1
00:00:01,199 --> 00:00:03,060
Going live. Woo hoo.

2
00:00:03,919 --> 00:00:06,799
We are live. We're live, Yasmin. Yep. Welcome

3
00:00:06,799 --> 00:00:07,459
to preshow.

4
00:00:07,915 --> 00:00:10,394
How much do you think like, how much

5
00:00:10,394 --> 00:00:12,075
internal debate do you think there was for

6
00:00:12,075 --> 00:00:14,155
adding the sad face to the Microsoft blue

7
00:00:14,155 --> 00:00:15,969
screen? Like, do you think they fought about

8
00:00:15,969 --> 00:00:17,489
that, or do you think someone just rolled

9
00:00:17,489 --> 00:00:19,329
that out? No. That was that shit just

10
00:00:19,329 --> 00:00:19,829
rolled.

11
00:00:20,210 --> 00:00:20,929
Really? I

12
00:00:21,649 --> 00:00:23,410
p if they if they went anywhere near

13
00:00:23,410 --> 00:00:25,744
PR or legal, they're like, woah. Woah. Woah. Woah.

14
00:00:25,964 --> 00:00:27,964
That sad face goes way back to, like,

15
00:00:27,964 --> 00:00:28,464
95.

16
00:00:29,244 --> 00:00:30,844
That really didn't I thought they added it

17
00:00:30,844 --> 00:00:33,960
in Windows 10 or Windows 8. Oh, now

18
00:00:33,960 --> 00:00:36,679
it's old. No. It's sad faces around that.

19
00:00:36,679 --> 00:00:37,179
Yeah.

20
00:00:38,119 --> 00:00:38,619
Yeah.

21
00:00:39,159 --> 00:00:41,000
I saw the proposal for that to,

22
00:00:42,155 --> 00:00:42,655
like,

23
00:00:43,195 --> 00:00:45,274
for drivers that cause that type of blue

24
00:00:45,274 --> 00:00:47,435
screen that it should fetch from a database

25
00:00:47,435 --> 00:00:49,590
or company logos and put that logo there

26
00:00:49,670 --> 00:00:51,189
love that idea. Face. That's cool. That's what

27
00:00:51,189 --> 00:00:52,469
the world that's what the world needs right

28
00:00:52,469 --> 00:00:53,750
now. Not not love, sweet love, but that.

29
00:00:53,750 --> 00:00:54,810
It's, like, this is

30
00:00:57,954 --> 00:01:00,274
It's like, this is a particular this blue

31
00:01:00,274 --> 00:01:01,975
screen brought to you by CrowdStrike.

32
00:01:02,675 --> 00:01:03,175
Absolutely.

33
00:01:03,635 --> 00:01:06,034
Stop all It wasn't added until Windows 8.

34
00:01:06,115 --> 00:01:08,180
Positives. Yeah. I I just wanna set the

35
00:01:08,180 --> 00:01:09,859
record straight. The sad face did not appear

36
00:01:09,859 --> 00:01:10,920
until Windows 8.

37
00:01:11,700 --> 00:01:13,379
Oh my god. I thought the sad face

38
00:01:13,379 --> 00:01:15,959
predated. I I I remember I remember, like,

39
00:01:16,055 --> 00:01:18,375
XP never having XP was just fatal system

40
00:01:18,375 --> 00:01:20,775
error. You're just No. I'm like, goddamn it.

41
00:01:20,775 --> 00:01:23,094
Like, there goes StarCraft. Yeah. Sad face is

42
00:01:23,094 --> 00:01:24,295
new. That's what I'm saying. Who do you

43
00:01:24,295 --> 00:01:25,359
think added it? You think they got a

44
00:01:25,359 --> 00:01:26,719
big bonus, or was there a big debate

45
00:01:26,719 --> 00:01:29,200
about is a sad face admitting guilt? They're

46
00:01:29,200 --> 00:01:31,039
probably like, we're gonna remove Clippy. Too much

47
00:01:31,039 --> 00:01:32,640
like that. We're gonna have this. I've actually

48
00:01:32,640 --> 00:01:33,759
got a picture of me with the guy

49
00:01:33,759 --> 00:01:34,739
who killed Clippy,

50
00:01:37,655 --> 00:01:38,395
from Microsoft.

51
00:01:40,135 --> 00:01:41,355
You mean, Copilot?

52
00:01:41,870 --> 00:01:44,270
What what an epithet. The guy who killed

53
00:01:44,270 --> 00:01:44,770
Clippy.

54
00:01:45,790 --> 00:01:46,290
Yeah.

55
00:01:46,909 --> 00:01:48,590
I see you're trying to make a ChatGPT

56
00:01:48,590 --> 00:01:51,165
clone. I'd like to help. Do you

57
00:01:51,165 --> 00:01:52,064
need any help?

58
00:01:52,444 --> 00:01:54,045
Yeah. I don't know. I've gotta find it,

59
00:01:54,045 --> 00:01:55,165
but I have a picture with that guy.

60
00:01:55,165 --> 00:01:56,444
He was in one of my classes, and

61
00:01:56,444 --> 00:01:57,505
he was the deciding,

62
00:01:57,930 --> 00:01:59,450
Like, they had a a a vote in

63
00:01:59,450 --> 00:02:01,369
a room, and he was the deciding vote.

64
00:02:01,369 --> 00:02:02,189
It was 50/50,

65
00:02:02,569 --> 00:02:03,849
and he was the one to kill it,

66
00:02:03,849 --> 00:02:05,310
and he was the one that killed Clippy.

67
00:02:05,724 --> 00:02:07,024
I put that on my resume.

68
00:02:07,484 --> 00:02:09,324
Well, we need to get going. Let's bring

69
00:02:09,324 --> 00:02:10,944
out a crooked finger.

70
00:02:11,644 --> 00:02:12,144
Alright.

71
00:02:12,659 --> 00:02:13,479
Here we go.

72
00:02:27,455 --> 00:02:29,375
Hello, and welcome to another edition of Black

73
00:02:29,375 --> 00:02:31,969
Hills Information Security talking about news. And I

74
00:02:31,969 --> 00:02:32,790
assure you,

75
00:02:33,170 --> 00:02:35,490
we truly have some stories this week that

76
00:02:35,490 --> 00:02:36,469
don't involve

77
00:02:37,885 --> 00:02:38,385
CrowdStrike.

78
00:02:38,925 --> 00:02:40,145
Let's talk about CrowdStrike.

79
00:02:40,444 --> 00:02:40,944
Square.

80
00:02:41,245 --> 00:02:42,705
We'll get to those stories

81
00:02:44,284 --> 00:02:46,739
later. Alright. John, John, I will pay you

82
00:02:46,739 --> 00:02:48,680
$10 if we don't talk about CrowdStrike.

83
00:02:50,659 --> 00:02:52,519
Done. Just throw up your Venmo.

84
00:02:52,819 --> 00:02:54,254
Throw up your Venmo if you want

85
00:02:55,294 --> 00:02:57,534
So everyone's everyone that works for Black Hills

86
00:02:57,534 --> 00:02:59,375
Information Security is like, dude, our boss just

87
00:02:59,375 --> 00:03:01,455
got bought off for $10. I think the

88
00:03:01,455 --> 00:03:01,955
company

89
00:03:02,495 --> 00:03:04,800
I think the company is in trouble here.

90
00:03:05,520 --> 00:03:06,879
I think we've got I think we've got

91
00:03:06,879 --> 00:03:07,540
some issues.

92
00:03:08,719 --> 00:03:10,560
But, no, I mean, so there's been all

93
00:03:10,560 --> 00:03:12,080
kinds of weird things. Wasn't there, like, a

94
00:03:12,080 --> 00:03:15,435
fake CrowdStrike update manual that actually was, like,

95
00:03:15,435 --> 00:03:17,594
how to install malware on your system? I

96
00:03:17,594 --> 00:03:18,955
think we need to start with that, and

97
00:03:18,955 --> 00:03:20,819
I need to lose the bet for the

98
00:03:20,819 --> 00:03:23,139
$10 because we called it last week when

99
00:03:23,139 --> 00:03:25,219
this happened that there was gonna be attacks

100
00:03:25,219 --> 00:03:26,819
coming out, you know, using this. And the

101
00:03:26,819 --> 00:03:28,039
domains that were registered,

102
00:03:28,425 --> 00:03:30,344
it was kind of crazy. So can we

103
00:03:30,344 --> 00:03:31,705
bring that story up, or do we have

104
00:03:31,705 --> 00:03:33,965
that handy? Yeah. Here we go. Fake CrowdStrike

105
00:03:34,104 --> 00:03:35,405
repair manual pushes

106
00:03:35,780 --> 00:03:38,180
info stealer malware. It's like, yeah. We couldn't

107
00:03:38,180 --> 00:03:39,079
see that coming.

108
00:03:40,019 --> 00:03:40,919
And there it is.

109
00:03:41,299 --> 00:03:43,299
That's the story. Mhmm. Are we per I

110
00:03:43,299 --> 00:03:45,319
get the impression we're burnt out on CrowdStrike.

111
00:03:45,604 --> 00:03:47,764
You take my money, John. You take it.

112
00:03:47,764 --> 00:03:49,784
We don't talk about CrowdStrike. I mean, let's

113
00:03:50,004 --> 00:03:51,604
let's let's let's let's just talk out. You

114
00:03:51,604 --> 00:03:53,044
don't talk. Okay. 1 Just like the first

115
00:03:53,044 --> 00:03:55,229
real fight book. Okay. One real thing we

116
00:03:55,229 --> 00:03:56,770
have. We have a victim here.

117
00:03:57,150 --> 00:03:59,250
Kelly, tell us about your experience.

118
00:04:00,510 --> 00:04:02,724
Did you blue screen at any point? What

119
00:04:02,724 --> 00:04:03,865
does that feel like?

120
00:04:05,365 --> 00:04:08,164
Well, Corey, that's a very personal question. Personal

121
00:04:08,164 --> 00:04:10,344
question. I think that's an HR infringement.

122
00:04:11,599 --> 00:04:13,680
I have blue screened. I blue screened at

123
00:04:13,680 --> 00:04:16,660
about 3:30 when my caffeine goes bye bye.

124
00:04:17,839 --> 00:04:18,339
So

125
00:04:18,720 --> 00:04:20,019
I need to re up.

126
00:04:20,754 --> 00:04:23,495
But, yes, I was caught in Delta's little

127
00:04:23,555 --> 00:04:25,954
CrowdStrike shenanigans, and my flight out of Salt

128
00:04:25,954 --> 00:04:27,095
Lake City was canceled.

129
00:04:27,730 --> 00:04:28,230
And,

130
00:04:28,689 --> 00:04:30,449
I think the issue is really more about

131
00:04:30,449 --> 00:04:33,730
Delta customer service than it is necessarily about

132
00:04:33,730 --> 00:04:34,230
CrowdStrike.

133
00:04:34,805 --> 00:04:36,644
But I hear your question, and I've got

134
00:04:36,644 --> 00:04:39,685
a question for you. That article about fake

135
00:04:39,685 --> 00:04:42,185
malware and fake fix manuals,

136
00:04:42,539 --> 00:04:45,100
Who do you think those articles are targeted

137
00:04:45,100 --> 00:04:47,339
at? Because we already know that there's fake

138
00:04:47,339 --> 00:04:49,039
stuff going around. Is that for

139
00:04:49,339 --> 00:04:51,660
junior or new sysadmins, or is that for

140
00:04:51,660 --> 00:04:52,160
executives?

141
00:04:52,925 --> 00:04:54,944
What are those articles? What are they for?

142
00:04:55,245 --> 00:04:57,004
Oh, that's interesting. Is this just some type

143
00:04:57,004 --> 00:04:58,925
of fear? Because, yeah, that did happen. Right?

144
00:04:58,925 --> 00:05:00,145
I mean but,

145
00:05:01,480 --> 00:05:03,240
because what does that mean for the downstream

146
00:05:03,240 --> 00:05:05,100
impacts on that? Are people

147
00:05:05,480 --> 00:05:07,819
literally gonna be like, don't trust user manuals

148
00:05:07,879 --> 00:05:08,379
anymore?

149
00:05:09,764 --> 00:05:12,004
I think it's just for IT people, and

150
00:05:12,004 --> 00:05:14,485
it's an exercise in if you put the

151
00:05:14,485 --> 00:05:16,404
cart before the horse and you don't establish

152
00:05:16,404 --> 00:05:18,449
a procedure and you just send people off

153
00:05:18,449 --> 00:05:20,449
to go try to fix things, it's gonna

154
00:05:20,449 --> 00:05:21,189
end badly.

155
00:05:21,810 --> 00:05:23,810
You have to have a plan for how

156
00:05:23,810 --> 00:05:25,425
IT people are gonna fix things and not

157
00:05:25,425 --> 00:05:27,524
just have every individual person googling

158
00:05:27,904 --> 00:05:29,925
how to fix CrowdStrike blue screen.

159
00:05:31,105 --> 00:05:34,040
Yeah. Yeah. Well, okay. Let let me let

160
00:05:34,040 --> 00:05:35,879
me back this up. So there was a

161
00:05:35,879 --> 00:05:36,379
huge,

162
00:05:37,959 --> 00:05:40,264
there was a huge conversation that came out

163
00:05:40,585 --> 00:05:43,485
of a mailing list that I am associated

164
00:05:43,545 --> 00:05:46,025
with, like, I'm still on from an organization

165
00:05:46,025 --> 00:05:47,699
that I'm no longer associated with.

166
00:05:48,259 --> 00:05:50,660
But the but the thread was huge, like

167
00:05:50,660 --> 00:05:52,980
like dozens and dozens and dozens of people

168
00:05:52,980 --> 00:05:54,120
going back and forth

169
00:05:54,500 --> 00:05:56,680
asking whether or not this is a security

170
00:05:56,819 --> 00:05:57,884
incident. And

171
00:05:58,345 --> 00:06:00,665
the two breakdowns were, yes, this impacts in

172
00:06:00,665 --> 00:06:03,805
the CIA triad confidentiality, integrity, and availability.

173
00:06:04,264 --> 00:06:05,404
This impacts availability.

174
00:06:06,300 --> 00:06:07,180
Then there's a bunch of people who are

175
00:06:07,180 --> 00:06:09,500
like, well, we don't treat every single random

176
00:06:09,500 --> 00:06:11,680
DOS or failure as a security incident.

177
00:06:12,220 --> 00:06:13,902
And then there was questions of whether or

178
00:06:13,902 --> 00:06:16,245
not intent was part of a security incident,

179
00:06:16,544 --> 00:06:17,745
and it went back and forth. And there

180
00:06:17,745 --> 00:06:20,144
were some really great nuanced conversations around that.

181
00:06:20,144 --> 00:06:21,904
So I got a question. Is this in

182
00:06:21,904 --> 00:06:23,365
fact a security incident?

183
00:06:25,509 --> 00:06:27,350
I I know I know the list that

184
00:06:27,350 --> 00:06:29,189
you were talking about because I was watching

185
00:06:29,189 --> 00:06:29,850
that list,

186
00:06:30,550 --> 00:06:32,710
and I think my comments sort of got

187
00:06:32,710 --> 00:06:34,925
lost in this in the center of it

188
00:06:34,944 --> 00:06:36,944
all. My my question and the way that

189
00:06:36,944 --> 00:06:38,384
I look at it is, are all the

190
00:06:38,384 --> 00:06:39,985
companies that are affected by it going to

191
00:06:39,985 --> 00:06:41,889
be filing with that are public gonna be

192
00:06:41,889 --> 00:06:43,990
filing with the SEC per the regulations

193
00:06:45,410 --> 00:06:47,729
for a security incident? If they if they're

194
00:06:47,729 --> 00:06:48,050
not

195
00:06:48,584 --> 00:06:50,904
if if this is not a security incident,

196
00:06:50,904 --> 00:06:52,045
they don't have to.

197
00:06:53,225 --> 00:06:55,305
Well, if if the computer's down, it's not

198
00:06:55,305 --> 00:06:56,904
available and you can't hack it. Therefore, it's

199
00:06:56,904 --> 00:06:58,045
not a security incident.

200
00:06:58,589 --> 00:07:00,449
Well but it affects the materiality

201
00:07:00,990 --> 00:07:03,389
of an organization's bottom line, and that's what

202
00:07:03,389 --> 00:07:04,689
the SEC cares about.

203
00:07:05,069 --> 00:07:07,105
So if you ain't got no computer, you

204
00:07:07,105 --> 00:07:08,485
ain't got no business

205
00:07:09,105 --> 00:07:11,425
in some cases. So wait. Has anyone reported

206
00:07:11,425 --> 00:07:12,324
it to the SEC

207
00:07:12,865 --> 00:07:14,785
at all? I've not I've not seen any

208
00:07:14,785 --> 00:07:16,550
reports on it, and they're supposed to report

209
00:07:16,550 --> 00:07:17,610
within 4 days

210
00:07:17,990 --> 00:07:21,589
according to SEC regulations. But but there's a

211
00:07:21,589 --> 00:07:24,704
national security clause, so they may have exercised

212
00:07:24,764 --> 00:07:26,944
that national security clause and said,

213
00:07:27,404 --> 00:07:29,430
nope. And so they get a bit of

214
00:07:29,589 --> 00:07:31,610
waste time as they work with the FBI.

215
00:07:31,750 --> 00:07:33,189
That may be why you're not seeing it

216
00:07:33,189 --> 00:07:33,689
yet.

217
00:07:34,389 --> 00:07:36,069
I this question is is how many of

218
00:07:36,069 --> 00:07:38,229
these companies are working with the FBI at

219
00:07:38,229 --> 00:07:40,154
this point in time over something that is

220
00:07:40,154 --> 00:07:41,055
a known quantity

221
00:07:41,514 --> 00:07:44,235
that is not effect it's not directly attacking

222
00:07:44,235 --> 00:07:44,735
them.

223
00:07:45,035 --> 00:07:47,995
Despite fight. Yes. It's okay. I do it.

224
00:07:47,995 --> 00:07:51,189
Here's here's okay. John, first of all, you

225
00:07:51,189 --> 00:07:54,069
owe me $10 now. I do. I do.

226
00:07:54,069 --> 00:07:54,569
Basically,

227
00:07:54,949 --> 00:07:57,925
the my here's my take. If we take

228
00:07:57,925 --> 00:08:00,404
the spirit of what a security incident is,

229
00:08:00,404 --> 00:08:02,104
aka an impact to availability,

230
00:08:03,899 --> 00:08:05,724
whatever. I think it is a security incident.

231
00:08:05,724 --> 00:08:06,303
I think if you take the legal definition

232
00:08:06,303 --> 00:08:06,882
of a security incident, then no. And I

233
00:08:06,882 --> 00:08:09,029
would say it comes down to, for each

234
00:08:09,029 --> 00:08:09,529
company,

235
00:08:11,925 --> 00:08:14,905
who handles disaster recovery, IT or security.

236
00:08:15,365 --> 00:08:17,605
Some places it's both, some places it's one

237
00:08:17,605 --> 00:08:18,345
or the other.

238
00:08:18,645 --> 00:08:21,600
Most companies, the security team's getting involved when

239
00:08:21,759 --> 00:08:23,680
x number of systems are blue screening. So

240
00:08:23,680 --> 00:08:26,080
I would say it's security incident, but not

241
00:08:26,080 --> 00:08:28,080
from a legal perspective. It's, like, kind of

242
00:08:28,080 --> 00:08:29,574
a, you know, get out of jail free

243
00:08:29,574 --> 00:08:31,894
card, but Oh. Does anybody have a faulty

244
00:08:31,894 --> 00:08:34,214
counter take? I don't think companies are gonna

245
00:08:34,214 --> 00:08:36,134
report this to the SEC and claim, oh,

246
00:08:36,134 --> 00:08:38,159
we're investigating with the FBI. Like, everyone knows

247
00:08:38,159 --> 00:08:39,919
what happened. It's not I don't know. Anyway

248
00:08:40,080 --> 00:08:41,519
I think if you claim if you claim

249
00:08:41,519 --> 00:08:43,120
it was that and you do tell the

250
00:08:43,120 --> 00:08:44,559
FBI, then it, like, puts you on the

251
00:08:44,559 --> 00:08:46,514
naughty list and everyone's like, well, they did

252
00:08:46,514 --> 00:08:48,615
have a security incident. Right? Like,

253
00:08:48,915 --> 00:08:51,315
then Totally. I I I let's get some

254
00:08:51,315 --> 00:08:52,915
let's get some let's get some of the

255
00:08:52,915 --> 00:08:55,529
hot takes from our listeners as well.

256
00:08:56,629 --> 00:08:58,149
See if anybody has a take on this

257
00:08:58,149 --> 00:09:00,870
other than just GIFs of cute fat cats

258
00:09:00,870 --> 00:09:01,370
fighting.

259
00:09:04,455 --> 00:09:07,095
Security incident doesn't require a malicious actor or

260
00:09:07,095 --> 00:09:08,875
software, though. Is that true?

261
00:09:09,815 --> 00:09:10,955
Satral said.

262
00:09:11,309 --> 00:09:13,549
You could argue that the kernel driver was

263
00:09:13,549 --> 00:09:15,789
malicious. It wasn't intentionally malicious, but it was

264
00:09:15,789 --> 00:09:16,610
still malicious.

265
00:09:17,309 --> 00:09:19,070
It it doesn't have to be an issue.

266
00:09:19,070 --> 00:09:21,294
Now we're gonna have to define malicious, though.

267
00:09:21,294 --> 00:09:23,875
Yeah. Like, is malicious and intentfully,

268
00:09:24,254 --> 00:09:25,934
like, bad, or did it just do something

269
00:09:25,934 --> 00:09:28,014
bad on accident? Right. And as someone who

270
00:09:28,014 --> 00:09:30,429
has to write reports every day about, is

271
00:09:30,429 --> 00:09:32,429
this malicious or not, this can go deep

272
00:09:32,429 --> 00:09:33,169
real quick.

273
00:09:33,789 --> 00:09:35,870
Like, is it malicious? Is it suspicious or

274
00:09:35,870 --> 00:09:37,649
is it just a benign positive?

275
00:09:38,024 --> 00:09:39,304
Right? Like, did it do that? I mean,

276
00:09:39,304 --> 00:09:41,625
how would you describe this as malicious? But

277
00:09:41,625 --> 00:09:42,985
but then how does it mean they did

278
00:09:42,985 --> 00:09:44,824
it on purpose? You did so then it

279
00:09:44,824 --> 00:09:46,504
was then how would you what would you

280
00:09:46,504 --> 00:09:48,750
classify this as then if it's not malicious?

281
00:09:48,970 --> 00:09:50,649
I think this is the IP image. I

282
00:09:50,649 --> 00:09:52,810
don't think this is a security incident. I

283
00:09:52,810 --> 00:09:54,914
will go there. I love the shit. You

284
00:09:54,914 --> 00:09:57,394
guys So it's not malicious. It's I'm trying

285
00:09:57,394 --> 00:09:57,975
to remember.

286
00:09:58,434 --> 00:09:59,495
It's defective. It's defective

287
00:09:59,875 --> 00:10:01,634
product. Yeah. Yeah. It's a defective product that

288
00:10:01,634 --> 00:10:02,934
you did on somebody, though.

289
00:10:03,590 --> 00:10:05,769
But if you kill somebody, but it isn't

290
00:10:06,149 --> 00:10:08,230
you didn't intend to kill them, you can

291
00:10:08,230 --> 00:10:09,850
still be prosecuted.

292
00:10:10,230 --> 00:10:12,090
I don't I'm not a lawyer. For manslaughter.

293
00:10:12,399 --> 00:10:15,813
Homicide. It depends. It depends. Okay. So but

294
00:10:15,813 --> 00:10:18,961
still, you've got somebody who's dead. So Under

295
00:10:18,961 --> 00:10:20,360
manslaughter. There's still

296
00:10:21,060 --> 00:10:21,909
great Bronwyn.

297
00:10:23,409 --> 00:10:24,069
In this

298
00:10:24,610 --> 00:10:25,110
case,

299
00:10:26,690 --> 00:10:29,809
whether CrowdStrike intended it to be malicious or

300
00:10:29,809 --> 00:10:30,309
not,

301
00:10:32,154 --> 00:10:34,095
millions, millions of people were impacted.

302
00:10:34,875 --> 00:10:37,115
So I would say it's still a security

303
00:10:37,115 --> 00:10:37,615
incident.

304
00:10:39,019 --> 00:10:40,940
I think Cyberman Fox is the only one

305
00:10:40,940 --> 00:10:42,540
that's been running. By the way, links to

306
00:10:42,540 --> 00:10:44,460
the actual 8-K filing that,

307
00:10:45,100 --> 00:10:46,879
CrowdStrike put in with the SEC.

308
00:10:47,764 --> 00:10:49,764
Yeah. Oh, Marky. There you go being all

309
00:10:49,764 --> 00:10:50,264
serious.

310
00:10:50,565 --> 00:10:52,804
No. Someone's gonna I'm sorry. I I know

311
00:10:52,804 --> 00:10:55,125
I'm I'm I'm mister paperwork over here. Job.

312
00:10:55,125 --> 00:10:56,964
Here's another here's another way of looking at

313
00:10:56,964 --> 00:10:58,410
it, though. For CrowdStrike,

314
00:10:58,790 --> 00:11:00,790
it can be a security incident where they're

315
00:11:00,790 --> 00:11:03,050
filing their 8-K. For their customers,

316
00:11:03,590 --> 00:11:05,590
it might not be a security incident. It's

317
00:11:05,590 --> 00:11:06,730
in the IT incident

318
00:11:07,894 --> 00:11:10,054
because it's their IT department's dealing with it.

319
00:11:10,054 --> 00:11:11,754
So you could have it both ways.

320
00:11:12,134 --> 00:11:14,455
Alright. But it impacted the AMUS was down.

321
00:11:14,455 --> 00:11:15,595
Would you file that incident?

322
00:11:16,420 --> 00:11:17,940
Yeah. That's one of the questions. Love this

323
00:11:17,940 --> 00:11:19,879
is the CIA triad is dumb.

324
00:11:23,754 --> 00:11:26,154
This thing is completely predicated on the fact

325
00:11:26,154 --> 00:11:28,315
that we're just going to take what the

326
00:11:28,315 --> 00:11:30,975
(ISC)² said as at face value,

327
00:11:31,480 --> 00:11:33,080
that at face value that, you know, oh,

328
00:11:33,080 --> 00:11:36,200
computer security is confidentiality, integrity, and availability. Any

329
00:11:36,200 --> 00:11:38,299
impact on any of those different three things

330
00:11:38,600 --> 00:11:40,620
is going to be a security incident.

331
00:11:41,585 --> 00:11:43,504
And and I love that. But I but

332
00:11:43,504 --> 00:11:45,424
I love how all the arguing that we're

333
00:11:45,424 --> 00:11:48,920
doing is assuming that. Right? Like, we're all

334
00:11:48,920 --> 00:11:51,500
assuming that that is a starting point,

335
00:11:52,200 --> 00:11:53,740
for this entire conversation.

336
00:11:54,120 --> 00:11:56,040
So I wanna put this out there I

337
00:11:56,040 --> 00:11:57,995
wanna put this out there as a thought

338
00:11:58,054 --> 00:11:58,714
for everybody,

339
00:11:59,575 --> 00:12:01,495
because I've watched that that thing go back

340
00:12:01,495 --> 00:12:03,735
and forth. I do believe insofar as security

341
00:12:03,735 --> 00:12:05,894
teams in an incident it is because we're

342
00:12:05,894 --> 00:12:08,370
talking about it. Security teams are dealing with

343
00:12:08,370 --> 00:12:10,769
it. It is a security problem that we're

344
00:12:10,769 --> 00:12:11,990
going to have to deal with.

345
00:12:12,690 --> 00:12:14,769
However, we're gonna actually stick to definitions and

346
00:12:14,769 --> 00:12:17,294
terms it's not. It was a security event,

347
00:12:18,235 --> 00:12:19,214
not an incident.

348
00:12:19,514 --> 00:12:21,674
And there's a difference between these two things.

349
00:12:21,674 --> 00:12:24,315
An event is a security occurrence that happens

350
00:12:24,315 --> 00:12:25,214
in an organization

351
00:12:25,740 --> 00:12:27,440
that absolutely can impact CIA.

352
00:12:27,899 --> 00:12:29,659
An incident means that there's some type of

353
00:12:29,659 --> 00:12:32,639
malicious act. There's actually a threat actor associated

354
00:12:32,860 --> 00:12:33,424
with that.

355
00:12:33,904 --> 00:12:35,205
Now this absolutely

356
00:12:35,745 --> 00:12:38,144
can be part of a security incident. In

357
00:12:38,144 --> 00:12:40,799
a couple of examples, example number 1, a

358
00:12:40,799 --> 00:12:43,200
whole bunch of ransomware groups putting out different

359
00:12:43,200 --> 00:12:44,820
user manuals that are using

360
00:12:45,279 --> 00:12:47,360
this, trick to get people to use the

361
00:12:47,360 --> 00:12:50,294
user manual that install Infostealer logs. And example

362
00:12:50,294 --> 00:12:53,195
number 2, domains that are being registered associated

363
00:12:53,335 --> 00:12:54,714
with this particular event

364
00:12:55,014 --> 00:12:57,815
that are used to spread malware, ransomware, and

365
00:12:57,815 --> 00:13:00,389
various attacks. That is a security incident.

366
00:13:00,769 --> 00:13:03,570
This is an event that feeds into those

367
00:13:03,570 --> 00:13:04,870
other security incidents.

368
00:13:05,329 --> 00:13:07,889
Also, if your organization is seriously thinking about

369
00:13:07,889 --> 00:13:10,914
ripping and replacing CrowdStrike because of this, it

370
00:13:10,914 --> 00:13:13,074
went from an event to a security incident

371
00:13:13,074 --> 00:13:15,814
because at that point, it's going to impact

372
00:13:15,875 --> 00:13:17,814
the overall security of the organization.

373
00:13:18,889 --> 00:13:21,210
I'm using this because, once again, the organization

374
00:13:21,210 --> 00:13:22,730
I used to teach with that shall not

375
00:13:22,730 --> 00:13:23,389
be named,

376
00:13:24,090 --> 00:13:26,009
this is what we drilled into people's heads,

377
00:13:26,009 --> 00:13:28,190
that there is a difference between an event

378
00:13:28,475 --> 00:13:30,235
and there is a difference between that and

379
00:13:30,235 --> 00:13:30,975
an incident.

380
00:13:31,355 --> 00:13:33,995
This is absolutely an incident if your organization

381
00:13:33,995 --> 00:13:35,789
is looking to rip and replace. This is

382
00:13:35,789 --> 00:13:38,509
absolutely an incident if you are dealing with

383
00:13:38,509 --> 00:13:41,149
incoming spear phishing attacks with the domains that

384
00:13:41,149 --> 00:13:42,529
are using this event

385
00:13:42,830 --> 00:13:44,210
to further their attacks.

386
00:13:44,774 --> 00:13:47,335
So with that type of clarification, it is

387
00:13:47,335 --> 00:13:50,134
absolutely an event that can be a security

388
00:13:50,134 --> 00:13:53,250
incident when the certain, like, criteria apply or

389
00:13:53,250 --> 00:13:55,730
not. Does that help clear thing clear things

390
00:13:55,730 --> 00:13:57,649
up at all? I think you nailed it.

391
00:13:57,649 --> 00:13:59,410
I feel that's fair. You scattered right on

392
00:13:59,410 --> 00:14:00,850
the front of the like that. Was that

393
00:14:00,850 --> 00:14:02,355
in a circle that came in? Caught that.

394
00:14:02,355 --> 00:14:04,995
But I still like cyber manslaughter better. Anyway,

395
00:14:04,995 --> 00:14:07,554
so I'll add one thing. Everything I just

396
00:14:07,554 --> 00:14:08,054
said,

397
00:14:09,029 --> 00:14:11,110
somebody just said, did you just drop into

398
00:14:11,110 --> 00:14:13,590
Sam's explaining? It's like the string got pulled

399
00:14:13,590 --> 00:14:14,490
in my back.

400
00:14:14,790 --> 00:14:18,009
And were you just saying explaining slide 24.

401
00:14:18,245 --> 00:14:20,804
It's like slide 24, day 1, the incident

402
00:14:20,804 --> 00:14:23,205
handling day. What is the difference between an

403
00:14:23,205 --> 00:14:25,625
incident and an event? So,

404
00:14:26,639 --> 00:14:28,240
so Let me add Go ahead. Let me

405
00:14:28,240 --> 00:14:30,320
add Go ahead, Kelly. What you said was

406
00:14:30,320 --> 00:14:32,639
was brilliant. I agree with it. So we

407
00:14:32,639 --> 00:14:34,740
talk you mentioned we went from an incident,

408
00:14:34,794 --> 00:14:36,954
I'm sorry, an event to an incident, and

409
00:14:36,954 --> 00:14:38,894
let's not forget the b word.

410
00:14:39,674 --> 00:14:40,414
We have

411
00:14:40,954 --> 00:14:44,009
most compliance shops will talk about exactly what

412
00:14:44,009 --> 00:14:45,690
a breach is. Our legal team will tell

413
00:14:45,690 --> 00:14:46,909
us what a breach is.

414
00:14:47,289 --> 00:14:49,745
I don't think the CrowdStrike situation was a

415
00:14:49,745 --> 00:14:52,784
breach, but, just to take your analogy one

416
00:14:52,784 --> 00:14:55,105
step further, we go from an event to

417
00:14:55,105 --> 00:14:57,284
an incident to a possible breach.

418
00:14:58,059 --> 00:15:00,059
Yes. I would agree with that. I would

419
00:15:00,059 --> 00:15:02,559
agree with that because an incident doesn't necessarily

420
00:15:02,700 --> 00:15:05,179
mean there was a successful attack. It means

421
00:15:05,179 --> 00:15:07,340
that there was an intent to harm the

422
00:15:07,340 --> 00:15:07,804
organization,

423
00:15:09,004 --> 00:15:11,245
and that intent can be successful or it

424
00:15:11,245 --> 00:15:12,225
may be unsuccessful,

425
00:15:12,684 --> 00:15:14,205
both of which would be considered to be

426
00:15:14,205 --> 00:15:17,269
security incidents. So What if the intent wasn't

427
00:15:17,269 --> 00:15:17,850
to harm?

428
00:15:18,789 --> 00:15:21,509
Cyber manslaughter. They already covered that slaughter. Are

429
00:15:21,509 --> 00:15:24,089
you just effing with me, Wade? Like, what?

430
00:15:24,904 --> 00:15:25,404
Yes.

431
00:15:26,904 --> 00:15:28,664
Yeah. I I I I I got nothing

432
00:15:28,664 --> 00:15:30,985
for you, Wade, on that one. It's like,

433
00:15:31,225 --> 00:15:33,580
yeah. I don't know. Okay. But that tracks

434
00:15:33,580 --> 00:15:36,399
because the event triggered a whole bunch of

435
00:15:36,620 --> 00:15:37,759
collateral incidents,

436
00:15:38,220 --> 00:15:40,539
like the 83 year old man who disappeared

437
00:15:40,539 --> 00:15:43,054
for a week, like all of these these

438
00:15:43,054 --> 00:15:45,955
other incidents that have have happened

439
00:15:46,495 --> 00:15:48,754
that were a direct result

440
00:15:50,470 --> 00:15:51,610
of the outage

441
00:15:52,149 --> 00:15:54,389
and and the failures of systems around the

442
00:15:54,389 --> 00:15:55,929
world. Great point.

443
00:15:56,389 --> 00:15:58,454
We have 12 RZA said a breach does

444
00:15:58,454 --> 00:16:00,855
not mean, no. No. Wait. Hold on. Things

445
00:16:00,855 --> 00:16:03,334
are moving really, really fast. Does breach not

446
00:16:03,334 --> 00:16:04,475
mean data leakage?

447
00:16:04,899 --> 00:16:07,299
No. And how is CrowdStrike a breach? Once

448
00:16:07,299 --> 00:16:09,779
again, we're conflating terms. Right? Let's set up

449
00:16:09,779 --> 00:16:12,339
some very clearly defined terms. An event is

450
00:16:12,339 --> 00:16:15,345
an observable occurrence that happens in an organization,

451
00:16:15,404 --> 00:16:16,705
like a logon sequence,

452
00:16:17,404 --> 00:16:19,644
somebody going to a website. That would be

453
00:16:19,644 --> 00:16:20,304
an event.

454
00:16:20,764 --> 00:16:23,800
Those events can be basically analyzed, and it

455
00:16:23,800 --> 00:16:26,279
can become an incident. Are any of those

456
00:16:26,279 --> 00:16:27,980
events potentially malicious?

457
00:16:28,360 --> 00:16:30,379
So that mean that goes to, like, somebody's

458
00:16:30,440 --> 00:16:31,740
intent to cause harm.

459
00:16:32,084 --> 00:16:34,644
A breach would be when an incident leads

460
00:16:34,644 --> 00:16:38,004
to successful compromise of the confidentiality and integrity

461
00:16:38,004 --> 00:16:38,824
of an organization

462
00:16:39,319 --> 00:16:41,079
dealing with the intent of it. So you

463
00:16:41,079 --> 00:16:43,480
have an event, you have an incident, and

464
00:16:43,480 --> 00:16:45,159
then you would have a breach. There are

465
00:16:45,159 --> 00:16:48,154
3 completely separate things, and, hopefully, that that

466
00:16:48,154 --> 00:16:49,695
explains it. And, by the way,

467
00:16:50,075 --> 00:16:52,075
I also wanna go through all of this,

468
00:16:52,075 --> 00:16:53,674
like, I don't think we've ever in the

469
00:16:53,674 --> 00:16:56,669
history of computing had an event lead to

470
00:16:56,669 --> 00:16:59,709
so many different breaches or incidents because, yes,

471
00:16:59,709 --> 00:17:02,509
this is absolutely being used by malicious attackers

472
00:17:02,509 --> 00:17:05,275
to launch addition attack additionally. John, I'd like

473
00:17:05,275 --> 00:17:06,255
to ask one

474
00:17:07,035 --> 00:17:08,015
Go ahead, Kelly.

475
00:17:08,315 --> 00:17:09,775
Just one quick little clarification.

476
00:17:10,475 --> 00:17:12,715
Usually, I know, John, I heard you say

477
00:17:12,715 --> 00:17:14,799
this leads to a breach. I like to

478
00:17:14,799 --> 00:17:15,519
say that,

479
00:17:16,000 --> 00:17:19,039
engineers and handlers don't declare a breach. A

480
00:17:19,039 --> 00:17:21,619
breach is declared by by the attorneys,

481
00:17:22,515 --> 00:17:24,755
or the incident commander. And so once it's

482
00:17:24,755 --> 00:17:27,174
declared, it becomes a capital b breach.

483
00:17:27,875 --> 00:17:29,414
Absolutely. And for the record,

484
00:17:29,900 --> 00:17:31,759
Kelly is a 100% correct 101%

485
00:17:33,740 --> 00:17:36,220
correct, which is technically not possible, but it

486
00:17:36,220 --> 00:17:36,720
is.

487
00:17:37,075 --> 00:17:38,914
The other thing is when you're working a

488
00:17:38,914 --> 00:17:39,815
potential incident,

489
00:17:40,355 --> 00:17:43,154
never ever put the word breach in an

490
00:17:43,154 --> 00:17:45,315
email until it has been declared by people

491
00:17:45,315 --> 00:17:47,630
who have the authorization to do so. Because

492
00:17:47,630 --> 00:17:49,710
if you're working something and then all of

493
00:17:49,710 --> 00:17:51,470
a sudden, like, a line analyst says, I

494
00:17:51,470 --> 00:17:53,309
think we have a breach. This is a

495
00:17:53,309 --> 00:17:55,164
breach. That is something that can come back

496
00:17:55,164 --> 00:17:57,345
to haunt you later on in legal proceedings.

497
00:17:57,804 --> 00:17:59,884
Did did anybody else wish that just this

498
00:17:59,884 --> 00:18:01,640
just happened to Teams so we didn't have

499
00:18:01,640 --> 00:18:03,400
to use Teams anymore and everyone moved the

500
00:18:03,400 --> 00:18:03,900
Slack?

501
00:18:05,480 --> 00:18:07,019
No. No. I hate Slack.

502
00:18:07,720 --> 00:18:08,174
Yeah.

503
00:18:08,575 --> 00:18:11,375
Compared to Teams? Oh my god. Alright. Teams

504
00:18:11,375 --> 00:18:13,795
is Yeah. Teams is inevitable. It's like Thanos.

505
00:18:16,099 --> 00:18:18,019
Shecky, what were you gonna say? Oh, I

506
00:18:18,019 --> 00:18:19,619
was just gonna say based on the whole

507
00:18:19,619 --> 00:18:22,339
event to incident thing, you're gonna start seeing,

508
00:18:22,339 --> 00:18:25,234
if we haven't already, a lot more security

509
00:18:25,454 --> 00:18:25,954
events

510
00:18:26,654 --> 00:18:27,875
that'll lead around

511
00:18:28,174 --> 00:18:28,994
bad patches,

512
00:18:29,454 --> 00:18:30,355
bad updates,

513
00:18:31,190 --> 00:18:33,210
non actual security functions

514
00:18:33,589 --> 00:18:34,089
where

515
00:18:34,789 --> 00:18:37,430
company where the threat actors are gonna go

516
00:18:37,430 --> 00:18:38,950
ahead and put out more of these bad

517
00:18:38,950 --> 00:18:41,575
manuals, bad fix it. I think that's something

518
00:18:41,575 --> 00:18:42,855
that's been around, but I think it's gonna

519
00:18:42,855 --> 00:18:44,554
be more prominent going forward,

520
00:18:44,934 --> 00:18:46,634
and we're gonna see innocent

521
00:18:47,654 --> 00:18:49,460
I hate to use the word innocent, but

522
00:18:49,940 --> 00:18:51,159
standard IT

523
00:18:51,539 --> 00:18:52,039
breakdowns

524
00:18:52,740 --> 00:18:55,319
turning into more security events and incidents

525
00:18:55,859 --> 00:18:57,859
going forward from here, and that's something that

526
00:18:57,859 --> 00:18:59,140
we're all gonna have to keep an eye

527
00:18:59,140 --> 00:19:01,384
on. Agreed. And this gets into a question,

528
00:19:02,085 --> 00:19:04,964
Mike, that somebody asked. Like, somebody said, John,

529
00:19:04,964 --> 00:19:06,884
why do you hate the CIA triad so

530
00:19:06,884 --> 00:19:08,750
much? Well, when I was a very young

531
00:19:08,750 --> 00:19:11,250
boy, it touched me in very inappropriate ways.

532
00:19:13,230 --> 00:19:14,769
I hate it because of hurricanes.

533
00:19:15,265 --> 00:19:17,025
I hate it because of hurricanes, but I

534
00:19:17,025 --> 00:19:18,245
I absolutely hate

535
00:19:18,705 --> 00:19:20,705
the reason why I hate this stuff is

536
00:19:20,705 --> 00:19:23,029
it it lacks nuance. Right? And that's one

537
00:19:23,029 --> 00:19:24,789
of the reasons why I love the spirited

538
00:19:24,789 --> 00:19:27,429
conversations around these things because it's allowing us

539
00:19:27,429 --> 00:19:29,349
to kind of identify what the edges of

540
00:19:29,349 --> 00:19:31,210
definitions are, and that's really,

541
00:19:31,565 --> 00:19:33,005
in in my world, that's a lot of

542
00:19:33,005 --> 00:19:35,265
fun. I think that that's just great.

543
00:19:36,205 --> 00:19:38,285
But no. I I don't really like things

544
00:19:38,285 --> 00:19:40,125
like the CIA triad. I think it's a

545
00:19:40,125 --> 00:19:42,559
useful tool for people getting started in computer

546
00:19:42,559 --> 00:19:44,900
security. But then we get into a situation

547
00:19:45,039 --> 00:19:47,039
where people that have been in this industry

548
00:19:47,039 --> 00:19:48,019
for a long time

549
00:19:48,525 --> 00:19:49,025
become

550
00:19:49,404 --> 00:19:50,625
beholden to it,

551
00:19:50,924 --> 00:19:53,005
and they try to win arguments based on

552
00:19:53,005 --> 00:19:54,765
that alone. And that's one of the concerns

553
00:19:54,765 --> 00:19:56,960
that I have is it is a useful

554
00:19:56,960 --> 00:19:59,200
tool for getting started, but we start getting

555
00:19:59,200 --> 00:20:00,480
into something like this and all of a

556
00:20:00,480 --> 00:20:02,924
sudden now it's really, really a nightmare. And

557
00:20:02,924 --> 00:20:04,484
the reason why I like this stuff is

558
00:20:04,484 --> 00:20:07,065
because I've been in court. I've seen conversations

559
00:20:07,285 --> 00:20:09,845
that have literally started picking apart the terms

560
00:20:09,845 --> 00:20:11,525
that we use in computer security, and this

561
00:20:11,525 --> 00:20:12,480
is just one recent

562
00:20:12,960 --> 00:20:15,039
example. Now people are just ripping on burn

563
00:20:15,039 --> 00:20:17,440
Teams to the ground. Okay. That's cool. Yeah.

564
00:20:17,440 --> 00:20:18,960
We may have started on heat. We may

565
00:20:18,960 --> 00:20:19,619
have started

566
00:20:20,065 --> 00:20:21,424
a we we may have a little bit

567
00:20:21,424 --> 00:20:23,744
of a holy war. Teams, the new dumpster

568
00:20:23,744 --> 00:20:24,244
fire.

569
00:20:24,625 --> 00:20:26,384
Yeah. Yeah. Teams. Chime in with your I'm

570
00:20:26,384 --> 00:20:27,365
sorry. Dumpster

571
00:20:27,984 --> 00:20:28,484
fire,

572
00:20:29,264 --> 00:20:30,909
folks. O g g. You mean Skype?

573
00:20:31,929 --> 00:20:32,429
Skype.

574
00:20:33,369 --> 00:20:35,609
Uh-huh. Right? No. Is there any other news?

575
00:20:35,609 --> 00:20:36,109
Yeah.

576
00:20:36,490 --> 00:20:38,009
I think we need to find out that

577
00:20:38,009 --> 00:20:40,315
story. Of other news. I want to bring

578
00:20:40,315 --> 00:20:42,234
one up because we have Michael Allen here.

579
00:20:42,714 --> 00:20:45,434
But the the story is multifactor authentication is

580
00:20:45,434 --> 00:20:47,454
not enough to protect cloud data.

581
00:20:48,549 --> 00:20:49,289
And this is

582
00:20:49,750 --> 00:20:52,789
this is, like, really, really, really a concern

583
00:20:52,789 --> 00:20:53,990
for me, and this is something I feel

584
00:20:53,990 --> 00:20:55,509
like we need to talk a little bit

585
00:20:55,509 --> 00:20:56,009
about.

586
00:20:56,815 --> 00:20:59,055
So we we do continuous pen testing at

587
00:20:59,055 --> 00:21:01,134
BHIS, and one of the kind of, like,

588
00:21:01,134 --> 00:21:04,515
the starting, like, guarding, like, guiding north stars

589
00:21:04,654 --> 00:21:06,115
of continuous pen testing

590
00:21:06,430 --> 00:21:08,690
was to do things that a traditional penetration

591
00:21:08,830 --> 00:21:10,130
test cannot do,

592
00:21:10,830 --> 00:21:12,750
and that has to do with time and

593
00:21:12,750 --> 00:21:14,529
resources and things of that nature.

594
00:21:14,974 --> 00:21:17,534
And we kind of ran an engagement, and

595
00:21:17,534 --> 00:21:19,375
Corey and Michael, if you guys could Michael,

596
00:21:19,375 --> 00:21:20,914
if you wanna talk a little bit about

597
00:21:21,054 --> 00:21:22,815
what was the ruse that we used and

598
00:21:22,815 --> 00:21:24,740
what was the success associated with that, I

599
00:21:24,740 --> 00:21:26,200
think that this feeds into

600
00:21:26,580 --> 00:21:28,180
the problems that we run into with cloud

601
00:21:28,180 --> 00:21:29,779
computing. Can you kinda set up a high

602
00:21:29,779 --> 00:21:31,720
level? Because we wanna do a full webcast

603
00:21:32,164 --> 00:21:33,845
and write up on this, but can you

604
00:21:33,845 --> 00:21:35,704
talk a little bit about that with Corey,

605
00:21:36,085 --> 00:21:37,924
about what was this recent engagement that we

606
00:21:37,924 --> 00:21:39,924
just did and why our continuous pen testing

607
00:21:39,924 --> 00:21:43,029
team isn't sleeping very much, the past couple

608
00:21:43,029 --> 00:21:44,730
of weeks. Yeah. Absolutely.

609
00:21:45,029 --> 00:21:48,424
So the the ruse for this, test that

610
00:21:48,424 --> 00:21:50,845
we did against our continuous pen testing customers,

611
00:21:51,464 --> 00:21:53,644
was that we we picked 20,

612
00:21:54,184 --> 00:21:54,684
employees

613
00:21:55,144 --> 00:21:57,085
from each company that we targeted,

614
00:21:57,660 --> 00:22:00,160
and we went out online, used open source,

615
00:22:01,420 --> 00:22:01,920
sources

616
00:22:02,220 --> 00:22:04,559
like Fast People Search to find

617
00:22:05,335 --> 00:22:05,835
employees'

618
00:22:06,134 --> 00:22:08,694
home addresses. So we we found the employees

619
00:22:08,694 --> 00:22:10,294
just on LinkedIn. We went and got you

620
00:22:10,294 --> 00:22:12,109
know, generated a list of,

621
00:22:12,750 --> 00:22:14,929
employees of each organization off of LinkedIn,

622
00:22:15,309 --> 00:22:16,369
use their names

623
00:22:16,750 --> 00:22:17,490
and cities

624
00:22:17,789 --> 00:22:20,750
off of LinkedIn to I who've been identify

625
00:22:20,750 --> 00:22:21,490
their addresses.

626
00:22:21,865 --> 00:22:24,444
And then we used an online service that

627
00:22:24,505 --> 00:22:25,644
prints, like,

628
00:22:26,024 --> 00:22:26,524
postcards

629
00:22:26,984 --> 00:22:29,464
and greeting cards. We print up some custom

630
00:22:29,464 --> 00:22:31,500
postcards for us that were branded with the

631
00:22:31,500 --> 00:22:32,640
company's name,

632
00:22:33,179 --> 00:22:35,259
and branded with the Amazon logo or the

633
00:22:35,259 --> 00:22:36,700
company's logo, I should say, and then the

634
00:22:36,700 --> 00:22:37,599
Amazon logo.

635
00:22:38,075 --> 00:22:40,315
And, and the ruse that was printed on

636
00:22:40,315 --> 00:22:40,894
the postcards

637
00:22:41,274 --> 00:22:44,095
was that the individual employees had each,

638
00:22:44,394 --> 00:22:46,974
been nominated for a peer recognition award

639
00:22:47,490 --> 00:22:50,130
by someone at work, and, as a result,

640
00:22:50,130 --> 00:22:52,950
they were receiving a $50 Amazon gift card.

641
00:22:53,009 --> 00:22:54,630
And we looked up the real,

642
00:22:55,424 --> 00:22:57,765
head of HR for each of those organizations,

643
00:22:57,825 --> 00:23:00,085
and we signed every one of those postcards

644
00:23:00,144 --> 00:23:02,359
with the real head of HR for their

645
00:23:02,359 --> 00:23:02,859
organization.

646
00:23:03,240 --> 00:23:04,680
And there was a QR code on the

647
00:23:04,680 --> 00:23:05,500
on the postcard

648
00:23:05,960 --> 00:23:08,759
that the employee is supposed to scan with

649
00:23:08,759 --> 00:23:11,259
their mobile phone in order to receive

650
00:23:11,724 --> 00:23:13,804
the Amazon gift card. So when they scan

651
00:23:13,804 --> 00:23:15,325
that QR code with their mobile phone, there's

652
00:23:15,325 --> 00:23:16,684
a little few little instructions at the bottom

653
00:23:16,684 --> 00:23:18,444
of this postcard to tell them they're just

654
00:23:18,444 --> 00:23:20,044
gonna have to log in with their company

655
00:23:20,044 --> 00:23:21,024
email and password,

656
00:23:21,529 --> 00:23:23,690
and then they're gonna receive that $50 Amazon

657
00:23:23,690 --> 00:23:25,230
gift card. So,

658
00:23:25,609 --> 00:23:27,849
this this particular ruse one reason I love

659
00:23:27,849 --> 00:23:29,230
this ruse is because

660
00:23:29,784 --> 00:23:31,164
it walks completely

661
00:23:31,464 --> 00:23:33,724
around a bunch of security controls

662
00:23:34,025 --> 00:23:36,125
that most organizations have in place,

663
00:23:36,664 --> 00:23:37,404
like endpoint

664
00:23:38,089 --> 00:23:39,549
defensive products, endpoint,

665
00:23:40,009 --> 00:23:42,650
you know, like web filtering proxies or anything

666
00:23:42,650 --> 00:23:44,089
like that that's gonna affect something on an

667
00:23:44,089 --> 00:23:44,589
endpoint.

668
00:23:45,275 --> 00:23:47,994
It's not gonna affect them scanning something on

669
00:23:47,994 --> 00:23:49,755
a mobile phone most of the time, visiting

670
00:23:49,755 --> 00:23:50,875
that site on a mobile phone. So by

671
00:23:50,875 --> 00:23:53,355
sending them a QR code, we, 1, make

672
00:23:53,355 --> 00:23:54,335
sure that they

673
00:23:54,980 --> 00:23:56,980
aren't able to, you know, use their security

674
00:23:56,980 --> 00:23:58,440
awareness training to

675
00:23:58,980 --> 00:24:00,660
take a look at that URL we're sending

676
00:24:00,660 --> 00:24:03,160
them to very easily without scanning it first

677
00:24:03,794 --> 00:24:05,794
and see where that's going. So we're, you

678
00:24:05,794 --> 00:24:07,095
know, avoiding scrutiny.

679
00:24:07,474 --> 00:24:08,914
We're having them open it on a mobile

680
00:24:08,914 --> 00:24:10,514
device. We have a high level of certainty

681
00:24:10,514 --> 00:24:12,730
they're opening it on a mobile device. We're

682
00:24:12,730 --> 00:24:14,569
mailing it to their home address, so we

683
00:24:14,569 --> 00:24:15,950
have a high level of certainty

684
00:24:16,490 --> 00:24:18,009
that they're gonna be opening it either on

685
00:24:18,009 --> 00:24:20,089
their home Wi Fi or on their mobile

686
00:24:20,089 --> 00:24:20,589
network,

687
00:24:21,164 --> 00:24:23,005
and not at the company network. So all

688
00:24:23,005 --> 00:24:25,724
network based controls at the company are out

689
00:24:25,724 --> 00:24:27,904
of the game at that point. And then,

690
00:24:28,230 --> 00:24:30,390
they're they're visiting our adversary in the middle

691
00:24:30,390 --> 00:24:32,630
server is what's happening whenever they scan that

692
00:24:32,630 --> 00:24:34,630
QR code. So when they type in their

693
00:24:34,630 --> 00:24:37,130
username and password, they get their usual multifactor

694
00:24:37,190 --> 00:24:40,214
prompt. And unless they're using something that is,

695
00:24:40,615 --> 00:24:42,535
adversary in the mult adversary in the middle

696
00:24:42,535 --> 00:24:45,414
of resistant, like a FIDO 2 type of

697
00:24:45,414 --> 00:24:46,554
a multifactor token,

698
00:24:46,899 --> 00:24:48,679
we will then capture their

699
00:24:48,980 --> 00:24:49,880
session cookie,

700
00:24:50,899 --> 00:24:52,819
and we will be able to hijack that

701
00:24:52,819 --> 00:24:55,000
session and and access their

702
00:24:55,715 --> 00:24:58,434
portal. So in this case, we, targeted the

703
00:24:58,434 --> 00:25:00,195
the single sign on portal of all of

704
00:25:00,195 --> 00:25:02,355
our customers. So for some, that was Microsoft

705
00:25:02,355 --> 00:25:04,215
365. For some, that was Okta.

706
00:25:04,569 --> 00:25:06,429
For some, it was Duo or ADFS.

707
00:25:07,289 --> 00:25:08,809
And we were then able to just get

708
00:25:08,809 --> 00:25:11,210
access to everything. We we have access to

709
00:25:11,210 --> 00:25:12,890
that single sign on portal, and we we,

710
00:25:12,890 --> 00:25:14,455
you know, can access it just like we

711
00:25:14,455 --> 00:25:15,275
are the real,

712
00:25:15,654 --> 00:25:18,055
employee themself. And in exchange for all of

713
00:25:18,055 --> 00:25:20,615
that, this is my favorite part. We give

714
00:25:20,615 --> 00:25:23,339
them a real $50 Amazon gift card. They

715
00:25:23,339 --> 00:25:25,220
get that real Amazon gift card. They don't

716
00:25:25,220 --> 00:25:27,460
normally get that from a phishing exercise. Most

717
00:25:27,460 --> 00:25:30,259
phishing exercises have a, you know, an empty

718
00:25:30,259 --> 00:25:32,394
promise of some kind, you know, like, complete

719
00:25:32,394 --> 00:25:34,394
this employee survey, and we'll enter you in

720
00:25:34,394 --> 00:25:36,255
a drawing for an iPad or some crap.

721
00:25:36,394 --> 00:25:38,075
And they never get whatever it is they're

722
00:25:38,075 --> 00:25:39,914
promised. So when we give them what they're

723
00:25:39,914 --> 00:25:42,569
promised, we close the loop on that, that

724
00:25:42,569 --> 00:25:45,869
they are happy. Now they've received positive reinforcement

725
00:25:46,410 --> 00:25:48,730
for, doing those actions that they did for

726
00:25:48,730 --> 00:25:51,125
us. And, and we got access to their

727
00:25:51,125 --> 00:25:52,964
account. It's a small price to pay for

728
00:25:52,964 --> 00:25:55,605
an attacker, $50 to get access to one

729
00:25:55,605 --> 00:25:57,444
of the biggest companies, you know, in the

730
00:25:57,444 --> 00:25:59,589
country or in the world. And this was

731
00:25:59,589 --> 00:26:02,569
a massive success on all of our CPT

732
00:26:02,630 --> 00:26:05,109
customers that opted into this. Almost all of

733
00:26:05,109 --> 00:26:07,684
our customers did opt in. Some of them

734
00:26:07,684 --> 00:26:09,684
wanted to just take the assumed compromise route

735
00:26:09,684 --> 00:26:10,644
and see if we could just do the

736
00:26:10,644 --> 00:26:12,085
adversary in the middle of phishing and didn't

737
00:26:12,085 --> 00:26:13,765
want us to, like, be so mean to

738
00:26:13,765 --> 00:26:14,424
their users.

739
00:26:14,819 --> 00:26:16,740
But we've been we've had our hands full

740
00:26:16,740 --> 00:26:19,399
for a few weeks now doing post exploitation

741
00:26:19,460 --> 00:26:20,919
on so many accounts,

742
00:26:21,539 --> 00:26:22,019
and,

743
00:26:22,419 --> 00:26:23,859
we've had a lot of lessons learned. It's

744
00:26:23,859 --> 00:26:26,484
been a really good experience. So, yeah, multi

745
00:26:26,484 --> 00:26:27,384
factor is definitely

746
00:26:27,845 --> 00:26:28,664
not enough,

747
00:26:29,605 --> 00:26:31,365
it on its own, for sure, especially if

748
00:26:31,365 --> 00:26:33,304
they're using weak multi factor tokens.

749
00:26:33,839 --> 00:26:35,359
You know, that's that's the first thing right

750
00:26:35,359 --> 00:26:37,599
there. Let's talk about the MFA for just

751
00:26:37,599 --> 00:26:39,279
a second. I I know it did not

752
00:26:39,279 --> 00:26:40,419
work against U2FA.

753
00:26:40,720 --> 00:26:42,879
Right? But if people were using traditional 2FA,

754
00:26:42,879 --> 00:26:46,705
it did. Correct? Yeah. So, basically, security keys

755
00:26:46,705 --> 00:26:47,445
like YubiKeys

756
00:26:47,825 --> 00:26:50,325
or, you know, universal two factor actually

757
00:26:50,650 --> 00:26:51,150
cryptographically

758
00:26:51,529 --> 00:26:54,009
verify where the credentials are being sent and

759
00:26:54,009 --> 00:26:56,589
so they won't we can't capture session

760
00:26:57,049 --> 00:26:59,710
tokens when we're capturing in the middle.

761
00:27:00,304 --> 00:27:02,644
But everything else, every other MFA factor

762
00:27:03,024 --> 00:27:04,804
works. We can capture sessions.

763
00:27:05,424 --> 00:27:07,744
And this campaign has led to so many

764
00:27:07,744 --> 00:27:09,204
clients just face palming,

765
00:27:10,169 --> 00:27:11,630
for so many different reasons.

766
00:27:12,329 --> 00:27:14,490
I'll just give some highlights. Number 1, one

767
00:27:14,490 --> 00:27:16,029
company, the day it,

768
00:27:16,490 --> 00:27:18,555
got delivered, someone reported it, and they sent

769
00:27:18,555 --> 00:27:20,474
an email and text message to the entire

770
00:27:20,474 --> 00:27:22,234
company saying this is fraudulent. Do not scan

771
00:27:22,234 --> 00:27:25,115
this. And people still did? They also they

772
00:27:25,115 --> 00:27:26,990
also said report it to the United States

773
00:27:27,069 --> 00:27:29,390
postal services. Oh, yeah. Don't do that. But

774
00:27:29,390 --> 00:27:31,470
basically Unfortunately, no one's shown up at my

775
00:27:31,470 --> 00:27:33,630
door yet. Yeah. We haven't no one has

776
00:27:33,630 --> 00:27:35,684
gotten we haven't yeah. We haven't gotten coal

777
00:27:35,684 --> 00:27:38,505
fired yet. Will we? Who knows? But, basically

778
00:27:38,884 --> 00:27:40,244
so even though they said not to scan

779
00:27:40,244 --> 00:27:42,399
it, people still did it. So security awareness

780
00:27:42,399 --> 00:27:44,000
might not always you know, people will give

781
00:27:44,000 --> 00:27:45,220
up their accounts for $50.

782
00:27:45,759 --> 00:27:46,579
Second of all,

783
00:27:46,880 --> 00:27:49,359
we found tons of instances where customers thought

784
00:27:49,359 --> 00:27:52,304
they had closed, conditional access gaps and they

785
00:27:52,304 --> 00:27:52,804
haven't.

786
00:27:53,184 --> 00:27:55,265
Because we're using the exact when we go

787
00:27:55,265 --> 00:27:56,704
to take over these sessions, we're using the

788
00:27:56,704 --> 00:27:57,845
exact user agent,

789
00:27:58,170 --> 00:28:00,570
the exact like, everything is the exact same

790
00:28:00,570 --> 00:28:02,430
as it would be on this person's device.

791
00:28:02,730 --> 00:28:03,710
And we're discovering

792
00:28:04,410 --> 00:28:06,330
that a lot of places are just letting

793
00:28:06,330 --> 00:28:07,914
people in as long as they're an iPhone.

794
00:28:08,234 --> 00:28:09,695
Like, that's a thing now.

795
00:28:10,475 --> 00:28:12,475
So conditional access needs to be hardened, and

796
00:28:12,475 --> 00:28:14,315
there's tools that we've published and other people

797
00:28:14,315 --> 00:28:15,755
have published as well that that does for

798
00:28:15,755 --> 00:28:17,419
that kind of thing. But the other crazy

799
00:28:17,419 --> 00:28:19,039
thing is that users

800
00:28:19,579 --> 00:28:21,980
like, one user actually, like, self reported that

801
00:28:21,980 --> 00:28:24,585
it happened, changed their password, but then logged

802
00:28:24,585 --> 00:28:25,785
in again to see if they could get

803
00:28:25,785 --> 00:28:28,345
another gift card. So they, like, compromised their

804
00:28:28,345 --> 00:28:28,845
credentials.

805
00:28:29,224 --> 00:28:31,304
They compromised their credentials again, and then it

806
00:28:31,304 --> 00:28:33,160
screwed up incident response because they looked at

807
00:28:33,240 --> 00:28:34,759
the time stamps and said, well, the Caesar

808
00:28:34,759 --> 00:28:36,599
changed their password after the attack, so we're

809
00:28:36,599 --> 00:28:38,119
just not gonna mess with it. But we

810
00:28:38,119 --> 00:28:39,960
still had access. So it's, like, it's like

811
00:28:40,200 --> 00:28:41,795
2 did you give them 2 gift cards?

812
00:28:42,355 --> 00:28:44,994
No. Alright. No. But then after the after

813
00:28:44,994 --> 00:28:46,515
the second time, the gift card didn't work.

814
00:28:46,515 --> 00:28:48,674
They didn't change their password again. It's just

815
00:28:48,674 --> 00:28:50,720
kind of fun. We've got people asking what

816
00:28:50,720 --> 00:28:53,299
was the percent success rate on this. Honestly,

817
00:28:53,359 --> 00:28:54,960
I don't I don't know. We have not

818
00:28:54,960 --> 00:28:56,659
figured up an overall percent

819
00:28:56,964 --> 00:28:59,224
rate success across all customers.

820
00:28:59,845 --> 00:29:00,345
But,

821
00:29:00,804 --> 00:29:03,144
I mean, it's it's pretty much a 100%

822
00:29:03,444 --> 00:29:06,079
success as far as, like, on a how

823
00:29:06,079 --> 00:29:08,000
many customers do we get some level of

824
00:29:08,000 --> 00:29:08,900
access to?

825
00:29:09,919 --> 00:29:12,319
Like, one lesson learned from this was if

826
00:29:12,319 --> 00:29:13,519
I if I had this kind of campaign

827
00:29:13,519 --> 00:29:15,615
to do over again, I would not send

828
00:29:15,674 --> 00:29:16,174
20,

829
00:29:16,875 --> 00:29:19,835
postcards per target company. When when I've done

830
00:29:19,835 --> 00:29:21,755
this before on a red team, I only

831
00:29:21,755 --> 00:29:22,974
sent out, like, 10.

832
00:29:23,650 --> 00:29:25,730
20 was overkill. I I just wanted to

833
00:29:25,730 --> 00:29:27,090
be on the stage. I was afraid to

834
00:29:27,090 --> 00:29:29,570
see some of the 20 per customer is

835
00:29:29,570 --> 00:29:32,105
excess. Yes. 20 per customer was too many.

836
00:29:32,105 --> 00:29:33,545
We should have done, like, 5 that I

837
00:29:33,545 --> 00:29:35,625
would say like, 5. Yeah. Yeah. Just shooting

838
00:29:35,625 --> 00:29:37,164
from the hip, I'd say 40%.

839
00:29:37,730 --> 00:29:38,789
At least 40%.

840
00:29:39,330 --> 00:29:41,809
So at every customer, that's, like, almost 10

841
00:29:41,809 --> 00:29:43,509
sessions that we're trying to triage.

842
00:29:44,130 --> 00:29:45,990
Another lesson learned for me

843
00:29:46,369 --> 00:29:47,269
was pretty funny.

844
00:29:47,924 --> 00:29:50,404
So OPSEC lesson learned for me was one

845
00:29:50,404 --> 00:29:52,484
of the people who I sent a gift

846
00:29:52,484 --> 00:29:54,164
card to I did not know that there

847
00:29:54,164 --> 00:29:56,130
was the ability to do this. Whenever a

848
00:29:56,130 --> 00:29:58,690
person types in the gift card code into

849
00:29:58,690 --> 00:29:59,190
Amazon,

850
00:29:59,809 --> 00:30:01,750
even if all they have is that code,

851
00:30:01,890 --> 00:30:03,569
they have the ability to click a button

852
00:30:03,569 --> 00:30:05,714
and tell the sender thank you. And that

853
00:30:05,714 --> 00:30:07,414
actually discloses the sender's,

854
00:30:07,795 --> 00:30:09,554
name. And I had sent I purchased these

855
00:30:09,554 --> 00:30:11,654
gift cards from my personal Amazon account.

856
00:30:12,115 --> 00:30:14,619
So they they sent a thank you message

857
00:30:14,700 --> 00:30:16,859
back to my personal account, and that like,

858
00:30:16,859 --> 00:30:18,779
they had no idea that they that they

859
00:30:18,779 --> 00:30:21,019
still like, that user did never figured out

860
00:30:21,019 --> 00:30:22,700
that their account was compromised. I feel like

861
00:30:22,700 --> 00:30:25,144
there's a take backsies coming up shortly.

862
00:30:26,404 --> 00:30:28,484
Yeah. I mean, if we were APTs, we

863
00:30:28,484 --> 00:30:30,724
would be going to jail soon. So let's

864
00:30:30,724 --> 00:30:32,644
be glad we're doing this as simulated, but

865
00:30:32,724 --> 00:30:35,519
yeah. Yep. So I wanna use that. Right?

866
00:30:35,519 --> 00:30:37,119
And then let's go back to the article.

867
00:30:37,119 --> 00:30:40,480
Multifactor authentication is not enough to protect cloud

868
00:30:40,480 --> 00:30:40,980
data.

869
00:30:41,934 --> 00:30:44,734
And if we bring up this particular article,

870
00:30:44,734 --> 00:30:47,375
they're talking about Shiny Hunters or Scattered Spider,

871
00:30:47,375 --> 00:30:49,134
all of these different things and data leaks

872
00:30:49,134 --> 00:30:50,034
and these breaches.

873
00:30:50,340 --> 00:30:52,259
And they have some recommendations and I wanted

874
00:30:52,259 --> 00:30:53,940
to talk about the recommendations. Let's go down

875
00:30:53,940 --> 00:30:55,160
to recommendation 1.

876
00:30:55,619 --> 00:30:58,694
Recommendation 1, start with MFA then go beyond.

877
00:30:58,694 --> 00:30:59,974
There's a lot of room for growth in

878
00:30:59,974 --> 00:31:02,694
the adoption of MFA. 64% of workers, 90%

879
00:31:02,694 --> 00:31:04,315
of administrators use MFA.

880
00:31:05,335 --> 00:31:07,355
More than 6 out of every 10 organizations

881
00:31:07,414 --> 00:31:09,440
have at least one root user user administered

882
00:31:09,579 --> 00:31:10,480
without MFA.

883
00:31:11,019 --> 00:31:14,400
Businesses need to be a consistent verifiable 100%

884
00:31:15,339 --> 00:31:18,079
co founder chief technology officer, Matiga.

885
00:31:18,674 --> 00:31:21,474
Company should make MFA enforced and required if

886
00:31:21,474 --> 00:31:22,775
using single sign on.

887
00:31:23,315 --> 00:31:26,134
Make sure to use, make sure non SSO

888
00:31:26,195 --> 00:31:27,815
log on is disabled.

889
00:31:28,500 --> 00:31:28,980
So

890
00:31:29,460 --> 00:31:31,700
alright. And then they say turn on additional

891
00:31:31,700 --> 00:31:34,339
security measures, such as device or hardware based

892
00:31:34,339 --> 00:31:36,325
u 2FA is what they're talking about there.

893
00:31:36,484 --> 00:31:38,164
So let's start with this group. Like, I

894
00:31:38,164 --> 00:31:40,164
I think that this is I think that

895
00:31:40,164 --> 00:31:42,565
this is a good recommendation. Like, if you're

896
00:31:42,565 --> 00:31:43,625
gonna do MFA,

897
00:31:44,220 --> 00:31:46,779
do it right and turn it on everywhere.

898
00:31:46,779 --> 00:31:48,539
Like, you need to make that be your

899
00:31:48,539 --> 00:31:51,420
policy. I don't think there's much disagreement about

900
00:31:51,420 --> 00:31:52,240
that. But

901
00:31:52,765 --> 00:31:54,785
what are the practical implement implications

902
00:31:55,404 --> 00:31:58,045
or, like like, you would run into with

903
00:31:58,045 --> 00:31:59,105
trying to do U2FA

904
00:31:59,484 --> 00:31:59,984
everywhere?

905
00:32:00,680 --> 00:32:02,920
There's potentially costs. Like, if they're by having

906
00:32:02,920 --> 00:32:05,320
to buy a YubiKey for every employee or

907
00:32:05,320 --> 00:32:07,640
something like that. Yep. So one one lesson

908
00:32:07,640 --> 00:32:10,345
we learned from the postcard phish also was

909
00:32:10,345 --> 00:32:11,705
the importance of

910
00:32:12,184 --> 00:32:14,105
well, from our point of view as attackers,

911
00:32:14,105 --> 00:32:15,705
I mean, this ruse was pretty convincing. So

912
00:32:15,705 --> 00:32:17,724
we actually were able to convince some admins

913
00:32:17,785 --> 00:32:19,799
to log in as well. So at a

914
00:32:19,799 --> 00:32:21,740
bare minimum, we would say

915
00:32:22,200 --> 00:32:22,940
the admins

916
00:32:23,720 --> 00:32:25,179
should be using those,

917
00:32:25,480 --> 00:32:28,555
you know, stronger forms of multifactor authentication. Those

918
00:32:28,555 --> 00:32:31,355
people should be using passkeys or YubiKeys or

919
00:32:31,355 --> 00:32:33,134
something like that along those lines,

920
00:32:33,730 --> 00:32:36,369
where maybe the less privileged employees, if an

921
00:32:36,369 --> 00:32:38,529
organization has a concern about how much it's

922
00:32:38,529 --> 00:32:41,330
gonna cost either in terms of effort or

923
00:32:41,330 --> 00:32:44,075
in terms of, you know, actual monetary cost

924
00:32:44,214 --> 00:32:45,654
to roll that out to everybody in the

925
00:32:45,654 --> 00:32:46,154
organization,

926
00:32:46,694 --> 00:32:48,134
then, you know, they could just roll it

927
00:32:48,134 --> 00:32:49,575
out to their admins. And that's a really

928
00:32:49,575 --> 00:32:51,755
good start as long as they have,

929
00:32:52,339 --> 00:32:55,240
you know, like you were saying, multifactor enforced

930
00:32:55,299 --> 00:32:56,980
everywhere because that's the very first thing that

931
00:32:56,980 --> 00:32:58,740
we do when we get creds. If we

932
00:32:58,740 --> 00:33:01,365
didn't weren't able to, capture a session for

933
00:33:01,365 --> 00:33:01,944
some reason,

934
00:33:02,325 --> 00:33:04,345
is we start using every,

935
00:33:04,724 --> 00:33:06,484
tool and every endpoint that we can find

936
00:33:06,484 --> 00:33:07,464
to try and authenticate

937
00:33:07,765 --> 00:33:09,684
with single factor auth. And sometimes we get

938
00:33:09,684 --> 00:33:12,119
in. We found 1 or 2 customers where

939
00:33:12,119 --> 00:33:13,720
there were some exceptions where we were able

940
00:33:13,720 --> 00:33:15,259
to get in with single factor authentication.

941
00:33:15,960 --> 00:33:18,220
Alright. Next one. Number 2.

942
00:33:18,554 --> 00:33:21,275
Use access control lists to limit authorized IP

943
00:33:21,275 --> 00:33:21,775
addresses.

944
00:33:22,394 --> 00:33:24,315
Organizations should also put access control lists in

945
00:33:24,315 --> 00:33:26,329
place restricting where users can access a cloud

946
00:33:26,329 --> 00:33:28,650
service or at least enabling reviews of access

947
00:33:28,650 --> 00:33:30,029
logs on a daily basis.

948
00:33:30,730 --> 00:33:32,890
And this comes from Jake, another instructor at

949
00:33:32,890 --> 00:33:34,890
Antisyphon. This further limits the ability of

950
00:33:34,890 --> 00:33:35,789
cyber attackers

951
00:33:36,174 --> 00:33:37,934
and it says, really, for pretty much any

952
00:33:37,934 --> 00:33:40,335
cloud infrastructure, it's best to practice to restrict

953
00:33:40,335 --> 00:33:41,394
what IP addresses

954
00:33:41,775 --> 00:33:44,650
folks can come from. If you can't, then

955
00:33:44,710 --> 00:33:47,029
access reviews are more important to make sure

956
00:33:47,029 --> 00:33:48,710
that people aren't coming from some place you

957
00:33:48,710 --> 00:33:50,730
don't expect. And I agree with that,

958
00:33:52,465 --> 00:33:55,025
except whenever we're talking about Office 365 and

959
00:33:55,025 --> 00:33:57,025
mobile. Right? Like, whenever we're talking about these

960
00:33:57,025 --> 00:33:58,945
cloud services that people are using on their

961
00:33:58,945 --> 00:33:59,445
phones,

962
00:34:00,130 --> 00:34:01,650
that all of a sudden gets a lot

963
00:34:01,650 --> 00:34:02,869
more difficult. And

964
00:34:03,250 --> 00:34:04,690
I I'd like to get everyone's take on

965
00:34:04,690 --> 00:34:06,289
this. Like, I know where Jake's coming from

966
00:34:06,289 --> 00:34:08,875
on this. Like, we really should have especially

967
00:34:08,875 --> 00:34:10,335
certain SaaS services.

968
00:34:10,795 --> 00:34:12,635
We should have those things locked down from

969
00:34:12,635 --> 00:34:13,614
specific locations.

970
00:34:14,155 --> 00:34:16,315
But is that feasible for all of these

971
00:34:16,315 --> 00:34:16,815
apps?

972
00:34:17,900 --> 00:34:20,539
I think not. Number 1, it's absolutely possible

973
00:34:20,539 --> 00:34:22,219
to do it in Microsoft 365, and they

974
00:34:22,219 --> 00:34:24,380
actually make it not that hard. And it

975
00:34:24,460 --> 00:34:26,714
I mean, for Microsoft, not that hard. For

976
00:34:26,714 --> 00:34:28,795
anyone else, it's kinda hard, but it it's

977
00:34:28,795 --> 00:34:30,255
possible, and it's also

978
00:34:30,714 --> 00:34:32,155
what what a lot of what the more

979
00:34:32,155 --> 00:34:34,489
secure companies are doing is is they're basically

980
00:34:34,489 --> 00:34:36,030
requiring you to enroll with MDM

981
00:34:36,570 --> 00:34:38,250
to be able to like, that that's the

982
00:34:38,250 --> 00:34:40,170
simple thing. Like, you oh, you wanna get

983
00:34:40,170 --> 00:34:41,610
to your email on your phone? Well, we

984
00:34:41,610 --> 00:34:42,924
don't know what IP you're coming from, so

985
00:34:42,924 --> 00:34:44,684
you have to be on MDM to get

986
00:34:44,684 --> 00:34:46,385
to it. Right? Like, that's the simple

987
00:34:46,844 --> 00:34:47,824
bypass. But

988
00:34:48,204 --> 00:34:49,344
I think that the

989
00:34:49,644 --> 00:34:50,144
recommendation

990
00:34:50,525 --> 00:34:52,719
kind of is a little bit confusing about

991
00:34:52,719 --> 00:34:54,880
what cloud means. And if we're looking at

992
00:34:54,880 --> 00:34:55,539
the breaches,

993
00:34:56,239 --> 00:34:57,140
the breaches

994
00:34:57,440 --> 00:34:58,260
are, are

995
00:34:58,719 --> 00:35:00,715
SaaS products. Like you said, John, they're not

996
00:35:00,875 --> 00:35:03,515
cloud service providers like Amazon or Azure. These

997
00:35:03,515 --> 00:35:05,994
are like Snowflake. Right? It's like a cloud

998
00:35:05,994 --> 00:35:08,715
service provider that gives you convenient access to

999
00:35:08,715 --> 00:35:09,199
things.

1000
00:35:09,599 --> 00:35:10,099
And

1001
00:35:10,480 --> 00:35:12,260
I'm not saying logging is impossible,

1002
00:35:12,800 --> 00:35:15,199
but I'm guessing that every SaaS product out

1003
00:35:15,199 --> 00:35:17,039
there, getting that to go into your SIEM,

1004
00:35:17,039 --> 00:35:19,555
is a months-long IT or security project.

1005
00:35:19,555 --> 00:35:22,195
Like, you can't just connect everything into the

1006
00:35:22,195 --> 00:35:24,434
SIEM and expect it to work perfectly. That's

1007
00:35:24,434 --> 00:35:27,340
all takes integration. Let alone I mean, the

1008
00:35:27,340 --> 00:35:29,180
reason this is all stealer logs. That's all

1009
00:35:29,180 --> 00:35:31,579
it is. And with the with the like,

1010
00:35:31,579 --> 00:35:33,900
let's say Snowflake, for example. The use case

1011
00:35:33,900 --> 00:35:36,059
that we observed or that has been observed

1012
00:35:36,059 --> 00:35:38,295
in, there's, like, 200 something companies, so it's

1013
00:35:38,375 --> 00:35:40,614
this is generalizing, but it's a lot of

1014
00:35:40,614 --> 00:35:43,655
the times offshore or contractors who have access

1015
00:35:43,655 --> 00:35:45,670
to it. And while it's not impossible,

1016
00:35:46,049 --> 00:35:49,170
it's kind of a business limitation to say,

1017
00:35:49,170 --> 00:35:51,489
alright. We have 10 contractors who are taking

1018
00:35:51,489 --> 00:35:53,029
a look at our data in Snowflake.

1019
00:35:53,434 --> 00:35:55,214
We need to get their home IP addresses

1020
00:35:55,275 --> 00:35:57,034
and, like, it just I I mean, it's

1021
00:35:57,034 --> 00:35:58,795
like, come on. It's not really super feasible

1022
00:35:58,795 --> 00:36:00,800
to do that at scale. If you have

1023
00:36:00,960 --> 00:36:03,539
a large company that has thousands of contractors

1024
00:36:03,599 --> 00:36:05,219
logging in to look at their data,

1025
00:36:05,519 --> 00:36:08,079
that's still cloud. It's still Snowflake cloud, but

1026
00:36:08,079 --> 00:36:10,315
it's not like Snowflake cloud has an IP

1027
00:36:10,315 --> 00:36:12,394
whitelist and you just enable it 1

1028
00:36:12,394 --> 00:36:14,735
per contractor. Like, it's just not gonna scale.

1029
00:36:14,954 --> 00:36:17,329
That's the thing about, like, cloud means more

1030
00:36:17,329 --> 00:36:20,710
than just AWS, Entra, whatever. It means also,

1031
00:36:21,329 --> 00:36:25,349
like, Salesforce cloud, Oracle cloud services, Snowflake,

1032
00:36:26,515 --> 00:36:28,914
you know, your printing service, like Michael said.

1033
00:36:28,914 --> 00:36:30,755
Like, all those things are cloud products, and

1034
00:36:30,755 --> 00:36:31,655
they're not necessarily

1035
00:36:32,195 --> 00:36:33,635
they don't always have logs, and they don't

1036
00:36:33,635 --> 00:36:36,420
always have IP whitelisting capabilities. So A lot

1037
00:36:36,420 --> 00:36:38,420
of them don't, actually. Yeah. I can speak

1038
00:36:38,420 --> 00:36:39,859
from experience on the other side of the

1039
00:36:39,859 --> 00:36:41,460
fence from, you know, when I was back

1040
00:36:41,460 --> 00:36:43,139
over on on the business side of things,

1041
00:36:43,139 --> 00:36:44,735
and we actually the company I was with,

1042
00:36:44,735 --> 00:36:46,574
we actually tried to get a number of

1043
00:36:46,574 --> 00:36:49,715
SaaS providers to do explicit limitations on where

1044
00:36:49,934 --> 00:36:51,710
either all of our accounts or certain accounts

1045
00:36:51,710 --> 00:36:53,710
could actually access services from. And most of

1046
00:36:53,710 --> 00:36:54,530
them, they're like,

1047
00:36:54,909 --> 00:36:56,429
no. No. Yeah. Flat out no. It was

1048
00:36:56,590 --> 00:36:58,109
there wasn't even negotiation. It was just like,

1049
00:36:58,109 --> 00:37:00,174
you're crazy. Nobody else wants this. Yeah. This

1050
00:37:00,174 --> 00:37:01,934
is not a feature we're implementing just for

1051
00:37:01,934 --> 00:37:03,534
you. Go away. So the one thing with

1052
00:37:03,534 --> 00:37:05,694
that though is you can enable SSO with

1053
00:37:05,694 --> 00:37:07,934
some of those features. Right? And then you

1054
00:37:07,934 --> 00:37:09,969
can log the SSO, and then they you

1055
00:37:09,969 --> 00:37:12,530
have login, and usually you have location and

1056
00:37:12,530 --> 00:37:14,449
time and everything like that. So you can

1057
00:37:14,449 --> 00:37:15,510
get some log in.

1058
00:37:15,809 --> 00:37:17,730
And you should. And actually, like, there's an

1059
00:37:17,730 --> 00:37:19,684
argument there's 2 arguments to be made. Right?

1060
00:37:19,684 --> 00:37:21,684
1 is, like, I will say doing this

1061
00:37:21,684 --> 00:37:24,005
post-ex, having customers that have multiple SSOs

1062
00:37:24,005 --> 00:37:26,325
and multiple different local logins does make our

1063
00:37:26,325 --> 00:37:29,110
jobs harder, but it also makes things centrally

1064
00:37:29,110 --> 00:37:31,369
managed. I will say, like, with the SSOs,

1065
00:37:31,829 --> 00:37:33,670
those have to be secured too. One thing

1066
00:37:33,670 --> 00:37:35,030
we do is, like, let's say they have

1067
00:37:35,030 --> 00:37:37,214
Okta. We'll launch every application

1068
00:37:37,514 --> 00:37:39,434
from Okta. So, like, we'll go in Okta.

1069
00:37:39,434 --> 00:37:40,954
We will launch every single app this person

1070
00:37:40,954 --> 00:37:42,255
has in their Okta tiles.

1071
00:37:42,610 --> 00:37:44,210
Not all those apps we launched. So when

1072
00:37:44,210 --> 00:37:46,530
we launched it, it does an authentication with

1073
00:37:46,530 --> 00:37:48,309
Okta and says, okay, here's your token.

1074
00:37:48,610 --> 00:37:51,675
Sometimes those tokens don't expire. So, like, I

1075
00:37:51,675 --> 00:37:53,835
still have a session on Oracle Cloud that

1076
00:37:53,835 --> 00:37:56,255
was launched, like, 2 weeks ago. Because,

1077
00:37:57,035 --> 00:37:59,375
like, this the Okta session has been invalidated.

1078
00:37:59,789 --> 00:38:01,710
The user's credentials have been changed. I can't

1079
00:38:01,710 --> 00:38:03,550
get in there, but the session that was

1080
00:38:03,550 --> 00:38:06,030
brokered between the SSO and this target cloud

1081
00:38:06,030 --> 00:38:07,864
site is still valid. And we see that

1082
00:38:07,864 --> 00:38:09,904
a lot. We're like, these timeouts have to

1083
00:38:09,904 --> 00:38:12,005
be configured for every different SaaS product.

1084
00:38:12,385 --> 00:38:14,385
After launching, you have to go and triage

1085
00:38:14,385 --> 00:38:17,204
and potentially do, like, 20 or 30 sessions.

1086
00:38:17,619 --> 00:38:20,019
I've found in my experience that the people

1087
00:38:20,019 --> 00:38:22,099
setting up SSOs for these for, like, particular

1088
00:38:22,099 --> 00:38:24,519
services usually aren't security people. Right?

1089
00:38:24,855 --> 00:38:27,014
They're usually Usually, yeah. They're they're it's yeah.

1090
00:38:27,014 --> 00:38:29,174
It's usually some and they're not thinking about

1091
00:38:29,174 --> 00:38:31,494
that. So I have seen that as well

1092
00:38:31,494 --> 00:38:33,769
a lot. Yeah. We've also seen, like, some

1093
00:38:33,769 --> 00:38:36,349
people in Okta just have infinite time out.

1094
00:38:36,409 --> 00:38:37,690
Like, you can you can make it so

1095
00:38:37,690 --> 00:38:38,909
that there's no hard

1096
00:38:39,369 --> 00:38:40,890
end to an Okta session, and a lot

1097
00:38:40,890 --> 00:38:42,190
of companies do that because

1098
00:38:42,545 --> 00:38:44,785
convenience, I guess. I don't know. So, basically,

1099
00:38:44,785 --> 00:38:46,785
like, SSO is great, but just like anything

1100
00:38:46,785 --> 00:38:48,625
else, you have to lock it down and

1101
00:38:48,625 --> 00:38:51,449
monitor it. So yeah. I mean Alright. So

1102
00:38:51,449 --> 00:38:52,329
that brings in,

1103
00:38:52,969 --> 00:38:55,130
the number 3. We've kind of touched on

1104
00:38:55,130 --> 00:38:56,329
some of these, but I wanna get to

1105
00:38:56,329 --> 00:38:59,230
this. It's maximized visibility into cloud services.

1106
00:38:59,914 --> 00:39:01,114
Correct me if I'm wrong, but one of

1107
00:39:01,114 --> 00:39:03,114
the things we did post exploitation is we

1108
00:39:03,114 --> 00:39:04,954
ran GraphRunner on some of our customers.

1109
00:39:04,954 --> 00:39:05,454
Right?

1110
00:39:05,755 --> 00:39:07,550
Yeah. We did. Yeah. And how many of

1111
00:39:07,550 --> 00:39:08,829
the customers and for those of you that

1112
00:39:08,829 --> 00:39:10,349
don't know, we'll put a link to GraphRunner

1113
00:39:10,349 --> 00:39:11,489
in the chat.

1114
00:39:12,590 --> 00:39:13,409
But so,

1115
00:39:14,764 --> 00:39:16,045
Michael, do you wanna talk a little bit

1116
00:39:16,045 --> 00:39:17,505
about what Graph Runner does?

1117
00:39:17,965 --> 00:39:19,965
And then could you talk a little bit

1118
00:39:19,965 --> 00:39:22,684
about how many customers actually detected that activity?

1119
00:39:22,684 --> 00:39:25,940
Because GraphRunner is not a subtle stealthy

1120
00:39:25,940 --> 00:39:27,780
tool once you There's, like, blogs that are

1121
00:39:27,780 --> 00:39:29,400
like how to detect GraphRunner.

1122
00:39:29,860 --> 00:39:31,795
Yeah. Yeah. And that's that's not the only

1123
00:39:31,795 --> 00:39:33,474
tool of its kind that we ran for

1124
00:39:33,474 --> 00:39:35,235
post exploitation, but, yeah, that's one of the

1125
00:39:35,235 --> 00:39:37,074
things that we did for post exploitation. After

1126
00:39:37,074 --> 00:39:38,454
doing some initial things,

1127
00:39:38,889 --> 00:39:41,309
when we would get into any user's

1128
00:39:41,769 --> 00:39:42,269
Microsoft

1129
00:39:42,730 --> 00:39:44,809
tenant account, you know, like in a Microsoft

1130
00:39:44,809 --> 00:39:45,949
365 environment,

1131
00:39:46,494 --> 00:39:48,835
Once we're logged into that user account,

1132
00:39:49,375 --> 00:39:51,855
we can either we can pull tokens out

1133
00:39:51,855 --> 00:39:54,755
of the traffic that's going from the browser

1134
00:39:54,815 --> 00:39:55,715
to the API

1135
00:39:56,119 --> 00:39:57,400
on the back end if we wanna do

1136
00:39:57,400 --> 00:40:00,300
it that way. Or if if the, organization's

1137
00:40:00,760 --> 00:40:03,160
tenant allows it, we can do what's called

1138
00:40:03,160 --> 00:40:04,460
device code authentication,

1139
00:40:05,505 --> 00:40:08,144
where we it's it's the same authentication that

1140
00:40:08,144 --> 00:40:10,785
you use whenever, say, you're you're authenticating your

1141
00:40:10,785 --> 00:40:13,849
smart TV to Netflix, and it says, visit

1142
00:40:13,849 --> 00:40:15,610
this URL on your phone or on your

1143
00:40:15,610 --> 00:40:18,170
tablet and enter this 6 digit or 6

1144
00:40:18,170 --> 00:40:20,250
character code. And then all of a sudden,

1145
00:40:20,250 --> 00:40:22,410
now your TV has access to your Netflix

1146
00:40:22,410 --> 00:40:22,905
account,

1147
00:40:23,224 --> 00:40:23,724
Microsoft

1148
00:40:24,025 --> 00:40:26,125
365 and Azure, the Microsoft

1149
00:40:26,425 --> 00:40:27,164
Graph API

1150
00:40:27,625 --> 00:40:31,465
supports the exact same thing. So, after obtaining

1151
00:40:31,465 --> 00:40:32,199
access to

1152
00:40:32,679 --> 00:40:35,239
user's account, we then do that type of

1153
00:40:35,239 --> 00:40:35,739
authentication.

1154
00:40:36,039 --> 00:40:38,119
Since they're already logged in, they're not required

1155
00:40:38,119 --> 00:40:40,219
to put in their password again. Just like

1156
00:40:40,555 --> 00:40:43,035
when you're authenticating your smart TV, you're not

1157
00:40:43,035 --> 00:40:44,795
required to put in your password again if

1158
00:40:44,795 --> 00:40:47,035
you're already logged in on your tablet browser

1159
00:40:47,035 --> 00:40:48,735
or your phone's browser or whatever.

1160
00:40:49,190 --> 00:40:51,349
So at that point, now we can run

1161
00:40:51,349 --> 00:40:52,170
all kinds of,

1162
00:40:52,710 --> 00:40:54,650
using the tokens that we've,

1163
00:40:55,110 --> 00:40:57,735
established with the Microsoft Graph API. We can

1164
00:40:57,735 --> 00:41:00,155
now run all kinds of queries against the,

1165
00:41:00,614 --> 00:41:03,015
the Azure API and Microsoft Graph API and

1166
00:41:03,015 --> 00:41:04,394
other Microsoft APIs,

1167
00:41:05,349 --> 00:41:06,550
depending on what type of token we have

1168
00:41:06,550 --> 00:41:08,150
and what kind of token we refresh to,

1169
00:41:08,150 --> 00:41:09,510
to do all sorts of things like,

1170
00:41:10,550 --> 00:41:13,315
in you create a guest account in the

1171
00:41:13,315 --> 00:41:15,235
organization. That's one of our go to methods

1172
00:41:15,235 --> 00:41:17,394
for a little bit of persistence. We can

1173
00:41:17,394 --> 00:41:20,515
enumerate all of the users. We can, enumerate

1174
00:41:20,515 --> 00:41:22,690
all the groups, look for all sorts of

1175
00:41:23,569 --> 00:41:26,050
security vulnerabilities in an automated way. So the

1176
00:41:26,050 --> 00:41:26,550
GraphRunner,

1177
00:41:27,170 --> 00:41:28,769
John asked what, you know, if it, what

1178
00:41:28,769 --> 00:41:31,065
it is in general. It's a generally a

1179
00:41:31,065 --> 00:41:32,204
post exploitation

1180
00:41:32,824 --> 00:41:33,324
toolkit

1181
00:41:33,704 --> 00:41:36,125
for the Microsoft Graph API

1182
00:41:36,585 --> 00:41:38,364
and other Microsoft APIs,

1183
00:41:39,619 --> 00:41:40,119
using

1184
00:41:40,660 --> 00:41:43,800
authentication mechanisms like device code authentication

1185
00:41:44,180 --> 00:41:45,320
and just token,

1186
00:41:45,940 --> 00:41:48,335
token based authentication in general. So we can

1187
00:41:48,335 --> 00:41:49,715
we can also do things like,

1188
00:41:50,335 --> 00:41:50,835
granting,

1189
00:41:51,535 --> 00:41:53,555
access to an account with a malicious

1190
00:41:54,015 --> 00:41:55,235
app that's deployed,

1191
00:41:55,695 --> 00:41:56,515
through Microsoft.

1192
00:41:57,019 --> 00:41:58,619
So we we run tools like GraphRunner.

1193
00:41:58,619 --> 00:42:01,099
We we also ran AzureHound using the

1194
00:42:01,099 --> 00:42:03,500
exact same type of tokens. We just refresh

1195
00:42:03,500 --> 00:42:05,125
to the correct token type. I forget which

1196
00:42:05,125 --> 00:42:06,885
it was for AzureHound. That thing might

1197
00:42:06,885 --> 00:42:09,684
be MS Graph token or something. But, yeah,

1198
00:42:09,684 --> 00:42:11,445
we refresh our token to the type that's

1199
00:42:11,445 --> 00:42:13,760
required by AzureHound, and AzureHound just

1200
00:42:13,760 --> 00:42:15,940
grab grabs all kinds of data

1201
00:42:16,239 --> 00:42:18,659
about the users or the, the customer's

1202
00:42:19,119 --> 00:42:21,199
Azure environment. And then that allows us to

1203
00:42:21,199 --> 00:42:23,855
identify all sorts of, you know, privilege escalation

1204
00:42:23,914 --> 00:42:25,375
opportunities, other vulnerabilities,

1205
00:42:25,675 --> 00:42:27,994
resources that are available to us. Everything is

1206
00:42:27,994 --> 00:42:30,974
very similar to BloodHound for Active Directory environments.

1207
00:42:31,219 --> 00:42:33,460
Alright. So how many of the customers detected

1208
00:42:33,460 --> 00:42:35,539
us doing those things inside of their cloud

1209
00:42:35,539 --> 00:42:36,039
infrastructures?

1210
00:42:36,659 --> 00:42:38,199
0. Yeah. None of them.

1211
00:42:38,525 --> 00:42:40,125
There we get into a problem. And we

1212
00:42:40,125 --> 00:42:42,364
have secure customers. I will say it's funny,

1213
00:42:42,364 --> 00:42:44,125
because the customers who we couldn't phish are

1214
00:42:44,125 --> 00:42:45,985
probably the ones who would have detected it.

1215
00:42:46,489 --> 00:42:47,389
Yeah. The customers

1216
00:42:47,690 --> 00:42:49,369
the customers with U2F are also

1217
00:42:49,369 --> 00:42:50,650
the ones who would have detected it, so

1218
00:42:50,650 --> 00:42:52,329
it's kind of like a selection bias thing,

1219
00:42:52,329 --> 00:42:54,704
but Yeah. Yeah. All of our our CPT

1220
00:42:54,704 --> 00:42:57,025
customers are generally like, as a whole, they're

1221
00:42:57,025 --> 00:42:58,885
generally very secure environments.

1222
00:42:59,664 --> 00:43:01,264
And, you know, we have a lot of

1223
00:43:01,264 --> 00:43:03,590
trouble getting payloads to execute,

1224
00:43:04,130 --> 00:43:06,530
on inside these environments because they've got, you

1225
00:43:06,530 --> 00:43:08,469
know, really strong kind of traditional

1226
00:43:09,090 --> 00:43:10,309
on the network controls

1227
00:43:10,914 --> 00:43:14,355
like EDR products and and finely tuned EDR

1228
00:43:14,355 --> 00:43:15,734
products and things like that.

1229
00:43:16,114 --> 00:43:19,050
But there's just a lot of lack of

1230
00:43:19,050 --> 00:43:20,670
visibility and lack of monitoring

1231
00:43:21,130 --> 00:43:23,210
in those cloud services in a lot of

1232
00:43:23,210 --> 00:43:25,690
environments right now. Yep. I think I think

1233
00:43:25,690 --> 00:43:27,309
a big part of it is just there's

1234
00:43:27,494 --> 00:43:28,235
a lack

1235
00:43:28,695 --> 00:43:31,055
of subject matter expert in Yeah. For sure.

1236
00:43:31,175 --> 00:43:33,735
Securing in securing cloud environments. Like, I genuinely

1237
00:43:33,735 --> 00:43:37,170
think that most companies have strong endpoint security.

1238
00:43:37,309 --> 00:43:39,869
People who know, like, endpoint security front to

1239
00:43:39,869 --> 00:43:41,630
back, back to front. I think if you

1240
00:43:41,630 --> 00:43:44,545
ask the average security blue teamer, like, hey.

1241
00:43:44,545 --> 00:43:47,025
How do I monitor for risky sign ins

1242
00:43:47,025 --> 00:43:48,784
without you know? Or how do I,

1243
00:43:49,425 --> 00:43:51,744
use conditional access to only let iPhones do

1244
00:43:51,744 --> 00:43:53,500
this, that, or how do I getting a

1245
00:43:53,500 --> 00:43:55,260
lot of people would be like, I don't

1246
00:43:55,260 --> 00:43:56,619
know how to detect GraphRunner. I mean,

1247
00:43:56,619 --> 00:43:58,140
there are blogs for it and it requires,

1248
00:43:58,140 --> 00:44:00,300
you know, like, Microsoft licensing. That's another thing

1249
00:44:00,300 --> 00:44:01,804
is a lot of it is paywalled. Like,

1250
00:44:01,885 --> 00:44:03,885
the whole cloud is paywalled pretty much when

1251
00:44:03,885 --> 00:44:05,964
it comes to security features, which makes it

1252
00:44:05,964 --> 00:44:07,484
a lot harder too because then it's, like,

1253
00:44:07,484 --> 00:44:09,210
security person figures out how to do it

1254
00:44:09,449 --> 00:44:11,289
eventually, and then they say, alright. Let's go

1255
00:44:11,289 --> 00:44:12,089
do it. And they go to do it,

1256
00:44:12,089 --> 00:44:13,130
and it's, like, this is gonna cost us

1257
00:44:13,130 --> 00:44:13,630
$40,000

1258
00:44:14,089 --> 00:44:16,170
extra a year. I think another big part

1259
00:44:16,170 --> 00:44:18,329
of that is most security people like myself,

1260
00:44:18,329 --> 00:44:20,144
right, usually have access to an endpoint. So

1261
00:44:20,144 --> 00:44:21,664
I can at least do the testing, do

1262
00:44:21,664 --> 00:44:23,905
all the stuff, run some simulations on my

1263
00:44:23,905 --> 00:44:25,445
own internal host, and do attacks.

1264
00:44:25,905 --> 00:44:27,585
But I don't have access to our cloud

1265
00:44:27,585 --> 00:44:29,630
production cloud environment to the point where I

1266
00:44:29,630 --> 00:44:31,630
could do that exact same thing, and nor

1267
00:44:31,630 --> 00:44:32,929
will they give it to me.

1268
00:44:33,230 --> 00:44:34,670
So it's a lot harder for me to

1269
00:44:34,670 --> 00:44:36,349
go out there and be like, poke around,

1270
00:44:36,349 --> 00:44:38,494
figure it out, and to test because, yeah,

1271
00:44:38,494 --> 00:44:40,815
the money type of thing. That's and that's

1272
00:44:40,815 --> 00:44:42,494
one of the things we're talking about vendors.

1273
00:44:42,494 --> 00:44:44,175
Some people were asking about vendors in this

1274
00:44:44,175 --> 00:44:47,059
space. And there's a ton of super shady

1275
00:44:47,059 --> 00:44:48,579
vendors out there, and I'm not gonna, like,

1276
00:44:48,579 --> 00:44:50,739
poop on any of those vendors. But a

1277
00:44:50,739 --> 00:44:52,900
ton of them, they aren't actually detecting any

1278
00:44:52,900 --> 00:44:54,664
of the stuff that we talked about. Right?

1279
00:44:55,144 --> 00:44:56,905
The one vendor that is an exception that

1280
00:44:56,905 --> 00:44:58,905
I will talk about because, well, 1, they're

1281
00:44:58,905 --> 00:45:00,744
awesome, but, 2, because they're helping the pay

1282
00:45:00,744 --> 00:45:01,724
what you can initiative

1283
00:45:02,184 --> 00:45:03,565
is SaaS Alerts.

1284
00:45:04,369 --> 00:45:05,969
And they came up and they started talking

1285
00:45:05,969 --> 00:45:07,170
to me, and I'm like, crap. It's another

1286
00:45:07,170 --> 00:45:08,690
vendor that wants me to say good things

1287
00:45:08,690 --> 00:45:09,570
about their product.

1288
00:45:10,050 --> 00:45:11,570
And they're like, so what we've been doing

1289
00:45:11,570 --> 00:45:13,885
is, basically, when Beau releases a tool, we make

1290
00:45:13,885 --> 00:45:16,045
sure that we can detect those things. And

1291
00:45:16,045 --> 00:45:17,425
I'm like, wait a minute now.

1292
00:45:17,965 --> 00:45:19,824
This is now relevant to my interests,

1293
00:45:20,285 --> 00:45:22,489
doing, like, crowdfunding and things like that.

1294
00:45:22,889 --> 00:45:24,650
But, yeah, check out SaaS Alerts. But then

1295
00:45:24,650 --> 00:45:26,489
again, SaaS Alerts does have to have the

1296
00:45:26,489 --> 00:45:28,329
appropriate logging to be able to detect these

1297
00:45:28,329 --> 00:45:28,829
attacks,

1298
00:45:29,530 --> 00:45:31,664
and that's that's a big deal. I really

1299
00:45:31,664 --> 00:45:32,724
do go back to,

1300
00:45:33,025 --> 00:45:33,845
I I think

1301
00:45:34,224 --> 00:45:36,644
you should there should absolutely be no,

1302
00:45:37,389 --> 00:45:39,170
like, there should be no upcharge

1303
00:45:39,469 --> 00:45:41,630
for logs. Like, to get the logs to

1304
00:45:41,630 --> 00:45:43,389
detect attacks, it shouldn't be like, well, that's

1305
00:45:43,389 --> 00:45:46,210
gonna be tier 5, and that's dog shit.

1306
00:45:46,424 --> 00:45:48,505
Like, if if we need those logs for

1307
00:45:48,505 --> 00:45:50,025
day to day security, it should be part

1308
00:45:50,025 --> 00:45:52,105
of the lowest tier package of everything that

1309
00:45:52,105 --> 00:45:53,964
we get. You shouldn't be, like, holding,

1310
00:45:54,339 --> 00:45:56,500
you know, security over someone's head for more

1311
00:45:56,500 --> 00:45:57,000
money.

1312
00:45:57,300 --> 00:45:58,980
I know. And I'd like to remind everyone

1313
00:45:58,980 --> 00:46:00,339
why did we make GraphRunner? We went

1314
00:46:00,420 --> 00:46:02,914
we made GraphRunner because when the Storm

1315
00:46:03,114 --> 00:46:05,675
whatever attacks targeting the State Department happened, and

1316
00:46:05,675 --> 00:46:07,295
we talked about it on this show,

1317
00:46:07,594 --> 00:46:08,414
and we said

1318
00:46:08,715 --> 00:46:11,610
some attackers just got root keys into the

1319
00:46:11,610 --> 00:46:13,849
cloud environment for the US State Department. How

1320
00:46:13,849 --> 00:46:15,849
can we simulate this attack against our customers?

1321
00:46:15,849 --> 00:46:17,929
And Beau is like, hold on. I'm going

1322
00:46:17,929 --> 00:46:19,289
to my cave. And he came back in,

1323
00:46:19,289 --> 00:46:21,454
like, 2 weeks with Steve and was, like,

1324
00:46:21,454 --> 00:46:23,695
alright. Here you go, GraphRunner. And it's

1325
00:46:23,695 --> 00:46:25,155
basically what it is. It's, like,

1326
00:46:25,454 --> 00:46:27,909
that whole attack was the State Department hack,

1327
00:46:27,989 --> 00:46:30,150
and yet what has changed since then? It's

1328
00:46:30,150 --> 00:46:32,650
the same thing. How has Microsoft not been

1329
00:46:32,710 --> 00:46:35,190
required to I know they did kinda, like,

1330
00:46:35,190 --> 00:46:37,190
E3 gets logs now or whatever, but,

1331
00:46:37,190 --> 00:46:39,015
like, I I still am just, like, how

1332
00:46:39,015 --> 00:46:40,534
is how is this not more of a

1333
00:46:40,534 --> 00:46:42,054
thing where, like, if it happened to the

1334
00:46:42,054 --> 00:46:43,675
State Department and it's happening,

1335
00:46:44,054 --> 00:46:46,295
like, business email compromise, let's also talk about

1336
00:46:46,295 --> 00:46:48,190
that. It ain't just about sexy hacking and

1337
00:46:48,190 --> 00:46:50,750
GraphRunner. It's also about emails. Like, that's

1338
00:46:50,750 --> 00:46:52,590
what that's where the money goes is business

1339
00:46:52,590 --> 00:46:55,965
email compromise is not, you know, that APTs

1340
00:46:56,184 --> 00:46:57,864
or whatever. So I don't know. It blows

1341
00:46:57,864 --> 00:46:59,065
my mind that, like, this kind of stuff

1342
00:46:59,065 --> 00:47:01,065
doesn't get good logging and good, like, it's

1343
00:47:01,065 --> 00:47:02,585
just I don't know. It's it is what

1344
00:47:02,585 --> 00:47:04,510
it is, but I don't love it. That's

1345
00:47:04,510 --> 00:47:06,269
the reason I have a job. Alright. It's

1346
00:47:06,269 --> 00:47:07,550
the reason why we have a job. We're

1347
00:47:07,550 --> 00:47:09,409
giving way we're giving way job security.

1348
00:47:09,949 --> 00:47:11,809
Alright. Now this gets into

1349
00:47:12,190 --> 00:47:13,934
yet another one that I

1350
00:47:14,655 --> 00:47:16,434
this is, number 5.

1351
00:47:16,735 --> 00:47:17,954
Check your 3rd parties.

1352
00:47:18,894 --> 00:47:19,394
This

1353
00:47:19,934 --> 00:47:22,035
whole thing when we're talking about Snowflake,

1354
00:47:22,349 --> 00:47:24,130
when we're talking about what was it?

1355
00:47:24,590 --> 00:47:26,429
God. There was another story I wanted to

1356
00:47:26,429 --> 00:47:28,349
talk about that was it was a breach

1357
00:47:28,349 --> 00:47:30,030
of a breach of a breach. Oh, here

1358
00:47:30,030 --> 00:47:30,454
we go.

1359
00:47:31,414 --> 00:47:32,375
It was the,

1360
00:47:33,255 --> 00:47:35,914
data pilfered from Pentagon IT supplier

1361
00:47:36,454 --> 00:47:36,954
Leidos.

1362
00:47:37,940 --> 00:47:40,760
So if you're reading this article, basically Leidos

1363
00:47:40,820 --> 00:47:42,980
data was compromised through a company by the

1364
00:47:42,980 --> 00:47:44,360
name of Diligent Corporation

1365
00:47:44,844 --> 00:47:47,105
And if you scroll down, the Diligent Corporation

1366
00:47:47,405 --> 00:47:47,905
appears

1367
00:47:48,764 --> 00:47:50,925
to have been a breach from a company

1368
00:47:50,925 --> 00:47:53,744
by the name of Steele Compliance Solutions. So

1369
00:47:55,469 --> 00:47:56,989
So, okay, is this just the you know,

1370
00:47:56,989 --> 00:47:58,829
the degrees of Kevin Bacon? This is that,

1371
00:47:58,829 --> 00:48:00,829
but for breaches. This is like that, but

1372
00:48:00,829 --> 00:48:01,570
for breaches.

1373
00:48:02,269 --> 00:48:04,065
So I don't know if we got that

1374
00:48:04,065 --> 00:48:05,905
Here, let me share that article so Ryan

1375
00:48:05,905 --> 00:48:07,105
can get it out if he doesn't have

1376
00:48:07,105 --> 00:48:09,744
it out yet. I just did. Okay. Awesome.

1377
00:48:09,744 --> 00:48:12,039
There he goes. He's got it up. And,

1378
00:48:12,280 --> 00:48:13,640
or he's getting it up here in a

1379
00:48:13,640 --> 00:48:14,140
second.

1380
00:48:14,519 --> 00:48:16,360
But, you know, whenever people are talking about

1381
00:48:16,360 --> 00:48:17,579
supply chain security,

1382
00:48:18,284 --> 00:48:19,804
one of the things that's kinda pissing me

1383
00:48:19,804 --> 00:48:21,565
off in the industry is whenever people talk

1384
00:48:21,565 --> 00:48:23,405
about this, and this ties to the MFA

1385
00:48:23,405 --> 00:48:23,905
thing,

1386
00:48:24,204 --> 00:48:26,429
as though it's super easy to do. Right?

1387
00:48:26,589 --> 00:48:28,429
Like, oh, well, we just gotta verify our

1388
00:48:28,429 --> 00:48:31,170
supply chains for things like Snowflake or Kaseya

1389
00:48:31,309 --> 00:48:34,210
or Leidos who's bought by Steele Compliance Solutions

1390
00:48:34,269 --> 00:48:36,905
or, like, it it it's it there's such

1391
00:48:36,905 --> 00:48:40,105
an inception of cloud products and vendors out

1392
00:48:40,105 --> 00:48:42,585
there that I really, really do feel it's

1393
00:48:42,585 --> 00:48:43,644
almost impossible

1394
00:48:44,440 --> 00:48:46,840
for us to develop a good solid bill

1395
00:48:46,840 --> 00:48:49,320
of materials, especially whenever we're talking about cloud

1396
00:48:49,320 --> 00:48:51,480
solutions. Right? You know, we were talking about,

1397
00:48:51,480 --> 00:48:52,760
well, we just need to make sure there's

1398
00:48:52,760 --> 00:48:54,824
a BOM for all the security products so

1399
00:48:54,824 --> 00:48:56,105
we know what's in that, so we know

1400
00:48:56,105 --> 00:48:58,985
the security associated with it. And I think

1401
00:48:58,985 --> 00:49:01,385
that this last point in this article about

1402
00:49:01,385 --> 00:49:01,885
MFA

1403
00:49:02,539 --> 00:49:05,039
and this article from the register security

1404
00:49:05,579 --> 00:49:08,619
just highlights, like, how effing hard this is

1405
00:49:08,619 --> 00:49:10,299
actually going to be. And if anybody is,

1406
00:49:10,299 --> 00:49:12,494
like, you know, at a keynote at RSA

1407
00:49:12,494 --> 00:49:13,974
or anything like that, it's like, we need

1408
00:49:13,974 --> 00:49:16,034
to make sure we're securing the supply chain.

1409
00:49:16,335 --> 00:49:18,574
Those words are super easy to, like, get

1410
00:49:18,574 --> 00:49:21,170
out your flappy lips, but the reality of

1411
00:49:21,170 --> 00:49:23,829
it is it is incredibly difficult

1412
00:49:24,130 --> 00:49:26,609
because you literally have cloud solution providers, the

1413
00:49:26,609 --> 00:49:27,985
6 degrees of a breach.

1414
00:49:28,545 --> 00:49:30,785
You literally have cloud providers that are using

1415
00:49:30,785 --> 00:49:32,864
other cloud providers that are using other cloud

1416
00:49:32,864 --> 00:49:33,364
providers.

1417
00:49:33,664 --> 00:49:35,425
And literally, when you hit one of them,

1418
00:49:35,425 --> 00:49:37,025
sometimes it can lead to a data breach

1419
00:49:37,025 --> 00:49:37,925
across multiples.

1420
00:49:38,530 --> 00:49:39,889
Or am I reading too much into this?

1421
00:49:39,889 --> 00:49:41,090
Do you guys think that this is in

1422
00:49:41,090 --> 00:49:41,989
fact easier

1423
00:49:42,369 --> 00:49:44,404
than John, you're you're done. No. You're you're

1424
00:49:44,404 --> 00:49:45,590
right. Spot on.

1425
00:49:45,914 --> 00:49:47,434
Well, and I We talked about it last

1426
00:49:47,434 --> 00:49:49,515
week. That's great. I'm so happy you all

1427
00:49:49,515 --> 00:49:51,035
agree with me. Now I remember that you

1428
00:49:51,035 --> 00:49:52,655
all I pay all of you.

1429
00:49:53,089 --> 00:49:55,010
Yeah. You pay all of us. Yeah. Well,

1430
00:49:55,010 --> 00:49:55,206
couple of times, we have to pay all

1431
00:49:55,206 --> 00:49:55,909
of us. Yeah. Well, couple of times,

1432
00:49:57,889 --> 00:50:00,289
like, number of you wait. Okay. So Yeah.

1433
00:50:00,369 --> 00:50:02,444
Let's look at the CIS controls. For those

1434
00:50:02,444 --> 00:50:04,204
of you who aren't familiar with them, we

1435
00:50:04,204 --> 00:50:06,364
do have a control, control number 15, that

1436
00:50:06,364 --> 00:50:08,784
talks about service provider management.

1437
00:50:09,489 --> 00:50:11,890
And to those people who say it's difficult

1438
00:50:11,890 --> 00:50:12,789
and it's hard,

1439
00:50:13,090 --> 00:50:15,489
start with a darn spreadsheet and just start

1440
00:50:15,489 --> 00:50:17,809
making an inventory of your service provider. 2nd

1441
00:50:17,809 --> 00:50:20,164
of all, do you have a service

1442
00:46:20,244 --> 00:46:21,304
provider

1443
00:50:22,005 --> 00:50:22,505
policy?

1444
00:50:22,964 --> 00:50:25,125
You know, I look at organizations where they

1445
00:50:25,125 --> 00:50:27,545
allow individual departments or business units

1446
00:50:27,969 --> 00:50:30,369
to contract with cloud providers, that should be

1447
00:50:30,369 --> 00:50:33,010
centrally managed within IT. So I think we

1448
00:50:33,010 --> 00:50:33,510
can

1449
00:50:33,969 --> 00:50:35,809
eat this elephant one bite at a time,

1450
00:50:35,809 --> 00:50:36,309
John.

1451
00:50:36,924 --> 00:50:38,525
Well, and I also think it goes back

1452
00:50:38,525 --> 00:50:39,904
to contracting. Right?

1453
00:50:40,364 --> 00:50:42,284
If you wanna know all your SaaS programs

1454
00:50:42,284 --> 00:50:44,284
that you're paying for, go back and pull

1455
00:50:44,284 --> 00:50:45,664
your accounting records.

1456
00:50:46,449 --> 00:50:47,989
One company that I was interviewing,

1457
00:50:49,570 --> 00:50:51,269
I wanna say it was last week, Friday.

1458
00:50:51,809 --> 00:50:53,409
They sat down, and they were doing an

1459
00:50:53,409 --> 00:50:53,909
inventory

1460
00:50:54,210 --> 00:50:56,454
of all the different SaaS products that were

1461
00:50:56,454 --> 00:50:59,014
allowed into their environment, and they were comparing

1462
00:50:59,014 --> 00:51:01,114
that to accounting, what they were paying for,

1463
00:51:01,175 --> 00:51:03,514
and they realized they had, like, 4 enterprise

1464
00:51:03,735 --> 00:51:06,070
Zoom accounts to 4 different people within the

1465
00:51:06,070 --> 00:51:07,050
company. Right?

1466
00:51:07,510 --> 00:51:09,829
Now that's just highlighting a cost to an

1467
00:51:09,829 --> 00:51:10,329
organization.

1468
00:51:11,109 --> 00:51:13,030
But whenever you're looking at all your SaaS

1469
00:51:13,030 --> 00:51:15,301
products that you're using, the best place that

1470
00:51:15,301 --> 00:51:17,400
you can go is start with accounting. And

1471
00:51:17,400 --> 00:51:19,499
then just like you said, Kelly, actually go

1472
00:51:19,499 --> 00:51:21,598
to your vendors and ask them if they

1473
00:51:21,598 --> 00:51:22,909
have a letter of attestation,

1474
00:51:23,469 --> 00:51:24,829
that they were tested. We

1475
00:51:25,389 --> 00:51:26,989
you know, you start with the elephant one

1476
00:51:26,989 --> 00:51:29,069
bite at a time or a chainsaw, but

1477
00:51:29,069 --> 00:51:30,510
I also think that we have to start

1478
00:51:30,510 --> 00:51:32,894
pushing our cloud providers, our SaaS providers,

1479
00:51:33,534 --> 00:51:36,015
to kind of start asking these questions from

1480
00:51:36,015 --> 00:51:39,054
a compliance risk perspective. And this sounds scary,

1481
00:51:39,054 --> 00:51:40,594
but getting attorneys involved

1482
00:51:41,019 --> 00:51:43,099
and making sure that these legal contracts that

1483
00:51:43,099 --> 00:51:45,260
we have do at least have that language

1484
00:51:45,260 --> 00:51:47,099
that they can communicate to us their bill

1485
00:51:47,099 --> 00:51:48,534
of materials, possibly,

1486
00:51:49,074 --> 00:51:51,635
maybe. Well, I'm dreaming of unicorns at this

1487
00:51:51,635 --> 00:51:53,554
point, but we gotta start somewhere because this

1488
00:51:53,554 --> 00:51:55,989
is just going to get worse. Right? Yeah.

1489
00:51:55,989 --> 00:51:57,910
And this I was, like, I was looking

1490
00:51:57,910 --> 00:52:00,869
over the articles earlier today and and going

1491
00:52:00,869 --> 00:52:01,930
through and realizing

1492
00:52:02,710 --> 00:52:04,250
we've gotten to a point

1493
00:52:04,869 --> 00:52:07,514
that I don't think anyone really envisions

1494
00:52:07,894 --> 00:52:10,214
30 odd years ago when the Internet started

1495
00:52:10,214 --> 00:52:11,034
going mainstream

1496
00:52:11,655 --> 00:52:12,474
and that

1497
00:52:12,775 --> 00:52:15,114
all of these digital services

1498
00:52:16,039 --> 00:52:16,940
aren't just

1499
00:52:17,239 --> 00:52:17,739
conveniences.

1500
00:52:18,920 --> 00:52:20,539
They've become so

1501
00:52:21,480 --> 00:52:24,204
enmeshed with our daily operations that they've moved

1502
00:52:24,204 --> 00:52:26,144
on to the point of becoming utilities.

1503
00:52:26,844 --> 00:52:29,824
Now granted, we suck at securing our utilities

1504
00:52:29,964 --> 00:52:30,464
too,

1505
00:52:31,140 --> 00:52:33,699
but this is this is a paradigm shift

1506
00:52:33,699 --> 00:52:34,519
that I think

1507
00:52:34,980 --> 00:52:36,900
a lot of people haven't quite grasped is

1508
00:52:36,900 --> 00:52:39,780
that okay, you're gonna add on a new

1509
00:52:39,780 --> 00:52:40,280
provider.

1510
00:52:40,715 --> 00:52:43,614
How is that going to affect the holistic

1511
00:52:43,835 --> 00:52:44,335
environment

1512
00:52:44,795 --> 00:52:46,315
of what you're doing, of what you're trying

1513
00:52:46,315 --> 00:52:47,135
to accomplish?

1514
00:52:47,675 --> 00:52:49,614
I just I wish I knew how to

1515
00:52:50,010 --> 00:52:52,650
get people to think about the security aspect

1516
00:52:52,650 --> 00:52:53,150
before

1517
00:52:53,849 --> 00:52:55,949
rather than after things go

1518
00:52:56,409 --> 00:52:56,909
sideways.

1519
00:52:57,704 --> 00:52:59,784
Well and I think that's always been a

1520
00:52:59,784 --> 00:53:02,664
problem, though. We've we've been fighting from the

1521
00:53:02,664 --> 00:53:04,045
backside of it all.

1522
00:53:04,639 --> 00:53:06,659
And the not thinking forward

1523
00:53:06,960 --> 00:53:09,199
for 30 year for 30 plus years. Yeah.

1524
00:53:09,199 --> 00:53:11,199
Yeah. That that that mind shift should have

1525
00:53:11,199 --> 00:53:13,545
taken place years ago before we even got

1526
00:53:13,625 --> 00:53:15,005
to this ingrained portion.

1527
00:53:15,385 --> 00:53:17,545
It should have happened when with Microsoft's trusted

1528
00:53:17,545 --> 00:53:18,525
computing environment

1529
00:53:19,304 --> 00:53:21,784
minimum back in the early 2000 pay attention

1530
00:53:21,784 --> 00:53:22,989
to stuff when it impacts

1531
00:53:23,469 --> 00:53:25,949
them. Well but you're absolutely right. Even that,

1532
00:53:25,949 --> 00:53:26,829
though, I mean, if you if you wanna

1533
00:53:26,829 --> 00:53:29,389
be really depressed, you know, technology operations folks

1534
00:53:29,389 --> 00:53:30,989
have been fighting the same battle from the

1535
00:53:30,989 --> 00:53:32,289
back end on availability

1536
00:53:33,055 --> 00:53:34,735
for as long as computing has been a

1537
00:53:34,735 --> 00:53:36,335
thing. Like and even before we were all

1538
00:53:36,335 --> 00:53:38,414
talking about security, I mean, how many app

1539
00:53:38,414 --> 00:53:39,775
support teams have you ever seen where it's

1540
00:53:39,775 --> 00:53:40,974
like, boy, I really wish you guys would

1541
00:53:40,974 --> 00:53:42,500
talk to us at the design phase as

1542
00:53:42,500 --> 00:53:43,480
opposed to at rollout.

1543
00:53:43,780 --> 00:53:45,219
And it No. Security is just, in a

1544
00:53:45,219 --> 00:53:46,500
lot of ways, another one of those. It's

1545
00:53:46,500 --> 00:53:48,925
sad, especially given the impact, but it's not

1546
00:53:48,925 --> 00:53:49,425
surprising.

1547
00:53:49,885 --> 00:53:51,405
Going back to what Mike was saying, you

1548
00:53:51,405 --> 00:53:51,905
know,

1549
00:53:52,525 --> 00:53:53,965
I I I think that we've all felt

1550
00:53:53,965 --> 00:53:56,125
a slippage. Right, Mike? Like, we we Oh,

1551
00:53:56,125 --> 00:53:58,400
yeah. You know, for for 20 years, 20

1552
00:53:58,480 --> 00:54:00,739
4 oh, god. 26 years. Never mind.

1553
00:54:01,359 --> 00:54:02,880
We've been do dealing with this for a

1554
00:54:02,880 --> 00:54:03,699
long time.

1555
00:54:04,000 --> 00:54:06,545
We can barely keep up with the technologies

1556
00:54:06,684 --> 00:54:08,525
that keep getting thrown at us. And whenever

1557
00:54:08,525 --> 00:54:10,684
we throw SaaS, going back to the accounting

1558
00:54:10,684 --> 00:54:11,184
thing,

1559
00:54:11,565 --> 00:54:13,619
do me a favor, seriously, as a security

1560
00:54:13,619 --> 00:54:15,539
team, go to the accounting team and see

1561
00:54:15,539 --> 00:54:16,679
how many reoccurring

1562
00:54:17,460 --> 00:54:20,199
expenses exist for SaaS products in your organization.

1563
00:54:20,864 --> 00:54:21,684
Even at BHIS,

1564
00:54:22,385 --> 00:54:23,844
we're a small company, 140

1565
00:54:24,144 --> 00:54:27,025
people, and of course we're very heavily focused

1566
00:54:27,025 --> 00:54:29,285
on IT, there's literally hundreds

1567
00:54:29,880 --> 00:54:32,599
of IT services that we're using. My wife

1568
00:54:32,599 --> 00:54:34,519
just asked me today, there's a database of

1569
00:54:34,519 --> 00:54:35,659
SDR signals,

1570
00:54:36,359 --> 00:54:38,460
that we have a subscription for,

1571
00:54:38,844 --> 00:54:41,164
and she's like, what the hell is this?

1572
00:54:41,164 --> 00:54:42,764
And I'm like, well, that's a database from

1573
00:54:42,764 --> 00:54:45,664
SDR signals for reverse engineering of embedded devices.

1574
00:54:46,420 --> 00:54:48,340
She's like, who the hell does this here?

1575
00:54:48,340 --> 00:54:49,720
And I'm like, well, that's David

1576
00:54:50,260 --> 00:54:51,780
and and a couple of other people here.

1577
00:54:51,780 --> 00:54:54,260
And but when we start breaking that stuff

1578
00:54:54,260 --> 00:54:57,545
down, it is a monstrous amount of different

1579
00:54:57,545 --> 00:54:59,864
services. Like Bronwyn was saying, these are not

1580
00:54:59,864 --> 00:55:01,864
nice to haves. These are things that are

1581
00:55:01,864 --> 00:55:03,005
absolutely essential,

1582
00:55:03,380 --> 00:55:04,579
and a lot of it is driven by

1583
00:55:04,579 --> 00:55:07,719
the VC culture, right, where you want people

1584
00:55:07,780 --> 00:55:10,980
in subscription models. You want that reoccurring revenue

1585
00:55:10,980 --> 00:55:13,155
model so you can keep getting that money

1586
00:55:13,155 --> 00:55:15,155
on a treadmill again and again and again,

1587
00:55:15,155 --> 00:55:17,474
and it just bleeds to no more on

1588
00:55:17,474 --> 00:55:19,974
prem solutions, no on prem software,

1589
00:55:20,380 --> 00:55:22,300
everything has to be SaaS, everything has to

1590
00:55:22,300 --> 00:55:23,199
be in the cloud,

1591
00:55:23,500 --> 00:55:25,980
everything has to be multi tenant, everything has

1592
00:55:25,980 --> 00:55:28,639
to be connected and single sign on, therefore,

1593
00:55:28,780 --> 00:55:30,079
everything becomes vulnerable.

1594
00:55:30,605 --> 00:55:33,005
And, you know, somebody made a snarky comment

1595
00:55:33,005 --> 00:55:34,605
of so much for the cloud leading to

1596
00:55:34,605 --> 00:55:35,825
things being more secure.

1597
00:55:36,684 --> 00:55:38,864
That's a really snarky comment, but

1598
00:55:39,299 --> 00:55:40,659
I'd like to put it out there. It

1599
00:55:40,659 --> 00:55:43,639
kind of seems like SaaS inheritance of failure,

1600
00:55:44,339 --> 00:55:46,375
Joseph just put out. I think that's kind

1601
00:55:46,375 --> 00:55:48,215
of where this is starting to look. Right?

1602
00:55:48,215 --> 00:55:51,015
Like, it's absolutely leading to SaaS inheritance of

1603
00:55:51,015 --> 00:55:51,515
failure.

1604
00:55:51,894 --> 00:55:53,974
Well, hold on. Let me let me tease

1605
00:55:53,974 --> 00:55:56,349
my up an upcoming webcast and hopefully make

1606
00:55:56,349 --> 00:55:58,130
people feel a little bit better because

1607
00:55:58,429 --> 00:56:00,130
something to keep in mind is that

1608
00:56:00,750 --> 00:56:03,425
as much as these tools can SaaS tools

1609
00:56:03,425 --> 00:56:05,364
can also be used for harm,

1610
00:56:05,905 --> 00:56:08,385
we can also use the capabilities infrastructure, and

1611
00:56:08,385 --> 00:56:10,305
you can monitor things today that you could

1612
00:56:10,305 --> 00:56:13,039
never monitor 20 years ago. You can monitor

1613
00:56:13,420 --> 00:56:15,820
I mean, you can do things in cloud

1614
00:56:15,820 --> 00:56:16,320
products

1615
00:56:16,860 --> 00:56:18,079
that have insane

1616
00:56:18,460 --> 00:56:21,675
security outcomes without just check boxes or easy

1617
00:56:21,675 --> 00:56:24,074
things, like, you know, there's many, many examples,

1618
00:56:24,074 --> 00:56:26,474
but my upcoming webcast is talking about using

1619
00:56:26,474 --> 00:56:28,630
a really cool vendor. If you wanna

1620
00:56:28,630 --> 00:56:30,150
monitor this and you're if you're not a

1621
00:56:30,150 --> 00:56:32,070
CSO who can go to the accounting team

1622
00:56:32,070 --> 00:56:33,369
and say stop all payments,

1623
00:56:33,750 --> 00:56:35,190
if you're just a guy who would like

1624
00:56:35,190 --> 00:56:37,885
me, you can you can like, a tool

1625
00:56:37,945 --> 00:56:40,025
like Flare that we're gonna talk about during

1626
00:56:40,025 --> 00:56:42,744
my upcoming webcast, you can monitor a huge

1627
00:56:42,744 --> 00:56:43,804
part of your footprint

1628
00:56:44,264 --> 00:56:44,764
without

1629
00:56:45,079 --> 00:56:47,079
really having to do much work at all.

1630
00:56:47,400 --> 00:56:48,299
You can see,

1631
00:56:48,679 --> 00:56:50,760
like, in a tool like Flare or SpyCloud

1632
00:56:50,760 --> 00:56:53,194
or whatever tool you pick, you can

1633
00:56:53,494 --> 00:56:56,054
see very far reaching security things before they

1634
00:56:56,054 --> 00:56:57,414
happen to you, which is why there's really

1635
00:56:57,414 --> 00:56:59,574
no excuse for someone like Snowflake not fixing

1636
00:56:59,574 --> 00:57:02,389
this stuff. Every CPT customer gets a spreadsheet

1637
00:57:02,389 --> 00:57:03,909
the 1st day they sign up of, here's

1638
00:57:03,909 --> 00:57:05,769
all your breach creds, here's all the ransomware

1639
00:57:05,909 --> 00:57:08,069
dumps that your data's in, here's all the

1640
00:57:08,069 --> 00:57:10,405
GitHub profiles, here's all of this. Like, you

1641
00:57:10,405 --> 00:57:13,045
can use tools to monitor and detect this

1642
00:57:13,045 --> 00:57:14,804
kind of stuff way further out than you

1643
00:57:14,804 --> 00:57:17,204
could ever before. Like, you can see, oh,

1644
00:57:17,204 --> 00:57:18,260
I was in the collab

1645
00:57:18,739 --> 00:57:20,679
or breach from this, you know, 10

1646
00:57:21,059 --> 00:57:22,980
terabytes of data from this breach, and then

1647
00:57:22,980 --> 00:57:24,900
I was in this, and then they'll OCR

1648
00:57:24,900 --> 00:57:25,664
data, like,

1649
00:57:26,224 --> 00:57:28,785
they'll it's just there are tools like that

1650
00:57:28,785 --> 00:57:31,525
that make people's lives much easier of, like,

1651
00:57:31,664 --> 00:57:33,025
I can just type in my company name,

1652
00:57:33,025 --> 00:57:34,539
and it'll be like, hey. Your company was

1653
00:57:34,539 --> 00:57:35,900
in this company's breach, and then it was

1654
00:57:35,900 --> 00:57:37,500
in this company's breach. And so you can

1655
00:57:37,500 --> 00:57:39,840
do that. Like, you can actually follow along

1656
00:57:40,460 --> 00:57:42,184
with some of that exposure before it hits

1657
00:57:42,184 --> 00:57:43,785
you, and you should. Like, I think that's

1658
00:57:43,785 --> 00:57:45,644
kind of a core thing now is, like,

1659
00:57:46,025 --> 00:57:48,664
follow your supply chain data exposure. You might

1660
00:57:48,664 --> 00:57:49,945
not be able to fix it on the

1661
00:57:49,945 --> 00:57:51,820
front end, but you can at least know

1662
00:57:51,820 --> 00:57:53,980
it's coming and it's gonna hit you. Right?

1663
00:57:53,980 --> 00:57:55,280
I think that's part of it.

1664
00:57:55,820 --> 00:57:56,880
You gotta do that.

1665
00:57:57,500 --> 00:57:59,039
Speaking of supply chain

1666
00:57:59,500 --> 00:58:00,000
attacks,

1667
00:58:00,539 --> 00:58:02,465
can can we please talk about North Korea?

1668
00:58:02,765 --> 00:58:04,445
You have one minute. Go. You have one

1669
00:58:04,445 --> 00:58:05,965
minute. I have one minute. I don't even

1670
00:58:05,965 --> 00:58:07,344
have the pretty much,

1671
00:58:08,125 --> 00:58:10,760
KnowBe4 hired North Korea. They they found

1672
00:58:10,760 --> 00:58:11,980
him. We got him.

1673
00:58:12,440 --> 00:58:14,679
That's it. No. There's a there's a lot

1674
00:58:14,679 --> 00:58:14,840
of

1675
00:58:16,360 --> 00:58:18,199
Feel like we might be missing some steps

1676
00:58:18,199 --> 00:58:20,554
there, Wade. Great job, Matt. So that we

1677
00:58:20,554 --> 00:58:21,835
hit all the details. Bring up bring up

1678
00:58:21,835 --> 00:58:23,275
the news article so I can read it

1679
00:58:23,275 --> 00:58:25,034
as I as I pretend to know exactly

1680
00:58:25,034 --> 00:58:27,489
what happened. So pretty much KnowBe4 was

1681
00:58:27,489 --> 00:58:29,890
hiring, an internal IT guy, right, with this

1682
00:58:29,890 --> 00:58:31,890
awesome cool picture right here. Went through all

1683
00:58:31,890 --> 00:58:32,949
the proper steps,

1684
00:58:33,494 --> 00:58:35,494
and then they actually even issued him a

1685
00:58:35,494 --> 00:58:37,835
laptop. I believe it even says

1686
00:58:38,695 --> 00:58:40,454
what type of laptop. I believe it was

1687
00:58:40,454 --> 00:58:42,135
a Mac, which I'm, like, good for them

1688
00:58:42,135 --> 00:58:44,039
for using Mac. Like, I would hate to

1689
00:58:44,039 --> 00:58:46,199
do that security, but anyway, that's another subject.

1690
00:58:46,199 --> 00:58:47,980
That's brave. That's true. And

1691
00:58:49,320 --> 00:58:51,800
so the crazy part is that picture is

1692
00:58:51,800 --> 00:58:53,964
actually a deep fake of an actual stock

1693
00:58:53,964 --> 00:58:55,085
picture if you go all the way down

1694
00:58:55,085 --> 00:58:55,744
to the bottom.

1695
00:58:56,125 --> 00:58:57,424
So this

1696
00:58:57,724 --> 00:59:00,125
the moment this guy got his laptop, he

1697
00:59:00,125 --> 00:59:02,869
just immediately loaded it up with malware and

1698
00:59:02,869 --> 00:59:05,349
all sorts of good things. And their SOC

1699
00:59:05,349 --> 00:59:07,349
actually went went went to full throttle and

1700
00:59:07,349 --> 00:59:08,329
triaged everything.

1701
00:59:08,630 --> 00:59:10,789
And they found out, hey, this is, actually

1702
00:59:10,789 --> 00:59:12,785
not a person working here. This is a

1703
00:59:12,785 --> 00:59:15,684
North Korean IT actor who's trying to

1704
00:59:16,065 --> 00:59:16,565
infect

1705
00:59:16,865 --> 00:59:18,865
KnowBe4 and then possibly as a supply

1706
00:59:18,865 --> 00:59:20,224
chain attack go to the words of their

1707
00:59:20,224 --> 00:59:22,690
customers. I'm sure KnowBe4 is probably at

1708
00:59:22,690 --> 00:59:24,369
least I think they're one of the top,

1709
00:59:24,849 --> 00:59:27,250
what, security awareness companies out there. At least

1710
00:59:27,250 --> 00:59:28,849
I know their name and I've used them

1711
00:59:28,849 --> 00:59:30,230
quite a lot in different

1712
00:59:30,704 --> 00:59:31,764
organizations. So

1713
00:59:32,144 --> 00:59:34,304
it's a pretty good one. I'd know they

1714
00:59:34,304 --> 00:59:36,005
did get in contact with the FBI

1715
00:59:36,385 --> 00:59:38,545
further down, but this is something we've been

1716
00:59:38,545 --> 00:59:41,069
talking about all the time. These it's not

1717
00:59:41,069 --> 00:59:42,510
something that's gonna happen to everyone, but I

1718
00:59:42,510 --> 00:59:44,190
think it's actually a cool story and and

1719
00:59:44,190 --> 00:59:45,789
a win. And for us to end on

1720
00:59:45,789 --> 00:59:47,864
a win is very rare. Let's take it.

1721
00:59:47,864 --> 00:59:50,684
Go with the puns. Alright. Release the puns.

1722
00:59:50,905 --> 00:59:53,144
With that that let's close it out on

1723
00:59:53,144 --> 00:59:54,905
a win. Thank you so much for joining,

1724
00:59:54,905 --> 00:59:56,764
and we will be back next week.