Welcome everyone to another week of the cybersecurity lecture series here at the School of Cybersecurity and Privacy at Georgia Tech. This week I am very excited. We have a very unique opportunity here. In fact, something that you could really only find in the School of Cybersecurity and Privacy here at Georgia Tech: the combination of deep technical cybersecurity problems with how to actually run and manage those problems. So today I am very glad to introduce Jerry Perullo. He is just joining us as a professor of practice. Some of you may have heard of a small organization called the New York Stock Exchange. Well, if you haven't, they are one of the multiple exchanges that are underneath Intercontinental Exchange, and that is a tremendous organization that runs all of them. And the person who was at the helm of cybersecurity for all of those was Jerry Perullo, and he is now joining us to teach courses on this matter, in what he has direct experience in: cybersecurity leadership, adversarial risk management, and the list goes on. So I'm not going to take up too much of your time. Please, go ahead, Jerry. Thank you so much. Thanks, Brandon. That's a great intro; I need to bring you around with me everywhere I go in life. So yeah, a little bit about me and then I'll move on into things that may be more interesting. As I noted, I just spent 20 years as the Chief Information Security Officer for ICE, as we call it. When I started, we had about 40 employees and now there's over 10 thousand. I just retired out of there on Tuesday, curiously March 1st, after 20 years there. So I'm hot off the press here. I started as a professor of the practice. As I mentioned, I've worked with Georgia Tech for many years now, going back to the GTISC days and then IISP, from an industry viewpoint, meaning judging student projects, looking at curricula, working with the center and then the Institute on the advisory board of that. So I'm familiar with it.
And then as I was approaching retirement, I thought, you know what, I have an opportunity to be more involved. How can you utilize me? And we started talking and came up with what I'll generally describe as the idea of injecting practice into the academic side. I think that's a good broad way to look at it. I'm a practitioner. So my background, while I was an executive running the strategic side of the cybersecurity mission for a large firm, I came from a practitioner background, and so I was very hands-on, both with recruiting and with the actual technical decisions and tactical decisions and all of that. I apologize, but my talk will thus vacillate between very high level and very low level. So what I wanted to talk about today in the lecture series, it could be just about anything, and I think that's great. You can get a real variety here. In particular, I started talking with a lot of my colleagues with the Ukrainian-Russian conflict going on. And what really prompted me to put pen to paper and start to organize my thoughts around this recently was I talked to some of my peers and they were all deliberating decisions around what they should do in the private sector based on the conflict. And you only have so many knobs to turn, as we'd like to say. I mean, there's only so many things that you actually can do from a technical perspective. From a policy perspective, it's pretty obvious: companies can choose not to do business in Russia, for example, and you certainly have seen a lot of that lately. But from a technical perspective, the questions that came up were: should we cut off all access from Russia? Should we cut off all access from Ukraine or from Belarus? And those are very different entities in this whole game, aren't they? But I heard all of those questions being deliberated by CISOs. And so that brought me back to 20 years of the same discussion about whom should we cut off, how do we handle geographic restrictions, and that sort of thing.
And we had really come up with a codified approach to this. And I think under this most recent test, it's standing the test of time there. So I wanted to put it on paper and share it. So let's jump right into it. I'll preface the whole talk by saying we're going to be talking a lot about the Internet. That's where we get into the technical details of this, because that is the presence that we're talking about most of the time. So we're going to be talking about Internet traffic on ingress, which means your inbound traffic. So for a website or a service that's internet-connected, whom are you allowing to contact the service? Or more accurately, from where are you allowing it? And then egress, which is the other side of that. And that's where your employees, and also your infrastructure and your cloud computing and all of that as an enterprise, where are you letting it connect outbound, what websites you're allowing it to visit, that sort of thing. And so those are the two main areas. And then lastly, I mentioned on the slide, because it's so obvious today, travel restrictions. That's more nuanced in peacetime, if you will. In wartime, it's pretty clear: no one is sending employees over to any of the places in conflict right now. And so what we want to talk about, as I mentioned, is what is a reasonable policy and then what should change, if anything, at a time like now? Please share. I'll repeat the question for online. So the question is, what's the definition of cutoffs? Since people can pretend to be somewhere and they can come from somewhere else. I won't even answer because it's so bang on the material we're going to go through. Yeah, good question. That's exactly what we're going to be talking through. So if we want to get closer to the end, I have an answer; hold me accountable to it, but I think we will. Right, so, why should we care about this? Or should we care at all about it?
So I put up here some bad and good reasons. And I'm kind of cutting to the chase here. When I get to the end, I'll do a summary and we'll tie together the material in the interim. And these conclusions are: the bad reasons are that you just don't like people from a certain country, or that you think that they're all malicious individuals. That doesn't really hold, doesn't work. That's not a national-level thing. And then the second one, that's a little more surprising, is you may think that it is illegal to serve people from a certain country. And it is in some cases when you think about sanctions, and that's what sanctions are all about. And I'm going to talk a little bit about why I'm asserting that that's not directly relevant to the subject of Internet routing and cutting people off from websites. The good reasons, and so I'll keep emphasizing on, is this whole idea of Zero Trust, which is the idea of only allowing what is necessary so that you can filter out anything that may be potentially malicious or that you're not aware of. And that's a really good reason to get into this business. And so I'm going to walk through that a bit. All right, so one quick fundamental slide on the more technical side and then we'll get into that. But when we're talking about the Internet, and the last question really touched on this, geography isn't really an Internet domain, right? There's not really a sure concept and correlation of geography on the Internet. So how do you determine geography? Well, what we're talking about is IP addresses, generally, in the network. So when you're talking about inbound traffic, systems and individuals are looking at the IP address that connection is coming from. And if you want to do anything with geography about that, you're trying to make a conclusion about the provenance of that IP address and what country it's from. That is an inexact science, without a doubt.
So there are commercial and free services that you can use to do this, and they are not perfectly accurate. Why? Well, the way that these companies build these databases, they start out with actual registration information. So if you're a company, just like a residential customer, when you order Internet service, you sign some forms and you put your address on there. It may be accurate, it may not be accurate, but generally it is. And that's the biggest source of a lot of the information in these databases. It's correlated by internet providers. And then they publish it in these registries that are run by an international organization. There's one for each major region of the world. The one for the United States is called ARIN. I think it's the American registration of internet numbers; correct me on that. I think it's at least directionally accurate. If you query any of these services, they will tell you the address of a network, and it's based on the paperwork that somebody signed up with, not perfect. Also, networks can be advertised out of different places. So for resiliency, you can have a given network that is birthed out of a data center in Atlanta. And then at a moment's notice, you could shift and announce it out of a data center in Chicago. It takes a few seconds for that to happen. All that paperwork I told you about doesn't get updated when that happens, right? So it can be inaccurate there. But you do have some of these location services track that information. And they will say dynamically, wow, this network is being announced out of this what's called autonomous system, and we know from that paperwork that they're in Chicago, so we're going to tell the whole world this network is now in Chicago. Then there's some, and I call this fairly academic, I don't think there's a lot of people in a commercial service who have been able to really operationalize this, but there's this theory of latency triangulation.
If you think about it, you can actually judge the latency to any given point. And that roughly correlates with the geographic distance from you, because it takes so long at the speed of light for things to get there. And so if you test for a given IP address how long it takes to get there and back from places of known location, and you can imagine the math on that, you could ultimately say, I bet it's in this general region because it's 200 milliseconds from Atlanta, but only 18 milliseconds from Dubai, and on and on. You could do something like that and come roughly close. That hasn't been very successful because there's not a lot of straight lines on the Internet because of routing. And things take a lot of detours and go in a lot of different places. And so I've seen, like I said, some really good research products, but it hasn't been really commercialized widely yet. On the other side is a newer way of doing it. This is pretty interesting. This is where your privacy mania comes in. So all of these apps that want to track your location, it's not so they'd come to your house and kill you. It's not just so that they can sell you products either. It's so that they can bundle up that data and sell correlation information of IP address, because you always have your IP address out there whenever you're doing anything on the Internet, and the GPS data that's on your phone, right? That is extremely accurate. When you're walking down the street, you have any app that supports something like this, it will have your location. And then there's a database that affiliates that with the IP address you're sourcing from. And the reason that people want to do that is that it only takes one person on a given network to have a mobile phone running an app like this to disclose the location of the entire network, which is super valuable. So you may have a data center that's off the grid. Nobody knows about it at all. By off the grid,
I mean, not registered at the correct address. It's hidden from everyone. There's no computers on there surfing the web, running apps. And if one employee launches a mobile phone on a wireless network connected to it, and they're running any location app, it'll give away the location of the entire data center. Much more accurate data, though. And then finally, the application data. I want to mention that, similar to what I just mentioned, using your location prompts you and asks you. There's also just shopping data, right? When you actually order something and you give it the shipping address, your IP address is somewhere in there as well. It's a little bit of a looser correlation, but all of these datasets are fair play and they're all mined and integrated. And there's algorithms to determine with true positives how accurate it was and determine what factors they should favor over time. So the takeaway from this slide is: there are geographic databases, they are not perfect. They vary depending on the amount of data that's available. And they are probably, depending on what you're talking about, anywhere from 60 to 90 percent accurate depending on the region. So now let's jump into the meat of that. So, ingress. Let's say you want to block people coming into whatever your service is, whatever you're giving. So if you have a website, if you're Amazon and you decide that you don't want to allow anybody from a certain area to come in. So, tying it back together, why would you want to do that? You don't want to get attacked. Cybersecurity, cybercrime. You don't want anyone to be trying illegal things against you to break in and steal your data, to plant ransomware, any of the other things that we know of. But what about sanctions compliance? You hear a lot of things like, a certain country has sanctions, so maybe cut them off. My argument here is that the former makes perfect sense to secure an organization and prevent it from criminals,
or any type of hacktivists or any adversary. But that the latter, trying to enforce sanctions, doesn't make sense. And the reason, and I'll use the OFAC sanctions in particular, which is, I wish I had it, the Office of something, under the Department of Treasury. So financial, bottom line, and the United States in particular. So if you look through all of the sanctions on there, and they're long, detailed documents, it's full of actual names. People are sanctioned. Almost never is a country sanctioned. When a country is sanctioned, it's usually the regime that's sanctioned, and that changes frequently. That's not very common. Something like Myanmar might be on there, but there's very few. North Korea, Iran, I'm almost out of them already. The rest of the countries that people say are sanctioned, if you look really closely, it's key individuals. And in some cases, it's actually the contrary of the country. For example, Hezbollah is on there with a Lebanon address, for things including threatening the government of Lebanon. So if you take that sanction at face value and say we need to cut off Lebanon, that's kind of counterproductive there. The whole idea of sanctioning them was to actually help Lebanon. So here, the reason I care about this and talk about it is that I've seen a lot of organizations take these blanket geographic restrictions and try to cut people off. And from the second bullet here, even if they're on there, those people travel, they can use a VPN. Absolutely. And if they're a sanctioned individual, they're going to do that. So that kind of approach is not going to be effective at all against the desired adversary. It's going to cut off just the population of a given area who are most likely not sanctioned. But it's not very effective at all. And likewise, you've got people that are totally valid customers that may be visiting in here. So how do sanctions manifest?
It's really about the customer of record. So when somebody is actually signing up, that's where it takes place, and that's where you'll notice anything in the banking sector or anything that can move money, with money laundering potential, anything like that. That's where they're taking your ID and they're running deep checks for KYC, what we call know-your-customer checks. That's where sanctions enforcement, among many other things, is actually taking place. And it doesn't matter where you are. They want to know your identity, and you could be sitting right in the headquarters town. There's no correlation there. It's worth spelling this out, though, because when CISOs get in the business of trying to play compliance with IP address restrictions, then they run the risk of having a very imperfect sanctions enforcement. And so if you try to do it via the network, with all of these qualifications that I mentioned, we're not going to do a great job of it. And then all of a sudden, are you guilty of violating sanctions because you're trying to do it via IP address? So I've always contended that compliance and the networking team should not be eating lunch together, so to speak. And that rather, the networking team, under cybersecurity's auspices in this case, should be trying to prevent crime and attacks. So let's talk about that domain, getting into these two major bullets here. So, signal-to-noise ratio. In general, when you're protecting anything in cyberspace, anything you can do to cut down the attack surface, or cut down the amount of potential customers or anything else like that that touch it, is going to be a huge win. Now, you don't want to cut down anyone who's going to produce revenue for you, right? That's the trade-off. But what you can do is say, we don't offer a service at all outside the United States. Then right there you can, full stop, cut off access from outside the United States with very little collateral damage.
And you see a lot of companies actually doing that. Again, nothing to do with sanctions, nothing to do with what they think about the people from that country. They don't offer service there. And then, so how do you pick which countries? If you only work in the United States, it's pretty easy: everything except the United States. But what if you're a global brand? What if you're a Goldman Sachs, if you're a Walmart even, or Amazon, where you'll have international touch? Now, how do you pick what attributes of a nation actually make it criminal? I said earlier, whole nations are not criminals. And within a population, individuals vary quite a bit, but there is some correlation. But before I go on and reveal the big answer there, I wanted to touch on that new reason. I'm on the right side there. I said, don't do this, don't cut off people to enforce sanctions; do do it to reduce your cybercrime attack surface. Something new, and this is very relevant to today, is what companies can do if they actually want to deliver a political message to the residents of a certain country. They can say, if you're visiting from Russia, display in Cyrillic this message protesting the war and asking for their support in stopping the war. And that's a huge paradigm shift. Maybe never before has the private sector been able to engage in mass communication with a hostile territory in wartime. Countries have thought about this. It is such a strong tool that you'll notice that people aren't dumping pamphlets from airplanes even yet in the Ukrainian-Russian conflict, right? That is a severe escalation that countries aren't going to get to until further along than we even are now in that conflict. Yet today that power is in the hands of the private sector through things like geo network restrictions. So now onto the secret, if you will. So how do you determine what countries to cut off? Extradition status. That's the simple bit of it. And it works pretty well.
What is extradition about? It's a treaty between two nations that they're going to make an effort, take seriously requests from the other country to bring someone out of there to face justice. So it's a relatively high bar. It's not going to be in place if there's any animosity at all between nations. But it's not just the political climate that matters. I think that microphone just died. I'll hold onto it until it starts feeding back. Now I'll switch back to that. Okay? Yes. Perfect. Yeah. You're good. Okay. So it's actually the climate that a lack of extradition sets up. That's the problem. Because if you are a cybercriminal, it's great to be in a non-extradition-treaty country and attack countries that you don't have extradition with. We see it all the time. Rewind back six months ago, before the current animosity with Russia, but just even the ongoing environment: there's so many indictments on Russian citizens, Chinese citizens as well, I'm just naming the ones you see a lot of, indictments that name individuals. And it always has the footnote, we'll probably never bring this person into custody because there's no extradition with them. And so it encourages people to sit there and attack away. And likewise, it encourages people that are not in those countries to route their data through them. Because not only can you not extradite individuals from those countries if you're in the United States, for example, but you also can't subpoena. And that's really important if you want to do incident response and attribution. So if you have a hack and you know it's from an IP address, you can pretty much bet that the owner of that IP address is not the one who hacked you; someone routed through it. However, you can subpoena the owner of that network infrastructure. And you can get the logs and see who was using that IP address at the time.
And then you go to the next hop and you subpoena them, and then you go to the next hop, and it's a long process. It's something the FBI does really well. But if the first hop is in a non-extradition-treaty country, then when you send that request, the recipient is going to completely ignore it, over and over again. But even if you're in Brazil and you want to hack a bank in the United States, it makes a lot of sense to use compromised infrastructure anywhere in those countries. So if the collateral damage isn't too great, meaning you're not gaining a lot of revenue out of any of those countries, it's extremely effective to block them in that manner. A political consideration that a lot of people don't think about, but you certainly will in an enterprise environment, too, is: whatever strategy you have for blocking countries has to be defensible. If you just cherry-pick countries based on news reports, you're going to get accused of discriminating against those people. Because in an enterprise of any size, you're going to have employees that are from that country and family members in that country that are trying to visit websites in that country to buy things. And if you have a defensible strategy, sorry, we mapped to the extradition treaty status, write your congressman, that's much more defensible. And that does come up, and it is very helpful to have something. Now let me flip it around. So what we just talked about was how do you decide if and when to cut off anyone from accessing your Internet-facing resources. Now let's flip it around. What about your employees? Or I should mention even your data center itself, and any resources that have the ability to get out to the Internet. What kind of geographic restrictions should you be thinking about there? Well, first of all, it's good to establish that the traffic that comes out of a network connection is generally not limited to things that are done on purpose.
So in other words, don't just think about this as, do I want someone to be able to visit a Russian search engine? Do I want them to be able to shop at local stores in India or something like that? That's certainly part of egress traffic. But perhaps much more importantly, any compromise of size, early in what we call the kill chain, you establish command and control. An adversary sends a phishing email to someone. What happens if you click that e-mail and really go for it is that they download some kind of malware to your computer, or you do inadvertently. And the first thing it does is it tries to call out to a command-and-control server to receive instructions, receive second-stage payloads, and so on. So it has to create egress traffic. And a lot of people don't think about it that way. When you're being attacked, you can't help but think things are coming toward you. But it's actually your ability to reach out that is critical to the kill chain of the adversary. So if you actually look at an enterprise of any size, or actually even a university, at the traffic that comes out of a given PC or something like that, it's massive. It's surfing the web, you're hitting so many advertising sites, content delivery networks, tracking sites. There's just this massive array. And if you do anything malicious and you trip any kind of malware, that's going to be amplified and tripled, and it's going to be going through a lot of different locations. So, back to the sanctions: the same things I said already apply here. You know, that's not a great way to enforce sanctions. Signal-to-noise ratio, there's a benefit. But we're not blocking criminals per se, because the employees aren't criminals. But we are blocking criminals because they may want to use command-and-control infrastructure in certain countries that we could easily take off the map.
But what I really wanted to add here on the egress side that's different than on the ingress side is the element of DNS, or the domain name system. And I know in the audience I have people that know DNS inside out and people that have never heard of it before. So let's see how I thread that needle. But the domain name system is translating names like google.com or gatech.edu or yandex.ru into IP addresses that are necessary to actually establish communication. That's all it does, and it does that all day. So for any given network communication, any outbound or egress communication, you will ultimately have an IP address. And everything we talked about a few slides ago is going to apply. You can look it up in a database and you can get back some data that may not be perfectly accurate about where it is. And you can use that information and apply the same kind of restrictions. So you could do those IP address restrictions and say, I don't care what name they go to; if they think they're going to google.com and it goes to some new site, .org or whatever it is, that resolves to an IP address in Belarus, arbitrary example, I'm going to block it. You could do that, and that works too. But there's this whole other world of the DNS infrastructure itself. And DNS is kind of like a planetary ontology of its own. So you have these country-level top-level domains like dot ru. I mentioned earlier that one belongs to Russia. Dot in belongs to LinkedIn... no, that would be India. Well, what's up with that? So you have these loose affiliations. But as LinkedIn shows us an example, and by the way, you will see linkedin.in, not on the main page, but a lot on the subcontinent, what you have is countries leasing out their DNS space to things that have no geographic correlation with them at all. I forget what islands it is that is dot io, but it's not the land of input and output, yet dot io has become that. Dot ai, you know what that's all used for.
It's very profitable for whatever it is; I think that's a country-level one, and I could be wrong with that, but most of those two-letter ones were country codes originally. So if you want to do what I said a moment ago and say, well, we're worried about extradition status with Belarus, for example, using the top-level domain isn't going to be a great idea. Because as I said, these countries lease them out. It could be all over the map, literally, right? So how do you know a bad domain then? Well, get rid of geography. So domains go far beyond country code. I forget how many, maybe in the hundreds, that order of magnitude at most, there are of country-level TLDs. But then there's about 5000 more, what they call generic TLDs. And they all got released about seven or eight years ago. And that's the new ones. You may have noticed that things changed in the last seven or eight years, and suddenly you see links that go to dot club, dot online. I bet when you first ran across one of these you probably thought it was a typo, something dot tech. But you click it and sure enough the thing works. That's a whole new wave that just got released recently. But those aren't countries. Dot google is one that belongs to Google. Dot ms is a really popular one that Microsoft is using for everything now. So those aren't affiliated with countries at all; there's an owner for each of them. But everything that I said before, like this paradigm of extradition status, it holds. It's not extradition, it's not treaties, it's not law. But there are things about the environment, about the locale, that make them more friendly to hostile actors. What are they? Well, free registration is a great one. If a domain allows people to register free names, that's great, because if you're an adversary you want to dynamically register new domains all the time for use in attacks. And that gets expensive if you have to pay $19.99 every time you register a domain.
So they have APIs, so it's really easy to algorithmically create all of them, right? If you have to manually go through and click every time, that's not going to be great either if you're trying to create a ton of them. They hide the registry information. That's really nice of them; they're anonymity-friendly. And then finally, they're not responsive to takedown requests. And that means if you're running a company, let's say you're running Walmart again, suddenly walmart.pw pops up and it's hosting malware and trying to attack your customers. When you find out about that at Walmart, you're going to want to get that domain taken down, de-registered, taken offline. You're going to write to the owner of that TLD and start that way and go through their registry and find out who owns the site, and onward. And some of these are more responsive than others. If you're an adversary, you're looking for one that's not going to respond to the takedown. It's going to leave your site up for an extra two months before they finally react. Not going to tell anybody who you are. And they're easy and free to register in. And so you will find that, similar to that world map, you can construct a map, and it's not spatial, but of each top-level domain to the badness in it. And you could do it by attribute, which I just mentioned. I haven't seen anyone go through and try to register in every single top-level domain to survey the different policies, because they could change. But what you can do is simply look at the percentage of domains in each top-level domain that are malicious. So we know that, I mean, we hear about it all the time. It's usually too late, but you hear about, watch out for these domains, they're hosting malware. By the time you hear about it, it's too late, probably taken down. But you hear about it either through IOCs, indicators of compromise, or you get a report about an actual breach anywhere and it gives you the IOCs, these domains were used.
This is what the C2 called out to. This is what someone actually took all the stolen data and moved it to. Almost always associated with a DNS name. And if you correlate that to the number of domains that are registered in that top-level domain, which is all public data, you can get a percentage of them that are used for malicious purposes. And sure enough, there's strong correlations there. So dot app, for example, is one of the new domains. You may have run across it because some mobile app developers started using it. You can download the zone files; by rule, they have to make them available on request. And it's often universities that are actually, for research, downloading it. But if you've looked in dot app, you would see every bank name in the world; they are pre-registering all these phishing domains in there because the registration policies are just absolutely abhorrent in dot app, dot pw, dot tk. I know them just because if you're fighting in the trenches all the time, you see those domains all the time. So if you're a defender, block them. Once in a blue moon, someone can't get to a site that's in dot app and you quickly make an exception for that specific one. You don't have to allow the whole thing. But some of these other ones like dot pw and dot tk are just rife in attacks. And there wasn't a single good site that I had ever heard of that was mostly in any of those top-level domains. It's free, it's cheap, but people that are trying to sell you solutions aren't going to mention that as often, but it's extremely effective. Sure, I covered everything in here. Yeah, so I'm calling these non-extradition domains. But what they really are is adversary-friendly domains. And what I advocated to a lot of my peers that were working as chief information security officers was to just rip those out right away and to judge them by their actual behavior. Because if you do it that way, you can do it more dynamically.
You don't have to just measure the attributes and then not keep up on the changes. If you actually statistically use the amount of bad data that's in these, then you can algorithmically update that. And to double-click on that for a minute: we actually had done that, and what we did was we worked with Cisco. Cisco runs one of the largest commercial DNS provider solutions out there; it's called OpenDNS historically, and now Umbrella by them. They have all of this passive DNS data for people that are querying things. And they dynamically will notice if a query is for a site that's malicious, and they will actually use DNS to protect their customers: they will return a false address. But in the process, they create this huge data set of all specific domain callouts that end up at a malicious site. So we worked with them, and we mined through their data and came up with a report of each top-level domain and the percentage of requests in there that came back with a malicious answer. And we always used that whenever we decided whether or not to block a domain, or got a lot of requests to open up a domain. A good example would be .io. When that one came along, we already had it blocked. You'll notice you never heard of it six years ago; now you can't live without it, you see it all the time in technology, and .io. We got a request for that; we opened up one little site. We got another request, we opened up another site. We got to a point where we thought maybe we should open the whole thing. We looked at that dataset, that Cisco dataset, and sure enough, in that case there were zero or very few malicious registrations. That told us they must have a pretty strict registration policy; without having to read the policy, I can just infer that, and we were able to open it up. And then the final bit on there is about what I'm calling default deny. That's the most powerful strategy for a defender.
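The following is an added editor's example, not code from the lecture, from ICE, or from Cisco. It shows the mechanics of the top-level-domain "badness map" just described: score each TLD by the share of resolver answers flagged as malicious, then turn that score into a block or allow decision with a minimum-sample floor (so a TLD is not judged on a handful of queries), a default-deny posture for TLDs with no data, and per-domain exceptions of the kind used for the individual .app and .io sites in the talk. The passive-DNS records, the TLD ratios, the 20% block threshold, the 20-observation floor and the domain names are all constructed assumptions for illustration, not measurements.

```python
"""Added example (not from the lecture): score TLDs by the share of resolver
answers flagged malicious, then derive a block/allow decision with a
minimum-sample floor and per-domain exceptions.

All records, ratios, thresholds and names below are CONSTRUCTED assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    """One passive-DNS observation: the name queried and whether the resolver
    classified the answer it returned as malicious."""
    qname: str
    malicious: bool


def _synth(tld: str, malicious: int, benign: int) -> list[Record]:
    """Build constructed sample records for one TLD (test data, not real)."""
    return ([Record(f"bad{i}.{tld}", True) for i in range(malicious)]
            + [Record(f"ok{i}.{tld}", False) for i in range(benign)])


# A constructed day of resolver logs; the ratios are illustrative only.
SAMPLE_RECORDS: list[Record] = (
    _synth("app", malicious=30, benign=70)     # 30% of answers flagged
    + _synth("pw", malicious=45, benign=5)     # 90% flagged
    + _synth("io", malicious=1, benign=199)    # 0.5% flagged
    + _synth("com", malicious=20, benign=980)  # 2% flagged
    + _synth("xyz", malicious=2, benign=3)     # only 5 observations
)


def tld_of(qname: str) -> str:
    """Last DNS label, lower-cased, ignoring a trailing dot.
    Assumption: we score on the bare TLD; a public-suffix-aware split
    (treating e.g. 'co.uk' as the unit) would be a refinement."""
    return qname.strip().rstrip(".").lower().split(".")[-1]


def tld_scores(records) -> dict[str, tuple[int, int]]:
    """Map TLD -> (malicious_answers, total_answers)."""
    bad, total = defaultdict(int), defaultdict(int)
    for r in records:
        t = tld_of(r.qname)
        total[t] += 1
        if r.malicious:
            bad[t] += 1
    return {t: (bad[t], total[t]) for t in total}


def malicious_ratio(scores, tld: str) -> float:
    bad, total = scores.get(tld, (0, 0))
    return bad / total if total else 0.0


def rank_tlds(scores, min_samples: int) -> list[tuple[str, float, int]]:
    """The non-spatial 'map': TLDs with enough observations, worst first."""
    ranked = [(t, malicious_ratio(scores, t), n)
              for t, (_, n) in scores.items() if n >= min_samples]
    return sorted(ranked, key=lambda x: x[1], reverse=True)


@dataclass
class EgressPolicy:
    block_ratio: float = 0.20      # block the whole TLD at/above this share
    min_samples: int = 20          # don't judge a TLD on fewer observations
    unknown_action: str = "block"  # default deny for TLDs we lack data on
    allow_domains: set[str] = field(default_factory=set)  # explicit exceptions


def _in_allowlist(qname: str, allow: set[str]) -> bool:
    """Exact match or any parent domain: an exception for 'useful-tool.app'
    also covers 'cdn.useful-tool.app'."""
    labels = qname.strip().rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in allow for i in range(len(labels)))


def decide(policy: EgressPolicy, scores, qname: str) -> str:
    """Per-name verdict: exception first, then data sufficiency, then ratio."""
    if _in_allowlist(qname, policy.allow_domains):
        return "allow:exception"
    tld = tld_of(qname)
    _, total = scores.get(tld, (0, 0))
    if total < policy.min_samples:
        return f"{policy.unknown_action}:insufficient-data"
    if malicious_ratio(scores, tld) >= policy.block_ratio:
        return "block:tld-ratio"
    return "allow"


if __name__ == "__main__":
    scores = tld_scores(SAMPLE_RECORDS)
    policy = EgressPolicy(allow_domains={"useful-tool.app"})
    for t, ratio, n in rank_tlds(scores, policy.min_samples):
        print(f".{t:<4} {ratio:6.1%} of {n} answers flagged")
    for name in ["login-bigbank.app", "cdn.useful-tool.app", "x.pw",
                 "docs.some-site.io", "new.xyz"]:
        print(f"{name:<22} -> {decide(policy, scores, name)}")
```

The minimum-sample floor is what keeps this honest: a brand-new TLD with three observations, two of them bad, should not be ranked alongside one with a thousand. What happens to such a TLD is a policy choice, and `unknown_action` makes it explicit (default deny here, matching the posture the talk recommends for a data center).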
And when I say things like that, think critical infrastructure; groups like that need to use the most powerful strategy, which is to just not allow access to anything unless it's explicitly requested and approved. That's super powerful because, again, while it's counterintuitive, inbound attacks rely on outbound access. If you cut that off, the majority of attacks will actually not succeed. Now, one other point on that, though: even if you're not critical infrastructure, even if you're a startup, let's say you're a Georgia Tech technology startup, for example, you may think, well, I'm not critical infrastructure, I don't need to worry about all this. More importantly, I'm growing fast. I've got a lot of developers in here. I'm trying to hire engineers every day. If I cut them off from the websites they like to go to and make it a hassle, they're not going to want to work here anymore. They're going to go somewhere else. And that's all a valid consideration, and you have to think about that. But you know what? Your data center isn't shopping, right? Your entire data center footprint, your web servers, they don't need to get to Gmail. They don't need to get to LinkedIn; they're not checking cat videos, anything like that. Your infrastructure, your data centers, don't really need to get outbound to the Internet at all. There are some exceptions to it, but they're very static. Data center environments are where it's really easy to be what I call draconian on network policy. And nobody is. It's extremely rare. And you know it because many of you will be familiar with that major vulnerability that was reported in maybe December, Log4j, the software library that was extremely widely used. And it was determined that there was a vulnerability in there that was extremely easy to exploit. And a proof of concept was published that anybody who wanted to could try out against any website to see if they were vulnerable. And everyone did.
So there's this massive amount of scanning, and every CISO, let's say, in the world, and I thought it was hyperbole, it's maybe exaggeration, but it's close to accurate, every CISO in the world was scrambling, and their teams were up all night, all weekend, because they were vulnerable instantly. Nobody would be vulnerable if they had restricted egress out of their data center. And that just tells you 99% of the world out there has open outbound access from all of their data centers and doesn't need to. And when they don't, things like that vulnerability will be drastically reduced in potential impact. What that means is that instead of everybody racing to patch things over the weekend and being vulnerable until they get it done, they can instead take 30 days, do it in a more professional fashion, not break anything in the process, knowing that they're not going to have a massive compromise. It's a huge difference maker. Okay, so using everything that I just went through, let's go back to the intro and then talk about the current state of affairs. As noted, I've had other CISOs discussing this: should we block activity from Belarus? Should we block activity from Ukraine? It was really interesting. I saw that particular question, can we block activity from Ukraine? The person who asked was really smart, so it wasn't like they didn't get it and thought Ukraine was the aggressor here. What they were intimating by that was that their infrastructure may be controlled by Russia. We blocked Russia before, and even more now, so should we be blocking Ukraine now because it might be controlled by them? And then likewise Belarus, they just lumped in with Russia. And for many organizations, that has elevated the level of hostility with that nation in general. So they thought about all of these rules. My answer to that is, what's really changed from the old map? If you look carefully, Belarus, Ukraine, and Russia were red already.
They've been non-extradition countries for as long as there's been extradition, really, so they should have been blocked a long time ago. And I consider Ukraine a friendly country. A lot of people work with developers there. If anyone ever second-guesses that, hey, we're thinking about working in Ukraine, I'm not sure, is it good? This is the conversation they should have had: you know, it's not an extradition country. We have software engineers there. If they decided to take everything, we'd have a really tough time bringing them to justice. And that should amend the calculus that people were thinking about before, despite the fact that they may have been friendly, and nothing has changed now. So maybe this is a good excuse for people to revisit their geographic blocking policy. But don't stop at those three. There's a whole map. And if you're going to do it, make sure that you do it for a defensible rationale and not a knee-jerk reaction to the headline right now; do it for something consistent. And as I noted earlier, if you have revenue coming from any of those countries, that's obviously silly, but you can figure that out pretty easily; look through logs. So in summary, and then I'll open it up for questions: judging countries by their friendliness to criminal activity. I just read it off the screen, but it couldn't be said better: you know, are they a hospitable environment for adversary activity, both because people actually sitting there rest freely, as well as people rerouting their traffic through there will enjoy that environment, the hostile environment. That's why you cut it off, not because of anything that's going on geopolitically at the moment. Divorce sanctions from IP networking. This is a bad road to go down, to try to mix those up. Always, and this is just a defender paradigm, always try to improve signal-to-noise ratio, which just means eliminate the unnecessary.
And then finally, blocking an adversary by their IP address is not an effective way to keep them from attacking you. It's a good way to keep people who route their traffic through them from attacking you. But again, the new paradigm here is that you can send a message to people by just blocking them. Yeah, that's a message, it is. Depriving people of your service may cause them to question what's going on from a policy standpoint over there. But you also can actually deliver a message. Not a lot of companies were willing to do that in general, but that's changed a lot in the last 48 hours, I would even say. I mean, Cisco, who's in this building, I think this morning announced that they were going to stop doing any business with Russia. And that's really, really impactful for an organization like that. But I know I spoke fast and covered a lot and wavered all over the place in the levels of detail. Let me open it up for questions.

[Audience question, partly inaudible:] VPN is only one example, right? But of course the Tor network, right? So those things are being put out there that help people to stay anonymous when they... My point is, let's say Russia uses that to connect to... some of us... and then whenever they access... using Tor, using VPN... the FBI can go and say, I want to take a look at your logs. But in that case it wouldn't conflict with the intent... to the general public... What can we do?

Yeah, absolutely. The question was about Tor and anonymizer services, which today are called VPN. Ten years ago, that's not what VPN meant at all; it was totally different.
It's funny because that's just what the definition of the term VPN is now becoming. And they're very popular. I would just guess that 60 percent of you are using what I'm calling a VPN; can I get a show of hands? People using a VPN anonymizer? Exactly 60 percent; I'm really good. Actually, it felt like about 70. Yeah. So that's never good; yes, great, always check before you assail something, figure out who you're insulting. But I'm going to do it anyway. I'm not a fan of those services. I know that wasn't the nature of your question, but I'm teaching a class right now called Adversarial Risk Management; there's a little advertisement for it, right, because I'm continuing to teach it. And it's really like a CISO's viewpoint of the entire ecosystem, ranging from strategy to cyber operations to security assurance, risk management; we touch on everything in there. But the first thing that we talk about is this notion of threat objectives. In an enterprise you have scarce resources; we have to figure out where to divert them, where to apply them. And so there's a lot of different ways to do that. And in the methodology that I'm advocating for, look at the objective of the adversary: what are they trying to accomplish? Forget about who they are, what country, whether they're hacktivists or a criminal or a nation state. Are they trying to accomplish extortion? That's a threat objective. They're trying to steal personally identifiable information; that's a threat objective. And the reason to do that is to figure out what you need to be worried about and then focus on that, because each of those objectives has a different set of controls that are related to it that you should emphasize. And I like doing that all the way to the board level. There's so much pressure now to talk to the board about cybersecurity. When you go in and talk about IP provenance, their eyes glaze over even more than yours, right?
So what does work to talk to them about is the news. So that breach, that major ransomware: remember we talked about the threat objective of extortion? We all agreed we're worried about that. So yes, we're taking it seriously. We see this other thing where they stole intellectual property. Remember that? We all talked about it last quarter and said we're not super worried about that. We had a tough discussion, but we all finally came to terms with the fact that if someone stole our source code, it wouldn't really matter to us, which is more true than most people are willing to admit. But we're not going to focus on that news article. So that approach, that strategy, is really important at the enterprise level. Again, you can't do a halfway job at everything or you're just going to get hacked. You've got to do a really good job of the things that matter. You can apply that to your personal life too. And so if any of you, and I know 70% of you, are Iranian dissidents, maybe, and you don't have to raise your hand, it's really good to use an anonymizer, or if you're Jamal Khashoggi, right? Because otherwise if somebody checks your IP address, they might kill you. But for the rest of us, it may not be super important. I mean, you're going out of your way to try to hide from the man; I figure that's some mythical thing. What is going to happen, though, is someone wants to steal your cryptocurrency; that's hot, that's your top threat objective, or getting into your bank account, pre-wired transfers, that sort of thing. And so by installing software and redirecting all of your information, instead of sending it through AT&T, instead of subjecting yourself to the evil empire of AT&T, that's what you're worried about, now you're sending your information to Kazakhstan. Who's over there? I have no idea. But to get back to your question, thank you. Sorry about that. Yeah, that's a problem.
If you look at, so let's say you're a commercial provider and you're running a public website. If you cut out certain nations, if you implement what I said, you're going to hurt some legitimate customers who are using VPNs or anonymizers, or give them, even worse than cutting someone off, a really unreliable experience. Because then they're going to call and say it doesn't work, and then even worse, when it does work, because now they've chosen a New York IP at random. Really painful. But that's how I started out: you've got to pick where your customers are going to be. Tor land, if you will. And Tor, I think it stands for The Onion Router, is kind of a predecessor to what has been called VPN. That's kind of a province in itself in this world. And a lot of companies choose to just block that. So the similar database services that associate IP addresses with nations will also have a category called Tor and anonymizers. There's a lot of companies that want to kill those off. And that's why a lot of you, the 70 percent, may have to turn that off whenever you go to, I was going to say Truist, but I don't know if they're there yet, maybe a dedicated banking institution, sorry Truist. But when you go to do something at your financial institution, that might not work; you might have to turn off the anonymizer. And that's exactly why.

[Audience question:] I have a question about these datasets, or databases, about malicious actors. Whether it's easier to maintain a database on extradition treaties, I'll find that out in a second. But bad DNS, bad IP addresses: who maintains and creates those databases? Is it in-house, private sector, public sector? And if it's out-of-house, and I'm kind of guessing that it is, because it's collective information that benefits everybody, does it create dependencies among organizations, where suddenly your security is dependent on a third party,
public or private, that might create a strange dynamic in the security calculations?

Yes, that's a great question. There is a direct answer to it. So the first question: who maintains that? Is it in-house, external, or public sector? It's private sector, it's commercial. There are free repositories of this type of information and there are paid repositories of it. And they are dynamic. You can subscribe to them. The general sector is called feeds. And it's a really hot commodity right now, and it's pretty fascinating. There's a startup called GreyNoise, greynoise.io, and that's a really good example of it. And the way that they do it, which is kind of buried in your question a little bit, is how you can get the information: they actually run what you might think of as honeypots. They run fake Internet nodes and allow people to try to hack into them. When they do, they say, aha, your IP address isn't that great; let me quickly put it in the feed that is algorithmically shared. Now, what do people do with that information? People use it to implement blocks like this. So they will pick up this feed, and it's massive; I mean, there are many websites per second going on there. Somebody takes malware, they figure out what it would try to call out to, and they say, aha, that's malicious; let me let my customers know. Some people take that down and either manually or automatically try to implement those as blocks in their networks so nobody will get to it. The problem is, by the time those indicators are published, it's usually too late. You're putting in all these blocks for things that were attacking last week. And there's a cost associated with it. I mean, literally in memory on routing tables and IP addresses and things like that. You can't just load up infinite numbers of all the bad IP addresses in the world.
And those IPs, those who were attacking someone else, they're not even interested in you, and you're eating up your memory with those. So what I'd like to say is that it's better to look at it thematically. So when you see a bunch of IPs that keep coming back in the same network, maybe block the whole network at the parent level, or a bunch of domains in the same top-level domain, as I mentioned, keep coming up, like .tk: don't block the little individual ones, block the whole thing. But as far as the dependency goes, it's a really good point, because what someone could do is put Goldman Sachs in one of those lists, and lots of companies would dynamically block them from going to Goldman Sachs. So far we haven't seen that. We haven't seen a lot of pollution in that. The Cisco service that I mentioned, that commercial service, is a really good example of this. What their customers are subscribing to them for is a dynamic categorization of websites, or I'm sorry, URLs, anything like that, saying these are malicious, therefore I'm going to prevent you, I'm going to save your customer from going there. And I could just say, you know, empirically, that they've done an excellent job. There hasn't been a misuse of that to date. Certainly possible. And they're generally doing it off of algorithmic systems that are seeing malware, and then after that, blocking it.

[Audience question, partly inaudible:] Jerry, you mentioned AT&T; there used to be someone there who said, I'm going to deliver clean water to your head. So I think I get that the problem could be solved at the network level. I understand defense in depth and all that stuff, but how much of the problem do you think the people you talk to are trying to solve at the network level? What fraction of it do you think is being handled? It looks good, maybe for compliance reasons or whatever else, but does it really get to the problem?

Yeah, it's a good question.
I have a theory; I'll answer for you why it's important. So everything I described today really works well, and it can help an organization defend themselves and likely not be the one who gets compromised. And in the future, it will fail miserably. It's not a sustainable model. And one reason, if you've heard about Web 3: the whole idea is to make sure that that evil web server farm isn't the one getting your traffic, but instead it gets served dynamically off of a PC in Kazakhstan. Really what Web 3 is about is taking the infrastructure and decentralizing it. It's going to blow everything I've talked about today apart. I think there are good considerations that may slow it down, but let's just assume it's here to stay. But that's okay. And in the early days, logically, I struggled with the idea of these temporary band-aids. I was looking for the permanent solution. But that's why I call it adversarial risk management. That's exactly what it's about: giving up on the idea that you're ever done. It's an iterative process. So what works today? Do it, and don't pause because it's not going to last. Do it, because if you don't and you get ransomware and your company gets shut down, no one's going to care that you say, well, we could have stopped that, but it wasn't really sustainable and I wanted to build an elastic model. What does last is the idea of being agile and reacting. And so the right type of program would do this today, but then be figuring out what's going to be done with Web 3. It'll be something different, but it will be a new paradigm, and it'll only work for 30 years, because, by the way, short term is still 30 years. Remember IP version 6? We were all scared about that 15 years ago. You've got to get ready, it's going to be here. It's not here, well, not in a noticeable fashion. So I think, yeah, it's short term, it's ephemeral, and it's absolutely critical. And you have to just keep on iterating and adapting.
[Audience question:] Hi. As you speak to your peers over the last weeks, do they see a lot of increased adversarial activity compared to, you know, a month ago?

Good question. Yes, but only in a particular way. So it's really interesting. Over the last week, even some of the threat actor groups have chosen sides and are taking a political stance. There's a ransomware operator called Conti that was always said to be operating out of Russia. And they said, well, we support the Russian government in this. And there have been groups that have been ransomwared very recently because of their support for the Ukrainian side. So just yesterday I heard about that, and I asked them, I said, are you just kind of making that connection loosely, or did the ransom letter mention the conflict? And it did. All that to say, I haven't heard tale of state or known state-sponsored activity increasing yet.

So if I may, maybe as a final comment, just give you an opportunity to plug the outstanding course that you're offering here at Georgia Tech. I know you're going to continue to offer it here at Georgia Tech. So what can students look forward to in that course?

So it's a special topics course, CS 8803, and CS 4803 for the undergrad section. It's called Adversarial Risk Management. There are four modules: strategy, cybersecurity operations, security assurance, and governance. What does that mean? Strategy I talked about earlier: how to figure out where to prioritize, how to set the mission, how to do that all the way up through the board level. In cyber ops, we actually get into incident response and the details, a lot of the psychology of it, a lot of what are easy mistakes to make and false conclusions to rush to, and what you need to know when you're working an incident to be objective.
So there are methodologies, like one called analysis of competing hypotheses, to keep you from just jumping toward your bias when you're trying to figure out what's going on. Then security assurance is really what I call the second-line side of the house: risk management, risk identification, and the methodology there is all about testing. So if you figured out that you were worried about data theft, see where it happened, at Equifax. Take the whole playbook and report on it and try it out at home in your organization. So the same techniques will work; they will, I think, because until you've tried this stuff, it probably will work. And then that's your mission. Then finally on the strategy side, I'm sorry, the governance side: how do you take all that and really deliver it to the board, sure, but also how do you set up an internal governance structure so that you have people from all over the company hearing about these things in a way that's digestible, leaning into it and taking away things that they could do to help the mission. Thanks for that opportunity.

Yeah, no, that's awesome. I can see your enrollment blowing up already. Great. Let's thank our speaker one more time. Thank you.