AI Generated Summary
This podcast interview from Safety Talk #66 features Anant Shrivastava discussing offensive and defensive cybersecurity, the NULLCon conference, and how companies can discover different ways to protect their businesses from cyber attacks.
Guest Background
- Anant Shrivastava: Founder of Cyfinoid Research
- Experience: Both offensive and defensive cybersecurity, plus development and operations
- Conferences: Frequently speaks and delivers training at Black Hat, NULLCon and c0c0n, among others
- Open Source Projects: Tamer Platform, Code Vigilant
- Location: India
- Community: Especially active in the NULL community; curates the Hacking Archives of India
Key Topics Discussed
NULLCon Conference Overview:
Conference Background:
- One of the biggest conferences: In the information security domain in India and South Asia
- This year: About 3,000 attendees; registrations for some events had to be closed because space ran out
- Origin: Grew out of the NULL community in 2010
- Community started: In 2008, with the idea of sharing knowledge with peers
- Some founders: Thought it was a good idea to have a conference around this; that is how NULLCon came into the picture
- Conference running: Since 2010
- 2011: Anant first got involved with NULLCon, starting as an attendee, then as a speaker, and later running workshops there
- Past couple of years: Helping the whole Payatu team, which runs NULLCon, with organizational activities
- Part of the review process: Also takes part in the background activities around what to do at the conference, how to do it, and new ideas that could bring more people in and create awareness
- Open to the global community: Although located in India
Anant’s Background:
- Started working with computers: Around 1995
- 2000: First encountered Linux; started playing with it, installing it on systems, configuring services, and reading Linux user groups online and on Yahoo Groups
- 2008: Entered the corporate world as a server administrator
- 2010: Moved into the security community and domain, which felt like a natural extension of server administration
- Knew how to defend a server: But was more curious about what happens on the other side
- That is how security came into the picture: This is also when he got involved with the NULL community
- From the NULL community: Into a much wider group of communities
- Experience ranges: From server administration to developing software in PHP and Python, to full-time information security work over the past few years
- Security work ranges: From pentesting to red teaming to setting up pipelines for people (the whole DevOps area), to a current focus on supply chain security, the distributed web and mobile
Conference Structure and Tracks:
Diverse Content:
- On one side: Talks about new and innovative things people are finding
- Examples this year: A talk on UPI, a talk on biometric security, and a talk on opening locks (all the locks communicated over a Bluetooth protocol; the speaker found the right signals and was able to open all of them)
- Technical side: That is what was happening there
- At the same time: Another track was focused entirely on the CXO side of the equation
- CXO track topics: "The cloud exists; should my non-IT organization be using it? Should government be moving into the cloud?"
- Startups and entrepreneur community: Discussions ranging from "Should I even take funding from a venture capitalist?" to "What does a venture capitalist look for when funding a security startup?" to "How do you self-sustain and make money while building your own product?"
- Parallel workshops: Hands-on activities ranging from lockpicking to soldering your own hardware badge
- Live booths: Where organizations had a presence and demonstrated products
- Could ask questions: Most booths had either a founder or technically inclined people available, not just marketing people selling things; real technical people answering questions and helping attendees use the tool better
Catering Entire Range:
- From: "I want to get into the information security industry"
- To: Someone who has been in the industry a long time and wants to refresh their skill set
- To: Someone trying to upskill
- To: Someone in an executive position asking "I don't care how it works; is it going to work? Is it going to be useful to me?"
- Entire range: That is what the conference covers
Additional Tracks:
- Resume clinics: Help freshers and people just starting their career get into good corporate jobs
- CTF: The Winja CTF, the conference's signature CTF for about 7-8 years now
- Focus: To nurture and bring women into information security
- Shortage of women: In the information security domain; this is a way of bringing more women into the community
- Something for everyone: At least something for everyone
Conference Organization:
Track Structure:
- Two technical tracks: The aim is two totally separate topics at any time so people don't have to choose between attending one or the other
- If a hardware talk is on: The other talk is a software-level talk, not another hardware talk
- Talks don't compete: With each other; that is the aim
- CXO track: The audience interested in a series of sessions gets them bundled together in one place, so they don't have to keep shuffling around
- Bug hunting track: India has a very big bug hunter community and bug bounty market
- Dedicated track: Focused on the bug hunting community
- Companies present: HackerOne, Bugcrowd, Google and Facebook are there, going through the whole process
- Idea: Not just to tell people "Do bug hunting and earn more money", but rather "How do you do it properly? What should you keep in mind? How is it beneficial for you and for us?"
- Workshop tracks: Many people attend such events wanting to do something hands-on; that is what the workshop tracks are for
- AMMO track: On and off there is also a track called the AMMO track, which is effectively tool demonstrations
- Open source tools: If there are enough open source tools among the submissions, the AMMO track runs for two days and each tool gets to demonstrate its usefulness
- Difference between a talk and a tool track: A talk is about a scenario, a hypothetical situation or something that happened in the past; people take that learning and repurpose it in their own world
- Tool track: "This open source tool is available, this is how you use it; if you have a question or a suggestion come and talk about it, and from tonight onwards you can just download the tool and use it"
- Beautiful thing about open source: It's free, it belongs to everybody, and it's community driven; whatever the project, if it is part of the open source movement everybody contributes and everybody makes it better
Conference Duration:
- Conference: Two days
- Before the conference: A set of two-day or three-day trainings runs before the conference
- Some virtual: Mostly physical right now, but some virtual options exist
- Two days: Of conference proper
- Post-conference trainings: Over the years it became clear that some people are better off doing trainings after the conference, so post-conference trainings are run too
- Some trainings: Happen pre-conference, some post-conference
- Effectively: 3+3+2, about eight days of total events
- People can pack: A lot of training and knowledge into those days
- Why post-conference trainings are a good idea: While at the conference you don't want to miss anything; you are trying to see this presentation and that one and learn about this tool, and don't want to take time away from something else you could be learning in order to dive deeper into one thing; you can go deeper later
- Opportunity: Once the dust settles from the two conference days, your brain has absorbed everything and you have probably made notes ("I really want to learn more about this technology and this tool"); now you can spend a few hours with each one instead of 15 minutes at a booth
Offensive vs. Defensive:
Keynote Example:
- This year's keynote: By John Lambert from Microsoft
- Start of the keynote: A slide of six different approaches you can take towards defending yourself
- Taken in the classic sense: Like medieval defense
- Defense does not just mean a helmet: It could also mean a shield, a barricade, or a number of other symbols
- Knowing how to operate in your own domain: Is one thing
- Knowing how the other person is going to operate: And how they will react and act to whatever you do gives a better perspective on how to deal with things
- At the end of the day: Infosec is not about breaking things
- End goal of infosec: To secure the organization
- With that approach in mind: The number of attacks you can mount on an organization is not going to help anyone if you don't know how to protect against them
- On one side: No one is asking a red teamer to explain how to protect, but having a realistic idea of what protections exist in the market against the attack you are mounting gives a realistic chance of a proper discussion when sitting with the team
Examples:
- DoS attack: "I did a DoS attack and collapsed the entire organization; you should have some DoS protection"; it is easy to say "you should have DoS protection", hard to actually have it in an organization
- At some point: The organization would say "After this much volume of incoming attack we would have to accept defeat"
- That kind of realization: Helps in setting the right boundaries and the right expectations
- Otherwise: Things just go haywire
- The inverse also applies: You can't just say "You're the attacker, you should be able to crack the application in two hours; that's the time you get for testing before deployment to production"
- Both sides need: To understand how the dynamics work; then it is easier, a sort of mutual growth for both sides
Recovery and Detection:
Current Focus:
- From the conference standpoint: Not just NULLCon but a large number of other conferences too
- There was a wave: When prevention was the key factor
- Right now: It is not recovery; it is detection that is the key criterion everyone is focusing on
- The question: How do I detect the attack?
- No one is talking: About building whole layers of defense
- Everyone says: "The attack is going to happen, so why worry about building layers? Build a basic set of layers, but then focus on detection; you should be able to identify when an attack has happened"
- Recovery: Still not talked about that much
- Hope: That the hacks of the Las Vegas casino chains (Caesars and the other one), two big hotel chains that were both hacked and ransomed, where one paid and one did not and is still trying to get its business up and running
- Will kickstart: The whole conversation around "let's talk about recovery"
- Right now the trouble: People are not even confident about their own backups; they know backups happen, but many don't know how to recover from them
- Given the choice: "Should I bank on recovering from backup or should I pay the ransom?", a lot of people might actually tilt towards paying because "at least I'll have a guarantee that the data will be recovered"
- Strange: If the cyber criminal provides the key and lets you decrypt the data
Ransomware Reality:
- If you pay the ransom: Say they want $25,000 for the key; you pay 25 grand, and now they say "we want another 10"; "Wait a minute, I just paid you"; "Well, you did, and now we know you've got resources and you've paid once, so you've got to pay more"
- Now you pay another 10: What's to say they won't say "all right, give us another 10"?
- Ironic but true: Most perpetrators of ransomware attacks are ethical: you pay the ransom, they give the key
- If they didn't: The whole scam falls apart; if everybody paid the ransom and nobody ever got keys back, nobody would ever pay another ransom
- CISA says: Don't pay the ransom; you really shouldn't, because it validates what they are doing and gives them more resources to dump into more attacks, causing more damage, wreaking more havoc and making more money, a perpetual cycle, which is not good
- Have a good plan: In addition to good backups
- Companies don't trust their backups: They don't want to take downtime on, say, a Saturday night to pull a system down, restore from backup and see if it works; they are afraid to do it
- Should have a second system: A redundant server to restore onto and see what happens; there are ways to test it
- Their reaction: "It's too inconvenient, I don't want to do it, I don't want to pay overtime"; but what are you going to pay if you get hacked? What's the consequence if you go out of business? Overtime is a drop in the bucket when you look at the big picture
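The "restore onto a second system and see what happens" drill can be scripted so it runs on a schedule rather than waiting for a Saturday night nobody wants to give up. The script below is an added example, not code from the interview or from any project mentioned in it. It assumes GNU coreutils and tar are available, uses a constructed sample data set, and treats a scratch directory as the stand-in for the redundant server: it takes a checksum manifest of the live data at backup time, restores the archive somewhere other than the live system, and reports a failure if any file does not come back byte-for-byte.

```shell
#!/bin/sh
# Backup restore drill (added example). Assumes GNU coreutils (sha256sum,
# sort -z, xargs -0r) and tar. The "redundant server" is a scratch directory.
set -eu

make_backup() {
    # $1 = live data dir, $2 = archive to write, $3 = checksum manifest to write.
    # The manifest is taken from the live data at backup time, so the restore is
    # checked against what was actually backed up rather than against memory.
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) > "$3"
    tar -czf "$2" -C "$1" .
}

verify_restore() {
    # $1 = archive, $2 = manifest, $3 = scratch dir standing in for the redundant
    # server. Returns 0 only if every file in the manifest restores byte-for-byte;
    # a missing or altered file makes sha256sum -c exit non-zero.
    rm -rf "$3" && mkdir -p "$3"
    tar -xzf "$1" -C "$3"
    ( cd "$3" && sha256sum -c --status "$2" )
}

restore_drill() {
    # $1 = live data dir, $2 = work dir for archive, manifest and scratch restore.
    # One complete drill: back up, then restore and verify. A non-zero exit is the
    # signal that this backup cannot be trusted for recovery.
    make_backup "$1" "$2/backup.tgz" "$2/manifest.sha256"
    verify_restore "$2/backup.tgz" "$2/manifest.sha256" "$2/restore"
}

make_sample_data() {
    # Constructed sample "production" data so the drill runs offline.
    mkdir -p "$1/db" "$1/config"
    printf 'id,name\n1,alice\n2,bob\n' > "$1/db/customers.csv"
    printf 'listen=0.0.0.0:8443\n' > "$1/config/app.conf"
}

# Stand-alone run: build sample data, run the drill, report the verdict.
work=$(mktemp -d)
make_sample_data "$work/live"
if restore_drill "$work/live" "$work"; then
    echo "restore drill: OK (restored copy matches manifest)"
else
    echo "restore drill: FAILED (do not rely on this backup)"
fi
rm -rf "$work"
```

In a real environment the scratch directory would be a separate host or VM, and the drill would be followed by starting the application against the restored data; the checksum step only proves the files came back intact, which is the minimum a backup has to demonstrate before anyone bets a ransom decision on it.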
Las Vegas Casino Hacks:
- Hope for the Las Vegas casino hacks: They will give tangible numbers for the losses incurred
- One company paid the ransom: Got its systems back in 3 days
- The other company: Had to deal with it for 15-20 days
- The losses both incurred: Would give people the idea that "this has consequences"
- The more you adapt: And the more aware you are of your own systems, the easier it is to deal with it
Attack Surface and Supply Chain:
People Reckless:
- Pet peeve: People in the IT industry (rather than the information security industry specifically) are reckless when they start building things
- Don't care: Where they source inputs from, be it open source, commercial or whatever
- Reckless: When adding more stuff into the organization
- Attack surface: The ideal approach is a minimal attack surface
- No one goes: For the ideal approach
- Attack surface: Keeps increasing
- Resources deployed: To deal with it keep decreasing
- More attack surface: Means more vulnerability and more fronts to defend
- Back to the castle scenario: If you have to defend from the front, the back, both sides, above and below, "how do you do that?"
- If you can focus defenses: On the one area where you are vulnerable, it makes so much more sense for the organization
- Many people building solutions: Think "we'll use this piece here, phones will use this, data will be there, backups go there, the CRM system is there, marketing goes elsewhere"; now there are all these disparate, non-integrated solutions spread all over the place
- Nearly impossible: To have an adequate defense strategy for all of that
- Smaller companies: Don't have the resources and just go "hopefully it doesn't happen"; that is not a strategy
Turnkey Solutions:
- Information security industry: Going forward needs to look at turnkey solutions, or solutions that actually help smaller entities have a basic level of security
- Right now: A large number of companies don't even support SSO authentication as a basic feature, even at paid tiers
- Always an Enterprise feature: Or a highly paid tier where SSO gets added to the bucket
- The whole approach to security goes haywire: When people gatekeep basic protections; things that maybe were not basic earlier are now basic, essential entities
- Not living in a world: Where you could have a VPN and everything remains inside; everything is out in the open, and zero trust and the whole cloud movement basically say "use whatever is available", which means half of your stuff is all over the internet
Conference Topics:
Diversity of Topics:
- While structuring the conference: The aim is as much diversity of topics as possible so everyone has something to look for in the talks
- On one side: James Kettle talking about web application security attacks
- Nemo presenting: On UPI hacks; UPI is a payment integration technology designed in India, now being used across the globe, with multiple countries starting to adopt it
- Instead of credit cards: As the main way to pay, UPI has a system of APIs connected with all the banks
- Doesn't matter which bank account you use: You can transfer funds from one person to another using a common ID
- Whole layers of complexity removed: You don't have to worry about what the account is, what the bank is, or what the bank ARS are
- Almost like crypto: Funds go from me to you as if without a bank; the banks are involved and are there, but the complexity is taken away from the ordinary person
- Just scan: A QR code and the fund transfer happens immediately
- Technology developed: In India
- Abana talking about UPI hacks: Speaking from experience at a financial organization dealing with the UPI implementation for its platform
- Whole journey: How they developed their own app to understand how the protocol works, found a bunch of flaws in it, then went about getting them noticed and some of them fixed
- Talks on: Biometric security
- Talks on eBPF: eBPF is a feature of Linux environments with huge potential for protecting an environment, but it is not commonly used or made available
- Proper talk: About eBPF itself
- Workshops, panels: A whole bunch of topics taken together
- If asked for a theme: There was no single theme
- Can't say: It was a web application security conference or an infrastructure conference
- Conscious aim: As much diversity of topics as possible
Most Interesting Technology:
- eBPF has potential: From a defense point of view, for Anant
- Attack side: After a few years it starts to feel a bit boring, because in the end you realize it comes down to misconfigurations or a protocol that itself is not secure
- Example: The Bluetooth talk mentioned earlier, where locks talk over Bluetooth unencrypted and people were able to get in if they knew what signals to send
- On the offense side: Good to know as a reminder that "this situation has not improved, it's still the same"
- On the defense side: Things like eBPF make you think "this is interesting; not a big deal right now, but let me go back, bring the team together and start exploring this as an area"
Global Impact:
Audience and Speakers:
- Audience: From across the globe, not limited to India
- Speakers: From all over the place
- Defining impact: The way to look at it is "People who have attended these conferences: have they gone on to help organizations build secure solutions? Have they built their own organizations and done something for the industry?"
- Feel proud: This year at NULLCon, among the booths from commercial vendors presenting their own ideas, a bunch were NULLCon members or people who have attended these conferences for many years
- They started: In this arena at these conferences, grew within the community, now have their own products and services, and are now coming in as a different entity, a vendor, presenting their ideas
- When you see that: You see "Yes, the conference has given value to the environment"
Recommendations for Learning:
For Students (Pre-Corporate World):
- In the golden years of your life: Spend time learning about as many variations as you can
- If interested: Don't stop yourself by saying "I only want to learn one programming language or one technology"
- Whatever you can get your hands on: Learn as much as possible
- In 10 years: All those technologies will go away, but the exposure to learning variations will help you grasp any new technology that comes your way
- What to tell them to do: Build your own websites, put your resume up there, set up your own servers, explore the entire arena; that gives the confidence "Yes, I know what I'm talking about"
For Corporate World:
- Don't have a lot of time: To do everything yourself
- No one can learn: Everything
- Can target: Attending these conferences plus being part of communities
- Lots of communities in India: OWASP, NULL, and now DEFCON chapters too
- Most offer: Free monthly meetups, small gatherings with one or two sessions, but good for exposing yourself to new things happening around you, things you might want to learn and things you have no idea about
- Just go and attend: It gives a different perspective and makes you more able to grasp different concepts
- Attend conferences: Like NULLCon and a bunch of other conferences in India
- BSides conferences: Have popped up in India and across the globe
- Attending these conferences: Gives a power-packed punch; within two days you get exposed to any number of entities
- Suggestion: Keep a notepad or phone notes handy; note down things that feel different or interesting
- During the two days: Don't spend the time exploring; just note down as many new things as you want to explore
- Then go back: And explore them
- While at the conference: Make connections with speakers and with people talking about those topics
- These connections: Will help later on in understanding things
Communities:
- Good part right now: Compared to the old days there is an abundance of communities
- NULLCon community: Keeps doing events; follow Twitter and other social media and get involved through the posts
- NULL community: Runs monthly physical meetups in different cities
- OWASP communities: Also run physical meetups, maybe with additional activities
- Communities like NULL: Also run "Humla" and "Bachaav" sessions; Humla is the Hindi word for attack, Bachaav the Hindi word for defense
- These sessions: Are either attack or defense, or a mixed batch where one group attacks and another defends
- Play CTF: In that manner
- All these variations: Of events are happening in the world
- Advice: "Don't worry about which community to join, which is good, bad or more useful; join one, and if you don't like it move to another; no one is stopping you, no one says you can only join one or two"
- For example: Anant does a lot with NULL and NULLCon, but is in parallel involved with OWASP, Black Hat and a bunch of other conferences and communities
- Be involved: In as many places as you can; don't burn yourself out by being involved too much, but at the same time don't hold back by saying "I'm associated with one community, so I'll only be in that one"
- Be in as many communities: As you want
- Keep yourself open: To learning
- Be involved in the social media space: Right now X/Twitter is in decline or stagnating, LinkedIn is making more waves, Bluesky is there, Mastodon is there
- Get involved: In these communities, understand how these systems work, and be part of as many discussion groups as you can
Cyfinoid Research:
Company Overview:
- Research-based company: Started with the idea that many topics are left unresearched because in the corporate world people are too focused on protecting their own assets, and in the consulting world too focused on finishing the project and moving on to the next one
- Deep-dive research: Is what gets missed out
- Took up research: As the primary area
- Key areas: Android, the distributed web, and web applications
- Android: Focusing on both offense and defense aspects of Android applications
- Not looking at the OS itself: More focused on applications on the OS
- Web applications: Main focus is supply chain security and code-assisted auditing
- Code Vigilant: Another open source initiative, where they do code-assisted pen testing
- Distributed web: More of an offshoot, moonshot research area; lots of open protocols are coming up, such as ActivityPub and the IndieWeb movement, plus lots of blockchain-based solutions
- Idea: Explore systems that don't require a central server; how they are evolving, how they deal with scenarios, and again the offense and defense aspects: how they can be attacked and, if you run them, how to protect them
Trainings:
- Doing research on your own: Does not help anyone
- Whatever is done as research: Is what now gets piped out as trainings
- Attacking different Android applications: A training he has been delivering at Black Hat for the past two years
- Approach to Android applications: Attack the Android application on day one, then on day two say "We've attacked all of it; now let's look at how to protect all of this and safeguard the application", so both attack and defense
- Break and Fix Applications: Web applications; again a hands-on application assessment class, with four applications written in four different languages
- Go to those applications: And break them
- Once broken: You know how the attack works
- Now go and fix: Them
- By the end: All four applications have been broken into, then fixed
- Gives a holistic picture: Of the scenario
- Supply Chain Security class: "Beyond the Code - Securing Your Software Supply Chain", a newly started class
- Supply chain security: Everyone talks about the SBOM (Software Bill of Materials), touting it as the only solution there is
- Anant disagrees: With that
- What this training does: Gives people the end-to-end picture; "not just dependencies but credentials for DockerHub, the IDs for build servers, the extensions installed on developer desktops; these are all part of the problem, you should be aware of all of them and have protections against all of them"
- Covered: As part of this training
- Same approach: Day one attacks, day two defense
Last Thoughts:
- The field right now: Is changing dynamically
- Every single week or month: Something new pops up
- Either: Keep yourself on your toes and up to date on all of it
- Or: Be part of these communities and the conference circuit
- That gives a leg up: Because you get all those things packed into a smaller packet you can digest easily
- That's what it is
Key Insights:
- NULLCon is one of the biggest information security conferences in India and South Asia
- The conference caters to the entire range, from beginners to executives
- Understanding both offense and defense is crucial
- The current industry focus is on detection, not prevention or recovery
- Attack surface keeps increasing while resources decrease
- Smaller entities need turnkey solutions
- The conference fosters entrepreneurship; many attendees go on to start their own companies
- eBPF has huge potential for defense
- Communities are abundant; join as many as you want
- Cyfinoid focuses on research-based trainings covering both attack and defense
Actionable Takeaways:
- Attend conferences like NULLCon to get exposed to diverse topics
- Join multiple communities - don’t limit yourself
- Focus on detection, not just prevention
- Understand both offensive and defensive perspectives
- Keep attack surface minimal
- Test backups regularly - don’t just assume they work
- Don’t pay ransom - have recovery plan
- Note down interesting things at conferences, explore later
- Make connections - they help later
- Field changes dynamically - stay updated through communities and conferences
Summary
The video discussed cyber security strategies that both individuals and businesses can take to protect themselves from increasingly common and damaging cyber attacks. It featured an interview with Anant Shrivastava, the founder of Cyfinoid Research, who spoke about the offensive and defensive cyber security techniques and tools presented at the annual NULLCon cyber security conference in India. He emphasized the importance of understanding both attack methods and defense strategies in order to adequately assess risks and strengthen security. The conference aims to educate people at all levels, from technicians to executives, on the latest cyber threats and solutions through various tracks, workshops, and presentations.
NULLCon covers a wide range of technical topics related to web applications, payment systems, biometric security, and more. It also provides opportunities to learn from and connect with security researchers, tool developers, and companies. Anant highlighted how past attendees have gone on to establish their own successful security businesses after gaining knowledge and inspiration at the event. He stressed the importance of staying informed on new developments through involvement in local and global cyber communities.
In addition to learning about threats, attendees can discover open source tools for both offensive testing and protection. Anant discussed upcoming tracks on software supply chain security and how organizations need to take a holistic view of their dependencies and credentials to fully address vulnerabilities. Conferences like NULLCon are valuable for exposing individuals and companies to a variety of perspectives and solutions they may be unaware of, in order to help strengthen global cyber security.
Key Takeaways
Three key takeaways from the discussion are:
It is important to understand both attack techniques as well as defensive strategies in order to adequately assess risks and strengthen security.
Events like NULLCon provide opportunities to learn from security researchers and connect with peers to gain knowledge and inspiration that can lead to new career or business opportunities.
Organizations need to take a holistic view of their full software supply chain and dependencies beyond just code in order to fully address vulnerabilities.