WEBVTT

00:00:00.264 --> 00:00:04.338
Imagine I'm sitting in AWS or Azure, what can you do?

00:00:04.338 --> 00:00:07.134
We can image a lot of those.

00:00:07.134 --> 00:00:11.509
They have virtual block devices, and we can go in and grab those,

00:00:11.509 --> 00:00:13.228
and pull those images down.

00:00:13.228 --> 00:00:17.382
It takes a lot longer because we're pulling an image over the internet,

00:00:17.382 --> 00:00:19.895
and you set up a secure tunnel on one side,

00:00:19.895 --> 00:00:21.460
secure tunnel on the other side,

00:00:21.460 --> 00:00:25.606
and you run some commands that will make a forensic image.

00:00:25.606 --> 00:00:27.923
But a lot of times,

00:00:27.924 --> 00:00:31.759
we have to do things like logical captures where we're just getting the data as

00:00:31.759 --> 00:00:36.441
it sits from the web root and looking through that code.

00:00:36.441 --> 00:00:38.759
Do you still get stuff, because I'm not an expert at this,

00:00:38.759 --> 00:00:42.497
do you still get stuff, like the free space and deleted files,

00:00:42.498 --> 00:00:44.806
from those cloud images?

00:00:44.807 --> 00:00:46.026
Not as much.

00:00:46.026 --> 00:00:49.925
Again, if you can get a virtual block device,

00:00:49.925 --> 00:00:55.725
you can get virtual deleted space, or unallocated space.

00:00:55.725 --> 00:00:57.525
Slack space you can get if you're pulling an image.

00:00:57.525 --> 00:01:01.034
But if you're doing a logical capture, you're just getting the files.

00:01:01.035 --> 00:01:04.251
So you're losing some forensic abilities there.

00:01:04.251 --> 00:01:07.540
Is that a problem for you now in your industry?

00:01:07.540 --> 00:01:14.903
Not so much since we've seen the attacks moving more to the client side.

00:01:14.903 --> 00:01:18.872
We saw credit cards being hidden in unallocated space more on

00:01:18.872 --> 00:01:22.079
the server side where the attacker has greater control over

00:01:22.079 --> 00:01:25.182
the kernel or over the web server.

00:01:25.182 --> 00:01:29.704
Then they would try to hide data in those more sophisticated ways.

00:01:29.704 --> 00:01:33.575
With the client-side attacks, we usually find those,

00:01:33.575 --> 00:01:37.992
and we find the attack is revealed in the logical capture of the data.

00:01:37.992 --> 00:01:42.387
From my perspective, if I was the criminal, the server-side attack's hard.

00:01:42.387 --> 00:01:44.086
The client-side attack's easy.

00:01:44.087 --> 00:01:45.693
I don't require persistence.

00:01:45.694 --> 00:01:47.503
I'm less likely to get detected.

00:01:47.503 --> 00:01:49.621
Why would anyone do a server-side attack anymore,

00:01:49.621 --> 00:01:54.661
especially now that everyone's seen how to do client-side attacks really well?

00:01:54.661 --> 00:01:57.387
If you can still pull off a server-side attack,

00:01:57.387 --> 00:02:01.581
you can hide yourself very, very well.

00:02:01.582 --> 00:02:06.563
And so the persistence that you can maintain on a user's website

00:02:06.563 --> 00:02:10.411
is far greater than if you were relying on a third-party code

00:02:10.411 --> 00:02:13.032
that may not be there in two weeks.

00:02:13.032 --> 00:02:15.010
So a sophisticated attack is to go server side,

00:02:15.010 --> 00:02:18.203
less sophisticated attack is go client side.

00:02:18.203 --> 00:02:24.929
Client side, we're seeing a lot more surface area for the attackers to hit.

00:02:24.930 --> 00:02:27.186
On server side,

00:02:27.186 --> 00:02:32.308
they're really depending on the merchant not being in PCI compliance

00:02:32.308 --> 00:02:38.611
to pull off a sophisticated server-side attack.
