DEF CON 30 - Arik Atar - Top performing account crackers business modules, architecture, technique
- So we have a really interesting talk for you. We're gonna find out why you aren't able to buy PS5 or a graphics card or any other in demand item. We have a first time speaker and first time at DEFCON member up here, Arik Atar.
Please give him a warm welcome. (audience applauding) - Thank you very much. So every time you buy anything online, especially if it's a limited stock item, you compete against bot and most likely to lose miserably. You probably can relate with the statement if you'd ever try to get your hands on a Xbox or PS5 console, and couldn't quite understand why the stock is always out, even three minutes after restock. Maybe when you scroll down on your social feed, you've seen your favorite artist concert tickets sold by four, five times of the original price and wondered how come.
Maybe even on your way here to DEFCON, when you tried to book yourself a flight ticket, you watched how the prices goes up, even for flight that were just published. Bot operators are to blame. Every bot can simulate thousands of human-like web interactions.
They will buy anything you want before you even Google it. They will schedule appointments with government services that you will pay for later. They will win at every online auction that you will attend and they will fake positive reviews that will (indistinct) by your bullshit detectors into buying scam products. Even when you asleep, there's a really good chance that the bot is trying to log his way into one of your 200 plus accounts while to enumerate your password. Bots are responsible for 77% of the global hacking and fraud activities.
That comes up to almost a quarter of the total internet traffic. Regardless if we like it or not, malicious automation is here to stay. It serves tens of thousands of underground hackers and drive millions of dollars worth of economies. In the next 40 minutes, I will give you a deep dive into the fascinating architecture and techniques that being used by threat actors by bot operators when they trying to crack their way into your password or log in and steal away your stock form your cart.
So a little bit about myself. My dad served two decades is the Israeli police force as the head of in fraud investigation department. During this time, he got the chance to investigate the most fascinating criminals that hack the financial system during what is considered now, then the era of financial fraud. Among all of those people, were also the ex-husband of my mother, which 20 years later led me to the most awkward how met mother conversation that you can ever imagine. And of course, growing up with a detective dad wasn't always an easy task here.
You can see really authentic photo of me and my dad having a "where have you been last night", casual conversation on Saturday, but on the good part, I got a chance to hear a lot of stories, fascinating stories about criminals and those financial fraudsters, their courage, and their creativity and their ability to flex their mind and to hack into systems. That was the characteristics that I found in myself. And this was what shaped my point of view as a cybersecurity researcher.
That research from the hacker perspective and not from the defender perspective. And indeed in the last five years, I spent most of my time, under 64 different hacking avatar different identities on a dark net, deep web and open web sources, collecting intelligence for the companies I work for. I started my way in Bright Data. Some of you will know it as Luminati networks.
Some of you, the older ones will know it as whole VPN. In Bright Data, I was in charge of doing a investigation upon high profile clients that tried to misuse residential proxy IPs for a cyber activity for cyber attacks, did those frauds and all this kind of stuff. I had to carry a lot of investigation there, but the most interesting one was a three months investigation after a 21 year old from Latvia that basically simulated 30,000 very popular gaming platform users, using 30,000 concurrent session. Every time he was collecting through the bots users, the gaming coins, centralized them in specific avatar, went to the gaming shop, bought some skin, and sold every sold for $6,000.
This kid made in three weeks, $1.6 million, just from selling sold skins of a popular gaming platform. In 2020, I moved to the defender side to Perimeter X, which two weeks ago, max merged with human security. There, I basically mapped the threat landscape of any threat actor that is trying to hurt our appliance and basically did a lot of proactive threat intelligence activity like credential honey pots that were reposted by other crackers, that didn't know it's honey pot, all hunting down malwares and info stealers that ran in the wild at least a year and a half before discovered by antiviruses.
So a lot of this experience, I'm going to take the most meaningful insight there and share it to you. Our agenda for today. First, I'm going to define what is exactly top performing 'cause it's really arbitrary titled there.
Afterwards, we're going in the first part of the talk, talk about account crackers, specifically those who are trying to steal your accounts, if you ever lost an account to a hacker, you'll find it very interesting. The second part will be dedicated to retail scalping, which means using bots to hack the stock of specific retail product, to buy all the stock and to sell it to you at three times of its original price. Lastly, we'll have a summary of all the TTPs we went through and we'll talk about the future of malicious automations And after the talk will be over, I'm gonna have of course a Q and A personal session here. So I promise not to answer like a bot. So like I said, we're going to focus on two use cases since the whole malicious automation world is enormous.
First is going to be counter using credential Brute-force. And the second one is retail scaling using automation to buy retail stock. I've defined top performing as those hackers who maintain a sustainable business model, meaning we are not aiming into hit and runners here. We're talking about those who are making a living out of their operation.
They should be at least six month of online presence to these hackers and they should belong to the top 20%. And I'm going to clarify this one because the hacking distribution... the hacking skill distribution, among application hackers, pretty much applied to the 20/80 law, which means that while 80% of the hackers out there, making only 20% of the successful logins, the rest 20% are making actually 80% of the successful logins or checkouts. So I'm going to focus on that specifically 20%, which means I'm not going to specifically talk about the most common tools on techniques, but those who are rare, but serve the top performers. So let's jump in.
First we'll do the Brute-force. So there are many Brute-force tool out there. There are all purpose is practically the same, is to camouflage all the concurrent sessions into real login. And they all do it by performed as a one stop shop for the cracker architecture, which means that all the components of the architectures I'm going to talk about in the next slide, come all together in this dashboard that you can see of Open Bullet.
While there are many tools out there. One of them, their popularity has went exponentially high in the last three years. His name is Open Bullet. It's an open source tool that like other many cracking tools, developed from web testing that went into Open Bullet.
And from there to Black Bullet and Cyber Bullet. Now all of the three, works under the same principles, but they have different integration capabilities with other hacking tools. And practically, this will be the oven that will cook the whole...
that will bake this whole cake that the hacker is doing. Now that they have the oven. I need a recipe of the attack and that will be the configured self. It will be the script that runs or everything. Every config can be roughly divided to three main parts. The first part that you can see on the right upper right, is the part that the defines the path of the attack itself.
It will include all the headers and the static variables that will repeat with every user that will use this attack, specifically. The second one will be the authentication, the login itself to the account. This is where you can find the payload manipulation techniques, the cookie replay attack methods, legit services, spoofing, or API spoofing, in which hacker finds out a API that's supposed to communicate with legit third party. And he writes on it to make a logins because this path is not regulated by the sat target site.
The last path of the part of every attack config will be the capture. And this is what you can see right there in the middle. After the login is made, as part of the same attack, it will go to your account and will try to figure out what essence do you have. Here you can see a checklist of very popular streaming services. So we check what kind of programs the hacked account has on his subscription. And this is how the hacker knows, later, how to price this stolen account because stolen account that has credit card, worth much more than the one that don't and right in bottom, you can see an ad of config developer that published it in an underground forum.
You can see it stands. It talks about CPM. CPM stands for credential per minute or combo per minute, which means this is the highest amount of credential that you can try repair specific path, specific config.
And it tells you, it depends on your proxy services and your recapture services. So it depends, like the number you can attempt depends on other architecture components that we'll talk about in the next slide. Also, it's mentioning that it has a capture of credit card and gift card. This is the CC and GC you see at the bottom. It means that this specific script can tell you exactly what is the essence inside the account, but you as a hacker need to go and figure it out and log in yourself.
Of course, it's limiting to five copies and it's doing the (indistinct) pricing in order for that not to be spread too much and not being patched by security companies. So now we have the tool, we have the receipt, but we don't have any cake. And the cake starts with the credentials to themself. It's common to believe in the cybersecurity community. That credential are easy to get, but need to go through some steps in order to get them, like paying a little bit or going to the dark net, while the truth, the awful truth is, they are really out there. The screenshot that you are seeing right now, is from a marketplace that you can find on Google and everyone can sign up and have access to all of these credentials.
This is almost 11 billion credentials. If you ever found your email, all the email address and have it been pawned, it's practically gonna be here. This is a compilation of all the data breach from the last 10 years.
11 billion credentials for the use of many hackers that are keep recycling those credential again and again and again. So hacker knows that, of course, this is their playground, and they keep collecting those combos all the time, running them from VPS virtual service, that has much more capability when... And of course establishing my SQL server in which they can use for creating reach data sets that will later be used for cracking your password. Now we'll touch it later. Of course, this database can be shared among several specific hacking groups, or it can be privately used. But the biggest (indistinct) is that most of the people in this crowd also are reusing the same password across different services.
And hackers knows that. So they're creating the tables that create your email, your password, and all of your last passwords. So we can be used later on when they try to Brute-force. So it's really nice that I have a lot of credential and 11 billion is really nice, but I cant do attack with 11 billion key credentials because I will go bankrupt as a hacker.
So the next step it's not necessarily in which it's a step in which we will go and do mail validation. Mail validation, practically, it's a process in which they go and clean non-relevant users that are not signed up to the target site because there's no logic targeting accounts that don't really exist and they do it mainly with using two techniques. The first one will try to figure out using the website itself. It will be an Open Bullet config that will be marked as VM, Valid Mail config. And you can find many of those online for free, and they will go to the target site and they will do forgot password with the victim email, and they will check the response.
If the response... this email does not match to our records, then I should not attack it as a hacker. So I will put it on the panel list and I will filter out more my target list. But if I get, "Hey, we sent you a recent link to this email." That means that this practical...
This user is signed up and this is why it will be later on the targeted as a Brute-force attack. The other path that can go is most stealth, and it will use an exploited unregulated API path that will practically, they will check using this API path. If the email is signed up or not depend on the request that they will get, if it's 400 or 3, ban. But if it's something else, leave it in the site itself. Now we have everything that we need to do, but we don't want to guess all the possible combination. We want to be precise as hackers.
And we want to aim directly to the point, like a sniper, not just shooting like Arnold Schwarzenegger in one of his movies. And this is the precondition before doing the enumeration itself. There are two predictabilities that make our password really predictable into hacker's eyes.
First... The first type will be involved with the pattern itself. Every target site has a password policy. Like you can see right here, but most of the people when they sign up to account, the last thing that they want to do is to think creative about new password that they will have to remember. Most of the people will just go by the simplest (indistinct), which means that our hacker doesn't need to try all the combination. You can just go for the most common one.
Let's just say I'm supposed to do 8 to 100 characters, most of the people will use 8 to 10. So therefore I have no reason to enumerate more than that. Uppercase and lowercase will usually be uppercase prefix, which is a built in feature in every Brute-force tool out there. And also when you need to use a number, most of the people will use 1, 5, or 7 suffix in the password. Also, there are the creative people that use the key strokes that are next to each other and creating different shapes.
And this is what helps them remember that. But just so you know, it's a feature that exists in a lot of tools out there. So when they are doing the enumeration, they will first try the keys that next to each other. The next part that we have of predictability is involve around the content itself.
These stats comes from the last year Google's research about passwords and it involves 50%... Practically says that 50% of US adults are reusing... At least are using the same password in at least 12 different services.
33% will use their pet's name. And this is where it all comes to a big one workflow. First, the hacker will go back to the table that I've talked about in the last slides, where they have the username and they have the password and they will enrich those data sets with the victim's PII. It's really easy to do that using open source repositories out there that just looking up accounts that are related to the specific email, social media accounts, and extract from specific places, these data points like education institutions, spouse names, birthdays, everything are totally available out there.
As you can see, they're using a password generator that has these capabilities, like you can see they're used password or birth date or postcode. All those will be used for doing smart enumeration, not just one that goes off run randomly. And the enumeration at the end will be depend on three things. The victim PII like its pet's name, wife name, birthday, and stuff like that. Bridge passwords, all the passwords they could ever found in the past that being breached and outside in the underground forums and the password policy predictabilities that we talked about, and this is how they can turn one email into large combination of passwords.
That has really good chance of hitting the target. Now that I have everything, if I try to log in from specific IP address, I can manage to do a top like maximum three logins before I get blocked. So in order to bypass this IP rate limit, hackers are used to using many IPS, many proxies. Those are connected with the service, it's called proxy network. And this service is actually managing the whole proxy operation for them. I dearly recommend you to learn about proxy networks and their capabilities.
It's really the one most common attack factor of all cyber attacks out there. Specifically malicious automation, and also it serve them as its hide their true IP, which is really important since cracking into accounts is a criminal act in most US states, of course, using a network allows the whole outsource of the proximal operation, which means the doesn't need to go with proxy list and then check, which one of the IPS got banned, which one is really not working well. And then replace it. He saves this time while connecting through API of specific server to proxy network that does everything even rotate the request itself when capture pops up. So here we can see everything comes up together through the same kind of cycle. It goes from the left bottom.
We can see the attacker Dell, he will use the mail validation, we talked about through the username. The password will go through Wordlist generation that will set a specific type of password that will be customized to the specific user. From then the request will be connected through the super proxy, which is the entry point of the crop proxy network.
The super proxy server will use different and thousands of load balances to spread those accounts. Those request among different devices, real devices of real people, which will make the target side really hard to block those requests afterwards. And with the successful logins that he manage to do using the capture, he knows what their essence, and then he gives back to these prospects 10%. Prospects means the people that following him, following his activity, but didn't bought anything yet. In front of him, he has the challenge of gaining their credibility.
So this is why he's acting just like a premium business model. He gives them 10% of the valid access account, the ones that he manage to break into, he gives it for free, and this is how it create more and more people and more and more attention on the dark net. 90% will go over different digital marketplaces, like selling stock, (indistinct) shop and this kind of services that are practically marketplaces that are legit, but are being misused by hackers all the time.
And the last phase with all of the account they didn't manage to break into because they didn't guess the right password. He will do combo recycling. He will release it again in some kind of forum, harvesting all the credits, all the likes, which will (indistinct) later in money in the same marketplace of the same forum. So it's actually beneficial for him. And from this point, it will be picked up by other cracker that will go from the same phase all over again.
And this is why I call a sustainable cracking. Here we did a actual (indistinct). We did a honey pot that actually demonstrated the capabilities of hacker on the underground forums. We faked 50 credentials. We marked them on our end.
We post them one time into one hacking marketplace. And we waited for the logs... the request, the first malicious automation Open Bullet request that we've seen came after only two minutes from the moment I pressed post. Overall, we had 50 repost. When hacker sees this, they say, "Hey, it's nice. I will repost it on other platform."
So we had another 15 website that were exposed in this whole operation. 50 repost after the first 24 hours. Overall, we have 600 attackers that took part on this party without the will or knowing. And this is basically how we can demonstrate and see it from both sides while using simple social engineering techniques on there. So from ATO, from stealing accounts, let's talk about the bots that are using those accounts exactly afterwards in product release. And we'll take you, I will give you one minute intro there because scalping is used to believe to be only a thing of PS5 or sneakers, but basically it affects all of us in matters that we can't even imagine.
We have two groups of scalping out there. The first one would be the limited edition. Those are the classic one, the sneaker marketplace, GPUs, PS5, NFTs, tickets for concert for flight tickets. All of them are being sold and buy both all the time with using bots, but we have the second part, which is really interesting. The opportunistic scalping, which mean those who rely on standard demand, but temporary low supply. We've all seen it with the COVID mask in the beginning of the pandemic, when it costs something like (indistinct) at times more than it cost right now, we had it on with the baby formula, which one...
during the last year, one big baby formula factory was shut down because of violation of health regulation, which cause a temporary low supply. And I've seen a lot of both operators out there in (indistinct), but the fact that they switch sneakers or PS5 in that moment to buying day before through a Facebook marketplace. And the last thing that we are seeing is government services, appointments, specifically passport or visa at embassies around the world, a visa appointment in Israel, you will have to least a year because of that pandemic of bots right there. So let's talk about retail, the ones that buying the PS5 consoles, the first thing that they will use in order to increase their success rate will be aged accounts. Aged accounts are digital accounts that exist at least a six month.
And sometimes even more, sometimes it comes to a year. The more, the better, the more the price will be up because the value will be higher in the perspective of the hacker. And why is that so? Because age accounts are practically...
have lower security standards. The more we go through time, the more the target site, eCommerce site know and understand the hackers and they're doing much more adjustment of security measurements. So therefore age account has less strict thresholds and less strict regulation under the compliance of the target site itself. And this is why they have much higher success rate. This is by the way where account takeover and bots are connected because those accounts are being bought usually from account crackers.
The next thing that will be used here is the Cook group itself, which is the community of the scalpers that involves an focus of specific retail product. And sometimes even specific bot. This is a basically the online community, which serves as a knowledge base since scalping and buying product online is really complex operation. And you need a lot of knowledge and a lot of different fields,` So Cook group will be the answer for that. These groups are exclusive, not open to anyone, cost a lot of money, and they will have limited amount of people inside.
So, in order to get access, it will take some time to most of the beginners, but this is how most of the scalpers begins. In these Cook groups, they will do group buys of product and therefore reduce their expenses, or they will shelve some tricks that will practically make them most successful. And the third thing that they will use is the bot itself, which is practically the most overrated part of the component because it's practically, every bot has a specific model for every target site.
There can be a specific bot that is really good... His model is really good for specific sites, but really bad for other sites. And therefore... and also if it's good for a specific site on specific launch, it doesn't mean that in a week it will be the same situation. It can be patched easily by the detection of the antibody solution of the target site.
So, therefore the bot itself has different... The prices are various between $400 to $6,000 a month. And again, limited amount of API keys out there, very exclusive, but top performers will use several bots for the same reasons that I just mentioned. They will do several products. They will do several sites and therefore they will use several bots. And in order to keep yourself on top of that main...
just huge operation, you will have to use a bot manager and a bot manager is practically a one stop shop for all of the bots you are using. The most common one out there is AYCD, which practically gives 12 different bot tools for scalpers, from creating fake credit cards to generating emails addresses that you can use for fake signups. Everything they will need to use is right over there.
And we have the fourth thing will be the product release monitoring service. Whenever you want to know when there's news restock of PS5, you will practically go manually and search PS5. This cost a lot of time. This is practically one of the reason that you will lose to a bot. A bot won't do it himself.
He will wait for a third party service, which is basically a web crawler that goes every second to the target site and check PS5 exist, PS5 exist, PS5 exist. Whenever PS5 has exist, He will go back with the P ID, the product ID, and he will tell the bot exactly where to go for. And we'll show you this in the two slides for now, but this one is the most important. One of the most important components in the architecture. As you can see on the right bottom, the two tweets of heat monitors, one of the most notorious product release monitors out there, you can see basically they are bragging about the fact that they spot product release and they competitor missed it totally. And on the total right, they are bragging about the fact that they were faster from their competitors in 1.4 seconds,
which might sounds like a little, but in the world of bots, this is forever an eternity. Which practically makes the whole function of a product monitoring service. It serves exactly like the gun what we see on the Olympics competitions. It tells the bot exactly when to start the competition again, to the PS5 unit. And now we have all of this.
It's really nice, but we want to use better stack than what we have on our PC. The scalper... The top performance scalper will put some money and we will rent dedicated server. Dedicated server means that it's not shared with other scalpers.
And you don't want to be share resources when you are playing a zero sum game. When every PS5 console that I will buy, my scalper friend won't buy. I don't want to share any resources. This is why the service is dedicated and not shared, and also bare metal and not VPS. They are physical, they exist, and they're geographically located around the target site service. So, they will minimize the ping time.
Just like you hear about FinTech companies that does that in order to get closer to the stock market or for any kind of financial institution, they need to work with that this is exactly what scalpers are doing. They will choose specific geolocation that are physically close to the target site, so they can know exactly... Can be first before you. And the last thing that will be here from the dedicated server itself, they will spread all of those requests through different proxy IPs.
This time, unlike crackers, they will not use just residential PCs IPs, they will use mobile. Why mobile? Mobile has different thresholds. The amount of action you can do from a five inch screen is much higher than the amount of actions that you can do using your keyboard and mouse. As a result, every target site, every eCommerce site that you are a certain with, will have different threshold, different amount of task that you can do per IP. They're using emulation to emulate the whole fingerprint of mobile and mobile IPs.
So they can do much more task, much more quickly from specifically geolocated pillars, proxy pillars that are located right now. So here is where everything comes to one place. As you can see, our scalper here is connected through remote connection. Usually it will be an RDP remote protocol desk, remote desktop protocol of windows, but not necessarily, he will manage his operation, which will be on the dedicated server.
Not only stack, the dedicated server will constantly communicate with the price, with a product monitor service that he will see the mesh there. The product monitor will go all the time and will return once the product is... When the product is released to the site. He will come back with a P ID, which is basically a shortcut to the product itself.
And then the bot will go directly while you are looking for the specific unit, he will go directly and will buy it before. Also all of this request will come up from specific geos, unlike crackers, that doesn't really care about where the IP is located. Scalper has really important high importance about where he choose to his exit proxies. He will usually located at next to the target site, which basically most of the time will be (indistinct), Virginia, but not necessarily.
And from there all the successful checkouts that he made it to all the PS5 units that he's supposed to get by mail, he will use a post proxy company that will use fake addresses around United States. All of those PS5 will be sent to different proxy addresses. And from there, it will be moved to his native country in which he located in which he will sell it by 600, 700 bucks for one unit. So where are we heading? I'm not a prophet and not pretend to be one, but I know that there are several actors and factors that shape the whole malicious automation world that keeps on going specifically because of Ukraine war and because of COVID. The first one thing that we have to understand here is that the top performers, that 20% that we are talking about, are basically the early adopters of new cracking tools and techniques, which means that whatever they're using will be what everybody will use in a year. Open Bullet, when it came out in May 2019, it was a niche at the beginning.
Only few where hackers knew how to really develop a good config. Nowadays, it's a standard. You can rarely find a config developer that writes ATO script, that knows how to write it in anything else than loli-script, the language of Open Bullet. So it's really important for us to understand those 20% and not just focus on the average attacker, because as I said about the hacking distribution is 20/80 low. There's no average hackers. It's either you are in the beginners or you will stay there in the beginners or the mid range, or you will go to be a top performer very, very quickly, if you have the right consistency and creativity and courage.
And the second thing is that every retail supply chain bottleneck is a business opportunity for bot operators, which means that now they like the same kind of attack architecture and scalping architecture that we've seen on sneakers turn around against PS5 and Xbox. It's the same thing that we'll keep on seeing on other products. And I mentioned earlier, the baby formala, that was just an example, but we have many other cases going on, whatever you hear on the media about a supply chain coming up. First thing, think about the bots because they will come afterwards because they will see that the temporary low supply can drive them a lot of profit when reselling it. In fact, if a bot had any physical existence in this conference, it would practically take over all the water supply and resell you every glass of water for 70 bucks.
So what differentiate the top performers from other threat actors? The first thing is that they will think development operation, just like a startup. They will think about minimizing the (indistinct) time. They'll think about customizing their architectural around the architecture of the target site. They will think about reducing the architectural resources and increasing its efficiency.
They won't like let's just to say, for example, new scalper, they try to get a PS5 will care the most about his bot. He will think that the bot is the key success for that. But a top performer will focus and do authentic work and figure out where is the target site servicer located? And it will be, is all architecture around it.
He will use the same ISP as the target site. So he will minimize again, a little bit, few... Every millisecond matters in that aspect and he will think differently. And this is exactly one main differentiator that we have there. The second one and really important one is they all use OSINTs, either as the cracker that we've seen earlier that established a big data set, that includes all of us, all of our PII that can be found on social media or either it's the bot operator, that's used product release monitor in order to figure out exactly when the launch is happening.
They're all making a preparation. They know exactly where everything is located and this mindset exactly with validating the bridge email and using a UX exploitation, all of this will practically makes them in a different type of level. The third thing here, and this is the practically the most important one, as I see it, from my last five years of research. The scalper or hacker at all, biggest asset is not his money, but his time.
Most of the people think the hackers who goes through a phase that is really similar to normal people, where it's called the promotion products, the promotion products simply claim that every time you get a promotion, you get to do less and less, the thing that got you the promotion from the first place. Which means for a hacker perspective, a lot of hackers are out there thinking, "Yeah, I can write a code really well, I know how to hack. I'm going to do tons of money out there."
And then they open up their own business and they begin to be client facing, which is something that they never did before. All of the sudden they need to do marketing in order to gain some credibility and really fully flood market. And they try to sell in a one-on-one conversation. They try to understand, to explain to people their value. Later on they will do, of course, customer support. And they will handle tickets of clients, which is something they, I believe, never thought it will happen.
Here you can see in the right there in the middle of the left, a real message of a 18 year old hacker that they tried to do a anti bot bypass solution. And this guy during exam period actually mentioned that he won't be available since he's have many exams. Of course, we took advantages of it and put 12 different detection logic, while he had his exam period. (evil laugh) And of course, so time is also something that is really necessary.
A lot of security companies are thinking about, yeah, should make the attack more expensive, so they went to... They will go on other site, but what's driven 13 out of the 13 hackers that I've tracked in the last year and a half, wasn't their budget. It was their time and the fact that they needed to remain on top of the thing and to keep handling all the time with stuff like that. So the top performers are doing a smart thing that we all need to do in our personal life. First, they outsource the code when needed. Whenever they can, whatever they can, they will outsource outside.
So they will keep their self, the biggest S in their time, but they will keep under their control, the stuff that they will have to do, the debugging, the reverse engineering of the payload. They will learn about obfuscation techniques. They will learn about deobfuscation. They will be there in order to maintain their operation working and to handle problems. But all the rest of the operation, like proxies, like wallies, like even credentials, they will use credential API in order to minimize their time. So all that will be outsourced, so they will have the maximum efficiency since hackers are most of the time in this aspect, at least, works along.
So basically what I want you to go to leave this talk with. First, go to underground forums. If you haven't been there, open up an avatar, start learning and be on the other side. It doesn't matter if you were pen testers, white hats, amateur hackers. It doesn't matter every code that you want to write down, somewhere, someone built it, wrote it, made it, upgraded into the level of art and uploaded online.
I still find pen testers that trying to write down techniques that are being out spread all the time. So know your enemy, know the threat actor, because as we've seen here, they are collecting intelligence about us all the time. The second thing that is really important here is think like a threat intelligence and let's put it in a practical example.
Okay. Let's just say a defender is watching this talk right now on YouTube and he thinks to himself, as a defender, I should probably put two factor authentication on my account. That's nice, but that's a defender type of kind of mindset. If you want to walk from the threat intelligence, think to yourself what nobody is doing on their password. And there answer will be putting space note.
Nobody's using space notes inside of password and any password generation that I came across, none of them had the possibility to add spaces because nobody do that. And no hacker that I've met ever came across or thought about that enumeration with space notes and the reason of that, he never seen that kind of password. So use spaces in your word until everybody else will do it. And hacker will go for it too, but be there, hand them down, know your enemy and stay safe. (audience applauding) Thank you very much. I will get questions if you have anyone have here and thank you very much.