
Attack Surface All The Way Down: An Attacker's Perspective on OT Environments

Presenter:

Ray Blasko

Transcript:

I want to introduce Ray Blasko, the technical director of offensive operations at Break Point Labs and a red team operator with the U.S. Army Corps of Engineers, a DoD certified red team specializing in attacking and defending OT and IT environments, with a focus on national security, extended environments. He's a regular speaker at many DoD conferences and OT red teaming engagements.

And, as a recovering red teamer, I'm really excited to hear his talk. And, without further ado, the floor is yours, sir. All right.

Thank you. Hi, everyone. Thanks for coming. I saw there is an AI talk going on right now, and I was like, oh, good, not too many people are going to come to mine. You realize you're talking to an empty room. So, hopefully it's productive and I can help; I hope you can take something away from this and bring it back to your organizations.

So, Attack Surface All the Way Down, the attacker's perspective on OT environments. So we'll go over, we'll have a quick introduction. We'll talk about some of the, like, the traditional OT attack surface that I commonly see. Talk about how attackers see attack surface and how that differs a bit from how defenders usually see it.

And then we'll talk about some specific attack vectors, at least at a high level, and some defenses, what you can do about it. So I'm Ray Blasko, I'm the technical director over offensive operations at Break Point Labs. We do penetration testing, red teaming. We also have a blue side, defensive side of the house. I also act as a red team operator on a DoD certified red team, one of 13 teams.

Our team specifically is tasked with assessing and securing ICS/SCADA environments to improve national security. So I've had the opportunity to do everything from Pentagon, DoD, Health and Human Services, securing national health care infrastructure, all the way down to small town hospitals and utilities and everything in between. So I've been able to see a lot of different environments.

And that's where a lot of the information for this talk comes from: seeing what happens within those environments and some of the common patterns that I come across. A caveat before we go through this: make sure you know your environment. I'm going to generalize a lot of things, and every organization is going to be different.

You're going to have a different history, different capabilities right now, different possibilities moving into the future. I can't tell you exactly what's best for your organization up here, because every organization is going to be different. But if you know your organization, you know how to defend it and you know an attacker's perspective, which we'll talk about today, I think that's going to set you up for success and help you not only know your current security state better, but be able to prioritize improvements and changes moving forward.

All right. So let's talk about traditional OT attack surface. And bear with me with all the little cartoons I've got in here. Many of you have probably heard of the idea of turtles all the way down. Essentially, the earth sits on top of a turtle, which is on top of a slightly bigger turtle, on top of a slightly bigger, bigger turtle.

And if you ask what the turtle is standing on, then the answer is it's turtles all the way down. It's a mythological idea. You can also do some philosophical discussion around it with infinite regression and stuff. We're going to use it to take a look at attack layers. I don't recommend going to the turtle model. Stick to the Purdue model, but this will hopefully simplify things a little bit for our purposes today.

So this is what we traditionally see. We've got our external assets. Underneath those, you've got your IT network. Underneath that, you've got your OT, more of a management network. And then you've got your OT assets, your RTUs, PLCs, all those fancy acronyms. And then at the bottom you've got your physical assets, whatever you're protecting: your utility, maybe power, gas, water, maybe health care.

Whatever it is, though, it's something to do with the physical world. You've got something physical to protect as well. And this is what we typically see. So, I've got a laser here. We've got our attack alligator up here. I do have to apologize. When I put together this presentation, I did not know that the Florida Gators were going to be at the University of Houston in the NCAA championship.

This is not intentional. You're going to see this Gator a few times, and I'm not trying to rub salt in any wounds. He's the bad guy, though. He's the villain in this story, so that helps a little bit. My sister is going to the University of Houston Southern Forum too. So, we've got our attack alligator up here.

He can, and anyone can, touch your external assets right there. External. So he's trying to get through your external assets, get to all these other turtles. So you've got your perimeter defenses, keeping anyone from getting in. If someone does get into your IT network, you don't just want to give him the crown jewels right away. So you've got your IT/OT segmentation, and hopefully that's all big enough to read.

And those two layers of defense are extremely important. I don't want to understate them at all. You should definitely be doing a lot there. But a lot of times this is kind of where it stops. That's where a lot of the focus is within these environments. You see, there's not as many layers of defense down here.

And once you get to the OT side. I also want to talk about phishing a little bit. Phishing is a good example: our evil gator from Florida says, I can't get through the external assets, so he hops into his phishing spaceship and says, okay, I'm going to bypass those, go directly into the IT network.

We're not going to really talk about phishing today. Again, it's kind of a known, known thing. You know, people are trying to phish you all the time. Phishing defenses have actually gotten a lot better in the last few years. It's very, very hard to get in. But attackers have unlimited time and opportunities. Of course, they just keep trying until they do.

But everyone has those defenses, has protections in place as well. So we won't be talking about that today. I do want to talk about a couple of mistakes I commonly see with these, the external perimeter and the IT/OT segmentation. External access for vendors is bad. We all kind of know that. But it still happens very, very regularly.

And if you do actually have to do it, maybe it's out of your control. As talked about in the keynote, it shouldn't be on 24/7. Don't just leave it open. Coordinate with the vendors. Open it up only if they need specific access. Close it immediately when they're done. Do everything you can to restrict any external access.

OSINT, open source intelligence. Another thing attackers use a ton that defenders don't generally think about as much. When I'm going to attack an organization, I'm going to look and see what's available about them, what kind of information I can get just from the open internet. So that could be something from job postings. It could be from blog posts, could be from social media.

I mean, no matter how cool your OT operations are, don't let the social media manager come in and video it all and put it on Instagram. Because attackers are going to see that, and they're going to be able to get some information out of that. I don't know how many times I've been setting up to attack an organization and I go to their job postings and I see, oh, you should have experience with Carbon Black.

Like, okay, well, as an attacker, I now know what EDR they have. I can set myself up to be prepared to get in there and abuse that EDR. How many people here use Carbon Black? Don't raise your hands. That was a test. This is going on the internet. Don't expose any information. So just think about what you're putting out there and what attackers can get to. IT/OT segmentation mistakes, real quick.

We have to think about attack paths with attackers. So if an attacker gets into your IT network, they're going to compromise that environment and try to move to the OT network from there. And usually they can, at least good attackers can, because there has to be some kind of path over there, IT to OT, for administration and management.

And they'll just abuse that legitimate path, which is nothing you can avoid. You've got to have that, right? But what do they gather while they're going through the IT network? They're going to get all the credentials, all the authentication that they can. If they get into your OT network and you have domain trust between IT and OT, suddenly you've got domain authentication right away.

As an attacker. Same with password reuse. If I take all this, say I go into your OT domain and I see, oh, there's a user over here, Joe Smith, he's a domain admin, and there's a Joe Smith domain admin over here in the IT network. I've already got that password credential. I'm going to go use it in the OT network.

If it works, then I've got domain administrator right away as soon as I get in. Same with network infrastructure. I gather all the credentials for your network infrastructure, routers and such, on the IT side or the OT side, and those all work. Now I've got domain administrator and I've got access to all your network infrastructure. It's game over.

From there I can do whatever I want. Yeah. Have you heard of the process to do a comparison between Azure?

Not specifically. It's probably something you have to do manually if there are attacker processes to do it. I guess some of those might work. And we do generally recommend sometimes people go to, if you want to test something that attackers might do, then just go do it yourself, like the attacker would. But yeah.

Preventative. I'm not sure of anything specifically, I'm not sure. But that would be a good idea for sure. Yeah. So just make sure that if they go through your IT network, any information they get, they're not going to be able to use it on the OT side as well. So just make sure that there's not a lot of crossover.

So it can't just be logically segmented. You have to segment access controls, privileges, authentication as well. Outbound DNS is another common one. And I think a lot of places know this, but don't think about it too much or don't care, and some places probably just don't know. Outbound DNS. So when an attacker gets into an environment, they want to maintain access some way. A lot of times they'll do this through, like, HTTPS communication, maybe.

SSH. Depending on the environment, that's going to blend in. For an IT environment that's going to blend in, it's going to be just fine. It's going to be all encrypted and safe, and they can maintain access to the network that way. With OT you can't do that, at least hopefully you can't do that. You can't allow HTTPS outbound.

So what they figured out is you can use DNS. Basically you encode, encrypt, a little piece of data, put it in a DNS request as a subdomain of a domain that you control as an attacker, send that outbound, and that gets routed to your name server. And now I've got that little piece of data. I do that a whole bunch of times.

And I have communication back and forth into the OT network remotely. Or it can be used to exfiltrate data. Same thing: you're just sending data out and it's getting out through those DNS requests. So just make sure you don't have any outbound DNS allowed in your environment. It's way too common that I see that happening in OT.

Secure update processes. I don't have to talk about that much. Everyone has secure processes. Make sure you're following them. Don't make exceptions. That's where errors come in.

All right, so back to the traditional OT attack surface: perimeter defenses, IT/OT segmentation. Hopefully you have those done. Hopefully they're as good as they could possibly be. But is this what an attacker sees as well when he thinks about your attack surface? So this is what we've seen. And these are the things that we're going to talk about today.

We've got supply chain attacks, physical compromise, insider threats, and nation state sophistication and zero days. These are all pretty scary. There's a lot of unknowns, and they can be very difficult to detect, difficult to prevent. And the extra scary thing: look at all those access points, those entry points. If you're doing phishing, if you're coming from your external assets, you're getting directly into the IT network, but you still got to get over to OT, right?

All of these types of attacks, they can get directly in at any point, and you don't know where they're coming in. You also don't know what privileges they're going to have when they get in. You might have an insider threat that just has full knowledge of everything, administrative privileges everywhere. How are you going to be able to defend against that or physical compromise if they can get physical access to your physical assets?

They don't need to go through all these different layers to get there. They can just go directly there. So we're going to talk about each of these, how attackers see them, and then what you can do, at least at a high level, to help yourselves and to stop them from getting to their goals.

All right, so let's take a sidebar. Talk about defense in depth. Everyone's heard defense in depth a million times. You're going to hear it a million more times. It's just that important. Like I said, attackers can get in at any point. They could have any level of privilege. You don't know where they're going to come in.

So that's why defense in depth is important. Because they're not always going to be stopped at those traditional layers. That's why you need defenses at every level. You need monitoring at every level. Incident response plans at every level. Because if they get in at any of those layers, you need to be able to stop them from that point and do everything you can to prevent them from doing anything malicious there.

A term we like to use in offensive security is assumed breach. Just assume that someone broke in. Even if you think you're very secure, you think they're not going to get in, assume that they did. And then what? Is it game over? Do you have anything left to stop them, or do you have no hope from that point?

Nothing is ever going to be completely secure. There's one exception. I did an exercise once. We are the red team element, and there's a bunch of blue teams that came in, and they were protecting simulated OT environments, and, we're attacking them. We're having some success against these teams. And one of these teams, we just couldn't see anything.

We're like, we can't even find them on the network. Do they have some super secret way to keep themselves from being even discovered? And so finally we go to them. We're like, okay, we give up. We can't find you. What are you doing here? And they said, oh, you're never going to hack us. We turned off all our machines and they were right.

Like, we couldn't get in if they turned off all the machines. I mean, the power utility that they were running wasn't delivering power to anyone. I don't think their customers were very happy, but that's the only way to be completely secure: take everything not just offline, you've got to turn it all off. Wouldn't recommend that.

All right, so let's get into some of these attacks. Supply chain attacks. And again, very, very difficult. It could be coming in from anywhere. It could be hardware. It could be software. It could be an update that comes in that's backdoored. You never know where it's going to come in. It could be a vendor. Maybe a vendor gets compromised and they use that as a path to get into your network.

And so again, initial access could be anywhere. It could be any of those different layers. It doesn't necessarily have to be the IT network; it could be anywhere along that chain. And supply chain attacks have gotten a lot of attention in the last few years because of some high profile attacks that I'm sure none of you want me to mention.

You never want to hear about them again. And there are a lot of attempts to solve these problems, and it kind of feels unsolvable sometimes. But you should be doing something about this. You should be aware of them. You should have some processes. You should have something that you're doing to try and prevent these, to try and detect them, to try and work against those attackers that are coming in through the supply chain.

Vendor standards are very important. Make sure you have those standards, and you're holding the vendors to those standards. Develop good relationships with them. That always helps. Principle of least privilege is also important, too, because those vendors, when you give them trust, you're giving them some kind of access, some kind of trust. If an attacker gets into their environment, then they inherit that same trust and then they jump over to you.

They've already got some privileges there. Make sure you're not giving them administrative level privileges. Don't make them a domain admin. I see that way too often. Don't give vendors domain admin, and make sure they have as few privileges as they can to do what they need to do. Know what's in your environment. You do this through asset inventories; there are plenty of pieces of software that can help with this.

Make sure you're validating things as well, because things do change over time. Do physical walkthroughs, look at what's in your environment. And there's a couple of reasons for this. One, if there is some kind of supply chain attack, say this, this certain vendor is attacked or a certain software is attacked, you know, instantly what you have and where it is.

You can respond to it very quickly, very efficiently. If you're like, oh, this vendor got attacked. I know we have a contract with them. We have them somewhere in our environment. But I have no clue where. Your life is going to be hell for a little bit, because you're going to have to figure out where all that is.

After you already know you've already been breached. So just being prepared there is going to help a lot. Then second, I'm going to talk. I'm going to say a lot of bad things about vendors. Not all vendors are bad, but vendors are one of the most common ways that the environments get compromised. So I'll give you a story.

We were doing a physical walkthrough of a critical infrastructure client, and we go into their server room and we see a little device on one of the server racks with a couple of antennas coming out of it. And we're like, that's weird. And they're like, I don't know what that is. And we follow it back. It's connected to a server that's kind of hidden between a couple of racks.

Like, we don't know what this is either. That server was plugged directly into their firewall. They're panicking. They're like, we have no idea what this is. What happened here? Eventually we figured out that it was a vendor. That was kind of a remote site, a little bit out of town.

A vendor had come in. They were tired of coming on site. So they threw these devices in there, hooked it up, kind of tried to hide it a little bit. And the customer is like, oh, that vendor hasn't been out here in two years. And now, you know, that has been just sitting there exposing them to unnecessary risk for two years.

And I don't think there was anything malicious. It seemed to just be laziness. But that was an unknown attack surface that the customer had no idea about. And they were exposed to that risk without knowing at all. So doing those asset inventories, those physical walkthroughs, sometimes you can catch things like that. And then defense in depth. Spoiler alert, I'm going to say defense in depth for every single one of these because it's that important.

All right. Physical compromise. So as an attacker, and as an authorized attacker that has no chance of going to prison if I get caught, physical compromise is by far the most fun. One, it's just, I mean, you get to a place that you're not supposed to get to. It's exciting. It's a thrill. You feel like you're in a movie.

And two, it's often really easy. Way easier than you'd expect. And very eye opening to the customer, too. They have all these digital defenses, and then you walk in and get access in 30 seconds, and they're like, well, we just spent millions of dollars trying to defend this, and you just, you know, walk ten steps and get in. And in OT, because of that physical environment, you have a lot of risk here.

Right. So you've got remote sites. Lots of times those remote sites are not manned. I'm telling you right now, if I had a gun to my head and they said, you have to get into this environment right now as fast as you can, the first thing I'm going to do is go find a remote site that's unmanned and get in that way, and we'll talk about an example in a second.

Attackers will look for exposed network ports, try to get their device in on the machine, or try to get access to some device that they can get to. Access controls, RFID card readers, we attack those all the time. Same with just, like, default, cheap locks. They're usually easy to pick, easy to get past.

I'm not an expert at that. I'm not an expert lock picker by any means. But just being an amateur, I can get past a lot of the default locks pretty easily. Physical defenses. Sometimes you have a physical defense in there and you think, oh, I'm safe. And it's really easy to bypass. And then USB drops.

Everyone knows not to plug USBs in, right? If you put 1 billion in Bitcoin on a USB, someone's going to plug it in, just in case. You never know. But everyone knows they shouldn't be doing that. But attackers have gotten creative. It's more than just USB sticks now. I recently heard about a story where attackers were sending USB cables to a victim and saying, hey, these are free samples.

Go ahead and use them. And those were backdoored. I've seen it with, like, vape pens, the ones that you plug into your USB port to charge. I've seen someone weaponize those. They can weaponize pretty much anything now that can plug into a USB port. And I have some. You're probably thinking, we block USBs.

We don't allow them. There's ways around that. We'll talk about one in just a second. But just don't forget that it's more than just the USB sticks themselves. Anything that can be plugged into a USB port could be weaponized.

All right. So here's an example. So I was doing a physical security walkthrough with another customer. And he took us out to one of the remote sites. It was a water utility, took us out to a water tower, and he said, okay, it's not manned. We can't man it. But we have pretty good defenses here. So we've got a fence around the whole thing.

We have a gate that lets vehicles in. It has three locks on it. That's because we have three different organizations that have to get access to this environment sometimes. So they each have their own lock and key, kind of separation of privileges. I like the thought process behind that. We've got locks on the water tower at the bottom where you access the ladder to go up, as well as at the top to get access to the water.

I've got a lock on the door. It's always locked. There's a camera looking at it all the time. So this is pretty secure. He sees a bunch of defenses here. So what do we see as attackers? We see a bunch of ways in. Right. So these three locks, again, I like the idea behind that.

But that gives us three chances to pick one of these locks and get in. These were all just default Master locks, padlocks. Those are real easy to pick. Takes about 30 seconds for someone who's not good at it, like me. Same with the locks on the water tower. They're both just default locks you buy at a store.

They don't have the lock picking protections that more expensive locks would have. Really easy to get in. Same with the door lock. Took about 30 seconds to get past. Or if we don't want to be seen on camera, we've got this big gap under the fence that an adult human can slide right under. Maybe we don't want to get dirty.

It wasn't a tall fence. Six, seven feet maybe. No barbed wire, anything at the top. We could have just climbed it, got over easy enough. Or if we're being extra lazy, there's this five foot wall next to it. Climb on that, hop down the other side. We're inside. Both of these locks, I mean, again, they would have taken about 30 seconds to get past.

They weren't even locked. They were just left unlocked. And then there's a back door to this building that was completely unlocked as well. And what do you know? We walk inside, there's a router, connected to a PLC cabinet. We plug our machine, our laptop, into the router. We have access. Not only to everything digital on this site, but we had a connection.

You can see everything in their main environment. So from a defender standpoint, he sees we have all these defenses in place, we're secure. From an attacker standpoint, we see all these gaps, ways we can get in. And we were able to abuse those. It took less than a minute to get access to not just all the digital assets, but the main offices, all the main OT stuff back there, as well as the water itself.

If we wanted to do something malicious there, we could have been in that water tower in just a couple of minutes. I mean, that's often how I talk about the difference between defenders and attackers. I'm not implying at all that defenders are dumb, or that attackers are better in any way. It's just completely different skill sets.

How I like to think about it is, defenders like to look at strengths, and attackers like to look for weaknesses. And it goes the other way too. Like, if I was trying to defend something, if I was trying to do OT operations, I'd probably do a few things right and screw up a lot of things, like I just don't have that training, I don't have that knowledge and experience.

And same with defenders. When you're looking at something, you're thinking, is this secure? You don't think to look for the weaknesses like an attacker would, because the attacker has that training, has that background, has those skills and knowledge, and it's a completely different experience. And that's part of why I'm doing this: I want to communicate some of the attacker mindset to you so that you can apply it to your organizations.

And when you're trying to defend them. So he's seeing all these strengths. We're seeing all these weaknesses. And what do you do here? Because physical security is kind of tough, especially when you're constrained by funding, by budget. There's an easy way to do it and an expensive way to do it. So, upgrade these locks. And a lot of this is like deterrence, too.

It's not just, are they never going to get in? Probably not; any good lock picker is going to get past any lock eventually. But if I'm an attacker and I see a Master lock, I'm like, I can get in that in 30 seconds, I'm probably just going to go for it. If I see an Abloy lock.

Those are pretty hard to pick. A very good lock picker is probably going to take at least 10 or 15 minutes. Does he want to be standing out there for 10 or 15 minutes messing with a lock in view of anyone coming past, and you have cameras? Probably not. He'll probably look for another way in. Same with the fence.

Like, if there's barbed wire on top of the fence, I'm a little less inclined to try to hop over it. I don't want to get all scratched up. The gap under the fence, there's no excuse for that. Just, you know, fix that thing. Same with the unlocked back door. Cameras. Cameras are another good deterrent. Like, if there's one camera, it's real easy for me to avoid it.

If there's multiple cameras from many different angles, do I really want to get caught on camera? Probably not. Lighting as well. Like, if there's a bunch of cameras but there's no lighting, then I'll just go in at night. They won't be able to see much, maybe not see me at all. Not a big deal. If I'm going to have to stand out here for 15 minutes picking a lock in view of a camera with this bright lighting on me, I'm a lot less inclined to attack this location.

And of course, there's way more that you could do. If you do have the funds to do it, you could have all kinds of sensors, all kinds of alarm systems, depending on what your resources are. But just do everything you can and think about: is an attacker going to see this as an obstacle? Is it going to deter them, or is it not really going to bother them at all?

All right. Let's talk about wireless for a second. So I think wireless, everyone knows, is generally frowned on in OT environments. Think about devices; a lot of devices unfortunately will have, you know, Bluetooth, Zigbee, sometimes just straight wireless built in and turned on by default. Make sure when you're deploying that it's getting turned off. You don't want any kind of wireless.

It's just opening up attack surfaces. You often have radio communications from remote sites. Usually that's the best way to do a lot of communication. It can be very secure. It's not necessarily a problem by itself. Make sure you're checking those things, because they can go out of date pretty quickly. Something that's five, ten, 15 years old, it's possible that that protocol has been broken and it's not really that secure anymore.

So just make sure that if something, especially when it's been around for a long time, and we know that happens in OT, make sure that it's still secure. Review it regularly. Then wireless mice and keyboards. Okay, so this is one of my favorite attacks as well. Where did I put that? Now, put in the pocket. Yeah, okay. So you see this little tiny dongle with the star on it.

The same one that's up there. This is just a dumb dongle. And this one's for a mouse, and I can send it keystrokes with a $30 device. I got this for like 3 or 4 bucks off Amazon. And this is the default one. I don't do anything special to this. I have, like, a $30 RF dongle, that antenna, that will attack these and send it keystrokes and say, hey, I'm a keyboard, execute these keystrokes on the machine.

This dumb dongle is going to be like, oh, okay, sure, it'll pass it through to the machine. Even though this is for a mouse, it doesn't make any sense. And it's a lot of the big brands, too. Logitech is probably the worst offender; most Logitech mice that you could get up until a couple of years ago were vulnerable to very, very easy attacks like this.

So as an attacker, there's kind of two ways to compromise these things. One is to compromise one that's already there. If someone's in there using a wireless mouse, I can just send keystrokes to it and it'll execute them, if I'm within like 30 to 50 feet. Obviously I have to have that physical access, or set up some kind of relay within that distance that I can then get to. Or if I can get temporary access to an environment for just a few seconds, I can plug this into a machine.

And I mean, look how thin it is. Like, would you even notice this plugged in anywhere? Unless you're trying to go plug something in there, you're not going to see this for a while. I can plug this in, go 30, 50 feet away, or set up relays, whatever I need to do, and then maintain persistent access to that environment.

It's a great way to get into air gapped and very, very secure networks, because I don't rely on internet, I don't rely on any connections to other machines. I can just go directly to that machine with this. And it's very difficult to detect and prevent, because it looks like a keyboard. It looks like just someone's typing something into that physical computer.

I highly recommend not allowing any wireless devices: wireless keyboards, mice, anything like that. Sometimes people will try to bring them from home just because they're convenient, and, you know, just do what you can. Just be vigilant and try to look out for those and make sure that people aren't using those wireless devices. This also bypasses USB controls.

So if you block USBs, what you're really doing is blocking drives from being connected and moving files over. But you've got to allow HID devices, right? People have to have a mouse, they have to have a keyboard to interact with the computer. So you can't just block those. And that's how this communicates. It just acts like any other mouse and keyboard.

So for USB attacks, this is a great way to do it. I've seen these things get hidden in cables as well, and in regular USB sticks. And attackers will maintain that communication, maintain access to an environment, through these tiny little dongles. They're so dumb. I hate them.
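Added example, not part of the talk transcript: the point above is that a "block USB storage" control only looks at mass-storage interfaces, so a receiver or cable that enumerates as a keyboard gets through. The script below models that policy and then audits the same inventory for HID interfaces, flagging any HID device that is not on an issued-hardware allowlist and any composite device that presents HID alongside another class. The inventory lines, the allowlist and the `1a2b:0001` charging-cable entry are constructed for the example; the column format (bus, device, vid:pid, bInterfaceClass, description) is this example's own, not the output of any particular tool.

```python
"""Audit a USB interface inventory for HID devices a storage-only policy misses."""
from collections import defaultdict
from dataclasses import dataclass

HID_CLASS = 0x03           # bInterfaceClass for keyboards, mice, receivers
MASS_STORAGE_CLASS = 0x08  # bInterfaceClass for drives

# Constructed sample snapshot (not captured from a real host). One line per
# interface, so a composite device appears more than once. Columns:
# bus device vid:pid bInterfaceClass description
SAMPLE_INVENTORY = """
001 002 8087:0024 09 Intel Corp. Integrated Rate Matching Hub
001 003 413c:2113 03 Dell Computer Corp. KB216 Wired Keyboard
001 004 046d:c52b 03 Logitech, Inc. Unifying Receiver
001 005 0781:5583 08 SanDisk Corp. Ultra Fit
001 006 1a2b:0001 03 Generic charging cable (constructed)
001 006 1a2b:0001 08 Generic charging cable (constructed)
"""

# Hypothetical allowlist: the wired keyboard the workstation was issued with.
APPROVED_HID = {(0x413C, 0x2113)}


@dataclass(frozen=True)
class UsbInterface:
    bus: int
    device: int
    vid: int
    pid: int
    iface_class: int
    description: str

    @property
    def id_str(self) -> str:
        return f"{self.vid:04x}:{self.pid:04x}"


def parse_inventory(text: str) -> list[UsbInterface]:
    """Parse the constructed inventory format into UsbInterface records."""
    out = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bus, dev, ids, cls, desc = line.split(None, 4)
        vid, pid = (int(x, 16) for x in ids.split(":"))
        out.append(UsbInterface(int(bus), int(dev), vid, pid, int(cls, 16), desc))
    return out


def storage_only_policy(interfaces: list[UsbInterface]) -> set[str]:
    """Model a 'block USB drives' control: it denies mass-storage interfaces
    only. Returns the vid:pid of every interface that gets through."""
    return {i.id_str for i in interfaces if i.iface_class != MASS_STORAGE_CLASS}


def audit_hid(interfaces: list[UsbInterface], approved_hid: set) -> list[tuple[str, str]]:
    """Flag what the storage policy ignores: HID devices not on the allowlist,
    and devices that present HID together with another class (a cable or
    stick that also types). Returns (vid:pid, reason) tuples."""
    by_device = defaultdict(list)
    for i in interfaces:
        by_device[(i.bus, i.device)].append(i)

    findings = []
    for _, ifaces in sorted(by_device.items()):
        classes = {i.iface_class for i in ifaces}
        if HID_CLASS not in classes:
            continue
        dev = ifaces[0]
        if (dev.vid, dev.pid) not in approved_hid:
            findings.append((dev.id_str, "unapproved HID device"))
        if len(classes) > 1:
            others = ", ".join(f"0x{c:02x}" for c in sorted(classes - {HID_CLASS}))
            findings.append((dev.id_str, f"composite device: HID plus class {others}"))
    return findings


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    print("passes storage-only policy:", sorted(storage_only_policy(inv)))
    for dev_id, reason in audit_hid(inv, APPROVED_HID):
        print(f"FLAG {dev_id}: {reason}")
```

Run on the sample, the receiver and the composite cable both pass the storage-only policy and both come back as findings from the HID audit, while the issued wired keyboard does not. On a real host the inventory would come from the platform's USB enumeration, and the allowlist from asset records.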

All right, so defenses. We've talked about them a little bit, but just at a high level. Again, every organization is going to be different, but at a high level: have good, strong security practices when it comes to visitors or vendors coming on site, anyone coming on site. Have training. Make sure that employees know that if you see something suspicious, it could be someone trying to do something malicious.

Here's how you report it. Here's who you go to. Here's what you do if you see something. Secure and validate your port security and your network access control so no devices can join the network. And the validation is very important, because oftentimes I see they say, oh, we have port security, all unused ports are disabled.

I plug into a port, I get into the network, and they say, oh, well, that was opened like a year ago for some testing, we just forgot to close it. So make sure you're validating those regularly as well. Physical security, we talked about that a little bit. Do as much as you can and think about it from an attacker's perspective.
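Added example, not part of the talk transcript: one way to do the port validation described above is to take the switch's interface status listing and compare it against the list of ports that are supposed to be live. The script below parses a constructed listing in the shape of a Cisco IOS `show interfaces status` table (the port names, descriptions and VLANs are made up for the example) and flags the "forgot to close it" case: a port that is administratively enabled but has nothing connected and no authorization, plus connected ports nobody authorized, authorized ports on the wrong VLAN, and ports sitting in err-disabled. The authorized-port map is this example's own; the status vocabulary it matches is an assumption about the listing format.

```python
"""Validate a switch interface status listing against an authorized-port map."""
import re
from dataclasses import dataclass

# Constructed sample (not from a real switch), shaped like a Cisco IOS
# 'show interfaces status' listing. Port descriptions contain no spaces.
SAMPLE_STATUS = """
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   HMI-01             connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   PLC-rack-A         connected    10         a-full   a-100 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto    auto 10/100/1000BaseTX
Gi1/0/4                      disabled     1            auto    auto 10/100/1000BaseTX
Gi1/0/5   Vendor-temp        connected    20         a-full  a-1000 10/100/1000BaseTX
Gi1/0/6                      err-disabled 10           auto    auto 10/100/1000BaseTX
"""

# Hypothetical authorization map: port -> VLAN it is allowed to be live on.
# Anything not listed here is expected to be administratively disabled.
AUTHORIZED = {"Gi1/0/1": "10", "Gi1/0/2": "10"}

# Assumed status vocabulary; the description column may be empty.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<desc>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)\s+\S+\s+\S+\s+.*$"
)


@dataclass(frozen=True)
class Port:
    port: str
    desc: str
    status: str
    vlan: str


def parse_status(text: str) -> list[Port]:
    """Parse listing lines into Port records; the header line does not match
    the status vocabulary and is skipped."""
    ports = []
    for line in text.strip().splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            ports.append(Port(m["port"], m["desc"].strip(), m["status"], m["vlan"]))
    return ports


def validate_ports(ports: list[Port], authorized: dict[str, str]) -> list[tuple[str, str]]:
    """Return (port, finding) tuples for every port whose state disagrees
    with the authorization map."""
    findings = []
    for p in ports:
        expected_vlan = authorized.get(p.port)
        if p.status == "connected":
            if expected_vlan is None:
                findings.append((p.port, "unauthorized device connected"))
            elif p.vlan != expected_vlan:
                findings.append((p.port, f"on VLAN {p.vlan}, expected VLAN {expected_vlan}"))
        elif p.status == "notconnect" and expected_vlan is None:
            # The forgotten test port: enabled, nothing plugged in, nobody owns it.
            findings.append((p.port, "enabled but unused: should be shut down"))
        elif p.status == "err-disabled":
            findings.append((p.port, "err-disabled: port-security violation, investigate"))
        # 'disabled' with no authorization is the expected state for an unused port.

    seen = {p.port for p in ports}
    for port in authorized:
        if port not in seen:
            findings.append((port, "authorized port missing from listing"))
    return findings


if __name__ == "__main__":
    for port, finding in validate_ports(parse_status(SAMPLE_STATUS), AUTHORIZED):
        print(f"{port}: {finding}")
```

The value is in running this on a schedule against the real listing and the real asset map, so a port opened "for some testing" shows up the next day rather than a year later when an assessor plugs into it.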

Try and think: are there any weaknesses here? How would they attack this? How would they get in? Are we deterring them enough? Access controls, same with the radio communications, RFID cards. Those access control protocols will go out of date in 5 or 10 years. So if you have something that's ten plus years old, chances are that protocol has been broken.

And it's not keeping you as secure as you think it is. Of course, defense in depth, and then physical security assessments, doing those types of walkthroughs like I've talked about. Those can be valuable because you see things that you don't realize are there. All right. So let's take a sidebar real quick and talk about security assessments. Obviously I do security assessments for a living.

We try to provide a lot of value and make sure that it's actually driving improvement. There are a lot of good companies out there that do these assessments. There are a lot of rip-offs that do these assessments as well, and a lot in between. But I can't stand up here and say that you have to hire an external team like mine to do these assessments.

You can do these kinds of things internally, especially if you're going after something specific. If you want to hire an external team, you say, okay, just get into our environment, make it a very broad scope, you know, within reason, and they can find ways in. If you're trying to test, like, your RFID controls, and you have someone on your team that is an expert in RFID and has some experience with attacking it,

let him go for it. Let him go try and break through that protocol. Or maybe they have some interest in it. Give them a little bit of training, a little bit of knowledge, let them go after it. You can target specific things that you're concerned about in your environment and try and do it internally.

Save some money. That's valid. Remember, these are a tool. They're not a weapon. You shouldn't be using these to punish people. They shouldn't be witch hunts. If employees are worried about getting punished, they're going to hide things, they're not going to cooperate, and you're not going to have the improvement that you're looking for.

If you do find people making mistakes, it's a great opportunity for training. And then you hold them responsible for that. But make sure that these are not used as a weapon, as a punishment. Make sure you're remediating things, fixing things, when they're found. I can't tell you how many times I've gone into a place, done an assessment, said, hey, you've got all these critical problems, and then I go

in a year later and they've fixed 1 or 2 of them. Like, what's the point of doing this if you're not going to fix these issues? So just make sure you're fixing things and validating that they're fixed. And oftentimes I recommend doing these cooperatively, the attackers and defenders working together and saying, okay, how can we actually improve security? One, that's going to give you a much better insight into the actual defensive operation of that specific organization. It's going to help you work together better.

And it's also going to be a lot more cost-effective. I mean, I could spend hours attacking a firewall, trying to find holes in it, or I can sit down for ten minutes with your engineer and go over the firewall rules and get the same result. There are times for unannounced assessments, usually when you're a lot more mature, but a lot of times you can get a lot of value out of these cooperative assessments. Insider threats.

This is one that we don't really like to think about, because none of us wants to be paranoid and think, oh, my coworkers are out to get me, they're foreign spies, they're trying to do harm to us. We don't want to think that way. Right? I mean, it could be anyone. It could be someone from the OT side,

the IT side. It could be executives, could be a janitor. It could be vendors coming in. It could be anyone that has access to the environment or has any kind of insider knowledge. It may also be unintentional. It may not be voluntary. It could be that they're being tricked into doing something. It could be that they're being blackmailed or threatened, and that's what's making them do it.

And it's not a happy thought by any means, but I like to think about it that way, and it helps me hold in my mind the idea of an insider threat. If I think, oh, you know, my coworker Joe, he's not a bad guy, but maybe he's being tricked into doing something bad, or maybe he's being forced into doing something bad.

Again, not a happy thought, but for me, it helps me keep in my mind that this is a possibility. Anyone could be an insider threat, voluntarily or involuntarily. And what can you do here? Again, they can come in at any point. They can start with any kind of privileges. You don't know where it's going to happen, but if you know that it's a possibility, I think that's step one.

And then of course, defense in depth. Wherever they come in, you should have some kind of monitoring, some kind of defenses, some kind of plans. If something goes wrong, be able to respond to it. And then training, same as physical security: train people to look out for suspicious things and have a process for them to report it if they think something bad might be happening.

All right, one more sidebar, about training. I think this is the last one. No one likes training. I'm a security person, and I hate mandatory security training. Everybody hates it. It's always the worst. But that awareness that it brings is infinitely more valuable than ignorance. If someone goes away from your phishing training saying, I hated that phishing training, you know, at least they know what phishing is now.

They know what the word means. That's something. So just try to make it simple. Try to make it as unpainful as possible. Make it consistent, regular. Doing it repeatedly keeps it in people's minds. And I find it's most impactful if you say the why behind it. It's easy to say, don't click on phishing emails.

But when you say, don't click on phishing emails because, and even just one sentence, like, because the attacker could compromise your machine, steal your information, and attack your coworkers and your company. It's not super complicated. I don't need all the details, but understanding the why is going to make it a little more impactful.

Help them internalize it a little better. All right. Last but not least, nation-state sophistication and zero-days. Sometimes life is just not fair. You could do everything right and a nation-state level actor gets in with a zero-day and pops you. Even though you've done everything you could have done, you don't know what's out there.

You don't know about it if there are no patches yet, if there's no awareness of it. Sometimes they just get in. And these nation states, they have a lot of resources. They can do a lot of things that are just not public knowledge. They're also very good at avoiding detection. They're good at using different kinds of communications, like the wireless mice. They can get access to air-gapped networks, very secure networks.

They can maintain that access. They'll put together a bunch of small vulnerabilities and turn it into a big attack chain that has a major impact. They're very, very advanced and very good at what they do. They're also good at manipulating humans, getting insider threats, either willingly or unwillingly, to do things, and manipulating the human element of it as well.

And sometimes, even if you have perfect security defenses on the digital side, you can't protect against some of those attacks. So what can be done about this? I would recommend trying not to lose sleep over nation states and zero-days, because you don't know what you don't know, so what's the point in stressing about it?

Focus on the basics first. I do give you permission to lose sleep over the basics. Lose all the sleep you need until those are fixed up. But if you're a nation state and you have a sophisticated zero-day, every time you use it there's a chance that it's going to get burned and you're never going to be able to use it again.

So if they're going into target after target, they're going to look for an easier path in. They're very good at finding the path of least resistance, right? So if you have bad external assets, if you're vulnerable to phishing, maybe there are remote sites everywhere, they have an operating area and can take over from there.

They're going to find the easiest way to get in without having to use those zero-days. So first, focus on the basics. Make sure you're doing all the things that you should be doing. That's going to help protect against them as well. And accept that there are going to be some unknowns. You're never going to be able to stop everything.

You have to have that, yeah, that assumed-breach scenario. And if they do get in, if they get initial access somewhere you had no way to prevent, you've already planned for this. You've done those assume-breach scenarios. You've assumed that someone got in, and what's going to happen from there? You have your defense in depth.

They're not going to be able to just move around and do whatever because you have nothing there. They're still going to have to work hard to actually compromise things and move around and do whatever malicious action they're looking to do. So if you have those assume-breach and defense-in-depth practices, you're still going to be prepared, even though you can't stop them from getting in.

All right. Summary: defense in depth. That's it. Just do it. All right. Just kidding. Better summary: defense in depth, training, security assessment and validation, making sure that you are in the secure state that you think you're in. Add all those together and you have a much more secure posture. You're going to be able to defend yourself a lot better. To an attacker,

attack surface is just everything. There are ways to attack everything. It's attack surface all the way down. As a defender, your job is to determine, for your organization, how are you going to defend it? You're going to have to prioritize. You're going to have to think like an attacker and think, okay, I can't prevent everything, but what can I do right now

that's going to help me the most, based on what I know about my organization, my capabilities, defending networks, as well as this attacker mindset of what they're going to look for and what they're going to attack. Again, assume breach is your friend. Even though it sounds a little scary, if you assume that someone gets in, you'll be prepared

if they actually do get in. And in general, be proactive. I'm a very big proponent of proactive protection, proactive security. You don't want to be good at security because you got popped, someone got in, and you were forced to do it. Just do it ahead of time. They're not going to get in. You're going to have a lot less troubl
