing code for it. And a lot of them are doing their own monitoring, and so that kind of puts them in the cockpit and they are in charge of this whole environment. So if it goes down, that's also on them. But if it stays running then their baby is fine. So I think that is going to open the door for us to allow for more of this kind of response from these teams that have that vested interest. Especially important when you look at some of the attacks that can happen in cloud, like when we were talking about ransomware in cloud, we saw something I'd never seen before until we started playing around with this in our lab. Like you can run, I believe it's like seven commands, and you can encrypt an entire cloud environment in AWS in under 30 seconds, and there's literally nothing the target can do if they haven't backed up to cold storage, say like Arctic Vault and stuff like that.
There's really no way to revert from it other than paying the ransom, because Amazon doesn't even have those keys. You generated them locally and did the encryption locally. So this is kind of a crazy dynamic, and I've never seen something that can happen that quickly and that efficiently just to destroy a company's entire data set. And so I think it's going to open the door to why we need to have that ability to respond and have more people with those keys to do so.
[0:28:44] Darren: I do agree that obviously all the cloud capabilities, in terms of the things you could do, the whole idea of security being job zero - cloud really does enable that, because you can build up systems as code and you can build up infrastructure and design things in a way that, okay, we've well-architected this from the beginning. But again the culture in the organization, organizational sort of friction, still ends up getting injected into the process, and so I think we still have a bit of a way to go. In fact in my research for this podcast, I saw a report from VMware Carbon Black and they talked about how - this was I think a couple of years ago - but it was: "IT and Security teams appear to be aligned on goals, but 77.4% of survey respondents said IT and security currently have a negative relationship". So a long way to go, right? Obviously it is changing and needs to change. I just hope it changes fast enough to keep up with all the things that are happening out there.
[0:29:43] Greg: No, I completely agree. I mean it was such a problem in a past job that I had. I was running a security operations team at the time and my team did not get along with IT, IT didn't get along with us. Nobody liked each other. So my boss, the CSO, and the head of IT, they actually were just like: no, we're going to force all of you to sit by each other. So they physically moved us to their building, we sat by them, and it actually helped. We ended up getting to know them, like, oh, there are people there, it's not just this person behind a keyboard kind of thing. But I think it is a big problem and I don't know how to solve it in most organizations. It's tricky.
[0:30:22] Darren: Obviously we need to keep talking about it. Keep talking about things like DevSecOps and, you know, what we're trying to achieve, and everyone needs to understand the capabilities that are out there now. Because as we talked about earlier, the security folks who maybe have more of an on-premise sort of mindset - which is important, and it's important to take some of those ideas - they need to really understand the cloud component and be educated on that. And those people in the cloud need to understand that, hey, some of these traditional security concepts, maybe not the exact implementations, but the concepts: security-in-depth, for example, zero trust, all that. It goes across all these boundaries.
[0:31:00] Greg: Exactly, exactly. And at the end of the day, security is everyone's job. So many people want to say, oh, that's on security to solve this. But like, no, like you could get phished like anyone else and that's the kind of thing I think people don't pay attention to, it doesn't matter where you are in the organization. I mean if you're say a janitor in a very large organization, you could definitely be a target because you have access to all the rooms in that building, you might have a computer account that they could use. There's all sorts of reasons anyone at the company could be, could be a target for any reason.
[0:31:33] Darren: So we talked about the mom and pop shops that are getting impacted by ransomware and I want to go back to that a little bit in terms of, given how overwhelming the cloud is in general. And then the fact that there's all this malware out there, what are you seeing happening, how do start-ups keep up on the security front? How do they possibly obtain subject matter expertise? What's a good approach for them?
[0:31:58] Greg: That's tough. I mean, so many startups, it's a cost center for these organizations to have a security operations person, let alone a team. And so a lot of that ends up being someone who's wearing a lot of hats and a lot of times that person is doing a lot of the operations stuff as well. In a previous role I was the security guy for a while and it was because they didn't have a security team in this company, we had the research team I was on, it was kind of doing security a little bit. I was like, no, we need someone dedicated to look at some of this stuff because we were getting phished constantly and stuff. So it's a big, big problem. You have to find someone who's going to be passionate about it, take it seriously. And people don't like the security people often at the company. So you kinda have to be the bad guy a little bit because you're taking all the fun stuff from people sometimes, you know, disabling certain things, forcing people to change passwords, sending phishing simulations.
[0:32:15] Darren: Yeah, you have to be that guy: "Change your password"!
[0:32:18] Greg: Exactly. And at small companies, they don't have these overarching program and management kind of mandates to force them to do it until they get to the size where they have to start passing audits and have accountability for the sensitivity of data, which I think cloud helps with tremendously now. You can't get customers without being SOC2 compliant. You have GDPR concerns. And so all of that is kind of a driver for, okay, you do need security people at least checking the boxes in a compliance sense.
[0:33:29] Darren: I do think that where the SMBs, the Mom and Pops, technology companies for sure can certainly leverage a lot of these third party vendors like Lacework, you know, the companies that are out there now, I think it's sort of inevitable because you just can't have that subject matter expertise in-house all the time. It's just impossible.
[0:33:50] Greg: Exactly. And that's one of the things I like with Lacework because it kind of takes a lot of the, like we bake our knowledge into it. So it kind of makes as many of the decisions as possible for end users, you don't have to go and be an expert in Amazon or Azure or things like that to get value out of the tool. And so that's kind of one of the things I really like about what we do here is helping those kinds of companies by presenting them with: Hey, here's something you should be concerned with. They don't necessarily have to be an expert in the space to understand that this is a concerning thing and to follow it kind of down to a T.
[0:34:25] Darren: What's one of the, now that...I want to say the other side of Covid, but whatever...we're in the middle of Covid...what's one of the attack vectors that have really strengthened since Covid?
[0:34:36] Greg: Yeah, the big thing was people going after VPN concentrators and network devices. So all the things where these companies stood up infrastructure now to dramatically and rapidly shift people to working from home, all of those kinds of devices now, like a majority of the attacks we're seeing were against specific VPN providers, and that was something like a lot of it came down to insecure configurations, people standing this up and not patching them, and then people just going out and hunting for zero days in these products and then eventually developing exploits for them. That, and going after home users. One of the things we saw in the crimeware forums, there's a lot of uptick in home router attacks, especially things that are exposed to the internet, they have the management interfaces so they could get in remotely. So it was a big shift in those types of attacks. And of course, you know, attacks against end users were at an all time high, just everyone getting phished every which way through mobile devices, through personal devices and through their work devices as well. So it just kind of changed the attack landscape.
[0:35:42] Darren: And the devices now, because of Covid and the rush to work remotely and everything else. I think you're seeing more and more with this highly remote workforce. You're seeing more people use all sorts of systems, their phones, their personal computers, work computers, all to do work related things. To switch gears a little bit: It seems to me that...and then you have all these endpoint security tools that can be installed and enabled and it seems like privacy is maybe being compromised a little bit, like you just can't move at this pace, at the pace that the world has moved in the last 18 months and expect that people are thinking about that.
[0:36:23] Greg: Yeah. And privacy is always going to be a cost to security in a sense. It's one of those unfortunate trade offs that take place when people add more monitoring to devices that people are working on. Yes, one of the things, like any work device, you should consider that like anything I'm doing on this laptop, I assume...
[0:36:46] Darren: ...but that's the thing: it's not just about the work device anymore, right? Because of the way people are connecting and I think about things like - it used to be that, oh, every time somebody starts working at a company they get a laptop. Well now there's all these companies doing more and more offshoring, you don't know what's being used on the other end of it necessarily. There is a lot more due diligence that's needed. And even then there's just this leakage because people are checking their email on their phones and they're clicking on links and doing all sorts of things that are work-related.
[0:37:13] Greg: I'm glad you mentioned that because that's one of the things that has always concerned me with, you know, you can connect to our VPN with your personal device. We're just going to push all this stuff to your device. You don't tell the people what it is, they don't tell what it's doing, what visibility it has into their system. And a lot of this, I mean I used to work for an EDR company, and you can see everything, all the processes, every parent process, child process, you can see keystrokes happening on the command line, all sorts of components that people have no idea are being captured by these security devices. And so it is a very concerning thing in terms of privacy. But also there is still that gap. A lot of these companies don't push security tooling to personal devices, whereas I think they should give people an option. Like if you have some antivirus products for corporate, it would be great if you could offer them to have like a personal device protection on the side, maybe that doesn't have visibility into the company in some way, so they can protect like five of their own personal devices, but I don't think we're there yet as an industry and plus there's a cost to doing so, it's kind of a tricky problem to be in. That's why going after personal devices is still such a great boon for attackers, because they know a lot of these aren't going to be protected like a corporate asset would.
[0:38:31] Darren: And if they are, and if there has been endpoint protection pushed to those systems, usually, and I know because I've been on both sides of this, you're signing a document that says: we have the ability to remotely wipe your phone and we can do that if we want to. It's just really challenging because it's also, everything is so fuzzy. It's kind of this big soupy mess.
[0:38:51] Greg: Oh yeah. And then, being on the other side of it, we had to remotely wipe personal devices because of a disgruntled employee kind of situation and it can be devastating for these people because they maybe don't have it backed up. They didn't sandbox the app, the communication protocol they used didn't allow you to sandbox the app kind of thing. So it's a weird dynamic we live in and that's why I always think if companies are going to force you to have a phone and be reachable and stuff, they should provide a phone that's a work phone, you can separate the two physically. It's easier said than done.
[0:39:28] Darren: Yeah. Who wants to walk around with two phones? We've all done it. It's awful.
So, let's try and talk about something, I don't know, good. Since Covid, what would you say has been one of the best things that's happened in the security space?
[0:39:43] Greg: Yeah. Now we all can work from home. I mean, we didn't have to go anywhere to do this podcast, which is great. I think it's really opened people's eyes to the fact you don't have to physically be in an office to do a lot of jobs nowadays - people can communicate and work pretty efficiently remotely. And I think it's really highlighted that. In security, it's tricky because now monitoring has shifted, everything is distributed. So it's forced people to figure out how do they monitor things more efficiently and that, to the benefit of companies like what we do, it's forced a lot of companies to adopt a cloud model, where I would say a majority of organizations now, whether they were in cloud or not before, they now do have a cloud presence simply because they have to have assets available to people regardless of where they are. It's much easier to configure that in that sort of model than a traditional datacenter.
[0:40:36] Darren: So the best thing since Covid is more cloud.
[0:40:39] Greg: Yeah, yeah. More cloud.
[0:40:42] Darren: It's good for business, good for me. So that's great.
[0:40:44] Greg: Yeah. Yeah. Well I think it's the natural progression of things, right?
[0:40:48] Darren: Yeah. Well, I made a decision about 10 years ago to focus on cloud because it's clear. So we talked about privacy a little bit. I'm going to switch gears a little bit and we'll spend a little bit of time talking about this, the idea of compliance versus security. So in your world, I'm sure you've seen a lot of this, where you have companies that are focused really hard on getting compliant. But are they really secure? This is a little bit of an awkward, uncomfortable sort of space. But can you talk a little bit about some of your experiences there?
[0:41:23] Greg: Yeah. I always say like compliance is not equal to security. It's good, right? It helps you get the baseline and helps you understand where things are and it ensures that you do some level of due diligence. But at the end of the day, a lot of it really comes down to being able to collect insurance in the event you do get compromised. And if you look at the majority of these companies that have been compromised, all of them were compliant to some standard. These major corporations, all of them had done due diligence with compliance. They had segmentation. They had, you know, all the check boxes were checked by multiple different third parties. But at the end of the day, real security is looking for, oh you know you're compliant over here in this environment. But there's this weird little thing over here. The shadow IT device. Okay. There's a default password there, I'm going to get in there. Oh, some system admin. Well, I've been to here, how I can pivot in. And then it kind of bursts the bubble on the rest of the program. That's one of the things I like with where we're going now with attack surface management tooling. Some of the companies that I've seen come out with these new approaches to looking at it, because so many people have done vulnerability management from the inside out. Like I'm going to scan all the things I know about and I'm going to make sure those are patched and stuff, and I mean even that is difficult and they're hitting like maybe 80% there. But it's these shadow IT components and looking at other types of devices, like some of my friends over at Randori, they're a crazy smart group of hackers over there and one of their favorite things is getting in through phones, like old school phones, and just laying persistent on conference bridges and things like that, because no one is looking at those networks, they're not looking at the phones, are not able to secure those, and it allows them into the rest of the network.
And so they are one of these attack surface management companies that kind of take that mindset of like here's what real attackers will do and how they approach your company. I like to see kind of that approach shifting because you do need to have that real adversary's mindset and viewpoint in order to defend against modern adversaries today.
[0:43:37] Darren: Yeah. And that's a lot more work than just being compliant with a particular regimen. It's a very different thing. I don't think a lot of companies realize...
[0:43:45] Greg: ...and compliance is hard, too. Compliance is a giant process and it's important, people have to go through it. I think it does show a level of security, but it's looking at it not from like I did the check box, now I'm secure, but like: what's the real world impact here and how do I verify that?
[0:44:06] Darren: We're going to start wrapping up now. So I wanted to finish up with what I call flash questions, I don't know what to call them...but these are totally just answer the questions - you can give context, you don't have to give context, it doesn't matter at all...except for the last question, which is something more...giving words of advice. I hacked your computer earlier and you're going to get shocked if you get any of these wrong, OK? So don't touch the keyboard. Okay, so you ready?
[0:44:35] Greg: I guess so.
[0:44:37] Darren: Mr. Robot or WarGames?
[0:44:39] Greg: Mr. Robot.
[0:44:41] Darren: Stuxnet or NotPetya?
[0:44:43] Greg: Stuxnet.
[0:44:45] Darren: NREL or NOAA?
[0:44:46] Greg: NREL.
[0:44:47] Darren: That was an inside one. We both worked there.
[0:44:48] Greg: Yeah I like that one.
[0:44:51] Darren: Public S3 bucket or public ssh port?
[0:44:54] Greg: Public S3 Bucket.
[0:44:57] Darren: The data. Get the data.
Port 22 or port 3389?
[0:45:01] Greg: 3389.
[0:45:02] Darren: So easy isn't it?
[0:45:04] Greg: Oh yeah.
[0:45:05] Darren: Shorter, super complex passwords or long passwords that are easy to remember?
[0:45:10] Greg: Long passwords, easier to remember.
[0:45:12] Darren: On what day in August does Skynet become self-aware?
[0:45:16] Greg: Oh what is the date? Uh 20th? I'm going to guess 20th. I don't know.
[0:45:24] Darren: 29th. And I didn't realize it was 1997. Like holy cow.
[0:45:27] Greg: That's crazy. Wow.
[0:45:30] Darren: Jack Ryan or 007?
[0:45:33] Greg: Jack Ryan.
[0:45:35] Darren: Okay, and then if you can teach your kids one thing about cybersecurity, what would it be?
[0:45:41] Greg: Oh, one thing, the big thing I do teach my kids is to not trust anybody online. Even their friends could be messing with them online, so...
[0:45:48] Greg and Darren: Don't trust anyone.
[0:45:55] Greg: Yep.
[0:45:58] Darren: You know some advice has not changed over the years, has it? Whether you're online or not.
[0:46:02] Greg: It is scary now with kids and the accessibility of everything. I mean I'm glad I didn't grow up with Facebook around.
[0:46:11] Darren: Me too. Me too. Seriously, so Greg, thank you so much. This was a lot of fun. Can you provide your contact info for anyone who might want to reach out to you?
[0:46:24] Greg: Yeah, definitely. Well thanks so much for having me on, Darren. It's been great chatting with you today and yeah, people can reach out. I'm on Twitter @35Foss - It's a play on words if you know the intel groups in the military. And then my email's just greg<dot>foss<at>lacework<dot>net, so feel free to reach out and connect, always happy to chat with people in the space.
[0:46:51] Darren: Well, thanks Greg, I hope we can connect sometime again soon.
[0:46:55] Greg: Likewise.
[0:46:56] Darren: And to our listeners: Thanks for tuning in to another edition of Cloud Coffee Talk. You can find us on Twitter at @cloudcoffeetalk. Until next time, have fun in the cloud.