SecDataOpsCast – Cloud Hacking & Security
June 4, 2024
For the second episode of the SecDataOps Cast, Neal and Jon dive into cloud security with diversions into data...lagoons? And tanks.
00:00:14:17 - 00:00:35:47
Neal Bridges
Good morning, good afternoon. Good evening. I did have to look over there, make sure I did not have the microphone on mute today, which I do not. Thank God, that's how you know it's going to be a good stream, is you don't mess up the microphone. How's it going, everybody? Welcome, welcome, welcome to the May 30th, 2024 episode of the Security Data Operations Stream.
00:00:35:52 - 00:00:51:24
Neal Bridges
We made it two weeks and two weeks in a row, a kind of two weeks in a row. We did two streams. We did it two weeks ago. Either way, I'm super happy to be excited, as always, to join you as well as my co-host, Mr. Jonathan Rau. I had to find the button on my stream deck. And how are you doing today, buddy?
00:00:51:28 - 00:00:56:17
Neal Bridges
I'm. I am doing good, man. Good. can I look at things? Go on. How are you, bro?
00:00:56:24 - 00:00:59:01
Jonathan Rau
I'm good, I'm good. It's,
00:00:59:06 - 00:01:10:56
Neal Bridges
I again, like, it's always a good day when you turn on the stream and you remember not to to mute the mic. I do want to keep our intros short today. Oh, actually, they're saying.
00:01:10:58 - 00:01:20:17
Neal Bridges
Oh, look at that. We've overcorrected on your volume, Jon. What? Now? There's. Okay, that's it. That's on me, guys. That's on me. Let's fix that. Let's bring you right down. That okay?
00:01:20:31 - 00:01:22:25
Jonathan Rau
La la la la la la la la la.
00:01:22:25 - 00:01:27:03
Neal Bridges
No no, don't don't do that. Don't don't do don't don't don't do that. Like that's that's a stream no no.
00:01:27:03 - 00:01:33:11
Neal Bridges
We don't sing on stream. Somebody's going to clip that. And it'll be like being all over the internet. And then you're going to be doomed
00:01:33:16 - 00:01:34:26
Jonathan Rau
No, it’s going to be a meme.
00:01:34:38 - 00:01:36:57
Neal Bridges
It is going to be a meme. Yes.
00:01:37:02 - 00:01:38:45
Jonathan Rau
That’s how I feel when someone talks about cloud security.
00:01:38:50 - 00:01:46:12
Neal Bridges
Shh. Not yet. Not yet. Save it. Jon. Save it. I know you got to get it out.
00:01:46:12 - 00:02:10:49
Neal Bridges
You're just dying to go. Let's. Okay. All right. We're going to keep intro short today. We do got a lot to cover. And we kind of did the intro last week. But I do have some housekeeping items I always touch on these. Housekeeping. Honestly, I think it's super important for all of our viewers, to, to, to understand we are streaming live across LinkedIn, Twitter slash X, we got tons of viewers on Twitter slash, let us see everybody hanging out over on Twitter.
00:02:10:54 - 00:02:28:03
Neal Bridges
You can add us over on Twitter and we will get your questions over on Twitter if you over there. Twitch, YouTube, LinkedIn. We tried to do Instagram, but we had some video issues on Instagram. So we'll continue to work on that. For everybody who is listening across all the platforms, thank you so very much for tuning in across all the platforms.
00:02:28:03 - 00:02:46:57
Neal Bridges
We really do truly appreciate it. We do have moderators in chat on all the platforms, and moderators are here to keep chat free of racist, sexist, misogynistic, just general toxic behavior. The only toxicity that hopefully you'll see is Jon and I kind of being toxic to each other and probably to the industry as a whole, but that that that's a different story altogether.
00:02:46:57 - 00:03:06:33
Neal Bridges
But moderators are here to keep chat, Jon, this is your favorite saying, a safe space for everybody to share their cybersecurity ideas on. Whatever Jon and I having to talk about freely and openly. They're not here to stifle chat. We're definitely very like, you know, you know, freedom of speech, you know, share the share your, your thoughts and everything openly.
00:03:06:33 - 00:03:25:30
Neal Bridges
We do believe in civil discourse. Do chat with your fellow practitioners across whatever platform you happen to be in. We do truly appreciate it. If you do have a problem with moderation, please reach out to a moderator in Discord, you can kind of see Amoeba’s got like this green little sword next to his name. He is a moderator and you can spam him on Discord.
00:03:25:30 - 00:03:47:53
Neal Bridges
And this is a fantastic opportunity to hit that exclamation point discord to get that second thing, Jon, and I know this is your favorite part. We highly encourage questions throughout the stream. Absolutely. We love questions. Jon may seem scary. I promise you. He's really not. He's a he's a cuddly bear. He's a cuddly bear. Look at him. Everybody everybody drop a bears in chat for Jon.
00:03:47:53 - 00:03:49:07
Neal Bridges
I promise you, he's little cuddly bear.
00:03:49:09 - 00:03:49:55
Jonathan Rau
Oh thank you.
00:03:50:03 - 00:04:08:05
Neal Bridges
Anyway, if you hear Jon or I say something that makes you think of a question, the best time to ask it is right then when you think about it. We don't want you to forget it. I promise you, the moderators are grabbing questions, they’re grabbing comments that you see in chat, and they'll push one on screen, the magic button just kind of like that, and you'll see it pop up on screen.
00:04:08:18 - 00:04:20:53
Neal Bridges
And Jon and I can look at that, be like, oh, somebody is a fan. We love it. We're glad to see it. We'll answer the question. We'll do our absolutely best to answer them. You don't have to wait for a Q&A at the end. As a matter of fact, we prefer you not to wait for the Q&A at the end.
00:04:20:53 - 00:04:24:37
Neal Bridges
That way we can answer your questions in line. We do truly appreciate it.
00:04:24:50 - 00:04:25:48
Jonathan Rau
And leave early.
00:04:25:53 - 00:04:34:55
Neal Bridges
And no leaving. No, no, I got you here. I got you here for an hour. You're mine. You're mine for an hour. You ain't going nowhere.
00:04:35:00 - 00:04:38:45
Jonathan Rau
Hmm. Makes me feel warm and fuzzy .
00:04:38:50 - 00:04:42:53
Neal Bridges
Speaking of moderation, Jon.
00:04:42:58 - 00:04:43:30
Jonathan Rau
What did I do?
00:04:43:35 - 00:04:47:27
Neal Bridges
You and I gotta talk, dude. You and I gotta talk.
00:04:47:32 - 00:04:52:22
Neal Bridges
I think you set a new record last stream two weeks ago.
00:04:52:26 - 00:04:53:44
Jonathan Rau
That was our only stream!
00:04:53:55 - 00:05:03:05
Neal Bridges
Yeah, yeah, yeah, it wasn't for viewer count which I wish, which I wish it was. I think you did. Do you have any. Guess what? You're what the record was that you said for me last week.
00:05:03:07 - 00:05:06:14
Jonathan Rau
Well, first off, only 12 people watched it, so.
00:05:06:19 - 00:05:19:20
Neal Bridges
Yeah, that's not that's not entirely true, Jon. I mean, marketing may have told you that so that you didn't feel like any imposter syndrome showing up on stream, but that that's definitely not how many people were watching.
00:05:19:25 - 00:05:21:10
Jonathan Rau
All five of you.
00:05:21:15 - 00:05:35:19
Neal Bridges
You you you set a, you set a record for the fastest time I've ever had a producer message me and tell me that we've got to take content offline because of something you said.
00:05:35:23 - 00:05:46:45
Jonathan Rau
How much things that they clip out, how? You know, they hit me with that Stalin, bro. They. They erased me. I got information warfare. How many erasers did I go through on that one? 5 or 6?
00:05:46:45 - 00:05:56:42
Neal Bridges
I have no idea. I was not involved in that. I just know that I got the call that was like, can you take the video down now?
00:05:56:47 - 00:05:57:50
Neal Bridges
So for those of you,
00:05:57:50 - 00:06:00:25
Jonathan Rau
Was it because of the …
00:06:00:30 - 00:06:13:49
Neal Bridges
For those of you who reached out to me after the fact, we're like, hey Neal, where's the VOD at? I'll have one of the marketing guys give me the link for the VOD and you can go do it. There had to be some post education, which is why it's important to tune in live.
00:06:13:54 - 00:06:15:44
Neal Bridges
Why it's important to tune in live.
00:06:15:45 - 00:06:18:22
Jonathan Rau
Yeah. Come for the pre gulag content.
00:06:18:22 - 00:06:19:01
Neal Bridges
That's right.
00:06:19:01 - 00:06:19:41
Jonathan Rau
Stay for the memes.
00:06:19:41 - 00:06:32:54
Neal Bridges
That's right. In all seriousness, listen. And Jon and I, Jon and I are very adamant about this. And so I'm putting on my most serious face possible. Jon, put on your mean face. Your serious face. Right. You may see the Query logo in the graphics.
00:06:32:54 - 00:06:45:53
Neal Bridges
Jon and I are super grateful that Query, you know, has agreed to let us take some time out of our very busy days to chat with you all. I want to remind you, and Jon wants to remind you we're very, very adamant about this. Jon and I are lockstep on this. This is not a show to sell you on anything Query.
00:06:45:58 - 00:07:05:38
Neal Bridges
As a matter of fact, you'll rarely hear us talk about Query whatsoever. Jon and I have a shit ton of experience. A crazy amount of experience. We're very vocal. We love to to talk shit to to about the industry that we're in because we we find it very cynical and there's a lot to talk about. We want you all to to benefit from that.
00:07:05:43 - 00:07:17:28
Neal Bridges
And so take this time to ask us questions about any of the topics, anything, whether it's something we're talking about or not. And we'll do our absolute best to answer. Jon, I'm not sure if you want to piggyback on that, since you were the one who got censored two weeks ago.
00:07:17:28 - 00:07:19:36
Jonathan Rau
Yeah, I know I'm always getting censored for stuff.
00:07:19:36 - 00:07:38:16
Jonathan Rau
The impersonation was funny, though. It was kind of a drop of the hat thing, but I don't know if it's between my yapping and well, all I do is yap. So. But yeah, I mean, I'm surprised you even named our employer here. Even though they're forcing us to be here, they're in our walls. Marketing. I know you're watching this.
00:07:38:21 - 00:07:41:47
Jonathan Rau
I'm coming for you. Marketing?
00:07:41:52 - 00:07:44:32
Neal Bridges
They are they are watching. They are watching.
00:07:44:32 - 00:08:03:05
Jonathan Rau
Yeah. Everywhere. And they will be at re:Inforce, so. But no, I mean, it's 100% right. Look, I think too many of these streams, casts, whatever you want to call it, get turned into yapping sessions about selling or maybe like a psyops way of selling psychological operations of, like, oh, wow.
00:08:03:19 - 00:08:10:16
Jonathan Rau
Here's a hard problem. Wouldn't it be great if there is a company that could solve this? I'm sure you love that, Neal, watching vendor casts.
00:08:10:16 - 00:08:18:35
Neal Bridges
Yes, I every day, every…everybody who's a typical cyber insecurity viewer knows that that is my most favoritist thing ever.
00:08:18:40 - 00:08:21:44
Jonathan Rau
Absolutely. Yeah. But not this stream.
00:08:21:49 - 00:08:24:27
Neal Bridges
So anyway, ask your question any time we do have a question in chat.
00:08:24:27 - 00:08:50:10
Neal Bridges
I do see that one. I'll get to that one here in a little bit, since it is about Pentesting. I do want to jump right into Jon because Jon, your post yesterday on LinkedIn kind of talking about today's cast kind of started the the shit posting early if, if, if that is if that is even possible, right? I know you have extensive thoughts about cloud pentesting, especially since you led teams doing that.
00:08:50:10 - 00:08:59:21
Neal Bridges
Can you kind of talk about what your role was in terms of leading some, some pentesting, you know, some cloud centric pentesting teams and kind of what was involved in that?
00:08:59:25 - 00:09:13:33
Jonathan Rau
For sure. I am sure that one of our, one of my former coworkers over there would probably not like that you used the word pentesting. But no, I took over our offensive security team, which I think there's a little bit of a distinction.
00:09:13:38 - 00:09:32:40
Jonathan Rau
And really, it wasn't me. Harple Palmer, wherever you are, bro, even though you're an Oilers fan, love that guy. He kind of led our red team operations and renting targeting ops, really. And kind of one of the reasons that we built our cyber risk craft product over there, and I’ll yap about that probably later because if we start talking about graphs and security,
00:09:32:45 - 00:09:56:17
Jonathan Rau
we'll be here forever. But yeah, I don't know. I don't feel that cloud pentesting cloud security as a whole, all that stuff that isn't a role that say it, well, first off, it's a whole damn department. But really, it's more of a mode of operating. I don't think that the cloud outside of, you know, specific SaaS or specific service implementation is really any different than any other environment.
00:09:56:17 - 00:10:08:59
Jonathan Rau
I mean, you got virtualization, you got servers. Yeah, they’re sitting in some guard dog protected place in Herndon, Virginia somewhere. You can go look on Liveleak to go see or not. Liveleak, err, Wikileaks. Liveleak is for…
00:10:09:08 - 00:10:12:19
Neal Bridges
I was gonna say let's let's let's not send people to Liveleak, please.
00:10:12:24 - 00:10:17:15
Jonathan Rau
Let's not go there even though you go to Telegram now for that sort of stuff.
00:10:17:15 - 00:10:41:18
Jonathan Rau
But. Yeah. No, I mean, I, I know how you feel about this too, but to me, it's like any ex-pentesting or ex-security engineering or ex-security architecture, I, I think it's important for like distinction for flavor. If it's like a specific role you're hiring for like, yeah, I'm probably not going to go and hire the IoT security guy to run my frickin Azure security engineering shop.
00:10:41:23 - 00:11:07:21
Jonathan Rau
But at the same token, if I have somebody who is good at penetration testing or is any tier of SOC analyst, I would feel totally comfortable hiring them for a cloud pentesting role. But, yeah, I led a red team for a little bit. It was fun. We broke some stuff. We found stuff outbound that was broken. In fact, we found more like outbound partner stuff that was broken than internal, which I guess is a good metric to have, but ideally wouldn't be broken.
00:11:07:21 - 00:11:11:16
Jonathan Rau
And especially not a law firm that like, I don't know, what's your take on it?
00:11:11:21 - 00:11:20:42
Neal Bridges
I mean, I mean, here's here's the thing. I think, I think you hit the nail on something I feel very strongly about too. And I think that that's that's what I want to kind of kind of dive into here in a second.
00:11:20:42 - 00:11:35:31
Neal Bridges
But I want to ask you first, because audiences love stories. Everybody who listens to us love stories. So I have to ask you, tell me a crazy cloud story. What's the craziest thing you found? doing a pentest.
00:11:35:36 - 00:11:47:08
Jonathan Rau
You know, this one isn't isn't too crazy. So at the beginning, right. When I took over the directorship at IHS Markit, which was a, I know it was a big company.
00:11:47:08 - 00:12:10:44
Jonathan Rau
It was made of IHS and Nitrio and Markit. Jane's Defense, and technically Carfax as well, right? It was huge. I got hired, like, right when, like, the pandemic lockdown started. So I showed up to 33 Water Street or wherever we are in downtown Manhattan by Chelsea Piers. They like, pretty much slid my computer across the desk and be like, get out of here.
00:12:10:49 - 00:12:27:35
Jonathan Rau
Drove my happy ass back across the bridge in New Jersey, where I was living at the time and night, and 48 hours later, they're like, hey, new cloud security guy. You're the cloud guy's a security guy, right? I'm like, oh yeah, that's me. They're like, we have a contractor that like, took over the super important fraud account. What do we do?
00:12:27:39 - 00:12:47:51
Jonathan Rau
I know you got to be shitting me, like I just started here, but, man, like, everything that I've seen, like, just totally wacky on the cloud has. I don't want to say it's because it's like user error. It's not following best practices or it's completely, you know, novel, or at least it's novel at a time or everything's a novel.
00:12:47:51 - 00:13:10:15
Jonathan Rau
Everything's a zero day until it is, and everybody copies it over. But yeah, this was one of a disgruntled employee, you know, the, happenstance, like the economic, kind of aftershocks. And the pandemic necessitated a lot of layoffs, and they laid off, from what I understand, like an entire SRE Cyber Reliability Engineering, platform engineering type team.
00:13:10:20 - 00:13:28:32
Jonathan Rau
One of them had, keys to the kingdom, right? This was there's still, like, you know, per root user, MFA. I think AWS is either going to change that or they have changed it already, where you can have kind of one key to rule them all, which is also dangerous. But it was a YubiKey hardware, which is great.
00:13:28:32 - 00:13:46:02
Jonathan Rau
That's the best practice until the person who has the freaking thing is big mad at you. And, they took over the accounts and it's like, you know what telemetry do we have? Do we have a SIEM? Do we have CloudTrail logs going out? So we could see what he’s doing? Do we have any GuardDuty events. GuardDuty should be spitting out alerting and it's like, oh, maybe.
00:13:46:02 - 00:14:03:14
Jonathan Rau
I think we have some of it in this data log lagoon. I think they called it in Azure blob. And then we have to decompress it and download it. And I'm like, why are you putting AWS in Azure? You know, like I don't I don't I'm not trying to like talk too much smack about like the, the architecture and central IT team back there.
00:14:03:19 - 00:14:23:01
Jonathan Rau
You know, love all the folks that I worked with. I'm sure they did not love me saying no and yapping about a bunch of stuff. But yeah, that was the craziest thing I've seen just because of the circumstance of it. As far as like, boom, second day and here is like a, I don't know, kind of a boneheaded worded thing that you always hear about, about protecting the creds
00:14:23:01 - 00:14:37:36
Jonathan Rau
And then somebody took it over and, luckily they didn't really know what they were doing. And also they told somebody about it, like they got fired and, like, texted their buddy who was still there and like, oh, I'm going to go and destroy their cloud environment and try to take a bunch of actions we saw in the cloud trail.
00:14:37:36 - 00:14:59:26
Jonathan Rau
But SCP service control policies and other resource based policies in the AWS cloud specifically will block the root user, so the best thing to do is kind of have a canned deny-all or only allow like a weird action, like allow a list account or allow, I don't know, Sumerian in the last somebody to create a Sumerian scene, which is a VR application service.
00:14:59:33 - 00:15:17:54
Jonathan Rau
Weird one. Just deploy that to lock them out of it, but ideally you have some sort of, like, just in time provisioned SSO, but you're the real IR guy here, not me. And you're also the real CISO. I'm not the CISO anymore. What’s the craziest thing you've seen on the cloud? It could be public cloud or SaaS.
00:15:17:59 - 00:15:36:57
Neal Bridges
I, honest, to be quite honest with you. Like, I think you hit the nail on the head like it's really around APIs and and external access and I you touched on it a little bit. I want to put some finer points on it, right? And it's back to the basics. I've got an article that I want to talk about with you because I think it kind of hits on some of this, right?
00:15:36:57 - 00:15:58:37
Neal Bridges
Is, it was almost like people forgot how to do cyber security 101 when they stood up an instance in AWS or Azure, GCP or whatever the case is. Right? Like, oh, hey, cool, we've got this fancy new AWS instance. Let's give you a password, password 123. And it was like but but, but but on the corporate network you don't do that.
00:15:58:37 - 00:16:16:40
Neal Bridges
So why would you think it's a good idea to do it in the cloud. And, and so I think that a lot of my early cloud IR stuff and a lot of my early, you know, early work that I did, you know, building red teams and stuff like that for, for cloud. Were really focused on. Cool. Let's kind of see some of these default configurations that people were leaving open.
00:16:16:52 - 00:16:32:22
Neal Bridges
Dude, I, I'm sure you've seen this one before. Like when what was the the service that, that AWS bought. Not LightSpin? Not LightSpin. No, no, no, it was, where you could, like, click a button, like, almost free
00:16:32:27 - 00:16:33:14
Jonathan Rau
You mean LightSail?
00:16:33:16 - 00:16:39:05
Neal Bridges
LightSail. Thank you. LightSail, where you could click a button and stand up like a WordPress instance and guess what?
00:16:39:10 - 00:16:43:58
Neal Bridges
All the frickin default WordPress stuff was on there by default.
00:16:44:03 - 00:17:17:59
Jonathan Rau
It still is. I think there's, like, whole research wings, dedicated to stuff like that, where the, like, they pull down public AMIs to find sensitive details like pull down public GitHubs to find AWS creds. But yeah, I mean, you're totally right. It's all about just I won't say it's all about, but I think from my experience both working at AWS, like as a TAM having to help, like, what they called zipline teams at the time, which is like a pro serv special missions unit, if you would, for like cloud IR are working with the IR teams from either customers
00:17:18:04 - 00:17:42:15
Jonathan Rau
directly hired under enterprise support or ones that were in my cluster or kind of external, right, because I had kind of a rotation based, sort of like, hey, if you need help. But anyway, all all the bullshit, you know, jobs that I've done, right, it's always, you know, kind of weak password shared password, shared creds, sharing IAM access keys, putting them somewhere they shouldn't be leaving.
00:17:42:15 - 00:17:58:41
Jonathan Rau
You know, kind of like flat assume roles and then publishing your account ID publishing, like, all the parts of a secret or something dangerous. And then. Yeah, insecure defaults on a network, right? Which goes back to my earlier thing. And you know that one. I know that you believe in strongly that, hey, you know, cloud security is just regular security.
00:17:58:41 - 00:18:19:36
Jonathan Rau
And I'm sure somebody will correct me, like it’s all just cybersecurity, or security. I don't know I it pays the bills, it pays the bills, it pays the bills, it gives me money. And to quote my favorite, MMA fighter, Money Moicano, Money Moicano needs money. And so do I. I guess my tastes are more expensive than his.
00:18:19:48 - 00:18:20:28
Neal Bridges
I was going to say.
00:18:20:28 - 00:18:33:54
Neal Bridges
I mean like like I don't think audience. I don't think chat understands like when Jon talks about his taste being more expensive. Jon wants a tank. Like you saw my you saw my EoD post on LinkedIn. I'm not joking. Jon wants a tank.
00:18:33:59 - 00:18:40:58
Jonathan Rau
Yes, I do want a tank. I, I don't want to turn this into like, a whole, I don't know, ITAR sort of thing.
00:18:41:03 - 00:19:02:31
Jonathan Rau
But, as a U.S. taxpayer, my money goes to making machinery of death. And if I wanted to like, I don't know, use one, like hey government, since I paid for you to build this thing, can I, like, buy it back from you and get triple taxed essentially, because I would also have to get an NFA tax for the gun barrel, because it's a destructive device.
00:19:02:36 - 00:19:20:53
Jonathan Rau
I can't do that. But I could import a whole T-72 with the freaking 45 KVP that they have to plasma cut them off to reactivate it. But anyway, I could get that, for not a lot of money, but, I mean, it's a decent amount of money. It's a little bit harder now, given that there's something going on in Europe.
00:19:20:53 - 00:19:25:29
Jonathan Rau
I don't know what it is, but it's causing the tanks to disappear.
00:19:25:34 - 00:19:38:35
Neal Bridges
So, chat, if you're listening, if you're listening and you need tank advice, hit that exclamation point guest in chat and get Jon's LinkedIn and reach out to Jon for how to get a tank.
00:19:38:39 - 00:19:45:20
Jonathan Rau
Yeah. On the real, I forget what the forum is called, I think it's Steel Soldiers, you know, remember back when people used to use
00:19:45:20 - 00:20:09:00
Jonathan Rau
internet forums. Before Twitter and all that stuff. Yeah. There is a process that you have to work with, Department of Agriculture, ATF or BATFE or whatever they want to call themselves nowadays, as well as a, I think, Department of Treasury for ITAR, but there's a bunch of forms when it comes to, like bringing in foreign war material, into the country.
00:20:09:05 - 00:20:22:47
Jonathan Rau
It's really the freight that's expensive because, you know, tank kind of heavy, ocean kind of big. Uh-oh. And people have a really bad habit of crashing tankers and the things they shouldn't like bridges and canals. It's weird. I wonder why that happens.
00:20:23:01 - 00:20:27:23
Neal Bridges
Okay. All right. Pivoting back over pentesting pivoting back to
00:20:27:23 - 00:20:29:44
Jonathan Rau
Marketing is like, ahh, stop him!
00:20:29:49 - 00:20:50:01
Neal Bridges
Hey, mods make a note that we need to spend some time doing a mute button for Jon, or at least like a stream delay or something, but but yeah, like I do. Listen, I, I want to let me, let me hit on the article because I think that the article is important for context to what Jon and I are saying, right?
00:20:50:01 - 00:21:08:57
Neal Bridges
There's a recent report, Jon, I don't know if you I'm sure you have. You pay attention to news just as well as I do. Right. Dropbox, got popped. I mean, as if that's news, like, there's like, 50 of those that happen in a day, right? But there was a vulnerability that was exposed in their e-signature platform this month where hackers were able to obtain usernames, email addresses.
00:21:08:57 - 00:21:47:16
Neal Bridges
They claim to have obtained hashed passwords, authentication credentials, but some of the key ones were API keys, OAuth tokens, MFA tokens, but allegedly it came from compromising a service account in the back end infrastructure of Dropbox. Specifically, what Jon and I are just talking about some service accounts, right? And so I have to I have to put a really, really fine point on this, Jon, when we see people in our industry say you have to be a cloud pentester, would somebody who had a cloud pentesting background next to their name been able to have identified this versus a regular normal penetration tester?
00:21:47:21 - 00:22:09:03
Jonathan Rau
I hope so. With the people with the fancy titles. You know how it be sometimes. But, no, I mean, a regular pentesting firm. You know, I don't care who you engage with or if it's just somebody, like, on a 1099 that you're getting, or if you have an internal pentesting team, if your organization is that big, that actually necessitates you have one.
00:22:09:03 - 00:22:25:20
Jonathan Rau
Maybe you're building threat models, or maybe you just need to check a box, to cash the check that your mouth is writing when it comes to, like, controls, like, oh yeah, we totally actively pentest everything on the SOC 2 report, right? So yeah, I mean, they would have been able to figure that out, right? It's all about secure defaults.
00:22:25:25 - 00:22:45:25
Jonathan Rau
And I keep saying it's all about, but secure defaults is really the name of the game. I mean that's if you boil down really any best practice, any cloud well-architected framework, any cloud service. security architecture reference guide, you know, SARG I guess or SARGE whatever you want to call it. A WAF, not a real WAF even though you should probably use a WAF, right?
00:22:45:29 - 00:23:15:07
Jonathan Rau
It's going to talk like those are the first things we're going to talk about. Like, you know, IAM, identity, entitlement, access management, need to know, minimum necessary. Don't use password password, don't use default passwords. In fact, you shouldn't use any password based off use modern, you know, kind of like FIDO2, OAuth things. Hardware tokens are great until the person who controls the hardware, you know, gets merc’d and they're like, give me your frickin YubiKeys, stab them in the face, which I, I, I
00:23:15:08 - 00:23:21:04
Neal Bridges
Have you had somebody have you had somebody on the streets of San Francisco mug you and ask you for your YubiKeys?
00:23:21:09 - 00:23:26:33
Jonathan Rau
Um, no, but I had to poop. Just not during RSA. It's weird. Where do they
00:23:26:33 - 00:23:28:53
Neal Bridges
Mute, mute, mute, mute
00:23:28:57 - 00:23:41:06
Jonathan Rau
Oh, no, I did it again. Marketing, if you keep forcing me on here, I'm going to force to say more crazy things, but no, that actually did happen. I had a job. I don't want to say which one it is.
00:23:41:10 - 00:24:04:20
Jonathan Rau
But one of the roles that I had taken after I gotten there, I came on board with a bunch of other folks to kind of build out the security program version two, because in the past, they had a lot of lacking controls, right? This is Office Day. So, you know, the VPNs could be shared passwords, it was shared usernames sometimes authenticate to it, the different ways to get into the buildings.
00:24:04:20 - 00:24:25:09
Jonathan Rau
It wasn't like a card or fob-based pass in. And then even if there were at certain locations, you could just turnstile and get into the building and get in the elevator and access different rooms. But, somebody had taken some stuff they shouldn't have taken, particularly I don't know if they're going to try to sell it or whatnot or if somebody told them to do it.
00:24:25:14 - 00:24:46:59
Jonathan Rau
There was actually a whole, you know, state and federal level investigation. And really the comeuppance was like, hey, go implement, you know, hundreds of these frickin tools and, and whatnot. But yes, I, I hadn't seen or nobody's come up to me, but there have been opportunity for not opportunities. There have been occasions that I personally know of where somebody was targeted because of that.
00:24:46:59 - 00:25:09:19
Jonathan Rau
And, I mean, it happens every day because what is really cyber security than just a subset, superset, I don't know the grammar behind it of regular old security. And that comes down to, you know, operational security, right, or personal security that you should be doing every day, right? Use strong passwords, you know, change up your usernames, don't use your real phone number, use a freaking burner or pick up another cell line and register it to your grandma that lives in Idaho.
00:25:10:58 - 00:25:19:06
Neal Bridges
Okay, okay okay okay, good. Okay. We're not we're not escaping from from, terrorists overseas. Like. Like we don't have to worry about all that.
00:25:19:11 - 00:25:25:43
Jonathan Rau
Hey, you know, you never know. Like, people follow you to ATMs now, like, drive thru ATMs are some of the sketchiest things you could do.
00:25:25:44 - 00:25:27:16
Neal Bridges
They actually really are. yeah.
00:25:27:29 - 00:25:46:56
Jonathan Rau
Maybe follow just to secure defaults. And, and I think those are the most important ones, right? This is coming from somebody who wrote a cloud security posture management tool that spits out, you know, hundreds of freaking checks. But most of the checks are like situational. The the more important ones, there's like maybe five that are like really important.
00:25:47:05 - 00:26:02:34
Neal Bridges
What are what are those five that are like really important like, chat, this is one of those times where like in between all the B.S. that Jon and I do like, this is Jon's going to drop five important checks that I think are are important for all you cloud, whether you're a pentester or practitioner, a blue team, or like this is something definitely pay attention to this one.
00:26:02:34 - 00:26:04:10
Neal Bridges
So what are those five Jon.
00:26:04:15 - 00:26:17:44
Jonathan Rau
Yeah. And I'm going to ask you the same question. After I'm done. They'll probably overlap. But really I mean, depending on if you're looking at it from a pentesting, obviously this is stuff that you want to look for that they don't do. But the more important thing, right, is just it's all around identity.
00:26:17:44 - 00:26:43:58
Jonathan Rau
I feel like it's, you know, have a…use MFA, right? Use MFA or some strong authentication. I don't care what it is, but use it especially on the administrators. And ideally you're kind of forced funneled in through an IDP. AWS SSO was so back in the day and the other SSO platforms for like federation for using like service initiate or service provider initiated or identity provider initiated SSO.
00:26:43:58 - 00:27:09:12
Jonathan Rau
But now between Okta OAuth, AWS Identity Center, Entra ID, Azure AD, whatever you want to call it. And you know, the built in directory services or use AWS SSO, but Google has one even though Google really wants you to use workspace, and I mean, hell, you could even service initiate SSO through Salesforce, you could use Salesforce as your freakin…
00:27:09:12 - 00:27:13:13
Neal Bridges
Oh my God. Isn't that wild that you could do that with Salesforce, God.
00:27:13:13 - 00:27:21:52
Jonathan Rau
Do that with Salesforce man. You know what else you could do in Salesforce? You could do a lot of things with Salesforce. It's odd, but yeah, so those are that's two in one right?
00:27:21:54 - 00:27:22:07
Neal Bridges
Yeah.
00:27:22:07 - 00:27:36:01
Jonathan Rau
Use MFA or other strong authentication I don't care. I believe the OMB or maybe CISA who should be disbanded, created a kind of strong authentication like, hey, there's MFA, but you should use these MFAs.
00:27:36:01 - 00:27:55:32
Jonathan Rau
Whatever, you know, whoever made that I’ll have to dig it up. But I think, Microsoft in their documentation has, like, a phishing resistant MFA. Here's one of those, right? So not an email, not a password, not something that you could lose control of. Probably not a text message unless you're rotating phones, but even then that could be sketchy.
00:27:55:37 - 00:28:13:40
Jonathan Rau
Use SSO if you can, right? I mean, I have for my own sandbox, right? For like ElectricEye, not back end, but for some of the more public facing assets of ElectricEye, which is the CSPM tool that I write that has, that will generate like the HTML reports and whatnot. I have a Google Workspace business account that I got with some of the domains.
00:28:13:40 - 00:28:28:44
Jonathan Rau
So it's like seven bucks. And you could do that for as many users, set it up to be just in time. So I think that's also important that whatever there's going to be a higher level than your IDP. I think a lot of people get focused on like, oh, I'm going to Bloodhound the shit out of the directory.
00:28:28:44 - 00:28:29:04
Neal Bridges
Yeah.
00:28:29:11 - 00:28:31:15
Jonathan Rau
Something is populating that directory.
00:28:31:15 - 00:28:50:10
Jonathan Rau
Some person, some team. It's probably an ERP tool, right. An enterprise resource planning tool. Some people call it HRIS, human resources information systems, Workday, Bamboo, a spreadsheet somewhere, a log book, right? Somebody is going to be, you know, logging in,
00:28:50:10 - 00:28:54:17
Neal Bridges
And over and over and over test CISO that's doing it all by hand.
00:28:54:22 - 00:28:57:56
Jonathan Rau
Yes. Yes, yes or or CISOs by CPOs or CIO.
00:28:57:56 - 00:29:21:20
Jonathan Rau
How are you doing. So yeah, that would be the third thing is like making sure that it's coming just in time from upstream. Right? So if somebody gets put on a movers, leavers, joiners, the moving teams, or joining the, the joining the organization, they're on a RIF list. they've been notified or not notified. And this goes in a lot in the detections, like, insider risk investigation and interdiction teams as well.
00:29:21:20 - 00:29:30:42
Jonathan Rau
I'm sure you know about that a lot from, you know, health care and running SOCs for investigations like this. And then also on the fed side, fed, and fed friends,
00:29:30:56 - 00:29:35:29
Neal Bridges
I, I have…I have recanted my fed status, thank you very much.
00:29:35:34 - 00:29:40:13
Jonathan Rau
That is very true. but you know, making sure that that that's tied in, right?
00:29:40:13 - 00:30:03:03
Jonathan Rau
And then having controls around people moving and leaving next is like secure defaults, right? So if somebody is and this is really broadly specific but have as small of a, you know, attack surface as they call it as you can, meaning that instead of, you know, you have app servers that I don't know have some app, right?
00:30:03:03 - 00:30:32:06
Jonathan Rau
Like your, I don't know, Bumble or something or Tinder whatever. And instead of having all those Tinder web apps, you know, freaking accessible from the internet, tinder.com should be fronted by a CDN, right? Like that's what we mean by attack surface. And if it's connected to databases, cache, streaming services, data warehouses, ODBC drivers, analytics workloads, ML endpoints that should all be fronted by the minimum amount of network infrastructure that you need to front it.
00:30:32:06 - 00:30:58:50
Jonathan Rau
Essentially. And then if there's connectivity back to the office using a VPN. I particularly like you to release client VPN. but that could apply to other things as well. So, you know, a good network footprint. And then also another top five, which is a bunch of things in one that isn't exactly, you know, easy to do, but, you know, from a software assurance or information assurance, I guess we would call it on the government side.
00:30:58:50 - 00:31:22:00
Jonathan Rau
Right? You know, looking at those AMIs like, don't just pick up some of these freaking WordPress AMI, build it securely yourself, hide that thing behind the network. Don't just have network shares and whatnot that you can log into from the internet. You want to make sure that everything that you could define and software securely, you know, sanitize the freaking endpoints, don't allow somebody just to, you know, change like a slash-2 and then all of a sudden be able to login.
00:31:22:00 - 00:31:27:34
Jonathan Rau
That was the AT&T breach wasn't it. Where somebody figured out that they could just swap swap to the number…
00:31:27:36 - 00:31:27:52
Neal Bridges
Yep.
00:31:27:52 - 00:31:32:36
Jonathan Rau
…on the salt and then look at somebody else's profile. That person got like hard federal time to it just
00:31:32:38 - 00:31:35:45
Neal Bridges
No no it wasn't AT&T was it? It was T-Mobile. That was T-Mobile wasn't it?
00:31:35:45 - 00:31:36:18
Jonathan Rau
Oh, T-Mobile?
00:31:36:18 - 00:31:38:02
Neal Bridges
It was T-Mobile.
00:31:38:07 - 00:31:39:19
Jonathan Rau
I don’t know, it was one of those two.
00:31:39:19 - 00:31:47:34
Neal Bridges
It was one of those two. But yeah, it was like, yeah, I remember that because like, they they tried to responsibly disclose it, but then it ended up backfiring in their face.
00:31:47:39 - 00:32:00:35
Jonathan Rau
Yeah. So yeah, I think those are my five. I know three of those are like more process, big picture governance oriented, but at the very least, use SSO. Use a phish-resistant MFA.
00:32:00:39 - 00:32:18:41
Jonathan Rau
But, what are yours especially I know I didn't I kind of touched on it from a pentesting side. Right? Like if you're a pentester, like the first thing on the engagement, it's like, what are you doing for best practices before you start doing the BloodHound and the Nmap and all the other shit?
00:32:18:45 - 00:32:20:26
Jonathan Rau
So you know what, what’s yours?
00:32:20:41 - 00:32:48:44
Neal Bridges
So, so I love that you focus on identity. Right? And I think identity is, is a very underrated control. you you summed it up well. I'm trying to think if there's something that I could add to the identity conversation, but I definitely, most of the attacks that I've seen that have been successful could almost always come back to a failure of misconfigured identity strategy, right?
00:32:48:56 - 00:33:04:10
Neal Bridges
Whether that's, I can remember one of the first incidents that I worked at Abbott years and years and years ago. And I don't mind saying that because this was like 2016. So it's been, you know, close to ten years since it happened. Wasn't an identity sourced attack. There was a…they were using Ping as a, as an SSO.
00:33:04:10 - 00:33:24:55
Neal Bridges
And I can say that again cause they're not using Ping anymore. but they were using Ping to federate their SSO across a bunch of our applications, and there was a, a cookie that was persistent. That was that was, used to facilitate a good user experience with their federated apps, specifically Exchange, you know, Exchange Online, right, and things like that.
00:33:25:00 - 00:33:46:43
Neal Bridges
And so, you know, identity I think is, is hands down especially in the cloud, the most overlooked attack surface issue that exist out there. So I'm glad you hit on that. I agree with the SSO. I obviously agree with the the MFA. I, I think, I want to hit on one and I want, I want your opinion on this one.
00:33:46:43 - 00:34:13:51
Neal Bridges
So there's kind of two. I'm, I'm going to do two in this one as well. I think APIs, and just general programmatic interfaces, I think are are also huge. I also think shared, shared trust between applications and cloud environments, I think are two overlooked, you know, you know, issues. I think you probably tangentially relate both of those back over to API.
00:34:13:51 - 00:34:36:10
Neal Bridges
Yeah. I mean, not APIs, but identity. and then I think, I think baseline controls, like, I think just just fundamental cyber security hygiene 101. I think gets you every single time. Right. You know, patching your vulnerabilities, you know, monitoring your inbound and outbound traffic, having a WAF or a firewall in place for, again, you know, I like the limited attack surface comment.
00:34:36:10 - 00:35:15:09
Neal Bridges
I think when people hear that, they're like, oh, God, you know, I gotta do you, the attack surface again. But yeah, if you can like, reduce the amount of, of external machines that you've got facing the internet, that will always make an attacker's job a lot easier. But, let's let me dive into the shared trust conversation because you and I bantered around a threat model, I think was earlier this week, maybe a little bit into last week, where we talked about if an attacker had, say, you know, two pieces of, of information that existed between, you know, you know, you know, a company that had infrastructure in the cloud and a vendor
00:35:15:13 - 00:35:33:52
Neal Bridges
could an attacker use that shared piece of information to gain access to it. And I think we were both on different sides of it. I think I was on the side kind of, you know, similar to the take that you and I may have had in the military where it was like, hey, you've got two non sensitive pieces of information that if you put together could represent, you know, a risk or a compromise to the enterprise.
00:35:33:57 - 00:35:42:12
Neal Bridges
And I think you took more of kind of like a and the likelihood is so low I don't see the risk. Do you kind of want to like dive into that a little bit.
00:35:42:17 - 00:35:49:29
Jonathan Rau
Yeah for sure. I think, you know, it's not like this is a new thing, right. Like SaaS apps have been around since the public cloud was around.
00:35:49:29 - 00:35:59:07
Jonathan Rau
I think, you know, A Cloud Guru or whatever the educational platform was. I forget if, if Pearson and Pluralsight acquired them,
00:35:59:12 - 00:36:01:34
Neal Bridges
It was Pluralsight, yeah. It was. Yeah.
00:36:01:34 - 00:36:10:51
Jonathan Rau
Yeah, I would tell you that, like what the cloud was created in, like 2006, 2008 with the S3. It wasn't even S3, I think it was SQS or SWF on the AWS side.
00:36:10:56 - 00:36:27:20
Jonathan Rau
And I keep referencing AWS because, well, I used to work there and that's my strong suit. It's my favorite cloud. Unfortunately, for better or worse, not unfortunately, I, I enjoy AWS if you get around the craziness. I liken it to a Golden Corral right?
00:36:27:25 - 00:36:30:35
Neal Bridges
That's a that's not a great analogy, Jon. I don't think…
00:36:30:36 - 00:36:31:30
Jonathan Rau
It's a great analogy!
00:36:31:30 - 00:36:34:21
Neal Bridges
Have you been to a Golden Corral lately?
00:36:34:26 - 00:36:50:05
Jonathan Rau
Yeah, well, not lately, but when you're a broke freaking army, like, you know, E4, right? Going to like, your third freaking duty station. You ain't got no money because you just had to spend it all moving all your, you know, your prized possessions, all your frickin combat shirts, you know.
00:36:50:05 - 00:37:09:29
Jonathan Rau
Golden Corral is awesome. So it's like there's a bunch of different options, where like, Google is very, you know, kind of like developer centric, where it's like, I want to stream pub sub, I want messaging pub sub, I want a broker service pub sub, I want a pub sub service. Cloud functions.
00:37:09:33 - 00:37:47:58
Jonathan Rau
But, anyway, SaaS has existed there. You mentioned Dropbox and then also regular Box ubiquitously named and I believe even Apple iCloud right are all S3 underneath. I'm sure it's a lot different now, but at least back in the day, at least until, you know, probably 2018 as far as I know, were all S3 underneath. So, you know, SaaS implies that shared trust of like, I'm trusting you to use these credentials to access this environment, which is why, you know, you have things like external ID, adding nonces, you know, that's a kind of a cryptography 101 thing, adding nonces for some secure modes of encryption.
00:37:48:02 - 00:38:22:59
Jonathan Rau
Right, and why we don't use things like electronic code books or, you know, these, like Caesar ciphers. But when you take that out of, like, the mathematical, like basic, I mean, encryption is kind of like security. Not it's not easy. It's, basic, but like, you know, it's like the raw security where it starts to go into the math world, but, you know, it's really kind of a, I want to say indemnification, but it's not, you know, there's some entity there, but you should, you know, look into that too, or indemnify yourself for identifying them as forget what it's supposed to be and or legal counsel.
00:38:23:03 - 00:38:28:30
Neal Bridges
Yeah, yeah, I know this is this is this is this is why we have lawyers. Jon don't even try to to dissect it.
00:38:28:35 - 00:38:34:35
Jonathan Rau
Yeah. You know, but, I can't be a lawyer because they, they force you to eat a puppy before you graduate.
00:38:34:35 - 00:38:40:26
Neal Bridges
Ohhh, and there goes the marketing guys looking for another story to…
00:38:40:26 - 00:38:46:06
Jonathan Rau
I’ll strike that one. You know, we were trying to close business…
00:38:46:11 - 00:38:54:15
Neal Bridges
No, I think it was more the puppy comment that it was anything else I don't I'll tell you I got I got a story that I could tell you off stream that'll, that'll make you laugh about that.
00:38:54:15 - 00:38:59:01
Jonathan Rau
Yeah I have one related too.
00:38:59:01 - 00:39:02:27
Neal Bridges
But shared trust, I think the point that you're trying to make though, right, is that shared trust has existed forever.
00:39:02:27 - 00:39:09:56
Neal Bridges
And I don't think the people are thinking about that shared trust when they're thinking about either how to how to attack clouds or even how to defend against them.
00:39:10:00 - 00:39:22:42
Jonathan Rau
Yeah. I think it's, you know, from like a pentesting red teaming perspective. It's like, hey, that's an avenue in. Right? So it's like, let's say your infrastructure is all good to go, but, you know, I could pop a Salesforce cred or a come in from the reverse.
00:39:22:47 - 00:39:43:32
Jonathan Rau
Your dev has a script that they wrote to support the business, to pull a specific table out of ServiceNow or Salesforce or to some other main SaaS and maybe inside of those platforms, there's other bits of information you could piece together to get back to even a higher level platform. Maybe this is coming from a data warehouse and you have a bunch of customer data right there.
00:39:43:34 - 00:40:02:15
Jonathan Rau
There's a lot of implicit connectivity, and that brings you back or brings us rather back to your API comment. And that's right. I would include that in like the reduction of attack surface, but APIs can get a bit sketch especially, you know, again an AWS example. But it could be anywhere where not only is the application programming interface, you know where you're able to.
00:40:02:20 - 00:40:22:48
Jonathan Rau
that's how applications communicate to each other, whether it's a RESTful or I guess, a service service orientated, you know, SOA, or if it's using GraphQL, you know, you're submitting information back that app could understand and then it's in turn talking to other things and those other things that it's talking to, there has to be some sort of shared trust there.
00:40:22:57 - 00:40:54:15
Jonathan Rau
Maybe it has access to your vault environment, to Azure Keystore, to Google, you know, to Google Secret Manager, Google Artifact Registry, Artifactory. It's trusting you to pull down a package to make it download, to grab a file, accessing a database, accessing a warehouse, accessing a customer relationship management, a CRM tool like a HubSpot does these APIs right, can essentially, you know, cascade into accessing a bunch of other things, and you're trusting that it's like, hey, this is the point to crack right?
00:40:54:15 - 00:41:08:16
Jonathan Rau
So from like an attacker perspective, yeah, obviously I want to get into that from Pentesting perspective, from an assurance perspective, governance perspective. I mean, if you really think about a governance team is like a pentester right out the keyboard, essentially, right. Like they're asking these procedural…
00:41:08:31 - 00:41:12:41
Neal Bridges
You hear that? You hear that my GRC folks, Jon just coined you a pentester.
00:41:12:41 - 00:41:20:56
Neal Bridges
Now you can go out there. You could piss off all all of the cyber influencers on LinkedIn and say that you've been called a pentester because Jon told me.
00:41:20:57 - 00:41:33:59
Jonathan Rau
You're welcome. I mean, in a way, I think like the ultimate pentesting business model would have like a really strong privacy person, a really strong governance person, and then obviously a pentester too.
00:41:34:12 - 00:41:51:46
Jonathan Rau
Maybe they're a cloud pentester or an IoT pentester or something. I think the only people befitting of that title, or somebody who uses like, shit like, you know, car frickin, pentesters, right? They're running around with HackRFs, they're running around with freaking BladeRFs. BladeRF is the way to go because you get 60MHz of bandwidth.
00:41:51:51 - 00:41:53:57
Jonathan Rau
That's a story for another…62 technically
00:41:53:57 - 00:41:58:55
Neal Bridges
Until the FCC comes in and, you know, cracks down on you for popping up your, your, your own…
00:41:58:59 - 00:42:06:38
Jonathan Rau
You're just not allowed to decode. But if you have, you know, permiso then you’re good to go. And so you're…
00:42:06:43 - 00:42:16:21
Neal Bridges
I was thinking about I was thinking about that that first time that somebody dropped an IMSI catcher at Blackhat and turned it on for like, 3.5 seconds, hoping that the FCC wouldn't come in.
00:42:16:25 - 00:42:21:36
Jonathan Rau
Yeah. No. Well, the police department could do that for no reason. You know, why can't I, right?
00:42:21:51 - 00:42:25:04
Neal Bridges
And anyway, Jon, anyway, Jon…
00:42:25:09 - 00:42:41:45
Jonathan Rau
DragonOS! No, but really, if you guys are like, interested in so like RF pentesting, you know, whether it's for cars, IoT, intercepting things like, LoRa long range, which is on 925 and I believe it's on 833MHz.
00:42:41:50 - 00:43:00:45
Jonathan Rau
That's used a lot in IoT for communications. That's great to practice with because it's low energy radio direction finding, radio astronomy. Look at DragonOS. The guy who makes it, I think, we have to find his YouTube. Cemaxecuter7783 or something like that, but just look up DragonOS on YouTube and he has a bunch of stuff.
00:43:00:54 - 00:43:18:20
Jonathan Rau
He also has a lot of ATAK stuff, right. You know, go check the pro using some ATAK out there. But that's besides the point. But yeah, I mean, APIs, I think are the single most dangerous thing. and now it sounds like we're an API security frickin company, and I'll talk about secure access. Oh, guys, don't worry.
00:43:18:26 - 00:43:21:36
Neal Bridges
Don't say sassy. Don't say sassy.
00:43:21:36 - 00:43:24:21
Jonathan Rau
Sassy. Sashay!
00:43:24:25 - 00:43:38:00
Neal Bridges
Well, let me ask you this because one of the things that I do like about this show that you and I are doing is that you are much more programmatically centric than I am. Like I, I definitely admit that the extent of my programming is, you know, a bunch of bash scripts and maybe some Python, you know, here and there.
00:43:38:13 - 00:43:56:21
Neal Bridges
But you've got a lot more of that dev and that DevOps experience. What if you had to give like your top three kind of like API do's and don'ts for other people who are thinking about programming or even like, you know, hey, if you're API pentesting, you want to get into API pentesting, here are the three things you should be like looking at.
00:43:56:21 - 00:43:59:24
Neal Bridges
Like what would you what would you pass on to people?
00:43:59:24 - 00:44:17:07
Jonathan Rau
Well, one try not to make all of them frickin public, right? Or make a public, right, like, you know, there is a distinction between an internal API. Right? And we have a lot of that at AWS where, you know, an action that you take because, surprise, surprise, every cloud platform is built on their own cloud platform, right?
00:44:17:07 - 00:44:37:51
Jonathan Rau
They have the dog for, you know, to work well. But, you know, the first thing is if it's supposed to be internal, if it's like only to orchestrate some sort of automation, you know, maybe it's the age of a record, maybe to reregister something, you know, think of when you connect to Microsoft Defender for Endpoint and Microsoft Intune, right.
00:44:37:51 - 00:44:57:53
Jonathan Rau
Defender for Endpoint is their EDR or XDR extended detection response tool, whatever you want to call it. It's an AV agent. And then you have Microsoft Intune which is an MDM, which is a weird word because it's mobile device management. It should be and it's sometimes called MEM, right? Microsoft Endpoint Manager or mobile enterprise management or something mobility and whatever.
00:44:57:58 - 00:45:18:33
Jonathan Rau
And you get the point there. They're two different tools that you could connect them because Intune is supposed to be where you have your configuration profiles, where it's like, hey, you could use a BYOD device, or hey, you have to have these, updates installed or you have to have this configuration for like your net capture filter, you have to use, fire locker, vault lock, whatever.
00:45:18:33 - 00:45:34:55
Jonathan Rau
You know, the Mac OS one is I should know that because I have a mac, I think it's EVault. Evault? Yeah. Yeah. Right. So that's what Intune is. And then you could connect it with Microsoft Defender for Endpoint, such that you could bring in coverage data to have within Microsoft Defender for Endpoint like hey, this is on our directory.
00:45:34:55 - 00:45:50:59
Jonathan Rau
This is registered to this person. They don't have Defender for Endpoint. That either means that your Intune scripts are broken and you suck and I hate you, which was me when I was a CISO at LightSpin but I never used Intune or any of that stuff outside of like just, oh, I got to go get Defender data. So let's figure out how to use this API, right?
00:45:51:04 - 00:46:22:52
Jonathan Rau
So that's an example of an internal API. If it's something that you use for yourself, not for the customer, don't make that thing public. Don't have your documentation out there. Don't have the endpoint beheadable right, hide that thing behind a WAF and then the second thing would be, you know, strong security, right? Not just MFA, but, you know, API tokens or if you have an OAuth endpoint or especially like if you're sharing, you know, session data, somebody logging in, they're coming in from SSL encrypt the JWT, have a way to deauth it, have a way to age it out.
00:46:22:52 - 00:46:51:20
Jonathan Rau
Have a way to track the sessions. just overall session management of the security is, you know, very important. And then, I guess just, you know, safety. Right. if you have, like, say, a poster of API again to update some record in a database to make sure that that swiped that conversation you have on your dating app or on LinkedIn or whatever, you shouldn't be advocating conversations on LinkedIn, actually.
00:46:51:35 - 00:46:59:42
Jonathan Rau
But I'm sure if they added a dating functionality, a, a bunch of people would use it. just put it out there like it was my idea first.
00:46:59:42 - 00:47:04:09
Neal Bridges
Marketing is making another note.
00:47:04:13 - 00:47:15:49
Jonathan Rau
That one’s not that bad. Games and that that's the next thing that the dumb LLM Oh God, oh god. I never going to put the dating app in it if people already use it as a dating app, it's
00:47:15:49 - 00:47:17:44
Neal Bridges
Oh, I know it's it's it's nuts.
00:47:17:44 - 00:47:34:12
Jonathan Rau
LinkedIn is full of perverts. And it's also people who are loud about it too. Go ahead. They're going to cancel this on the stream. But I gotta say it, I gotta say the ones who are very, very loud about like, oh, you know, I would totally never offer mentorship under the guise of, you know, for dating on somebody.
00:47:34:12 - 00:47:37:17
Jonathan Rau
Oh, who would ever do that? Those are the people who are the predators.
00:47:37:22 - 00:47:46:12
Neal Bridges
Oh, God. Okay, okay, okay. Jon. Jon. Mute. Mute. Jon has strong opinions about LinkedIn
00:47:46:16 - 00:47:48:21
Jonathan Rau
Anyway. Yeah, yeah.
00:47:48:26 - 00:47:57:56
Neal Bridges
This is this is this is the best. This is the best response right there. SecITguy: Now I want to take a detection engineer and put them in charge of a dating app.
00:47:58:01 - 00:48:13:06
Jonathan Rau
I mean, you know that that's probably a good way. There's a bunch of, then questions about, you know, people asking like how to get in. But I think the most important thing to get in is getting your mind in the way of thinking. So if it's like, you know, if I was in a pentesting engagement for this app, what would I do from the outside?
00:48:13:06 - 00:48:33:02
Jonathan Rau
And that's where the bug bounties are too, right? There's a bunch of people who pay their bills and then some. Yeah, just like bug bounties just going through like, you know, is this input correct? Yeah. Can I fuzz this? Right? Can I submit something? Can I ask it something? This API says it's for posting. Can I try to delete from this API endpoint?
00:48:33:02 - 00:48:54:42
Jonathan Rau
Right? Is there safety in the methods? Is there safety in input sanitization. Is there safety in just you know, it's doing what it said it should do? And can your users get themselves into trouble. And that's a whole esoteric AppSec sort of question and not my strong suit. I've never ran an AppSec team. I don't know a whole lot about, you know, OWASP other than what's OWASP.
00:48:54:42 - 00:49:05:49
Jonathan Rau
But if somebody asked me in an interview like um what’s an OWASP thing, and I'm like, okay, close lost. Close lost.
00:49:06:03 - 00:49:19:01
Neal Bridges
I love that. But I mean, listen, listen, chat, I hope I hope you're taking a bunch away from this. And I and there have been some questions, Jon and I do want to I do want to get to them here in our last few minutes, because I have I have noticed that the mods have been pushing them them all to to the queue.
00:49:19:05 - 00:49:37:49
Neal Bridges
I hope chat you guys have been taking away just kind of like the the various amount of amounts of skills that just kind of like come from being exposed to this stuff, having it in your repertoire, being able to practice it and, and really you just kind of like move in the direction I would say that the, the industry kind of takes you and Jon
00:49:37:49 - 00:49:51:29
Neal Bridges
I want to kind of like this, this question. I thought this is a priority question from our one of our Twitch viewers and I, and I thought it was pretty valuable because I think that I think this is worth mentioning again, right? And and the question really is, is what is the goal of these talks every other week?
00:49:51:29 - 00:50:10:28
Neal Bridges
What should we be looking to extract from this more knowledge is is is more better. That sounds like that's something somebody went to your your high school for English. But just just curious the actual goal. I think I would answer this, Jon, by saying like, hey, listen, more knowledge is more better. And from my perspective, I don't like to write.
00:50:10:28 - 00:50:33:54
Neal Bridges
I'm glad ChatGPT is here and I can like, stick a bunch of of freaking, you know, prompts inside of ChatGPT and have ChatGPT write for me. But I love to speak, right? I love to to talk at conferences. I love to to talk to people in the community. And so like for me, any opportunity that, A, I get to talk to people about cybersecurity, which is the whole reason why we started Cyber Insecurity four years ago when we started it, I think is a huge plus.
00:50:33:54 - 00:50:58:22
Neal Bridges
I think what adds to the excitement for me, Jon? And again, don't don't feel obligated to to piggyback on this because I know that, that's a natural human tendency to get to share the stage with somebody who is as polar opposite of me as Jon with different perspectives, different personalities, different skill sets, and to be able to bring that conjoined amount of, of knowledge to an audience.
00:50:58:26 - 00:51:21:29
Neal Bridges
I think the goal of this is, can we educate you all on doing more cool stuff in your day to day and then the final piece that I’ll make, the reason that this is SecDataOps, is because I do fundamentally have a belief that we are failing our security operations teams. I've seen it since I've built my first one in 2016, and I've watched it deteriorate over the years.
00:51:21:40 - 00:51:46:22
Neal Bridges
And I think that there is there is more data. There was more data in 2016. I don't think we've done anything other than watch that shit, you know, explode through the roof. And I think we are losing the battle with not just the Dropbox breach, but every frickin breach that ever comes up. We are losing the battle hand over fist for how to protect our, you know, protect your data, protect everybody else's data.
00:51:46:36 - 00:51:59:52
Neal Bridges
And I see this as an opportunity to bring the conversation around having a more data centric approach to security operations. And I fully, wholeheartedly believe in that. Jon, that's enough rambling for me. I'll flip this one over on you.
00:51:59:56 - 00:52:11:56
Jonathan Rau
Yeah, I mean the… So for me personally, when I was kind of getting into this, you know, I, I've always been an introvert and, I only got into like computers and networks and stuff because I used to play a lot of MMOs with my old man.
00:52:11:56 - 00:52:27:29
Jonathan Rau
Even though he couldn't do it for a long time because he runs his own business, he does contracting construction, New York City. But we used to play an old dead MMO called Asheron's Call. And that's really what got me into, like, networking. And, you know, how does this work? And why the frick can I connect to this?
00:52:27:41 - 00:52:43:49
Jonathan Rau
And then that got me into like, computers and learning Linux and C and C++. But the big thing and I don't even know who told me this was probably some teacher somewhere in public school. Like, you know, the best thing you could do for yourself is, find out three things that you didn't know about. And hopefully that's the, takeaway, right?
00:52:43:49 - 00:53:05:52
Jonathan Rau
Where between me yapping and Neal actually having some, like, lucid eating things to say more, you know, an easier stream of consciousness to follow rather, is, you know, if it's like, three things or maybe it's just one thing that like, what the heck is an AppSec? Or what's a SecDataOps or what's a DevSecOps in fact DevOps is a shitpost I made it.
00:53:06:03 - 00:53:10:10
Jonathan Rau
A bunch of people are using it though. You know where my royalties at guys?
00:53:10:11 - 00:53:17:52
Neal Bridges
We should we should we should do an episode about like, what is a shitpost and how a shitpost turns into a following.
00:53:17:57 - 00:53:27:06
Jonathan Rau
I guess. I mean, it's memetic energy, but yeah, the idea is just to take away something: some term, some technology, something.
00:53:27:13 - 00:53:47:48
Jonathan Rau
Right? I mean, it's hard in this format when we're just talking, to be like, oh, wow, write that down. I better go do that today. Especially when you ask me, what are the top five things and I named like four processes and all of them were processes even, right? Like turning on MFA. That sounds great when you're a startup of 17 cats, but what if you're at a company with 33,000 freaking employees of various states, right?
00:53:47:48 - 00:54:09:05
Jonathan Rau
Some are 1099. Some are corp to corp. Some are full time employee. Some are a long term contract, contract to hire, partners, executives, all sorts of different walks of life. Right? Or not walks, or walks of life. Yes. But you know, all of the things, you know, take process. I think that's the thing about security is that we want instant gratification as an industry.
00:54:09:19 - 00:54:25:46
Jonathan Rau
We just want everything kind of given to us. And I don't think I think that could be the show for it. But personally, I don't know, in the past, like at AWS when I was like full like DevSecOps, right? Like, let's put all the frickin detections in the pipeline and let's scan all the things. Then you got to change the volume.
00:54:25:46 - 00:54:34:16
Jonathan Rau
We got to stop your app for going live. If you ask 2016, you know, Jon, or 2010, Jon. I was a junior in frickin high school in 2010.
00:54:34:21 - 00:54:35:03
Neal Bridges
Oh, God.
00:54:35:03 - 00:54:40:29
Jonathan Rau
God, yeah, kind of young, young bro. You know, I mean, anybody could do this shit, right? Like…
00:54:40:29 - 00:54:41:36
Neal Bridges
Yeah.
00:54:41:41 - 00:54:44:32
Jonathan Rau
And that's really what the, what the takeaway is.
00:54:44:32 - 00:55:05:33
Jonathan Rau
But I do echo that, right? Every day. That's why I picked up data. You know, when I was writing blogs about using Sumerian and using early NLP and IP insights and ML models and analytics and, your favorite word, and, you know, haversine distance, and euclidean models of, oh, oh, you know, I didn’t I never went to college, bro.
00:55:05:33 - 00:55:22:56
Jonathan Rau
I didn't go to college. You know? I didn't get a college degree. I think I maybe took like five college courses through like Capella or something once upon a time and I was like this is freakin bullshit. Like, I'm not learning anything except for Java, MariaDB. Not to put people down with a degree. But I don't know. I think we're kind of past that finally.
00:55:23:01 - 00:55:31:18
Jonathan Rau
But now we need to get past the whole need just for like, oh, I want to know something that'll get me in to pivot, to get me a bunch of money right away.
00:55:31:18 - 00:55:31:26
Neal Bridges
Yeah.
00:55:31:41 - 00:55:40:22
Jonathan Rau
It's not it's not that it's all a process. And I hope that the takeaway is that this shit takes time. You could do this from any, anywhere, any starting point.
00:55:40:22 - 00:55:46:58
Jonathan Rau
That's the good thing about this. And, I don't know, have some fun, you know, chill out, have a beer and shit.
00:55:47:03 - 00:55:57:48
Neal Bridges
I think I think this is this is one that I want to highlight on because, like, I think I think this comment is it is important. And I think this is kind of the root of the question that you asked,
00:55:57:52 - 00:56:28:59
Neal Bridges
Doc G, right? Is, is I'm not as hardcore. The data engineering skills need to be crazy adopted by security folks. Like the stuff that Jon does is effing magic, dude. The stuff that Jon does in AWS and in GCP is effin magic. I don't think security dudes need to be at that level, but I do think there is a convergence of data that I do think, you know, security folks have stuck their head in the sand about.
00:56:28:59 - 00:56:35:51
Neal Bridges
And I think this the goal of this stream is really about bringing that to light and having that conversation.
00:56:35:56 - 00:56:36:34
Jonathan Rau
Yeah, maybe not the…
00:56:36:46 - 00:56:38:28
Neal Bridges
Go ahead.
00:56:38:32 - 00:56:53:23
Jonathan Rau
No, I want to touch on that. You know, maybe not the skills. Right? I know how you know, because we talked on this on the first episode, right? And I it was my mistake that to ask you like, you know, how much more you felt about it than I, I'm almost done with my whole crusade of, like, you know, security people.
00:56:53:32 - 00:57:09:18
Jonathan Rau
I did a couple shitposts up with the, uh, dark Kermit, like, now make the frickin security people learn PySpark. Which is interesting to me, right? I think it's a skill that you could pick up. Like if you could write a Python script, you could write a frickin PySpark script to run that shit on EMR, right? It'll be expensive.
00:57:09:23 - 00:57:25:01
Jonathan Rau
But yeah, I do think that there is, you know, here's another one that there's a crossover between analysis, right? DNA analysis, security analysis. And it all kind of starts at the same point. Right? I think the good thing about our compatriots on the data side of the house is they think interoperability first and they think outcomes first, right?
00:57:25:01 - 00:57:42:53
Jonathan Rau
Yeah. It's like, okay, we need to make a report for this business, for this demographic. I think I used the example in the last stream, you know, how do I work backwards from this with the minimum amount of data necessary, with the minimum amount of touchpoints necessary. And I think that's naturally also a security thing, right? Like there's a whole concept of DataSecOps, right?
00:57:43:02 - 00:58:03:18
Jonathan Rau
Like data security protecting the security and transit in motion and use, right? Polymorphic, whatever. So there's also that yeah, maybe you don't need to learn SQL but I think we're getting to the point that you probably will just like a lot of cloud security, you know, cloud security engineers, AppSec folks, vulnerability folks probably didn't think that they had to learn like, Splunk Query Language.
00:58:03:18 - 00:58:21:11
Jonathan Rau
Right? And then all of a sudden people are putting everything into Splunk. The natural thing is going to happen now, where you're going to have to learn how to use a Power BI tool. Or maybe learn how to use a notebook, though if they do it right, you shouldn't be writing frickin SQL queries against the data warehouse to begin with. But yeah, I know they'll learn some SQL. It's fun.
00:58:21:38 - 00:58:39:49
Neal Bridges
Yeah. Hey, this is a good question. I do want, especially since you came from AWS and you've got like, you've got a pretty good perspective about that mix of, of these two kind of crossovers. But how many entry level cybersecurity practitioners do you think are aware that DevSecOps is even a role in the marketplace?
00:58:39:53 - 00:59:04:17
Jonathan Rau
I think a lot more now, right? Like DevSecOps is kind of still, you know, at the not the forefront, but was forming rather in like 2017, maybe a little bit before that. But that was in the whole state management, config management, everything is code. But then it morphed into for more of like a governance top down function to, you know, version control everything to let’s just put all the security into the pipeline.
00:59:04:17 - 00:59:26:06
Jonathan Rau
So it's almost like a dead meme now, but a lot of people use the roles, and I've never seen it executed particularly well. I think it's now called product security or staff security engineering embedded within a product team because the whole like, oh, we just got to teach all the devs how to securely code. It's like, yeah, maybe they should know when to, you know, sanitize queries and use walrus operators or whatever.
00:59:26:06 - 00:59:50:37
Jonathan Rau
But they shouldn't be, you know, learning how to build a whole full stack, secure application. But DevSecOps is good in a way that cloud security is good, that it's a broad departmental sort of view of the world, right? Where it's you could slot in to different things, I think application security and all its parts, vulnerability management, what else, Neal?
00:59:50:37 - 00:59:53:41
Jonathan Rau
Keep me honest here. I mean, there's a bunch of parts of DevSecOps.
00:59:53:41 - 01:00:19:22
Neal Bridges
I mean, so, so, I'm slightly cynical on DevSecOps in the sense that, like, like you, I, I well, I don't think it's very well-defined. I think I think this, this question here in kind of like to, to SecIT Guy’s point like I think we all thought that there should be some embedded security in dev DevOps roles and just in, in engineering, you know, efforts to begin with.
01:00:19:27 - 01:00:59:11
Neal Bridges
And I think we fundamentally have seen that fail, I think is probably the most direct way to put it. And I think it has resulted in like DevSecOps should exist, but it doesn't, it's kind of failed in practice. And I think that that's why we've now kind of come back again to your shitpost of, you know, SecDataOps, where it's like, hey, like we wanted to get security baked into engineering in 2016, 2017, 2018, around the time you guys failed at doing that, you gave us a bunch of runaround, a bunch of excuses why it wasn't possible, stopping workflows, limiting the ability for engineering to get code to production, just handle it
01:00:59:11 - 01:01:19:40
Neal Bridges
on the pentest and submit a bug report for it afterwards. Blah blah blah, you know all the shit that that that goes along with that. And so now you've got this vast sea of applications and SaaS applications and other applications that have access to data. I don't even want to talk about the AI, you know, you know, disaster that's happened in the last 12 to 18 months, right?
01:01:19:40 - 01:01:47:04
Neal Bridges
And now all of a sudden it's like, yeah, yeah, yeah. And so it's like now you've got no security in the dev function, no security in the data management function. To your point, they're always focused on the outcomes. And the outcomes don't have anything to do with security whatsoever. And that has basically culminated into exactly the problem that we have now, which is why I think the SecDataOps, while a shitpost, has turned into a very valid movement, probably one of the more impactful movements that I've seen over the last 20 plus years.
01:01:47:09 - 01:02:11:47
Jonathan Rau
Yeah. No, I think, you know, the question how does somebody get into DevSecOps, I think like a, a prototypical DevSecOps engineer, even though I'd call them a product security engineer, you got to learn kind of all three parts of that acronym, right? That's what it was intended for. It was some development. Even though the development side of security is going to be, hey, you got to write CloudFormation and Terraform and SaltStack and Pulumi and Tofu, whatever it is.
01:02:11:52 - 01:02:34:39
Jonathan Rau
So pick up a scripting language. At the very least, kind of understand the SDLC process. People skills, soft skills I think are a lot more important, right? Because you're going to need to be explaining to general managers and software dev managers why what they're doing is bad. You know, but also learning the skills because you're going to have to be, you know, building out fricking, you know, infrastructure as well.
01:02:34:39 - 01:02:59:37
Jonathan Rau
Infrastructure services, everything's defined as code. The security part of DevSecOps is very AppSec vuln management focused. Are you securely configuring things? Is network security working? Can you define the WAF rules? Are you patching? Are you monitoring if the patches failed, restarting. And then can you also reconcile that against like hey, the software is staked to this specific version.
01:02:59:37 - 01:03:24:02
Jonathan Rau
It has to use this version of Pandas or this version of frickin PyMySQL or whatever, right? And then the operational part of it, which I think is the one that gets lost in the sauce, is running all these tools. And because of the DevSecOps moment, that's why we got crap like the CNAPP, and ITDR and NDR and we have all these DRs, you know, application centric tools that say they're app centric, but they're not.
01:03:24:17 - 01:03:45:57
Jonathan Rau
Right? They they have no context into the team, into the governance, into the processes behind it. So getting into it is really just kind of perfecting all the skills, you know, up and down, that stack and finding this. And I think what you'll find is that you're going to specialize an area like, oh, I actually really like this application security thing, right?
01:03:46:10 - 01:03:52:17
Jonathan Rau
Or I really like being a vulnerability manager. And then you'll end up getting into that by accident. Yeah.
01:03:52:22 - 01:04:06:27
Neal Bridges
Jon we we ran over, but it was it was an amazing conversation as I go. I'm not complaining I think I think more you know, your boss or my boss might complain. I think you know, more than anything else. But hey, parting thoughts for for the community.
01:04:06:27 - 01:04:18:21
Neal Bridges
Kind of like, you know, you know, if they if they need something to dream about, you know, between now and the next time they see you and I on camera in two weeks, like, what do you want to leave them with?
01:04:18:21 - 01:04:30:59
Jonathan Rau
You know, show time sensitivity. Yes. Yes. Invest in tanks and ammunition. but, no, I mean, think of small problems first, right?
01:04:30:59 - 01:04:48:46
Jonathan Rau
Whether it's in data, cloud, AppSec, pentesting. I think just, you know, we're looked on, security folks are looked on or put too much pressure on themselves to have to solve for everything, right? Nearly everything that Neal and I talked about, nearly everything that Neal and I've done in our career have been like big rocks that you got to chip at, right?
01:04:48:46 - 01:05:14:45
Jonathan Rau
So focus on the smallest minimum necessary thing that you could do to affect a good outcome. You know, and my boss, the CISO at IHS Markit, Eric, you know, always framed it as the what, the so what, and the what next. And if you can't clearly articulate that, if you can't write a one pager about it, then it's probably not worth doing or you don't understand the problem space enough to actually, you know, be effective in it. And don't put pressure on yourself.
01:05:14:52 - 01:05:17:14
Neal Bridges
That that is that is incredibly well said.
01:05:17:14 - 01:05:35:34
Neal Bridges
And the folks who are long time listeners of Cyber Insecurity have heard me say something very similar. I did not prime Jon for that. It was pure Jon intellect right there. What, so what, now what? I think with that, Jon, let's get back to work, sir. We’ll see you all…in two weeks.