Right of Boom
January 30, 2025

July 13th, 2020

In this video, industry experts dig into incident response planning and management. The discussion highlights how unprepared many organizations still are, despite the growth of consent phishing (attackers tricking users into granting a malicious OAuth application access to their Microsoft 365 data, which sidesteps two-factor authentication because the app then acts through API tokens rather than an interactive login) and of attacks targeting MSPs. The speakers argue for regular tabletop exercises and a proactive approach so that businesses can better protect themselves and their clients.

Key points:
- Many organizations still rely on makeshift incident response plans that are inconsistently applied, and even fewer test them.
- Consent phishing is rising: rather than stealing a password, the attacker gets the user to consent to an application's permissions, gaining long-term access that should be audited and monitored in the Microsoft 365 and G Suite logs.
- Tabletop exercises, compared to an NFL team's pre-game walkthrough, are the way to rehearse who does what before a real incident.

Guests

Andrew Morgan

Video Transcript

Week 10. Week 10. 10, 10. Lemme just, 10, 10. Can you believe it? That deserves a hey. Unbelievable. Can't believe how quick it went. Thank you, Kyle. Thank you, Gary. And Wes, if you are out there, previously was with us, and, uh, so there's always something, something going on here. So a bit of housekeeping real quick. We'll get right on into it. Um, number one, um, wait a minute, Wes is always somewhere different. Is he like in the witness protection program or something? I think it is.

They gotta move him just in case. If they're able to triangulate him, it's over. So, yeah, very true. Alright, I'm gonna remove him and then try and get him back here. Lemme do that real quick, just so, um, housekeeping by the, oh, he's off. Okay, so housekeeping, tabletop housekeeping. Yeah, housekeeping. I'm putting a URL in. Um, we almost have, literally right on the border now, Gary, uh, about 500 registered for tomorrow's tabletop: trumethods.com/tabletop.

And we'll certainly talk a little bit about that. But, you know, in essence, you know, going through and what it's like to actually be compromised, Chris and Wes walking everybody through those steps and then with the intent to help everybody build an incident response plan. And, um, so really excited for that. It, it, they, we've done a lot of these over the years, um, with them at different events. So really good stuff, Kyle. Hey in. Yeah, we'll talk about it.

But yeah, I'm excited, uh, about bringing this to, you know, the TruMethods community, but in general, just inviting people in general to take part in this. Yeah, Kyle, was that a part? I mean, probably a silly question, but, you know, NSA, were those things that you guys had a walkthrough on at times and practiced quite a bit?

Uh, you know, you could even take it outside of NSA. If you think even before, like, the, uh, the infamous Bin Laden raid, they were building the compound in Abbottabad and they were, you know, practicing what would happen when the helicopter exploded.

So all the way from the physical to the digital, and you best believe, like in the cyber side of the house, we actually had a couple called Cyber Guard and Cyber Flag, which were two exercises just like this that would move from tabletops in theory all the way down to real cyber exercises where the government would spend, you know, a pretty penny to practice targeting, uh, environments. So yeah, it's legit. And I highly encourage the idea of tabletopping. Well, thank you for that.

And it's really interesting. Wes is gonna put up a, um, a video that he did and, and I thought he did a really good analogy of NFL, like an NFL team right before a game. You know, they, they come in the day or two before, but the day of, right? A few hours before they survey everything, they walk through the wind, all these different scenarios about what would happen. Is the sun gonna be coming from this way? Is it gonna be coming from this way? So anyway, let's get right on into it.

Um, but there's one thing, the Patriots, they couldn't prepare for the Philly Special. I knew we weren't gonna, uh, yeah. That wasn't in their tabletop or their walkthrough. Very good. Um, Kyle, I'm gonna have you kick us off today. Um, I'm gonna put the link in to this article from Bleeping Computer, but it's really to the sense of getting us into how we're gonna get into a tabletop because of being compromised.

And, you know, you would think, like, you know, we talked about zero trust and OAuth and better mechanisms for protecting identity, and yet those are things now being used by the attackers. Um, in fact, I'll quote from this article, and I'll put it in here and let you take over: Microsoft warns that, with the shift to remote working, customers are exposed to additional security threats.

And I'd love for you to talk about what consent phishing is, besides the credential theft and email attacks. Consent phishing is a variant of an application-based attack where the targets are tricked into providing malicious, uh, O365 OAuth. Um, and so, with that setup, Kyle, could you take us through what's happening, and how these seemingly good things are now being used against us again? Yeah, yeah, so I just threw a link in for anybody that's following along.

It's in the chat from computer, but I'll also provide links from Microsoft and a couple images if anybody wants to follow along. But I'll start at the high level. Uh, what's beautiful about this attack that Andrew just gave us a segue into is any of us that's using more or less any application based framework, nowadays we're at risk. It just turns out that Microsoft has access to usually more data than anybody else.

So, uh, even though Bleeping is the article, it's all based on Microsoft's direct reporting. So let's peel it back and figure out what is the attack. So we all know nowadays it's super convenient. Like when I log into social media, sometimes you could say, I wanna log on with my G Suite account.

Ironically, sometimes logging into other applications, you could use your Facebook account and each time you go in and accept when you're logging in as one of those applications, whether it's a web app or like a mobile phone application, it might say, do you trust this website to have access to your data? And we all are in it for convenience or end users are the first to just say Yep. Right?

And I think any of us who've ever looked and remember the older days of Android security, there was a lot of applications on our Android phones that would ask for egregious amounts of information. And so what happened is Android platform got better and it warned you this is what it's gonna have application access to, but we all know nobody reads those. So let's now take that Android example from 2013 and fast forward it to 2020.

And so what happened is part of phishing in this consent phishing tactic, the idea behind it is I'm gonna send your users a phishing email, but I'm not gonna ask you to log in, for instance, with your username and password. Because even when I do get that username and password and then I redirect it to the malicious website, maybe I get hit with two factor and there's frameworks available to try to capture that two factor token from you.

But me as a hacker, I still only get access to you for maybe 30 days. And some frameworks only allow you to have 15 days. So let's think about that real quick. Okay, so we know the idea is the attackers are trying to phish you to get your credentials, but what if they wrote an application and said, you know what? Please fall for this phishing email.

And when you give access to this phishing application or this malicious application, you're more or less just granting them legitimate access from an app to be able to read from your O365 or M365 data. The downfall is when you set up these apps that act on your behalf, you know, sometimes they're just as convenient as allowing you to send emails automatically at a timed frequency. I use that for G Suite. I use an external app that says, yes, you can have access to my inbox.

So you can send scheduled emails. However, think about that. The attackers are giving malicious apps with this consent-based phishing, uh, tactic, and that malicious app allows them to say, hey, you know what? I'm gonna be able to have long-term access, and since it's through API access, there's no two factor there, because there's no two factor, you know, human to be able to prove, yes, I'm allowed to get in there.

So what they're doing, just to recap at a high level, in case that was too much: they're taking a built-in feature that says, yes, I want apps to be able to have access to my O365 data. People are making malicious apps and getting you to fall for it and getting your end users to accept permission to those. And the downfall of it is, because you've given trust, they're using legit features to go around two factor to have long-term access to your data.

So there's a couple big problems there. Before I jump in, guys, I'm obviously always sensitive on time. Did anybody want to add something to that real quick? Hey, I wanna add something that's super good. So, Kyle, we're seeing the same thing at Perch. Um, in fact, I covered this on our IT Nation breakout talk. We talked about you're going to start seeing more OAuth and API-based attacks because two factor's ubiquitous, right? Yep.

And so I think we've had this idea in security far too long that if I just put two factor everywhere, that I don't have to worry about authentication attacks. And that's not the case. It's just this iteration. We're already seeing bad guys pivot off of that. And so you're exactly right and those are things you've got to be notified. You've gotta be watching for that. And it's not hard. I know both Google apps and Microsoft do produce logs around that data.

So it's definitely things you've gotta be watching for, for sure. This is a big deal. I mean, when you think about, oh, And, and then also, I mean, it's also user awareness training, right? Yeah. I I was gonna say, when you, when you think about the average user, how many things do they sign into with just sign in with their Google account? Like, like, like it's so widespread. Like it's ma it's massive Andrew. Yeah. Yeah.

And that's why I wanted to talk about it, because they keep innovating, and, you know, just the way Kyle put it was, you know, they're using what was seemingly, or it is, you know, something that is, quote unquote, kosher. And it's just like, you know, them using our RMM tools or using our remote control tools, they're using them as they should. It's just they're using them for nefarious purposes.

So I, I have a question other than, um, is the, other than prevention, let's put, put that away for a second. Um, in terms of, um, you know, knowing when there's an issue, right? Um, is it something like checking logs? So what, like how do you, how do you become aware? 'cause you're saying like, Hey, you're not aware of this because there's no two factor. That's why they get long-term, you know, access, which is scary. That's a scary idea. I've secretly paid Gary to ask that question.

That's the truth is, uh, he's hitting up the right thing, right? What is the, what can we do about this? The first one we always talk about is education, right? We need to educate our users. By the way, in chat, I threw a link to Microsoft's documentation about how to have a conversation about permissions. And keep in mind permissions and OAuth and all those aren't specific to Microsoft.

But one of the beautiful things that they called out was, you know, at the end of the day you might wanna audit what things you're granting access to. And us as system administrators, right, have the ability to help our customers and say, you know what? You've granted maybe so-and-so application access, you should go back and review and audit. What are you given access? And when's the last time it was used?

So the picture I just threw in, it's another Microsoft picture, um, actually calls out and it says, Hey, if you wanna be able to audit your applications that have access to your data, well, you know what? You probably should be doing that on a recurring basis. But I think Gary, you and I both know that it, it takes, uh, to do anything on a schedule, it takes a whole lot of, um, I don't wanna say tenacity. I don't want to say discipline, but I wanna say responsibility.

Something along those lines. And I think we all know And time And time. Yeah, Time of course. So anyways, this is obviously just the kicking off your Monday of this week. If you've never heard of API targeted attacks or granting, you know, when you grant another application access to your permissions, there are bad apps, there are bad things that are gonna use the permissions that you consent to, to do bad things. To sum this up quickly, you should audit who you're granting permissions to.

And I included a boatload of those for you there. And obviously you see Wes throwing a cool link of, look, there's other people who could help you with this too. Great, Kyle, thank you so much. Um, that was really, really well done. Thanks as always for coming on for week 10, and, um, I'm gonna move you over to the audience. I know you do an awesome job over there for us. And I'll bring on Chris Loehr to talk about tabletop exercises. Alright, let's bring up Chris.

Yeah, Man, you, you hit Kyle right in his sweet spot today. He was all fired up. Yeah, I aim to please Gary. We had a, you know, we week 10. Gotta do good things here. Okay, let's see. Okay, exit Mr. X split you there? I'm here. All right, thanks. Chris. There He, yes. Yeah. And, and for week 10 you got a new computer specifically for the cyber call. As we understand it, Chris, I rebuilt the machine just for the purpose of making you guys happy. Awesome.

Okay, well, let me get right on into it 'cause I want to hear from you guys.

Um, tabletop exercises, nothing new to Wes and Chris, uh, recovering bankers, and, uh, in setting the stage here, I'll just point out this and we'll get right into it: you know, I just reviewed a bunch of different security frameworks, um, because, number one, I'm weird, but just the point being, whether it was, you know, something you're really akin to, us, which is the FFIEC's, you know, CAT, where it's Domain 5 for the banks, or the, um, CIS Controls and its Control 19.

Point is, every framework talks about incident response planning and management. So it should be no surprise to you, and I'm air quoting that as sarcasm, that according to IBM in a recent, uh, study they did, um, 74 per, and again, now IBM, they're not surveying SMBs and MSPs, they're surveying mid-market, upper, you know, large accounts. 74% of the organizations still use makeshift response plans that are inconsistently applied and may have no plans to handle, uh, incoming threats.

Any surprise to you guys? Like, that to me is kind of surprising. But then real concerning when we look in terms of what I'm gonna ask you, Chris. But are you shocked by that at all? Wes? Chris? I'm not shocked. I mean, uh, just go ahead, Wes. You go first. Chris's life, of course he's not shocked. That's right. It pays the bills. Yeah, I was about to say, Chris's job is to say, I'm not shocked, right?

Because all he does is walk into all these organizations left and right who are not prepared. But the study data, the study data shows the same thing, doesn't it? I mean, you look at study after study, even like the super large organizations, the world, I tell this to people all the time, it's not like they're better, they just have more resources. But even in all of those more resources, they're still not doing an adequate job testing.

I remember reading IBM study data two years ago that showed they interviewed executives and they asked them, you know, so you may have an IR plan in place, but how often is it tested? Is it actually up to date? And 77% are like, nope, not at all. It's, like, super old, not freshened up, we don't spend time, it's not a priority. So yeah, it's a systemic problem. Yeah. Well, Chris, I'm gonna kick off, for time's sake.

I was gonna throw around some more stats, but I'm not gonna do that, for time's sake. Chris, what percent of your cases, which consist of both MSP and commercial, started with an incident response plan and got to that point where they're like, oh, here's the part in our plan where we're gonna pick up the phone and call Solis? Or was it more, oh, blank, you know, our insurance carrier said we got... So how many, what percent have 'em?

I can't tell you a percentage, but I can tell you that of all the cases in the last two years, I've only remembered less than a handful that had some type of plan. Wow. And then there were probably some that maybe had a plan, but they weren't gonna admit they had a plan 'cause it didn't apply. Got it.

And so, you know, kind of back real quick, not only are we seeing, so what's interesting is, in the mid-market and above space where you see people focusing on incident response, they're actually starting to expand it to a two-day effort where the first day may be more technical and the second day is really focused more on legal, and they actually have attorneys get in. So somebody had posted a question before this call about that specifically.

And I think you're starting to see attorneys weigh in more to an incident response plan than ever before. And so it's really making, you know, I mean, so I mean we, we, we have existing clients and it's interesting. I mean, they've had IR plans for a long time and let's just say they're a bank and one of the things that comes up is their insurance and they know they have insurance.

They have no idea even how to work it, like who to call, what to expect, how it's gonna work, and that type of thing. And so it's, um, it's an interesting, um, it's, it's just like, you know, Kyle had talked about earlier on the assault on Bin Laden. I mean, that is like the pendulum swinging the other way. I mean, we see most people completely just unprepared whatsoever. I mean, if they've done it just to check a box, so be it. But that's, that's basically all we're seeing out there. Yeah.

Kyle, say, do a little poll. Let's ask people how many people, not even asking how good it is, we will just ask 'em whether they really have one or not. Oh, yeah. Oh, Kyle, you're like, you're Carnac. Remember Johnny Carson? You're reading my mind. I had that all queued up. It's already out there. Um, the answer's in the mayonnaise jar on Funk & Wagnalls' porch. So there's another poll: how many people actually know who the hell Johnny Carson is. That's right.

Yeah, that's true. Yeah, Really dating myself. Uh, thanks, God. True comedy. True comedy though. But, uh, yeah, I mean it's, it's, you know, this is anonymous. So, you know, again, I I can't see who's answering what or anything like that.

Just, you know, if you guys could just answer away and, and, and so it's interesting, you know, um, you know, I'm, I'm pleasantly surprised so far, you know, there's about 38% that say they do have a plan, but what I would expect in the lateral part is that 86% don't test their plan, which is, you know, the, the other big piece of the equation. But yeah, you guys Go, so Andrew, think, think about the MSP population in general.

You're asking people who have enough interest to come to the cyber call. Yeah, yeah, very true. So even within that, like, they're already saying, like, yeah, I realize I, you know, and then you see those percentages. So expand that out to the general population, and not a good scenario. And look, with this, we're trying to deal in reality here, everybody who comes on. We're not, you know, um, Fox News or CNN, right?

So we're not trying to act like there's no security risk, just go about your business. And we're not trying to pump it up to something that's different. We're trying to bring the reality here. And the reality is, with an IR plan, you may have been in business 10 years and you've never had a serious breach. That's very possible.

When you think about most of the things that would've caused a breach, the majority of them really over the past 18 months, and even more over the past three or four months, it's not gonna be the same. We can all agree on that in the next 10 years. So like, you can feel that we're at this critical timing to start doing the basics, at least. Right? Yeah.

Well, and Gary, let me just ask your, the question I had for you, and then we'll move to what Yeah, but I, I have the question around just, you know, we've done a lot around standardization, improving efficiencies with tools and things like that over the years, but like, what are MSPs gonna have to do here? Because again, we're giving them more work.

And again, kudos to your point of everybody out here that this is the, you guys and gals are the ones that really care and are actually doing things. Yeah. Good, good. Thank you for pointing that out, Gary. But it, it, you know, it takes, you know, commitment, culture, et cetera. Um, do you see, you know, incident, you know, and, and what I was gonna say is, so, you know, something like this takes, you know, culture, discipline, et cetera, very similar to sales.

Um, are, do you see it similar or different, you know, when it comes to MSPs? Well, On one side I see a different, it's like you have to do something, you know, proactive. The difference with it is you can make the decision to inve, you make the investment in sales, and you hopefully get paid back by having more revenue on this side. We have to figure out how to pay for it. We have so much money, and that equates to so much time. And we have so many tasks.

That's why every, almost every week you hear us talking about, you have to think about the relationship with your customers. And I'm gonna guess that most people are between 20 and 50% off on their average seat price, just because the only thing I know is the math.

So that they're even able to do tickets, to run their stack, and then be able to have the discipline and the time to be able to do what we're talking about, both in incident response, but also in prevention, in compliance, uh, and those kind of things. Well, so I'm gonna throw in, uh, and I have a, you know, we talked about some of these questions, but I'm just curious, you know, in a bank, I gotta believe cyber, there was budget. Is that a fair statement?

You know, there was line, you know, budget in terms of, you know, hey, we're gonna increase for these security controls. We've got the FFIEC coming in. We had this gap. What do you feel is gonna have to take, yeah, I mean, place, go ahead. Go ahead. No, no. Uh, I'm anticipating your question, so I'm gonna answer it this way. So, yeah, banks, yes, banks have a budget.

And what's good, where banks are lucky is they have examiners that come in every year and actually review it, and they wanna see where your investments are going, the result of those investments, third party audits, I mean, all of those kind of things, which makes your job easier as a banker because you can simply produce that data back and say, here's what we're doing, here's what we'd like to be doing. Can you help me get there? These are some things I think are missing gaps.

I mean, I could do an entire one hour session on how regulation can be helpful. It's not always helpful, but it can be helpful to accomplish your security objectives, right? But the rest of a lot of other industries don't have that going for them. And I understand that sitting here on the cyber call. I've worked with so many MSPs, I see that as a problem, right? And so sometimes what you need to do, obviously we say this over and over and over, you've gotta start yourself, right?

Gloria said this right here. I love what she said. I feel like we can't afford not to do this. Gloria is right on the money because she's walked through those situations before. So it, it, it, where you start is yourself. Start with your own MSP, do these yourself internally, eat that dog food. And then I've mentioned this before on other meetings and calls, but you can actually use tabletop testing and you can use incident response and you can actually bring your clients around in on this.

So do things like a lunch and learn and bring them together and talk about these things. It doesn't have to be an all day event, but it can be a, Hey, how would this happen? And there's so many analogies to this, and I'll just give one, I posted this video on Cyber Nation. If you guys are not a member of Cyber Nation, you need to go and join. And I'm sure Andrew can figure out how to do that. But, um, I made an analogy to NFL the day before an NFL game. You know what they do?

They do a walkthrough, and during that walkthrough, they go through the stadium, they practice what they're going to do. They discuss what's in the stadium. Is it a bowl, is it a covered stadium? You know, what's all of these things they practice, the reason they practice is so that they're ready for it. Those walkthroughs are critical. We don't do that in cybersecurity enough. And because we don't do it when something hits the fan, we don't know how to react.

We don't know who's responsible for what. We don't know how we're gonna respond. And all of a sudden delays get worse and the breach honestly gets worse, right? So those are big things that I think we've gotta do. But we start with ourselves. And if you haven't started with yourself, there's your take, uh, to do take home is start with yourself. Yeah.

You do have like a lunch and learn, which you may want to try to pull off is have somebody that attends and you don't tell anybody that that's actually been a victim, and then they're not afraid to speak up. And so you're having this lunch and learn and everything is going fine. Then, you know, we say somebody finally stands up and goes, Hey, I can attest to this because I had this conversation with a group of MSPs on Friday. And you know, they somewhat like, what do we do?

And I'm, you know, we're always behind in this battle. And I'm like, well, you have to be, uh, rigorous about doing these types of things and you gotta be on top of it. And you have to have these conversations with these customers, and you have to give these very current examples that are happening in the SMB community to people next door to them.

And if you just pound it and pound it and pound it, and I'm telling you that's the one thing I see these days with the calls we get, is that people are less shocked that it happened to them. They now realize, Hey, look, yeah, you know, I'm not, you know, before it was, I thought I, it was never gonna happen to me or blah, blah, blah. But now when they actually get popped, usually they're like, yeah, we had some budget to do that.

We hadn't got around to it yet, or this or that, whatever the case may be. So the shock factor's not there. So the word on the street is out. People know it's happening in the SMB community. So you really have no excuse not to have this messaging and these stories right in front of the face of your clients, because they do need to share in that risk management of this stuff.

'Cause if they're gonna dump all the incident response on you, you might as well fire 'em, because you're in a losing situation right then and there. Yeah. Look, I hate to always be the wet blanket, you know what I mean, about taking this back to the business model, but this is what I live with in helping people every day, right? So I was doing some little napkin math, right? If you take what I see as the average seat cost, right?

For an MSP, um, 25 to 30% of it now is stack, right? It's their tools, and it's going up, right? Uh, stack, tools, kit, whatever you want to call it. Um, but really, if you have truly proactive roles, that's like another 25%. So now 50 to 55% of your seat cost is around stack and, you know, proactive roles, right? Compliance, security, vCIO, you know, those things. So now if you're an MSP, it's real simple. Andrew, is 55% of what you're doing that today? Probably not.

Probably not. And so you need to start there so that you can raise that percentage each quarter and take your customers along with you on that investment. Yeah. Well, and by the way, this is episode 10. I think maybe going forward we should have a little bit of a change. Anytime Gary Pica wants to start talking about something, we should have, like, one of those things that happened on radio. It goes, oh, Gary Pica wet blanket moment. Wet blanket alert. I vote for that.

It really gets focused. Anyway, go ahead. Sorry. Yeah, No, but it, it, I i, i, it, it really, I guess excl the, if that's the right word, but the point of some kind of, you know, framework. And again, you know, I think, again, kudos to everybody here that would even consider using a framework to assess and build a roadmap, Gary. But I don't know how you get there without some kind of, um, you know, uh, a competence of, of a framework, right? Because it can't just be like, Hey, we think, right?

There's gotta be something bonafide behind it. But anyway, if, uh, if that makes some sense. Um, so Chris, here, here's something, you know, you're in a peer group, several, I think, and I'm curious if you feel the role of peer groups, um, and or conferences. But if you maybe take both for me needs to change like less, you know, hey, you know, we're gonna talk about, you know, EBITDA and this and that.

I'm not saying those aren't important, but is this gonna have to change knowing the landscape that we live in and, and, and our conferences, for example, gonna have to maybe take a turn if and when we get back to actual physical conferences of less, Hey, here's another vendor showcase for four or five hours to, hey, here's actually something that we can, that's critical to our business. What are, what as, as you know, someone in the business, what are your thoughts? Well, yeah.

So I was talking with, uh, someone on our insurance side that basically owns the whole tech insurance policy side of our business. And he is a bright guy, very energetic Australian guy that just gets after it, right? And so one of the things that he talked about, and I think it's stealing thunder from something I'm gonna talk about in a few days, but he was saying that, look, in the US, in the legal system, you can get sued, right?

So in Europe, for example, if you sue somebody and lose, you are on the hook for their legal expenses. In the US, that's not the case. So his point, from his perspective, was, hey, look, if you're not doing everything for the client, then they would prefer you do nothing for the client. Because let's just say you were doing some managed services and you weren't doing backups, as an example.

It doesn't matter because they're still gonna sue you if their backups fail or the insurance might go after you, whatever the case may be. And so it is a real deal. It's not just selling security or adding that in your stack or whatever it really is. You are the, you're the highest risk industry there is, period. I mean, that's it.

I mean, ransomware is the number one cyber claim expense, and then ransomware coupled with an MSP is just the worst-case situation, and it's not gonna get any better. So really, it does flow into all those conversations about EBITDA. You want to talk about something that would adversely affect your EBITDA instantly? It's having a successful cyber attack against your business. I mean, being able to recover.

I mean, ask my buddy Eric, uh, who at ProTech, who's more than happy to talk about this stuff. I mean, he is, you know, what is it now, you know, 18, 19 months now, and he is still every week on calls with attorneys over this stuff. And he, he, he doesn't have any problem talking about it, but it sucks. And so you do have to be on top of this stuff, and you do need to be making, just like we were at banks.

So I, if I could spend the time maybe to just, you know, talk about the comparison, and Wes knows this too, when you're extending credit, especially on the commercial side, there's a lot of stuff taken into account whether or not you're gonna get a line of credit, you're gonna get a commercial loan, a real estate loan, or whatever the case may be. An MSP should be taking that same concept to who they bring on as customers and who they retain as customers, really, because each customer presents its own unique risk to you and to your business.

So what may look great from a profitability standpoint, and I'd love for this to be another Gary wet blanket moment, but what you could be looking at is you've gotta look at the risk side as well, because, I mean, there were plenty of times at the bank where the rates and everything look good on paper, but if you start to peel into it a little bit more into the customer and to the ownership and everything like that, you're like, no man, we wanna stay as clear away from that loan as possible.

And so I think from an MSP, we just have not been talking about that enough. And I do think that's a great, the peer group is a great place for those conversations to happen because they're focused. And a lot of those people can kind of, um, I guess experiment with doing those types of risk assessments on their clients. So Gary, if you take off. I'm not gonna be a wet blanket. Yeah, I'm gonna be uplifting right now. How's that? Everyone thinks I'm gonna zig, I zag.

Okay, so two quick things. One is, so we have about a hundred people, right? In peer. We're now to the point where we're pretty much focused in dictating, they do special projects that at least one special project, um, has to be, you know, security based. So, but here's the uplifting part. The people that I see that are on that road to doing this work, they all have better MSPs. They all sell more recurring revenue.

They have increased their close ratio, they've increased their seat price, their profit margins, their customers are happier and have a better relationship. Their employees. The result of it is not just reducing your risk, which is important and securing your customers, lowering their risk, but they've actually built a better business model. The security first MSPs see that, that's uplifting. Wes, how about you?

You know, the, we've talked a lot about tabletop exercises from a cyber perspective. Are there other ones that we should be talking about here on the cyber call? Um, in, in, so a few things I'll think about. So, pandemic testing, right?

Uh, you go ask any of any of the, the folks that are on this call right now that have banks and credit unions, they have done pandemic testing for years now, and I, I sit on a bank board and I know a lot of banks and the ones that actually took it seriously were actually pretty well prepared.

You look at a lot of these banks and how they handled the pandemic and what they would do with not coming into work and, you know, uh, cross, um, cross training and actually showing that, like banks did a really good job with that because they were, they, they pretty much were required to do that on an annual basis, right? And so I think pandemic is it, that kind of testing is important. Those two tend to be pretty tandem with each other. But I want to go back into cyber a little bit more.

I mean, there are like offshoots. Like I had a phone call just last week with someone who's actually on this call today and they were dealing with a client of theirs that had some financial breach stuff that happened with them. And it was really all about for them. Uh, the client just fell for one of those ACH email frauds, right? So how can you test around that? How do you, your clients, the financial institutions you work with, how do they work together in this?

That's valuable. And, and anytime you do any of those kinds of things, you know, you're becoming this valued partner. You're not just the IT guy you're that you're, you're that CIO level, Hey, you're producing value, you're helping us understand how we would walk through and handle an incident like that. And once you do a couple of these, you'll get more familiar. You can always offshoot into other things. It doesn't have to be a ransomware breach.

What about an Office 365 breach where patient health data leaks out the door? Right? That's a big one. What about what Kyle was talking about OAuth style attacks and it leads there and how do we handle the, the customer side and, and, and the communications plan and all of that, right? So you can really get pretty creative with these. The key is, again, just starting on one and, uh, getting addicted to what they are. I always share that story and I'll share it really quickly in 15 seconds.

The first time I did a tabletop test, I did it 'cause my examiners told me, and if you wanna see the ones that we did, I'm gonna paste in fds, uh, right here in the chat. And uh, what was good about them is I walked in thinking, oh, this is gonna be a joke. I don't need this. My team doesn't need it. We have three pages of notes that we had of to-dos and follow ups and everyone's like, that was great. When do we get to do another one?

We got a lot of stuff we learned and, and I was the same way. So just trying it once will be amazing and there's a lot of different ones you can follow. And do you just get started on one? Yeah, I was gonna say, I love Wes' idea of starting involving your customers with this.

'cause what happens is if something happens and you do end up having some type of an issue, your customers in those scenarios are holding you less responsible because they know what you've been doing in the diligence you've been doing. It's the customers who don't really communicate this and their customers just assuming they're a hundred percent protected who get hammered, right? When, when the time comes.

Gary, let me wrap it up with this, because I'm gonna bring up Amit and close out with some phishing stuff that's pretty important here. And it actually has to do with statistics about MSPs 'cause they're actually protecting a lot of 'em now. But Gary, just curious, you're a small business, um, you know, have things changed for you post-COVID in terms of how you look at, I don't know, policies, planning? Um, I'm just trying to think of it, you know, you could be called on by an MSP, right?

Or an MSSP. Yeah. What's changed or have things changed for you? Uh, well I'll tell, I'll I'll tell you a couple things, right? Number one, you know, for easy transition to home, we're mainly a hundred percent cloud company. But, um, even just from this call today, I'm thinking about some things, right? Based on how we open this call, I, I have to go back to the drawing board, you know, on it. Um, but I, I'd rather than talk about us, lemme tell you about a story.

One of my close friends, sure, he has a company that does financial management type stuff. And so he said, look, we're looking for a new provider. And he sent me over a couple proposals and I was able to look at 'em and tell him real quickly by looking at what they presented, what their pricing was, I was able to tell 'em, and you know, basically like, Hey, you got three, this one, take it out immediately. The price is too low.

They don't understand how, what security means for someone like you. And so then I went back with a series of questions. Get an idea how many customers did they manage? How many seats did they manage? And then how many people are in each of their delivery areas if they even know what that is. I'm trying to see do they have anything dedicated to any proactive roles or don't they before I give them the recommendation. And when he finds the right company, they're a small business.

They don't care whether it's gonna cost 'em 3000 or 4,000 a month. They don't care. They wanna make sure that they're going to make the right investment. And so that's the way you know that I'm teaching a friend how to look at this. Very cool. So, um, I wanna bring up back up if I could. Chris, could I ask, I'm gonna bring you over back to the audience. There's some questions I was wondering if you could answer 'em in the ask a question section.

Wes, you're gonna stay and Gary, do you mind if I bring Kyle back? Yeah, go ahead again. But um, I'll bring you and Chris over to the audience 'cause I want Amit up here. Yeah, I don't get much of a chance to go and I can go, yeah, chat over here. Perfect. Okay, Wes, let's, uh, let's bring up back up, uh, Kyle, 'cause this is gonna be interesting in terms of, I, um, Amit has onboarded a boatload of MSPs since the Cyber Con and their clients.

And what we're gonna focus in on, um, is actually what, you know, 'cause they have a SOC, right? That is looking at the phishing and, um, Hey Amit, welcome. Hey guys, thank you. Awesome, Amit. Hey Amit, I'm just gonna post just real quick. We're not gonna walk through this step by step. I'm just gonna post the most recent phish, uh, hack that you're seeing. I'm gonna put it in there for those of you that wanna take a look at it, but let's stay focused right now on you.

You've onboarded several hundred MSPs and their customers in the last few months since v Cyber Con. Congrats, by the way. And yeah, absolutely. And you were sharing with me some statistics today. Can we start off with the one about what, because, because the MSPs do a protect, you know, a protected house first. Yeah, correct. And then they deploy clients. Okay, so here are some stats on what you're seeing for the MSPs and MSPs that you're actually protecting, Right?

So, um, as you said, the MSPs deploy and then they deploy clients. So it's like steps for us also to see what's going on. And the amazing percentage is like 84% of all the MSPs that we protect are getting phishing emails, right? That's a huge percentage, 84%. Now, um, two kinds of phishing emails, right? The credentials web, impersonating, so impersonating brands trying to steal your credentials. And the second one is business email compromise.

Whatever everyone tends to think is like, uh, phishing attacks are kind of linear. Like you're doing that or that if you got your credentials, then you're or back. The thing is, is most of the significant phishing attacks like spear phishing, right? Uh, uh, modeler, it means that you're first getting, uh, your phishing emails, uh, start trying to steal your credentials, then you have an attacker that eventually steals your credentials. Office 365 for example.

And then he sits inside your MSP for weeks or months, right? And then he learns what's happening inside your MSP. So it's not like he's stealing you the next day, he's stealing you money and then he disappears. No way, most of the time you won't even know about that. And then he starts knowing who are your clients? Who are your suppliers, what are your bank accounts, signatures, no, whatever.

And then he starts stealing your clients or through, or impersonating a supplier and stealing others and stuff like that. So, so lemme just add to we, and we got some I think, ah, but, um, Wes first, Kyle, um, spear phishing is about, Amit was telling me offline, is about 50%. And the reason we know that now is he's actually starting to see emails with, go figure, Ingram Micro, oh, and the bill and the payables person or Synnex or Tech Data. Talk about dormancy and what are they doing?

Kyle, flip it over to you next about, you know, Amit's talking about how they're just sitting there and what are they trying to do in the recon and the spear phishing as they're getting better and better at it and really learning. Yeah. So you guys have heard me say all the time, bad guys communicate and they talk to each other. So at Perch we have access to a lot of different threat intel sources from some of our partners.

Um, two examples. I was talking to the Intel 471 guys just, um, last week and they made a really interesting point. They're like, you know, we don't know anything about MSPs, but they're like, you guys do. And we were doing some cross research and we found a whole bunch of them talking about ConnectWise Automate, right? They now understand who MSPs are, the tools you use, the delivery channel. And like you mentioned, knowing people like Ingram is a great example.

They understand the delivery model. They understand if I'm gonna spear phish you, here's how I should do it. Just like I might do it for a bank and I'm gonna use some kind of ACH wire or something like that. That's very similar to what a bank does. They understand the attack surface and the profile of MSPs now and they're using that to spear phish. So, um, this is something, it's a reality, right?

This is an accepted reality that we have to understand that MSPs understand where, or bad guys understand MSPs, who they are, why they're lucrative, target the things that would entice you to click, which just has to, we have to up our game. I mean, we absolutely have to up our game. It's not just throwing a bunch of tools to secure ourselves, but it's understanding that we are a threat and truly building information security into everything that we do as an MSP and ingrain that in who we are.

So Kyle, turn it over to you, but yes, we're a target. Awesome, Kyle. Kyle, I'm gonna give you a stat, we turn it over to you. One of the other stats Amit was talking about is that, and Wes just gave me this thought to lead you, was, he's like, we gotta up our game. Amit's like, Hey, we have a SOC, Andrew. He goes, do you know that 50% of the MSPs that we provide services to never log into the portal? He's like, we have to call them and go, Hey, by the way, you're being phished right now.

No, you're actually being attacked. So with that, you work with a lot of MSPs. Take us through your thoughts. I'll attack it two ways. Uh, Amit's point about MSPs responding. I have been a part of numerous late night phone calls and the first thing when my sales team tells me what's the number one objection, they say, I want to make sure that I have 24 hour coverage on any SOC. And then I follow that up with the people who are calling 24 hours around the clock.

And most of our partners, after hours, phone numbers don't work, the mailbox is full, nobody calls. So it cuts both ways. It's one of those sales objections that as a vendor you have unique insight into. Um, so yeah, MSPs and vendors both can have, uh, rough problems that way. With regard to phishing, specifically, we're seeing a lot of the, let me use phishing as the gateway drug.

So whether it's spear phishing or just, you know, generically broad, we are seeing actors spending their time to say, oh, I'm in O365. Can I now use the rules of O365 to maybe drop files on this computer or maybe convince other people to open my emails by automatically forwarding certain emails with certain attachments and things like that. So it is becoming more common to see people with, uh, you know, spear phishing only using that as the initial part to a much bigger attack.

The last piece I'll double down on is Wes. I don't know if anybody saw the, I think it was the department of IT in Texas got hit once again with ransomware, and unfortunately that ransomware sample that was just found and reported on last week, uh, turned out this malware actually disabled ScreenConnect and a handful of other MSP related tools, trying to prevent not only the ability for anybody to go in there and remotely triage, but hinder recovery.

So bringing it full circle, Wes is dead right. They're learning your tools, they're targeting, the malware is getting better, and as Amit said, it's not just about so what, somebody detected it, they're trying to notify you after hours. You gotta make sure you're able to respond as well.

Yeah, I mean, are you seeing anything, just kind of in wrapping things up, um, are you seeing anything that would indicate maybe they understand like things like an Autotask or a Manage where, let me just kind of just pause there. We've talked about data exfiltration.

So if I'm a bad guy now and I understand those tools, um, wouldn't I wanna go in and look at maybe payables and receivables in terms of, hey, if I know all of your customers, what products they're buying, what great ammunition I get, ooh, that would be for, to come back. So yeah, of course we see that, uh, because obviously most of them are spear phished. It's not that like by mistake they got phished, right? So most of the attackers know their MSPs.

We see that they're looking for the number one importance for the MSP, which is the, you know, the login, the machines that are running their clients, right? And we see from that, uh, we can identify for example MSPs that have been compromised before we got there. Uh, and we see various clients of the same MSPs attacked by the same attacker with the same kind of attack, with the same email.

So, and we, we see different attacks towards the same uh, MSP that are looking for his funds to his knowledge, to his kinds of clients that he is running. So we see by the business email compromise by the questions that is asked that someone is looking for his clients for the knowledge. Oh okay. So you're seeing the kind of the downstream through because you're multi tenanted.

So you're seeing these emails have relationships that are being, you know, client A having very similar type back to, right, client B and C and all of them connected to MSP one. Got it. Wow. Alright. Wes, are you there with us? So I wanna close on a philosophy. Yeah. So I was at a conference one time and I was talking to the CISO of a very large green logo bank, that's all I'll say. And he said to me, he goes, Wes, I've given up on end user awareness testing.

He's like, there's no point, my users are gonna click. And so, you know what he did, the philosophy that he had because he had that mindset was I'm gonna make the easiest phish test possible so that I can have the highest success rate possible. So I can go to my board and say, look how phish prone my people are. But in reality he was just doing vanilla basic pre-canned easy stuff that wasn't actually helping his org, and 'cause they had a punishment philosophy tied to it.

In other words, if you fail more than two times, these bad things happen to you, they're incented to make sure that everyone passes. And so this was like a wake up moment for me years ago where I thought, you know what, and this is why I asked the question in chat down below, I thought, you know what, we're completely, and we're gonna try as hard as we can to phish everybody 'cause that's what the bad guys are gonna do and we're gonna do everything.

Like if we use Fidelity for investments, I'm using Fidelity stuff, I'm going right after 'em, you know, and our failure rates go up. Yes. But the actual testing and awareness is so much more solid. And so I just wanna throw that philosophy out there. Just make sure that when we're doing phish testing and we're actually thinking about all this, that we act and think like bad guys because they're not gonna throw you a softball. Not at all. So why do we do that when we test?

It's a philosophy point for everybody. Good point. Very good point. Amit, thank you so much for being on with us as always. Um, thank you. Thank you very much guys. Bring back, it's been a pleasure. Thank you. Yeah, likewise. Bring back Gary and we'll close things out. Great job guys for round week 10. Yeah, I'm still blown away. 10 weeks. Uh, and how fast it goes is just wild. And hey, should we give maybe a little sneak peek into what's coming? 'cause what kicked all this off?

I'll wait for Gary to come back up here. 10 weeks ago, well, it was probably about 12 weeks ago, right? We had v Cyber Con, we had this idea perch res and, and, um, I, uh, we all got together and we said, Hey, you know, um, all the peer groups were canceled. Um, all the events were canceled. So we'll do this cyber event. And, and it was, we had a simultaneous capture the flag event going on four days of awesome content.

And then we asked, Hey, are, are you, would you guys like to keep this going? And everybody said, absolutely. So that's where the cyber call comes from, just a little bit of history. And next month, a little sneak preview, we are going to be added again in terms of not tons of content, but a three day capture the flag event. Um, so you, you know, get, get your skillset ready, but then we're gonna have, um, three days, one, just one session per day.

So we're not gonna content you to death, but we're gonna have the perch day, the hunter's day, and the ID agent day and we're gonna have some phenomenal sessions. We'll keep you guys up to speed on that. So, uh, all of you guys have been involved, Gary, Wes, Kyle, since the beginning and I just want to thank you so much for your continued support and helping everybody out there. So, uh, Kyle, any parting words from you today? Always about a high level, right?

Um, we've got one week till we see each other again. It's always about what did you accomplish since the last week? Whether it's, you just thought about it, you informed something you learned in here in your conversations throughout the week. And in regards to that, capture the flag that's coming up. One of the beautiful things to go look back at V Cyber Con is some of the top competitive teams in the CTF.

Ironically, I'm aware of several of those individuals who have come to me afterwards with bugs in RMM products or PSA related products. And this is that environment of those people who are thinking offensively are starting to grow in this MSP community to harden the products all of us use. So if you're looking to give back, you're looking to contribute, even if you're to see your first capture of the flag.

I would encourage this is a way to surround yourself with other people who've been there and done that, who are also humble and willing to teach as well. So that's, that'll be my highlight of saying, you know what Andrew, I think we've done a good thing here when we look at what was fostered 10, 14 weeks ago to what we've accomplished today. Very cool.

Kyle, to your point, um, we're gonna have some, um, actually, I did an op, I landed a deal, for lack of a better word, that we're gonna be able to bring EC-Council's content. I'll tell everybody about that, but like at this dirt cheap price for everybody to be able to do, um, ethical hacking and capture the flag courses leading into it.

So for those that haven't actually done it before, we're gonna be able to give them, seed them with some great stuff like, so anyway, I'll talk more about that, but that's something I'm real excited to bring to everybody. Wes, closing thoughts from you? Hey, no other than, uh, continue thank you for 10 weeks. May we go 10 more and that's only if you guys continue to join and give us feedback. So anything that you guys want us to cover and talk about, we are here for you.

Uh, it definitely makes me really happy to have this opportunity. I love being able to have the opportunity to work with Kyle, Gary, Chris, everyone else. So, uh, that's all I wanted to say is continue to give us feedback on what you guys want us to talk about. So real quick, Gary, before you close, I see Monica out there and everything. Do you guys have Tradecraft Tuesday tomorrow? Um, Kyle? Yeah. Yeah, it sounds like it. You know, first, uh, or second Tuesday of the month.

Also Patch Tuesday, so, okay. Alright. Be there. Tradecraft Tuesday. What time are you guys? Is it noon? I think we're one o'clock Eastern. Oh, we're gonna be competing head to head tomorrow. That's okay, then we'll figure out a way to reschedule. Not intentional guys, by the way. Uh, we have a table that tabletop. Um, but anyway, you pick your poison. When it poison you pick your, whatever is better for you. So whether it's Tradecraft Tuesday or the tabletop, we've got both going.

Gary, closing thoughts from you? No, just really happy to be here because, um, look, everybody here has companies to run and we're all looking to build our companies, but we come and I'm here because everybody on this call comes for the same reason, which is really trying to make a difference right now in this community. The same way we do that tabletop, you'll come there, you won't get a commer any commercial for anything. You'll get the value.

I'm bringing it to my community 'cause it's something that they really need. And, um, so, uh, just, uh, it's great to find other people that think that way and, uh, I'm happy to be here. Wonderful. Well, with that everybody, thank you so much for coming on 10 weeks. Kyle, Wes, Gary, Chris, Amit, and everybody that's networks. All the people that have been part of this. Mike regard. Who I Agent, ID Agent Kevin. Kevin Lancaster. Yeah. All everybody's just keeping it going.

And everybody out there that's joining from the MSP and MSP community. Thank you. Have a wonderful day. Take care everybody. Hey guys, Give it a tan.
