runZero’s week at RSA 2023 killer robots, time machines, and natural disasters

CN: "First off, right, Karate Kid Rule. Man can’t see, man can’t fight. Same exact words for any attacker. I can see things that you can't see. Good luck. And if that's what I'm looking for, right, I'm trying to find those lapses in visibility."

"So in general, right, when you're thinking about making a process in testing, it's not always like the voodoo magic and you just sprinkle your hacker dust and then magically like you win. It's a bunch of really crappy work."

"It takes a ton of time and you have to have a lot of process into it, it's not just a hit a button, hope that it expands to find the things. You have to catalog every single thing that you see and be able to start to index and understand this information and what starts to emerge is patterns, right."

"You start to see, oh, this is kind of where all the old stuff lives; this is where some cool, new stuff lives, this is where some I have no idea what this is. That might be interesting at some point. You might find names. You start to find, you know, indexed pieces of not only networking infrastructure, but I mean, engineers are good. They have naming conventions so that when somebody is like, hey, they want you to steal financial records, it's like D-E-N, Denver, F-I-N, financial, and then like a bunch of numbers and you're like, oh it's probably this server you know, like."

"So as you start to get yourself familiar, it's more about situational awareness to figure out what you're going to do in forward operation then it is go find a vulnerability, scan for something, exploit it, you know, move on to offense success, It's really about that process of getting that total view of the landscape because you kind of can't make plays on the field unless you know where the boundaries are."

CK: "So how do you, how do you go about that? When you go on a pentest, what are your tools to figure out what's there, information for your pentest..."

CN: "So obviously lots of things, right? Because we have a great relationship being able to use runZero in that capacity, I think it's great, especially in massive networks. Because what you find is, you know, in a smaller network I can get a relatively high degree of success, if I'm just using basic, you know, nmap engines and I'm going to be able to find, you know, the scripts that I'm using to to be able to pull information."

"You don't get that rich bit of information. right? I know that the host is up, I know that these ports are open. I can probably go grab banners, but now I have to like grep through a bunch of shitty text files. And it's not super useful. Whereas if all those things are indexed, they are in a searchable database, you have ways to look at that information."

"It's now what's there, what's available, what's running, what version is it running? What other things can I start to collect and find out about that box?"

CN: "We were working on manufacturing facilities, right? And the robotic welding arm things, right? Cool robots are just tech world stuff. Their TCP/IP stack was awful. And it's, like, I don’t know, somebody from the eighties built it. And it’s just half-open connections that make it harder for people. And I say that like in the most loving way, because like I portscanned it just started !@#$!@#, and just started shooting welds in the air going like this and I was like, ohhh shit, you know, like, I guess I didn't know but like the..."

CK: "Just to be clear, this wasn’t with runZero?"

CN: "No, no, no, no. No, this is bad scripts that, Chris, again 24 times unsafe, 25th time unsafe. I was like try three and it was now trying to kill people. So again, you know, like those types of tools, whether it's like the idiot guard for me, which, probably need it more often, especially now that I'm older, but but being able to understand and how you can interrogate a box safely is it's the hardest thing of testing because if you're wrong, you're really wrong."

"Like it's a super super bad moment because the whole thing that you're like, oh, I found the one box that I can compromise. Oh, yeah. Just turned it offline. That's it, start over, like two weeks of work gone."

CK: "Here's the thing that kills me, you know like, for a lot of that infrastructure. OT and also like the ERP system and those kinds of things, it's like it's both, this is absolutely critical for the business to survive, and this is so fragile and you can't touch it and never touch it. These two things don’t makes sense to me."

CN: "But this this is but this is where I appreciate the approach that's been taken with runZero because they think that not not only are we looking at this like central source of truth and system of record, but the idea that the logic is built in for the grouping and for some of those things starts to create that that map of of where severity could be without having to get into them, you know, robots killing people."

CN: "I’ve also worked in a lot of other enterprises and consulted all over the planet, and everybody's trying to change stuff in their network. Well, if I can just come in and give you an inventory. But let’s say, I mean, even if I'm a tester or I just run the network or I'm part of ops in engineering, if if what I can do is come back because you hired this, like, whatever some $4 billion consulting company to come in and like, upgrade your SAP system, they're going to be like, oh, give a map of everything and the people who run it will give them the maps of like a couple of interfaces and then everything else won’t be there."

"But if you can add value to go back and go, oh, this is absolutely every single thing that we have that as a SAP vendors, be able to group them, be able to categorize them, be able to explain to them that like, well, this one was from the 90s, this one was from the 2000s, all of them don’t follow the naming conventions, half of these aren’t in DNS."

"Like you're now making a graceful transition, which is huge because being a consultant, like the worst problem is information right? And if you can do that, you can give them accurate inventory, like they might actually get the job done on time. Probably never on cost, but at least quickly."

CK: "Now for asset inventory. I think you, well, you brought in runZero, that's why you’re here. But can you tell us a little bit about how you were doing asset inventory before you brought in runZero?"

RR: "I think probably the easiest way to put it is very poorly. We leveraged a lot of open source tools, mainly the command line tools, you know, nmap and mass scan are kind of something we use regularly. And we went through a lot of logs manually, you know, to go back and try to find things. I think that became very laborious. And doing our threat hunting sessions one time we had to kick off an nmap scan that was going to take forever. One of us said there's got to be a better way than this. and so we started Googling and found you guys and here we find ourselves today."

RR: "Literally, we just downloaded it and played with it. Each one of us ran it in our home network and we were just amazed at what it found. You know, we liked the fact that you can export everything straight into nmap format or XML format or interact with the API. I think that made it really easy. Then it was really just kind of figuring out how we were going to start implementing it internally."

RR: "Yes. So oftentimes we need to find an owner of an asset. I mean, everyone has the challenge of on certain networks finding owners is difficult. The extra information that we can look through or see who maybe was on that IP first. You know, I don't think of runZero so much as an asset tool but sometimes as a time machine where we can go back and see who was on that network or on that device at a particular time. That's been incredibly helpful for our incident response and our forensics team."

CK: "How do you, give me an example of when you have an incident that you are investigating, how would you leverage runZero in that respect?"

RR: "So there could be a time in which we saw that a certain IP, let's say, certificate on an IP, we could see what the certificate was. We could then pull that certificate and pivot across and see who else had that certificate."

"I think when it comes to our FortiGates, we can tell by that type of certificate what version it is, what this may be running, and then that's helped as we’ve gone through and patched certain things. Just seeing them, getting more details. But even the web page itself, being able to get a screenshot on that web page has been really helpful with runZero."

RR: "And runZero has been really good for helping us kind of figure out what's on the network before we put stuff on, once we put stuff on. We often forget where we put stuff because as you can imagine, asset inventory is a bigger pain in the butt. Whenever you're, you know, it's a volunteer thing at the end of your day that you’re not keeping good tabs on."

CK: "When you think about how you want to mature and evolve that, looking to the future for disaster relief, etc., how are you planning to use runZero in the future?"

RR: "So I think, you know, one thing we're starting to see is, as we start to partner with bigger companies like ZPE and other companies, we're starting to leverage edge compute devices a lot more."

"So the fact that runZero can run on such a tiny footprint becomes really helpful in figuring out what else has been added or taken off of the network. As we start to at some of these sites, do things like check the fuel levels of the generator or check the voltage level of the battery, we can do all that right off of runZero console access."

"So as we start to do those things, it just makes sense to just throw a container on it, just see what else is on the network and it might be compromising. So I think when we talk about security for a lot of our other projects, you know, the CIA triad, the one we're most concerned about is availability. The others don't matter so much, and we kind of see runZero being really helpful for just making sure things are up and we know what else is running on the networks that we kind of throw out spontaneously."