Right of Boom
January 30, 2025

Conti Expands Ability to Destroy Backups & what your MSP can do to mitigate these attacks.

In this video, Andrew Morgan and John Strand discuss the tactics and impact of the ransomware group Conti, with a focus on its ruthless attacks on healthcare systems. They explore the importance of network segmentation, lateral movement detection, and the role of deception in cybersecurity defense. The conversation also covers practical steps MSPs can take to safeguard their networks, including leveraging tools like Sysmon and ntop for monitoring and analysis.

- Conti ransomware operates as a service, functioning similarly to a franchise model in which skilled hackers are recruited, provided with tools, and paid a percentage of the ransom collected.
- The webinar emphasizes network segmentation and lateral movement detection as ways to bolster defenses against ransomware attacks.
- The discussion highlights the need for effective incident response, including live forensics and memory acquisition, to manage ransomware incidents.

Guests

Andrew Morgan

Video Transcript

All right. Welcome everybody to week 68. And we've let everybody go; from now on it's going to be the Andrew and John Strand show. I'm kidding. So here's what's going on. We've got Ryan, hopefully he's in here, but I think he's having a technical challenge or two. Wes is going to be here in 15 minutes, and Gary is not feeling well, so he won't be here, unfortunately. All of that said, again, I hope everybody had a fantastic weekend. I did.

John, I'm not in a white shirt. I am in FSU garnet. They call this not red; this is garnet, garnet and gold. I have to say it the right way. I got to see my daughter for parents' weekend and... Oh, that's awesome. You got their first win. So that was very exciting. So, John, let's get right on into things here. You and I are going to do some bantering here on Conti, but first just a few quick announcements.

John, I put the link to your upcoming course down below. It's in green, for those of you who are wondering. Again, John's courses, I'll let him tell you briefly about this and how it relates to today. But everybody realize they are pay-what-you-can courses. I'm going to have John talk about why that is, but it's not pay what you want; it's ideally pay what you can.

Yeah, we do have a Cyber Call code, and that takes a hundred off. If you pay the $495, we're going to do some special training post-event for MSPs. John, just a real quick blurb about it while, again, hopefully we get Ryan in here as well. Well, okay. So let's talk about what this next class is. Yeah. So if you didn't make it to the first class, that's fine. You can jump right into the second class.

And this second class is all about: what are the 11 things that you can do? And yes, that is in fact a Spinal Tap reference. I was going to ask. Is it? Absolutely, absolutely. It goes to 11. What are the 11 things you can do to secure a network? Now, it's designed for systems administrators. It's designed for security professionals who are on a shoestring budget.

And any time you talk to anybody from security, they're like, oh, what you need is all this expensive software and all of this technology, and you need to spend millions of dollars. And you're like, I'm running security for a bank that has three branches. No, I don't have a budget to drop Darktrace on every single network sensor. It's just not going to happen. So basically what we do, as we say, is these are the 11 things that you can do.

Here's how you can do it cheaply and effectively in your organization. And we do it as pay what you can. Now, as Andrew mentioned, I want to explain what pay what you can means and why we do it that way. As he said, it's not pay what you want, because everyone can be like, I'm going to pay nothing. I will tell you right now, if you do that, you will feel bad by the end of it. It's very common for people to be like, I'm paying zero, suckers.

And then they get through it and they're like, wow, there's a lot of work that went into this. There are like 23 labs and there's a studio, and all kinds of effort went into this. So pay what you can is basically saying pay what you can. If you can pay full price, great. If you can only pay 50 bucks, great. If you can only pay 20 bucks, great. But those lower dollar amounts are there for people who are trying to get into this industry.

I was just talking to a lady, like two nights ago. She's a middle school teacher. She teaches third graders. She loves technology. She just got her degree in it; I can't remember what they called it, it was like technological education. She wants to get out of the school system as badly as possible and get into security and get into IT. For her, paying 20 to 50 bucks makes a lot of sense, right?

Because she doesn't normally have the ability to get thousands of dollars showered upon her to go do training. So what we've provided for the Cyber Call is a discount code, the Cyber Call discount code, that gets you a hundred dollars off the price, but you also get an additional six months of cyber range access. That's a full cyber range where you can practice your skills, and you get a full two-hour session.

That's just Q&A with Andrew and me, where we talk about the issues that are haunting the MSP space right now. So if you get a chance, you should go sign up and use that Cyber Call discount code. We'd love to have you in there, because we wanted to train 500, Andrew, was it 500 MSPs? I think we got that done in the first class. I think we're now shooting for, let's shoot for the moon. We want 5,000 in like six months.

Because I desperately feel that we can do this. It's very, very cost effective. It's not expensive at all. We hope to see you there. Yeah, absolutely. So yeah, that hundred-dollars-off code works with the $495, where you get the extra stuff. Mm-hmm. Awesome. Ryan, welcome. I just registered for Deadwood, which is Wild West Hackin' Fest.

And I did the pre-day for adversary emulation, the two-day conference and the two-day training event, the $620, and that's full price. That's not paying what you want, that's paying. And I felt bad after that. I was like, dude, I should have paid more. Was there an option for me to pay more? There was so much value in those four days. And Ryan, wait until you can come to the live one. I buy everybody a steak dinner at our conferences, like straight up, no joke.

I bring in cowboys, chuck wagon beans, and they cook up a steak dinner for every single attendee. But we've got to get through this COVID nightmare first. Yeah. And Eric, thanks for asking the question. I put it in there; the code is Cyber Call. All right, so let's get on into this. The reason I wanted John to join us was, he not only has Black Hills, but he's got several other companies.

They do IR, and he certainly works with the biggest of the big. Conti is considered one of the most ruthless ransomware. One of the questions we're going to ask you about, John, is: is it a gang? Is it ransomware? Because it's really interesting how they refer to it. And so we want to demystify that a little bit. Ryan and I were even looking at some of the articles, and in setting the stage here, John, I do want you to tell just a touch about yourself.

Because maybe not everybody knows you. But just this past week we had AdvIntel do a great article on how they're blowing up backups. And I thought it was interesting that literally the backup vendors that were called out were saying, well, no, we've had no incidents around that. Meanwhile, they literally have their team working on active information around these.

So again, not throwing shade there, John, but then CISA comes out on Conti. And then again, I don't know if it was related, a horrific incident where a baby died this past week. Yeah. Because of ransomware. Now, Conti focuses, again, they're ruthless. They focus on healthcare, emergency medical; it's really a sick, perverted thing. And they do things called double extortion, which we're going to talk about. So that's setting the stage here.

John, quickly, a little bit about yourself, for those of you who may not know you. Appreciate you being a multiple-time guest here and really getting involved to help MSPs. You bet. So my name is John Strand. I'm the owner of Black Hills Information Security. I noticed a couple of people got the Joy Division reference on my shirt. Now, as an extra bonus, tell me: where did the Joy Division cover actually come from?

So that's Unknown Pleasures, but we'll go through and we'll talk about Conti. My background is, I taught an incident response class, probably the number one incident response class in the world, for about 17 years. So I've taught incident response for a long time, and I know a lot of times people say, if you can't do, teach. At Black Hills Information Security we also do incident response, so we're constantly working gigs.

And ransomware just seems to be right at the top of everyone's list right now. So we do a lot of those gigs as part of our security operations center and as part of our IR practice as well. Awesome, John. So, again, I mentioned CISA put out this most recent alert on Conti just last week. Talk to us about who this is. Is it a group? Is it ransomware? You see Palo Alto refer to them as a group, but then you also see it as Conti is ransomware.

Maybe help us understand who they are, what they are. Demystify this a little bit, if you would. All right, so one of the things you've got to look at is how ransomware has evolved and changed over the years. It used to be, whenever you had Petya, NotPetya, WannaCry, those types of things, it was just malware, and it would just spread around the internet, take over systems, encrypt, and then you would pay.

What you're seeing now is these groups, and I want you to think of them more as a gang, right? So you have to have certain skills to actually come in, and they provide you with additional tools that can make you effective in doing this type of activity. It's ransomware as a service. So imagine a bug bounty program, but for really evil people, where they basically say, we're looking for hackers who have certain sets of skills who can do these certain things.

And we will provide you with tooling to be effective in doing these particular activities. And they take a percentage of all the money that you take. So when you're thinking of Conti, think of it as a big consortium. It's loosely affiliated. They don't have a cantina like on Tatooine, right? You're not going to have that.

They basically hire people to come in and do certain activities, and then they pay them a percentage of what they take as a group. Keith just popped up: it's like a franchise model. Yeah. They're like an evil McDonald's. How's that? Do they have a hamburger, I guess, is the... Yeah. Do they have a hamburger? Oh my God, yes. There you go. All right. So John, in terms of threat profiles, I put some questions in the polls for everybody.

Mm-hmm. And we are rapidly forcing MSPs, or encouraging, not forcing, we're encouraging them to build capabilities they probably never thought of a year ago: threat actors, threat profiles. Conti is one that, like I said, is about as ruthless as you can get. Let's focus on healthcare and emergency medical. Yeah, let's focus on where people can die. That's a great business model. Exactly.

So how should MSPs look at threat profiles? What would you recommend? And you're certainly talking about MITRE ATT&CK, I know, in this upcoming course. So maybe you could tie those two together a little bit? Is that a good way to do that? Great way to do it. So if you're looking at this particular set of attacks that we see Conti actually running with, they're sticking with things that are tried and true.

And these are the things that pen test firms do constantly. All right? So they're going to spear phish; they're going to try to send emails into an organization to get their malware to execute. They're going to try to find weak passwords on the edge of an environment. They're going to try to find commonly exploited vulnerabilities. And this is the trap, right? The trap is: if I can protect myself against Conti, then I'm protected against Conti.

Not necessarily, because if you look at what these threat actors are doing, they're finding any of the vulnerabilities that they can normally use to get access to an environment, and they're going to take advantage of those vulnerabilities. It's kind of like if I tried to secure my house: I could put a steel post in my front yard. You would come there and say, why do you have a steel post in your front yard? And I could say, well, somebody broke into my home. They came through that path.

So I put a steel post to block them from coming into my house through the same path they took last time. And you would look at me like I was insane. You would say, well, all they have to do is just come through a different path. And I'm like, no, no, no, no, no. I read an article that this is the path they take. They're going to run into that steel post. That's not how it works.

So you have to be careful whenever you're reading about what these different threat actors do, and you need to understand that these are the techniques that they're utilizing, but they will use any technique at their disposal to get into your environment. The nice thing about the CISA writeup is they have these broad buckets of what Conti is using to gain access.

They're trying to do password sprays, they're trying to exploit vulnerable software, and they're trying to spear phish and get malicious code execution in an environment. In fact, every single one of those things ties back to stuff that we do every day at Black Hills Information Security. And it ties back into the class that Andrew was just talking about. It's in those 11 things. So if you get down to the bottom of the CISA article, it says use application allow listing. That's in our class. Yeah.

We have a lab on that. Use strong passwords: we have a lab on cracking passwords and two-factor authentication. Vulnerability assessment scans: we literally have a lab on that. So all of these different things are not super difficult to shut down. It just requires being able to focus on the right things and not getting caught up in a 500-page document for compliance, but focusing on the things that really do matter. Yeah. So, John, have you guys run into it?

And if so, how are your clients communicating to their executive boards? I'm just wondering if you can draw any analogies to this, because MSPs have healthcare in their... I mean, I know MSPs are huge in the healthcare space. You're right. Yeah. So what are you seeing? Are there effective means where you've seen some of your customers do a good job, communicate to the board, and gain traction there to do some of the right things?

If so, can we draw any analogies for how MSPs, especially those that have healthcare customers, might want to approach their customers? So this gets into the unhappy part of today's webcast. Most hospitals, not most, a good number of hospitals have an approach of putting their head in the sand. They don't want to scan or do any security testing against large swaths of their infrastructure because it's extremely out of date. It's incredibly expensive and it's hard to replace.

So what they do is they say, hey, you can come in and test, but don't test those things over there. Like radiology, dialysis machines. And they have really poor internal segmentation in their environment. And then when the pen test is done, they say, well, we're good, the pen testers didn't find anything. But we're always pushing back and saying, yeah, but you didn't want us to touch all the really dangerous stuff.

If you're looking at Conti, if you're looking at Ryuk, if you're looking at REvil, if you're looking at these organizations, they're going to go to the places that you don't want your security team to ever go to. So it requires people to be honest about what the actual threat actors do post-exploitation. And once again, that's in the CISA article.

Moving laterally using vulnerabilities like the SMB vulnerabilities, the Zerologon vulnerability, the PrintNightmare vulnerabilities, all of those things post-exploitation. But they're going to do it in a way that your security team and your MSP, which have been trying to do the right thing, are usually not allowed to do.

So what I recommend is, if you're an MSP, you start an education campaign where you basically sit down and say, hey, we're going to have a symposium with all of our healthcare customers, and we're going to talk about ransomware and what's happening. And that's a place where you can have a frank conversation about the vulnerabilities that the attackers exploit and the techniques that they utilize.

And you're going to get some feedback from some of your customers and potential customers about what they can do and what they feel that they can't do. But if they start saying what they can't do, you can open up a conversation about segmentation. You can open up a conversation about application allow listing. You can open up a conversation about selling additional services like internal intrusion detection, user and entity behavior analytics.

It opens up a wider conversation if you can talk about the problem clearly without using fear, uncertainty, and doubt, and really help these organizations come to some conclusions about how they can do better. But it's education far more than anything. Yeah. Because the vast majority of these hospitals and healthcare organizations just want someone to tell them that they're okay, they're secure.

Your MSP is going to protect you, and then they want to ignore absolutely everything else until it's on their doorstep. So, two things that you said before I turn this over to Ryan that I want to pull out. One, I love what you just said about getting a group together, if you have multiple healthcare customers and/or prospects. Marco, Mike regard, those guys sponsored Deadwood and Wild West Hackin' Fest. Yep.

They were absolutely. But Mike, their CISO, and their security team are doing a phenomenal job. So this is kind of telling the MSPs out there what to do. They're doing a phenomenal job on these education events. Now granted, they're larger, they're regional, but you can do what John just said in your very own community. Get those types of vertical customers together, healthcare, emergency services, and do something like this.

Educate them around Conti, and you'll get... man, because I know Mike and team are getting a lot of business out of these types of thought leadership events. The second thing you mentioned, and that's why I wanted to pull Chris Loehr on stage. I don't know if you've met Chris, but Chris is the EVP of Solis Security, a.k.a. CFC Incident Response, John.

And I want Chris to kind of bring this home. He's worked probably more of the MSP RMM breaches over the past few years than just about anybody. But Chris, talk network segmentation, what you see, not only in the MSPs that are attacked, but maybe in their customers. Are you running into Conti here? Then I'll turn it over to Ryan. Well, we run into Conti all the time, so multiple times a week. Right.

So they're number one on our list as far as the top variant that we see today, especially with some of the other big dogs falling off. I mean, they're at it, and you can tell that the affiliate network has grown, right?

Because you can just kind of tell when you're discussing things with them, when you're negotiating with them, if they're being a little bit more, how would you say, kind of free-flow scripted. Well, I'm sorry Chris, I stepped on you, but I was going to say ruthless. What were you going to say? Well, no. Yeah.

You know, what's interesting about Conti is, I wouldn't say they're as ruthless as back in the Ryuk days. They used to be very short. They were never really ruthless when you negotiate with them. Now, when they enter your network, yeah, they're ruthless, believe it. But I've seen worse. Let's just put it this way: there are other ransomware groups that make more of a mess than Conti does.

Well, what was interesting is what Palo Alto was saying, though: some of the victims would pay and then they'll just disappear. They won't give them their keys. Have you seen that differently? Sorry to digress. So, all the ransomware groups... anyway, let's stay on track.

Yeah, no, I think it's interesting because I don't know what goes on with those other ones, but you have to really stay engaged with them the entire time, because yeah, those things can't happen. But sometimes you can open up a prior thread with another Conti threat actor and do that.

I know back with REvil, I had to do that all the time, because they would just get busy or disappear. And I don't know if you saw that article a couple of weeks ago where they were saying REvil is actually backdooring affiliates and basically stealing their cases from them. Right. So we really don't know. Everything goes on behind the scenes, but from a Conti perspective, Conti is one of the ones that has the most threat intel about them. Right?

So there are a lot of docs, a lot of LinkedIn posts, and a lot of stuff about what goes on behind the scenes. And obviously we know the leaked playbooks and all that kind of good stuff. But I would say that, from where we see it, they've gotten a lot better. I mean, their decryptor in the past, let's just throw Ryuk in there in the same category, was the one that always had issues, especially with big files and all that kind of stuff.

So they've evolved over time. They've gotten better from that standpoint. Now, who they attack, when they attack them, how big, how small, what vertical, they don't care. And they used to be highly predictable, meaning when you knew they attacked, you had a good idea of how much they were going to demand as an extortion payment.

But today I'm seeing them all over the place, and I'm seeing more varying degrees of discounts when someone does have to pay. Yeah, go ahead. That's what I wanted to talk to you about. Are they still willing to negotiate with you? Mm-hmm. We actually have a number of people who are fluent in Russian, and we find that it works really, really well for us to negotiate in Russian.

Even though sometimes I'll hear the conversations and it sounds like they're screaming at each other, and then I realize they're talking about where they all grew up. But are you seeing that some of the ransomware groups are refusing to work with some negotiation firms completely? Are they still willing to negotiate with y'all? Mm-hmm. Yeah. But we don't identify ourselves as a firm. Probably wise, right? Yeah.

And we try to change it up so that we don't come across as knowing what we're doing. Right. It's harder with these groups that have come out and basically said, hey, we're not going to deal with recovery firms, which is what they like to call recovery companies. It's difficult to change your game and act dumb and do all those types of things and try to come across as a first-time negotiator with them.

But yeah, we're still getting discounts. We're still getting those types of things. I would say of the cases that we see, half of them need the decryptor and the other half are trying to prevent publishing of their data. Yeah. That's an interesting point. I still want to get back to network segmentation. Yeah. Ryan, in your stuff, do you talk about the double extortion?

Because I think that's really what Chris led into. Do you want to maybe pick up there with John a little bit on that piece, even though that's not the first thing we were talking about? I think it's a really interesting way that Conti comes at things. And you're on mute, just so you know, bud. And still on mute. We know, because there's a big mute button right below you. He should have it down by now. Yeah. All right, Ryan's trying to come off mute.

So when we're talking about double extortion, real quick, are you talking about where they've got the files locked and they've stolen the data? Right. Because I've also heard double extortion meaning you pay, they give you the decryptor, and then they come back and say, hey, we want you to pay again. No, they do. They can do that. But we should talk about both, right? Mm-hmm.

But usually what I see is, no, my customer has backups, you know, f off, we don't need you. And then they circle back around and they're like, well, we have a whole bunch of your databases of your customer data. If you still don't pay us, and by the way, the price just went up, we're going to release this publicly. That's usually what I've seen.

I very rarely have seen someone pay for the decryptor and then had them circle back and try to... Not with Conti, I've never seen it. Not with this group. But I think the big thing that we've seen, and I'd love to hear you talk more about it, is you refuse to pay because you have backups, and then they basically drop the bomb on you that they've stolen a bunch of data, right, and they're going to release that publicly. Yeah.

I mean, that happens every time now with them. I think I've had one case in the last couple of months where there was no exfil, period. Wow. And that wasn't Conti, that was like a Fogo case. Everybody's grabbing something, right?

So, yeah, with this data, the thing about it is, and not as much with Conti, they used to be the most impatient group out there, but some of these other newer groups seem to be more impatient. So they're willing to stick it out there. Hive, as an example, is very quick on the trigger about publishing something out there.

Whether it's just the fact that they hacked you, or a sample of the exfil, or whatever the circumstance is. I hate this deal. We have so many cases where we're having to drag out negotiations for days or weeks to buy time, because they don't want to pay, but they don't want to get it published, but they need to have time to get all the forensics done and all that crap. It's the most painful process in the world, man.

I'd rather go watch paint dry and sit on tacks. I'm going to take responsibility on my side of the house. There are a bunch of forensic security companies that I feel, in some ways, and this is horrible, are almost as bad as these ransomware organizations, where they're basically like, we're going to put five analysts all charging $350 an hour, we're going to work on this, we need to copy every hard drive in your environment.

We want to do a full packet capture at the edge of your environment for at least a week. And then the price just starts ticking up, up, up, up. And I'm not going to call out any names specifically on this show, but there are absolutely firms that will take advantage of this. And they'll do a whole bunch of work that honestly is not required.

Like, there's one firm I know: we went through and we reverse engineered the malware, and we spent like six days reverse engineering the... it's a freaking Cobalt Strike C2 Beacon; the source code you can download from freaking GitHub. Why did you reverse engineer that for literally thousands of dollars? Well, we got... it's really awesome all the time. Hey Ryan, welcome to the show. Good to be here. All right. So let me let you and John riff a little bit here. Yeah.

I think we touched on this a little bit, but talk to me a little bit, John, about what you're seeing in terms of how they gain access to the environments they're attacking and what they do immediately following. And if you can, I don't know if you've actually been able to read the English-translated version of the Conti ransomware playbook that got leaked about a month or so ago.

Maybe talk a little bit about what you found in there, what you and your team have learned from that. Absolutely. So if you look at what Conti is doing, it is literally a red teaming playbook. It is all the stuff that we do all the time. So for initial access, we already talked about this a little bit at the beginning of the show: they're going to use spear phishing, they're going to use password sprays.

They're going to try to bypass two-factor authentication with tools like Evilginx to intercept those tokens. I haven't seen them do OAuth personally, but I've heard about them using OAuth attacks where they stand up a fake company, and then it basically says you can do single sign-on, and then they can do an OAuth attack to Azure or Google. I've heard that; I have not seen it. But if you're looking at all this stuff, it's motherhood and apple pie in the offensive community.

Password sprays, exploiting remote services, doing spear phishing. These are a few of my favorite things. This is literally what I do for a living. Colonial Pipeline, which I can talk about, at least what they've released publicly, we're working with them. And Colonial Pipeline is a perfect case of: they got access via a password spray and previously compromised credentials to a VPN without two-factor authentication. There's the front door.

Now, post-exploitation. Recently we've seen Conti using a lot of the exploits that have been out, whether it's the SMB vulnerabilities or PrintNightmare or any of those other vulnerabilities that we've seen pop up in Microsoft. But more often than not, and I would love to get Chris's opinion on this, they don't need to use exploits.

Um, with a number of our customers that we're seeing, their security hygiene is generally very poor to begin with and a lot of the users will be running as local administrator on their system. And the attackers can use tools like Mimikatz to elevate themselves. And then they can use tools like, similar to BloodHound or DeathStar, to move laterally within the environment to get Active Directory, to domain controller, um, Active Directory credentials.

Uh, so then they can take over absolutely everything. Love dumping. Yeah, go ahead. They love dumping LSASS process memory too, and carving creds outta there once they have the foothold. So, well, and you've gotta be careful dumping LSASS, right? So if you're looking at the Local Security Authority Subsystem Service, there's two ways that you can actually touch that.

One is you can actually inject directly into the process itself, and that's very dangerous if you're in an environment of over 2000 nodes. Doing a direct dump out of LSASS will actually cause a domain controller to just puke and die and restart itself. Um, the other way that you can do it is you can actually touch each individual account.

And this is kind of what Mimikatz does, but as you try to access individual accounts, it loads the password up into memory in clear text and then you can pull it out. But what we're actually seeing more of them do is volume shadow copy.

Um, with volume shadow copy, what you can do is usually a domain controller or a system will create a volume shadow copy of that system's core files, like the NTDS.dit file on a domain controller, and they will access the password hashes from that volume shadow copy. 'cause it won't, it won't crash anything. And then they'll do offline cracking of those particular password hashes after they extract them.

Now the thing that's really interesting about this is they'll do that and then they'll run vssadmin to delete the volume shadow copies after they did that because they wanna make sure that people just can't restore back to that volume shadow copy backup. So this is all, like I said, it's motherhood and apple pie lateral movement. Kerberoasting is absolutely in there as well. Password spraying is in there as well.

This is just what every offensive person does, and this is what the attackers are doing. Um, and we're absolutely seeing it in Conti and other ransomware groups as well. Ryan, just real quickly to inject here, John, you are talk, uh, correct me if I'm wrong in the upcoming course, you do go over quite a bit around lateral movement that can Oh yeah, absolutely. Yep.

So like we, like I said, you know, doing application allow listing and something as simple as just turning on your Windows firewalls. So workstations can't talk to each other. And then honey accounts and honey server, uh, Kerberoastable service accounts. Yeah, we do cover all of that in the, uh, class that's coming up.

By the way, Ryan, Ryan, John, would creating something Veeam related if you didn't have it, or, uh, would that be a good deceptive technique here, John, potentially knowing they look for that? It could. I feel bad for Veeam, by the way. Um, just because they've been absolutely hammered. Um, some of my friends that work with that company are just like, why did they pick us?

Um, like, and people look at this as a vulnerability inherent to Veeam, but usually what they're doing is they're escalating privileges to domain administrator, moving over to the backup service, taking out that, well, they actually exfiltrate off the Veeam server first, more data, and then they actually nuke it from high orbit because it's the only way to be sure. But it's not like they're taking advantage of an inherent weakness in Veeam at all.

But yeah, if you wanted to name a server Veeam, be my guest because they're probably gonna go right for it. Yeah. Um, Ryan, I put the link in there and I'll let you continue. Um, like again, to John's point, this isn't a, I feel bad for Veeam too, they just happen to, you know, really focus, uh, AdvIntel, which makes some great blogs, uh, has come across this and their taxon really up.

Yeah, I mean it's, anytime any vendor is named is unfortunate, uh, as we've, we've discussed in the past few weeks with our friends at Allstate. Um, right. Uh, but I think in the, in this case, really what the threat actors are saying is on premise, do it yourself, domain connected backup solutions. That's what they're talking about when they use, when they use Veeam. And I, I, you know, I sent the article to Andrew initially because I was like, Hey, this is interesting.

Um, I was, I was actually doing some research on rclone, which is a valid tool, um, kind of like Cobalt Strike's a valid tool for pen testers. rclone's a valid tool used in QA and oftentimes for moving data files around. The attackers typically use rclone for data exfiltration. And Conti has been seen to use rclone before. And so I was doing some analysis on rclone and you, our environment and our detection capabilities, et cetera, et cetera.

And I, and this article had gotten published like 20 minutes before. And so I shouted over to Andrew and I was like, Hey, look, I actually sent it to him because I thought the article did a really good job of like outlining the steps and the tools that they used. Um, and then we got talking more about the backup stuff and like we saw all these same tactics attacking Datto backups back in 2018.

The difference is we control the appliance, we control the cloud, we control the configuration, so we can make the backup appliance, we can change how the backup appliance functions when we see these attacker tradecraft. The problem with these DIY on-prem solutions is they're stuck on whatever version of software they're on, and they may or may not have been configured in the most defensible way. And that becomes the MSP's responsibility to understand and to modify that configuration.

So yeah, I, I do feel bad for Veeam. Um, so yeah, what was the question? No, I did, I was just literally putting it up there, but, um, but can, can I pull Chris in real quick here? Yeah. Ryan, Chris, you know, the, the question that came up earlier, it also came up in chat around, you know, segmentation, you know, what someone posted. Like, so, so what does that really mean?

Can you, can you give it to us and you know, what, what your, what you see, what the mistakes are, what maybe some best practices are, if that makes sense. What I see as far, excuse me, best practices with regards, Start with the mistakes if you could. Yeah. Like where you're just like, 'cause I know I've talked to you many a time where a, you know, you'll go nameless on an MSP, but you're calling me going, you're not gonna believe this, Andrew. Well, yeah, no, I gotcha.

And, and, and how many times in this last 10 minutes have we mentioned memory, memory, memory, memory. And I get these calls and I talk to the MSPs and I'm like, well, have you rebooted, I hope you haven't rebooted or shut down anything. Yeah, we shut down everything immediately. I'm like, thanks. What, why did you do that? And they don't have any reason for it. Right? It wasn't like, Hey, it was part of our plan, or, you know. Right.

Because if you go back to books 15 years ago, they were saying, if you think you're compromised, pull the power cable. Right, Exactly. Oh, go ahead. So sorry. So that's it. I mean, there's, and there's, you know, there's variants that you can crack. And if you don't reboot that machine, you can crack them; if you shut down or reboot, you can't, 'cause what we need to crack it is in memory. And if you don't do that, then you're good. So, I mean, I had MSPs,

well, we already hired so and so, we're already negotiating with the, the, you negotiated yourself. Yeah, yeah, yeah. We don't care. We just need to pay 15,000 to get this done. And I'm like, you're gonna pay these yahoos $15,000. I mean, you probably can, shouldn't have to pay 'em in the first place if you didn't shut down. But we could probably negotiate those guys down to nothing for what these guys encrypted and go on.

So same types of mistakes we're seeing where they're just doing our, and I, I thought by this time people would still would not be saying this, but they still say this, well, we just thought it was just an ordinary ransomware. I'm like, what the hell is that? I go, did, what is your, does your client even realize what's going on? Do they even know that their data could have been stolen? Well, they're in such, and they're, they're in manufacturing. They're not in healthcare.

Well, they have employee data. Uh, well, we didn't ask them that. Well, of course you didn't ask them that. Do you even know what's on their server? No, we, well, no, not really. So the same types of mistakes we see, um, you know, we still see these, these cases, uh, especially with, um, you know, the, the ProxyShell stuff, the second iteration of Exchange, which is a huge Conti door in, we still find all these people that are not running AV on their Exchange boxes. Yeah.

We're finding people that have one Exchange box, and that one's the box that's every And, and, and, and I think we should be like begging everyone. Yeah. If you're running your own Exchange server, don't, just don't. Migrate to Office 365, please. For, for, for all of us. I mean, we all make money off of this. If you want to keep doing it, that's fine. You know, we're, we're gonna, we're gonna take money from an IR engagement. Even Microsoft doesn't like people running Exchange anymore.

Just don't do it. It's time to bring, Yeah. Uh, the, the lack, you know, the lack of logging, there is no excuse for it. Even the, even the firewall logging still not enabled, not enabled correctly. Uh, you know, and I would say that, that the other mistake is that just pulling the trigger and restoring stuff, and, you know, John talked about these IR firms that want to collect everything, which I know exactly what he is talking about.

'cause we will get in these cases, and they're like, well, we contacted so-and-so, and they're coming out to image our 500 PCs. Why? Uh, you don't need to do that. Right? Um, stop them and you're not gonna do that anymore. But, um, you know, they, but they, they go the other way where they go, well, we were in a hurry, so we just needed to, to, uh, restore. And we, they just wrote over everything. Well, then you're kind of screwed. And I mean, we've had one case lately.

They said, well, the MSP did the forensics, what does that even mean? And, and the way, and what they wrote us was like, that's not forensics, man. I don't know what you guys are talking about. So, um, yeah, same thing. I mean, if I was, if I was somebody's MSP, which I'm glad I'm no longer anyone's MSP, uh, I certainly would not be doing forensics for a client because the optics on that don't look good any which way.

They don't look good to a lawyer, they don't look good to an insurance carrier. They don't look good to anything. Well, and I think that there's a big difference people need to understand between IR and forensics, right? Like, IR, you're working an incident, you're trying to stabilize that patient. You're trying to do everything you can to get that patient to survive. If you're working forensics, you're, you're, you're a mortician.

You're trying to figure out how that patient died, what killed that patient. So forensics is incredibly important, especially whenever you're talking about things like illegal pornography cases, or if you're working nation state attackers that are using brand new TTPs that we've never seen. But if you have a firm that shows up and they wanna start doing forensics on your hard drives, in a ransomware case, they're literally just padding their bottom line.

Um, as Chris mentioned, memory forensics is essential. If you're on site and you can run tools like WinPmem, FTK Imager, I recommend running multiple different memory acquisition utilities, then it can be imported in tools like Volatility and some commercial forensics tools. Memory forensics is the hotness. It's amazing. Even better is if you can get network level telemetry from your environment. Look at Zeek installs. If you're an MSP, that's free. You can run Security Onion.

And then also your Active Directory logs are critical. And if you can, if the gods smile on you, turn on fricking Sysmon on your workstations, pretty please with a very nice cherry on top, Sysmon is the cat's pajamas. Um, you need to be running that. Yeah. Hey, John, a question for you. Do you see, uh, do you see mid-size and large enterprise doing in memory, um, capture like storage into like a log aggregation platform of some kind? Like I don't really see anyone focusing on that. No.

We do see a lot of tools, um, that are security tools that do have the ability to do remote acquisition of memory. Um, so they can do that and they can pull it back down. That's where you're getting into something like an F-Secure, F-Response type platform where it can remotely acquire that memory. Um, and if you're interested in this, I recommend looking into KAPE from Kroll, um, from Eric Zimmerman.

Um, basically what are the memory and what are the hard drive artifacts that actually matter? Things like prefetch, things of that nature. So you can pull those things down, but KAPE is very, very, very cool to give you that particular capability. Uh, Google Rapid Response is also really, really, really solid. Um, hasn't been updated as much as I would like to. The big problem with GRR or Google Rapid Response is it relies on memory acquisition and analysis with a tool called Rekall.

And Rekall is pretty much an abandoned project right now. The developer went and started Velociraptor, and that just got acquired by Rapid7, I believe. Um, but yeah, memory forensics generally you don't do that unless you're talking servers. Now here's where it gets cool. If your servers are doing automatic snapshot functionality in like VMware, you can actually do memory analysis on those VM snapshot files.

So your servers, if you're doing snapshots as kind of a backup, then you've got memory acquisitions. You can do memory forensics on those backups, uh, that are automatically being created in your virtual infrastructure. And do you see that, that's really helpful. Um, I, I suspected that was a gap. Do you see the potential for, uh, actual live detection based upon what's happening in memory as well? Because we also don't really have any kind of detection engines.

We, we typically rely on things like what's happening at the processor level. You mentioned Sysmon, for example, you know, maybe what's happening in PowerShell, but like we don't really look deep into like memory itself. Is there a future in which we can start doing detection in from, from memory, It's already being done. If you look at advanced EDRs, like CrowdStrike, Carbon Black, uh, Cylance, they're actually hooking specific, uh, call tables that malware oftentimes uses.

Uh, for example, a normal process will just basically open up a request to NTDLL to try to open up a network connection. A lot of malware actually walks through NTDLL to do it in a different way. So we are absolutely seeing that in your EDR space is doing exactly what you're talking about. But that's specifically in the EDR space. As far as logs, no. The closest I've seen is Binary Defense.

Um, their Vision product actually puts honey credentials in memory, and then if they're actually used in memory or scraped out of memory with something like Mimikatz, then it triggers an alert. Um, if you wanna see another tool that's very similar to what you're talking about, it's called Raccine, um, like vaccine, but ransomware vaccine, Raccine, uh, by Florian Roth. And what that tool does is it basically hooks memory.

And if anybody does the vssadmin command to delete volume shadow copies, it kills that and it kills the process that called it. So there are some products out there, um, but most of what we're seeing is in the commercial EDR space and John. Okay.

No, I was just gonna say Andrew, super quick, like this five minute segment where John just gave us a ton of tools and things to think about, both open source and commercial, I think is really gold for us to really have that stored and saved because I think these are areas of deep immaturity that we have as MSPs that are growing into for most of us. So John, that, that was extremely insightful and helpful. Cool. And I just posted a link for Raccine, um, in the chat. Yeah.

So I'm gonna go back to something you, we had said earlier, we criticized shutting servers down Mm-Hmm. Um, what is a more appropriate response action that MSPs should plan for or think about planning for when they do their tabletops or their IR plans? What, what's the, what's, what's kind of the, the alternative step rather than shutting off all your servers? So the first thing is understand that you shouldn't panic, right? Fear is the mind killer, the creeping death.

I will face my fear, it'll pass through me and over me, and only I will remain. So what you have to do is not panic to start. Then come to the realization that in a lot of scenarios, you're not going to outrun the attacker. A tremendous amount of that damage has been done. Number two. Number three, um, somebody had mentioned isolation. Isolation, but how do you go about doing that is critical. I'd recommend doing live forensics, um, basically running some things on the command line.

I would recommend doing the memory acquisition off of the system. Basically collect as much as you can before you bring that server or that workstation down. Now, some organizations have the ability to do a switch port isolation, where they can basically say that this particular port on this switch no longer has internet connectivity. They can move it over to another infected VLAN, and they can isolate it that way, which is great. You can absolutely do that.

Um, but I recommend you go through your IR playbook, you acquire the data that you need to do that kind of incident response, kind of live forensics. Then make a determination whether or not to bring that system down. Um, so bringing it down, I'd recommend collect what you can off that system first, then actually make the movement to either shut that system down completely or just isolate it at a switch level.

Ryan, in, in kind of combination with what you and John are talking, there's a question in chat, a question that came in, questions by Sonny and, and, and by Jeremy. Is it safe to suspend machines in a virtual environment until the forensics can be spun up? Um, uh, so you can, it all depends on what your number one concern is. If your number one concern is to restore operations as quickly as possible, you might wanna shut that system down, revert back to a good snapshot.

But I would only recommend that if, and only if you know how the initial attack came in. Um, because if you're just shutting down systems without knowing how that system was actually compromised, you're gonna fail to prevent reinfection. So you have to know how that infection happened in the first place. Then you can shut that system down, then you can revert to a backup, and then you can restore it and fix it, uh, before you actually do it.

That's a great question, but it always comes back to the core thing. Do you know how it got popped? If you don't know how it got popped, I'd strongly recommend not killing those systems. Great stuff, Ryan. Yeah. Or if, or if you feel like you need to kill them to get back to restoration, don't kill them until you've done live forensic evidence acquisition on them. Right? Grab, grab your event log, grab your open network Connection. Go memory, get that memory dump, Todd, Get the memory dump.

So Ryan, Todd asked a question, uh, ditto, is it possible to do memory forensics or acquire memory, uh, from your backups, Uh, not from the backup? So the backup is just your hard drive, not the actual like RAM. Um, mm-Hmm. So what we, what we do tell people is, um, people usually want to go back and delete the backups that contained the threat while the threat was active in their environment.

And I actually tell them, don't worry about deleting those backups, just mark those as like, do not recover Unclean. But it's actually good for you to have a copy of that Mm-Hmm. Um, to go back and do forensics on later. And then once you're really done, go back and do that.

But no, what you should think about is you all have RMMs, so you can create scripts that, um, download, um, tools that let you do, uh, memory process dumps, and you can create PowerShell scripts that actually gather all of this live incident response data for you and deploy them out. Um, and I've been talking with my team about actually building, uh, one in PowerShell that we can contribute to the community, um, to run. Um, but there's a lot of them out there.

You can find them on GitHub and, you know, you can run them. A lot of these projects that John mentioned have them as well. Just import those scripts right into your RMM. And then whenever you have an attack, run that script from the RMM, gather all of that information and then enact your response playbook, which in my opinion, should be more about network access control than shutting systems down. Mm.

You, you probably wanna severely limit what type of inbound and outbound network access you have from the internet, because guess what? That attacker isn't sitting in your office attacking you, right? Mm-Hmm. They're coming in over the internet. So if you can limit the ability of those, of, um, the attacker to communicate with that environment, you effectively evict them.

But a well-crafted network ACL lets you maintain the ability to access the environment and conduct forensics and facilitate recovery. So as part of your tabletops, you're gonna wanna think about what types of network access controls can we put in place that could evict the threat actor, but still let us maintain, uh, control over the environment to, to respond and recover. By the way, um, I know I want to get a few questions in here with Wes.

Um, uh, for those, somebody asked about steps in IR, Red Canary has a great, um, uh, document I just put in there for you guys on steps for IR. Ryan, do you wanna wrap up with one more and we'll go over, uh, Mr. Spencer? Um, no, let's just hand it to Wes. Okay, Cool. Right on. So, uh, thanks for letting me take the call in the car, my friends, uh, there's a wreck up ahead and I was like, I guess I just gotta pull off and, uh, do this call from the car.

Um, I don't have a ton of extra questions, uh, but I did wanna get back to, uh, so we, we, the focus initially was Conti, right? Uh, but I think one of the things we've explored in this call is a lot of the, the TTPs that you see Conti use would be similar to, to other threat actors. And we should really, there's been a pretty good focus on, um, what we're doing from defensive countermeasures and where some of those gaps lie.

And what I wanted to zoom into a little bit more with you, John, is around lateral movement. Mm-Hmm. Um, so we, you just, I mean, Ryan, you just said it like good network segmentation is a huge boon to that. Uh, maybe a two part question. One, in your experience, how many organizations were you seeing a significant ransomware attack have had very intricate and very in depth, um, network segmentation in place Zero. That one's Easy. And, and I knew you'd say that.

So isn't it funny that like, I'm not sure where network segmentation belongs in, like the CIS Controls. I think it's IG2. Ryan, do you know, is it IG3? It's not in IG1, I'll tell you that. It's not in one. That's right. It's not in one. And I know it's hard. I know it's time consuming. Uh, but I also know every person on this call has the controls in place to implement it today or at least start it today. The crazy thing is, is like network segmentation is hard for big companies.

Most of you are not dealing with big companies, like even for your MSP segmentation, like why do your sales and marketing folks exist on the same network as your MSP techs? Like it's very simple for you to do network isolation in small environments. Much harder for enterprises to do it. Just, just one simple thing. Turn on your Windows host based firewalls. So your workstations can't talk to each other.

You push a rule through group policy that says workstations can talk to servers, servers can talk to workstations, but workstations cannot talk to each other. Like, it blows my mind that our computers are more secure in a fricking Starbucks whenever it joins a network. And it's like, wait, this is an open network. I'm gonna turn on my firewall than they are in a corporate environment. So turn on your Windows firewall. It's horrible.

And also a lot of your security products, your EDRs come with built-in firewall management capability. That's much easier than using netsh advfirewall. Do that. It's free. You're already paying for it. And as Ryan just said, totally not hard. Um, you can absolutely do that and it will make my life more difficult as an, as an attacker. And that's what we want. We wanna make John's life as an attacker incredibly difficult. That's the hope. We want him so frustrated he gives up.

And did you hear a big goose egg, a literal goose egg on the number of organizations he's dealt with that have good intricate network segmentation in place? That it, that should be shocking or maybe it shouldn't be. It's so hard. Well, that's what I was trying to get LA to talk about. He never, all the places that they're popped, he never sees it. And so Wes just there a question came in it's that well that you kind of asked what are best practices? John, you started off on these smaller ones.

Ryan pointed it out that you could just put on Windows, firewalls, anything else top of mind, John, that people should tune into and will do you talk about it this at all in the upcoming course? Okay, so that gets, that gets, that gets dicey like real fast. Okay. 'cause the Windows host based firewall is something that you can turn on, um, with some very specific rules that are wide, that are fairly open, right?

When you start talking about segmentation at the, at the actual network level, like you have accounting segmented off from development, segmented off from your point of sale terminals, that really gets specific to your internal network infrastructure. If you're running Cisco, you can absolutely do that through private VLANs. Um, you can actually VLAN off these different things from each other. Um, you also have people like ForeScout is a product.

Um, it's like an advanced network access control. Even though the people at ForeScout will be like, we're not a NAC. Yes you are. Alright. So now that we've gotten through that, there are products that allow you to do that, but you're actually moving up the complexity scale at that point. And it really depends on what your products are. Palo Alto is relatively easy to work with.

I know a lot of MSPs use Fortinet and Fortinet makes it relatively easy to do segmentation, um, based on different organizations and different buildings within organizations. But it really comes down to your technical solution. But the one thing I will come back to you on right now is no matter what solution you're using, it has the ability to do segmentation. It's just a question of how difficult it is to implement it and how much education you're gonna have to do. Cool. Wes, back to you.

That that's good. Um, so we probably have time just for a second follow up question to some of this around lateral movement. Um, I think Andrew, you and I had originally talked about lateral movement and deception sort of going hand in hand and I'm sure it does, but like if you're defending, uh, John and you want insight into lateral movement, what would you focus on? Um, if you're trying to, sorry, I just can't get over the fact that Facebook is down. Um, just blows my mind.

Um, if I'm going to do lateral movement, and you can put cyber deception in play right now. Set up honey accounts in your environment. It doesn't matter if the user account is an administrator or not, create a user account. Log into that user account 'cause it updates its last log on time from January 1st, 1601. Um, log in in that account and then disable its log on hours. Do not disable the account, disable its log on hours so it's still an active account in your environment.

And then set up in your SIEM an alert if anyone tries to touch that account, then it's gonna throw an alert. Trust me, the attackers will, they don't, we don't go through and look for individual accounts to pivot to. We do password sprays across all of them in one shot. Okay? So create a honey account or two, create a service account that is a Kerberoastable account with an incredibly difficult password. The attackers will absolutely do lateral movement to that.

And then finally check out Haroon Meer at Thinkst. They have a free tool called Canarytokens. You can actually go to the website and you can generate Word documents that if somebody accesses that document, it'll email you an alert like what's the source IP address? Where was it actually accessing it from? You can run that. Those three simple cyber deception things at no cost. Super simple, barely an inconvenience.

And you're gonna detect, in chess terms, the first opening gambits of post-exploitation lateral movement probably 99.8% of the time. Okay, so and by the way, we have an integration with cus, I wish more people used it. Uh uh Okay. So okay, maybe my final question and maybe 30 seconds John. So you just, you you're definitely indicating, I don't wanna put words in your mouth, that deception is a, is a corollary, not mandatory, but a corollary towards lateral movement. Mm-Hmm.

What other controls or defensive countermeasures that are not deception focused might I look at as well? When it comes to lateral movement For lateral movement detection, you start getting into some expensive solutions. Like you start looking at it like a Darktrace or an ExtraHop, which is very good at detecting that lateral movement and those attack methodologies and those patterns. Uh, if you want something a little bit more cost effective, um, I would look at ntop. ntop.

You can set it up so it can, uh, receive your IPFIX and your NetFlow version 9 and I think 5 data. You can forward that to an ntop sensor and they have a number of detects to detect things like internal, like, like port scans and sprays and things of that nature as well. Finally, whatever SIEM you're using, you can implement user entity behavioral analytics to look for user accounts that are behaving badly, like trying to access thousands of files, trying to access other workstations.

Doesn't matter what your SIEM is. If you're running a modern SIEM, it's going to have a plugin for doing UEBA, user entity behavioral analytics. Turn that on. That's fantastic. So Andrew, as I turn it back to you, I feel like when John comes on the call, he's like our, it's like we're like high school football coaches and we bring in like the NFL guy that like really shows us, hey, what, think about this, what do you think about that? Yeah, right. Just, in security, folks.

Like when you guys start talking about all the problems in the MSP space, it's like, like I told everybody I know I came into this thinking, you know, I'm a security person, I know the problems of MSPs and you guys have really opened my eyes. This is not easy. Um, especially with the RMM stuff that Andrew and I talked about last week where insurance companies are flat out banning RMMs. How the hell are you supposed to do your job then? There's a whole nother world, man, that I know nothing about.

So, And that's why Ryan has less hair today than he did last week. I'm on, he didn't get a haircut over the weekend. Mind you Ryan, I feel you man. I feel you. So, um, John, by the way, Facebook still down. Sorry, just absolutely blows my mind. So No, no sweat. Well there's, there's stocks started off really down this morning and I think, man, they've just taken it, uh, on the, in the shorts really bad today. So John, thank you for coming on.

Um, if anybody out there has questions in the upcoming course, you can email me, I'll get 'em to John. Um, I'll put my email in here. Um, no we don't, for those of you asking, we're not spies. Um, one of their kind of concerns was, who are these guys? John? Uh, you have thousands, tens of thousands on your YouTube channel.

Uh, what's being, uh, you know, they were concerned about could there be, you know, bad guys in here and, and I guess of course there could, but I don't think we're, you know, giving the keys to the kingdom or anything. They dunno. Well, and I would, I would also be honest with you.

If, if bad guys implemented all the things that we're talking about, they're gonna look at your network or sorry if you implement everything that we're talking about, bad guys are just gonna look at your network and be like, there's someone right next door that has nothing. I'm gonna go over to that environment. That's a horrible way of looking at life.

But trust me, if you sit down and have conversations at Black Hat and DEF CON and other hacker conferences like BruCON in Europe where you talk to evil, bad hackers and you start talking about firewalls, segmentation, application allow listing, they're like, those things suck. I just quit and go someplace else. Yeah. Awesome. Oh, so again folks, thank you so much for, uh, staying a few minutes after John. Thanks Amelia for coming.

Ryan, Wes, always great to see you guys and we'll look forward to seeing everybody next week. Take care everyone. Later everybody.
