Session 1
Guests
Video Transcript
All right, we're live and recording. Welcome, Wes. Welcome, Gary. How are you guys doing? Awesome. May the fourth be with you. I complain on a day like this. That is so funny, Wes. I knew, I had no doubt that you would bring it today. So, hey, I got Disney. I wore the shirt last time I was at Disney, a few months ago. Yeah, I mean, I love Star Wars a lot, but it's literally almost like a holiday for a few people on my team. For sure. Yeah.
They're big. Tiny Dancer, I'm sure. Rock Dancer. Yeah. Alright, well let's get going here because, just to let everybody know, we started off with a tad of a technical difficulty. So if you see me doing this back and forth, it is a shiny object. I'm looking for Kyle SLO out there, who had to do a reboot. So just so you guys know that. In terms of the format, let me just real quick share my screen and we are gonna get right on into it.
I wanna share my screen because there's a reason I was passionate about doing this. Gary, Wes, let me know if, one second here, I'm gonna expand my screen to full view. Let me know if you guys can see me in full now. Can you guys see that all? Yes. Alright, let's kick it off. So, welcome everybody to the weekly cyber call.
I've been reading The Infinite Game by Simon Sinek, and it dawned on me coming out of the V Cyber Con event, where we had like 1600 people there. I was reading this, and I'm just gonna read it out loud. It says: as security threats and attackers constantly evolve, information security professionals may feel attackers are outpacing the efforts to stop them. But security professionals and business leaders have powerful tools of their own to deploy against bad actors.
The most important defense is knowledge. And it hit me, it hit me that the cyber criminals play in the infinite game, right? They've morphed. As soon as we went to deploying all of our customers in a remote environment because of Covid, they quickly morphed. They're in the infinite game, which means we have to be in the infinite game, which means I wanted to get the best of the best, which I emphatically know I have here.
So thank you, all that are participating and all of you out there, because this is about a community. That is the just cause that Simon Sinek talked about: to build a community to continuously improve the knowledge, capability, and resiliency of all MSPs. And Gary, as you've said many, many times, a rising tide floats all boats. Yep. That's what's good for everybody, Andrew. Absolutely.
Here are some of the folks that are going to be participating in the cyber call. Not all of them are here today, but I am really excited about who we have in the lineup. And I can assure you more are coming. And here's today's agenda. The agenda came from me watching something that I'm not gonna get into.
But basically I wanted to distill short, condensed, and applicable security domains, and have Gary look at that from the angle of: can we apply this in a business setting? So this is our agenda today. And last but not least, just a quick public service kind of call-out to everybody: you know, recently you've seen the good work come from Harry Pur and n, and this is one of these one-page documents.
And the call to action I have for everybody out there is if you could just simply do a quick 30-, 60-second email to, uh, s, and I'll put this email in chat, and just say, hey, this stuff is relevant for us, please keep producing it. That'll go a long way. If they don't hear from us, it's pretty straightforward: our tax dollars won't be hard at work. So with that said, let me stop sharing. Gary, I'm gonna turn it over to you from the business perspective.
I'm also gonna look to see if I can find our good friend Kyle. So why don't you take it away, Gary. Yeah. So again, Andrew, I'm on probably only 10 calls a week with MSPs. I'm on two or three webinars interacting. So I'm really trying to stay close to what's happening. And right now what I'm seeing out in the MSP community is, you know, the initial surge of work from home, for most people that's subsided, but ticket levels are still higher than they were pre-Covid.
And one of the big issues that we're finding is people need to find time to go circle back. A lot of people didn't stick to their standards. There were things they did to move people to work from home where what they're using in their environments isn't what they would've accepted prior to this, but because of what happened, they did it, sometimes on a mass scale. And so obviously that's a huge issue.
And then you think about it, we're already telling people, talk to your customers about what the unwinding looks like. Does it go back to the way it was? Is it gonna be something in between? What's the timing of it? Can we be more thoughtful and proactive about it? So I want people to think about that. Like, what changes have you made over the past, you know, six weeks that you would not have done before this, that are outside your standards?
Because that's where the big gaps are with a lot of things. Security is one, and just creating noise in general is the other one, which is gonna cost you money moving forward. Then the last thing I wanna say: I think this has shown a lot of people that may be coming into this that their security standards, their stack, their offering wasn't what it should be. Because before, you might have customers that are on three different levels of your agreement. Well, guess what?
They all have the same exposure today with what you did for them. So this is a tremendous opportunity to, one, ask yourself, what do I want my minimum security stack to look like? That's tools, that's process, that's everything involved to provide the result that you think is the minimum that you would want every client to experience. And then circle back to those clients. They're listening right now, Andrew. Okay. They're listening.
And just because you say, well, I don't really want to approach them about making an upgrade or a change. No, absolutely you do right now. This is the time to do it. Right? And you were saying to me, Gary, that a lot of your members are seeing hit rates that are tremendously high right now. Yeah, almost no customer is saying no to the right security projects or the right upgrades in their offering.
They're adding some things, some process and some tools that are stacked. And the conversation is really easy to have with decision makers. Like, hey, we made all these changes. Let me tell you what's happening in the industry. This is what we need to do. And Andrew, they spend $4,000 a month with you, and now you're gonna raise their price by four or five hundred.
Do they, in the big scheme of things, care about four or five hundred bucks right now when their whole business is on the line with their technology and what they need to do? The feedback I'm getting is no. They're happy to make a few small, and they're very small, investments from their standpoint. They're worried about the three, four, or $500,000 of other expenses, protecting those, and the four, five, $600,000 of revenue each month that they have to protect.
So if you can show 'em how we're helping 'em do that, this is the time to get everybody up to the right level where you want 'em to be, man. Yeah, it was basically a forced event to get everybody on your right stack. Right? Yeah. And I would like to know what people think, because I feel like a certain percentage of people are almost defensive with this. Like, well, I didn't really want to approach my customers. Now everybody's having a hard time.
And I'm like, well, wait a minute, you're saying they're at risk that they don't even know about, that maybe they had before this, and at a time when they can't afford to be, and you're afraid about going and having that conversation? We're not on the same page. Yeah. Kyle, Wes, your thoughts. We've got about a minute forty on this subject. Kyle, I think Gary's nailing it.
I know the customers out there, the MSPs, especially partners of ours that have already gone all in, are already having these conversations. They're on offense now, instead of going back on defense, how do I keep myself. They're looking at growing their business, because those people were security-first MSPs, right? It was part of their stack. There wasn't a choice. So I'm already seeing the benefit of this method. Yeah. Awesome.
Yeah, Wes, the only thing I'll add to that is the numbers don't lie. And Perch is as busy as we've ever been, probably the busiest we've ever been, which just means the channel is red hot right now. And so that's a good thing, right? It's not just good because MSPs are actually able to monetize, which, I mean, that's a plus, right? We're in this for profit. But more importantly, I think Gary's exactly right. I think clients are listening.
Now is the time to get some of these things across. I've seen a lot of our partners say, you know, these are some things we've wanted to do for a while. It's been in the stack. We've just been kind of delaying getting some of these things out. Now it's something they're able to really push, and push effectively. So, yep, now is the time. This is the season. Last thing, Andrew, the last couple seconds here.
Also, remember, MSPs, a lot of them have changed how they operate, and the worst thing that could happen is that they're less secure than they were eight weeks ago. So start there. Yeah. Start number one, you have to start with yourself. Yeah, that's very true. And Gary, I'll close with: a lot of times with sales, whether it's Covid or things are awesome, it's in our head more than with the customers. Almost all the time. Yeah. Almost all the time. Okay. Hey, great way to kick things off.
Thank you, Gary. Kyle, you're up. Do you need any screen sharing? No, I think with the four of us, I like the Brady Bunch feel here. Since I didn't get to be part of that initial intro, Wes, I'm also digging the shirt. Andrew, I think infinite game is right on. And, you know, kicking off the hunting side, or the hunter's side of this, when I think about analytics, right?
Whether it's from the finance side or from the tech side of the house, it's always about not what the trend is doing today, but what's it going to do tomorrow. So I took a step back and said, you know what, of all the things that we're hunting across, what are the things that are hunting against us? And the one thing that is parallel and true is the low-hanging fruit in opportunity. It is a game of finance. At the end of the day, it's a game of economics.
And so what's interesting is, just the same way that we see a new big event, like for instance when COVID-19 kicked off, we saw spam emails, or we saw the payloads go in that direction. That is not changing. So if they're going to continue to adapt, and that's the trend, adaptation, our trend obviously has gotta be keeping ahead of whatever they're going to adapt to. So I had a couple of, I guess, winners and losers I'd point out, just like they do in stocks, right?
Winners: since I obviously live on the endpoint, you could imagine that hackers are gonna continue using and abusing the legitimate applications on your computer. If you've got remote administration tools, why not? I don't have to carry anything with me. Your remote admin tools are just as capable.
Locking 'em down, obviously that user access, who has privileges to it. And maybe something a little bit more forward-thinking is, now that hackers are saying, I'm not only gonna abuse your applications to do something nefarious, like it's always ransomware or something like that, they've already tipped their hat to us and just said, you know what? I'm not holding your data for ransom anymore. I'm holding your reputation for ransom.
And since they're doing that now, by stealing your data and making sure, even if you don't pay for the decryption key, they're still gonna disclose your information online, I'd love to challenge, I guess, both our audience and ourselves to start looking at that forward trend. What's gonna happen when it's not just about data restoration, but it's about reputation restoration? Yeah, that's an excellent point.
And you're seeing that first. I mean, you get those phone calls, don't you, Kyle? Three last week. So one we found on our own, which was just an MSP that had their data dumped to the dark web, and two phone calls. So that's where that trend is coming from. That's breaking as of last week. Gar. Yeah. No, no.
What I'm gonna say is, you know, the hard part about this is, this has always been an issue, but Kyle, right now, just like any business, for the MSP it's the worst possible timing. I mean, they're already having to make so many decisions so quickly, and so something like this could be like the straw that broke the camel's back.
So I feel like, again, whatever extra steps you think MSPs need to be making, you know, right now, even before they think about their customers, that's what they should be thinking about, right? Going back to your default offering, right? This should be something that is not an afterthought, right?
For those who already had their solutions that could allow VPN or remote access, that had two-factor, moving to home was just business as usual, right?
So yeah, Gary, I'm doubling down on that: if you're gonna see this, build it into your default offering, figure out your go-to-market, your personas, and how to make this work financially, and double down. And listen, we both work with customers, you know, MSPs that have a hundred, a hundred and fifty customers, they're larger. Think about that. This is not a small task, right?
The more scale you have, the more process and discipline it's gotta be, and for those kinds of companies it has to be metric-driven. You have to determine the metrics that tell you when you've gone and locked everything down to that minimum level. And you gotta be tracking against it, almost in a daily heartbeat. The KPIs, right? Key performance indicators are gonna help guide you at the end of the day.
So when it comes to hunting, the hackers use the same thing. They think about how many clicks it takes to get this phishing email opened, or how many antivirus detections discover it. If they're doing this with KPIs and driving their business with metrics, we should be as well. Yep. Our friend Chris Patton out there saying, doubling down on MFA. And I love Chris's comment that it's the only thing that Google, Apple, and Microsoft agree on. It's very, very good. Chris, it's true. Excellent.
Wes, you wanna round anything out here in the 30 seconds we have with Kyle? Yeah, I do. So one of my favorite quotes on this comes from George Washington, who some of you may have heard of, and my kids are studying him right now in the Revolutionary War. So he said this quote, and I wanna read it: to be prepared for war is one of the most effectual means of preserving peace.
What a really good quote when it comes to cybersecurity, right? Being prepared for these things. And so, as Kyle was mentioning, you know, those things like playbooks and testing our preparedness, these are things that we need to do. These are things that I think MSPs in the past have struggled with because, you know, those are not profit-generating. So how do I really prepare and cycle down on those things? But that's not the case anymore.
You know, as Chris LA and I do these tabletop sessions, the number one thing I get asked every single time is, hey, how can I take this back home to my team? So I think being prepared is really, really important. We can't overstate that enough. Yeah. Well, I'll close it out, and we'll move to you, Wes, the watchers, next.
I'll close it out with: as we do more of these, we'll figure out specifically what things maybe we'll do a weekly, I'm sorry, a monthly webinar on. And you can rest assured that, you know, you doing your tabletop is gonna come, Wes, and quarterly some capture-the-flag stuff for the fans out there on that side. So, Wes, you're gonna be on the clock. Gary, if you don't mind, I'm just gonna move you to the audience side just for a moment. Wes has something to share.
I'll pull you back in after that. Okay, sounds good. Sorry. Thank you. Alright, Wes, let me know when you're ready. All right. Good deal. Screen here. Yeah, ready to go, if you wanna go ahead and pull that PowerPoint up. So I just have a few talking notes just to kind of keep my head cycled on this. You sent it? I can share it. Yeah, please. I did send it, but I'll share it. Gimme just a second. Yeah, please go through this into presentation mode.
So, as Andrew had mentioned, one of the things that we're doing on the Perch side of the house, and what I'll be covering from my focus, is just the watchers: what are some things that we're seeing at Perch? What's going on in our environment? And that's certainly not to speak for everybody; we see the things that we see, right? But I wanna share a few things about that. One of the things that we think is coming up is pretty interesting.
So hopefully this thing is gonna work for me. Yeah. Looks like it. So one of the things I wanna do at the beginning of every month is just share, from Perch's perspective, what we think that threat level, that assessment, is looking like. And the data that we pull to generate that really comes from the escalations we're seeing, the activity we're seeing, that sort of thing. And so, from our perspective, we've got this listed as moderate.
Moderate just means that, you know, cyber attacks are happening. We're seeing them, but we're not seeing them like we've seen in the past. We're not seeing a very specific onslaught. We're seeing a number of different things. We've seen some remote access Trojan escalations, certainly a lot of Office 365 activity, things like that. But nothing significant.
One thing that we're seeing that's growing, and I was talking with Paul Scott, our threat research director at Perch, is Qbot. So some of you may be smiling when you hear the name Qbot and you're like, is Wes really bringing out Qbot? And we are. There are some interesting things that are going around on that. Also called QakBot, it's something we're starting to see a little bit of.
I'm gonna show you a sample escalation that we actually produced for a customer just this week, or I guess early last week. So here's the deal. This guy's been around for a while. It's not new. This has been around since 2007, when many of you were maybe even in IT if you're a young person. This is pre-Bitcoin, right? So how about that, if you want to think about it from that perspective. So it's a banking Trojan.
If you're not aware of what banking Trojans are all about, these are credential stealers of the old-school variety, right? They're simply sniffing and looking for credentials to be passed. This is before the days of ransomware commoditization and ransomware-as-a-service that we talked about a lot at Cyber Con, and some of the things that Kyle was mentioning, right? So the way that it spreads is kind of classic.
It's what you'd expect: it does spread through a dropper. So think Emotet as a good way to think about it. What we're seeing, though, is some interesting changes. So it's not the same old Qbot of 2007. There have been a lot of updates. There is activity on this, and we're seeing it have a resurgence.
In fact, I was talking with one of our clients, a very large bank in that big banking sector over in the Minneapolis and Milwaukee area up there. There's a lot of big banks up there. And one of them, I was talking with him, he said, yeah, we're seeing a big Qbot resurgence. We're starting to deal with this a lot more than we have in the past. And it's crazy to me, this is one of these things I thought was dead and gone.
But we are seeing kind of a resurgence and a comeback from some of that. I wanna show you a sample escalation. This will give you a hint at some of the things you should just be aware of, right? So you start to see some things like some strange activity going to a domain, some downloads that you're seeing. And I'm not gonna dive into all of this; that's not the point.
But what I do wanna say is we are seeing some more advanced capabilities. It does have capabilities around AV detection and evasion, VMware awareness, that sort of thing. So it's pretty interesting to see some of that. Here is some of the domain activity we're seeing. And by the way, this will be free if anyone wants it; you can just screen share this or screenshot it. But we're gonna put this in the Perch Threat Report. That report is free.
You don't have to register. You just go right to our website. It'll come out on Thursday. So if you want those, just reach out to me and I'll give them to you, or it'll be in the threat report. So if you're interested in querying and looking, take a look at these.
We're certainly not saying this is exhaustive by any means, but these are some of the activity pieces that we've seen recently at Perch, and I just wanted to make sure that everyone's aware of that. And so, interestingly, when you're thinking about Qbot, prediction-wise, one of the things we're thinking Qbot is going to navigate into: there's some activity and reports around Qbot now being used to serve up ransomware.
Kyle, have you guys ever heard of MegaCortex by any chance? It's one that I have not heard of. Absolutely. I'll post a picture of their market for sale on the internet here in just one second. And that'll be in the chat for anybody that's live watching. Yeah, okay, good. So you guys are aware of that. I don't know if you have anything you wanna say on it or not, but there are some associations between Qbot being used to serve up MegaCortex.
So we're just kind of paying attention to that. I'm curious, have you guys seen anything related to that as well, Kyle? Another ransomware-as-a-service? I wish I could say it was more unique, but going back to that trend, right, you foresee these trends of people commercializing ransomware. And unfortunately now there are so many variants that even as a legitimate threat researcher, it's more than understandable to say never heard of that one before, because it's just another thing.
So I would throw it up there that once again ransomware is a threat. Once again, people are gonna try to commoditize it, and MegaCortex falls square under that. Hey, great stuff, Wes. We've got 30 seconds left. As we're doing this, I'm gonna bring up Chris Lair, who's next. And once we're done with you, Wes, I'll pull you to the side and bring back Gary. But any closing comments that you guys might have in the last few seconds here? No, I think that's a pretty good intro for me.
What do you got, Wes? Yeah, no, none for me. Just looking through the comments here in the chat, if you guys do have additional questions, reach out to us, Kyle or myself, at any time. Thanks, Wes, appreciate having you up. And I know you're gonna be one of our main hosts here. So I'm gonna push you over here for a moment. And we've got Chris probably giving us some kind of funky background.
Chris, by the way, thank you for coming in from your peer group, because I do know you have that going on as well. Thank you for doing both. But right now you're at ex split.com/v cam. Chris, what do you got cooking up for us there, my friend? Ah, I like it. I like it. That's some throwback for Gary right there. Hey, no, thanks for having me. I appreciate it. And I'm gonna cover a few things here.
I mean, it's just gonna go within this theme that Kyle and Wes were talking about. We're seeing the same stuff, right? We're seeing that Qbot activity, we're seeing it pop up. We're seeing ransomware events that don't necessarily have Qbot directly involved with them, but when we start looking through the environment and leveraging tools like Huntress and Perch, it's popping up in there.
So it's interesting. A couple of things I just wanted to cover with everybody today: you know, we have seen some more MSP cases come in, and some sizable ones. One of them had to do with those REvil guys, the Sodinokibi guys, right? And in this particular one, what they did is, instead of you paying a single ransom for all the clients, they picked a single ransom for all the non-important clients.
And then they picked out the clients that they thought mattered more and charged separately for them. So financial institutions, municipalities, those types of things. I can't go into detail, but I can just tell you that they're starting to get much more aggressive about getting paid. They're matching up their pricing with it. It's almost like they have a seat price now. It's awesome. Yes, they're advancing the business model. Kudos.
I heard they were TruMethods subscribers too. They did say something about layers of Kick. So true. They know the discount code, Philadelphia Eagles, and so they even get it cheaper. So anyway, that's what's going on there. The other thing with the Sodinokibi guys is they are now not taking Bitcoin. I have a screen right now: they are only taking Monero right now. That rumor was circulated about a month or six weeks ago.
We started seeing where they did something similar to GandCrab. If you guys remember GandCrab, they used to have Dash, and then for Bitcoin you paid a 10% premium. So they had Monero, with a 10% premium for Bitcoin, and now they've taken Bitcoin completely away. Some of the things around that have been, is that because of trackability? Just curious. Yeah, I think it somewhat has to do with trackability.
And also there have been some published cases where the wallets have been able to be frozen on the Bitcoin side. Okay. So in the UK they already have case law that has set that cryptocurrency is tangible property, so it can be seized. And I think with the Monero side they don't have that ability. That's just the way I see things. It's nothing official, but that's what I think. So yeah, that's happening.
So you could see, and there are some talks with us on the IR side about whether or not we can even facilitate that payment legally, because, as I've talked about before, if you guys have heard me, and I told somebody else on a board today, quit trying to go out and buy your own Bitcoin and pay this off for your customers. That's not what you're supposed to do.
But legally it may be difficult to run sanctions checks and do those types of things that you're federally required to do. So it could change things. Now, if there comes a time where you're saying, hey, Sodinokibi guys, we can't pay you at all just because you're doing Monero, they might flip back. But that's what we're being told. We are also seeing a number of other variants.
I mean, Kyle just talked about all the variants that are out there, and typically in the SMB space, we know there are hundreds of variants out there, but we typically see a handful all the time. But we're starting to see more of them pop up. One thing that we're also seeing lately is on the Dharma side, we're starting to see the tactics that have been used with Mamba. So Mamba, basically the Africa-based full disk encryption guys, they would always pull shenanigans.
They'd say, yep, we'll take three Bitcoin, done. You pay 'em three Bitcoin, and they come back and say, yeah, well, we thought about it, and the boss said he wants another three Bitcoin. Well, we really didn't see that much on the ransomware side, but when I'm dealing with these guys, everything looks, feels, smells like these guys have gotten into the ransomware side of things and are using Dharma. And so the same tactics. So we've seen the same tactics.
Yeah, we agree to that amount, and then you get half the stuff. And so, kind of sucks. And then the other big thing that we've talked about a little bit, but we continue to see, is the exfiltration of data. That is a real reality now. It used to be, when I got in those conversations, I would say typically we never see that. But now we're saying typically we do see that.
So it may be a small amount of data, but usually it's something that has some type of PII or PHI. They're not just taking someone's love letters to their mistress, they're taking something even juicier than that. And so that's what's going on. And to anchor off of what Gary was saying, he's, yeah, go ahead, Andrew. I was gonna say we're up with five there, but go ahead, and if you could wrap up. Okay.
No, that's all I was gonna say: on the security side, though, when we're getting a hold of these incidents, the people are still aiming to improve their security. So we have yet to have a case during this Covid time where somebody has said budgets are tight, we just can't spend the money on security. Right? It is a huge focus of the client base. They know they need to do it. Yeah. Well, thanks, Chris.
I appreciate again you taking some time out. We know we'll see you on a weekly basis. Awesome. Have a great day, Chris. I'm gonna move you as well and bring up Chris Patton. You know, Andrew, while you're doing that, as I'm sitting here and I'm hearing all this information up to date, first off, it's awesome, great job. But I'm just flashing back to, you know, prior to eight weeks ago, I'm on the road in front of MSPs a couple times a month, right?
And talking to them, I'm always asking them, hey, listen, there are a lot more security threats. How many of you have at least one role that's a hundred percent proactive in your business? And the answer is almost none. So when you think about what's happening and how organized all of these attacks are, and how many times outgunned the MSPs can be, it's really a time to change your go-to-market.
How you look at it, pricing in the fact that you need time and effort to protect yourself and your customers every single day, man. Yeah. No, excellent. Hopefully that's coming through with this. Yeah. Gary, I'm gonna move you to the side one more time. Go ahead, Chris. I'm gonna go get a Star Wars T-shirt. I'm gonna luck out too, Gary. I did not realize the May the fourth movie thing. We could probably have you look like Chewbacca in no time. Hold on.
I had a different T-shirt on. All right, Chris, thanks for coming on. You have something really interesting and obviously something very relevant going on right now. Let me know if everybody can see my screen in full. Lemme just get this all set, and this and this, and tell me if we're good. Yeah, there are some click-throughs and things like that that have to happen in order. Lemme know when. Okay.
So, uh, again, Andrew, uh, the rest of, uh, the rest of you folks, thanks for, uh, uh, thanks for having me on. Uh, and everyone else, thanks for, thanks for joining. Um, so really from an attacker perspective, uh, we continue to see from an offensive standpoint, we continue to see, um, you know, adversaries taking advantage of legacy authentication mechanisms, right?
These are things like POP, SMTP, IMAP, things that can't, uh, or typically don't natively have multifactor authentication, right? So the move for MSPs to, uh, transition to, like, modern authentication, MFA, those sorts of things, um, are very, very important. Um, and I think one of the biggest things, one of the biggest challenges that I think a lot of organizations have is, based on the covid crisis, the scale, uh, in which cloud, uh, cloud compute was adopted.
Um, and there were obviously some, uh, you know, maybe security was particularly an afterthought. Um, one of my jobs is to kind of dispel the myths around some of the, uh, some of the vulnerabilities that, uh, surface.
And what I'd like to do over the next couple minutes is really kind of talk about, uh, one that, you know, we've already, we've already beat Zoom to death, um, but Teams, uh, Teams is one that, uh, I think hasn't gotten enough, uh, attention and I think one that has been sensationalized a bit by the InfoSec community. Um, so I'm gonna kind of walk through, uh, basically how this attack works.
Um, it's a little bit lower level than probably some of the other guys, uh, have been talking through, but I just kind of wanna walk through this, uh, and then I kind of demonstrate or show you why this has been sensationalized in the, in the way that it, the way that it has. So, Andrew, can you kind of click, uh, gimme a, click That good? Yep. And then another one, another one. Oh, okay. I'll keep going. You tell me when. Oh, I know, I know One. I can do this.
It's the easiest job you've had all day. So, Chris, I got a feeling this is gonna be authentication related since you're already bringing up authentication service. Yeah, you got it. You got it. So here, here's the deal. Oh, okay, here we go. So here's the deal. Uh, we got user A and B, they're talking, uh, they're talking via Teams, right? Uh, they have, uh, their Teams sessions up, you know, user A says, Hey, user B says, oh, hey, basically they're having a conversation.
The way that Teams works is that, uh, both of these, these conversations, the user and Azure cloud O365, is talking within teams.microsoft.com. That conversation within itself can, can occur, uh, if, say for instance, someone comes in and tries to solicit information from user A or B, and they're outside of, say for instance, that teams.microsoft.com, say example.com, then they will be blocked. This is called the same origin policy.
Um, and that's kind of a security mechanism in the way, in the way it works. However, uh, we have, we have Eve that comes in and they send a cat pic, right? Uh, and this is Dr. Evil, Evil Corp, F Society, whatever it is, right? Sends a cat pic. Andrew, can you give, uh, two more clicks, please. Okay, so now this guy has, uh, he's got the tokens, he's got the, uh, the session information, uh, essentially for the teams.microsoft.com, uh, domain, right?
So basically, you know, user A had his session information, user B has his session information, but user E just, uh, just managed to gain that, that information. Um, why did this work? Well, the reason why this works, um, is because this cat pic here has what they call an image source. Uh, it is pointed to a microsoft.com domain. If we're up in the upper right hand corner, we can see aadsync-test, that sort of thing, right?
It's pointing to a Microsoft domain that this evil adversary has access to. How does this work? Normally, this user, this evil guy wouldn't have access to that, but there's something called, yeah, there you go. Uh, there's something called, uh, domain, uh, subdomain takeover. Uh, it is essentially, without getting into, uh, really kind of too much detail, um, essentially what happens is there is a subdomain, uh, that is registered. So basically you might have aadsync-test.teams.microsoft.com, there's a canonical name, a CNAME, and it might point to another domain. Uh, typically you'll see this in, like, say for instance, AWS hosting, uh, in order to make that subdomain resource look like it is an actual Microsoft resource, but it's hosted on, say for instance, you know, another piece of cloud compute. Um, in that particular instance, sometimes, sometimes that cloud compute or that top level domain resource falls out of registration.
So we've got these evil attackers, they're constantly squatting on us. They're constantly looking for these, uh, particular, uh, top level domains to fall out of registration. When that happens, when that happens, then they can, um, and these, uh, these adversaries will take control of those. Now, the problem is that aadsync-test, data-dev, teams.microsoft.com, whatever it might be, is still registered, right? It's, uh, it's still registered as a valid, uh, as a valid domain.
The difference is now that these evil guys actually have, these adversaries actually have control of where it points to. So now they can host this image, uh, this cat image, right? Send it to these folks on Teams, they view that cat image, and it sends back, uh, the session tokens back to, uh, the evil, this, this adversary, uh, because he now owns and can control the aadsync-test domain, data-dev. Point being here, uh, is that this is a very, very novel approach.
And the fact that it is also very opportunistic. These things don't happen, uh, very often. It is very rare. Uh, it is what I would consider the InfoSec community, uh, try not to rail on InfoSec community in a sense. But, uh, they have sensationalized this particular, uh, vulnerability, um, just from the simple fact that it was a subdomain takeover and a very rare occurrence, right? There are other things to worry about.
Uh, so if you're trying to protect against something, something like this, again, very novel approach, very rare, uh, the more recent Teams attacks would be things like phishing for O365 credentials. Uh, other things that are obviously more, more relevant and more in your face, uh, than, say for instance, like I said, this novel subdomain takeover.
I, I know we gotta be right at that five minute mark, but I'm trying to channel my inner Gary Pica here to say, what does this mean for the end customers? And I think at the end of the day, what it means is there's always gonna be vulnerabilities, Chris, right? That's right. Some get more media press than others. You can only pick your battle. You only have so many of 'em you can win. Overall, what would you say on this? Is this something that it's patched, no need to worry about?
Or just Yeah. Yeah. And if you, if you distill it down to the root cause, it's because that subdomain, uh, was basically not, uh, you know, it, it, it was basically released out into the wild. They took, you know, they took control of it. Microsoft took control of it. They now had that under, you know, obviously they've got their arms around that. It's not out there being exposed. Someone's not gonna take advantage of that. Uh, malicious adversary is not gonna take advantage of that.
Uh, very, very rare occurrence, right? Luckily, researchers found that before it was actually released in the wild. So, thank... Hey, Chris, thank you. And this is something we've gotta have you on for a more in depth. You and Kyle really get into this, but thank you for jumping on and sharing that with us today. Yes, sir. That's it. Amit, how are you? Fine, thank you. How are you guys? Hey, so we went a little over on that one, and I'm gonna start you on the clock.
I'll share out your screen real quick and we'll try to, uh, keep things pithy here. You just tell me how to drive, Amit, and, uh, do you want me to share it? I can do it in a sec. Yeah, go, go ahead. Yeah. Okay. Alright. All right. Can you see it? Uh, not quite. Ahead? Not yet. Alright. Um, this is where I, I, I tap dance while the line comes up. Right? There we go. There we go. Okay. So let's share that out. You just have to, yep, there you go. Um, yeah. Alright. So full view. There you go. Yeah.
Alright. So, uh, just a few things before that. So obviously, uh, we're all thinking about the work from home situation today. And, um, we monitor, uh, a lot of, uh, a lot of, uh, emails and obviously with MSPs that we're working with, we see the main thing that hundreds of percent, like 500% of usage of private email accounts that they're sending to corporate email networks from the employees that are at home.
So that leads immediately to something like 400% increase in business Email Compromise attacks, imposter. So that's a huge percentage of, of, uh, uh, of business email compromise attack. So dealing with phishing, obviously you are totally aware of the fact that these are the most dangerous, frightening attacks that are stealing your money, obviously. And beside that, we see hundreds of percent increase in the last 30 days of credential theft from, um, known brands that are sent to employees.
Um, it, it can be like Facebook for example, which you can ask yourself why that someone is interested in my Facebook account. So the main reason is, and everyone's getting that, so the main reason is that they're interested, interested in your personal information in order to build up the attack that will reach you to your inbox and you'll know, hey, someone knows me. So it might, it, it might be serious.
So it, that leads to, to a phenomenon which is serial attacks, meaning I've, I've written here a few of them, just screenshots of one of the, um, one of the companies that we are protecting. So you can see, um, tens of, of emails that are sent to very to few employees in the same organization a minute after minute, uh, in which they're asked, are you occupied? Um, are you available? Um, for example, this one is, um, um, could you get a purchase for me? Done?
So they're sending 10, 20, 30 purchase to 30 employees in second, and the first one that answers the first one that is generous enough. Then they go for it and they have his personal information from previous, as I said, Facebook information and others, and they go for it. So you can see very interesting things about direct deposit account. You see emails, no links whatsoever. Just a straightforward question from your CEO or your CFO.
Um, give me, I'm changing my account, so provide me your money. Um, you know, they're working from home situation, straight question, are you at home? And now they want to know if you're, uh, if you're weaker or not. So these attacks are in dozens a day.
Um, and um, you can see a minute after that or a day before that, uh, against serial attacks to companies, uh, not impostor attacks, but serial attacks that are web attacks, meaning, like, straightforward phishing, 20 employees, the first that answers provides you the credentials. And then, uh, then you get, you can see the screenshots of the attack itself. So a very important thing to say is that, first of all, um, that's an important thing to know.
The main ones that are attacked, or the main ones that are, are the targets, are the MSPs themselves, and I'm speaking with a lot of MSPs, dozens a week. Not everyone is aware of that situation, although it's, like, floating in the air. But the main targets are MSPs. The main reason for that is that they're what I call a bridge between companies, meaning once you compromise an MSP, you might have the information in order to take their companies or their credentials without any efforts.
So that's like the hub, a great proxy. So the main thing that an MSP should do, um, is protect itself, obviously, um, with active anti-phishing protection, right? Not only the companies, and then the MSP that takes care of these companies obviously should take care of that. It means that, yeah, yeah. No, that's gr, great. Amit, Kyle, how are you seeing, like, you know, do, do these ultimately end up at all at the endpoint, sometimes these serial attacks? And if so, again, how can we apply this?
Um, you know, so there's no doubt that phishing still continues to be the way in. As I was listening to Amit's story, I, uh, I shared some of the emails that were hitting, uh, hitting us as a company, you know, as a security provider. And what was really crazy is just this week it pivoted not only just from targeting my own employees over email, claiming to be me, um, a brand new employee within the first week of employment, someone texted on his personal line asking for Bitcoin from me.
So I know, um, I mean you see this through phishing and we know that this eventually pivots down to the endpoint. But do you think, is there a bigger message that this impersonation from all platforms, whether it's, you know, Teams, whether it's through maybe, uh, Facebook Messenger, text messages, is there any reason to, to think it won't continue going on? No. No. That is done. No, no reason for thinking that.
Yeah, that's the main, that's the simple thing, everyone believes that. Even one that, uh, wakes up in the morning knowing that he's gonna be attacked today receives a phishing email. A very important thing to say is that, I don't know even one employee, even one employee that will stand in front of a good phishing attack, even the most aware ones, if it's tailor made spear phishing, one that is working on you for days or weeks, right? You will answer that. It'll be very authentic.
You will want you, you won't have any idea that is that, that you're phished and you'll provide even minimum information and you're done. We have a few MSPs that once we got there, were compromised. Um, and, and even though they were aware of someone is looking for them, that's a daily life. So Kyle, one thing I've heard now, right? With a few presenters, it gets back to a lot of times back to, uh, credentials. So I mean, like, there's still MSPs that don't even have dark web monitoring.
I'm, I'm assuming that you're recommending that everybody have, right, dark web monitoring, even especially monitoring on their O365 accounts. I mean, that's just like some, that's just, if that's, it's an attack surface, right? You know, if you were, if you were a, a system that provided finance, right? Think about your customers that are currently doing the middle of accounting right now. Yeah. You know, your things are gonna come in, or fake wire requests, fake all this. That's the attack surface.
So yeah, of, of course if you're, if you have an opportunity to get ahead of leaked credentials on the dark web, right? Or a way to lock down its attack surface. What, you know, Gary, you and I definitely would do it, but you and I know there's a translation layer between what we're saying here and what actually happens, uh, within the enterprise or within the, uh, the customer's, uh, network. Absolutely. So Amit, thanks for coming on and we are on our last presenter.
Um, what this has taught me, Gary and Kyle, which you guys said all along is, you know, I knew this first one we go a little long, but, um, we'll do, you know, we'll have, going forward we'll have five and just keep things right, right at that half hour mark. But I think, I think the, um, you know, everybody's really been hanging in there inviting Ken up.
Last but not least here on the steward side because, you know, we are talking about data exfiltration now, and this is where, you know, on the data security side where Netwrix specializes. And again, it's just interesting where, you know, two years ago no one knew what a Netwrix was. No one knew, you know, when we talked about data classifi, you know, Kyle, certainly you at the enterprise level, but data classification, data identification, um, you know, data auditing. Yeah.
If you were Wes and you were in the banking and things of that nature, you would, but very little. Now all of a sudden these, this is the big stuff's coming down market. Uh, so Ken, are you with us? It says you're on screen, but I do not see you. Yeah. Can you hear me at least, Andrew? I can hear you. Yes, we can. Great, I can hear you. So Ken, um, hopefully we can see you soon, but in the meantime, I am going to put you on the clock and I am going to put a URL in the chat.
Um, guys, if you wanted to take a look at that, um, there's the seven things that, um, Ken has written up as best practices. Ken, why don't I let you take it from here on, you know, what you're seeing and what you're recommending. Yeah. You know, and, and a couple interesting things too, beyond just data security, some of the conversations we're having with so many of our partners right now is, you know, how to build that security culture within their organization.
I think the message, and Gary, you said this so many times, the message of you, you gotta practice what you preach before you can be successful in taking that to market, right? And those conversations are how do we build that culture? And if you look at different ways that you build a sales culture, uh, a service culture with your MSP, it falls around consistency, building those habits, and then recognition, right?
So it kind of comes down to those, uh, you know, principles of persuasion, creating that bandwagon inside, uh, of your business. Hey, everybody's doing this, the glitz and glamor side, and it's cool to be secure, right? So when we're looking at building that culture inside, I think that we can then take that to market. And, you know, we also talk a lot about, you know, some of our MSP partners that are struggling, being able to take that data security or security message to market.
Um, and it always comes back to Wes' Cyber Defense Matrix, right? With the identity, all the way to recover those underlying layers. In terms of apps, networks, data, one of the most important one is the user, right? And maybe going to market with that education, uh, for your end client. You gotta remember that, uh, MSPs are hired by those clients for a certain reason those clients don't know. And Andrew, when you started off with, uh, the most important defense is knowledge.
I, I completely agree with you there. Um, and simply maybe creating a, a go-to market strategy that way with knowledge rather than just the, the risk assessment that we've seen so many times. So, um, when we're looking at our users, you know, obviously there's external threats you always have to remember about the internal threats, especially when it comes to data.
Uh, but you can see suspicious remote, uh, access connections being very important, you know, successful and failed, uh, VPN logon attempts, uh, new, abnormal user behavior, uh, and making sure that, uh, users are behaving normally. That's much harder to detect now, uh, now that, uh, people are eating dinner and then coming back and their work hours are, are totally different than they were two months ago. So very important, uh, to keep track on that. Chris was mentioning Microsoft Teams. Yep.
And that's an excellent point, Kyle, can you chime in on that? You know, from a behavioral standpoint where, you know, that's an, you know, the behavioral anomalies that tools would normally go, Hey, Kyle, Kyle doesn't normally log in here at this time. That whole notion has been thrown out the door. Yeah, I mean, there's still gems to be found.
I, I won't argue if somebody's logging in from Iran or something like that right in the middle of the night, there's still gems to be found in there, but nowadays it only takes a couple seconds to VPN into somebody else, you know, a co-location in the US and come from a US IP or abuse a trusted whitelisted application and throw that whole trust out the window. So I always take this with a grain of salt. Yeah, yeah. Sorry, go ahead, Ken, please. Oh yeah, no, yeah, no worries.
And, and that user behavior might be somebody trying to access files that they shouldn't be, and you're seeing a, a numerous amount of failed attempts to that, even with Microsoft Teams. I know Chris just went over that a little bit as well. Um, you know, there, there might be somebody that accesses or, you know, provides privileges in a team and then shares access to that file with somebody that shouldn't be there. So, uh, that's something new.
Obviously we all know, uh, that Microsoft had a great quarter, their earnings were way up. Um, and you know, there's some quotes out there that's saying they've sold more cloud business in the last two months than they did in the previous six. So I think taking a look at what's going on inside of those cloud applications now is even more important.
Of course, you got your signs of your brute force attacks, number of logon attempts, are they coming from several endpoints, uh, multiple failed logon attempts, uh, and then always checking, uh, you know, the access, uh, and the permissions, right? And I think Kyle mentioned that, uh, just about, we're about to jump on, but making sure that, uh, you have those permissions strictly in line with your business requirements.
And, you know, then obviously just looking at spikes and failed activity. And that's not only logons, but uh, file activity. Uh, if, you know, certain users, uh, keep, you know, getting denied access to files, shares, et cetera. That's really what we're seeing. Uh, we took a poll survey in those internal, uh, kind of hygiene things, right? That always seems so elementary or just really important today. Ken, thanks very much. Um, you hit the, you hit the mark right at four seconds.
Appreciate it. I am going to bring back Wes and we'll close things on out and, uh, let me just see. Great. Thanks for having us, Andrew. Thank, thank you, Ken. Look forward to having you back. You bet. Alright. Uh, so Gary, while Andrew's, uh, bringing Wes up on here, you know, having you on board is always nice 'cause you keep, uh, the, the geeks obviously in line focusing on the business side of the house. It's real easy to focus on nothing but technology.
And I imagine as we wrap up, there's gonna be some of those, uh, brilliant words. Um, we've got Wes online, so I guess I'll quit yammering, but I, I'm definitely interested even for me personally, to hear some of your perspective on maybe the first cyber call, how things will go in the future and things of that nature. Yeah, yeah, absolutely. Good. Um, first off, Andrew, great job on this, right? And I think what can happen on a weekly basis is people can be much more plugged in.
Um, Ken mentioned something like so important, right? Which is culture, anything, you know, he compared it to sales. The way you build a sales team and a sales culture is first you have some dedicated roles and process. You have a weekly sales meeting, you put metrics in place, right? And you base you're not only looking at activities, but you're looking at tying those to outcomes. Basically.
When I have a sales team and I've trained many of them, uh, just like our service team, what I want everyone to know in their job, what does success look like? And when I talk about security, when you go into a lot of MSPs, who's the person you would ask and could you ask them that question? What does success look like? 'cause it takes all of those other things.
And I think that people are, um, too often just maybe adding some tools and, but they're not really building the culture because they don't have those other pieces, if that makes sense. Yeah, makes a ton of sense. Wes, I think you'd be perfect to go next because you built security cultures within banks and, and so I'd love to go to you next. Yeah. So, man, I could write a book on this and maybe one day I will.
When I took over as the CIO, uh, one of the things that was mentioned to me many times was, Hey, we don't bring it into the boardroom very often. And that was a big con that was a contingency for me to come on. I said, I need to come, I need to be there on a monthly basis and they need to, to talk with them. And they're like, yeah, but it guys, you just go over everyone's head. Um, you're not gonna get the buy-in you're looking for. So we went low and slow, right?
So I talked with them, I asked them lots of questions. The first few meetings really started to get their opinions, their feedback, get to understand them, and then, you know, having that as I always talk about that risk-based conversation with them. Um, so I'm bringing myself into the boardroom rather than trying to pull them into the server room, right? And that worked really, really well.
After a few months of those kinds of meetings for just 15 minute snippets began to build that trust and rapport, they began to open up, began to share where I thought we were actually, you know, where we were presently, uh, where our risk areas and items were and how we could address and fix that. And, uh, magic happened. And uh, that was a very fun experience You just described. Exactly that same thing you described is what happens between MSPs and their customers. It's the same type thing.
They're trying, that's a great term. I'm gonna steal it. And eventually people will think that it's mine, you know, to be able to get onto their turf rather than dragging them into the server room. So, uh, that's a hundred percent applicable with MSPs. You're the new chocolate cake. Uh, Wes, I just want you to know that, Ooh, I'll take it. Hey, if Gary's gonna take that term, I'll take it. Yeah. I'll credit you the first one or two times and then there you go. Kyle, you wanna bring us home?
Yeah, I mean, right. With all analyst calls, just like the cyber call at the end of the day, your point is to kick off the week, uh, with the right flavor, right? A little bit of what is everybody seeing? You had what five, seven parties today? Just go give you their quick five minute overview and I'd expect to see much more of this. Mm-Hmm. The idea once again, is it to be once a week? Yep. We're gonna break it down each week getting better ourselves that we help you deliver.
So please share your feedback for those who are participating in the, the, uh, comments. That's the reason we're using this platform is 'cause half the show goes on in the comments section. So, huge thanks on that side.
And then, uh, you know, I guess my last little bit here was, uh, the, I know it's corny, but the whole teamwork, making the dream work, Gary's comments in regards to that culture that happens back and forth, Wes' points, and obviously Andrew Morgan making this a team platform for all of us. So I'm, uh, super thankful to be lucky enough to take part of this. Um, and, and I'm gonna end my stuff there just saying, you know, stay safe and obviously I'm looking forward to next week. Thank you, Kyle.
Thank you, Wes. Thank you. Gary. Couldn't make it without you guys. And, uh, we'll cut it down next week to five and we will knock this out in 30 from now on. And again, appreciate Kyle, your perspective that we're gonna get this honed in. Perfect. So have a great day everybody. Thank You. Thanks. Thanks everyone. Take care.