SANS Penetration Testing

The Bad Guys Are Winning, So Now What? Slides

By Ed Skoudis

Below are the slides for my talk called "The Bad Guys Are Winning, So Now What?" It's my most requested talk ever.

In my job, I write two or three new presentations per year, and deliver each of them two or three times at various conferences before retiring the talk and moving on to another topic. My butterfly attention span doesn't let me stay on a particular topic for longer than that. In the past year, I've written talks titled "Please Keep Your Brain Juice Off My Enigma" (Debuted at SANS in Sept 2012 and posted here), "Unleashing the Dogs of Cyber War" (Debuted at BruCON in Sept 2012), and "Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World" (Debuted at SOURCE Boston in April 2013 a week and a half ago).

But, of all the talks I've ever written, there is one that I get more requests for than any other: my talk titled "The Bad Guys Are Winning, So Now What?" I originally wrote the talk a couple of years ago, and have updated it a dozen times since then. Maybe it is the straightforward title, or the topic matter, or something else, but I have been invited to deliver this specific talk dozens of times in two years. I enjoy presenting it, so I have continued to offer it where people have asked. I've delivered it for commercial customers, civilian government agencies, and several military groups. I'd like to release the final version of the slides below. Please do check them out here: Bad Guys Are Winning 1Q13.

The first half of the talk sets up and underscores this central thesis:

A sufficiently determined, but not necessarily well funded bad guy can break into pretty much any organization.

We talk about why that is so, discussing concepts like increasing attack surface with wireless and webification, increasing asymmetries, failing to learn lessons, and more.

The second half of the talk is the "So Now What?" part. I split things into three groups: Pen Testers / Red Teamers, Enterprise Defenders, and the Military, with specific observations and recommendations for each. My pointed conclusions are:

  • For pen testers: You should make sure your scope is a realistic view of the attack surface, and try to almost always get in.
  • For defenders: Consider re-appropriating some of your defensive resources into finding out where you've already gotten owned, and eradicating that. Otherwise, you are depending on bad guys' being nice to you.
  • For the military: Cyber space will become increasingly militarized, as we continue to deploy systems with more vulnerabilities holding highly sensitive information and controlling critical infrastructures.

It was with this talk that I first became comfortable with thinking of myself as primarily focused on offense. Before pulling together my ideas for it, I had tried to balance my life and skills between defense and offense. After this talk, I realized that I had nothing to fear by embracing my offensive side. In fact, the last line I say when delivering this presentation is "So, I guess a subtitle of this talk could be How I learned to stop worrying, and love the Hack!"

-Ed Skoudis.
SANS Instructor
Founder, Counter Hack
