Redefining CyberSecurity

Fostering a Better Understanding of Networking Within the Information Security Community to Build Stronger Cyber Defenses | A Conversation with Justin Elze and Mick Douglas | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

In this podcast, Justin Elze, Mick Douglas, and Sean Martin discuss the importance of understanding networking concepts for effective cybersecurity, the need for a structured approach to learning, and the significance of a standard body of knowledge in the field.

Episode Notes

Guests: 

Justin Elze, CTO at TrustedSec [@TrustedSec]

On LinkedIn | https://www.linkedin.com/in/justinelze/

On Twitter | https://twitter.com/HackingLZ

Mick Douglas, Founder and Managing Partner at InfoSec Innovations [@ISInnovations]

On LinkedIn | https://linkedin.com/in/mick-douglas

On Twitter | https://twitter.com/bettersafetynet

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Edgescan | https://itspm.ag/itspegweb

___________________________

In this new Redefining Cybersecurity Podcast episode, Justin Elze, Mick Douglas, and Sean Martin delve into the importance of understanding networking concepts in the realm of cybersecurity. They discuss the misconceptions surrounding networking knowledge and how it often becomes cumbersome for people to learn. They highlight the underappreciated areas of networking that are frequently encountered in enterprise environments, such as DNS issues, virtual machines, VLANs, and more. The conversation also touches on the OSI model and the need for a structured approach to learning and adapting to various enterprise environments.

The episode highlights how the shift to cloud-based solutions and remote work has made certain aspects of networking easier while also changing the landscape of network security. The discussion examines the importance of understanding and implementing effective security controls based on the organization's needs and threat surface rather than relying on outdated or ritualistic practices. The trio further explores the concept of abstraction versus understanding the intricate details of IT security policy and controls.

Justin and Mick also talk about the need for a standard body of knowledge for cybersecurity professionals when it comes to networking concepts. They emphasize that while it's not necessary to be a networking expert, a deeper understanding of core concepts can significantly improve the effectiveness of network defense. By fostering a better understanding of networking within the information security community, professionals can better identify and address potential vulnerabilities and misconfigurations within their environments.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllQZ9kSG7X7grrP_PsH3q3T3

ITSPmagazine YouTube Channel
📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

voiceover 00:15

Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSPmagazine. You're listening to a new Redefining Security podcast. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately and deploying it ineffectively? Perhaps we are. So let's look at how we can organize a successful InfoSec program that integrates people, process, technology and culture to drive growth and protect business value. Knowledge is power. Now, more than ever.

 

sponsor message 00:53

Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn more at imperva.com.

 

voiceover 01:09

Edgescan offers continuous vulnerability intelligence as a service, accurately identifying vulnerabilities and exposures across the full stack. All threats are verified by cybersecurity experts providing exploitable risk and remediation guidance, virtually false positive free. Learn more at edgescan.com.

 

Sean Martin 01:37

Hello, everybody, you're very welcome to a new episode of Redefining Cybersecurity here on ITSPmagazine, the show where I try to help folks understand how security technologies can be implemented, operationalizing the security, to call it, in the context of the business. So it's not just about deploying tech for the sake of deploying tech and buying it because we have a budget, but how are we actually going to get a good return on our security investment and drive business value and protect it once we do. And we talk about all kinds of topics. Today we're going to be looking at networking. And this was a topic driven by a post from Justin Elze. And Mick Douglas jumped on the bandwagon in the thread. And I was like, this could be cool to talk about. So here we are, we have Justin and Mick on. Thanks, guys, for being part of this.

 

Mick Douglas 02:35

Thank you. Thanks for having us.

 

Sean Martin 02:38

And so we're gonna get into kind of the, I mean, the point of the thread was that we need to understand the basics of networking if we're going to have any chance of succeeding in information security, which obviously runs across the network. But before we get into that, a few words from each of you and a little bit about your background and why this was something you wanted to connect on socially. And Justin, we'll kick it off with you.

 

Justin Elze 03:11

Sure. So Justin Elze, the CTO at TrustedSec. So, you know, mostly focused on offensive security and research. I'm also an IANS faculty member. The networking piece of this for me, you know, in a former life, I was a network engineer for a large ISP and switched digital video and all that stuff. And I've been able to kind of pull all those pieces into, you know, what I've done on the offensive side over the years.

 

Mick Douglas 03:39

Mick, everyone. My name is Mick Douglas, and I'm the founding and managing partner for InfoSec Innovations. We're a boutique security consultancy. And we're primarily a defensive organization; we take your existing infrastructure and really elevate it and make it do strange and interesting detections. And I'm a member of the faculty as well. And I'm also a SANS instructor. And the reason that I'm all about networking is my degree is in communications. And I did telecommunications and networking as my study in college, and in my first three jobs I kind of was either working at phone carriers or ISPs. And so networking is who I am and it's what I do.

 

Sean Martin 04:31

Just a bit of networking there in those environments. Networking for networking. So, thanks for sharing that, both of you. So let's go to the tweet. I have a bunch of questions, but let's just start with the catalyst for this conversation. So Justin put a note out that has quite a number of engagements here on Twitter, and it says: from IT to InfoSec, understanding networking concepts like NAT, and VLANs, and ACLs, and IP routing, they're all underappreciated and often skipped over. And even battling some migration stuff the last few days, everything ended up being network related. I don't want you to share anything that would put anybody at risk, of course, but what was going on that made you say, I need to share this with folks? And perhaps, yeah, so.

 

Justin Elze 05:30

So, you know, over the years, we've trained a bunch of different people, and I've worked with a bunch of people. And, you know, I think networking, if you say, you know, learn networking in this space, people are like, oh, go get like a CCNA and learn everything. And that becomes really cumbersome and kind of overbearing. So my point of the, at least the original comment was that, you know, there's a handful of aspects of networking, especially in the enterprise space, that you should do a deep dive on, you know, the root causes of so many problems. You know, DNS is always an issue; enterprise environments with virtual machines, VLANs, and things like that become an issue. But I was just trying to highlight the fact that there's a bunch of underappreciated areas that people touch on a regular basis that don't, you know, get taught to you in the background of, like, offense or defense. And, you know, when we started typing this conversation, some more people were jumping in discussing, like, the OSI model, and different ways to learn, and, you know, what's relevant? And I think really taking, like, a structured approach to, you know, what does a normal enterprise environment look like? What are the technologies you encounter in that area, and kind of focusing in on those and making sure that those are core components of, you know, offensive and defensive training.

 

Sean Martin 06:44

And for those watching, not just listening, you have the pleasure of seeing all the facial expressions from Mick as Justin is saying all those things. I mean, Mick, the, Justin said, yeah, traditional networking environment within the organization. What is that? I mean, has it changed over the years? I mean, is it still?

 

Mick Douglas 07:07

Well, it is and it isn't. So, like, the thing that's a little weird now that things are so cloud forward, and we have a lot of people working from home, I feel that some of the predictions that were made 10, 15 years ago about how the day when you can count on a perimeter firewall being a primary defensive control is going to end. And that's proven true. But once you're inside the networks, things are a lot more normal-ish. You know, I gotta say, it's becoming a bit easier to do networking; we've got a lot more options. I mean, my goodness, when I was getting started out, like, the things I would have done for some of the WAN acceleration technologies that we have available now. I mean, my gosh, the single way I kind of jumped into Justin's thread was that I see a lot of people that sometimes in the IT security space kind of do things from a ritualistic perspective. And a lot of times we see controls that are being suggested that they're not bad, but they might not be the best bang for your buck. A lot of times organizations are doing things just because that's the way we've always done it. And there we go. And if you have a more nuanced view of networking, you might be able to say, like, hold up, we can do this and have comparable results on a lot less effort. Perfect example of this, and this might be too far afield, but forgive me, is, I see a lot of times organizations wanting to take a very robust and strident posture against things like people bringing in rogue devices. And that's great, right? I want to be clear, you don't want rogue devices on your network. But what's crazy is how the security team suggests it. Even this year, I had a client that was telling the networking team that they needed to hard code the MAC addresses of the devices at the switch layer. And my God, you don't need to do that. And then they said, well, okay, then fine.
We're gonna make everybody use NAC. And I was like, well, what about sticky MAC? You know, you can just set, like, the sticky MAC value to two. In this particular organization, they still are using the voice over IP hard phones. That's one MAC on that switch port, and then they plug their laptop into that. So that would show up as the second. If you do a sticky MAC value of two, you just plug, plug, done. And it just learns. Now when any new device gets added, unless they're doing something like spoofing the MAC address, that device won't be on the network. And it's, like, such a more elegant approach. And, like, the networking team was, like, getting ready to, like, murder people, and the security team was like, oh, wait, that's a thing. And it's weird in the, this kind of speaks to the success of networking. It used to be, you had to know a lot more about networking to be really deeply into computers. Now, barring a few things, like, you don't have to be that aware of, like, how things are actually pieced together. And usually, that's actually okay. It's just in some cases, you do need to know those details.

 

Sean Martin 10:37

And I often find that, I mean, we try to abstract everything in our lives and in our work, right? We don't want to get into the nitty gritty details, we just want to turn this dial and flip that switch, and perhaps even at some point just say it verbally, and the systems do it for us. And that's kind of where I want to go with this too, Justin, is the concept of abstraction versus understanding the details and how things actually get done. There's IT policy, there's security policy, there are the controls that map to one or the other, both of those, and then the implementation that says, I don't know, talk to me a little bit about that, and how this concept of we don't understand the network enough kind of really gets your sense.

 

Justin Elze 11:28

So, Mick brought up a good point with the phones, right. So, you know, if you're a security tester, or you're a defender, right, like, the concept of having a phone on the desk, having a separate port for your computer, you know, most of the time, let's say that Cisco or some other company, you know, you're using VLANs there. There's the opportunity there to configure something wrong in the VLANs, jump from one to the other. You might have your phone network be some, you know, network where you keep a bunch of out-of-band management stuff and things like that. So there's, like, a lot of concepts there where, like, you may vaguely understand the concept of VLANs, but, like, the abuse there, you know, things that can be broken, things that can be attacked. That's a good area for a deeper understanding in this space. And I think people don't necessarily appreciate that as much. I helped a coworker a few weeks back with doing some VLANs, you know, at his home. And he, you know, he thought he had a good understanding, because, well, we see Cisco phones, we do this, but, like, the concept of, like, trunk ports and moving VLANs from here to there, and things like that, those are lost on a lot of people. And that is what I would consider a core technology, you know, that and just a couple other areas.
So when I say, like, learn networking, I'm not saying, you know, you need to be an expert on OSPF, you need to be an expert on this over here, this over there. Like, let's take, you know, a couple average networks, a couple of average environments, and see, you know, what technologies they're built on and kind of build training around that for more people. The same thing with, you know, helping SOCs kind of do build-outs and things like that. You know, if you're an MSSP, and your primary customers are, you know, hospitals and things like that, the networks are going to be very similar; the underlying technologies are similar. So trying to, you know, build a general level of understanding of what the low bar for that is, is something that needs to make its way into security. You know, obviously, we're all very good at rapidly understanding a technology; that doesn't necessarily mean we understand all the security risks of it. So

 

Sean Martin 13:30

Mick, any thoughts on any of that? Yeah.

 

Mick Douglas 13:33

From a defender's perspective, the one thing that you probably don't realize is just how easy it is to abuse misconfigured things like VLANs. Jason Ostrom, a buddy of mine, hey Jason, he wrote a tool called VoIP Hopper years and years ago, and it's still wicked effective. You just plug it in, and it sends a couple different types of packets, like Cisco Discovery Protocol and, like, link local discovery protocols, and based off of the telemetry it gets back, it's like, oh, hey, here's the VLANs that you can hop into. You hop into those VLANs, and you're on the phone network, or you're on that management network. And it's rock solid, like, it works, it works well. And a lot of times, unfortunately, people have these, you know, to your point, you said, you know, we make these abstractions. They're great, you need to have those abstractions. The problem is when you abstract too much, and your attacker is hitting you with ground truth reality, and you aren't taking into account some of those issues. And so you'll see that they will be able to just devastate your network.

 

Sean Martin 14:48

So, I mean, we can go a bunch of different directions with this: either a broader view of some of the technologies that people should be aware of and understand a little bit more, or we can go deeper into this example of hopping VLANs and exposing, compromising them and exposing them. And doing it differently: how would you do it differently? Which way do you want to go, guys? Want to take the deeper dive and then go back out again?

 

Justin Elze 15:19

Yeah, I mean, we can take the deeper dive. I mean, I think, you know, I think Mick would agree with me on this one, is we always talk to clients about, you know, segmentation and things like that. And, you know, you'll see people build a bunch of different subnets, maybe, and maybe use some VLANs. And then they say, we're doing segmentation. And then you find out that they're routing everything between all the subnets, right? So, you know, this is generally a full lack of understanding about the big picture, right? You got some concepts, you read a report, you know, let's do this, do that. And then you're like, cool, everything's segmented, and you're like, what am I actually stopping here? Like, maybe I should be trying to stop, you know, north-south traffic and things like that. So I think that the big picture is often lost on the minutiae of detail. So, like, the example he gave with, you know, what are we trying to prevent with rogue devices? And we're using NAC or using sticky MACs? What is our threat surface? Who are we really worried about? Are we worried about the dev team plugging in a, you know, Wi-Fi access point to do something, you know, easier for them? Are we worried about a nation state? Like, kind of, where are we, what are we trying to solve, and then kind of, you know, step through what attackers would be doing based on that. And the segmentation thing's a really good example. Because it's always preached that, hey, we'll segment different business units by risk. So, you know, HR opens PDFs all day, let's make sure that they're kind of quarantined off here, so they can't get to critical systems. Well, we put them on their own subnet, but we never did anything to stop their traffic from getting in and out of a router to a different subnet, things like that.

 

Mick Douglas 16:56

Yeah, I think that a lot of this sounds kind of bizarre, but a lot of, first of all, I agree entirely. I think that a lot of it is that organizations don't actually QA what they set up. So you have the segmentation going, but there's no enforcement. And so the kick in the teeth is that it's actually not that difficult to add that actual true segmentation versus, hey, we've just got subnets, but everybody can talk to everyone else. For most organizations, when we go in and we see that that's taking place, they're like, oh, my gosh, this is gonna be, you know, a huge effort, because it took us so much time to build this subnet out, you know, and make everybody migrate. And I'm, like, cool. This will take, like, a month or less, and they're like, no, we're a global organization, that's going to be super hard. And, like, nope, here's how: you know, you just get monitored for a little bit. And you say, alright, here's who really needs to be talking with you. And then now it's enforced with, you know, simple firewall and routes.

 

Sean Martin 18:09

Yeah, cuz you brought up QA, and QA then assumes, well, I guess you can blindly test stuff: what they're doing is doing what I expected it to do. But I guess it's that second point, what do I expect it to do? You kind of have to understand this, what Justin was saying as well. So how, and I think Mick pointed out here that if you don't know what you're trying to accomplish from a business perspective, but you, you know, you don't want certain things to happen from a networking perspective, you might implement something that, quote unquote, works, but doesn't solve for the business problem. So how do we get to balance that story for the business with the policies and the workflows that we expect the systems to follow, to the implementation of the controls and configurations of all the gear that we're doing? And of course, in there are the details down at the gear level, the app level, the networking level, versus a tool that, again, might abstract stuff. So I don't know who wants to go with that?

 

Justin Elze 19:24

I'll just take a run at it first. I think there's two ways. I think that, if you've talked to most organizations, security teams on the network side usually start and stop with a firewall. They'll have a form of security, people that do endpoint, do all this stuff, and are like, who's your networking guy, or girl, whoever, and they're like, oh, it's this firewall person in the corner here. They kind of get left out of the whole rest of the networking piece, right? All the layer two stuff, all the switching, all the rest of those pieces. And I think that maybe it's because firewalls are usually vendor specific; you have training and they're experts on that thing. You just don't see a lot of people kind of have the general breadth of knowledge in the networking space to do that. So from my view, I think that it's a lot of, you know, moving our space towards realizing that networking is important. Picking a set of core concepts and making sure that those are kind of taught across the board. A really obscure but good example of this is BGP. So if you look on Twitter, there's always a conversation about BGP hijacks and things like that, and everybody's talking about it, right? By and large, if you're in information security, unless you work for an ISP, or somebody that has a bunch of IPs, like, understanding BGP, not super important. However, if you're in maybe offense, understanding the raw concept of BGP, saying, hey, there's this big enterprise that advertises these IP blocks out here, I can kind of see why people actually use really niche, hey, you know, understand BGP, you understand that it advertises IP blocks to the internet; how everything else works behind the scenes, not super important. But, like, that's the level of depth in that area. And then kind of step through those other pieces we were talking about, like CDP and LLDP, where you can do discovery on a network of devices, you know, maybe there's a little bit more depth there.
So I think coming to some kind of standard body of knowledge or, like, level to kind of aim for, because if you say networking as a whole, and throw some Cisco books at somebody, that's, you know, that's a whole career in and of itself. But trying to work with, you know, different organizations to kind of come up with a standard body, kind of level set, like, hey, you're in security in an enterprise here, you know, you're focusing on cloud security, you know, okay, here's what the minimum network stack for that looks like, things like that.

 

Mick Douglas 21:37

I couldn't agree more, couldn't agree more. You know, you don't have to be a ninja at networking to be an effective defender, right? I'm just asking that you know a little bit more. You know, one of the things that I do, we are primarily defensive, but we do contests and stuff from time to time; there's got to be claws and teeth to be a good defender. And one of the things where I will know beyond a shadow of a doubt that I'm going to just crush the network is if I'm in, say, a workstation network, and I'm seeing routing protocols come at me, I know that that environment is a hot mess. And you don't need to know, like, I had one where I was seeing VRRP traffic. That's a high availability router protocol that's used for, like, keeping network gear load balanced with each other, so that one can, like, fail over and the other one will happily run. And we've seen that in the workstation environment. I was like, what the hell's going on? You don't need to understand the intricacies of VRRP, you just need to know, that ain't right, that I can see this right here. You know, that sort of just, here's what normal, you know, air quotes around normal, here's what normal looks like, here's protocols that I shouldn't see. You know, you don't have to know all the security implications of the fact that, like, NetBIOS is a weak protocol to know that any time you see it, you should hunt down and reconfigure that machine. Like, you just don't want that protocol. And the thing that's really weird, and one of the things that should sweeten the pot, and why both security and networking really do need to run to fixing this issue, is that a lot of times when we do InfoSec, it's really tough. And it winds up being a drag. A lot of times, the InfoSec and networking, when they're working together, it actually winds up with better networking performance. Like NetBIOS, for instance, unbelievably chatty protocol. I mean, just getting rid of it, your LAN will do better.
And there's the security benefits. And I can go on and on. There's so many protocols we're turning off; it's a better, multicast protocols, like LLMNR, one of the worst things that Microsoft has done so far, is still, like, there's so many opportunities. And I feel like with just a little bit of an understanding of, like, what you can do, you're going to wind up with more secure networks, things that are making troubleshooting and break-fix a lot easier. And, you know, one of the main reasons that I am actually fairly successful in getting organizations interested in micro segmentation is that when a machine breaks, like, whether the network card goes bad or something glitches or, yeah, it's compromised, the blast zone is incredibly small. And so, like, it's good security and good networking; why wouldn't you do that? And I feel like there's so many opportunities in this space that we really, as an industry, we do need to lean in and start nudging toward that.

 

Sean Martin 24:58

And, oh, my head just filled with so much stuff here. So let's, I mean, one thought in my mind is, do we focus too much on confidentiality from a security perspective, and we forget the integrity and availability, and therefore performance gets lost in the conversation? And we don't focus on that. And so we do stuff that we shouldn't. The other thought in my mind is, I'm a guy that likes pictures, right? And you can't protect if you don't know what's there. And having a view. So I guess visibility of the network seems to be key. Not just from an IT perspective, but also from a security perspective, and understanding what's there and how things flow. And then, to your point, Mick, there's what's flowing, what protocols, and what's being moved around. And so let's stick with the visibility piece, because those two parts, what's there and what's moving around, is that a good place to start, perhaps, to say, what's going on in my network? And so rather than saying, here's what I want it to do, let me see what it's doing, and then kind of adjust from there.

 

Mick Douglas 26:11

The problem is, though, for larger networks, it can be very expensive to build that map. I mean, you look at some of the enterprise grade software in the space, Skybox, RedSeal, those tools are not cheap. They work great. But for a lot of organizations, they're not going to be able to pull the trigger on them. So instead, you're winding up with organizations doing other things like using Nmap. And there's nothing wrong with Nmap. It's just that that's kind of not the tool that I would reach for given the opportunity. It's tricky. I do think, though, that you're right that visualizations are a very important part of this problem. And I want to be clear, it is a universal rite of passage, when you do this in your network, you're gonna be like, well, these networks don't touch, and actually, you just didn't know that. So I think that that would be where most work could really be. Because, right, like, and Justin, you'll probably agree with me on this, is that when you do, like, an open box, or crystal box, or whatever it's called, pen test, and you say, hey, give us the network topology maps, they're like, oh, sure, you know, and they pull it down off the shelf, and they kind of go, here you go, and they blew all the dust and cobwebs off this thing because it hasn't been updated. So visibility, primo.

 

Justin Elze 27:43

This is one of those areas that, like, goes away and comes back, right? So the past few years have been so hyper focused on endpoints, right? Everybody's logging everything on the endpoint, everything here, and the network piece kind of fell off. And then now you see, hey, work from home, like, we used to have a proxy that did SSL interception, but, you know, now that we're work from home, like, everybody's watching YouTube all day, and we can't, you know, handle that traffic. So what did we do? So you'll see products like Zscaler, or some of these other things, pop up in the cloud. And then now you're like, the LastPass hack, somebody's home Plex server got hacked, right? So now you're talking about the person's home network is kind of in scope. So you'll see, I think you're gonna see networking come back: you know, understanding where traffic's going, how it's getting from end to end, you know, what can talk to different endpoints and things like that, and kind of what you're introducing, you know, back into your network by, you know, what your VPN topology and things like that look like. I think that, you know, obviously, Mick and I have been doing this long enough where, like, firewalls weren't a thing, and they were like, you need a firewall. And then, in recent years, it's been, hey, we have a firewall, but we don't really filter too much outbound. Like, you know, you'd assume, like, there was a point in time where, like, people filtered everything out and you had 80 and 443 go through a proxy; you know, that's kind of getting lost. So I think you'll see a trend back to that, more so because, you know, you're looking at, like, C2 detection, things like that, like the DNS traffic. And, you know, if you have a compromise, it's an endpoint or something in our environment, it's going to most likely talk out to the internet, right?
There's a choke point there, around networking, that is, you know, for the time being, isn't going to go away, right? Most C2 traffic is, like, an HTTP GET, HTTP PUT request, or some DNS traffic; it's very unnatural in the way that it works if you look at, like, normal web browsing. And it's interesting to see us, we'll go, you know, full bore ahead on pulling all these events out of a workstation to try to stop malware. At the same time, it's, you know, getting and putting to one static URL every 15 minutes. I think that you'll see the networking piece come back. We've put so much effort and insight into the workstation. Now it's, what do our traffic flows look like? What is normal for us? And then that's going to be the next piece, and I think you'll see that too with Microsoft adding Zeek into Defender, because that's the next evolution. So I think there's a good, you know, it's not just us saying this, I think that a lot of people realize that the network side of this is coming back around.

Sean Martin 30:13

Super cool. And so in terms of the flows, and I'm gonna go back to the QA piece, so let's assume we'll never, ever get our inventory done completely, right? We'll have some view that's going to be good enough. Hopefully, we have some view of how things are moving north, south, east, west and out, right, how big, how small, what protocols? And then there's the, what do I do with both of those bits of info? But the QA piece, I'll say, how do we, again, rooted in at least an understanding of networking, what do we need to know in order to look at that data in a way that will help us make better decisions?

Justin Elze 31:09

Yeah, the first, Mick, or

Mick Douglas 31:12

The main thing that I think you're going to have to do is eat that elephant one bite at a time. You know, one of the things that

Sean Martin 31:23

Maybe just make it easier. Are there, because I think it was somewhat naive, and Justin mentioned some standard or something, and you kind of wrinkled your face early on, Mick, some, oh, what's your OSI model? So I'm wondering, are there things teams can look at that give them a sense of what should I be queuing for? Because you've rattled off a bunch of protocols out there, right? Then, I don't know, there are NIST standards, or things are

Mick Douglas 31:59

A lot easier, a lot easier. What you should be doing, in my opinion, is take, like, your NetFlow, right? And just do a NetFlow summary of who's talking to who. And that's it. And then, here's what today's traffic was, here's what yesterday's traffic was. Let's look and see, are there new flows that we don't know about? Like, that is an amazing way. So just start doing rolling baselines, look for a new protocol. Like, why is this protocol on my network? None of that was there. You know, I feel that too often in all of InfoSec, whether it's networking or host based, or whatever, we let perfection be the enemy of good. You should really just try to make your understanding of your network just a little bit better each time. You know, 1% better each week would be a huge win over the course of a year. So that would be my recommendation, is just make it so that you have these rolling baselines, start simple. And very quickly, you will find where you have a lack of visibility, and, you know, make fixes for these invisible areas.

Justin Elze 33:19

I'm usually the risk based approach person, right? Like, where are people getting compromised in businesses like us, and what is happening next? Right. So if workstations is the biggest risk for you all, then, you know, let's work on firewalls between hosts. Because in most environments, you know, things aren't talking to each other. You know, from there, kind of like I mentioned, like exfil and things like that. If you're worried about, like, DNS exfil and weird stuff like that, like just simply doing, like, a top talkers list of, like, top DNS requests going outbound, or, you know, that's a very good one. Because if anybody, there's always going to be some new exotic C2 that's doing something. The problem is, the more exotic the C2 gets, the less common that traffic is in your environment. So, you know, DNS over HTTPS was a big topic, and everybody on the networking side, and then InfoSec, kind of debated this and was like, oh, hey, like, you gotta block this, or we should be aware that this is going to happen. And you're like, does anybody actually allow this in their enterprise network right now? Like, if I do this, is it gonna stand out? If people are like, oh, I'm moving, like, 100 meg binaries over, and you're like, yeah, so that's just going to stand out over here, versus things that, you know, naturally happen. Obviously, it's a lot harder when you say, you know, fix networking, we're worried about, you know, some very common traffic that happens on a regular basis. Like, for example, using a cloud infrastructure for C2, right, like our whole company, say, is backed by AWS, talking to a new EC2 instance might not, that's like, that's the last ditch piece, but I think there's a lot of other areas in there. The workstation to workstation communication, you know, like the VLAN piece, things like that. There's some very easy wins to get there.
And then you can kind of work back through, you know, is this going to be impactful to users? How can I roll this out in a small group? But I think that, you know, backed by many, many breach reports, trying to do something about where workstations can go is obviously probably the biggest return on investment. So, you know, jumping in a network like that, running Wireshark, seeing what's normal, you can set up a SPAN port, which lets you see all the traffic in a particular VLAN, things like that. Just kind of learn that area, and protect, you know, the most important things first.

Sean Martin 35:35

Yeah, I like that. Breach reports, I know there are some, like Verizon does the various database with use cases and stories kind of describing how things fell apart, different compromises, probably a good place to look. I have to go here, because it's the extreme abstraction, where I don't have the time to investigate and analyze. My tools are set to alert me on things, but they're only as good as what I can tell them to look for. And now there's this generative AI and natural language processing stuff that a lot of people are using on the public web, which may not be appropriate for the kind of data that we're talking about here. But I don't know if there's a way internally to take those rolling views that Mick was talking about, for example, and say, show me where things are different in this feed, versus spinning up a Tableau and trying to sort that out and becoming a Tableau expert on top of a networking expert on top of the security expert as well. Is there a role for that kind of thing, do you think?

Justin Elze 36:56

So there's some products out today that, like I said, you see this trend where it's endpoint and then network, there's some network NDR, network detection and response, products today that are really, like, actually very, very good, right? They'll use machine learning to baseline what's happening, you'll see things that shouldn't be happening kind of pop up. And I've tested a bunch of them for clients and things like that. It's just not the most talked about, most interesting piece with all the marketing money behind it right now. So I think machine learning is going to fix, I know nothing is ever fixed, but the point of machine learning is to look at massive datasets and find outliers, right? So the technology is there, it's scaled down into, you know, pizza boxes, or virtual appliances, things like that. That technology is there to do this. It just isn't cool right now in the networking space. There's a couple of companies doing it, and it's coming back. You know, the large language model stuff with, hey, I'm seeing this packet header, what is this? Like, it's great for, like, helping SOCs investigate, but the machine learning piece of just giving it a bunch of data, figuring out what stands out, the technology is there today. It's just not the cool thing. I think it will be, given another couple of years. But it's just a little bit of ways to go.

Mick Douglas 38:15

I will say that the good news is there's actually some really cool open source tools that I really like in this space, actually written by the same org as RITA, and then also AC-Hunter, they have a free edition of AC-Hunter, and Black Hills InfoSec / Active Countermeasures released these tools and they're phenomenal. They allow, like, I don't think people realize how weird C2 traffic looks. Justin probably wins the understatement of this conversation award. It is bonkers crazy. But because of the way C2 works, you don't see it until you look for it. Once you look for it, it sticks out like nothing else. The analogy that I use for this is, like, once when I was visiting my brother and my nephews were sneaking across the kitchen like this, right? Like they were hunched over and they're very carefully tiptoeing. I didn't know that they were up to no good, like, I wouldn't have heard them if I didn't see them. But when I saw them, I was like, what are you guys up to? And that's what's happening with C2. Attackers have to use C2 because they rarely have the luxury of hands on keyboard. So the network in this is something that Justin said that I think is worth repeating from the top of every hill, is that the network makes an exquisitely good show-me. You should be harvesting that telemetry. Because if you know what to look for, it's right there.

Justin Elze 40:05

Yeah, Mick and I have dug into this a bit on Twitter before. I think people are so hyper focused on one side that if you look at all the ransomware groups, and you look at all the different threat actors out there that are attacking most organizations, right, they're using Cobalt Strike, they're using off the shelf tools. But as soon as they go hands on the keyboard, there's a callback rate that they need to use for their C2 servers. So how often it's calling back, calling home and sending data back and forth. It's such a tight pattern that it stands out, right? Most organizations are not fighting the NSA, where, like, they can do a callback that, you know, the implant calls back once a month and tasks a command and does something, right? You're fighting human operators. Their skill level, maybe middle of the road, but when they go hands on a keyboard and do stuff there, the traffic stands out. Like, if you go to a website today, you know, it loads, you know, Google ads, there's a bunch of JavaScript and things like that. All of these features, there's, you know, tons and tons of open source tools out there that all do this HTTP GET/PUT. There's no padding, there's no extra GETs, like it's very, it stands out. And it's the one area that it's impossible to hide from, for the most part, right? We're talking about using cloud providers and things like that, like that's a way to abstract that. However, the GET/PUT behavior is still primarily what you see out there. So I think people get scared about the networking piece because they go, oh, man, there's traffic, or my whole Windows machine is calling back all over the place constantly. But the things that C2 and the things that attackers are doing are very obvious when it goes back to the internet.

Sean Martin 41:40

Super interesting. We're coming up on time here. I thought maybe we'd look at a couple of the tweets in the thread. But I don't know if you recall off the top of your head. Was there anything in either of the threads that kind of took an offshoot? I think, is there anything in those threads that stood out to you that maybe we didn't touch on yet?

Justin Elze 42:06

So I'm sure, Mick, I believe you brought, you mentioned this kind of on the side before, that they just came up with the OSI model is legacy and dead. There's been this big kind of offshoot of this networking conversation into there. And I think this goes back to what we were saying about, so the OSI model is a conceptual model to kind of teach networking, it's a way to break down different areas, and kind of, it's the core building block versus going a lot of places. I think that the layering, that kind of, yeah, layering, layering was where all the problems are. You know, this is how it's traditionally taught. And when you approach it in that way, people are expecting you to get the full gamut. And it's usually overkill, right? We're never going to learn that, and that's kind of what we're going with, saying, hey, like, we really want to be really heavy right here, our VLANs, this whole one piece, but, like, this whole middle section, like, you don't need to know about, like, RIP, IS-IS, OSPF. Like, they exist, the routing protocols, if you encounter them, cool, become an expert. But, like, there's, you know, 80% of this stuff that isn't super important, like understanding subnetting and what a gateway is. Like, this is a stupid one, but, like, you know, a lot of people use that .1 for a gateway, if they're a little bit older. Sometimes they use that .254, which is, like, something that most people don't think about, right? Because you're like, oh, it's always dot one. You know, there's just weird things like that with subnetting and stuff. So trying to condense and trying to get people away from thinking that, hey, you need to learn networking is two 2,000-page textbooks that you have to go, you know, beat somebody over the head with, and try to keep the focus.

Sean Martin 43:36

Anything from you? Yeah,

Mick Douglas 43:38

I, you know, I want to be clear, OSI is a fine approach for learning and even kind of thinking about things. But where it breaks down, and why I get a little squeamish when folks talk about it, is that there's a lot of folks who try to foist this understanding of this model, that never was actually implemented except for a few edge cases, onto modern networks. And at certain points, that model, that approach breaks, it just doesn't work. And so I've seen some very weird network design as a result of people, like, oh, well, we got to force this, because this thing's a layer four, and, like, okay, whatever. You know, I feel that sometimes people aren't taking a pragmatic enough approach. And that's the main beef that I have. You know, there are some folks who say that we shouldn't be teaching OSI anymore. Maybe what I'm advocating is that you don't try to force OSI into your network, because it doesn't, like, it just doesn't.

Justin Elze 44:47

Yeah, I think the other point with that would be, it's a learning tool. Like, Mick and I both did networking in the past. I don't think I've ever had a discussion outside of a learning environment where, like, oh, this is this OSI model layer, right, where it is in networking. And we're doing things, like, we might talk about, hey, we're doing some switching, or we're doing this thing. But, like, the OSI model is just a way to chunk things up and teach. As soon as you have practical hands on, like, it never comes up again. So people kind of conflate all these things, is, you know,

Mick Douglas 45:18

The only exception to that might be layer three. Like, for some reason, layer three keeps on coming up. That's the only one that I ever have even talked about. But even then it's not that often. So yeah, totally. We're in agreement on the

Sean Martin 45:37

Right. Well, this has been amazing. I feel we could probably go hours talking about different stories and scenarios, different elements here. But I want to thank you both for, first off, engaging with the community and each other, like you did on social media. I think it's super helpful for folks, right, to kind of poke things and get people to think differently, which is why I asked you to join me here. And I'm grateful you did, because hopefully people are thinking a little bit differently about networking and security and the connection between the two, and what's important to understand, what's important to abstract. And hopefully someday we'll just toss it over to natural language stuff and go to sleep. But until then, thank you both. Thanks, everybody, for listening. I'll include links to the posts that we're referencing here, plus anything else that Mick and Justin feel would be worth a good read. I presume I won't get a link to the OSI model reference at the moment, but anything else they want to share, all of those in the notes as well. Of course, if you're listening, subscribe to the podcast and hear more on Redefining CyberSecurity, and if you're watching the video, subscribe to YouTube as well. Thanks, everybody. See you later.

voiceover 47:07

Edgescan offers continuous vulnerability intelligence as a service, accurately identifying vulnerabilities and exposures across the full stack. All threats are verified by cybersecurity experts, providing exploitable risk and remediation guidance, virtually false positive free. Learn more at edgescan.com.

sponsor message 47:29

Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn more at imperva.com.

voiceover 47:48

We hope you enjoyed this episode of the Redefining CyberSecurity Podcast. If you learned something new and this podcast makes you think, then share itspmagazine.com with your friends, family and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.