SS&C Blue Prism RPA Digital Workers for Cybersecurity & Information Security
good morning everyone thanks so much for joining us on the western Canada RPA User Group we've got an exciting opportunity to listen in and learn a few new tricks from Brady Cusack for Brady's got a really interesting background in cyber security a little bit of blockchain that's super excited to have on the the Meetup so thanks so much Brady for joining us to be here wonderful I'll let you take the reins and share your screen if you want to thank you ever wait for uh for joining and again thank you Jackie this presentation that I'm going to give it should hopefully only be 30 30 45 minutes and I'll give you some questions afterwards that any of you may have but the focus that I want to Target is ways that group prism and RPA in general can be leveraged for cyber security use cases so in internally at group prison we are exploring the creation of different Frameworks and solutions that we currently actually have up on Partner digital exchange that we once introduced to the larger customer base that we support just to show ways that using robotics process automation you can't replace all those security tools that your organization is using today but you can make them a heck of a lot more efficient by using RPA um so just to get started I have a couple of slides but I won't spend too much time going to the different slide desks so some of the benefits of Robotics process Automation in cyber security is one of the key ones is that it's very quick to deploy so rather than needing to go in and get either a massive service documentation a massive API team building out different services and things like that with RPA you can have direct Integrations with any of those security platforms that your organization is using today so whether it be a komodo endpoint security solution crowdstrike any of those major providers that most organizations are probably familiar with blue prism can interact directly with those Solutions leveraging RPA through API calls and user interface interactions and just perform a lot of those tasks that typically a security engineer would be stuck doing and spending hours doing themselves on a computer it's also a very good tool for aggregation of logs so it in in traditional older Solutions and older systems that are out there today the logs aren't always accessible by tools like slunk or tools like Cabana or any of the major tools that are leveraged by teams today to go through it and look at things like access logs things like error logs and so on that your applications may have but leveraging RPA for those specific use cases as well blue prism and argument in general can just reach out to all of those different Legacy systems pull in all of those supports that typically a security engineer or somebody would have to go in and spend hours doing but painstaking work and blue prism will be able to bring all of that data in and actually go through it and apply different rules to say hey this is something that should be flagged or hey this is something that we need to create a ticket for it's also able to be leveraged for triggering remediations that are identified by different endpoint security or any Security Solutions that you have maintain your Cloud environments say for example that you have a a cluster of web servers that are working together to deploy some larger applications but one of those web servers one of those requesters has a bunch of vulnerabilities on it that were just identified and you need to isolate it rather than having engineer go in there isolate it and manually go through and do all of that tasks you can have that immediate solution of move prism or artery in general just being triggered and immediately isolating it so that doesn't expose the rest of your infrastructure to any risks that may have shown up with that exploit it's also good for non-traditional things so a lot of organizations have their own specific applications that they use they have their own specific security policies that they have to abide by depending on what industry you're in and so there's some instances where there's just not a lot of that there's not a lot of capability that you can get from existing tools so you'll have to get maybe one two three different Security Solutions and if any of you have purchased cyber security software it is very extensive compared to other Technologies a lot of these things you can just you know blue prism or create go in and Mana redo it and feed it to those other security tools that you have and manipulate it in a way that you can use your existing digital workers that your organization has and solve that problem without needing to purchase a bunch of extra tools and then again it's just a lot cheaper than most technology security platforms it's cyber security tools are very expensive and RPA is much much cheaper so some of the use cases that we're really targeting for this first kind of set of assets that we're putting out on our digital exchange are centered around things like vulnerability management Network detection and response log analysis simulated cyber attacks so things like internal campaigns that your it team would be doing to go in and try to trick all of your employee base we can create with our create much more robust and honestly a lot trickier to catch phishing simulations that can really Target specific user bases within your organization that are very vulnerable to this type of stuff and it can help you get a lot of them trained in in that mindset of okay I need to check all of these different things and I'll get to show you a bit of that also later today in this call and then more simple things too password resets somebody's locked out of their accounts not every solution is going to have integration with every major identity provider after One login Azure ID they can only support so many applications but you have your old Legacy systems and stuff like that um where traditionally you need to have somebody manually go in and reset your access to those to those systems rather than doing that arcade itself can just be triggered once the ticket is created and whatever ticketing system you're using an RPA can go in and just directly solve that problem quickly directly do those password resets and get it set up for the end users and then again one of the things that I mentioned earlier is again that subnet isolation in partnership with other Enterprise solutions that your organization has just because that's always a big area where they get in one place they can spread out to the rest of your for your technology infrastructure it's not isolated with enough so that's one of the other use cases that are really play a big part in so a little bit about what we have so far up on our digital exchange right now so currently it's only in the partner digital exchange but we hope to make it available to customers in the near future we have a base version of a Security Management automation framework that we're implementing which is not there to replace what you're doing but they give you a template that you can actually use to work with your cyber security team or your Society to the point that you can sit with them in a conference room for maybe four or five hours and create maybe one or two different use cases one or two different complex reports one or two you know complex functions that need to be updated through something like fccm or any of those Powershell modules that you can have on your uh Enterprise architecture for managing assets and so this framework comes with sample templates to help our customers get started off with those use cases and then we also have an example process so it's going to actually be leveraging some of those case study or some of those use cases that we talked about earlier and it's going to go in and it's going to simulate doing vulnerability management detection so it's going to go into each of the different assets or each of the different machines that are connected to your active directory user group and then it's going to pull in a list of devices it's going to query a third-party tool that actually keeps track of all of those cves that are open for software if any of you are familiar with what cves are they're basically just like vulnerabilities every time a vulnerabilities was detected in some type of software it gets posted online by the vendor so that all of the customers can go and see words where they're exposed and so this sample process is just taking advantage of all of these resources that are already available on things like Mist miter and all of these different websites they have all of them stored and it's going to pull in those cves and make sure that none of your devices are exposed so before before I move on I know I covered a lot pretty quickly are there any questions that anybody has before I move on let's hear the CDs actually list the mitigation as well which is actually the important piece because of that it's actually actionable exactly and yeah one of the things that in the demo I'm going to show today actually is how the cves that are pulled in blue prism goes in it does things like creating support tickets for so this video is just using a sample one that an open source support system ticketing system but on our digital exchange we also have freely available assets that can connect you to things like servicenow Salesforce and a lot of these different third-party tools that are already leveraged by organizations for like ticket management and stuff like that so it for the framework and the example process is that we have listed today so those will require a domain read account in your active directory so medical domain admin for like the reporting and reading item but for one that goes in and does the reports and pulls all of the list of software and stuff like that it'll have to have the permissions to read all of the users in a specific operational unit and in this automation too there's parameters that you can adjust for different groups and then if you're using any of the functions and so those ones aren't in the sample that I'm going to show today but those would need similar permissions to what your help desk users would have and so those can be managed through the prism credential managers the vertical that we're using for that right now where you just put in the credentials for whatever account would have access to go in and do like a force through policy update or pool and security policy for a specific device those would be the specific policies that they would need and so we also have a user guide and some documentation up on the digital exchange that has the different permissions itemized as well that I can share with everyone as I talk about work with sample automation we have a list of deliverables that are included in the the sample object that comes so you have various reports listed such as retrieval list of assets that are in a active directory retrieve the list of the software that are installed on the device get all of the users that have been actively made using a device over a period of time things like checking when it is update history just to make sure things have been people have been going in and running updates and not pressing that no button because I know a lot of people like to get the no don't update and also retrieving things like the device security policy we also have a template that is basically the Baseline for all of those supports above that template is able to be used by your RPS team in partnership with a system a systems administrator or anybody on your Android security team to build out additional reports as well so that way you don't you're not trapped with the ones that have been provided go in and extend it as you need we also have a bunch of different options that we're including out of the box such as basic things like enforcing group policy update checking the device up times a lot of times people have issues with their computer and it's because they haven't turned it off in 17 years so that's just one of the basic features that we wanted to include inside of it things like forcing device reboots for those people who have antigen device forcing Windows updates to just go through scheduling the defragments for the the drives on that device and then also an additional template okay we know this these are just very basic low level functions and reports that you're able to go in but with that template as you have different business needs reorganization you can use those templates to stand upon that a lot further you're using the standard kind of Microsoft offerings such as wmic and the Powershell commands and things like that you can take the exact same code and customize it based on your specific business requirements also here or nwmic as well yeah exactly and so it's actually a combination of both of those that we're using with this a lot of these templates are it's calling in a specific code stage that has some custom code that will be built out that is working with Powershell correctly on that machine and then also if it needs to have like admin credentials or something like that for specific devices or specific user groups we also accept different credentials from the blue prism credential manager that way you can authenticate the different commands that the digital worker wants to run but using credentials for a specific area in your organization or for a specific specific tasks that you need to find rich and so it's again this is the version one so we're working to expand it at additional capabilities to this some of the additional features that we do have in the process of putting up for the version two in the June July period is actually leveraging a window subsystem for Linux which you're going to see today and actually taking some of these open source things that come with an operating system for Kali Linux that enable you to go on and actually do pen testing and do different reports different scans and stuff like that as well in the machine for those specific use cases though you'll probably need a very specific isolated environment I made the mistake myself of putting it on my laptop and had it remote wiped more than one time but yeah so those are some of the things that we we have in the pipeline that we're working on and that we want to expand this out to and then of course as different customers Partners come back with feedback ideas and things that you would like to add in we're just going to keep adding things and hope we built but a much larger repository over the next couple years of assets that can support your organization so now what I'm going to do is just move into two demos that I have built out so I'm going to show a recording because again if I run it locally I'll buy or I will lock me out so I'm going to show one focused on vulnerability management that I mentioned earlier and so that one is going to just go in it's going to retrieve the list of devices so using one of those default functions that comes included with our templates I'm going to retrieve the list of devices for a specific operational unit within a active directory it's going to create a q item for each of those devices and so for each device it's going to go in pull a report of the software and for all the software that it has it's just going to just do a quick query or a third-party API tool so in this example I'm using opencv it's an open source project that syncs all of their cve with miter and missed databases or CDs and then once it pulls all those down if it identifies any cve which I have a couple in this demo that are installed vulnerable software for that reason that it's going to identify the cves and it's going to go and create a basic support ticket and then it's just going to keep all those metrics in a simple report as well at the end the second demo that I'm going to walk this one is probably my favorite one to show is simulating an internal phishing adapts so say that you have to go in and again make sure all of your end users are trained and educated and how to identify phishing as apps that could potentially hackers potentially used to take over access to tons of different applications that you have this is one of those solutions that is actually going to be used the Windows using the windows sub system for Linux and so with the windows subsystem Linux this is going to go in it's going to essentially create a clone of a website in this scenario I'm going to show you the blue prism portal because I'm sure everybody on here since a lot of you are RPA are probably familiar with the portal account it's going to actually clone that website it's going to weigh it to a local web server it's going to issue an SSL certificate and then it's going to send out emails to a couple of different users that I have set up on it and as those users take emails um they're going to open it up it's going to look very similar it's and this is mainly simulating targeted attacks so it's going to look very similar to some of the emails that you may have actually seen come from Blue prism in the past month or so so some of you may see that and then it's just going to take them to that that temporary web server that we have set up and then it's going to do credential harvesting and in an Enterprise use case the digital worker won't save the credentials it's just going to say person a b and c all for it time to sign them up for some training this first video I'm going to show I'm just gonna let it go through a little bit slowly and just talk to what it's doing just so you can get a get an idea of what it's working on so I'm gonna go ahead and keep going I'll just talk through it as it's gone so if any of you have worked with blue prism before and seen some of our templates so this is the best way that we're trying to adapt templates that we have available on our training portal and so it's going to go in it's going to do different work steps like the startup steps of going in loading the queue getting your application started up in this instance it's supportsystem.com application that we come in weird for this use case and then once it has all those two items loaded it's going to go through each of those devices and it is pulling all of those different applications that's on it and it is query opencde and then as you can see now it's going in and it's creating a security ticket related to that CD so in this instance right here we can see that the virtual machine that we were working with and it also lists the versions of you know the application it lists the name of device so in this instance it's giving the DNS the hosting of each device and it's going to give you a brief description and some information regarding the cve that it has and then it's going to keep going do and then it's going to cycle through all of these different applications you can check it out in the background so from a technical perspective it's not opening up many applications outside of the support system but what it's doing is in the backgrounds Jesse like we talked about a little bit briefly earlier is it's actually taking advantage of Powershell you the the checklight objects that we have it programmatically accessing Powershell right it's running all of those passing the credentials that it needs we're creating a temporary credential in the Powershell session that it has so that it's only temporarily able to run these queries so that way once it finishes note the permissions are no longer there and yeah so it just goes to it it's pretty quick and it does all these things and so once it finishes going through all of the devices as well it's just going to save a quick Excel report nothing fancy every company has their templates for things the report at the end is whatever UCL works best but for now it's just opening up it's just including all the data with things like the machine what's the software what's the cve and then it's going to distribute it to your team members does anybody have any questions around how blue prism can be expanded to work with vulnerability management or any use cases similar to this one quick comment hallucinates here we are working to automatically deploy um desktop software theoretically you could actually check the CD for the recommended update and then deploy it basically right you could literally package it using a few commands and then actually quite an interesting concept um yeah and that was one of the things that we were thinking about so we actually have an intern ownership to add in some additional use cases that are I.T Administration focused that kind of correspond with what these tools are doing too yeah so some of these might end up being joint so we'll see over the next last two years where that goes but but yeah those are one of the things that we're actually working too is either going in and deploying it using maybe like an MSI file that is on hand and automatically deploying those updated patches when we're leveraging something like no service now has a lot of capabilities to do that stuff a lot of endpoint detection tools that Hilton now where you can force those patches through as well so it's whatever use case or whatever tools that an organization has um we want to build around some templates that kind of work around whatever solution that they have in place so that they didn't encamped it that's very interesting there's a comment here how it can help with patch deployments and I guess we walk through that a little bit but I don't know yes so for yeah so again so patch deployments if there isn't any software available on the device and that's the actually the first use case that if you are interested amongst them now we can regroup I'll give everybody my email and we can show like show the progress on how that one's looking but for patch deployments that the way that we were thinking we could leverage this is being track of all the versions in all of the applications that an organization has and then leveraging a repository whether it be access via SFTP or network share again just depends on the setup and pooling those updated versions for the devices that are vulnerable and haven't had paths deploys yet and actually leveraging some of the again some of those features that Powershell makes available with a lot of renewal modules that they have and forcing those installations on those devices and that enforcing restarts through policy updates and stuff like that does that can I answer your question okay I'm not sure but we'll keep going we got yes it did wonderful and then David's got a question here where am I able to find a list of your data connectors we have our digital exchange that blue prism makes it available to all of our customers any questions does your product support automation uh centralized logging architecture yes so to practice the whole a lot of these would still have to be built out only get custom a case-by-case basis these are just sample processes and Sample actions and components within the blue prism that we're provided to get you started you know depending on architecture you have in place or maybe use Azure AWS reliable cloud services in a lot of cases it would just be a case-by-place basis in the end the sales pitches RPA can do everything but if you identified what it would add the most value in then I think let me just see a case or case basis on whether RPA would be the best solution for it Yeah in our organization we do actively download files and not for system data but really for financial data but it's the same thing actively so we log into an Enterprise app and then download Excel documents you dumps or reports or and we also access apis then we also access the databases directly and so there's a lot of different mechanisms to access data using our yeah and with the use cases too one of the things that we wanted to think about with the prism is and this is probably more like government specific is when you're accessing logs and data that require things like security appearances if any of you are familiar with how long it could take to get permission from one compartmentalized area of government to another mineralized area of government you could be six to 12 months waiting to get permissions just to check the logs so ones to set a thing but but RPA doesn't require security clearance it's not a person so you know those are all right thank you very much all right we're we're back right and then could you read me as a host Showplace I sure can yeah wonderful all right let's uh I'm going to restart my screen share great and then I'm going to pop open this next video that we want to we'll do a quick overview up so this next use case and can everybody see my screen yep perfect so this next use case is actually leveraging the windows sub system for Linux and a tool that comes with carry Linux called NC toolkit so SC toolkit for those of you who aren't familiar it's called a social engineering toolkit it's used to replicate a lot of social engineering attacks which are simulations that would Target specific end users within an organization and try to trick them into giving you credentials and things like that so this is SC toolkit something that's freely available online it's an open source project and it's it's very popular and widely used by security researchers and Pen testers so what you're going to see in this automation is it's going to go in and blue prism is going to actually retrieve a quick list of users so in this case it's just going to be me it's going to take that user add it to a queue and then it's also going to create a clone of the blue prism portal and then it's going to send out a link to my email address and then what you're going to see is me going in reading the email and then we're going to open it up and just see how we're able to drive that use case and drive this tool which would otherwise be something that's handled manually and we're able to drive this tool using RPA specifically to actually make it something that is scheduled something that's running frequently and that is able to Target different user groups at different times in a very quick period of time so I'm going to go ahead and kick it off and just let it start running and I'm going to pause periodically just to show different things that are happening so again it's going through opening a Windows subsystem for Linux for those of you who've used Windows terminal before it's just like Powershell but it's very quick and so everything that it's doing is command line based however we are using the I am using the web interface for this one specifically because it's a demo I want to make it look fun and so we're going to Leverage The or blue prism is going to leverage the site cloner tool that that ISC toolkit makes available we're going to provide a local IP address to to use we're going to provide a URL for the page that we want to clone in this instance it's going to be the user login page and then it's going to send a link to that to all of the users that you have listed and so now we can see it went in and set the link and it just finished creating that that campaign and so now what I'm doing right now is I'm here in my inbox as you can see most recent emails from Jessie and then the next one is going to be from this digital worker I'm going to pause my screen first and see if anybody can see from this email what is off other than a vast virus free Avast footer in this email see anything with golf from what you would expect to see from Blue prism in an email the email address yeah exactly yep a big thing hackers are doing is for one one dollar in the form of some different cryptocurrency it's very easy to now anonymously purchase domains and actually get it secretly using a hosting provider in somewhere like Switzerland or other parts of the world that don't keep track of that data and then they use that to actually Target specific areas within an organization and so this simulation right here is actually targeting people that are using blue prism and then my next question is has anybody seen this email before so everybody that you know is part of the blue prism portal that that receives updates around our product updates and announcements this was actually one of the emails that was sent out previously to everybody that is a blue prism customer or blue prism partner and so this is just again a clone of that email with some slight changes into it to try and really trick the users and so the goal of that is just to make sure users are always checking for the little things like maybe a footer's changed maybe the URL has like a letter off or something like that and so I'm going to let it keep going and as you can see it's pretty quick the next thing that a user would have going and check and that most people don't do is that that those hyperlinks so typically this would be a link to a blue prism portal page but in this instance it's localhost or um in a larger simulation it would be something like portal.blue prisonfoodprison.com just to simulate how users can recreate those different items and so once Sid opens it up so the tool that we used SC toolkit does a very good job of cloning those websites so you know essentially to the point where it's even able to pull in the cookie pops asking what are your preferences for cookies and so part of these simulations is one did the users actually access the page and so as you can see me as the the test subject for this use case I access the page I open it up and I'm just going to start clicking through it and I'm going to act like I'm trying to log into it so I'm going to accept all of the cookies I'm gonna put in a username and password or the name of the company that was on me and so once the tool that we're leveraging once it goes in and you know it does its thing then it redirects you another very common tap that's used that a lot of end users always fall for and so this simulation is trying to replicate again some of those tactics that happen and so now we're going to look at what the digital worker sees so our digital worker is seeing possible parameters again it's creating these clones of the website's ad hoc so it's not going to have a permanent website or it's not going to have a static website that it's always playing it's going to change every time and then it's going to identify the different fields that are within the form so in this instance we see two parameters we see the username field which is brady.cusic blueprison.com and then we also see the
possible password field and so you can see that I put in password one as my password obviously that's not my password I wouldn't share it publicly but it pulls in those passwords that users might have accidentally put into it from a digital worker we don't want the digital worker to read it and keep all the passwords but we do want to see that hey they put in a parameter of their email address so somebody fell for this phishing campaign and yeah it's very robust from here once we actually have all of these things brought in once it's actually gone through it started these campaigns you can just let it run so the digital worker can move on to doing other tasks and just let this run in in the background it doesn't need to go in and every five minutes outdated we could leave this campaign running for a week and then whatever your organization decides to do after that whether it be go through and assign training to everybody go through and lock people out of their accounts because they fell for it so does anybody have any questions regarding how blue prism can simulate these types of use cases or how it can actually work with the windows sub system for Linux and these tools in general this one's obviously a great mechanism too test is yeah two yeah you are clearly email is one of the biggest ways to actually car this kind of data and so yeah it makes great sense to do it the biggest vulnerability in any organization cyber security infrastructure isn't it's almost never the technology it's almost always the people falling for these types of these types of phishing attacks so yeah it's always it falls on that you always need to train people always need to just get them used to checking it because if you keep them them looking at it and you they keep falling for the same tricks then they have to keep going through the training and then eventually they're like oh gosh I don't want to have to do that training again so I guess I should read the email now hmm yeah it's really great for social engineering awesome thank you very much everyone I I was really excited to present this again to everybody on the call if nobody has any questions what I'm going to do is I'm going to leave my email in the chat here where you can also see it captured by SC toolkit and then if anybody on the call has any questions any use cases that you want to explore I don't have a life so I have a ton of time making to make these things out and I have a blast doing it so if anybody has use cases that you'd be interested in seeing demoed out for your organization or just because you think it's cool please send me an email because I would love to build it because I'd love nothing more to go because it's so much fun sounds good thanks so much Brady's interesting use case is a few ideas in my mind as well so thank you so much thank you very much everyone
2023-05-21 05:04
