April 8, 2020
Using Elasticsearch & Kibana for Security Analytics to Fight the Dark Army on Mr. Robot


>>SHAY BANON: We started to be used quite a bit in the context of the security space, which we are very excited about. To be honest, it is a very natural progression out of the logging space, especially in an area that is called SIEM: if you capture enough logs and information about your infrastructure, you can actually make interesting decisions that apply to the security space, on the other side of the house from the operational space.

And what we are very happy about — almost a year ago, we got an email from the team at Mr. Robot, the TV show, and they asked for permission to use Kibana in one of the episodes. So, obviously, we were all very giddy, and we immediately forwarded it to [email protected] and started to celebrate, and then we saw the screenshot. We saw that Mr. Robot was using an old version of Kibana in our stack. And we said, eh, we think the product looks slightly better now. Can you please use a new version of the product? And the team said no, and we were like, another user that struggles with upgrading to the new version of our product, can we get a break? (Laughter). And we asked them why. And actually, we were impressed; we've read a bit about it. The team tries to be extremely authentic around the tools that they use, matching the timeframe, and specifically, this episode happened in a timeframe that ran that specific version of Kibana. And that level of authenticity ends up spreading all over the show, and the technology that is being used in every single thing that happens in the show has real-world products and use cases and thought that goes into it. So we are very excited to try to explain a bit how Elliot uses Kibana to fight the Dark Army. And with that, I will welcome Ryan on stage. Ryan? (Applause).

>>RYAN KAZANCIYAN: Thank you, Shay. Hi everybody. My name is Ryan Kazanciyan, I'm a technical consultant on Mr. Robot as well as chief security architect for Tanium. As technical consultant for the show, my job was to weave accurate depictions of technology, of hacking and computer security, throughout the show's narrative. As a practitioner in the security space, this afforded me a really cool opportunity to include the software and tools that I have used throughout my career, and I was especially excited to have the opportunity to weave in Elastic, especially given the fantastic community that is behind it. What I'd like to do tonight is walk you through a little bit of a behind-the-scenes look at the hack that bridges through the first half of season three and culminates with the inclusion of Elastic at a critical juncture in the story.

So as many of you probably know, the storyline in Mr. Robot revolves around a fictitious super company, called Evil Corp or E Corp, and this is the conglomerate to end all conglomerates. It's subject to a really destructive hack in the first season. And at the end of season two, the storyline revolves around this paper records facility, which is the last bastion of hope for them to recover their data through old-fashioned paper records that they're consolidating. The Dark Army is trying to destroy this building by infecting a power management system that they've got a back door on and then using it to deliver a malicious firmware update to the UPS devices that control the batteries in the server room. And the idea is that you overcharge the batteries, they emit gas, and eventually there is an explosion. Amazingly enough, this actually happened in real life, due to an accident, not actual malice. If you want an interesting example of a real-world attack like this, look up the Ukrainian power grid hack in 2015, which involved malicious firmware pushed to control devices. This alone is grounded in reality.

When we get to season three, this does not end up happening. Fortunately Elliot, our protagonist, saves the day, kicks the back door off that system, and the Dark Army is left without access (at least temporarily) to Evil Corp. So what do they do next? Mr. Robot and Tyrell, as agents of the Dark Army, have to figure out a way back in. And so, like any good hacker or pen tester, they go and use a tool called Shodan. Shodan is a website that allows you to effectively fingerprint the internet-facing infrastructure of an organization passively; it is like a search engine for the data that your websites and other internet sites are exposing through banners and other scrapable data. They find that Evil Corp has, in their DMZ, web servers that are running an unpatched, out-of-date version of Apache. Specifically, they are vulnerable to a Struts exploit. If that sounds familiar, that is because Struts unfortunately has a long history of pretty bad vulnerabilities. Most recently, it was exploited in 2017 to lead to the Equifax hack. The one we are using here is actually from the 2014 timeline. So, like many companies, Evil Corp unfortunately was not doing a great job of patching. So they use this exploit to get remote code execution on the DMZ server, and then they need to pivot: they go from the DMZ through some hop points to internal hosts that they backdoor. And like any sort of attack that involves post-compromise activity, there's lateral movement, there's reconnaissance, and the trick is figuring out what happens next.

Now fortunately our protagonist, Elliot, is monitoring all of this, unbeknownst to the Dark Army. And he is doing so with log forwarding, with Tanium, with other security tools that are aggregating all of these disparate sources of information into his Elastic Stack. Now Elliot is a security engineer at this point in the story, but this is kind of off-the-books stuff; he is actually allowing them to continue hacking so that he can understand what they are actually after. So he is using Elastic as his own private stack to monitor all of this activity and figure out what the Dark Army's next steps might be.

This was actually all built out, like all of our scenes, using real systems and real software. So I am going to cut from the lower right, which is the on-screen shot, to the mock-up, which is a lot clearer, and actually this is from my own VM environment when I built this. In the top left panel, we have an executed command history that's coming from forensic telemetry including Tanium and logs on the endpoints. This is a history of every executed command on the infected systems. On the top right, we have the panel that's showing user activity; on the bottom left, we have some other statistical analysis of process activity; and then over on the right here, we have what catches Elliot's eye in the midpoint of season three, an indication that the Dark Army is back in that power management system and had a failed attempt to update the firmware that's controlling the batteries on the devices. This sets things in motion. And as Elliot monitors the activity, and the on-screen commands actually play this out if you freeze-frame and read them, what he finds is that the Dark Army is actually laterally moving to a new target, the code signing infrastructure team at Evil Corp. And the reason they are doing this is that they are gathering data so that they can stage an attack against the hardware security modules. This, too, was inspired by a real-world breach case that I worked several years ago. Compromise of HSMs is very bad; that's like catastrophic loss for any company – let alone one like E Corp – and so it makes a compelling midpoint to the season, and I won't spoil any further, but this is how that all gets set in motion.

Now you might be wondering why we do this, why focus so much on this accuracy, when most TV and media depicts hacking like this. (Laughter). Or like this. And I think my favorite is the infamous NCIS episode, where they've got like four hands on one keyboard so they can hack faster. (Laughter). So many good movies out there. I think Kor Adana, the writer and producer I worked most closely with, puts it really well, which is that if you need to rely on flashy, ridiculous graphics on the screen to explain the drama or the plot, something is wrong with the writing, something is wrong with the story, you are failing to convey the stakes of the scene. One of the things that we always try to do on the show is make sure that no matter what your level of technical expertise is, you can watch and understand what's happening. And then if you do understand the technology, you have the added bonus of understanding things at a deeper layer and engaging with the show on a deeper layer. And I think this storytelling approach is something that, as a security practitioner, I try to stay focused on day to day, and I think technologies like Elastic help us be better storytellers in conveying the impact of critical things like breaches.

From an audience engagement standpoint, this helps us in the show quite a bit. One of the cool things that we can do is have interactive ways the audience can go deeper. There's an alternate reality game in the show, where you can take IP addresses and QR codes, things that flash by on screen for just a second, find them online, solve puzzles, and interact with things like this. This is an interactive version of the same dashboard that we just showed you earlier; you can actually go to this URL, log in if you have the password, and play with it just like Elliot did. We similarly set one up, and this is the Logstash server that's aggregating the UPS logs. There is a sort of emulated SSH interface on our website where, if you type the right commands, you can tail the log that Elliot tails in the episode and see the exact events as if it was a real UPS power management system. So these are really fun ways to engage with the audience in a unique way. One last one is just other ways we can kind of hide Easter eggs: we had a shot of the Dark Army's command and control panel where they're managing all of their infected systems, and if you were to freeze and zoom in you'd see that their list of victims actually mirrors real-world victims of targeted attacks, including governments and human rights organizations. Lots of ways we can make it real.

Of all of the technologies that I incorporated into the show in the third season, I think the reaction from you all in the Elastic community was the loudest, and it was really validating and exciting for me to see. When every episode aired, the writers and I basically lurked on Twitter and Reddit, really anxiously awaiting how people would react. It's great to see that type of feedback. I also incorporated a lot of other hacking and security tools; one that I really find fascinating is Mimikatz, which is one of the most widely used tools for Windows credential attacks, and the author of Mimikatz tweeted not only that he was excited to see it, but also caught an error that I inadvertently included where the arguments — (laughter) — I supplied arguments that are technically not necessary. (Laughter). And my response was, well, you know, even the Dark Army operators screw up sometimes. (Laughter). We had this really elaborate HSM attack; I tried really hard to make it real. I figured hardly anyone works with HSM stuff, so no one is going to notice. No, I was wrong, I got lots of incredibly detailed feedback, picking it apart, scene by scene, from the handful of HSM experts out there. It was really fun to see this stuff. (Laughter). And last, I don't write much code anymore. I did have to write a bit of Python for, I'm going to try not to spoil much here, something involving crypto. It is embedded in a file and shows up on a screen really briefly, and somebody noticed that there was an inconsistency between the source code for taking user input and what was actually displayed as a prompt on screen when the script ran. So he called that out to me. Again, this is why it is a labor of love, because people notice those things. (Laughter).

Mr. Robot is just my night job, what I did between 10:00 p.m. and 3:00 a.m. for the course of just about a year. During my day job, I work for Tanium, and one of the really exciting things is that Tanium is a great engine for data, for Elastic. And many of our customers are doing really cool things with our technologies together. For example, automating endpoint vulnerability management at scale, feeding data from 70 thousand plus endpoints to create really powerful risk dashboards and to take corrective action. I'll be here throughout the week, I would love to chat with you about these and other use cases, but I just want to thank you all for having me here. It is humbling to be a part of this conference, and among such an amazing team and such an amazing community. Thank you all and have a great conference.
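As an added example that is not part of the talk, the show's props, or any Elastic or Tanium code: a small Python script that extracts the three signals Ryan describes on Elliot's dashboard from raw telemetry, namely lateral movement inferred from executed-command history, a host showing up in the telemetry for the first time, and a failed UPS firmware update pulled out of the power-management log. All host, user and device names, the command-history events and the UPS log format are constructed for the illustration; in a real deployment the events would arrive through the log shipper and the matching would live in the stack's query layer rather than in a script.

```python
import re

# Constructed sample of executed-command telemetry (hypothetical hosts, users, commands).
COMMAND_EVENTS = [
    {"host": "dmz-web-01", "user": "www-data", "cmd": "id"},
    {"host": "dmz-web-01", "user": "www-data", "cmd": "ssh svc_deploy@app-42"},
    {"host": "app-42", "user": "svc_deploy", "cmd": "net group \"Code Signing\" /domain"},
    {"host": "app-42", "user": "svc_deploy", "cmd": "psexec \\\\cs-build-07 cmd.exe"},
    {"host": "cs-build-07", "user": "svc_deploy", "cmd": "dir \\\\hsm-gw\\tools"},
]

# Constructed UPS log lines in a syslog-like shape (hypothetical device names and format).
UPS_LOG = """\
2017-11-01T02:14:05Z pms-01 ups[3121]: firmware update requested device=ups-rack-3 image=fw-2.1.bin
2017-11-01T02:14:07Z pms-01 ups[3121]: firmware update FAILED device=ups-rack-3 reason=signature_mismatch
2017-11-01T02:20:11Z pms-01 ups[3121]: battery status device=ups-rack-3 temp_c=31
"""

# Remote-execution commands that name their target host explicitly.
_REMOTE_EXEC = [
    re.compile(r"^ssh\s+(?:\S+@)?(?P<dst>[\w.-]+)"),
    re.compile(r"^psexec\s+\\\\(?P<dst>[\w.-]+)"),
    re.compile(r"^wmic\s+/node:(?P<dst>[\w.-]+)", re.IGNORECASE),
]


def lateral_moves(events):
    """Return (src_host, dst_host) pairs for commands that execute on another host."""
    moves = []
    for e in events:
        for pat in _REMOTE_EXEC:
            m = pat.match(e["cmd"])
            if m:
                moves.append((e["host"], m.group("dst")))
                break
    return moves


def new_hosts(events, known_infected):
    """Hosts present in the telemetry that were not already on the infected list, in first-seen order."""
    seen = dict.fromkeys(e["host"] for e in events)
    return [h for h in seen if h not in known_infected]


_FW_FAIL = re.compile(r"firmware update FAILED device=(?P<device>\S+) reason=(?P<reason>\S+)")


def failed_firmware_updates(log_text):
    """Parse UPS log lines and return one record per failed firmware-update attempt."""
    failures = []
    for line in log_text.splitlines():
        m = _FW_FAIL.search(line)
        if m:
            timestamp = line.split(" ", 1)[0]
            failures.append({"time": timestamp, "device": m.group("device"), "reason": m.group("reason")})
    return failures


def alerts(events, log_text, known_infected):
    """Combine the three signals into the kind of alert list a dashboard panel would show."""
    out = []
    for src, dst in lateral_moves(events):
        out.append(f"lateral movement {src} -> {dst}")
    for host in new_hosts(events, known_infected):
        out.append(f"new host in telemetry: {host}")
    for f in failed_firmware_updates(log_text):
        out.append(f"failed firmware update on {f['device']} ({f['reason']}) at {f['time']}")
    return out


if __name__ == "__main__":
    for line in alerts(COMMAND_EVENTS, UPS_LOG, {"dmz-web-01", "app-42"}):
        print(line)
```

The "known infected" set stands in for the list Elliot already had from the first compromise, so the first command seen on `cs-build-07` is what flags the move toward the code signing team; the firmware check deliberately keys on the FAILED line rather than the request, since a failed push is the event that would not appear in normal maintenance.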

Tony wyaad
