Hi everyone. How's everyone doing today? Hopefully everything is going fantastic for you all. It's a pleasure to be here, and I'm talking about one of the fun things that I enjoy doing. I am a big gamer. I've been a gamer for many, many years. I know I look very young, and how could I, you know... but even today I'm playing Dune: Battle for Arrakis, which is a really old game from the early eighties, and it's a lot of fun, but it's very interesting.
But what I do, in order to keep my skills fresh, because our technology changes so frequently, I mean in six months' time we'll be having something new to deal with, is I use gamification to keep my skills fresh, to keep my knowledge current, to understand the threats and understand the tools that are being used out there.
So this session's all about how to use gamification in order to improve your skills around identity security.
So for me, one of the things I feel all the time is that our day job is almost like a game of Space Invaders. We've got the attackers coming, they're coming with their DDoS attacks, they've got their business email compromise, we've got phishing, social engineering, ransomware coming through, and constantly we're having to defend with different technologies. We're using ITDR, we've got EDR, XDR, all trying to defend your organization.
So sometimes it just feels like, on a daily basis, and this is what the UK hospitals are feeling right now, that they're under attack, and this is what it looks like. You've got attacks constantly coming. So one of the things to do in order to keep your skills fresh and stay current and keep up to date: I use gamification.
I use it in order to make sure I understand what techniques attackers are using, what techniques work. And it's been used in lots of industries.
It's been used in the healthcare industry to keep doctors up to date with technologies for diagnosis. It's been used in aerospace to teach pilots how to fly new planes. So gamification and simulation have been heavily used across the world, and if you do it in the right way, you can quickly accelerate your employees' knowledge and at the same time have fun. You can make it enjoyable. And you know, sometimes the cybersecurity space is a very scary place to be in, but sometimes we need to actually make it fun.
We need to make it enjoyable. So you can use gamification to do teaching, to improve your skills, to do development of new technology.
Whether you want to learn about the latest single sign-on technologies, privileged access, or you want to learn about multi-factor authentication, you can use all of these simulations and gamification to do that. Now there are many gamification platforms out there. They all come with different types of benefits and different advantages.
You've got gamification platforms like Hack The Box, which really puts your skills to the test because it's the exploratory one. You're not given the answers; you have to find the answers yourself. You've also got the walkthrough ones, like TryHackMe, which will give you the step by step by step so you can actually simulate and just go through it; it will navigate you through very easily. You've also got ones that focus around the OWASP Top 10, things like the Juice Shop.
You've also got the web application ones where you've got an instructor, ones like cy.
So there are lots of different platforms that all have different values, whether you want to have instructors or whether you want to get your team to do Capture the Flag events in order to learn specific things. You may want to be looking at, let's say, how to do identity forensics, how to collect evidence of identity attacks, how to look for indicators of compromise, in order to understand how certain vulnerabilities work.
So you can use all these different platforms, they all have different values and benefits, and you can start small. You can start step by step by looking at specific types of attack techniques, whether it be privilege escalation or even just simple things like password cracking. How does password cracking work? How do they create word lists? How do they use those techniques in order to compromise credentials?
Now you can either go small with some of these platforms, or you can do what I did this year: go big. So going big, this is Locked Shields.
Locked Shields is a major event that's held yearly by NATO. And this event actually happened in April. It's the world's biggest live-fire cyber exercise. You had 40 nations participate; it's the 14th year. There were over 18 teams, 4,000 participants. I was in the team of Ireland and South Korea. We came together so that we had a team of two. So over the space of two days, we built a team of 200 people to defend an organization of a thousand employees and 200 systems, just to have a game. We actually received over 8,000 cyber attacks over that two-day period.
So it was this constant effort of trying to keep our systems up and running.
And there are a lot of things, even for me as a seasoned professional, that I learned from the techniques of the red team. They're coming in, coming up with new ideas, and it's not just about cybersecurity; it also incorporates different skill sets. You have legal teams who are responsible: what's your legal response for things like GDPR or Cyber Essentials or ISO? The EU AI Act was also part of this as well. You also have strategic communications, you've got social engineering, you've got user simulation.
You have to make sure that the users who are actually using the system are able to use it. So it incorporates the complete 360. These are some of the images that were taken from the event. You actually build a live, real power station with SCADA controls and PLCs, and when you actually lose your power station, sparks fly out of those little boxes on the right-hand side.
You can see in the middle the red team showing all of the websites that have been compromised.
And up on the left-hand side, that was my team, that was part of the Irish Defence Forces, based in Dublin at the NCSC headquarters, that were all coming together in order to defend our systems, and we were working together using our knowledge to make sure that the users were able to keep performing, or defence systems, 5G networks, gas, energy and so forth. Now to show you a simulation, I always like to show demos. I always like to show what it looks like. So I've got a demo here. This one is to show you what it looks like using gamification in order to practice,
for example, password cracking or looking at weak credentials. So this particular one is using Hack The Box. And you can see here from the command, I've already compromised initial access.
I've already got a user, I've gone into the system, and now what I'm doing is reconnaissance, looking around the system to try and find another way to elevate up, to gain access to a higher-level privileged user. Here I've found that there's actually contact information that includes a ticket database. So looking at the strings of the database, we can see all the readable text.
And then here you can see that there's actually a hardcoded password, but that password's encrypted. So it teaches you about the ability to go and start identifying what those passwords are. So we can take that hash, we can go and run it against hashid. hashid shows us that this is either Blowfish (OpenBSD), Woltlab or bcrypt. After analyzing and looking at it, I've determined that it's bcrypt.
And then using John the Ripper, I can go and run it through a word list, and eventually after going through this I can crack it to the cleartext credential. So this is showing you why weak credentials are a bad thing and why it's important to start really moving them into the background and stop having people choose and create passwords. So you can see the password here is SpongeBob1, not a very great password, but it's something that this person can easily remember.
I can go back to the compromised machine, do `su joshua`, put in the password, and now I have become that user. So this is a simulation to really show you some of those techniques, some of the ways that password cracking works, and why today attackers are still... you know, we talk about the acceleration of AI.
The great news is that AI has accelerated mostly in the cyber defense area. We've actually made significant improvements in cyber defense capabilities, but the attackers, they're still using what works.
They don't need to use AI because the basics are still working. They're still able to crack passwords. People are still using credentials that are brute-forceable. We still reuse passwords across multiple systems. So it's really important to understand the techniques that work and what things you can put in place to make it more complicated and more challenging for the attackers. So moving into another example, I've got one here which is compromising Active Directory.
So I've got a machine and I've been able to use what's called SharpHound in order to extract information about that machine. And this is again using Hack The Box. And this particular machine is the Egotistical Bank.
So it's a fake bank that they set up that has certain vulnerabilities that you need to explore in order to compromise the bank. So what I've been able to do is extract the collector's output, the actual information about Active Directory, and then I have to try and find a path from the user that I've compromised to become domain administrator.
So in this particular example, I've exported the collector data, put it into BloodHound, and now what I can do in BloodHound is go and find the domain group. So I'm looking for Domain Admins. I can look for the shortest paths from the user that I've compromised, and it will map out all of the ways that I can move between the environment. I can see here the little one with the skull; so here is the user account that I've compromised.
I can see that it's actually associated with the domain of Egotistical Bank and the path to Domain Admins. What we can find out here is that there's a misconfiguration in Active Directory, and that misconfiguration is GetChangesAll. With that, it allows me to go then and perform what's called a DCSync attack. So I can use DCSync, and right here in BloodHound it gives me the command line that I can simply use, take that, and move it into using things like Impacket or secretsdump. And that will allow me to then use this account in order to dump the hashes.
So it doesn't allow me to get the passwords, but it allows me to dump the hashes, for example for the domain administrator. And with that hash I can do one of two things. I can either do a pass-the-hash attack and start moving around the network with the hash alone, or I can go back and run that again using a password cracking tool such as Hashcat or John the Ripper to try and then get the cleartext password.
And if it is something that humans created, I can guarantee that it's only a matter of time before my system will crack it,
because we are not great at choosing passwords. We have to realize that, and we have to find ways to make sure that we can move passwords to creating systematic, complex ones so we don't have to. So hopefully this is a bit educational. So what are the key takeaways? What things can you do, if you want to take this back and start using it in your own organizations? What I suggest is focusing on specific topics. If you want to learn something, maybe you want to do an incident response practice simulation.
And in incident response you might want to see, well, how do I move around? How do I collect evidence? How do I find indicators of compromise?
How can I gather the audit logs, how can I analyze them? So there are certain tracks you can go and do, and there are specific tracks that will teach you incident response. There are specific tracks that will teach you credential compromise. There are specific tracks that will teach you about domain privilege escalation.
So you can go through and look at those, and specifically I suggest starting a bit smaller, but look at specific topics of interest that will help you improve your skill sets, improve your team's skill sets. I'd suggest getting a mentor. That was probably one of the biggest mistakes I made when I started off doing Capture the Flag: I didn't have a mentor.
I tried doing it all alone, and it was only after probably a couple of years of me going solo, and many long weekends hitting my head against a table trying to figure out something for myself, that I found people who were interested in the same thing, and it made it much easier for us to share our knowledge and share our skills.
So I got mentors to help me and improve my areas much faster, by going to people who knew much more than I did.
I also suggest, when things like Log4j come out, or PrintNightmare, or other vulnerabilities like MOVEit last year, there are lots of simulations already that have those vulnerabilities built in. And I suggest you use the gamification and simulations to learn about the vulnerability, to learn about how it works, because these simulations allow you to do it in safe environments without trying to do it in your own area. It recreates it for you so you can go through and explore it in a safe way.
So I suggest: learn about the vulnerabilities. Don't just go and try to patch them and think that's enough. If you learn about the vulnerability, you can learn about how it might be unique to your environment or what risk it might expose, and gamification and simulation allow you to do that.
I suggest you practice in simulations: practice, practice, practice, practice. Don't wait for, for example, an attack to happen to try and do incident response, because you will not be ready.
And that's why, using these simulations and gamification, you can practice incident response techniques. Don't be afraid to ask for help.
Again, going back to one of my lessons, trying to do it solo: I started finding people who were interested in the same area and asking for help to try and understand areas that I could improve. I do suggest practicing documentation and writing up your findings. One of the things that I've done a really good job of is documenting all of the games, all of the techniques that I've learned. And it makes it... because my memory is not as good as it was when I was younger.
But by writing it down, documenting it and understanding it, I can now quickly go back to something and quickly understand something I did maybe a year or two ago. And it's all because I do the write-ups; when I write it down, it triggers those memories much more easily and makes it much easier to search. I also suggest practicing with both automation tools and manual methods. There are a lot of automation tools out there, things like winPEAS that allow you to do Windows privilege escalation, or exploit suggester, or LinPEAS.
There are lots of things that will help you do enumeration and gathering, and they will do it in an automated way. But I suggest practicing doing it the manual way as well, because you might find things that those automation tools don't do, and it also allows you to understand how to change the parameters and change the results that you get back.
And it's also about being patient as well. These things take time to perfect and to get the value out of.
So I highly recommend this is something where you start small, do it in smaller teams, have specific topics, but be patient, because over time it will make a difference. If your organization does become a victim, you will be ready, you'll be much better prepared, and you'll be able to react faster with higher knowledge. And that's what makes the difference between your organization struggling after an attack and being empowered to make your organization resilient and able to recover quickly with minimal impact. So that's gamification in a nutshell.
I hope it's been interesting. I hope that you find this valuable, and I do highly recommend, if you're interested in learning more, I'm available for the next couple of days. Do grab me if you're interested; I can walk you through some of the simulations, even some of the more challenging boxes I've done recently, and I can take you through some of those steps. Thank you. I'm happy to take questions if we have time, and hopefully this has been enjoyable. Take care and stay safe.
Thanks Joseph. A question, there you go.
How can you convince the management of the companies to do this gamification?
So it's a great question. One of the things is that, in convincing management, you want your employees to be more knowledgeable tomorrow than they are today, and you want them to enjoy the process as well. Doing the traditional type of training and education we've done historically isn't effective. It's very time-consuming, very costly. With this, you can focus really specifically on specific types of skills and topics.
So if you want to learn more about, for example, enumeration in AWS or Azure or other cloud environments or other types of technologies, this is a great way to do that. It's worse to not invest in training your employees than it is to spend the time to do this. So I highly recommend that.
Yeah, it's definitely, it's worse not to invest in your employees than it is to leave them with the skills that they have today, because in our industry, our skills today are not enough to protect tomorrow.
True. Well, thanks again. I think we have a break now until 5:00 PM... 5:30.
Thank you.
5:30. Thanks.