Special guest: Beau Bullock
In this video, cybersecurity experts discuss the vulnerabilities and challenges facing organizations in implementing effective security measures, focusing heavily on MFA and cloud security. They explore real-world scenarios, such as the Change Healthcare compromise, to illustrate how threat actors exploit weak security controls and offer practical advice on improving detection, segmentation, and response strategies. Additionally, the conversation highlights the importance of strong contractual agreements and clear communication with clients to ensure comprehensive security practices are maintained.

- The 2024 Verizon Data Breach Investigations Report (DBIR) highlights a 68% year-over-year increase in supply chain attacks, indicating growing vulnerabilities in this area.
- Despite the prevalence of Multi-Factor Authentication (MFA), many organizations still face challenges in deploying it effectively, leaving critical systems vulnerable to attacks.
- Detection and response strategies are crucial as attackers often exploit gaps in security configurations, with threats evolving to target cloud infrastructures and leverage techniques like phishing and device code logins.
Video Transcript
Happy. Um, gosh, we just got through, way through a first quarter and into the second quarter now, uh, two, two heading into the second month of the second quarter. It's good to see everybody. We got a bit of a mixed crew today, but an awesome crew as co-hosts. Uh, just quick explanation. So Phyllis is out at RSA, Ryan's on vacation. Gary had something come up, uh, at the end of yesterday and let me know. So, um, I'll introduce co-hosts and, and, uh, our, our special guest momentarily.
But welcome to all of you. It's great to see you all and hope you had a fantastic weekend. Um, few quick announcements. Um, so not this coming week, but the following week, we will have Phil Langua back on the cyber call. He's one of the principal authors of the Verizon Data Breach Report. Uh, the 2024, uh, Verizon DBIR is out. So this will be our third year, um, having them join us and talk about what's changed.
And there have been some significant changes in the 2024 DBIR, uh, for example, um, first year, uh, Keith, I don't know if you've had a second to take a look at it, but they actually introduced a new category around supply chain. No, no, uh, shock. But there was a 68% year over year increase in supply chain attacks. Threat actors see that as a juicy target. Um, so, uh, we'll, we'll definitely, um, be looking forward to having, um, Phil join us and talk about that.
Um, let's see, what else, Beau. Um, I know we're gonna talk about CNM, but it's really good to see you and, uh, I know you're gonna be doing some really cool stuff at the Flow conference. Um, and that is June, what is it, 19th? Oh, I think, yeah, somewhere around there. 17th, 18th, 19th, somewhere around there. Yeah. Yeah, yeah. So we'll be talking about that. So, all right. Um, I'll set the stage here and people are killing their dogs. What's going on?
I'm gonna say, I'm gonna say too, since Gary's not here, I feel like I should do the honorary, like the ha You have the, I don't wear the shirt, right? Do you have the, uh, the buzzer thingy? I, I, you know, I don't, I don't have anything like that. No, I just got, I got the shirt and I gotta say, hey. Oh, and that's my job. So, Gary, you're welcome. My job's done here. Well done, Keith. Thank you. Thank you. Yeah, absolutely, Keith, and, and very conservatively you're done.
Very nice approach there. Well, um, alright, so, whoa. I put, I made, I, I put a post up because I, and I still, I, I, I read the post literally once a day because I still, um, shake my head.
Eric, I know you probably don't shake your head as much because you deal with this day in and day out, but, um, so if you guys recall the United Healthcare Group Change, um, the, the Change Healthcare attack was originally, uh, the fingers pointed ironically at ConnectWise because when they got compromised, it was literally almost to the day that it came out that ScreenConnect had the mass, the 10 out of 10, you know, 10 vulnerability, and they pointed at ConnectWise.
Well, lo and behold, um, a month or so later, the CEO of United Healthcare Group has to testify in front of the White House and state that the compromise was stolen credentials and lack of MFA on the Citrix portal that supported users, right? Beau, the people that work for Change Healthcare, uh, an Optum Group, which is a subsidiary of, of the organization, um, I don't know, just does payment transactions and stuff like that. Nothing to see here. Not, not an important system to protect.
Um, no, and, and, and impacts, I think just about every, um, provider known to mankind in the United States. Uh, so, like I said, I, so I'm shaking my head that in one statement he admits this, that, you know, our security team basically didn't put MFA on one of the most critical internet facing systems, and at the same time talks about how awesome their internal security threat team is, sorting off a, you know, a threat every 70 seconds.
So it was just kind of one of those shaking your head type statements. So I thought, you know, Beau, you would be the perfect person, um, as we come out of, uh, talking for months now here on the cyber call about Microsoft's failure of MFA, mm-hmm. Um, we can look back at Colonial Pipeline's failure of MFA on their VPN, but you know, you as a, your living, right, is attacking, um, yep. You know, these larger organizations.
And so I really thought it would be awesome to get your perspective on this. And for those that may not know you, go, um, first of all, welcome back. It's awesome to have you with us, but share a little about yourself and, and, and what you do there at Black Hills. Yeah, yeah, absolutely. Yeah. Thanks for having me on again. Um, so I'm Beau. I, I work for Black Hills Information Security. Um, I've been at Black Hills for 10 years now.
Basically just doing red team assessments and hacking into companies just like United, um, and, you know, like hospitals, banks, you know, government agency stuff, um, doing, doing kind of the gamut of all the different types of testing. Um, over the years I've kind of gotten into, uh, this, this place where I really found that like cloud was like the main place we were getting in on most of the red teams. And that kind of, um, made that my niche over the last few years, right?
So I've, I've really focused like really heavily on R&D and, um, trying to figure out like some of the best ways as an attacker, how we could get in, um, from the offensive side, right? Obviously, like trying to help organizations fix those gaps as well. Um, but yeah, no, this is, I, I wish I could say that it was surprising.
Um, but in all honesty, uh, you know, some, we're still finding a lot of organizations that are having issues with, with just deploying MFA, it sounds like such a, such a, a simple thing that just everyone should have, right?
Um, but in all honesty, like we're still finding a number of organizations that you're either, either they're not deploying it in a, a way that it's configured to cover everything, or maybe they just don't have, you know, the, the team, uh, the, the size of a team that should, should be there to deploy it. Um, so the, the one thing is it being a VPN service, right? That didn't have MFA, that is one thing I would say is a little bit different.
Um, you know, and, and from what we see traditionally, the majority of, um, organizations tend to tend to do a pretty good job protecting VPNs. Um, however, you know, things like Microsoft 365, that's one of the big places we still find gaps in MFA. Um, so one of the big thing, one of the big things we see pretty often is not just the, the fact that MFA is just disabled on certain accounts, um, but sometimes it's left where maybe the employees haven't registered for it yet.
Um, so for example, like, you know, you can, you can enable MFA for everybody, but if they haven't actually gone and registered it and we password spray a user, a lot of times we can just go register it for ourselves. Um, so that's, that's one big kind of kind of hole there, right?
Um, the second thing is, you know, when it comes to VPN, actually one specific, um, red team, I was on this, this actually made me think of this, this, this, uh, this, this, this story, um, where we password sprayed, I don't know, like probably 30 accounts, um, but this was just in the M365 realm, right? So cloud, email, SharePoint, that kind of thing, right?
And this, this particular company had a, uh, internet exposed VPN service, but they had 802.1X cert-based auth to get into their VPN. So, you know, there was multifactor there, which is great. Um, however, um, we were able to find those certs in SharePoint, right? It's like if you, you know, you can put all this, all this effort into protecting your, your MFA endpoints, right? And deploy, like what you would think is the, the best possible, um, you know, solution.
Uh, but at the end of the day, at the end of the day, humans are humans. And that's realistically what we end up exploiting more oftentimes than software. Um, it's the fact that people make mistakes, choose bad passwords. Um, they, they end up literally just not, not even, uh, deploying MFA or, you know, putting certs out in SharePoint and email. Um, uh, one of the things you stated, Andrew, is they mentioned something around, um, their ability to detect, um, activity in their network, right?
So one of the big things that I, I've, I would say, like we see across the board is, um, detecting from like north to south, like outbound and inbound into a network, right? So somebody that's either trying to phish their way in, or maybe they try to get C2 on a system and they're trying to talk to you like an internet based system, right?
But what we don't see a lot of is that east to west kind of detection where if I VPN into your network and I start to, as a valid user, poke around, that becomes like infinitely harder to detect, uh, for most organizations. And so, um, I I think I, I saw that it was like, what, nine days or something that they, so that's actually a pretty quick detection, um, timeframe in my opinion. Um, you know, we, we just looked at, uh, Microsoft, uh, just a couple months ago. They had a threat actor.
It was Midnight Blizzard in their network for two months before they, before they even knew, you know? Um, so, But I think the giveaway here was ransomware. Yeah, yeah. Right? Yes. Yeah. Yeah, that's true. Yeah. So yeah, they weren't, they were just trying to hide activities. Yep. No, no. They eventually just, yeah. So no, that's awesome perspective, Beau, and, and again, why I wanted you on.
So it was just a few, uh, other just quick intros of Keith you've been on with us before as a co-host, just to knock out a quick intro for us, and then I'll let Eric intro and take it away. Uh, who's playing Gary today? So Keith, um, yeah, Keith Baral founded, uh, DKB Innovative, uh, about 11, 12 years ago, and, uh, exited it in October to Evergreen. Awesome. Congrats. And, and amazing story, how, how awesome you built the MSP and, um, Eric, good to see you as always.
Thanks for filling in. With the help of a great lawyer, by the way. Yeah, that's a great lawyer. That's right. Don't, don't forget, don't forget. So, uh, hi everyone, uh, Eric Tills, uh, lawyer, former MSP owner and now lawyer to MSPs. Awesome, Eric. So take it away. Let's get right on into it here with Beau. Yeah. Thanks Andrew. And thank you for, uh, trusting me to kick things off.
I've been on your, I've been on a million times, but you've never trusted me to, to be a question asker, so I appreciate the trust that you've, uh, Well, what, what really led it to me is, is the amazing couch you have. You know, exactly, the avocado green, uh, Airbnb couch that I'm, uh, sitting on right now, which is fantastic. Um, so Beau, let's take this back up to the, the 30,000 foot view, right?
So Andrew mentioned, and Andrew and I actually talked last week about, um, Andrew Witty, who's the CEO of UHG, um, United Health. And he gets in, in front of the White House after previously, um, putting forth statements of how it wasn't our fault, it was ConnectWise, who I think it turns out they don't even use. Um, but now it turns out that it's MFA, right?
And so as someone who, who ethically attacks organizations for a living, um, how often is it that you see, um, public facing systems, um, not protected by MFA or not having other critical security controls? Yeah, it's getting a lot better. So, you know, like I mentioned, like a lot of the critical ones, so like VPN, um, you know, any sort, any sort of like remote access, uh, we, we typically tend to see at least some MFA deployed, um, even, even in 365 now.
Um, we're seeing a lot more coverage. Uh, but the biggest thing is, uh, conditional access policies and holes in those conditional access policies. So it's one, one thing a lot of people don't realize is that Microsoft, um, is, is not, there's, there's not just one place to log in, um, to a Microsoft account. Um, there's actually like a good, like, I don't know, 11 different ways.
Like, so between all the APIs, so you have the Microsoft Graph API, Service Management API, um, you have legacy protocols like Exchange Web Services, ActiveSync, you know, legacy SMTP, IMAP, all that stuff, right? So you have all these, these various services, and each one of those you can tie to specific, uh, specific conditional access policies. So, um, in, in addition to the protocols, you can also tie those to, uh, things like, um, uh, uh, devices, device types and locations.
So I could say, you know, if somebody's coming from my corporate network, I don't want them to have to worry about MFA, um, and that could be, you know, just single factor run, right? Or same thing, uh, my CEO doesn't wanna use MFA on his phone, so we're gonna let him have single factor access into the network.
And what, what we, what we see happen is those mistakes get made where they, they, they begin to, um, configure their MFA, uh, conditional access policies around like specific device types. And, um, what that ends up doing is saying like, now all iPhones can, you know, authenticate single factor.
And that's one of the big things that we look for now as attackers, is after we password spray a credential or phish somebody, one of the first things we're doing is trying to check all those different locations to see is there a, a loophole in their MFA deployment, right? Is there another place besides the main Microsoft portal that we can get into, uh, from a single factor perspective?
And that's, that's what we tend to see more oftentimes than anything else, is just those little, those little spots that maybe the coverage isn't quite there. Yeah. Got it. So let's, let's dive into that a little bit deeper. So, so you've got the United Healthcare umbrella. Underneath that is Change Healthcare, right? And, and Change is sort of their, their procedure to cash management, um, organization, right? They, they, all of the money goes through Change.
And if you, if you look at the statistics, it's something like 80% of hospitals or hospital networks say that cyber attacks have affected their cash flow. Um, and of those, um, 60% say that it's affected it by more than a million dollars a day at times, right? Let that sink in, a million dollars a day. So just one, all of your, Yeah, yeah, absolutely. Per, per per healthcare institution, a million dollars a day.
Um, and, and again, going back, it's 60% of, uh, of those hospitals and healthcare systems who have suffered a cyber attack, 60% are more than a million dollars a day. Um, so, so Beau, in your years of, of doing what you do, is it your opinion that this is just a simple process breakdown, or is it a systemic issue in your opinion? Um, it's tough. I, I would say that, um, it depends on the specific industry.
Um, so, um, I would say that health, health organizations in general, educational institutions in general have a lot harder time, uh, securing not only, you know, externally facing systems, but internal systems.
So the big thing is anytime we see like ransomware that, you know, where that happened, usually what that entails is that internally, those organizations, um, maybe they're using the same local admin password across the board, or, um, they had, you know, they had bad like east-west detections internally as well. And, you know, that's, that's actually what I would consider a bigger risk even, you know, so it kinda comes back to the, um, you know, detection is a must kind of thing, right?
You know, prevention is great, but detection is a must. And, you know, if somebody is VPNing into your network and starts to interact with every system on your network, um, that should throw, throw up some red flags quickly, right? Um, even, even before like the ransomware is installed on those systems.
And, you know, I think, like, to back to your question, you know, I think that, uh, healthcare organizations and, and educational institutions in general, those tend to be, um, the, the types of organizations that have a lot harder time, um, dealing with that problem. Um, you know, we, we, a lot of banks, a lot of law firms, like, um, and they tend to do a little bit better job on that front. Eric, can I, Interesting. So, one second, Eric. Yeah, go ahead.
Well, you've, you've mentioned the east west detection as challenging. So like if when you're sitting there debriefing, you know, post red team exercise or pen test exercise, and you know, let's just say you were able to laterally move and no one saw you and you know, you did this and you did this and you did this, what are the recommendations?
So the folks here on the call can think about, you know, is it, you know, as an example, I know John's doing a si his awesome cyber deception class coming up here. Should it be better planting of, you know, some type of canary? Is it, but can you kind of just dig into that a little bit if you're, if this, if this was a, you know, the, the 30-second overview, I'm kidding, but, you know, mm-hmm. A few minute overview of what, what MSPs might look into doing for better east-west detection.
What are some of the things to consider? Yeah, so, you know, the big one is just, um, segmentation, right? Having network segmented well enough that you don't, you don't get an entire network ransomware easily. Um, and then back to like the, the root cause in which I would say most ransomware attacks kind of, kind of live off of is this whole concept of a, um, widespread local administrator accounts.
So, like, instead of using a randomized password for local admins, a lot of organizations are still leveraging one like standard password across the board. And what that means is that if I get admin on one system and extract the password hashes, I can now leverage that one local admin credential to log into every system in the network. Mm.
And so one of the biggest, one of the biggest things you can do is just, uh, leverage something like, uh, LAPS, Local Administrator Password Solution, um, to randomize those local admin passwords across every system. Um, because then if I get, you know, admin on one system, I can't go take that one credential and, and log in in other places, you know? Right? So that's, um, that's, that's one good thing.
Um, and then when it comes to how, uh, attackers are pivoting and, and what to look for, there is the big thing, right? So if they're leveraging, um, you know, built in tools like RDP, SSH, um, it becomes a little bit harder to detect those types of things. But if they're leveraging, um, system calls, right?
So if they were using like SMB, um, uh, DCOM, um, various, uh, WMI, you know, protocols to, to authenticate to other systems, um, that should throw up a little bit more of a red flag than those traditional protocols. Sh should, and, and you bring up a good point. So living off the land type things are challenging to, to detect. Should we be doing a better job really looking at whitelisting, like, Hey, we never use the, we never use ScreenConnect.
Should that, some things like that, should we start saying, we don't use this, we don't use this, we don't use this, we don't use it. Absolutely. Use 100%. Yeah. I mean, so, you know, there's, there's a million different types of products out there, right? Um, absolutely. Application whitelisting is, is a great one. It is, you know, a little bit harder to manage and detect, right?
Or not detect, um, manage and deploy, um, o over some of the other ones that are kind of like, um, have prebuilt kind of engines. Um, but it doesn't really matter like what product to use at the end of the day, it comes down to who's actually managing it, right?
Um, so like you could deploy like, you know, all the best EDRs, AVs, behavioral analysis, app application whitelisting, but even if you don't have somebody there that's actively configuring it correctly, um, a lot of times it still doesn't help. Very. Yeah, really good point. Alright, Eric, back to you, man. Yeah, no thanks. And along those lines, I mean, this was, this was not a sophisticated attack, right? Going back to Change Healthcare, right?
Simple lack of, of MFA, and you know, if you're talking about good cyber hygiene, you know, inventory management is, is where everyone needs to start, right? Having a handle on what is your attack surface so they surface, so then you can kind of go from there. But, you know, for, for MSPs and for MSPs who, who are listening, you know, they know that that inventory management is tough.
It's tough to mid start, it's tough to maintain, it's tough to convince your, your client that you should be, that they should be doing this. So what advice do you, do you have to, to MSPs along just getting started? Yeah. So that's, that's actually, um, a really, really good question.
So, um, one of the biggest things that I have seen over the last few years is this kind of like advent of, um, organizations giving privileges to other business units within their, like cloud provider, for example. So think like, um, if, if I am, you know, IT at a, a healthcare institution, right? But I have developers that want to build this new awesome medical application, and they want to do that in the cloud.
So what organizations are doing is, instead of now having this change control process where the IT staff is the one that's deploying things like web servers and storage, uh, resources, and, um, these types of, these, these types of things, now the development team has that capability, uh, in their own, in their own subscriptions, right?
Um, and why that becomes a problem is because now you have these teams of, of employees that maybe aren't going through your traditional change management kind of control, where now I go to deploy a server as a developer, or I go to deploy a storage bucket as a developer. A lot of the stuff isn't getting tracked in inventory management because, um, it's just, it's, you know, they're, they're basically leveraging almost like it's like a test bed, right?
It's, um, it's a, a lab, uh, in a lot of cases. And those are the accounts, those are the subscriptions that we tend to see, um, get exposed publicly, um, get, you know, uh, end up having vulnerabilities because they're not being patched on a regular basis because they're not in that inventory lifecycle, uh, management, uh, process.
And, um, I think that, um, that's, that's one of the bigger things that we've seen over the years, um, is just that, that that kind of newer, uh, kind of model where, you know, with everything cloud facing, you've got, you've got this like, very easy ability to deploy stuff. The internet now l Yeah. Eric, quick question here for Beau. Yeah. Among, yeah.
Uh, from Eric in the, uh, another Eric in the, uh, in the audience, he says, uh, Beau, people often have air quotes break glass accounts that are set up just in case MFA breaks, and these break glass accounts have global admin, clearly a vulnerable config. What would you, what would be your recommended method instead? Or, or do you, do you advocate for this method? I'm, I'm adlibbing that last piece, but what would be your recommended? Yeah, yeah. No, no.
So break glass accounts are, um, definitely one of the, the Microsoft's best practices, right? In fact, I think they recommend two of them. Um, and, um, the other kicker with break glass accounts is that you leverage them to bypass conditional access policies altogether. Like the whole point of them is that if you make a mistake in your tenant that you're gonna have this account that can actually get back in, right?
And I, I've actually had other customers that have called me and they're like, oh, uh, we made a conditional access policy change and we just locked out an entire company and they did not have a break glass item account. And they, they literally sat on the phone with Microsoft for over a day just trying to get back into their account, uh, because they did not have a specific account that was like, outside of the conditional access policy.
Now, the thing with break glass admin accounts is that because you're kind of opening up that hole there where they, there's this global admin account that doesn't have MFA, doesn't have conditional access, you absolutely have to watch it like a hawk, right? So every single time that that account logs in, you wanna know about it. Um, but more importantly, you don't wanna use it like, pretty much ever, unless it's an absolute emergency, right?
So it's one of those things that gets thrown in a password vault and, you know, never sees the light of day, right? So, uh, yes, I, I recommend, like, I recommend doing that for sure. Uh, protecting it is, is, you know, one of the biggest things though, right? Like, you have to make sure that you protect those creds. Awesome. Alright, Eric. So, so, so Beau, as Andrew mentioned in his, in his intro, the 2024 Verizon DBIR report is out.
Um, and what it says essentially is, is what we all know, and that there's a, a huge increase in the exploitation of vulnerabilities, 180% right? Year over year. What's your, what's your take on that? Um, so an increase in exploiting like software based vulnerabilities? Yeah, it was, uh, you know, it, it was a massive increase, Beau, because 2023 really was the year of, um, pretexting, mm-hmm.
Um, you know, and that pretexting even overtook phishing, um, vulns, although they were always there, they weren't in 2023. It wasn't like this really big thing, but this year it, it spiked. Almost doubled. Yeah. Yeah. It, it, yeah, I I would say a lot of that probably comes from, uh, some of the bigger, uh, you know, software based issues that we've seen, like ScreenConnect, you know, like that kinda stuff, um, over the last year.
And I, I don't know, like from what I'm seeing, like on the red teams and the types of assessments we're doing, we're still leveraging phishing more than anything.
Um, and I, I personally have not like, tried to exploit a software-based vulnerability or even needed to, um, for the last like, I don't know, eight, 10 years, you know, like maybe, maybe some, like the first, uh, first pen test I did while I was here at Black Hills, um, like it was relevant, but, um, realistically like phishing to get in is, is the best way you possibly can.
And, and, and Beau, the, the one thing to be fair, and I think this could be skewed this year, that the DBIR did mention MOVEit as an example, MOVEit as one, and, and were those, do you think maybe some of those big large scale vulns just skew the data tremendously? I think so. Yeah. I, I think so. I think it's, it's what it is. You have, you know, um, every, every, every criminal on the planet hops on those immediately, right? To try to exploit everybody on the planet at the same time, right?
Whereas dedicated threat actors are trying to think of those rues and they're trying to do specific targeting against specific organizations, and Right. The thing is, when you spray everyone in the world, like you're gonna have luck, you're gonna, you know, end up hitting, um, you know, one random company here and there, and, um, that's what they're looking for, right? And that's probably what that report is seeing more of is just those attempts, right? Yeah. Yeah. Yeah. Yeah.
And Daniel put the, yeah, we had Daniel, a good point. Like Ivanti was a, like, I mean, if we think about Ivanti, we think about, um, uh, gosh, Fortinet, just can, the gift that keeps giving threat actors year over year. Um, and, and you talk about, you know, just using tools like, um, Shodan to just, you know, and, and, and what, so, and I know we're gonna get into one of the questions, I think with Keith too, on, on the, um, days to exploit, um, coming up here.
So let me, let me not steal his thunder. Um, well, Yeah, yeah. So let's, that was good segue though. Yeah, Perfect segue. So let's talk about those vulnerabilities. And so, although you're not, you know, you're going in and you're not seeing vulnerabilities as an efficient way to attack in your role as a white hat, um, obviously it's still a big issue.
So like, let's talk a little bit about the mismatch because, um, CISA's, uh, KEV database, uh, known exploited vulnerabilities, they're saying that, um, average time for exploitation is five days, uh, once they publish a, a known exploit. But the averages for enterprise patching show like 15 days to patch a vulnerability. So are like, are you seeing changes in policies or like what advice do you have for, for patch management for the MSP, given the, the mismatch between those two?
Yeah, I think that that directly kinda comes back to, um, the, the threat actors of the world that are just kinda hopping on the bandwagon, right? So the thing, if you get a thing about like, uh, dedicated, um, threat actor groups that are targeting big organizations, and specifically us, like pen testers, red team, um, like we, we generally don't have the ability to take like a, a vulnerability that's dropped like today and then use it on a bunch of organizations.
It's like, I'm, I'm doing a cloud assessment this week, right? And so I'm not gonna be able to leverage like that, you know, random ft people vulnerability on the same organization, right? Um, so by the time that 15 day window hits, usually, like our customers have, you know, things kind of covered. Um, and, you know, even, even with that 15 day window, um, that's, that is a pretty long time. However, um, it kinda comes back to, alright, what are you doing after, after exploitation, right?
So, you know, yes, we know about all these public vulnerabilities and how widespread they are, however, what about the ones you don't know about? You know, because threat actors are exploiting stuff and, and finding vulnerabilities all the time. And yes, you hear about the ones in the news that, you know, are super widespread.
Um, but there's, you know, there's definitely, um, uh, individuals out there who are researching and trying to find software-based vulnerabilities in some of the biggest products right now. And they're, they're gonna leverage those on the organizations they wanna get into. And so, really, realistically, it comes down to, all right, so somebody finds a, a zero day and starts exploiting a software that you, you own, what are you gonna do after the fact?
What, what is it that after they get in, like, how, how are you gonna, how are we gonna react? Right? How are we gonna detect them? Yeah. Yeah. So I, I mean, I, I think that's where that prioritization comes in in big time, right? Like for us, we know we can't, you know, we can't patch as soon as any vulnerability is, is released and it can't be immediate because then not having testing, you're gonna run into bigger problems.
But, um, and my security team knows that if there's a zero day and it's exploitable and it's on the edge, that, uh, they better have coffee and energy drinks on standby. 'cause it's just gonna be a, you know, all nighter and, and attack it. Um, but hopefully that's not, not very often. Maybe that's a, a few times a year and it's not a weekly ordeal.
Keith, let me just go to Eric for a second on this, because I think what Beau has summed up here... Beau, first, let me just make sure I understand, and I'm going to paraphrase a quote from Steve Carter of Nucleus Security.
I was on the phone with him, and he said (and you know him as well, Eric) Nucleus, out there, guys, they play with the biggest of the big. So you're talking about vulnerability management in the Fortune 50 and bigger, those types of companies. But his point was, the majority of this hype cycle around vulnerabilities, Beau, is just that. He said it's a big FUD fest.
Not that they're not important, but yeah, exactly. And to Keith's point, Eric, for the ones where there's an internet-facing device and it's highly exploitable, like a Fortinet vulnerability, and you get the phone call, "Yeah, my client, we got it." First off, is there typically a policy that's good in these companies? And if not, postmortem, how do you advise? What do you see in those areas?
Well, hopefully there isn't a postmortem. Hopefully we take care of it in advance, right? But like Keith mentioned, there's this disparity between how quickly systems are patched versus how quickly vulnerabilities are exploited, and that gap is where the risk lies.
And you've heard me say this a thousand times, Andrew: when you're contracting with your customers, you have to be very, very specific in terms of what you're going to do if you're going to reduce your risk. In other words, 98% of the managed services statements of work that my new clients send me all say the same thing. They say, "We're going to patch your systems." And that's it.
And when I question my client, I say, why are you so vague? Why don't you get more specific about when you're going to patch, and how you're going to patch, and how often you're going to patch, and what customers have to do, and all that stuff? And invariably they say, "Well, we don't want to commit to anything." Well, when you don't commit to anything, you're committing to everything. And that's the problem.
So instead, if you just say, look, Mr. Customer, here's how and when we patch. We're not necessarily going to apply a patch the day that it comes out. We might wait some period of time; we might patch on a regular schedule. And that's okay, as long as you're telling your customer and contracting with your customer for what exactly you're going to do, instead of just saying, "We're going to patch your systems."
So that's a long-winded answer to your question, Andrew. The first question I always ask is, what's your commitment to your customer? What is your contractual commitment to your customer to prevent things like this from happening? Yeah.
So, Beau, to sum this up, it's: get real specific. If there's something highly exploitable, if it is being actively exploited, let's focus on the real things, not "Hey, there are lots of vulnerabilities in the world." Mm-hmm. Yeah, that's a good summary. All right, Keith. Yeah. So to pivot a little bit, let's talk a little bit about reconnaissance, Beau.
I think it'd be helpful just to understand, in your experience as a white hat hacker, what are some of the lessons learned? And how do you approach reconnaissance? And in terms of the Change Healthcare compromise, what insights can we get out of that? Yeah, absolutely.
So I think it comes down to what the goal is for us as pen testers, or what the goal is for the threat actor specifically, because depending on your goal, what you're actually targeting might change. One thing I've seen trending absolutely more towards the cloud over the last few years is just trying to get into an account versus trying to get a shell on a desktop.
Eight years ago, we could create a Word document or an Excel document with a macro and send it to an organization, and we'd get ten people clicking the link and get shells very easily. That honestly has changed a lot over the last ten years. With EDRs, with AVs, behavioral analysis, application whitelisting, we have all these hurdles to get past that
we didn't previously have. Bypassing AV eight years ago was extremely different than it is today; it was much easier. So with that, a lot of our attacks have been more targeted towards getting sessions: hijacking sessions, getting credentials, getting into cloud accounts. And when it comes to recon around that, there are a lot of things we can identify around cloud asset usage without actually having any access at all.
First of all, it's very easy for somebody to discover that you have a Microsoft 365 tenant. It's very easy for us to discover if it's federated. It's very easy for us to discover the domains that are tied to it. And when it comes to password spraying, or doing any sort of password attacks against Microsoft specifically, there are a lot of different ways we can do it.
And in all honesty, a lot of organizations still don't have either the detection capabilities or the ability to block it. So when it comes to recon, one of the biggest things we want to look for, one of the first things, is: can we identify employees at an organization? So, can we go to LinkedIn?
Can we go through our previous breach databases and pull out any email addresses that may have been part of a LinkedIn dump or part of any other breach that ever happened? That's one of the big things we can probably talk about a bit too. In that case of MFA being missing, a lot of times we don't even need to perform a password attack.
A lot of times we can just pull the credential out of a previous breach. At Black Hills, one of the things we do, we have, I think, a good two or three people now who are dedicated to just trying to find all the dumps that happen. So anytime a big website gets breached, a lot of times the data will get sold first. So email addresses, phone numbers, addresses, passwords.
A lot of times they're password hashes, but a lot of times they're just clear text these days, and they just get dumped to the internet. So we'll take those, put them in a big database, and now we can go search for just the email addresses of the company we're targeting. So from a recon perspective, a lot of times we can immediately have this giant list of email addresses, first of all.
But secondly, a lot of times we have clear-text passwords that they've used on other sites, and password reuse is a huge issue already. So if somebody's using the same password on their LinkedIn account that they're using on their corporate login, it's literally just go log in. There's nothing to it. And that does happen occasionally, where people are just leveraging their old passwords, ones that have been dumped.
And it makes it really easy for us to just go log in to their accounts. So from a recon perspective, identifying employees, for multiple reasons: one, to do password sprays against; one, to potentially phish those users, is a big one. And then identifying externally facing systems. One of the biggest cloud vulnerabilities that we tend to see is publicly exposed storage buckets. So things like S3 buckets.
Azure has storage buckets, where an organization has leveraged those buckets to store various pieces of data, but for whatever reason they've left them publicly accessible. So think of it just like a file share out on the internet, basically. And a lot of times those file shares have sensitive data in them too. Sometimes they have access keys, sometimes they have other secrets. Another big piece of recon is looking at publicly available code.
So sites like GitHub tend to be a goldmine for us. We'll go look for who the developers at the organization are, where their private repos are, as well as what the organization is publishing publicly. And there are a lot of times where we'll find that developers made a mistake and put passwords or credentials out in code that's publicly accessible. And then identifying hosts, right?
So doing subdomain enumeration, looking at MX records, looking at certificate transparency, which is a really good one. If you haven't heard of Certificate Transparency, it's basically a database that stores all of the certificates that have ever been generated at some of the most popular certificate authorities. So anytime you go create a Let's Encrypt cert for a domain, there's this giant database of all these certs that has all that data.
So we can go search for a domain and find all the SSL certs or TLS certs that have been generated for that domain. And a lot of times those certs also have subdomains inside them as well. So it makes it really easy for us to find a bunch of subdomains for an organization really quickly. So those are some of the recon techniques right there. Wow. Yeah, there's a lot there.
Would you say that dark web scanning tools, and having a service around that, like ID Agent, the use of a tool and a process around it, is essential security at this point versus advanced security? That's a good question. So I honestly haven't looked into a lot of the services out there, so I can't really speak to them.
But yes, if you do have insight into even just your domain getting dumped to various dark web services, then yeah, that's great, because you can say, all right, I know at least these 100 employees had their email addresses, and potentially passwords as well, included in the dump. Let's go change your passwords, right? Yeah. It's awesome.
Andrew, Keith, Chris. Beau, you mentioned LinkedIn as a place for doing recon and names. Obviously that was one of the things BlackCat used against MGM. Have you been asked to do any type of red team attack, like being the help desk, trying to social engineer your way in the way BlackCat did to MGM? And are you seeing more of that in terms of an attack?
Whether it's machine, whether it's... Yeah, so I would say not specifically asked for that scenario in recent times. I can't speak for everyone at Black Hills; maybe somebody else has had that scenario. But yeah, years ago, pretending to be a help desk was great.
In fact, with LinkedIn, one of the most successful attacks was basically pretending to be a coworker on LinkedIn and then just opening up a DM with other coworkers and saying, "Hey, I'm Sally from HR." You basically clone her whole profile, right?
And make it look like it's Sally from HR, and open up a conversation with a database admin or somebody that works at the company and say, "Hey, I've got this new resume that just came across my desk. Can you just take a look at it real quick for me and see if this seems like a good candidate for this position that we've got open?" Right.
And once you have that kind of direct connection and you have some sort of legitimacy to who you are, people will open documents. They will click links. So DMs, and in fact LinkedIn, I would say, is still somewhat useful in that scenario. However, it's gotten a little bit harder to set up in the short term.
LinkedIn has put some protections in place where I can't just go sign up for a LinkedIn account today and then add everybody at a company anymore, which you used to be able to do. You used to be able to just go in and start adding everybody as a friend.
And what that did is it opened up those connections, where I can now start to see more and more people. But I think they've limited it to, I don't know, 14 or 15 people you can add a day now. So it makes that a little difficult in the short term. But what I was going to say is the modern-day version of that, the thing that we're doing now, is direct Teams messaging.
So if you look at your configurations around how you have Teams set up, there are a few different ways that you can incorporate external collaboration. And one of the big things that we see is that a lot of organizations don't go and configure this, and they just leave it default. And what that means is that now anybody in the world can open up a Teams message with your employees.
And why that's important is because now I can pretend to be a support staff person and literally open up a Teams message, bypassing email filters. So if I can DM your employees a malicious link or a malicious document, you don't have all the email filters in place that can see that anymore. It's just a DM.
So yeah, the modern version of that, that's what we're really leveraging heavily: those Teams direct messages. Got it. Keith, back to you. Yeah. So the CEO of UnitedHealthcare said that the threat actor in this case was in the environment for nine days, living off the land, exfiltrating data, moving laterally. How long can you remain undetected in an environment?
And I'm curious, is being in there for nine days just a result of poor detection, or is that just a really good threat actor that stayed under the radar? So it comes back to the fact that they installed ransomware, right? That's how they were detected, probably, if I had to guess. Yeah, that was the main reason why they were like, "Oh, yeah, there's obviously a threat actor in our network." Yeah.
But in all honesty, nine days is a really short period of time. I think the norm is like 200-something days that threat actors go undetected. And in all honesty, if we weren't given a timeline, like I've got a week to do a pen test or two weeks to do a pen test, absolutely we could last a lot longer.
Because whenever we're doing a pen test, we have to be able to provide enough value in that short timeframe, and what that entails is that we have to start to automate things. So we have to automate finding open shares on a network, or trying to find where that local admin password is that's going to work on all the systems, right?
And that kind of automation is noisy. And because we have to automate things and be noisy, that's the reason things get detected. Most threat actors, though, don't have a timetable like that. They can spend as much time as they want just moving slow. In fact, if we go back to talking about Midnight Blizzard a bit: two months in Microsoft's tenant, their cloud tenant, right?
The threat actor was there, and they didn't do anything crazy. If we actually read between the lines of what Microsoft announced, in my opinion they had global admin access in Microsoft's tenant, their main tenant, which is a terrible, terrible thing. That should never happen, right?
And the thing that's surprising to me, but also I think is very relevant to this, is that with global admin access they could have done literally anything, right? But what did they do? They installed email forwarding rules on certain accounts so they could read certain departments' email, and specifically they wanted to read what Microsoft knew about their own threat actor group, right?
They wanted to target emails that were specifically calling out Midnight Blizzard, so they could have that insight into what Microsoft was seeing for their own threat actor group. And so when it comes to lying in wait, they could have done a lot of other really bad things. However, what they ended up doing is just staying under the radar for the most part and trying to read email.
So I think nine days is pretty short, in all honesty, but that's most likely due to ransomware being installed. Yeah. So if you look at these recent MFA attacks, right, the Microsoft attack, the Change Healthcare one: MFA is a protective control, but really, is it a vulnerability because of how critical it is? Yeah. It's funny you mention that.
In fact, that's one of the things at Black Hills now. I don't know if many other organizations are doing this, but one of the things that we've started doing is, even if it's not an assessment where we are actually getting credentials to authenticate, so let's say an assumed compromise, or the cloud assessments that I would typically do, if we're doing, let's say, an external network assessment, right?
In most cases, on an external network assessment we don't get credentials. One of the things that we do now is we have a conversation with organizations and literally ask, "Hey, we saw this SSH server out here. Hey, we saw this VPN service out here. Is it covered with MFA, and can we validate that with this set of credentials?" Because if we can't validate that, it's absolutely going to be a high vulnerability in our reports.
And the main reason is this: the fact that MFA is so prevalent now, and honestly should be easy to deploy. It's absolutely, in my opinion, a high vulnerability if you don't have it. Yeah. Eric, I'll bet you have some advice on MFA usage in contracts, right? I do. Just do it. Just have it in there and say you have to have MFA. That was Eric's advice. Yeah.
For us, when we redid our agreement, we went to Eric, and that was one of the things he put in there: required, non-negotiable. The client is agreeing to put MFA in place on everything. Yeah. And look, you can negotiate what MFA goes on, right? Obviously 365 is the easy one. But what else? Everything external, I should say, right? Yeah. Externally facing applications, externally facing, absolutely. That's right.
So then it's on the client; they've got to have it. And as I've told clients, it's like, "Hey, look, you've got a really expensive Ferrari that's just sitting out on the street. Are you just going to leave the keys in it?" Because that's what you're doing right now if you don't have MFA in place. Yeah. Good stuff.
Eric, can they have compensating controls, if they're like, "Hey, well, in this particular case," as long as they're doing something that can mitigate? Is that acceptable? Can there be a carve-out or a one-off when you are supporting someone like Keith? Yeah, there can, but it's got to be negotiated, right? It can't just be, "I'm going to go off and do whatever I want."
It's got to be something that the customer and the MSP agree on. Got it. Well documented, well stated, absolutely, all that stuff. Okay, Beau. Look, we've had Ashley Knowles on before, who I know heads up your attack surface management practice, and she did it for Wells Fargo for years.
Again, MSPs, when they're dealing with customers of 25 to, let's call it, 500 employees, and we know you guys out there go up larger, but let's just use this for conversation's sake. Saying to a customer like that, Beau, "Yeah, and we're going to need another, making it up, $4,000 a month to do your attack surface management," is probably not going to fly in most situations. Mm-hmm.
But if you were to give maybe just a few words of wisdom on where MSPs could start, maybe even looking at themselves. I think it's really important to, right, Keith, if you're going to start to do this, you want to be able to do it on yourself first, to look at what the steps are for a good ASM practice, and could I even start to do this on my top five customers? So Keith, as I ask that of Beau, is that probably the best?
If you're going to do something, probably the best route is first yourself, then maybe, "Oh yeah, we've got to do this on 80% of our revenue, these top five customers." Yeah, for us, that's what we do internally. And then you're able to map out that process, map out what it's going to take in terms of resources to get that across. It also helps you to understand how to charge for it.
If that's going to be a major effort and it took X number of hours to do it across your endpoints, your systems, then you know what you're going to need to charge when you put that in place for your clients. But we're the first testbed, and then we push it out and absolutely prioritize it based on the risk of clients. If I've got a finance client versus a construction client, I'm going to pick the finance company first and go down. Cool.
So Beau, what things could they focus on, knowing that it's probably going to be finite, but we want to make sure we take care of ourselves and maybe our big customers? Yeah, absolutely. So we've beaten MFA quite a bit, but yeah, MFA's a big one. Conditional access in general is, I would say, one of the biggest protective layers you can deploy, if it's configured correctly, right?
Looking at and making sure you don't open up those various APIs is a good one. But password policies, right? Just having strong password policies, making sure people aren't choosing weak passwords, making sure that you have at least a level of rotation in there as well.
So that if somebody's cred does end up in one of those data breaches, it's not just going to be: attacker takes that one cred and pivots over directly in one hop. But yeah, I think between those two, those help tremendously.
Obviously, phishing awareness. I hate to pull up the security awareness game, but honestly, some of the tougher customers we've had have done a really good job of calling out potential ruses, right?
And knowing what is a phish and knowing what to look for, because at the end of the day, the two biggest ways we're going to get into an account are compromising a password or phishing somebody, and sometimes they go hand in hand, right?
So with the phishing attacks, a lot of the ones we're generating now, we're trying to get credentials and trying to get sessions. And if we can be prevented from password spraying because you have a good policy, or if you're alerting on password spraying, that'll be a great thing. From the phishing perspective, if your employees know to look at the domain, right?
Just simple checks, like: is this Microsoft portal I'm logging into actually on a Microsoft domain, or is it just some random weird domain? Things like that can go pretty far. The other one, oh, so here's a really big one that I would say the majority of you can probably enable pretty quickly, and that is disabling the ability to do device code logins.
If you're not familiar with device code logins, it is, I would say, the new hotness for phishing attacks, and it's something that I would say the majority of your employees aren't going to be using. So, device code logins.
If you've ever logged into your TV, if you've ever logged into something like Netflix or Hulu or Disney Plus or any of the streaming services on your TV, you go to your TV and it says, all right, well, instead of you entering your long password (which you all have, right? Long passwords for your accounts), here's a six-digit code.
Take that six-digit code to your phone, where you're already authenticated, or to your computer, where you're already authenticated, and enter that code, and now magically your TV's authenticated. So Microsoft has the exact same thing. It's called Microsoft device code authentication.
So I can be logged into my browser as my user, and I can go to a completely different system and do what's called a device code auth, where I can authenticate another browser without actually using a password. I just use, I think, an eight-digit code, basically.
And so this is what we're doing now, and it's something that I think you could probably disable pretty easily through conditional access. From a phishing perspective, the way it looks is: I would generate that code on my side, send it to you as a victim and say, "Hey, go to microsoft.com/devicelogin and enter this code," and build a ruse around it.
Say, "Hey, I'm with security, and we need to validate your session," or something; you've got to think of a ruse. And what the victim would then do is go to microsoft.com/devicelogin, enter that code, and now all of a sudden my external browser is authenticated as that user. And the thing that's tricky about that type of attack is the attacker's not asking for your password.
The attacker's not trying to get you to go to a malicious link; you're going to microsoft.com. The attacker's not trying to get you to open a file, an executable, a Word document, an Excel file, nothing like that. It's literally: go to this Microsoft domain, enter this code, and as long as they're authenticated in their browser, you have now given access to this threat actor externally. So interesting.
Yeah, if I had a number one takeaway: go disable device code auth, because the majority of you probably don't even need it. Interesting. So Beau, we've got a few minutes left. For those out there that may or may not know, and I'm going to assume for a moment you don't know, Beau is also one of the top instructors at Black Hills, and I was fortunate that he lives in my home state. I was fortunate that I'm helping out roost in their event in June.
And Beau often teaches what he calls Breaching the Cloud. Now, Breaching the Cloud often has other components besides M365 and Azure.
But because MSPs really focus on that versus, say, AWS like the enterprise clients he trains, we're really going to get very focused, and you can meet Beau in person in June here in Tampa. Beau, maybe if you could give just a high level of what you're going to be teaching in that course. Yeah. No, I'm actually super excited about it. So over the years I've collected a lot of M365 attacks.
I built my Breaching the Cloud class mainly to target all cloud providers. And what we've found over the years is that most of our customers are using M365, and we really need to build up a methodology for attacking M365 customers. And through that, over the years, I've built a few different tools, and released a tool called GraphRunner that targets M365 accounts from a post-compromise perspective.
And so what I'm going to be talking about at that conference is basically the top ten issues that we're seeing. So, do you have that kind of external collaboration enabled in Teams? Do you have the ability for users to create groups? Can they modify groups? Can they update them? Can they deploy applications? A lot of these things you can do by default.
And I'm going to walk through a lot of the common things that we're seeing as issues for organizations. So yeah, that's the gist of it. Yeah, I'm really excited about that. In fact, let me just, real quick, guys: here again is the link about the event and Beau's course, which, normally when he teaches it in person, that's a big link. But anyway, that's about the event.
When he teaches it in person, in past years we've charged up to five, six hundred bucks for it. So if you register, you get to attend that event, all inclusive. So that's about the flow event, which we've talked about a few times here. But I'm really glad, Beau, you came on to talk about this specific topic. I think it's one that certainly is not going away.
It's certainly one that, as you indicated, although vulnerabilities are important, this is really where the threat actors are living. Mm-hmm. And it's in these basic things that we have to do. "The date on the event looks like it passed." I don't think so. Yeah, I looked it up. It's June 17th. I confirmed. Yeah, if you go... That's the date I have on my calendar. So yeah. So here you go.
Let me just put in one more. There you go. "Where can you hear me shred guitar," actually. Yeah, you know what? I know we're a minute over here, but tell everybody about the album you just released. Yeah. So outside of security, my main hobby is music, so if you do want to hear me shred guitar, I just based it at a domain, no bandwidth dot io. So No Bandwidth is my music project. Yeah, that's really cool.
All right, so we're going to ask you to do that after the event too. Okay, I'm down. Let's do it. All right. Well, Keith, thanks a million for co-hosting. Eric, as well, really appreciate you filling in. Beau, of course, thanks as always, my friend. Really appreciate you giving your time. Yeah, thanks for having me. Thanks for educating everybody here. So everybody have an awesome week. Thanks, everyone.
I'll figure out what we're doing next Monday, but again, the following Monday will be the Verizon Data Breach Report. Till then, make it a great day, everybody. Bye.
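A worked example appended after the call, not part of the transcript and not Black Hills' or Beau's code: a small Python triage script that runs over Entra ID sign-in records and flags the two account-takeover paths described above, a password spray (many distinct accounts failing with a bad password from one source IP in a short window, then one success from that IP) and a sign-in completed through the device code flow. The sign-in records are constructed for the demo. The field names (createdDateTime, userPrincipalName, ipAddress, appDisplayName, status.errorCode, and authenticationProtocol with the value deviceCode) follow the Microsoft Graph signIn resource as the editor understands it, 50126 is the AADSTS50126 "invalid username or password" code, and the 30-minute window and five-user threshold are assumed tuning values, not vendor defaults.

```python
"""Triage of Entra ID (Microsoft 365) sign-in records for password spraying and
device code sign-ins. Added example; sample data below is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126           # AADSTS50126: invalid username or password
SPRAY_WINDOW = timedelta(minutes=30)  # assumed tuning values, not Microsoft defaults
SPRAY_MIN_USERS = 5

# Constructed sample records, not real log data. Field names follow the Microsoft
# Graph signIn resource as the author understands it; IPs are documentation ranges
# (RFC 5737) and the users and apps are invented for the demo.
def _rec(ts, user, ip, app, proto, code):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "appDisplayName": app, "authenticationProtocol": proto,
            "status": {"errorCode": code}}

_EXO = "Office 365 Exchange Online"
SAMPLE_RECORDS = (
    # a stale failure from the spraying IP, well outside the burst below
    [_rec("2024-05-05T01:00:00Z", "zed@example.com", "203.0.113.10", _EXO, "none", 50126)]
    # the spray: one password tried against six accounts in six minutes
    + [_rec(f"2024-05-06T13:0{i}:05Z", f"{u}@example.com", "203.0.113.10", _EXO, "none", 50126)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # the one guess that worked
    + [_rec("2024-05-06T13:09:40Z", "frank@example.com", "203.0.113.10", _EXO, "none", 0),
       # a normal user mistyping twice, then succeeding: not a spray
       _rec("2024-05-06T09:00:00Z", "grace@example.com", "192.0.2.44", "OfficeHome", "none", 50126),
       _rec("2024-05-06T09:00:30Z", "grace@example.com", "192.0.2.44", "OfficeHome", "none", 50126),
       _rec("2024-05-06T09:01:00Z", "grace@example.com", "192.0.2.44", "OfficeHome", "none", 0),
       # a sign-in completed through the device code flow from an IP the user never used
       _rec("2024-05-06T14:30:12Z", "alice@example.com", "198.51.100.77", "Microsoft Office",
            "deviceCode", 0)]
)
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # one JSON object per line


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, attaching a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        records.append(r)
    return records


def _error_code(r):
    return r.get("status", {}).get("errorCode")


def device_code_signins(records):
    """Successful sign-ins completed with the device code flow, as (user, ip, app).
    Every hit deserves a look in a tenant with no business use for the flow."""
    return [(r["userPrincipalName"], r["ipAddress"], r.get("appDisplayName", ""))
            for r in records
            if r.get("authenticationProtocol") == "deviceCode" and _error_code(r) == 0]


def detect_password_spray(records, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS):
    """Map each source IP to the largest number of distinct accounts that failed with
    a bad password inside any `window`; only IPs reaching `min_users` are returned.
    Counting distinct users, not attempts, separates a spray from one user who
    mistyped their own password several times."""
    failures = defaultdict(list)
    for r in records:
        if _error_code(r) == INVALID_CREDENTIALS:
            failures[r["ipAddress"]].append((r["_ts"], r["userPrincipalName"].lower()))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            hits[ip] = best
    return hits


def successes_from(records, ips):
    """Accounts that signed in successfully from the given IPs: after a spray, these
    are the credentials that worked and need resetting first."""
    return {r["userPrincipalName"] for r in records
            if r["ipAddress"] in ips and _error_code(r) == 0}


def triage(text):
    """Run both detections over newline-delimited JSON sign-in records."""
    records = parse_signins(text)
    spray = detect_password_spray(records)
    return {"spray": spray,
            "compromised_after_spray": successes_from(records, set(spray)),
            "device_code": device_code_signins(records)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2, default=sorted))
```

Run it as-is to see the triage of the constructed records; to use it on a tenant, feed parse_signins an export of real sign-in logs with one JSON object per line. The script only detects; the preventive step Beau recommends, blocking the device code flow for users who do not need it, is a Conditional Access setting in the tenant, not something a log parser can do.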
Related Videos
The Vulnerability Crisis No One is Funding
The Vulnpocalypse Is Here & Your MSP Can Survive It
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois