--[ Back to Basics: Why Your $10 Million SIEM Won't Stop the Bad Guys

Personal
$ getent passwd mklink
.
├─── name: Mark Klink
├──── org: Mission Command Training Program (MCTP)
└─ social:
   └─ twitter: @evilbotnet
Experience

Currently serving as an OCO OC/T at Fort Leavenworth, KS. Formerly I served as the 100 Combat Support Team Lead, C/781st Company Commander, and an OCO Planner on 01 National Mission Team. I have about 10 years of experience in IT and security. I've previously spoken at Avengercon, Defcon, and the International Conference on Cyber Conflict.

Abstract

As a community of hackers, we struggle to see the forest for the trees. In the process of analyzing big, complicated datasets, we fail to identify the simple solution lying directly in front of us. My approach to hacking is more along the lines of saying KISS, Keep it Simple, Stupid.

This talk is a conversation that draws on my experience on the offensive side as a penetration tester and bug bounty hunter, and on my observations working with red teams across more than a dozen Army exercises. I’ll discuss why big data analytics, artificial intelligence, and machine learning may be distracting us from achieving success on both the offensive and defensive sides of cyberspace operations, and why sometimes taking a non-technical or fresh approach to a technical problem can lead to surprising solutions.

In December of 2020, I identified default credentials on more than 2 dozen printers and a public-facing router within the Department of Defense, which led to remote code execution as a root-privileged user. As a result, I was awarded DoD Security Researcher of the Month. Most of my experience in bug hunting, penetration testing, and offensive cyberspace operations comes down to identifying simple vulnerabilities that can present substantial opportunity.

The 2021 HackerOne security trends report states that the top reported vulnerabilities include Cross-Site Scripting, Information Disclosure, and Improper Access Control – Generic (including default credentials, authentication bypass, and weak/guessable passwords). The trends in the private sector seem to indicate that 51% of reported vulnerabilities are due either to input sanitization issues or to user error when configuring a web application. These trends match what I’ve seen in real-world bug bounty hunting over the course of several years, and these concepts can be applied to much more complex target sets.

While things like 0-days, custom exploits, and big data analytics provide benefit in highly specific or time-sensitive situations, it can be easy to get wrapped up in a complex task and miss the subdomain takeover, the default credentials, or the information disclosure right in front of you. This talk will attempt to encourage others to step back, take a breath, and reevaluate a situation from a new perspective in order to become a better attacker or defender without having to rely on tools, technology, or buzzwords to be successful.