In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler are joined by HD Moore, CEO of runZero. Drawing from decades of experience in offensive security, vulnerability research, and network discovery, HD shares his perspective on how defenders can better understand the real attack surface of modern enterprise environments. The discussion explores the intersection of identity and network...
00:00:12:21 - 00:00:34:10
Justin Kohler
Welcome to the Know Your Adversary podcast. My name is Justin, and I'm Jared Atkinson. And today we're joined by HD Moore, CEO of runZero, who has a huge background in cybersecurity. Thanks for joining us, HD. To kick us off, could you just give a background? You have an awesome story. Would you mind just giving everybody a view of all of the things you have done?
00:00:34:11 - 00:00:50:12
HD Moore
It's basically survivor bias, right? So I got into security really early on, like IRC, warez trading, '90s stuff, and then got into a DoD contract really early on in my career to write exploits for the military, which is fun. Then lots of startups. And then during that period started Metasploit, worked with the Metasploit community, and built that project up.
00:00:50:12 - 00:01:11:00
HD Moore
And about 15 years later decided I wanted to do something different. So I'm sure you all have similar experiences with open source projects that are long-lived. Yeah, since then I've been doing runZero, which is kind of attack surface management, exposure management. We do a lot of really cool attack mapping stuff, which kind of overlaps really well with the BloodHound world and the SpecterOps model.
00:01:11:04 - 00:01:29:21
Justin Kohler
You joined us at SO-CON and you gave an awesome talk. And you're also the creator of runZeroHound, which we'll get into here in a second. I'm curious, for runZero, if nobody's familiar with it. I know you guys also have a free product that people can use. Can you give kind of an overview of what runZero does? You kind of just did it real quick, but what it does,
00:01:29:21 - 00:01:33:06
Justin Kohler
and then what's the difference with the free product? How might people be able to get started?
00:01:33:07 - 00:01:48:16
HD Moore
Sure. So starting with the free one. The only difference really is it's free and it has a smaller asset count. Other than that, we try to give you kind of the full shebang. So if you want to do custom integrations, you want to connect to your EDR or whatever, you can do it all, just with a 100 asset cap on it, which most people's home labs are not quite that big.
00:01:48:17 - 00:02:04:14
HD Moore
So it works out pretty well. But generally what we do is we find all your stuff, we tell you what's wrong with it, and that's the really simple version. The complicated version is we do it like a thousand pen test tools in a trenchcoat pretending to be an asset inventory. We use every dumb little network trick you can imagine, info leaks, whatever, and stack them up into thousands.
00:02:04:14 - 00:02:19:22
HD Moore
And so we can do unauthenticated discovery, you know, on a remote subnet in a way that's safe, that can identify exactly what something is even without credentials. And one thing that's probably more relevant for this conversation is we can often tell you about the devices on more than one network at a time from a one-sided scan.
00:02:19:23 - 00:02:36:19
HD Moore
So even if we only see half of the device, we can tell you it's actually on another network over there, either by correlating unique asset attributes or by tricking the device into telling us about a second one. Right. And so we can build a topology of an entire environment from a one-sided unauthenticated scan, which is kind of a superpower. And that's when we're able to tell you where all the exposures are.
00:02:36:21 - 00:02:50:14
HD Moore
But, you know, the main thing we solve for is there's a new zero day in some appliance, or a zero day in some MOVEit product or Progress software. We will tell you within seconds where all those things are in your environment, so you can mitigate them without waiting on a scan or something like that.
00:02:50:15 - 00:03:09:16
Jared Atkinson
Yeah, I think one of the... So we kind of got reconnected. I think we kind of know each other from the offensive security community, but we got reconnected through you writing runZeroHound, which is kind of an implementation of BloodHound OpenGraph, but taking the data from runZero and injecting that into the graph.
00:03:09:16 - 00:03:33:03
Jared Atkinson
And I think it's really interesting because it's given a different perspective. I think we've previously talked about this idea that the BloodHound graph is primarily focused on identity attacks. So I'm operating in the context of this user account. What do I have access to? How can I log in in different places, authenticate? But there's kind of a layer that's being ignored from the BloodHound perspective, which is that layer two, layer three kind of network perspective.
00:03:33:03 - 00:03:42:21
Jared Atkinson
And when you kind of overlap those two graphs, you get the true picture of what's possible. Maybe you could talk about how you think about that a little bit.
00:03:42:22 - 00:04:10:14
HD Moore
Sure. I don't want to take credit for the idea. Of course, you guys have been thinking about it forever. We've been poking around with weird network mapping for a long time. There's also, what is it, NetworkHound? DataHound. There's some other really cool stuff happening in the BloodHound community. We didn't invent this by any means. Early on we said, hey, it'd be really cool to take the full analysis, like take your EDR data, your cloud data, your network scans, your passive data, overlay it all on top of a graph and be able to see how do you hop from network X to identity and all that
00:04:10:14 - 00:04:31:13
HD Moore
fun stuff. Right? So we did a first pass and it was okay. We got it out live. We shared it. Actually the most valuable part about that was basically releasing the open source parser for the runZero format in Go. So that was the big piece: hey, you should have a model processor for runZero data. And then for SO-CON coming up this year, or earlier this year, we said, you know, let's just pretend that runZero is not even here.
00:04:31:13 - 00:04:46:15
HD Moore
How do we make a really cool tool that does the same thing with whatever data you happen to have sitting around? So since then, runZeroHound is now not really runZero. You can use runZero data for it, but you can also pump in Nmap output, Nessus output, Qualys output I believe, Nexpose output, SNMP walks.
00:04:46:16 - 00:05:04:10
HD Moore
Almost any data you can possibly imagine you can throw into this thing, and it spits out a BloodHound OpenGraph model file, which you then load into BloodHound Community Edition, which then lets you kind of zipper that data, those entities, into your identity graph. So when I set about it, because it's not just runZero anymore, it's actually a whole bucket of cool stuff, and it's all open source and it's all in Go.
00:05:04:12 - 00:05:25:08
Jared Atkinson
And maybe one part... I was reading about this in the readme for runZeroHound. One of the parts that maybe you kind of breezed over, which I think is really cool and also somewhat complicated, is that you've normalized the data, where you're taking data from maybe Nmap or Nessus, and then you have a way to say, hey, these two tools are reporting something, but they're actually the same something,
00:05:25:09 - 00:05:27:00
Jared Atkinson
and so they're related to one another.
00:05:27:03 - 00:05:40:11
HD Moore
Yeah, that's what we do all day at work. So it was a little bit like returning to my day job on this thing, which... I don't want to step on my own commercial toes too much, but you kind of need to do it to give you a good result. You can't have 15 things that are all the same thing but reported independently, right?
00:05:40:13 - 00:06:06:17
Jared Atkinson
We kind of run into that on the identity layer where we have an Active Directory computer that's also hosted as an Azure device, which is also, you know, an Intune managed device. And so from the perspective of the Intune collector, it sees an Intune device, but that's actually an Active Directory computer. And so that means that if you're able to compromise Intune and you're able to get code exec on that Active Directory computer, those create these hybrid attack paths, which are the things that we think of as kind of our bread and butter.
00:06:06:17 - 00:06:20:21
Jared Atkinson
That's like the secret sauce: understanding how control over one platform leads to control over another platform and that kind of thing. And what we find is everything is interconnected. It's significantly worse than we thought it was when we set out on this problem.
00:06:20:22 - 00:06:38:16
HD Moore
I mean, that's my favorite part of a fantastic find, unexpected pivots, like doing a pentest for a very secure organization where everything was HSM and locked down. But we took over a 20 year old tape robot backup system, and from there we could pop everything else. So I love finding the weird corner cases like that. One of them I'm working on now that isn't public
00:06:38:16 - 00:06:53:10
HD Moore
yet, and will hopefully get out there, is out of band management systems. So being able to find all your KVMs, your BMCs, all your out of band serial port servers, and then figure out what the hell's attached to them, and then map those two together and build it. And you show the dependency that if I pop this DRAC, I actually take over the server, and vice versa, right.
00:06:53:11 - 00:06:58:00
HD Moore
So we'll kind of show the bidirectional out of band management. That's kind of my next point here.
00:06:58:01 - 00:07:14:14
Justin Kohler
You actually talked about that at your second talk too. And I was like, the dependencies of trust... We have a similar way of talking about that, with the... I'll let you coin this term. Jared, you're going to do a better job than I can. The security dependency.
00:07:14:15 - 00:07:31:07
Jared Atkinson
Yeah. Oh man. What is the principle? I can't even think of what it is off the top of my head. You just threw it on me. I know, the general idea is that there's a security dependency. So imagine that you have Active Directory syncing up to Okta, and then Okta is being used for
00:07:31:09 - 00:07:58:16
Jared Atkinson
federation to GitHub. Now there's this chain of dependency. We previously had thought about nested group membership, for instance, or this idea of transitive control. But now we're thinking about this at a higher level, which is the security dependency chain across platforms. And the general idea is, if I compromise Okta and Okta is being used for federation to GitHub, that means I necessarily have control of GitHub.
00:07:58:17 - 00:08:16:14
Jared Atkinson
And the question is, the one hop is usually really easy for people to discern. The four hops, that's where it starts to get very difficult. And the GitHub administrator has no idea that they have this downstream or upstream kind of dependency on Active Directory, for instance. It's the clean source principle.
00:08:16:15 - 00:08:26:20
Justin Kohler
Yeah. There you go. But you were talking about that from the network side. And it was so awesome. I don't know if I could put you on the spot and have you explain how people under-think that problem.
00:08:26:21 - 00:08:42:07
HD Moore
Sure. I could show off a little bit too, if you don't mind. So the main challenge is it's really hard to tell how things are connected until you really dig into it. So first we'll do a little crazy Zoom thing, okay. But here's runZeroHound. You want to play with that? runZero Inc, runZeroHound, Google it.
00:08:42:08 - 00:09:03:21
HD Moore
Good. So one example was trying to figure out what the exposure of a device actually is. So we did a scan of protocol gateways. In this case it was just EtherNet/IP slash CIP. And we said let's go scan the whole world for these two things. Let's figure out where they all are. Let's drill into them and let's see what's actually behind them.
00:09:03:21 - 00:09:20:23
HD Moore
So if we can talk to the gateway, it will let me talk to another bunch of devices behind it. And it was a crazy scary number. We found 6,611 internet facing devices, which is bad. But some of these were thermostats or things you don't really care about. But behind those devices, we found 102,000 other devices that are actually way more important.
00:09:21:00 - 00:09:38:08
HD Moore
So a good example is you can find a school's thermostat on the internet and you're like, yeah, whatever, you turn the AC off. But through that device you can get to the life and safety systems: you configure the security announcements, the door locks, all the really, really scary stuff like fire suppression. It's actually accessible through that one thermostat through the BACnet protocol.
00:09:38:10 - 00:09:53:09
HD Moore
Similarly for Modbus, EtherNet/IP, all these other OT kind of manufacturing protocols. Same thing. You can talk to the gateway, you can talk to everything behind it. So how do you go about actually showing those dependencies? We'll do a couple of the scary ones. Here is a police station. And you can see the public facing Niagara Station 4.
00:09:53:09 - 00:10:07:05
HD Moore
And then you can see all the stuff actually behind that device, including valves, door locks, you name it. So if you want to go all, you know, Watch Dogs, or release all the prisoners, you could do something like that if you wanted to. But yeah, this is just a quick hack for you to get a sense for it. Now,
00:10:07:05 - 00:10:20:06
HD Moore
we said, let's go actually build that for real in the product. The challenge is when you're trying to show these kinds of dependencies, it's really difficult. One thing we noticed early on, trying to build a graph in runZero, and I actually pulled up one example of what it used to look like, is it's so horrible.
00:10:20:08 - 00:10:24:23
Jared Atkinson
So Justin feels that comment. Yes, I do. Yeah.
00:10:25:00 - 00:10:30:18
HD Moore
So we have this old layer three dependency graph and it looks like this. Everything kind of connected and ugly.
00:10:30:18 - 00:10:35:02
Jared Atkinson
And that is an engineer's version of the graph, for sure.
00:10:35:03 - 00:10:51:23
HD Moore
Right. And it was really difficult to do anything with that because everything looks like spaghetti. So we said let's start over. Let's actually build a brand new graph from scratch that shows you both layer two and layer three at the same time. And this is kind of what you guys are getting at with your identity graph overlaid with the network graph: you want to be able to show those things as a tree.
00:10:52:00 - 00:11:13:05
HD Moore
So in this case what we have is a Modbus gateway and it's hanging out over here. And then you've got your internet, your gateway device, and behind the gateway over here, OT subnets. But you can go to a device that is actually not directly connected to the internet, with whatever traces on the internet, and show the connection going through the firewall, hitting your actual Modbus gateway, and then going from there to your actual OT device behind that system.
00:11:13:07 - 00:11:28:08
HD Moore
And so that's one example of how we're trying to show this better. The challenge is, you click on any one of these individual networks and we show you the cross connections, and it gets crazy. Just this one subnet has cross connections to every other subnet. So when we first wrote this thing we were like, let's just show all the links all the time.
00:11:28:09 - 00:11:44:23
HD Moore
But you literally could not represent it. It was just one giant pile no matter how you looked at it. Yeah, kind of a ranty version of it is, you can't actually show all the links at the same time to the same user, because it's not parsable. There's no way for the customer to figure it out, or for you to figure it out.
00:11:45:00 - 00:11:54:20
HD Moore
So you have to do a lot of work of actually showing the individual path and actually showing those different layer transitions without just putting a million lines on the screen. Right. And yeah, I think that's the hard part of this problem.
00:11:54:21 - 00:12:12:03
Jared Atkinson
One of the ways that I think about this is, man, I think there was a Netflix documentary, docuseries thing, that was maybe apocryphal in some sense, but it was about Google Earth and the origin of Google Earth. I think the original product was called Terra Vision or something like that.
00:12:12:03 - 00:12:28:02
Jared Atkinson
And the big breakthrough was their ability to infinitely zoom in and out. So you start with the Earth and then you zoom in, and they wanted to have this smooth transition as you go in towards the continental level and then the country level and then the state level and then the city level, all the way down to the street level.
00:12:28:02 - 00:12:48:05
Jared Atkinson
And so I think of it like that, where when you're presenting this to customers, we talk about the identity graph. So imagine that there's a graph in Active Directory. But then there's a zoomed out version, which is that thing that we talked about with those platform security dependencies, where Active Directory is connected to Okta or Active Directory is connected to Azure.
00:12:48:05 - 00:13:02:14
Jared Atkinson
And you show this very high level, less granular picture that just shows the interconnectedness between the platforms. But then you could zoom in on any one of the platforms to understand the interconnectedness within the platform, so to speak.
00:13:02:18 - 00:13:19:17
HD Moore
It's a good point. One thing we found was, when you're showing those graphs, we try to show the most heavily connected nodes at the top of the graph and flow downwards. And so even if you don't know how it's connected, you know everything at the very top of the dependency graph is more important than the ones at the bottom, because there's more hyper-connected stuff there. Kind of a neat way to do a layout in that model.
00:13:19:20 - 00:13:33:06
Justin Kohler
For sure. When you describe this, whether it's through runZero itself or just helping people understand this, what kind of things have you found that people are like, wait a minute, what? How is that connected?
00:13:33:08 - 00:13:33:13
HD Moore
I mean.
00:13:33:13 - 00:13:43:16
Justin Kohler
The story is, a lot of times we do the same thing with BloodHound. It's like, wait, how are you going from one thing to five other things, then eventually, you know, owning the entire world?
00:13:43:18 - 00:14:01:12
HD Moore
You guys are probably running into this. The second you show them the full map, they go, what do I do about it? Everything is one hop from everything else. It's all one degree of Kevin Bacon across your entire environment. And there's... I mean, we're looking at how close safety relevant systems are to the internet.
00:14:01:12 - 00:14:12:12
HD Moore
And it's almost always one hop or less. You almost never have more than one hop, because they're only one Fortinet away from your whole factory being set on fire. Right. And that's kind of what the world looks like.
00:14:12:14 - 00:14:19:14
Justin Kohler
You mentioned in your talk, you were saying, you know, air gapped networks are never really air gapped. Yeah, there's always some connective tissue.
00:14:19:17 - 00:14:38:21
HD Moore
It's amazing. I mean, either it's out of band connectivity, or it's a cellular router that somebody's put in that you don't know about. So oftentimes you've got an offline OT network, but the vendor puts a monitoring station in that has a little LTE modem in it. And depending on which APN it's connected to, it's either directly on the internet, directly exposed, or it could be connected to a big shared VPN that any other customer can get to.
00:14:38:22 - 00:14:57:03
HD Moore
So we've seen cases like that before. In the early days... I think it's long enough ago to talk about this. All the Audis in 2001 could actually do the same dial-up network in the UK, and you could dial into the same network using the credentials. And it's like, tell other people's Audis to deploy their airbags and brakes. And it's still like that in the OT monitoring world.
00:14:57:03 - 00:15:01:08
HD Moore
You have these big shared subnets that, if you can get into them, you can get to everything.
00:15:01:10 - 00:15:27:07
Justin Kohler
Oh man. Not to ask the stereotypical... I'm sure we've all been hearing about AI, but how do you think about that in this context, when everybody's worried about the vulnerability apocalypse or the capability? And I think there's the myth and there's the fear, but there's the very real thing that these things are gaining speed and competency,
00:15:27:13 - 00:15:35:00
Justin Kohler
capability. Yeah. Knowing what you know about the network, what are your thoughts there?
00:15:35:02 - 00:15:50:00
HD Moore
I mean, the short version is we used to be gated on compromise by how much time attackers had. And so unless you're North Korea, you didn't have that many people sitting around, you know, idle to attack the world right now. North Korea got really good at it. But now everybody can be North Korea. Everybody can do the same level of attacks at the same speed.
00:15:50:00 - 00:16:06:18
HD Moore
It doesn't really matter what the models do with their safety, because you can run half these things offline, ablated. Right. So we're well beyond the point of no return for folks being able to have at least reasonably senior pentest capability anywhere they want, almost for free. And they can also have almost infinite compute and attempts to go after it all.
00:16:06:18 - 00:16:21:04
HD Moore
So for me, it actually just brings us right back to where we were in the '90s. In the '90s, all the hackers definitely wanted to... you had these old boxes, everybody had 0days for everything. So your only way of protecting your network was very much fundamentals. Like, this is not connected to that. This has defense in depth.
00:16:21:04 - 00:16:34:21
HD Moore
This has good logging. It doesn't really matter whether you apply a patch if a hacker has something that your patching doesn't help with. And we're right back there again. So most of the vulnerabilities that are currently in the queue don't even have CVEs yet. There are so many thousands of bugs stacked up across all the open source repos right now.
00:16:34:22 - 00:16:48:11
HD Moore
We haven't even started allocating the bugs that will impact us again. So we're so far behind. That wave is about to crash, and then right behind it is a wave we'll never have time to get out of. So we're going to go from people saying, well, I can patch my top 1% of vulns every week, to it doesn't matter if you patch it.
00:16:48:11 - 00:17:02:00
HD Moore
You're going to be hit by the next custom zero day for your custom app, for this long tail supply chain thing, on the fly, for just one attack. And a lot of folks say, well, that's okay, you know, I'm not going to be the first person targeted, so it doesn't really matter. They're going to go use this exploit against more important targets.
00:17:02:00 - 00:17:14:05
HD Moore
Then they'll get caught. That's what we all see for things like Chrome and iOS bugs: you're not the target, the politician is, and you'll get the benefit when Apple finally finds it. That's no longer true if you have enough resources to target an exploit for every single organization in the long tail.
00:17:14:09 - 00:17:16:00
Jared Atkinson
More indiscriminate basically, right?
00:17:16:02 - 00:17:28:14
HD Moore
Yeah, everyone can go for a zero day just for you particularly, and there's no chance of getting caught because, you know, if you're targeted that narrowly, you're not going to see it. You're not going to detect it. You don't really have warning that can help you. So yeah. Welcome. This is where
00:17:28:14 - 00:17:52:18
Justin Kohler
you are. Yeah. I mean, we're saying the same thing, right? We've helped organizations. It's funny because I was talking to a customer earlier this week, and when we first deployed within his organization, he was saying, you know, when you were initially talking to me... because he wanted to basically be prioritized based on the difficulty of attack.
00:17:52:18 - 00:18:13:00
Justin Kohler
And I said, I don't think that that's worth doing, and here's why. That's highly subjective. How do you measure that? And I think you want us to focus in different areas. And you know, we had some conversations. Then fast forward. He's like, we're creating bypasses on the fly for major EDR vendors.
00:18:13:00 - 00:18:35:13
Justin Kohler
And he's like, so I get what you were saying. And so rather than focus on the attack paths that may have been difficult, network, identity, whatever, they are no longer difficult. And this vulnerability thing is just the way to get in the front door. And how you make your organization resilient is understanding how you're connected,
00:18:35:13 - 00:18:38:15
Justin Kohler
and are those things that you intended on connecting?
00:18:38:17 - 00:18:51:22
HD Moore
It's the same old stuff, right? It's defense in depth. It's blast radius, it's auditing, it's logs. If you don't know what someone can get to when they got to a given point, like your host... So if you know that, hey, they got to the server, they can get to these ten other things, that's great. If you don't know that, you don't know what data was there.
00:18:51:22 - 00:19:03:06
HD Moore
You have no ability to figure out what happened in the sense of a breach. And since you can't stop the attack anymore, you need to do the next step of understanding your technology stack and understanding your interconnectedness and so on.
00:19:03:08 - 00:19:20:08
Jared Atkinson
I'm just going to really double click on your point, Justin, because this is a comment that comes up a lot, and I don't think that there's a better person we could be asking about this for their opinion. Justin made the comment. So to give the full premise, imagine that for every edge in the BloodHound graph, that's like the identity edge,
00:19:20:09 - 00:19:43:03
Jared Atkinson
imagine that there's some tradecraft associated with traversing that edge. And so customers are asking us to basically establish weights on those edges, based on... one of the features would be the difficulty to actually traverse the edge. My gut feeling, and I think I probably have some backing on this, but I'm curious what your thoughts are,
00:19:43:04 - 00:19:56:21
Jared Atkinson
is that the way that computers work is that once you understand how to traverse it, you build a tool and the difficulty rounds towards zero, essentially. Does that sound reasonable from your perspective?
00:19:56:22 - 00:20:11:16
HD Moore
Yeah. It's never the difficulty of delivering the attack these days. Right. Because someone builds an exploit, you can use the complicated exploit all day long. You don't have to care about building it yourself. And even more so, it's about how reliable is it? Can you stop it? How many chances do you get to detect it before it goes through?
00:20:11:20 - 00:20:23:06
HD Moore
So I mean, that's kind of it. Same thing on our side. We have folks saying, well, what vulnerabilities do I care about the most? Like that's what really matters. None of the ones that you're currently getting reported to you by your vuln scanner are relevant to your security right now. What matters is what tech you have exposed to the internet.
00:20:23:06 - 00:20:38:08
HD Moore
What tech is behind that? How are you connecting it all together? Because that's what's going to be hit. No one cares that you didn't patch your Red Hat server that's three levels deep in your network. They care about, you know, the easy way into it. And yeah, I think attacker effort now is no longer a resource
00:20:38:08 - 00:20:40:08
HD Moore
we can pretend it is.
00:20:40:10 - 00:20:58:22
Jared Atkinson
Yeah, I think the other idea is that both of our products do a really good job of kind of dissuading you, or showing you the delta between how you think you configured it and how you actually configured it. Right. Because a lot of times you have this concept of what you intended to do in your head.
00:20:58:23 - 00:21:18:00
Jared Atkinson
The problem is that in these large environments, it's very complicated, or at least maybe complex, in the sense that everything's interconnected in different ways. It's easy to understand what the outcome of one single configuration is. But once you start aggregating several configurations together, you lose control over what's going on.
00:21:18:00 - 00:21:29:18
Jared Atkinson
That's what you're talking about with that spaghetti, right? Everything made sense in a vacuum. But then when you tie it all together, now it's just this complete hot mess where nobody has any concept of what it actually looks like.
00:21:29:20 - 00:21:45:19
HD Moore
And every individual person who is responsible for it didn't see the rest of the picture. They're all kind of describing the same elephant. So even if I put on my developer hat, I make the same security bugs as customers would. Right. I'm not meaning to. Just because I have a security background, you still get tunnel vision on what you're building, and you don't think about the side effects until someone else points them out.
00:21:45:20 - 00:21:50:22
HD Moore
So it's one of those things where we really do need an external perspective, even if you feel like you're an expert in this space.
00:21:51:00 - 00:22:12:06
Justin Kohler
We've been seeing this for the last, I don't know, six months now at least, especially as we got into OpenGraph: the complexity of a specific system. So an isolated network can be very, very, very complex. So if I do a whole bunch of work securing Active Directory, I can feel good about that security.
00:22:12:06 - 00:22:35:19
Justin Kohler
And maybe I can theoretically understand all the connections in it. But I have no idea, when you trust something else, like we mentioned, connecting to Okta or connecting to Entra ID, there are connections that are managed outside of my team, and now they are thwarting or undoing security. There's a security dependency that I have no visibility over. What I think I've configured is
00:22:35:19 - 00:22:57:00
Justin Kohler
I've only allowed this one principal into my organization, but that has complete wide-open access. It's been interesting to see BloodHound being used as an IT planning or IT kind of tool. We thought of it initially and mostly as a security tool. You know, we're finding issues and showing you how to fix those.
00:22:57:00 - 00:23:09:14
Justin Kohler
But a lot of people were saying, I don't know how this thing applies, so I'm going to try to figure out how it's modeled. Do you guys get that in runZero too? I would imagine this would be incredibly helpful for network teams.
00:23:09:20 - 00:23:24:17
HD Moore
Yeah. I mean, you get a little bit of both. In the early days, I started the company to sell it. I'm like, IT needs something that's actually true, not what their discovery scanner is telling them, right? Not just the management scope. And then we found out that IT doesn't often care unless they are responsible for managing it.
00:23:24:18 - 00:23:38:11
HD Moore
It doesn't matter to them until it blows up and it's a problem. And so one of the reasons why you have that kind of blind spot is, it's like, well, am I replacing it or doing help desk on it if it's bad? I don't really care if it's a vendor's. That's not me. I don't really care about it.
00:23:38:16 - 00:23:53:03
HD Moore
But the security teams do have to care about all of it. So naturally we got pulled from the IT side to the security side. But then we've been finding out for the last two years we can pull back. Security teams tend to be our buyers, but then the entire org behind it, like the network IT teams, all of them are like, wow, this is actually interesting, or this is wrong.
00:23:53:03 - 00:23:56:22
HD Moore
I don't believe it. Oh crap. It is. You know, that kind of process.
00:23:57:00 - 00:24:01:10
Justin Kohler
I love that comment. Oh, this is wrong. Oh wait, no it's not.
00:24:01:11 - 00:24:05:08
HD Moore
I mean, that's the fun part. Being wrong is like half the fun of being in security. You never want to be right.
00:24:05:09 - 00:24:23:01
Justin Kohler
The crossover, the pullback, and the, you know, security is interested, but it's actually somebody else's responsibility, is the same thing that we see in identity. And it's weird to see where identity fits in the organization, whether it's under security or not. But we see the same kind of, hey, this is a concern.
00:24:23:01 - 00:24:44:23
Justin Kohler
It affects our security, but this is actually an identity problem. But we have the same issue that you talked about on the IT side: the identity teams commonly don't have the scope of the problem, or aren't charged with the responsibility. So they are, I don't want to undersell what IAM folks do by any means, but I'm going to take the very pessimistic route.
00:24:44:23 - 00:25:06:00
Justin Kohler
If we're doing user access reviews and people have access to do things that they need to do to get their job done, which is incredibly important. Again, we're security. Security is not the business. Right. But that conflicts sometimes with, hey, we're creating a security issue that's pretty severe. So it's just funny to hear the corollary on the network side.
00:25:06:01 - 00:25:19:04
HD Moore
Sounds like you blame that team, right? Because half the time they're going to be pulled by their vendor: you must give this account this credential, this service account must have these permissions, because the vendor is too lazy to make their stuff work without it. And you're kind of putting the entire sub-org at risk at that point.
00:25:19:05 - 00:25:42:04
Jared Atkinson
This is the idea of delegated access. So Justin talked about it from the Okta team to the Active Directory team, where you're delegating access to some other part of the organization to which you belong. But that's also what you're describing, HD, which is the vendors. Right? A lot of times vendors need access, or some sort of, you know, credentials into your organization, to do whatever it is that they do.
00:25:42:04 - 00:26:05:02
Jared Atkinson
We saw this with the Salesloft Drift incident, where Salesloft had access to their customers' Salesforce tenants, and then in those Salesforce tenants, apparently people were keeping passwords and notes in Salesforce documents or whatever. But there's this problem where you are accepting third-party risk, and you have literally no idea how that vendor is securing the credentials that you gave them.
00:26:05:03 - 00:26:20:05
Jared Atkinson
Worst case scenario, they just have it literally sitting in their downloads folder, and they have an SSH key into your environment sitting in their downloads folder, or they're storing it in GitHub. Like, yeah, we saw, apparently everybody's doing everything in GitHub is what I've learned recently. Yeah.
00:26:20:07 - 00:26:35:23
HD Moore
The scary part is that the three biggest causes of breaches that I've, you know, been involved with on the side or helped someone resolve are from the security tools. If you want to get someone's password, the quickest way to do it is just sit back and wait for the vuln scanner and then say thank you for your credential relay or whatever you want.
00:26:36:00 - 00:26:36:15
Jared Atkinson
Yeah.
00:26:36:17 - 00:26:56:03
HD Moore
So I mean, that's it. But the vuln scanners need those permissions. So what you're seeing now is the vuln management industry moving to, and only because there's no safe way for them to do it anymore. There's so many different, you know, potato, relay, whatever's out there. The same thing goes for, I'll pick on Palo Alto Networks. Palo Alto Networks has a User-ID feature, which is constantly being problematic.
00:26:56:04 - 00:27:16:01
HD Moore
The idea is that when a device starts acting weird, your Palo Alto will log into that device with WMI and actually see who's on it. But of course, if the thing being weird is an attacker, and an attacker then collects your credential in a criminal network ad, then, this is a bug I found ten years ago, you could basically just see all the DA creds from all the Palo Altos on the internet by port, and it's kind of the same thing.
00:27:16:02 - 00:27:31:00
HD Moore
And then the last category is your network management tools, things like your SolarWinds and other things like that. They're polling the network with creds. Again, you sit back and crunch, then turn around and scan and work with them, and off you go. And now you take over all the network equipment, and your segmentation no longer matters if you control the switch.
00:27:31:02 - 00:27:54:16
Jared Atkinson
That reminds me of the old DoD red team tactic, which is you just break something and wait for the admin to RDP in. Perfect. Yeah. I mean, that was the same thing. We saw that with, you don't really see this too much with modern implementations of backup software, but backup software used to log in interactively to pull a backup of the host.
00:27:54:16 - 00:28:18:14
Justin Kohler
And that leaves credentials. And so you could just wait to get backed up. And then now you have the power of the backup, which typically was done through a domain admin, which is just nasty. Gosh, there was another example of that. It is just funny, the security tools being the problem here, but now I'm drawing a blank on the other one.
00:28:18:18 - 00:28:31:14
HD Moore
Or getting better. The problem is, getting better means going endpoint on everything, right? And so if you don't have an endpoint agent, you can't do any of this stuff securely. But then 60% of your stuff can't take an agent. So now you're stuck with, you know, a large portion of your org that is still kind of a dark spot, right?
00:28:31:15 - 00:28:45:06
HD Moore
So we've kind of taken the opposite end from everybody else. The rest of the world went after cloud, and we said, great, we'll take care of everything else except for those, and do a really good job of counterbalancing your endpoint and your cloud coverage with the real-world network and physical connectivity.
00:28:45:08 - 00:29:03:04
Jared Atkinson
That's where we're kind of moving towards the cloud with a lot of what we're adding to the graph. But our bread and butter will always be Active Directory. I mean, always, maybe not. But for the foreseeable future. We sometimes get questions like, well, Active Directory is going to go away. And it's like, probably not, probably not anytime soon.
00:29:03:05 - 00:29:24:00
Jared Atkinson
Maybe in individual companies, they might get rid of Active Directory. But on the whole, especially for the large enterprise clients that we're trying to interact with, not at all. Active Directory is here to stay. And I actually think, you know, with client-side exploitation, for instance, the big problem is where the users are.
00:29:24:03 - 00:29:49:07
Jared Atkinson
Right. So it happens to be Active Directory by and large that ends up being that most central node in the overall platform graph, I guess. But really, if they moved off of Active Directory, users have to come from somewhere. And so wherever that is is going to end up being the place where credentials congregate, I guess, because people are logging into systems and exposing their credentials or their cookies or their refresh tokens or whatever it might be.
00:29:49:08 - 00:30:08:16
Jared Atkinson
And so that's the opportunity. It just happens to, by and large, be Active Directory today. But it could be something else in the future. I remember my other example. There we go. Jared pointed this out when we started mapping GitHub: you mentioned storing credentials, or basically GitHub secrets.
00:30:08:17 - 00:30:34:12
Justin Kohler
Right. So it's doing good work finding secrets in branches and repos and stuff. But people will misconfigure the access to the secret center. So I don't need to scan your repos, because you just collected them and put them in one place, and now I can get them all from there. Yeah. Get this. This is such a tragedy, I guess, but it's like a tragic comedy where GitHub has a secret scanning capability.
00:30:34:13 - 00:30:55:15
Jared Atkinson
Right? And you actually pay for it. So you have to turn it on per repo. And then it has a bunch of signatures that will look for GitHub personal access tokens or AWS keys and all kinds of different things. So they probably support, I don't know, hundreds of different types of credentials. And what it's doing is it's trying to detect when you put a plaintext credential in the contents of the repository, and then it will pop an alert.
00:30:55:16 - 00:31:10:03
Jared Atkinson
Right. And the idea is that you should go in. It has a validation feature where it probably does some sort of whoami thing to check that the credential is actually a credential. And then ideally you would resolve that by removing it, getting rid of the git history and all kinds of stuff.
00:31:10:05 - 00:31:25:21
Jared Atkinson
What we find is that people turn that on and then they don't actually fix it. And so we'll be doing a red team and we'll find that we compromise a GitHub user, and that user has access to literally thousands of these secrets, where the hard part is figuring out which secret you care about.
00:31:25:21 - 00:31:41:20
Jared Atkinson
But rather than having to crawl through all the contents of all the repositories that they have, there's now a central place where I can go and say, can you show me which repositories and which file in the repository has an AWS credential? And it's like, oh yeah, here you go. Go check that out.
00:31:41:21 - 00:31:43:00
HD Moore
That's great.
00:31:43:02 - 00:32:08:17
Jared Atkinson
So that's fun, especially when you pay extra for that feature. That's what ends up getting you. Well, back to runZero. So obviously runZero, and people can check that out, and GitHub. Back to just getting started on this. Honestly, I'm super eager to try this out now. runZero, the account, it's the free product, right?
00:32:08:20 - 00:32:12:06
Justin Kohler
How do people get started with this? What would they need to get started? How would they
00:32:12:06 - 00:32:26:17
HD Moore
Deploy. Try, pop in an email address and you get to log in, and off you go. That's it. And you can do, we don't advertise it very much, but you can do full external hosted scans against your IP, free of charge. So if you want to have your own little mini EASM for your home network, go for it.
00:32:26:19 - 00:32:40:13
HD Moore
So all the connections are there. You want to connect to your, also custom integrations. You wire up your home Tailscale to runZero, you can do that. So there's all kinds of stuff there, including the network maps and pivoting and all that kind of fun stuff; it's all basically on by default for community as well.
00:32:40:14 - 00:32:54:12
HD Moore
And again, the only thing is it's 100 assets that are recently seen, last 30 days. So if you have a bunch of containers going up and down, it'll age out and whatnot. So yeah, the great thing about what we find is a lot of our most aggressive home users end up being also amazing customers.
00:32:54:13 - 00:33:10:13
Justin Kohler
Oh, yeah. I'm sure. Oh, yeah. Yeah. Because I mean, I think that's part of the thing with BloodHound too, right? People run it and the best thing is seeing it inside your own network. Not theoretical. Like, oh, I understand what this is doing. And then they can make the case, right?
00:33:10:15 - 00:33:25:18
Justin Kohler
And I think, you know, vendors can say anything that they want, but if you can actually understand and see it in practice, that's a big, powerful thing for people. Just to be clear, do we have to deploy anything to run runZero?
00:33:25:18 - 00:33:43:12
HD Moore
No. I mean, if you want to scan your internal network, you should deploy something like a scanner, where you download a scanner and you run it someplace or across the top. But whatever you have, like a federal Run Pi or even free or anything that basically has a heartbeat it can run on. Even a clear version of the scanner will run on Windows without having privileges.
00:33:43:12 - 00:33:49:18
HD Moore
So if you need to pop a box and relay through it. So you can definitely tell who it was built by. But everything about what we do is like.
00:33:49:19 - 00:33:51:21
Justin Kohler
I was just going to say.
00:33:51:23 - 00:34:10:01
HD Moore
We do some really fun stuff, like when you download the Explorer and double-click it, it connects back to the infrastructure and there's no site key. But it also has a code signature. But the Authenticode signature is older. So we're basically stamping metadata into the binaries without breaking Authenticode, and having our own code signing internally to double check.
00:34:10:03 - 00:34:19:00
HD Moore
So there's a whole lot of really fun techniques stacked up so that it's really easy for the user. But it does make EDRs very happy, because there's a different hash every time you download it, even though it's got signatures.
00:34:19:04 - 00:34:35:08
Justin Kohler
That's awesome. Well, anything, I don't know. Do you have any more questions? I don't know, this part we may end up having to cut out if you're not ready for this, but do you have the 3D map pulled up? I think that was a really cool thing that you showed us in the lead-up to this.
00:34:35:08 - 00:34:44:22
Jared Atkinson
And it just reminds me of when you showed it. It reminded me of Hackers, with, is it the Gibson in Hackers? And when he's kind of surfing through the file system.
00:34:45:02 - 00:34:54:02
HD Moore
Yeah, for sure. So this is a really small network. But you can pop on the 3D one and then immediately go to, you know, Minecraft, fly around with your pew-pew maps up here and stuff like that.
00:34:54:03 - 00:34:54:18
Justin Kohler
Yeah.
00:34:54:21 - 00:35:09:07
HD Moore
It was kind of fun trying to figure out how to represent it, because the very bottom layer here is your subnets, and then the next layer up are your assets, and then you've got things like your net gateways, your devices. And then above these are actually your risk levels. Your most critical risk and high risk are actually vertically high on the screen.
00:35:09:09 - 00:35:21:23
HD Moore
So it's kind of a neat way to represent it. It's really difficult to do this at scale where it's still real. And of course you can then search. This is just show me my servers, just my cameras, endpoints, etc. This one is actually not that big. Let me see if I can pull up a really horrible one real quick.
00:35:22:00 - 00:35:29:09
HD Moore
So here's like a scan of Starlink for kicks too, but let's see if it's going to actually load. This might be a little bit big.
00:35:29:11 - 00:35:43:00
Justin Kohler
This is one for podcast listeners: you'll want to check out the video of this, because this is pretty. Yeah. Especially if you've seen Hackers before. This is how we drive people to the video.
00:35:43:02 - 00:35:55:19
HD Moore
The layer two map is really cool because you see all your different types of networks overlaid. The layer three one is fun just to kind of show off to your boss and generally play around with. Plus, if you use Minecraft or first-person shooters, it's the same controls, WASD and so on.
00:35:55:21 - 00:35:57:03
Justin Kohler
Here we go. Oh my goodness.
00:35:57:05 - 00:36:13:00
HD Moore
Yeah. So here's like most internets, Drax and IQ lies, exposed to the internet at once. And of course you can zoom down. You kind of see different layers. Here's all the different subnets, connectivity; click on the internet, for example. Here's all the direct internet paths coming into it. And then you can zoom in and play with it.
00:36:13:02 - 00:36:25:00
HD Moore
Let's see if we can. Real quick. There we go. Okay, so the cool thing is you can grab any random node here and say, I want to do a trace. And then it will basically clear the entire view to show you the little packets coming into it. Sorry.
00:36:25:02 - 00:36:28:08
Jared Atkinson
Are those packets actual packets like are they correlated?
00:36:28:10 - 00:36:44:12
HD Moore
No, I'm just showing you roughly, here's the path that bad traffic will go. And if we start removing some of the layer two and layer three stuff, it gets a little bit more visible. And again, if we start clearing some stuff, like I only care about IT management devices, for example. Let me turn the trace off real quick.
00:36:44:12 - 00:37:06:12
HD Moore
There you go. So you can clear them out and say, I just want to see VMs, I just want to see, etc. I just want to look at network devices. But that's a lot of fun. So you can see really fun stuff with it, but it'll melt your browser at some point. So the really cool thing about this is we actually got it to represent millions of assets at the same time without crashing your browser, even for layer two and layer three maps, even when it's a giant pile of spaghetti.
00:37:06:12 - 00:37:13:08
HD Moore
But yeah, this was a lot of fun, and definitely play with that. This is big internet scans, but internal corporate networks actually look worse, if you can imagine it.
00:37:13:10 - 00:37:19:05
Jared Atkinson
Don't be like Justin and try to run this in Safari. Probably.
00:37:19:07 - 00:37:26:08
Justin Kohler
Yeah, yeah. Sins of the past. Well, HD, anything else that we didn't hit on that you wanted to talk about?
00:37:26:10 - 00:37:40:09
HD Moore
I think we're both fans of what each other does. You guys have been killing it in the identity space. We try to do our part in the network space, and I think we're both really excited about the same thing, which is most folks are kind of narrowly focused in one area of security, and it doesn't really matter which, taking into account the rest of the picture, right?
00:37:40:10 - 00:37:43:08
HD Moore
We want everyone to understand that, whether it's through our product or not.
00:37:43:10 - 00:37:57:03
Justin Kohler
Well, thank you again for joining us. It's okay if people haven't seen that talk; those will be posted hopefully soon, or by the time this recording goes out. And yeah, awesome to catch up with you. And again, I'm sure we'll be talking again soon.
00:37:57:06 - 00:37:58:05
HD Moore
Thank you. A lot of fun.
00:37:58:07 - 00:37:59:19
Jared Atkinson
Thank you. Thank you.