Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hey, everybody, I'm Brian Contos. I'm the chief strategy officer with Sevco Security. And today we're talking about asset intelligence, dirty secrets, dangerous lies, and everyone's favorite, some hacking demos. So let's just jump right in.

So I just want to give a little bit of a primer on asset intelligence, because that term is loaded. It means a lot of different things to a lot of different people. So when I talk about it, I'm really thinking about it in four dimensions.

The first one is length. These are your asset types. So this can be anything from an application, a vulnerability, a user, a physical device, a virtual machine. These can be XIoT devices, wireless access points, security cameras, voice over IP phones. So asset types, think of that as the length.

Then we talk about breadth. These are the locations. So these devices can be on prem, they can be in the cloud, they can be at a remote location, they can be someone's laptop at a Starbucks.

Then height. This is where it gets really interesting. These are your asset details. And the best way to think about that is to bifurcate it into presence and state. So, for example, I might have a laptop, and on that laptop I have CrowdStrike, and maybe I have Automox: CrowdStrike for EDR, Automox for patch management. So that's presence. I know that those devices are there, or those solutions are there. But then it comes down to state. Well, is CrowdStrike two versions too old? Is it N-2? Has it not communicated with the management console in over six months? Or maybe Automox is working, but it has an old configuration that's not the accepted configuration. So again, it's the state of those solutions, not just the presence. And again, across applications and devices and users.

And the final one is time. Certainly when I'm thinking about assets, I need to know real-time information. So, for example, Bob is logged into 10.1.1. That particular machine has these particular applications, and those applications have these vulnerabilities. That's great. I would need that real-time information, but I also need to know the historical data. Well, who was logged on to 10.1.1 last week or last month or last quarter? Right. Pulling that information together so I can correlate it.

So when I mention asset intelligence as part of this presentation, those are the four dimensions that I'm actually pointing at. And again, just remember, really any type of asset can fall into that category. So let's jump into the dirty secrets.
So, as I mentioned previously, the asset types can be any number of things. Well, for the sake of this presentation, we're primarily going to be focusing on XIoT, or extended Internet of things. Now, there are really a few things that make up what I call XIoT.

The first one is this is purpose-built firmware and hardware. So, for example, a printer isn't usually a camera, isn't usually an uninterruptible power supply, isn't usually a door controller. So they have a specific purpose. And on the OT side of things, those can be very specific. It's digital assets controlling physics: things like pressure, flow, temperature, volume.

The next thing is they're network connected. Almost always. Not 100% of the time, and there are some legacy monolithic SCADA devices that are not network connected, but most of them, even the old stuff today, have been retrofitted. It's actually hyperconnected. It's got Modbus and DNP3 and TCP/IP and serial over Ethernet and Bluetooth, and who knows what else is connected to those things. So now we're connected. So, purpose-built firmware and hardware that's network connected.

The last item, perhaps the most important for today's discussion, is you can't run endpoint security on these guys. So you're not putting on an EDR, you're not putting on patch management, you're not putting on segmentation, you're not putting on a local firewall or IPS. The list goes on and on: things that we consider pretty standard on the IT side of the house. You can, in many cases, manage the passwords. You can make sure they're being rotated every 90 days. Follow best practices: uppercase, lowercase, special characters, numbers. You can even harden them by shutting off certain capabilities. Maybe I don't need wireless, I just want wired. Maybe I don't need Bluetooth or Bluetooth Low Energy, BLE. So I can shut that off. Things like that. You can make them harder in many cases. So that's what XIoT is in the grand scheme of asset intelligence.

So, I'd like to throw this up here just because most people watching are probably pretty familiar with Shodan. And I did a very non-scientific study on Shodan. I just pulled up Shodan, I typed in camera, voice over IP, printer, and UPS, and what I found was pretty interesting. And again, for those of you who aren't familiar with Shodan, it's devices that are Internet accessible, that fall into certain categories and characteristics or regions, however you break it up. Well, if we look at camera, there's almost 5 million Internet accessible. That's important to note, because interestingly enough, most XIoT attacks aren't predicated on being Internet accessible. We'll get more to that in a minute. But almost 5 million of these cameras. Voice over IP phones, a little over a quarter million. Printers, a little under 100,000. I was really surprised at this one: UPS. I thought this number would be really low, like almost 14,000. What's the business case for having an uninterruptible power supply connected directly to the Internet, that somebody could log in and get access to?

Now, what's scary about UPS systems is there's only a few flavors of them that are out there. And usually people buy them because they have something pretty important plugged into them. One of the most common UPSs is APC. And I said, well, what's the default password for an APC UPS? So I used this hacking tool called Google Search. And I said, oh, the default username for an APC UPS is apc, lowercase. And the default password is apc, lowercase. That's it. Now, I'll tell you this, out of those almost 14,000 UPS systems, again, some of them are honeypots or whatever, but let's just say even if there's 10,000, the majority of those are going to be APC. And we have a little joke in our company. If we ever find an APC UPS system that does not have the default apc/apc, everybody in the company gets a steak dinner. Well, we've all been eating a lot of chicken, because it's always apc/apc. So that's pretty scary.

What we find is there's about three to five XIoT devices per employee. So if you have a company of about 10,000 people, you probably have somewhere between 30 to 50,000 XIoT devices. And in most cases, when you go into an organization and you say, how many XIoT devices do you think we have, they're almost always off by about 50%. So if they say, Brian, I think we have 15,000, I'm like, okay, you should probably have 30,000, because they go, oh, we forgot about lights-out management. Oh, you're counting the voice over IP phones. Oh, the digital door locks. There's a lot of "oh." But at the end of the day, these are just little Linux servers. They're usually Ubuntu, BusyBox. Sometimes they're Android. Network devices, a little bit of BSD. Everything else is like Android, Linux. Android, of course, is a derivative of Linux. But BusyBox, Ubuntu, things like that. So all that to say this: they're pretty common operating systems. So you've got all these Linux devices running around, you don't even know how many you have, and chances are they're running some kind of default username and password. So that's kind of a bad situation. Last statistics page.
What we find is about 50% of all the passwords on XIoT devices are default. And of the passwords that were changed, most commonly they were just changed once. And that's because it was forced at the time of installation. We've all been there. Okay, set it up. You've got to change the default password. It can't be "password" anymore. So now it's "password1," "password!", something like that. So think about that in terms of those stats. 10,000 people, 50,000 devices, I've got 25,000 Linux servers all running the default password.

And if that's not scary enough, and somehow the passwords were changed and are changed on that regular cadence, end-of-life firmware kicks in at about 25%. So 26% of devices that we find have end-of-life firmware in the XIoT world. The remaining 74%, the average age is about six years old. You've all got a smartphone in your hand. Probably most of you are looking at it right now. Could you imagine it operating if the OS was six years old or the apps were six years old? It probably wouldn't even run. And what comes with the old firmware? Vulnerabilities. If we just look at the CVSS scores, 50% of these devices have level eight, but almost 70% have eight, nine, and ten. And I know I'm preaching to the choir, but once you get to that level, you're talking about devices that can be exploited remotely with little to no effort to gain full administrative access. So if I can't get in through the default password, chances are I can probably get in through other means.

So now let's talk about the dangerous lies. When most people think about XIoT attacks, they think of, I'm going to compromise a device, a group of devices, add them to my botnet. Well, those are legacy attacks, and those still happen. A lot of folks have heard about Mirai. Mirai was like the grandfather of XIoT attacks, where cameras were compromised and they were added to a botnet. Well, those things still happen today. There's actually a really interesting attack that came out last year called RSOCKS. It was part of a takedown, in fact. And in this case it was interesting because they weren't actually looking at traditional XIoT, the phones, the printers, the cameras. They were primarily focused on OT, and while they did go after some network devices and they did go after some enterprise XIoT, it was primarily OT, by a rate of about 80%. And these are things like PLCs. They run real-time operating systems like VxWorks. And they weren't attacking these OT systems in these critical infrastructure environments to blow up a pipeline or shut down a power grid. They were simply adding them to their botnet. And they were using this botnet to take down systems, as botnets do. And they were actually so successful at creating this massive botnet, this global botnet, it was run out of Russia, but creating this botnet, that they were renting it out. So I think it was for like $25 a day, US dollars, you could rent out this botnet and you could do botnet stuff: DDoS attacks, phishing, malware distribution, black hat search engine optimization, all the things that you'd like to do with a botnet. But if you pay like $50, you actually get all that, plus you get 24x7 online support. So, hey, I'm not really sure how to do this. Okay, we'll give you a hand. So they really did turn it into sort of an attack-as-a-service in this means, and it was highly, highly successful, and it was eventually taken down by various government agencies working collaboratively. But why I'd like to bring this example up is that it's that legacy: hey, you've got a device, I'm just going to add it to a botnet. These attacks still happen, but it's definitely not the sort of big, interesting piece of XIoT attacks.
So now let's look at physical attacks. These are things like, I'm going to use your camera to spy on you, and I'm going to spy on you through audio and video. I'm going to unlock doors. I'm going to shut down power systems. These are often tied to nation-states, but as we know, the line between nation-states and cybercriminals is often blurred. Right? So I'm a nation-state hacker by day, but I might be a cybercriminal at night. And a great example of this was Fronton. So Fronton was an XIoT hacking tool designed by contractors for the Russian FSB. Very, very powerful tool. I'm going to find XIoT devices, I'm going to take control of those XIoT devices, and then I'm going to allow you to have C&C, command and control, of those devices to do whatever type of activities you want. Well, unfortunately for the Russian FSB, the Digital Revolution hacking group got wind of this tool, stole it, and then released it. And not that any of you would, but if you go onto maybe some of your favorite torrents, you can probably find Fronton on those torrents. Now, if you can read Russian, or you know how to use Google Russian-to-English translate, you too can have a nation-state, military-grade XIoT hacking tool as well. And again, these tools are commonly used for those physical-type attacks that we were talking about before, but they're certainly not limited to that.

Another type of attack is OEM attacks.
Now, these are attacks where it's not malware; they just ship maliciously out of the box. So I'm talking about products like Huawei, ZTE, Hikvision, and there are several others. But these, in fact, are cameras. In most cases, they're cameras that came out of China. In most cases, if they're recording audio and video and you say, hey, stop recording audio and video, it turns the green light to red. But guess what? It's still recording audio. It's still recording video. Even worse, it's streaming that information. Now, a lot of security cameras are in very sensitive locations, as you can imagine. They're in military locations, they're in industrial manufacturing, they're in healthcare, they're in pharmaceutical, they're in conference rooms and all these other locations around. So if you have this massive stream of data, chances are you're probably going to find something sensitive somewhere.

Now, for a while we've known about this. When I say a while, I'll say a few years. And it was policy within the US government that US government agencies and contractors were told not to use these cameras, that they're naughty cameras, don't install them. Well, in 2022, November of 2022, it's now illegal to import or sell these cameras within the United States. So most people, when that happened, went out on eBay and grabbed up as many as they could for their hacking labs. But the fact is that these cameras, while illegal to sell and use within the United States, are everywhere. In fact, I was at a conference in Dubai called GITEX. Great conference. It's kind of like ten Black Hats all glued together, mixed with, like, RSA. So it's a huge, huge conference, like 150,000-plus people. Anyhow, one of the biggest sponsors there was Hikvision. I mean, you actually physically had to walk through their inflatable sign to get into the event. And that's just because they're still used worldwide. They're still very, very common.
And the last type of attack that I want to talk about are pivot attacks. This is gaining access to your environment via one mechanism and then using XIoT on the back end. And a popular example of this is called QUIETEXIT. This was actually an attack that was discovered by Mandiant about a year and a half ago, maybe a little bit more than a year and a half, and it's pretty straightforward if you think about it. So what's one of the best ways to get into our organization? A phishing attack. So either through social media or some type of messaging app or an email, they get somebody to click, and we all know it works. So you basically just get this out to as many people as you can in the organization. Someone, sometime, somewhere is going to click on it and get infected. Well, let's say their laptop gets infected. Well, the bad guys are like, well, hey, you've got network security and data secrets and application security and segmentation and this and that. I don't want to hang out here. I want to maintain persistence, and I also want to evade detection. So what do they do? Well, as soon as they got on that laptop and they had control, they started looking for XIoT devices. In this particular case, in the case of QUIETEXIT, they were looking for a lot of network-based devices, which, as we talked about before, are things that are running BSD: wireless access points, load balancers, switches, network attached storage. Right? We've all got these all over our environments. Well, in addition to that, they also added some XIoT stuff, traditional stuff: the voice over IP phones, the security cameras, the printers, things of that nature. And once they found these devices, they had their own version of Dropbear SSH, which, as most of you know, is client/server software that you can use to have command and control and can do reverse tunnels. Okay, so that's pretty interesting. So they actually built this variant of Dropbear SSH to run on these Linux, Android, and BSD frameworks, and they installed it.

So, okay, I got in through a laptop. I'm going to look for a vulnerable XIoT device that I know probably most people aren't managing. And I'm going to install there, and I'm going to install there easily, because the password is probably the default password. And God forbid somebody changed it. I know you haven't updated the firmware, it's not patched. So I'm just going to find one of the level eight, nine, or ten vulnerabilities of the 50 that that device is probably running and has been running for the last decade. Okay, so it's easy to get onto these devices. But the other thing is, remember back to our statistic earlier, three to five devices per employee. If I'm on a laptop and I get on a network attached storage device and I get on a camera, am I just going to stop at those two devices? If it's an organization I really care about and I truly want to maintain persistence, why install in two if I can install in 200 or 2,000 or 20,000?

So now they're installed on all these devices, a plethora, throughout the entire environment. They get to the next phase of the attack, which is very simple. They're making API calls, in this case in QUIETEXIT, to Office 365 and to local, on-prem Exchange. So in the cloud and on-prem mail, and they're pulling down all the information. They're mostly targeting biz dev people, people in finance, and organizations that might have to do with M&A. And they're also watching the security team messages as well, to see if anyone's getting any wind of what they're doing. And they exfiltrated this data out. So, pretty straightforward attack. A little bit novel in the approach that they used with the XIoT devices, at least historically. Novel, not novel anymore. In most cases, though, people didn't even realize that they had been compromised. So there was a threat window of 18 to 24 months. So, 18 to 24 months, let's say two years, before you figure out that this is even happening. Now you have to go back and clean up the mess on 20,000 XIoT devices that you didn't even know you had to begin with. Now you've got to figure out who's managing it, what kind of security, can we update these things, how do we do it, is it one at a time? It's a real mess. And honestly, it's like the end of Spider-Man: Into the Spider-Verse. Everyone's pointing at each other. It's like, who runs this? Who's responsible? Security? No, it's network operations. Not us. It's physical security, they've got it. No, we outsource that. It's a cluster, and the bad guys know it, which is why they're targeting it, which is why attacks like QUIETEXIT are so successful. Quite honestly, pretty darn scary.
So let's get into some examples of this. I've got two really fun examples just to show you. One on the OT side, because I don't think a lot of people get exposure to see how that works, and one that is on the traditional XIoT side. So for the XIoT, we're just going to take a look at a security camera. Everyone's got them, they're all over the place, and honestly they're quite easy to compromise. And let's see how we're going to do it.

So this is just Kali Linux, nothing too fancy. Most of you are familiar with this, a great platform to use for exploitation. And I'm going to log into a camera. This part, there's no hacking being done. I'm just going to show you what this camera is. I'm going to log in as an admin, type in my password, and as we log in you can do the typical things that you'd expect to be able to do if you logged into the camera. Well, the first thing that we can do that's pretty straightforward is see what the camera sees. Well, this camera is looking at another camera, a Hikvision camera sitting on a switch. So that's super interesting, but we can also look at the configuration, and we can see the network configuration. We've got the IP address, a default gateway, all the typical things that we'd want to see with a camera. So again, nothing fancy. Just wanted to show you that we've got a camera running in our environment.

We're going to connect to it with Kali. So I'm going to run Shodan just to do a little query here, and I'm going to see how many of these particular cameras there are. I'm going to put the last string at the end of the URL in that search. It goes, oh, okay, so there's about three and a half million of these cameras worldwide. If we just look in the US, we find out there's a little under half a million. So this particular camera type that we're looking at right now, at the point I did this example, about half a million that are Internet accessible.

Well, based on that camera type, I'm going to go to Exploit Database, and you could go to whatever flavor you like for your databases. You can go on the dark web and buy attacks, whatever. This is free, it's publicly accessible. So Exploit-DB, I say, okay, this is the camera I have. Let me look up the CVE. Here's the attack. This is great. It's a command injection attack. I can go ahead and grab that and modify it, or I can just go ahead and download it directly. So I found out what the camera is. I download the exploit. I'm going to create Operation Hikvision. I'm going to run the Python script with "check," and it says, sure enough, this camera is vulnerable to this exploit. Fantastic. Now I'm going to change this Python script from "check" to "shell," and boom, I'm in. Full administrative access. I see that it's running BusyBox. It was that simple. And now I'm even deeper than I would have been if I had logged in via the GUI, right? Because I'm underneath the GUI interface, I'm able to do everything as root on the system.

So now I'm just listing some files. I see that I created a file. So I'm on this BusyBox. I created a file, or a folder rather, called "bad." Okay, that's interesting. So what else can we do? Let's just clear this up a little bit. We'll re-access it a couple of times just to make this screen easy to read. So what else can we do here? Let's first go to "bad." So we'll go to this directory. Now I'm going to run TFTP. I'm going to do a remote get of a file called "do bad" off my Kali Linux system, right? So now I'm saying, hey, I'm running a TFTP server on Kali Linux. I'm going to run TFTP from the camera to Kali Linux on the default port, 69, to get the file called "do bad." So can I download files directly to the camera? Sure enough, there it is. I do a listing. There's "do bad." I'm going to make it so everybody can read, write, execute that file. There it is, "do bad." And let's see what "do bad" is. So essentially we went through this to download what, a Shrek video? Because science, why not? And we could download scanners, password crackers, we could download things to do crypto mining, which is very common on cameras. Again, just a little Linux server.

Okay, so we're able to upload files. What else can we do? So I'm going to go in the config file of this camera and see if I can find anything interesting. Well, here's servercert.pem. As most of you know, these are tied to your certificates that you're using. So I'm going to use SCP now. So SSH, port 22, secure copy protocol. I'm going to grab all the PEM files. I'm going to exfiltrate that, again, to my Kali Linux server. The same system that was running TFTP is also running SSH. So I'm going to SSH, and I'm going to basically grab those two files. Now, I could have downloaded tools that were going to enumerate the network and grab other people's files, and then take those files down, compress them, and exfil. It would take too long, but you get the picture. And now I was able to grab files off the camera and bring them onto my Kali Linux system. It was that simple.

So, hacking. So pretty much we found out what kind of camera it was. We went on Exploit-DB, one of lots of places to grab exploits. We downloaded it. We didn't even use Metasploit. We just executed the Python script, which gave us full access to the system by exploiting that vulnerability. In this case, I think it was a level nine vulnerability, but it exploits that vulnerability, and now we've got direct access: upload files, download files, change configurations. If we wanted to, we could spy on people through the camera, et cetera, et cetera. So very, very straightforward attack.
The next one and last one I want to show you is hacking industrial robots.
And this one's a lot of fun. And one thing I'll mention, too,
about any type of OT ScADA critical infrastructure
device, however you'd like to categorize it, yes, you can do malicious
things to the device. That's certainly one type of attack. But the intellectual
property that organizations have in terms of how I make a certain
pharmaceutical drug, what temperature and how much ultraviolet
light and how much I stir for how long, at what speed,
that IP isn't kept in some file system or some
database. It's stored within those devices, whether it's batch
manufacturing, discrete manufacturing, whatever it is, how I make Volvo's
or how I make a painkiller that's kept on
these devices. So if you can get access to these devices, you can actually steal
the intellectual property. So this is a Fanook robot.
These robots are really common. You see them in pretty much every
single industry, and they're really fun to play with. So we bought a
brand new Fanook, shipped in a crate that we actually ended up mounting the
robot to that we did not do a very good job covering it up
with these blankets. And we did the latest, greatest software,
the firmware, all the latest patches,
as vanilla as it could be. We wanted to be on the latest version,
but with no modifications, just kind of how you'd get it out
of the box. So these boxes are pretty cool. So here's
a little bit of hacking on this Fanook. Now that you can control
these guys a few ways, of course. Here's our remote control.
And being the people we are, we said, well, let's just write
some logic that will actually have this robot
touch the top of a coke can very gently, because it'd be easy
to do other things. We said, can we be gentle with it? Can we just
touch the top of the coke can and come down again?
I can use that using the physical remote control that's actually physically wired
to the fanook. And you'll hear it pronounced Fanuc and Fanook.
It's used interchangeably. So that's one way I can control it with this and
program it. The other way is plc. So up here on this rack we've got
a Rockwell and a Siemens. I can actually use that to control
it. The third way is it's connected to
the network, so I can ping it. I can ping my robot.
If I can ping it, what else can I do? Okay, this is on the
network again, this is an out of the box installation.
So let me just put its ip address in a browser and see what
happens. Boom, it's running a little web server
from 1993, but it's a little web
server. It's not the prettiest interface, but hey, it works for what it's doing.
Okay, what can we learn by logging into the web server
running on this robot with absolutely no security?
Right? There was no authentication, nothing was done. Here we see the version. Okay,
this was installed in January 2023. We see some of
the configuration specs. Okay, that's interesting. That's valuable information to know
for sure. Oh, active programs. Let's look at
those active programs. Okay. It's in binary and ASCII. Well, I don't
want to look at the binary. Show me canls. There's that ip
we just talked about. So that program where the robot arm came down,
just tapped the top of the can. There it is. We're going to play with
this one a little bit later. So we can actually see the IP,
the program that this robot was running. So that's not great right
off the bat that we can get on with no access control at all.
Now, that pendant that we are holding in our hand, that physical controller,
there's a virtual version, the I pendant, right? So it's just
like you're holding it, but we can do it virtually. So let's look at some
of the settings here. Well, the first thing we see is,
okay, it's got some TCP IP information. Great,
we're already connected. We got that. But it's running FTP.
Okay, anonymous FTP. Yikes.
That can't be right, can it? So let's find out.
Let's publicly google it and find out what Fanuk says about FTP.
I love this line here. If you see an anonymous username.
You may be able to connect through FTP without.
Huh, you don't say. Interesting. Well, let's see
what we can do. So let's go ahead and try to
FTP to this IP address. And it must be a typo.
There's no way this would be anonymous access right out of the box.
And I'd be like, oh my God, I can. So now I can
FTP to this device. Well, there's probably not much we can do. Let's see if
we can do a directory listing. And within these guys, it's all
flat. There's no folders, there's no hierarchy. So it's a big flat file
system of all the files. Remember that can ls file we
looked at before where we showed the intellectual property? Well, there it is.
So we can see that file there. Okay, Brian, big deal. You can FTP,
but there's no way you can get a file, right? You're not going to be
able to download it. Oh my God, we did. So it's actually able
to download that can ls file the IP.
So I got it off the device again. Now it's on my laptop. I've got
a little windows laptop here. I use my hacker tool notepad and
I open it up. There's the program called can. I'm going to change the name
to can crush and I'm going to change one variable here from a two to
a three from 205
on the z axis. It's the only change I made besides changing
the program name. Now I'm going to save this and I have
to change it to ls because that's the extension that expects
to see. So I'm going to do cancrush ls save
again. I'm just doing this on my windows machine. This isn't on the robot yet.
Okay, so we know we could FTP in, we could download a file,
but there's no way we're going to be able to upload a file via anonymous
ft. Oh my God, we can. So there it is.
So we actually uploaded the file. And here's all the
ls files. And there's canls, the original,
and then there's cancrush, the naughty, naughty one we made.
We modified the z axis. Okay, so we know we
can get access via FTP. We know we can download
files. We know we can modify those files and we know we can upload them.
And here it is. Here's the cancrush ls
file in ASCII that we wanted to take a look at. We see
where it was modified and there's that z axis.
So we changed it to 305 instead of 205. So pretty cool.
But there are a couple of things we need to do, because these robots
are rebooted pretty frequently to clear the cache. When I
say frequently, every couple of weeks, and they reboot really fast;
it usually takes like 10 seconds or less. But I want to find the default
program to make sure that every time it reboots it uses it. So even if
you don't know what it's called, you can probably guess.
Default prog is the default program. We're going to change
it from can to cancrush now. You can reboot this
thing all day, all night. It's always going to come up with cancrush
now because that's the default program. And again, they're rebooted a lot. So you want
to make sure that if you're making a modification, you add it to the default
program. Let's focus on what a reboot looks
like, just so you can see it. There are lots of blinky lights. There's an Allen-Bradley
behind it as well, which is another PLC. But here we go.
That's a very quick reboot. It doesn't say,
hey, you just loaded a new naughty, naughty file. So now
we're expecting our robot to continue to do what it was doing,
which is just do a nice little, nice little tap on top of that
Coke can and nothing worse. Oh my gosh. So it's actually
running the cancrush file. We had a little fun shooting this from different
angles. And then we actually made the robot dance, which was pretty fun.
And we made it do push-ups, which isn't in the video, but was a
lot of fun. So again, the fact that, one,
there was no authentication turned on by default, that's an issue. And it's not
to go after these guys at FANUC. This is the case across
these OT devices. It's all about capital A. When you think about
CIA, confidentiality, integrity, availability, it's all about availability.
So they often ship with no security controls, no authentication. The problem
is they're plugged into the network, they're running web servers, they're running FTP servers,
they've got email, they've got all these other things enabled in them. So it's
very easy to get that intellectual property, and with very
basic skills. None of us were experts in this robot at
all. We kind of just found out how to do these things through the online
documentation. Oh, what file does it read?
What format? Can we modify that in Notepad and update it?
Okay. If we put it in the default program, when we reboot, will it really
stay there, or are there eight other switches we have to hit? Pretty straightforward.
Didn't take a ton of expertise, but very valuable. And this one was quite obvious,
right? It went from touching a can to crushing a can; someone's going to notice
that. But think if someone's manufacturing a car,
for example, and a gear was supposed to be four and a half millimeters thick,
but they made it 4.52 mm
thick. Well, it's probably going to pass QA, it's probably
going to work. It's probably going to work for the first couple of months or
even a couple of quarters, but eventually it's going to create so much friction,
something's going to break, something's going to snap, it's going to cause a problem depending
on where it is in the vehicle. And now you have a whole supply
chain issue of devices that you've released. That's a car. What if it's a
tank? Or what if it's something else? So they can be very sensitive, in addition
to the fact that we could download that intellectual property and steal it and leverage
it. So I never like to just show the
offensive side, so just a little bit on remediation.
I talked about asset intelligence at the very beginning and the four dimensions
of asset intel. And there are solutions out there today called
asset intelligence platforms. And whether you've got robots,
or you've got endpoint security devices, and it's installed
on laptops, or you've got cloud, or you've got identities or vulnerability information, you've got
all these sources of asset information, and they go through
these different silos to your vulnerability management solutions, like Tenable; cloud
infrastructure, like Google Cloud; IoT, OT, like Phosphorus; or endpoint,
like CrowdStrike. And they feed into these asset intelligence
platforms. They're cloud native, they're agentless, they're very
easy to work with, they'll make API calls to these different management
consoles. So you kind of get the state of all your assets,
including all those XIoT assets. Right. The focus of today's
presentation was XIoT, but this expands to all of your asset types.
XIoT is just fun to hack. So now you
can have a platform that looks at all your asset intelligence, a lot like a SIEM
looks at log data and event information, correlates it, lets
you analyze it, lets you sort things to say, again, presence and
state. Hey, CrowdStrike is installed on 500 devices,
but according to what I have in Microsoft Active Directory, I've got 600 devices
that can be and should be running CrowdStrike. So I've got a gap of 100,
and I see that they're not running Malwarebytes or my secondary EDR.
So these are the devices that I need to get on top of, because CrowdStrike
knows about CrowdStrike. Tenable knows about Tenable, Phosphorus knows about Phosphorus.
But if you have a platform that can understand what they all know, you start
to find the gaps. Further than that, they feed to make
other tools better. So they have bidirectional API integration
with solutions like CMDBs, ticketing systems, SIEM, SOAR,
so for remediation with Cortex or Splunk
or ServiceNow or ArcSight. Whatever tools you happen to be using,
it's feeding them with the best possible data so those tools can be as accurate
as they are. That's my whole sales pitch on that. I just want to make
sure people are aware that there are solutions like this out there that can
actually get in front of these types of attacks. And if
you'd like to try out one of these solutions for free,
you can POC the whole thing in 60 minutes or less. Less time than it
took you to listen to me yap on in this presentation.
You can get like three sources, one person for a
point of contact, in 1 hour. You can actually try this stuff out. If you
like it, you can say, hey, beyond devices, I want to add identities and apps
now. I want to integrate with CMDB. You can certainly do that if you decide
to move forward. But if you want to kick the tires on something, again,
it's free, because most people aren't familiar with these platforms. Here's a QR
code, here's a URL, go check it out. So with
that, thank you so much. I hope you enjoyed the presentation. I hope you enjoyed
the hacking demos. As you can see, hacking in the XIoT world
isn't that complicated, just some very basic steps
and maneuvering, especially if they already are discoverable on
something like Exploit-DB, where you can just grab those and use that Python
script, or use Metasploit if you want to use Metasploit. In that case,
and take advantage of these devices, there are a lot of them, they're all Linux
servers, they're not managed, they typically don't have good passwords,
they're typically running old firmware, and they typically have lots and lots of
exploitable vulnerabilities. I hope you enjoyed the presentation. See you
next time.
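The presence-and-state reconciliation the talk describes (the CrowdStrike-versus-Active-Directory coverage gap, agents that are n-2 or have not checked in for six months, OT devices shipped with anonymous FTP enabled), written out as an added example that is not code from the talk or from any vendor named in it. The three inventories are constructed stand-ins for an Active Directory export, an EDR console export and an OT scanner export; the hostnames, versions and dates are made up, and the 180-day staleness window and the "two versions behind" rule are assumptions chosen for illustration.

```python
"""Reconcile asset presence and state across tool silos.

Added example, not code from the talk or from any vendor named in it.
The three inventories below are constructed to stand in for exports from
Active Directory, an EDR console and an OT scanner; hostnames, versions
and dates are made up.
"""
from datetime import date, timedelta

# Constructed AD computer objects. Case and domain suffix differ from the
# other sources on purpose: normalising names is half of any reconciliation.
ACTIVE_DIRECTORY = [
    "WS-001.corp.example", "WS-002.corp.example", "WS-003.corp.example",
    "WS-004.corp.example", "SRV-DB01.corp.example",
]

# Constructed EDR console export: (hostname, agent version, last check-in).
EDR = [
    ("ws-001", "7.10", date(2024, 5, 30)),
    ("ws-002", "7.08", date(2024, 5, 29)),    # two versions behind (n-2)
    ("ws-003", "7.10", date(2023, 10, 1)),    # installed, but silent for months
    ("ws-004", "7.09", date(2024, 5, 30)),
    ("lab-pc-9", "7.10", date(2024, 5, 30)),  # has an agent, unknown to AD
]

# Constructed OT scanner export: (hostname, device type, firmware, anonymous FTP on?).
OT_SCANNER = [
    ("robot-01", "robot controller", "8.30", True),
    ("plc-01", "PLC", "21.0", False),
]

TODAY = date(2024, 5, 31)             # fixed so the example is reproducible
STALE_AFTER = timedelta(days=180)     # assumption: "hasn't talked in six months"
VERSIONS_BEHIND_LIMIT = 2             # assumption: n-2 or older is out of policy


def norm(host):
    """Reduce a hostname to a comparable key: short name, lower case."""
    return host.split(".")[0].lower()


def version_key(v):
    """'7.08' -> (7, 8) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def reconcile(ad, edr, ot, today=TODAY, stale_after=STALE_AFTER):
    """Return the gaps that no single console can see on its own."""
    ad_hosts = {norm(h) for h in ad}
    edr_hosts = {norm(h) for h, _, _ in edr}
    # Rank the agent versions actually deployed; a version's index in the
    # ranking is how many versions behind the newest deployed one it is.
    ranked = sorted({version_key(v) for _, v, _ in edr}, reverse=True)

    findings = {
        "missing_edr": sorted(ad_hosts - edr_hosts),    # presence gap
        "unknown_to_ad": sorted(edr_hosts - ad_hosts),  # presence gap, other way
        "edr_stale": [],                                # state: not checking in
        "edr_outdated": [],                             # state: old agent
        "ot_anonymous_ftp": [],                         # state: no auth on the box
    }
    for host, ver, last_seen in edr:
        if today - last_seen > stale_after:
            findings["edr_stale"].append(norm(host))
        if ranked.index(version_key(ver)) >= VERSIONS_BEHIND_LIMIT:
            findings["edr_outdated"].append(norm(host))
    for host, _kind, _firmware, anon_ftp in ot:
        if anon_ftp:
            findings["ot_anonymous_ftp"].append(norm(host))
    return findings


def coverage(ad, edr):
    """(devices that should run the agent, devices that do, gap)."""
    ad_hosts = {norm(h) for h in ad}
    covered = ad_hosts & {norm(h) for h, _, _ in edr}
    return len(ad_hosts), len(covered), len(ad_hosts) - len(covered)


if __name__ == "__main__":
    for key, hosts in reconcile(ACTIVE_DIRECTORY, EDR, OT_SCANNER).items():
        print(f"{key:18s} {hosts}")
    print("coverage (expected, covered, gap):", coverage(ACTIVE_DIRECTORY, EDR))
```

The "versions behind" count is measured against what is actually deployed, because that is all an export shows; a platform with vendor release data would rank against the vendor's list instead. The point of the set arithmetic is the one the talk makes: the EDR console cannot report the host it has never seen, and the directory cannot report an agent that stopped checking in, so the gaps only appear when the two are joined on a normalised key.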