56 — Greg Linares

Greg Linares’ professional career in cybersecurity began in 2006, when he joined eEye Digital Security as a Security Researcher. During his tenure he was credited with the discovery of several vulnerabilities in products from major vendors such as Microsoft, CA, Yahoo, Bitdefender and AFLAC, and he also worked on development of the Retina Network Security Scanner. Over the following years he held lead roles in reverse engineering, penetration testing, malware analysis, threat intelligence, and security software development. He currently heads up the security team at a venture capital firm in California and has a passion for helping and supporting others at every stage of their cybersecurity career.

This episode is also on YouTube: https://youtu.be/uy8_bAo9UxU

Shiva Maharaj Kontinuum 0:00
Good morning, ladies and gentlemen. Welcome to another episode of Cybersecurity Amplified and Intensified. Today we have with us Greg Linares. What’s going on?

Greg Linares 0:09
So, yeah, thanks for having me on the show. Really appreciate it. A bit about myself: I started professionally in cybersecurity way back in 2005. Five, I believe, is when I joined. I was lucky enough to join eEye Digital Security back in the day, when everyone remembers they were the original rockstar security group. I might have been one of the very last researchers there. I was actually hired into Barnaby Jack’s desk when he left, so big shoes to fill, rest in peace. Great team there, lots of respect to everyone there, and I worked alongside a lot of the rock stars like Derek Soeder, Yuji Ukai, Andre Protas, Ryan, and so many more. The crew who wrote Retina and Blink, and Matt, and the reverse engineering people. It’s always good to remember your roots, I think, because before that I was writing software. I was a developer for Massage Envy back when they had like 13 stores, and I actually wrote their back-end software. So I came from a software development place. I was just writing exploits and putting out middleware, and then I reached out to Matt, and it turns out you can get hired for that kind of stuff.

Shiva Maharaj Kontinuum 1:49
And hired for anything. Yeah, it’s true.

Greg Linares 1:53
And since then I’ve joined a lot of other places. I was at Cylance; I was principal software architect at Cylance. I was at Spectra as a researcher over there for research engineering, I was at Syrah point of me i, and now I work for a large venture capital firm. I’m in charge of cybersecurity for a large venture capital firm in the San Francisco Bay Area. During that time I’ve done almost every possible part of cybersecurity you can imagine: research, engineering, vulnerability discovery, reverse engineering of patches, software, hardware, threat intelligence, red teaming, blue teaming, purple teaming, black teaming, whatever you want to call things these days. It’s been quite an adventure, and I’m very lucky and happy to be here. It’s still a very awesome community and a very awesome, exciting job to this very day. It’s never boring, so it’s always fun.

Shiva Maharaj Kontinuum 3:02
Very cool. What’s it like working for a VC where, as far as the outside world is concerned, they have an unlimited budget, even though they’re probably more fiscally responsible than most internally?

Greg Linares 3:15
It’s a very interesting question, because of how I got this job. I used to be their red teamer for about six years. And

Shiva Maharaj Kontinuum 3:28
since then,

Greg Linares 3:29
I’ve watched them actually advance every year; it was getting harder and harder. So from a standpoint there, it is strictly like some of the best IT and blue teams I’ve ever worked with work here. They understood problems. They had an extremely small cybersecurity group and team, and I got to watch them all get together and actually make huge changes throughout the years, getting to the point where I was still successful every year with red teaming, but watching them advance and knowing that they actually cared about security. That was actually a good point for me to join them. Working for venture capital, budget-wise and resource-wise, it’s honestly like almost every other company out there. I’ve done a lot of threat intelligence for large Forbes 1050 companies, and watching them handle security is very similar to venture capital. It’s making sure that they identify their actual threats and put appropriate resources behind them. Working for venture capital, you have a lot of very interesting threats, because we deal with everything from bio to games to crypto; we actually do a lot using crypto, and a lot of tech, of course. As you can imagine, the threat landscape and the possibilities are endless. This is actually one of my first jobs dealing with what we call hybrid security, where we’re dealing with both physical and your typical electronic cybersecurity, and we see those threats blended together. So it’s a lot of really interesting problems. It’s really fun, still.

Shiva Maharaj Kontinuum 5:29
I’ve always thought that if a threat actor could get into the financial world, that would be, I don’t want to call it a low barrier to entry, but that would be a really nice entry point, because one vector of attack would be being an investor whose money is managed by any financial firm. That gives you a certain level of insight into potential acquisitions of technology. Yep. And then you can follow that up with some type of cyber activity or social engineering, or anything to get in these days, because I would assume there are a lot more deals that don’t get done than do. But the amount of data that they’re collecting is the keys to the kingdom.

Greg Linares 6:16
Yeah, absolutely. Getting into what we call the playbook is pretty much the end goal for, I imagine, most of our threats. It’s absolutely a point of opportunity for many threat actors out there. And, like you mentioned, it’s a great pivoting point for identifying potential deals, and even picking up technology stuff in there, because it’s being evaluated by investors and investment teams and growth teams like that. So it’s a great opportunity for attack,

Shiva Maharaj Kontinuum 6:58
especially if they want to step outside of tech. Us being in tech, we think that’s the world and everybody only wants to go after the newest technology as it relates to cyber and computers, but you’re talking biotech, agriculture. I think agriculture is one of the most slept-on industries for cybersecurity. Oh, absolutely. Outside of the Monsantos and the guys who have real budget.

Greg Linares 7:23
Yeah, absolutely. I’ve done threat intelligence work for some agricultural areas, and they absolutely have some very unique problems and very interesting threats. I actually compare them to hospitals, in the sense that in a lot of cases they haven’t realized that they were actually targeted by cybersecurity incidents, and they have a lot of areas of opportunity that aren’t adequately secured. A lot of them have been attacked successfully without even knowing it, and attackers have been in those environments for a very long time, exfiltrating data for years. Those are cases I’ve seen,

Shiva Maharaj Kontinuum 8:13
speaking of exfiltrating data, and this is one of my hot topics. So if you don’t want to talk about it, just shut up, we can move on and go talk about Scooter. Those of you listening, if you don’t know what Scooter is, I have no words to express my disappointment in you. It’s a band, but

Greg Linares 8:30
I almost went for a Scooter shirt. I was thinking it might have been a bit much. But yeah,

Shiva Maharaj Kontinuum 8:35
not at all, man. You got 36 views on that video, and I’ll post Greg’s YouTube link in the description here. I probably account for 35 of those. That single video that you posted this morning.

Greg Linares 8:48
They’ve been a guilty pleasure of mine since I was about 14 years old. Incredible, just incredible.

Shiva Maharaj Kontinuum 9:00
I will say, the Scooter songs in the video that you shared yesterday, the memories that brought back, and the happiness. I haven’t felt that way in over a decade, so I thank you for that. I don’t want to get into that too much, because this is supposed to be a cybersecurity thing. Yeah. One of my hot topics that really bothers me in our industry is DLP. Ah, yeah. Microsoft, in my opinion, had a pretty decent product that they sunsetted on April 1 of last year, which was Azure Information Protection, and they completely screwed the pooch with whatever it is now.

Greg Linares 9:45
I am very familiar, painfully familiar, man. I

Shiva Maharaj Kontinuum 9:48
actually got the previous iteration to work, and it worked pretty well. I don’t want to say it was great, but what are your thoughts on the industry moving to some better type of DLP to deal with data that’s

Greg Linares 10:00
been exfiltrated? To me, DLP is in the same area as AV and EDR and everything else at this point: it’s a cat and mouse game. I have spent a lot of time demonstrating how bad DLP is, because there are millions of ways to exfiltrate data. I was just recently involved in a project, and they’re painfully aware, I’m painfully aware, of how these products, and I was evaluating multiple, even running two or three of these on top of each other, don’t provide adequate ways to stop your attacker. Attackers are going to get data out. I do not think it’s great to rely on that protection layer; you need your defense in layers. That’s what I see it as: your DLP is not going to be the thing that generally says, hi, I’m here, I found the problem. You need to have different layers in place to find attackers pivoting, getting initial access, moving around your network, moving around your devices, and then finally your attackers exfiltrating data. Honestly, when your DLP actually triggers off attackers, in my experience, if they’re at that point where your DLP fires off, the attackers have already compromised multiple devices. If they didn’t get that data because your DLP stopped it, they’re going to quickly move on to another way to get it out. Yeah,

Shiva Maharaj Kontinuum 11:54
the way I look at DLP isn’t necessarily to stop the actual loss of the data. The way I thought about it was, and going back to Microsoft 365, because that’s where I learned the former version of Azure Information Protection: okay, you take my data, I go in, I adjust the settings for that sensitivity label to hopefully render it useless to you. Yes, that is a bad posture. It’s almost like an assumed breach posture,

Greg Linares 12:22
I would say exactly. That’s the absolute best way to handle and operate your DLP: use the labeling and your containment options in it, so that it does make your data useless to the attacker. So, I thought I was supposed to turn this on vibrate. That’s right. Life happens. Yes. So as I was saying, attackers getting your data out is obviously bad, but segregating data, labels, compartmentalizing. Where I work we do a lot of security labeling, as well as privilege levels. I think that’s a huge deal, to make sure that your users get the appropriate access, and making sure that if people in the XYZ department don’t have access to data they don’t need, and an attacker pops their box, that’s contained. Honestly, if I can recommend that for most shops, that’s a huge deal. I can’t tell you how many places I’ve breached where I popped someone in accounting and was able to get access to data that was not related to accounting, just because that someone complained one time and they gave them permissions to some share or something like that. I think one of the best things that’s been added recently is timed access in a lot of these DLP and data protection services, because as an administrator I see it so many times: exactly that condition, where an employee requested access for something or needed access for something, they got access, it never was revoked, and attackers exploit that many, many times.

Shiva Maharaj Kontinuum 14:34
Have you ever seen DLP attached to PAM? Um, yes.

Greg Linares 14:44
I wouldn’t say it’s successful or the best method. I think at that point it’s too many layers attached to each other and too many options. The noise level gets too high at that point and it gets lost a lot. So yeah, I would say yes, but not successfully. I guess it’s

Shiva Maharaj Kontinuum 15:16
just before we hopped on here, I saw a tweet from the ex underground pose guys. They put out some pretty nice stuff.

Greg Linares 15:22
I’m a huge fan, huge fan. And

Shiva Maharaj Kontinuum 15:25
I’ve been using a product that I never knew was hosted in Russia,

Greg Linares 15:29
and, oh yes, any.run? Yeah. It’s funny, because I received a lot of DMs this morning about the same issue: we’ve been sending all our analysis to individuals in Russia. Yeah, some of us didn’t know. And, yeah,

Shiva Maharaj Kontinuum 15:53
I was absolutely clueless.

Greg Linares 15:54
Yeah. It’s interesting, because we have a team whose sole job is literally to identify where resources are for every third party that we use and evaluate them. They’ve been working overtime, as you can imagine, the last couple of weeks. Currently, any.run is not a product that we use, but I remember when they came up. They always come up with cases where a product ends, and we have multiple other companies to switch to, to evaluate or to compare. I remember when we were looking at sandbox options, and they came up and it was in western Russia, and I was like, oh, I did not know that. So when it came up again this morning it was a reminder. Great service, though; honestly, they put out a solid product. It’s unfortunate that they are dealing with current events, and that many people are going to have to switch over, move, migrate, or hopefully they get past the great Russian firewall, or the great Russian disconnect, but

Shiva Maharaj Kontinuum 17:13
there’s always a way around. Yep, we’re all pretty well aware of these. Yes, yeah. Being a pen tester or red teamer, have you, were you a pen tester?

Greg Linares 17:24
I’ve been both. I’ve done a lot of pen tests in my career. Actually, even before I was in professional cybersecurity, I was doing pen tests for friends who were running cybersecurity companies, all the way since 2001 or 2002.

Shiva Maharaj Kontinuum 17:45
Oh, yeah. I can only imagine what that means,

Greg Linares 17:49
I can remember my actual very first pen test was a law firm. We get in there, and I’m finding default passwords everywhere, scanning everything, back in the day with SuperScan, and like Nessus, and Nmap straight up. Like Nmap, I can’t remember the old-school version; I think Nmap for Windows was barely ported over by Ryan at that point. I could be wrong. But I just remember it was SuperScan and all kinds of packet tools with GUIs that don’t even exist anymore. We were there, and we found out that the IT guy there was actually hosting a torrent of movies inside the law firm, and was taking all the cease and desist notices from everything you can imagine. It was like Napster back in the day. He was taking all the cease and desist letters from the mail and hiding them, and then he actively tried to block our investigation, of course. We found it, and we showed the owner of the law firm all the evidence, and he was arrested on site. Literally, my first pen test was getting someone fired and arrested. That’s probably the worst-case result of a pen test you could possibly have.

Shiva Maharaj Kontinuum 19:27
The reason I asked about you being a pen tester or red teamer: we go back to the beginning of COVID. Not everyone, but a lot of people in the IT slash cybersecurity world said, okay, everyone’s working from home. Let’s forget about the perimeter. Let’s just guard the identity. What are your thoughts on that? Because

Greg Linares 19:51
100%. I’m a believer in that. So I’ll be quite frank: since COVID has created such an impact and working from home is now effectively working at the office, I have seen attackers go after the individual. At this point, attackers who were making the effort to actually attack offices, and as I mentioned, we see a very high level of sophistication in attacks, a lot of this is hybrid attacks, where physical devices are dropped off and physical attacks are leveraged. We started seeing those attacks against the homes of individuals: devices being planted, devices being mailed to people as an Amazon package. We saw attackers targeting home network devices. I just recently was involved in the analysis of a building,

Shiva Maharaj Kontinuum 21:00
I wanted to ask you about that. I saw a tweet.

Greg Linares 21:04
That was a huge deal. It originated from a good friend of mine. They were experiencing very interesting, continuing events on their laptops and on their router, and they had changed ISPs multiple times. This individual has worked in internet privacy in the past, for very well-known companies and groups that do internet privacy, so they have a unique threat model. When they first started describing it, I wasn’t sure it was an actual attack. It just seemed like hardware failure, or maybe neighbors causing interference with networking. We spent a couple of weeks looking at packet dumps and reverse engineering a lot of interesting conditions on their router and taking a look at logs. We put a brand new router in there and we watched it get popped; we watched the attacks leveraged on there. Then we started looking further and noticed it was the building. This area is downtown San Francisco, and we noticed the building and the switches inside of it were popped. Attackers were, during attacks, actively editing networks out of the VLANs and moving themselves into local areas, getting access into home users’ devices. The whole network was completely flat at random points of the day, so attackers could move around, intercept, and do man-in-the-middle attacks.

Shiva Maharaj Kontinuum 22:50
Was this a rental building, or like a condo co-op?

Greg Linares 22:55
It’s interesting, because the company that owns this building owns others, and we were able to validate that this attack was being leveraged against those kinds of facilities too. So yes, this is a condo facility. And the people there: I went through the building directory like a red teamer would, grabbed all the names off the building directory, started looking, and there are quite a few individuals who work in tech, at very well-known companies in San Francisco. Any of them could have been ideally targeted by this. They’re all

Shiva Maharaj Kontinuum 23:40
correct. It’s a big funnel: take it up and wait for later.

Greg Linares 23:44
Yes, that’s the dragnet. A lot of attackers will collect all this data, and then later, if someone becomes more famous than they are now, it’s blackmail from six, seven years ago,

Shiva Maharaj Kontinuum 23:57
and I get those emails on my Gmail almost daily: we have video of you doing bad things. And I’m like, you know what, go ahead, release it. If it was cold, you know, Pornhub pays 5000 to show my face, 15 if you do. Either way, I’m good. But the reason I asked if it was a rental or a condo is, I mean, it’s kind of moot, but I’m assuming the building just provided free internet, or internet included with the rent, or internet included with the common fees. To me that is attractive to

Greg Linares 24:28
actually not in that case. The building basically allowed you to plug in; they partnered with a couple of ISPs in the area. They didn’t provide it, or at least on my friend’s lease it wasn’t provided. You can choose between several of the ISPs there, but the building provides the in-unit Ethernet cable and Ethernet plugs and so on. Everyone who was using those was likely affected.

Shiva Maharaj Kontinuum 25:03
I’m assuming it’s a newer building if there’s Ethernet in there, correct? What about the ICS controls? Was it all on the same network?

Greg Linares 25:13
Yes. And there was evidence of individuals looking at the KNX protocol. If anyone’s unfamiliar, here’s my free tip for all of you: if you’re unfamiliar with KNX protocols, and you’ve never had a fun project to do, and you wanted to get involved in ICS, building controls, HVAC control, look into KNX. It is a terrible mess. I’ve wanted to do talks on it for several years, but unfortunately I just haven’t had the time. KNX devices are actually affordable now. Okay, affordable is a relative term; they used to be multiple thousands of dollars, and you can get them for about $400 starting now, and you can play with them. They control everything from HVAC, elevators, fire control systems, doors, windows, and this building does have that. There was absolutely KNX protocol being thrown around, and we saw individuals attempting to look at it. So that was always fun and exciting.

Shiva Maharaj Kontinuum 26:20
One of the, I hate to say it this way, but I don’t know how else to, one of the cool ways of abusing an ICS system in a residential building or a corporate building is you’re forcing a service call to bring an individual on site. I’m assuming you, being in cybersecurity, probably have a good understanding of what you have at home and where it is, whereas the average person who works in an office, now that they’re working from home, if someone has to come in, they have corporate assets strewn all over the place, and they probably don’t even know what they have outside of their laptop.

Greg Linares 26:58
It’s true. Absolutely, we’re talking about a bad kind of attack. You have the malicious maid involved in that as well, where they trigger an alarm on the unit, and after they go fix the unit, you can later do a physical attack with the front desk and say, hey, I was hired by this individual, or I’m contracted, to go into this unit to check on that call or that issue that happened. I’ve used similar attacks in red teaming before. I do a lot of hybrid red teaming, where physical is absolutely part of the game. And let me tell you, if you have a clipboard, a ladder and a uniform, that’ll get you into nine out of ten buildings, or a

Shiva Maharaj Kontinuum 27:48
key card, whether it works or not. Yep,

Greg Linares 27:50
yep. Yep, exactly. Or a fob, that suddenly

Shiva Maharaj Kontinuum 27:57
there’s this vendor, and I don’t want to name and shame. They are giving out these free network scanning devices, okay, to AV installers and IT people, saying, hey, we’re giving this to you for free so you can map your clients’ networks. Drop it in.

Greg Linares 28:12
Oh, oh, no. Oh, no.

Shiva Maharaj Kontinuum 28:16
Personally, these things are pervasive. On my side of the industry, that’s putting a jump box into people’s networks. Absolutely. I can’t tell you how many times I’ve gone in for assessments. Assessments for me are typically when they want to get a new IT provider, so we go and do our song and dance, we look at inventory, and for the most part we rip and replace. We do everything our way, whatever that means. But I can’t tell you how many of these devices we’ve found. I have them in a closet over there, just sitting, because I don’t even want to take the chance to look at the data coming out. But I’m pretty sure it would be interesting. If you want one, you can have more than one.

Greg Linares 29:01
Awesome. That’s a great talk. That’d be an ideal talk at any conference. I would

Shiva Maharaj Kontinuum 29:07
I would, if you want. Offline, give me an address and I’ll mail it to you. I’m telling you, don’t plug it in at home.

Greg Linares 29:12
I don’t. I have two ISPs at my house: I have a dirty ISP and I have a clean ISP, and I run everything like that from the dirty ISP. And yeah, let me tell you, I’ve had some interesting hardware assessments in the last year that I’ve worked for venture capital. It’s everything from random GPS devices being found attached to things, to exactly what you said: a device that was found in a company that was being invested in, and all of a sudden they’re like, hey, what’s this? We don’t know what this is. Okay.

Shiva Maharaj Kontinuum 29:52
When you do these assessments for companies that are being invested in, because I’m noticing a trend here, that when a private equity firm, a VC, or any of those big financial guys, or the firepower those financial guys have, they tend to do real assessments now of IT systems because they don’t want to inherit risk with an investment. Absolutely. Is that something that you guys do internally for the companies your employer is looking into, or do you outsource that stuff?

Greg Linares 30:25
Internal only. We do everything from evaluating source code to evaluating the software and the ideas, because obviously no one wants to invest in the snake oil. A lot of companies are getting better and better at marketing snake oil, even to VCs who are looking to invest. So a lot of what I do is look into: hey, is this actually real? Is this real? Does this actually work?

Shiva Maharaj Kontinuum 30:53
Is it white-labeling someone else? Yeah,

Greg Linares 30:54
yep. Yep, exactly. Or is it stolen tech? That’s another one that comes across more often than you’d think: has this been done before, and is that company a stealth company somewhere else, and they’re taking this idea and just being the loudest people about it? Or I had a question

Shiva Maharaj Kontinuum 31:12
for you. Sorry, go ahead. So, based on stolen tech, since you brought that up, I can’t not ask you about Nvidia, those two new certificates.

Greg Linares 31:24
And Samsung, everyone there with everybody someday. Yeah. I can’t say what’s in the Samsung dump, but everyone needs to look at it. Everyone needs to look at it. There are some juicy gems in the Samsung one. It’s not just for mobile devices and their products; there’s potential for a lot of interesting devices, and a lot of my internet-

Shiva Maharaj Kontinuum 31:53
connected monitor. I’m looking at an internet-connected TV.

Greg Linares 31:56
Oh, yeah. There’s a lot of stuff from Knox on there, so that’s always interesting and fun. But yeah, everyone, I did tweet this one: if you haven’t looked at Samsung, go spend some time on it. It’s a lot. It’s much larger than Nvidia. But yeah, like you were saying, Nvidia with the stolen certificates. Stolen certificates aren’t a new problem. I’ve been yelling about stolen certificates for quite some time. As a matter of fact, I won’t name and shame, but there’s a terrible AV company whose certificate magically gets stolen. And

Shiva Maharaj Kontinuum 32:37
I’m thinking Webroot. I don’t know if that’s what he was talking about; that’s just my guess. There are two companies. I really go, you know what, I do not like Webroot. But they could say it’s the other one. Not a fan of what they put out.

Greg Linares 32:53
It’s actually neither of those. The other company has a shell office, I believe in Boston, and they’re a boring company. But I can’t tell you how many times their products have been used, with malware signed with actual active drivers and certificates stolen from them, in targeted attacks. A lot of those attacks do not come to the light of day, unfortunately.

Shiva Maharaj Kontinuum 33:21
Did you see that, recently, it came out that Russia, or Russian hackers, used a legitimate front company and paid them to buy a legitimate Cobalt Strike license for them?

Greg Linares 33:34
Absolutely. We’re going to see, or maybe not all of us will see, but a lot of us did raise our hands. I have a couple of groups that I’m part of, and we’re all ex or current threat intelligence people, and we do a lot of global threat intelligence. These are attacks that we have seen and methods that we have seen. It’s interesting whenever one of these comes to the light of day, because then it’s like, oh, I can talk about this, or someone can talk about this. That is a tactic that a lot of people use: it’s the bribe packets that we’re seeing. To go along with this, a lot of the ones that we’ve personally seen are the SIM card related bribery, where threat actors have individuals on the inside of ISPs and cell phone providers and others, and they pay them large amounts of money to SIM swap and get access, or to have an engineer on the call, where they have someone calling as XYZ customer and the engineer overlooks certain protections in place. That is absolutely a tactic that’s being used,

Shiva Maharaj Kontinuum 35:00
that’s actually pervasive at Dell, out of their call centers, that idea.

Greg Linares 35:06
As someone who has personally had an attack on their own Dell account, it doesn’t surprise me. I remember about three or four years ago someone put $5,000 of hardware on my Dell account, and I’m calling up Dell. They were like, oh yeah, they validated everything as you. And I was like, I can’t even validate this data myself. I don’t even know; it’s stuff I don’t use anymore. I’m one of those people whose mother’s maiden name has like six numbers in it, random, you know, you’re actually

Shiva Maharaj Kontinuum 35:43
using real information now? Ever decide on Facebook? Yeah, no,

Greg Linares 35:47
that’s it. Let me tell you, if you’re an average user listening in on this, one of the things you can do, the easiest thing you can do, is do not use real information. Make up your information and keep it stored, memorized, or looked up somewhere else.

Shiva Maharaj Kontinuum 36:03
I keep it in my password manager. So for that record, under the notes section, yeah, it’s in there. But at least it’s,

Greg Linares 36:11
it’s better than a pseudo cryptid. Yeah, they usually are. There’s been a lot of good researchers who have looked at a lot of them; they’re generally pretty good.

Shiva Maharaj Kontinuum 36:20
Your go-to password manager? Top title.

Greg Linares 36:23
I’m a LastPass kind of individual, but all the other ones out there, they’re all, in my opinion, it’s just who you invested in, where you put your current effort, what UI you like better, what features you like. Honestly, I don’t care which one you use, as long as you’re happy and you actually use it. That’s what I tell all my users: you can use any of them, as long as you actually use it, you’re happy with it, and it allows you to get your job done. So

Shiva Maharaj Kontinuum 36:56
what kind of trends are you seeing in the industry these days in terms of attacks and threats coming out? In the last, let’s say, two months? Since the, your soda?

Greg Linares 37:05
Yeah, like we talked earlier about hybrid attacks, where attackers are not taking the opposite anymore. For blue teamers out there, let me tell you, in the last, I’ll say last six months, we have seen attackers dropping off devices outside your C-levels’ offices that are attacking their Wi-Fi, that are intercepting their devices. Everything from Pineapples to HackRF and other things that they’re using to man-in-the-middle, to deploy exploits. We see attackers literally portraying ISPs, coming in and placing hardware. That is absolutely, you know, “your ISP, oh, we heard that you’re having issues.” Oh no, the person says, I don’t remember scheduling something today. Maybe it’s your husband, maybe your wife, someone else. You know, no one wants to lose internet. No one wants to lose internet, especially when you’re working from home. And they go in and do a full device replacement, with the router, and they give you a password, and they say, hey, this is your new password, you can log in. They have their DNS changed. That’s the easiest one: their DNS is somewhat modified to go somewhere else.

Shiva Maharaj Kontinuum 38:15
How are you guys securing, or how would you recommend securing, work from home laptops? I mean, using the identity? I guess, yes.

Greg Linares 38:23
Zero trust, as much of a buzzword as that is lately. It is: assume all devices are insecure, so you can validate security. VPNs, absolutely. Everything has to be, and make sure it’s hard trust to be a VPN, or whatever term they call it these days. It’s where if the user cannot connect without a VPN, then they don’t connect. We’ve seen attackers downgrade or stop the VPN access, and a lot of policies, it’s like, VPN fails three or four times, then connect anyways, because no one wants to disable work. Seen attackers use that.

Shiva Maharaj Kontinuum 39:06
So then, how do you force that hard, trusted VPN for cloud-based assets? That is far from easy, right?

Greg Linares 39:14
It’s, yes, right? Yeah, exactly. Um, you’re at the mercy of the cloud. As we have the cloud that we use here, the almighty cloud gods, whatever options they offer. Without revealing what cloud we use, I really can’t say, but I know ours has an option for that. I can’t say that all of them do. But I mean,

Shiva Maharaj Kontinuum 39:43
that’s dependent on the end SaaS product, right? Just using Salesforce as an example. Correct. They have to be able to integrate and work with, let’s call it, some kind of broker gateway.

Greg Linares 39:52
Yes. So when you deal with all this, you have to make sure all the components all the way support it. And then you have your other technologies, like Okta and stuff like that. And if you’re getting real fun, you’re getting your cloud-based 802.1X certificates, which is, that’s a fun environment, if no one’s ever built one of those

Shiva Maharaj Kontinuum 40:18
up. Those, I haven’t done one of those in probably 20 years. Yeah, 20 years. Now it’s all a weak, very weak pre-shared key that people can easily regurgitate. Which is pretty bad.

Greg Linares 40:32
Yeah. Um, so yeah, the 802.1X certificates and identities over the cloud exist, that’s an option. And so I’ve been to multiple shops that have actually gotten rid of their entire Windows domains, because that was like the last thing they needed, to get their HSM certificates based off their domain information. Now it’s all in the cloud. So yeah, it’s really interesting, big environments where there’s no Windows domain.

Shiva Maharaj Kontinuum 40:59
Now, are they using something like an Azure AD?

Greg Linares 41:02
No. Oh, yeah.

Shiva Maharaj Kontinuum 41:05
Yeah. Yeah, exactly. That’s just what we’re talking about, I guess, something like an Okta being an IdP.

Greg Linares 41:12
Correct. Correct. Yeah. And that’s fun and exciting. Let me tell you, it provides a different approach, different types of threats and different types of models, but it exists and it’s a possibility. Now let’s catch

Shiva Maharaj Kontinuum 41:24
up. Right? The attackers have to play catch-up to exploit something of that nature. Whereas AD is pervasive throughout the world at this point.

Greg Linares 41:32
Let me tell you, watching attackers get into these environments and then all of a sudden looking for certain things that do not exist. If you just imagine the operator: no more Kerberos tokens. Yeah, they’re like, what? Where’s all this information? How does this work? What do I do here? So yeah, I’ve actually seen active attackers in those environments literally stopping, and then like an hour later just bailing out, because they’re like, I don’t know what to do here.

Shiva Maharaj Kontinuum 42:03
That’s an interesting concept. Because now, as you said, you’re used to living off the land. What you’re used to living off of doesn’t exist. Yeah, you can no,

Greg Linares 42:13
you can literally watch an attacker run their script that they’ve run for the last 20 intrusions they’ve done in the last month, and all of a sudden nothing happens. And you can tell that the operator goes back, runs it again, looks over the output. And you can tell that they talk to another co-operator, and they’re like, oh, run these three commands, and they run these three commands, and they’re like, this domain is different, I don’t know what to do here. And then they bail out. I’ve actually watched that happen in real time. It’s been

Shiva Maharaj Kontinuum 42:46
pretty interesting. You know, like, I do agree with protecting the identity. Yeah, it’s very important, especially when everyone’s using SSO these days. It’s one key to the kingdom, so to speak. But I’ve always had this thought in my head: okay, you can protect the identity, but you should also be protecting the network. Because if they can get onto the device, they can go pull tokens, they can pull what they need to escalate.

Greg Linares 43:14
Yes. And a lot of environments that I’m familiar with have not just, you know, PCs; you have your printers, you have your IoT devices, everything from devices that manage meeting management. IoT devices are something I’ve seen in a lot of environments, and those are being targeted a lot. Like, imagine your conference room, and you have those devices outside the conference room that, oh,

Shiva Maharaj Kontinuum 43:40
boy, devices. I’ve always said the easiest way to get in: they haven’t been updated since they sold from the factory.

Greg Linares 43:47
Yes. Or even, you know, bought from your already compromised sales group. That’s, you know, that’s been

Shiva Maharaj Kontinuum 43:56
bought on Amazon, because, oh no, sorry, buy it on eBay, because it’s cheaper.

Greg Linares 43:59
Oh, yes. Let me tell you, I followed a group that specifically was doing that for several years. And we were purchasing their devices to identify what they were implanting in them, and then releasing that to groups, the same threat intelligence teams that I was talking to you about. We reverse engineered those types of attacks for many years, and that’s absolutely a thing. We did see it at certain Best Buys, where they compromised whatever Best Buy was purchasing, and these Best Buys were where large companies in the area would go buy their USB devices or such. That’s

Shiva Maharaj Kontinuum 44:42
ours, you know, we will say two to three months ago, across all of my clients, we only allow USB whitelisting. So if it’s not whitelisted, it’s not getting access to the systems. And that goes for keyboards, mice.

Greg Linares 45:00
And, oh, VSA does that? Does that do your hardware too? Yeah,

Shiva Maharaj Kontinuum 45:03
everything like it? Because all device what precipitated this? And I don’t want to put this company in there, but I think it was razor, or one of those companies a few months ago had an issue where you can escalate through their installation. Yes, yep. So

Greg Linares 45:19
another free tip for anyone who’s listening: look at your gaming peripheral companies. They have lots of vulnerabilities. I’ve only recently looked at a, I stopped because everything was bad. But it’s not just Razer, it’s a lot of the gaming companies. They all have a, a gamer just wants their microphone, their mouse, their new monitor, you know, to work out of the box, and there is a lot of terribleness in those. Oh, I imagine. A lot of privilege escalation. A lot of them write to AppData or, you know, insecure folders, get their updates at that folder. And the easiest one, when I say a lot of vulnerabilities, is they get their updates, put them to that folder, and you just do a replacement of that before the actual update installs. Game over.

Shiva Maharaj Kontinuum 46:24
It’s a scary world out there. Yep. I mean, when you really start looking at what you’re plugging into, it gives you time for pause. So

Greg Linares 46:33
it’s hard to be secure these days. It’s hard. And no matter what you’re doing, you always have to look at what’s there. It’s like, is it the cloud provider whose employees are now accepting bribes from attackers to get to your data? So that was an actual attack I saw very much at the beginning of COVID, where a certain domain provider, who is terrible and you should never use, but they definitely, I don’t have to say, they have two words combined as one for their company name. They are terrible. And they had employees who absolutely accessed your data, and then changed your data and gave that information to third-party attackers and let people change domain systems and such like that. That’s an attack vector.

Shiva Maharaj Kontinuum 47:28
You know, there’s a buddy, or a colleague, that I have. Every time he signs up for a service, he creates an alias for them. So let’s say you had a company, it’d be laughingmantis at his domain dot com. Yep. So when stuff comes to that email address from not you or your company, he knows it’s either been sold or breached. Yep, absolutely. Absolutely. I laughed at him for years for that. But now I see the brilliance and the genius in it.

Greg Linares 47:55
Yeah. And the other thing is, like, what you do is, for instance, with your providers. If you are signing up for a company that provides something to install in your clients, never put your actual real client list up there. Make your lookup list, like a translation list. Let’s say your C-level is actually named Jim. When you put it in your third-party client list for that to look up, don’t put his real name in there, put their alternate name in there. So you have your translation list locally for that. I can’t tell you how many times you start putting providers that get popped, and then the attacker is like, oh, I know who the C-level is, I know all that, I can look this up now from this third party.

Shiva Maharaj Kontinuum 48:42
But I mean, most of that’s already out there, thanks to Experian with their just

Greg Linares 48:48
or the OPM hack, which everyone seems to have, you know, the OPM hack was huge for many individuals.

Shiva Maharaj Kontinuum 48:55
People have a very short memory for a lot of these hacks and breaches. And you know, I saw something this morning that Chinese hackers are just scraping the forums for as much data as they can get. And they’re just putting it into these databases and collating and waiting for opportunity

Greg Linares 49:12
Yeah, absolutely. That’s something they’ve been doing for quite some time. And the level of effort that attackers portray and use doesn’t even surprise me anymore. I’ve seen a lot of shocking levels of effort, and I’ve seen a lot of shoddy levels of effort attackers have done. And it’s always fun and exciting.

Shiva Maharaj Kontinuum 49:43
That’s it. You know, I always say there’s a low barrier to entry, and people make it really easy for anyone to get their info. So until they want to stop doing that, we’re gonna have a lot of these problems. Yes, yep. But we are coming up on time and I do want to be mindful of viewers. Anything else you want to close out with?

Greg Linares 50:00
Um, I don’t know. For blue teams, red teams out there, it’s hard. There’s purple teams, whatever team or color of the week you want to be. There’s a lot of resources out there; there’s never been a better time to have resources. It’s really awesome that the community is coming together. However, you know, there are a lot of attacks going on out there, and a lot of it is in the things that are not at the forefront of the news. A lot of people are focusing right now on Russian attackers and the Russian-Ukrainian conflict. Your attack is not going to come from there. And attackers are absolutely using that smokescreen to roll out what they’re doing. So remember, the loudest attack and the loudest noise isn’t where the attack is gonna come from. Attackers are going to absolutely use that, or other events, as a further smokescreen. Sounds good.

Shiva Maharaj Kontinuum 51:18
Well, I’d like to thank Greg for coming on today. And if you guys have any questions, he’s on Twitter at laughing underscore mantis. And go check out his YouTube channel if you ever need some good high energy music and videos that go along with it. Highly recommended, and a good link will be down in the description. Thank you all.
