Over Fail: the untold truth behind the magic of cybersecurity
10-minute talks during hack.lu to present your biggest failure in cybersecurity you've ever experienced and what you have learned from it.
It's Samion's first week in the digital forensics team of the company he has been working at for the last two years, since he graduated. Before joining the super hounds, a pseudonym given to his teammates after they helped the organisation uncover a year-long operation by a well-known, sophisticated threat actor, he was a mere SOC analyst. After a few months of weeding through useless alerts, responding to run-of-the-mill scam reports, and occasionally coming across something that looked worth investigating only to pass it to the super hounds, as dictated by the playbook he had to follow as strictly as a worker on the assembly line of the Ford Model T in the last century, he started experiencing the dreaded analyst fatigue.
Samion is a smart, curious, respectful human being who does not need a code of conduct to behave. He felt his mission, as boring as it may seem, was important so that the super hounds, the legendary forensicators of the organisation, could concentrate on saving the business from really mean cyberattacks. However, his yin outgrew his yang and he decided it was time to act before his misery needed the company of a huge, toxic dose of cynicism. So he asked for training and, after a positive answer, attended it, studied for long hours at night and ran some really nice experiments in his home lab. He passed a forensics certification with flying colours and even earned a lethal forensicator coin alongside the other trainees he worked with to solve the difficult challenges set by their instructor.
When he went back to work, he asked to join the super hounds. Given his loyalty, dedication and overall performance, his wish was granted and here he is, with the first disk copy he needs to analyse to make progress in a case where an employee in a subsidiary on the other side of the real world was apparently spear-phished and an unknown malware was installed, spotted thanks to some strange network connections.
He opened the freshly delivered parcel containing the drive and was puzzled to find out it was in its original package, shrink-wrapped. Being the new kid on the block, he did not dare ask his coworkers. Maybe the local security officer at the subsidiary, who was given very clear instructions on how to clone the disk of the compromised endpoint, went out of his way or was simply a perfectionist.
He took the drive out of the package, plugged in the cables, ensured the write blocker was working and connected it to his forensics workstation. He then started to look for the MFT and the volumes within the drive, but there was nothing at all. He called one of his seasoned coworkers for help and after twenty minutes of trying different tools and methods, the verdict came in. The disk was indeed brand new. So Samion got the security officer on the phone to ask him how this mess came to be. Sounding uneasy, the security officer admitted he had sent them a fresh drive of the same make and model as the one in the endpoint, after the user, who was the CFO of the subsidiary, gave him a hard time and refused to hand it over for the few hours needed to copy the evidence.
This is not fake news, apart from the name of the main character. Cybersecurity is riddled with such epic fails. Some even say incident response and forensics are more than 80% failures, with few true successes. And that's probably true for other cybersecurity fields, be it research, red teaming, or even risk assessments.
And while there are more cybersecurity conferences than days in a year, speakers mostly describe successes and so-called cutting-edge methods and tools, which sometimes sound too good to be true, to the applause and shoulder-patting of the audience. But we, at hack.lu, think it is time we give the stage to the untold truth behind the magic of cybersecurity by making a call for failure.
Did you get flagged by the blue team for a dumb mistake during a red team engagement? Have you brought down an important application in the course of a pentest or while researching a vulnerability? How about some blockchain, artificial idiocy, machine burning, Big data gotten small or cyber threat intelligence where the intelligence part was left out?
Do you have a Samion story to share with the other hack.lu attendees in ten minutes or less? Then submit to our call for failure and help us dispel the magical and BS side of cybersecurity! Human knowledge has been built on regular failures. So be proud and share your failures in a 10-minute session which will take place during hack.lu.
The event is open to all participants of hack.lu and the accepted speakers for the CfF 0x0. The event will take place on Wednesday 23rd October 2019 during the hack.lu conference from 19:00 until 21:00. Talks will be 10 minutes max.