Right of Boom
January 30, 2025

Using Backdoors & Breaches Cloud Edition to Mitigate Top Attacks noted VDBIR

In this video, experts from Black Hills Information Security and SaaS Alerts discuss current trends in cyber threats, focusing on the rise of cloud-based attacks and the innovative tactics used by cybercriminals. They highlight the importance of understanding attack vectors such as phishing through Teams, device code phishing, and token harvesting, emphasizing the need for robust security practices like conditional access. The discussion also covers the significance of gamifying incident response training with tools like Backdoors and Breaches to help organizations better prepare for real-world scenarios.

- Attack Surface Management is an emerging area that is becoming increasingly important as the attack surface continues to grow.
- The convergence of enterprise and SMB toolsets has made both equally vulnerable to cyber threats, emphasizing the need for improved incident handling and security measures.
- The increasing focus of threat actors on cloud platforms and the inadequacies of current security practices highlight the need for better training and awareness among frontline MSP staff.

Guests

Andrew Morgan

Video Transcript

Welcome, welcome everybody. Episode 147 here on the cyber call. Gary, how's the puppy doing? Hear him in the background. I think very, yeah, my wife can't get back here fast enough to take care of the dog. I'm well, uh, you know, I'm gonna recommend that Sue gets another, another one. 'cause I know how much you like the first, what, three of 'em or so exactly that make your life better. That's what I'm here for, Gary. All right. Um, well we got an awesome, um, session today.

Go tell your friends, family, and neighbors if you can, um, 'cause you're in for a treat. Um, before I get to it, Gary, I do have, uh, 16 announcements I wanna go through today. Go ahead, take your time. Alright. Yeah, I know. Favorite thing. Alright, so no, real quick. Um, in the, um, call to action, the green piece below, Beau, we're actually gonna have Ashley Knowles from your team at Black Hills, who's an expert in something called Attack Surface Management. Mm-Hmm.

I'm doing a, yeah, I'm doing a fireside chat with her on Wednesday. And this is, uh, an area that, um, is, you know, Wes, something that, you know, again, it was almost like, you know, BIAs and DFDs, right? Data flow diagrams and business impact were new, quote unquote, to MSPs a few years back. Um, I would argue attack surface management is something new as we look holistically, right, at, you know, the attack surface as it's ever growing. So, um, I think this'll be a really good session.

I think we lost Wes briefly there, so maybe we'll get him back. So that's one announcement. Second announcement is, um, the cyber cast, uh, the podcast on CIS controls. This is pretty cool, Gar. We got through all 18 controls. Um, we'll have the 18th out shortly. And, um, we hit 10,000 downloads. We got a notice. Um, and so for a com for a podcast that doesn't advertise, uh, doesn't do much other than word of mouth to help MSPs. Um, I thought it was a pretty cool accomplishment.

So, um, that's, that's awesome. Yeah. Um, and so we're, we're not over, it's not done. Um, we'll move on to, um, the respond and recover functions, which are, um, recognizably by CIS are missing. So we will, we'll move into those areas to other frameworks. So that'll be next up into, uh, into, into that area. Wes, we, we were, I don't know if you heard, but we were just mentioning the cyber cast and the 10,000 downloads and Yeah. Um, last announcement is Right of Boom.

Registration will be open this coming week. Um, if you go to rightofboom.com, the site is up, it is live right now. Um, we'll have some, um, some cool stuff that you can, uh, that we're gonna do for the first a hundred registrations. Um, and, uh, so that's that. So let's get right on into it. Um, I will put up a call question on Backdoors and Breaches momentarily, but, um, we have Beau Bullock with us today. I'm just gonna kind of set the stage here briefly for us.

Um, last week I thought Phyllis closed us out, couldn't come out with a better quote. And that was about in the Verizon data breach report. She's like, Hey, one of the most important points of the DBIR this past year was that they, for the first time, there's no delta between enterprises and SMBs. I found that fascinating. Gary, I don't know about you, but basically the tool sets or the systems and applications that enterprises and and and SMBs are using are so almost ubiquitous now. Yeah.

That, that the threat actors, number one, don't care. Um, which is what the data basically said. The other piece, frighteningly, the data said was the percent of attacks on SMB relative to enterprise, which would be obvious, is staggeringly higher because of lack of maturity and, and everything. So, well, anything you took away from that, Gar?

Yeah, I mean, one thing is that, um, e even though they see all these trends and some of it had to do with how people are using technology, uh, what I took away from it was that these guys don't have to innovate. Yeah, exactly. They don't have to innovate. They basically can use the same old tried and true methods and they're still getting their bang for the buck. Yeah, yeah, absolutely. And we're gonna get some perspective on that from Bo momentarily.

Um, the other part was because of that lack of distinction, if you will, between enterprise and SMB, I'm like, well, as MSPs we, we gotta get a little bit better at incident handling. Now, let me be clear, I didn't say to become a DR, right? I am not saying become an IR firm. I am saying we have to get better at spotting potential indicators of compromise anomalous behavior.

Would you say that's a fair statement, Wes, that like we, we're gonna have to, especially in the world of cloud and M365, we've gotta get our front lines better trained in this area because this is where the data hands down said, we're coming in and this is how we're coming in. Yep. I, I think we're seeing a, a bigger and bigger and bigger push towards threat actors focusing in cloud, taking advantage of our own inadequacies in terms, which we're gonna talk about. Right? Right.

Like, I've got a question queued up around conditional access, but like, there's so much around this that like, you cannot just go flip on, you know, Microsoft 365 and move on as an MSP without deep considerations in security, or you're gonna get yourself in a whole world of trouble with your clients. So yeah, this world is coming to us full force. Okay, cool. So with that, um, just to set the stage, I'm gonna let Bo introduce himself and that's why we wanted Bo on today.

So, um, Beau's gonna talk a little bit, I'm not gonna steal his thunder, but I want him to tell what he's just released. Why we're having him on today is because he is the, the guy at Black Hills when it comes to cloud red teaming, cloud offensive, cloud pen testing. And, um, I can't take all the credit. I can't take like, listen, we have a lot of really good red teamers. You have a lot of good cloud people too. Well, no, no one else is on this call. Just take Yeah, yeah, Yeah.

No, I, but yeah, I, I mean I, so I ended up helping work on the deck that, Yeah. Yeah. So, but, um, so that's why we wanted to have Beau on, and then I will be doing some screen sharing. I'm just gonna ask for, for some forgiveness. Crowdcast, the platform, isn't the best when it comes to screen sharing, so just bear with me. But there are some things I wanna share here in between. So, uh, that, that's so Beau, take it away. Tell us a little about yourself.

Um, and it's great to have you finally on the cyber call. I've done a lot of things with you. You've been two years and about to be three at Right of Boom, so that's exciting. Um, yeah, Thanks for having me. Yeah, of course. But it's great to have you on the cyber call. Yeah, absolutely. Yeah, it's really cool to be here. Um, I, so, you know, met Andrew a few years ago at Right of Boom. Um, and, uh, so I, I've been working at Black Hills Information Security for nine, over nine years now.

Um, and it's actually, it's, it's funny, like when you were talking about the, the, uh, the attackers using similar, uh, attack paths for enterprise and, and SMBs. I've actually gotta see that firsthand, like evolve over the last nine years. Hmm.

Um, I was the one doing the attacks against enterprises, you know, um, I've actually gotta see exactly what you're talking about and how, uh, realistically, like the attacks have completely pivoted from, um, trying to get a shell on somebody's computer, right? Like on an internal network Like that used to be like what we did all the time. That was, that was the goal, right? Mm-Hmm.

To get internal access, pivot around a domain, escalate privileges, steal data, like end of story. Now though, um, with everyone leveraging cloud services, it's become so much more, um, of a focus and an effort against credentials. And it's exactly why, like, you know, the data breach report talks about creds being number one. Um, so yeah. So anyways, yeah, I, I, I've done the gamut of pen testing.

Um, I have, you know, done every, everything from physicals to web apps to wireless to, uh, you know, just standard assume compromise type stuff. Um, blockchain security, like, I've kind of done all of it now. Um, but the last couple years I've really been focusing, um, very, very much heavily on the emerging threats side. Um, I've gotten the opportunity to kind of work into a, uh, an r and d role here at Black Hills, um, where I'm doing primarily just cloud testing.

Um, so, you know, any, any of our customers, uh, are looking for anything like AWS, GCP, Azure. Um, and then o obviously the SaaS side too. So Microsoft 365, um, I typically am like the main guy that handles this. We See, I told you you're the main guy. Yeah. We Came out, right? Um, so very, very cool, Beau. Um, and then, you know, we're gonna be talking about the introduction of Backdoors and Breaches Cloud, which is out now.

We'll tell everybody how to, you know, the URL to go to, um, to play it. Um, but that's really the impetus to today is how can we use this, um, platform, right? To not only teach us internally, but then to go take this to our customers. And, uh, so Gary, I'm gonna let you take it away, uh, here with Bo and at times I'll do my best to screen share successfully. You're on, you're on mute, pal. Want me? Have you read one, Had my cough button on? Yeah.

So, um, Beau, first off, uh, thanks for, um, thanks for being here. We really, uh, appreciate it. Absolutely. Absolutely. Um, why don't I just stay with where Andrew started talking about the Verizon report and, um, this idea of, you know, the attack profiles for SMBs and Enterprises. Um, I, I want you to talk a little, a little bit more about it from a cloud pen test. So from that perspective, because that's where you live, what are the similarities there?

Um, regardless of size of organization, if that makes sense. Absolutely. Yeah. Yeah. So, so first I would say, um, there's, there's realistically two main views when you're targeting a cloud environment. First, are you trying to get to infrastructure or are you trying to get to like a SaaS service? Right? And so us as like red teamers as attackers from the outside, generally, um, we we're targeting individuals around, uh, access.

So, you know, over the years we've kind of gotten more towards targeting people that have like, interesting access, like developers, IT, uh, database admins, that kind of stuff, right? Um, because in, in most cases in cloud environments, those are the only ones that actually have access to any sort of in interesting infrastructure. Um, but on the other end of that, right, the, the, like, 90% of your employee base is generally just your SaaS users, right? In most cases.

Um, like, and, and they don't typically have access to infrastructure. Um, so what I mean by that is on like the Microsoft side, like a very good example of this is how Azure and Microsoft 365 have separate APIs. And so if we phish somebody's credential, um, that has Microsoft 365 access, it doesn't necessarily mean we're gonna get access to interesting infrastructure on the Azure side. Yeah. Um, even though there, it might be there, right?

Um, and, and so that's kind of been a, a really interesting, uh, uh, I guess like, not necessarily a problem, but it's been an interesting thing we've had to kind of work around and try to figure out, well, what can we do with a set of credentials if we phish a random person in, in an organization, right? Generally it's like, all right, well, day one, let's say we did phish somebody, well, the first thing we're gonna do is see, well, do we have access to infrastructure?

Because if we do, that generally ends up being more interesting. However, there is a lot more to gain from, um, just, just getting access to a, a user's email and SharePoint and Teams messaging, um, as well. And in most cases, it, it kind of evolves into the next, next step in the attack process. Right. And, um, in general, like I would say after getting access to somebody's account, one of the first things we would do is first enumerate the, or the rest of the directory.

Um, because from the outside, uh, you know, during recon, before we do an attack, we generally have, you know, a very minimal list of actual employees at an organization. So in most cases, we might have somewhere between like 30 to 40% of the actual, uh, employee list just from during recon. It's LinkedIn, um, you know, doing, just trying to identify employees that work at the organization, um, through other means. And that list is very much incomplete, right?

But as soon as we get a credential, we can pull the full directory, and then now we have the full employee, uh, directory. And so that's like one really big piece of intel that helps drive further attacks, right? Because then we can phish other people, um, we can phish from the account we just phished, right? So you can do like internal, uh, phishing against other users. Yeah. Um, and then password attacks, right?

So password spraying, um, you know, is still one of the number one methods that we ended up getting in with, uh, through password attacks. And, you know, having that full list is, is really key in those cases. Gotcha. And so would you say, I mean, when you talk about it makes sense, like, it doesn't matter whether you're talking to a 5,000 employee enterprise or you're talking to a 30 person, uh, SMB mm-Hmm. It would be exactly the same in terms of process procedures. Yeah.

So I would, I would say that on the, the smaller side, right? So on like the, the 30 employee type environments, I would say that spraying probably isn't as effective, um, as it is against a larger environment. And, you know, there's a couple reasons for that, but, uh, you know, the main one is like when you have 5,000 people, somebody's gonna pick a bad password. Um, it's, it's just like the nature of it, right?

Um, but what I would say is that, uh, when, whenever we're, if we were to target a small organization like that, I would say the emphasis is definitely on phishing, but also credential reuse, that's the other really big one. So, um, uh, you know, credential, uh, like, like taking previous breach data and trying to reuse, reuse those credentials. 'cause, uh, humans love to reuse the passwords, right?

Like, they love to even just take a variation of something they, they had before, reuse it on a site. So one of the things that, um, that we do, and, you know, we're not the only ones that do it, like many pen testing companies do this, is we collect as much breach data as we can, and we, we've built our own internal database of just every breach, uh, like the old LinkedIn password breaches, right? Like all the dumps that have been made public, right, that are on the internet.

And one of the big things we try to do is look through that for credentials, for targets at the organization we're, we're trying to attack, right? And oftentimes we'll find a credential that matches somebody, but maybe it doesn't actually work on the current organization, but by kind of iterating it or, um, you know, adding some variations to it, uh, sometimes does get us into an account. Interesting.

So tell us, um, for people that don't know, tell us a little bit about, um, uh, understanding what Backdoors and Breaches is and why you developed a cloud edition. Yeah, absolutely. Yeah. So Backdoors and Breaches, um, is a, an incident response card game that Black Hills, uh, Information Security developed a few years ago. Um, it's, it's a game that is, it's very similar to, uh, running a game of Dungeons and Dragons, if you've ever played Dungeons and Dragons.

Um, it's essentially you have a Dungeon Master, or in this case no, no, no One, no one who listens to the cyber call plays Dungeons and Dragons. Yeah. Well, all right, well, then this will be your first introduction. Um, so it's a, it's a, a role playing type of game, right? Um, where you have an incident master who helps drive a narrative around an incident that happens, and then you have your incident responders, um, basically do a tabletop scenario, right?

And they have to solve the full attack chain, um, in 10 turns. And, and the way it works is you have four different sets of cards. You have Initial Compromise cards, Pivot and Escalate, C2 and Exfil, and Persistence. And with these four cards, you, uh, you basically have the entire scenario from, you know, initial access all the way up through like data, data exfil. Um, and so what happens is the incident master will, uh, draw four random cards, uh, one from each pile.

They know the scenario, they can look at the, the scenario, and then they kind of build a narrative around it. They start with something like, Hey, you know, um, Bob in HR, you know, says that they clicked on a link and, um, maybe they, they entered their password. And you know, now it's like, oh, right. Well, we have to look into that, right? And so what's your first step in trying to solve this, this case, right?

And, and then, so you have these procedure cards, the blue ones at the bottom there on the screen, um, that are basically your, your traditional means of, um, doing some sort of incident response, right? So you have things like, um, endpoint analysis, right? I'm gonna go look at the desktop and see if maybe there's any interesting services running. Um, you have user and entity, uh, behavior analytics, right? Are there any weird logins coming from different places?

Like you have all these standard cards, and so your incident responders, they would play one of these and say, all right, well, uh, we know he, he thinks he got phished. Well, let's maybe look at his device or maybe look at his login logs. And then you have a D20 die, you roll it, and if you roll over a 10, your, uh, your defense succeeded and you, you detected whatever mechanism, uh, was on one of these cards. Um, if you roll under 10, then your detection failed.

Your procedure failed, and you have to solve it in 10 turns, or your incident response team loses. Um, that's basically the gist of the game. And, uh, the reason we ended up making a cloud version is because, uh, honestly, just we, uh, you know, we've, we've been attacking cloud networks for so long now, um, that it, it facilitated its own full set of, I think it's like 36 cards, um, 36 additional cards. And it's, so all, all of our expansions, they get mixed in with our core deck.

So if you ever play it, um, you have to have the core deck too. Um, the expansions, like, you could probably do it by itself, but it just works better if you kind of mix it in with all the rest of 'em. 'cause then you build out this really interesting kind of elaborate scenario.

Um, but yeah, so, so the, the cloud version, um, you know, covers all the types of attacks that we do, not only against, uh, like traditional SaaS type, uh, deployments like Microsoft, Microsoft 365, but also, um, cloud infrastructure, right? So what are the types of attacks that happen against, um, like an AWS environment or what, what types of attacks happen against Azure infrastructure? And, uh, I've got some interesting, um, uh, uh, persistence mechanisms in there.

Um, things like, you know, backdooring a container image, right? Um, and, uh, yeah, so like a lot of that I ended up pulling from a class that I wrote too. So it's, it's kind of like, kind of ties right into, Yeah, maybe pull, like pulling that thread be a little, a little bit more. So, um, we learned last week that like 74% of, of all breaches are like privilege misuse Mm-hmm. Right now, um, stolen creds, social engineering.

So are there some good like, scenarios that you would recommend based on this for MSPs coming up with to walk their, you know, their MSPs or even their clients through Like, uh, attack scenarios, like the, the full? So it's funny you mention that because we're actually doing like a three part series right now with, um, SaaS Alerts. Um, that, that's exactly that. So, uh, we were actually doing this like, uh, webinar series, um, oh, yeah.

Then Andrew pulled up the slides from last week where basically what I'm doing is, uh, taking and customizing, um, three different full attack scenarios and kind of walking through, um, the entire attack path and talking about, um, all right, well, let's, you know, try to identify initial access and let's try this card. In this case, uh, like this one that, that's up on the screen now is misconfigured MFA, right? Um, and you know, basically like, that's exactly what I ended up doing.

So, um, yeah. So in terms of building out, uh, your own, um, scenarios, if you wanted to actually, uh, Andrew, could you pull up just the, uh, the, the play.backdoorsandbreaches.com site real quick? I can show you how to do it. I can customize 'em real quick. Um, also, when, when you get a minute, Andrew, um, maybe people would like the link to get to register for the webinar. 'cause it sounds like something they would want to do, um, or if they've done some of them, the recordings.

I, So Beau, is, is that, oh, shoot, was that the, You want the instructions how to play? No, the, the, the website, just the, the play.backdoorsandbreaches.com. Okay. Bear with Me. No problem. Yeah, yeah. So on, on the site. So, so we have physical decks, right? Like that's, um, that's something that, um, honestly, if you, if you find Black Hills at any conference now, um, we we're usually giving them out like crazy.

Like, we usually bring like, I don't know, a thousand of them, and we give them, we give 'em out to, you know, for free. Um, at conferences you can, you can purchase them too, but we do pretty much give 'em out for free. Um, and, uh, in addition to the physical copies, we have the, the digital version. So, uh, yeah, Wes just pasted it in the chat there. Um, play.backdoorsandbreaches.com. You can play it, you can play it live, um, just, just through, through a web browser.

Um, and it will automatically randomize scenarios. Um, but down to the bottom right there, Andrew, um, if you click on scenario tools, um, just right at the very bottom right of the screen there, scenario tools. Yep. And then if, if you click custom, then here, um, you can sort of pick out your, your, your full attack procedures.

So you can click the initial compromise, uh, button, and then, um, this will load all of the initial Compromise cards, and you could start to build out your own, um, custom scenario. If you wanted to just, you know, if you wanted like something very specific, some very specific use case, something that you wanted your in incident responders to have to solve and not have it be completely randomized, you can actually go in here and select them, uh, directly as well.

Because I was gonna ask you the opposite. You know, you, um, like maybe talk to us about how important, you know, uh, the attack chain is and how this can random, like, there's some advantages, right? That it'll make it random with these scenarios. Yeah. So, so Andrew, close that one real quick. Uh, just click the close button. Um, and then if you scroll up to where the, the, um, the attack cards are, oh Yeah, scroll up to where the, uh, the attacker cards are.

If you just click any of those, um, it'll, it automatically randomizes it. So you can see like the first one here, cloud service provider vulnerability. Um, so anytime you play it and you go to this URL, the second you go here, it will automatically randomize anyway.

Um, and that, that does add, um, a huge, unique factor to any sort of tabletop scenario you're gonna do because, um, it really drives narrative and drives, um, you know, uh, conversation, drives conversation around how you would actually go about solving certain things. And honestly, like just even, even being able to detect something and saying, all right, one of our users got, got, um, let's, uh, let's see, domain fronting is C2, right, as C2 there, right?

Um, maybe that's something that you haven't seen before. Maybe that's something that your, your defenders haven't actually, uh, like looked into. And it really drives like that narrative around, all right, well, how would we actually go and find this? How would we stop it? How would we detect it? Um, so it becomes a really, really interesting, um, learning game.

Gary, we, Gary, you always talk about roles and process and responsibilities, but again, I'll ask you, with coaching 450 MSPs right now in Pier, how many people even have a process to go, Hey, we think something at the help desk is wrong in M365, these are the steps. Like this is the escalation step that we're Yeah, The answer is not enough.

Uh, Andrew, I mean, everyone, I don't, I don't, uh, my feeling is today, especially at the support desk level, which might be the most important, uh, people are not, uh, all trained, like they're still getting trained to respond quicker to, you know, user incidents and not really looking out for, uh, security. Yeah.

And, and I think, you know, like I I, two people that come to the top of my mind is Chris Sears at Applied Tech, uh, Leaf Willenberg at my tech, actually two organizations that have really focused on, you know, what, ha you know, it's almost like, again, I think about sales, Gary, and the, you know, you always talk about what happens next. It's like, what happens after, what happens next? And, and then next, right? Yeah.

And I think the importance of what Beau is showing here is not just what you can do to train your org through like a co-managed customer, but are like, what processes do we or don't we have in place? Whatever randomized situation we get, we should be looking at. Is that, is that fair, Gar? Yeah.

And when you think about it, like what percentage, like a huge percentage of MSPs have less than 20 employees, less than 15 employees, you get down into 5, 10, 15 employees think about what a challenge this is. And so what I like about, and I'm glad Beau is here today, is, you know, this is something that people can start to do to get everybody start to moving in that same direction.

And hopefully what should come out of this, right, is just what you said, Beau, wait a minute, we've never seen that one. No, we don't have a procedure there. Mm-Hmm. Right? Yep. Yeah. Yeah. And, and you know, honestly, like I think anytime you kind of gamify, right?

Any, any sort of aspect that's, that can be technical and, and really, um, uh, tough to, to swallow if you, you know, are just talking through it, this kind of thing where you make it a game, um, I think can really help make it more fun, Like potentially a drinking game. Yeah, absolutely. A hundred percent. Yeah. Well, let, let's just like, uh, just one more thing that I I want to ask is, so once you esta have a scenario, right? That's established, um, you talk about established procedures.

So what are they and what are other procedures? Yeah. Yeah. So the procedures are, are what your, your incident responders are kind of bound to. Um, it ke kind of keeps you, uh, it, it keeps the game more, I guess, like rules-based, right? Like, instead of just kind of like having like a, like an ancillary like, oh, this is what we would do to solve this. Um, you have kinda like these driving very key like core cards, um, that kind of make up like your procedure base, right?

Like that they, they should cover like pretty much anything. Um, they're very, you know, high level procedures, um, things that should, uh, at least in some case, um, help you kind of like look into whatever the issue is. And yeah, so some of them, they, uh, like, so the established procedures, it, if I remember correctly, I think you can only use them like once every three turns.

Um, so if you, if you play like endpoint security, uh, protection analysis, um, which the first established procedure there, I believe you have to wait three turns before you play it again. So that is something that, um, does like make it a little tougher too, because you have to kind of look outside the boundaries of, uh, your normal detections. Cool.

Well, I, I'm gonna pass over to Wes, but Andrew, maybe we could ask people if you wanna do a poll or just maybe ask people to type something in chat. I'd like to know how many people, uh, are using Backdoors and Breaches And how many people have the game from one of the events and is, and haven't used it. But, um, I love, uh, Ben, I think, uh, who is it? Justin Showalter, who I do know uses if he's here, he is like, it's right in his background. I know a lot of MSPs now have it.

The cards literally, um, in there. And, and it's now called Bourbon and Breaches, by the way. Love it. Awesome. Last up to you now. Awesome. Another good one is, uh, I, I like Roddy's Fireball in first response. That one is also awesome. Um, okay, so, um, and I don't know, Andrew, if you wanna keep the screen share up or not. I don't know if you, um, uh, yeah, there we go. That we got our, our lovely, beautiful faces back.

So, um, Beau, let's, let's, let's talk, um, get a little control focused for a minute. One of the things that we've seen down market and up market is the proliferation of EDR finally coming into the masses, right? Like, it's really standardized to the point where MSPs are very comfortable with it. They've pretty much built it and baked it into their stack, which is good. There's some phenomenal ones that are out there, no doubt. Um, but we also know they're bypassable for sure, right?

Like everything is standalone on its own. So I guess my question is, from Black Hills' perspective, or even yours personally, do you see this ubiquity of EDR coming out pushing bad guys to have to, as we said at the beginning of the cyber call, start to have to take some directions and other other ways? Is that why we're sorting, we're we're seeing them kind of move to the cloud a little bit more and focusing on that 100%? Absolutely. Yeah. Yeah.

So, like I said, like I, I, I've gotta witness it firsthand. So back, like, you know, when I first started pen testing, um, almost 10 years ago now, um, like we could, we could make a, an Excel spreadsheet and use like a mo a really basic like payload generation toolkit, like something just, you know, open source, um, didn't have to put a whole lot of effort into like, um, encoding, um, and send it, and they would click and we'd get shells. And it was just, it was, it was very easy.

Um, and that was because back then it was just AV, right? And so anything that had a signature was what actually got caught. You didn't have behavioral analytics, you didn't have application whitelisting, that was just starting to come out. Now you have EDR, um, and EDR has a hundred percent changed the way that we have to kind of approach how we're doing any sort of payloads, any sort of phishing.

And, and like I kind of alluded to there at the beginning, um, like phishing has gotten hard because of that, right? So, um, we've had to kind of, you know, move from trying to get shells. In most cases. We still do, we still, like, we still end up trying and, and sometimes, sometimes succeeding there. Um, but the majority, I would say, of success we have now is through credential compromise, through phishing, um, uh, just for credentials through login portals.

Um, because, you know, we, we have tool toolkits now, um, that allow us to create, uh, effectively like reverse proxies to actual websites, right? So Evilginx2 is a really popular one. Um, that basically what it does is allows you to, um, instead of just, you know, back in the day we used to just clone portals, right? We used to just like, you know, scrape Microsoft Office, right?

And, you know, clone the portal and then just try to get credentials and then tell the person, oh, well your credential failed and then redirect them. But now, um, the problem with that, the problem with that, that kind of scenario is you don't get MFA, right? So if the user has MFA and you get their credential, you can't really do much with that.

Um, but now with, uh, the way reverse proxies work is we can actually create a, a full on transparent, uh, proxy through to the actual application. So whenever they go to authenticate, we get not only their credentials, but also session tokens. So they go through the entire process, get, you know, establish MFA, right? Um, they, they still go through that entire process. SMS, you know, calls whatever MFA they have. Um, but we ended up getting, we ended, we ended up getting sessions right.

And that's realistically way more valuable than just getting a credential, um, be because of the way MFA is like, you know, everywhere right now. Um, and you know, I I would say that that, like, that alone has really kind of helped us pivot more towards, uh, towards, towards credential compromise over trying to get shells.

And, um, one thing that I've noticed heavily over the last few years is that oftentimes even if we do get internal, even if we get, you know, a shell on somebody's system in the, in the network, we still end up, um, trying to pivot to cloud in some context, in most cases anyway.

Um, and, and the reason is because, um, oftentimes we'll find that, uh, organizations are really heavily reliant on things like SharePoint now, and, and due to that one reason, um, you know, we end up finding sensitive data there. That's actually something that you know of, of all the pen tests I've done over the years, files on shares is one of the main places we end up finding, um, sensitive stuff.

Like it, you would, you'd really think, like, you know, people should know by now not to put like passwords.xls, you know, on a share somewhere or, um, you know, SQL database backups, like on a share somewhere. But they still do. And, you know, it's, it's, I would say every single pen test I've ever done, I have found something like that on it, on either in network share on the inside or in SharePoint now.

And, uh, and, and, you know, so that's, that's one of the reasons why it's, it's actually become kind of the point for us to just get credentials now because we wanna just look at SharePoint, we wanna look at, we wanna look at email, we wanna see what they're sharing, um, between each other, uh, using just the SaaS services. Yep.

Andrew, We, yeah, Wes, um, also, I'm curious, what Beau's take also is on the things like Slack and Teams and 'cause Lapsus$ didn't, they, Beau, wasn't it like, they took down a few enterprises just on that kind of attack, right? So are there, uh, do you find also when you investigate what's in, you know, uh, collaboration tools like that you find? Absolutely. Yep. Yeah. Are you amazed at times what you find? Oh, yeah. Well, well, I mean, so, so there's two things there.

Um, with, with ChatOps, it, I would say like if you went back, uh, maybe three to five years, we started really heavily relying on phishing through direct messaging. Um, so phishing through LinkedIn, direct messaging, phishing through, through Slack, um, and now Teams, um, has become like the main place that we phish through. And the reason is because, uh, email protection is another big thing, right? So trying to get, you know, a phishing message through email has gotten a lot tougher too.

Um, and by default, uh, Microsoft 365 tenants allow collaboration with other tenants. Yep. And so, you know, I can spin up my own O365 tenant and I can start a direct message with your Teams tenant, unless you've explicitly denied that. So I can, you know, create a brand new tenant and call it, you know, um, you know, company name, help desk, whatever, right?

And, and then now your user, your HR person gets a, a, a DM through Teams from, you know, your company name, help desk, whatever, right? And I'm, and I would have to phish through that, right? Like that's, and that's, that's really become, um, one of the better ways to, to, uh, to phish these days. So, yeah. So Teams, absolutely, from a phishing perspective, it's big. But secondly, um, getting access to somebody's account and looking through Teams history as well.

And we, Wes, just one last follow up question, I don't wanna steal your thunder, but also Beau, does it amaze you that like Microsoft, like if you're not careful, like you create a, a, you know, a URL, like something you wanna share via a URL, by default, they don't expire also. Right? You know, and you're sharing, you know, creating, um, what, you know, something via, you know, via an M365 tenant Mm-Hmm.

Like, you know, in talking to Chip, uh, Buck, you know, at SaaS Alerts, that that's one way they've seen a lot of bad things happen, actually. Um, so like a, like a OneDrive link that Yeah. Created Yeah. Yeah. And then shared probably through email, Right? Right, right. Yep. Yeah, I mean, that, it makes sense, right? I mean it, why would they expire? Uh, you know, if they want to give, you know, somebody access to their, um, to their files, right?

I mean, it's, it's a, it's, it, it actually, I would say Microsoft probably calls it, you know, a function, right? Like that's how it's supposed to function, right? It's, uh, it's a feature. It's a feature, yeah. Feature. Yeah. So I think everyone's stomachs collectively dropped when they heard all of this, right? Because you just unpacked, Hey, Wes, I'm sorry, I don't wanna, I, I, nope. Just, I, I'm wondering like some of these things, like it's so much is focused on Microsoft now, right?

Like, so much of it I spent a lot of time with, you know, Jim Lippie, I get to look through all of his, you know, all of his data and is it surprising that Microsoft hasn't put a few basic things like what you just mentioned, like, you know, it is hard to tell when you get a Teams message like, what, what you just said. I get messages like that from internal, it, it would be almost impossible to know the difference and nothing there is tagged. Yeah. Yeah.

I mean it's, i I, I don't know, like from a targeting perspective, Microsoft has always been the main, main, main organization, like for the, the history of pen testing. And, and the reason is because, um, that's where the directory is. That's what, that's what every organization on the planet is using. I, you know, I, every and air quotes, right? Um, occasionally we run into like, you know, a Gmail or G Suite customer, right? And they, they're using that for, for their SaaS side.

But, um, pretty much every enterprise in the world is using Microsoft 365 and Azure Services. And, um, and, and mainly because it, it was very easy for them to, to pivot from on-prem active directory to, to now using Azure Active Directory, right? And being able to apply policies and access to resources and access to, um, whatever network shares and, and types of data they want it to through Azure now. Um, so it's a very easy pivot to just directly into other Microsoft services. Yep.

Uh, and what keeps coming back in my mind, Beau, is how much of this I don't think that we've really prepared for, and this is where our stomachs drop, as I was just saying, like all these different areas, like as much as that wonderful feature is in Teams to have other non-tenant collaboration, you finish a meeting, you can still get back with them and ask a question. Like, that's awesome. But yep.

We don't think about the security ramifications there or, um, you know, looking at like how much go check your, like, corporate Slack, how many files have been shared into general use channels that are just still searchable? Mm-Hmm. Yeah. Like, it's crazy scary how much that Slack just continues to store. 'cause you're on a corporate enterprise plan, and anybody that gets access into it can just do a quick search and find who knows what, right? Over years of time.

Same with share drives and SharePoint and mm-hmm. Like, there's so much here that I think happens from sprawl that we haven't ever taken the moment to come back and think about the ramifications of this, because we're just sort of moving on doing business, right?

It's the same classic story that every MSP knows of like Bob, the CFO, sorry, Bob Miller, not you, but maybe a different Bob, um, having, you know, the G drive access or the S drive for years and they don't need the entire S drive, but they still have it 15 years later because they've always had it, right? And then, then that's the account that gets popped in. All hell breaks loose because of that, right?

We just, we've always been in those kinds of scenarios where that's been a challenge for us. So maybe we could do this, modernize this. Let's play a little bit of like Backdoors and Breaches here. If we could, um, take, take us through maybe a scenario of your choosing that's very modern, that's very Microsoft 365 focused, whether you want to go directly into the entry point, but, but take us through something that maybe we haven't thought of before as a scenario. Yeah.

So, um, if, if I were to, if, if, for example, you said, red team me today, right? What's the first kind of like, I would say like the, the, the, the more successful phishing campaign that I would use against you? This is what I, I, this is what I would do, right? All right, so this basically the, the first step would be can I collaborate via Teams? And, and that's a very easy thing for me to find out.

Um, it's literally open up Teams, search for your email address, and it will tell me if I'm allowed to send messages to our organization. Very easy to do. Um, so that'd be the first step. And if we can, I, I would, I would immediately opt for phishing through Teams over email, over any other, you know, phone calls at any, any, any day, right? Like right now, sending you a DM. Well, multiple reasons. One, um, it comes to your desktop, right?

Two, if you have it on your phone, it's gonna pop, pop up on your phone, right? Teams on your phone. Um, which is just as good for me because I am not gonna be trying to phish for a session on your computer. Um, it like, if, if, if I don't know much about your environment, and you said like, all right, just gimme your best, best shot, you know, blind, which in most cases, that's the way it works, right?

From a red team perspective, um, you know, occasionally we have some room to do some research around, well, what endpoint protections you have. And that's, that's another story. But that basically, if you said, here, gimme your best shot, this is what I would do. So figure out if you have Teams, if so, phish through Teams, um, I would develop a ruse around some sort of help desk kind of thing. Um, and I would opt for, uh, what is known as device code phishing. Are you familiar with this?

Um, I am, but let's, let's not assume that anyone is familiar. Okay? So, you know, historically, phishing for a user's password involves them going to a portal, typing in their username, typing in their password. That's, that's already a big red flag to a lot of people. Um, you know, trying to get them to click on a link and download something and then run something, that's another big red flag. What's right now, not a huge red flag for people is what is called device code phishing.

And what it is, is if you've ever, uh, like tried to log into something like Netflix on your TV, right? When you go to log into Netflix on your TV, it says, Hey, instead of typing in your long password here, go to your phone where you're already logged in, or go to your computer where you're already logged in and enter this like, six digit number, right? The TV says, here's a six digit number.

You go to your phone, you enter the six digit number on your phone where you're already logged in, and it will magically log you in on the TV, right? So Azure, Microsoft 365 have the exact same thing, and it's called device code authentication. And so I can initiate a device code authentication from my device, it'll gimme a little code, just a little, I think it's six, six or eight digits. Um, and then I would pass that off to you that I'm phishing through Teams.

I'd say, Hey, um, go to microsoft.com/devicelogin, enter this code. That's all, that's all you have to do. That will, that will, you know, restore your session, you'll be good to go after that. From a help desk perspective, I'd have to build some kind of ruse around that, right? Um, and then if the user goes to it's, you know, it's, it's not telling 'em to go to like a malicious site. It's literally microsoft.com/devicelogin.

They go there, they're already authenticated in their browser, most cases 'cause they're, they're looking at Outlook, right? They're looking at SharePoint in their browser. They go there, um, they'll see a little box that says, you know, enter this device code. They enter the device code, and then it will magically authenticate my external, um, uh, browser, right? That's, that is like right now, like I would say like the number one method that we end up getting into to, to enterprise accounts.

Um, Can you get, I'm sorry, can you, that was interesting. Can you just run through that one more time? Like, but from the perspective of me, I'm the user. Yep. What would I see? What would I experience? So use the user, you would get a, a new Teams message from somebody that looks like they're in your help desk, right? However, it's an external person, right? It's me, it's the attacker. You'd receive this message and it says, um, you know, your help desk needs you to, uh, go to microsoft.com/devicelogin

and enter this code to do something. Like, like, I'd have to build a ruse around it, right? And, and make it sound, you know, yeah. Useful for them. Um, but it's your, it's coming from your help desk, apparently. Um, they say to go to microsoft.com, so you as a user, you just go to microsoft.com in your browser, you enter the code, and that's all you have to do. And then that's the end of the story. Um, it, it's so nefarious because I didn't put in my credentials.

I didn't get a multifactor check, which I'm used to. You told me to go to a legitimate, trusted domain. Like I think 99% of people including IT people would fall for this. And, and Wes, this is the thing when you go back to the Verizon data breach report about pretexting and that, you know, this, this term, which basically says, I don't need to phish you anymore. I just need to be good enough socially in a social engineering setting, which Beau just articulated.

I'm just gonna tell you what I want you to do, and you're gonna go do it. Yep. Yep. Um, what, Wes, can I expand on what you asked please? Yeah. And, um, I'm gonna bring up Chip Buck. Um, we're just gonna do this for a prelude to next week. Beau, can you set the stage as I bring up Chip? Ideally we can hear him too, about the Microsoft, the Chinese Microsoft attack, and I mean literally using like, um, what was it, uh, Xbox accounts to get into, you know, these token, you know, token harvests.

So let me see if I can get Chip. We're gonna do, this is a prelude to next week. Talk about like, one of the most, as Chip will share one of the most sophisticated attacks he's probably arguably ever seen, um, that, you know, now Microsoft has, you know, kind of pulled back the layers. But let me, Chip, can we hear you real quick here to give a prelude to next week? And then I'd love Beau's take on this. 'cause this is, you know, again, tokens that you're seeing daily, right? As attacks, right.

Token harvesting. Um, but this was a pretty sophisticated one. Is that fair? Yeah, I, this was very sophisticated. I mean, if, for for anyone that's read, uh, or reads Microsoft Security blog, um, you know, they, they published more details on this whole attack. And, you know, the fascinating thing about it was, is that, you know, these attackers figured out a way, um, and I'm sure it was just trial and error, right?

For anyone in here who's a coder, um, you know, like you're like, oh, maybe this will work and you try it, or you're beating your head against the wall and you happen to stumble across something. And my bet is that's how this happened. But they took a, um, they took a private key used for creating, um, tokens, authorization tokens, uh, intended for the consumer side of the business. And they tried it. They tried to forge, uh, an authorization token against the enterprise side of the business.

When I say consumer and Microsoft, I mean live.com, you know, outlook.com, the, the free stuff, Xbox. Um, and lo and behold, it worked. So all of a sudden they had an access key, uh, without any of the kind of social engineering or phishing stuff that Beau was just going through. They didn't have to do anything to interact with any users.

They just created their own token, slipped in and started using it with REST API commands running off of Python scripts and sucking out data, um, pulling stuff outta mailboxes. Absolutely amazing. So, you know, the, the, the takeaway for, the big takeaway for me is, and I think we all know this in the community, is it's, it's a nonstop evolution of new things.

We talk a lot, you know, Gary opened up at the beginning that hackers are still getting away with doing the stuff that they always used to do because we're not good enough at protecting, um, ourselves and especially in the small business community, protecting our clients from the possibilities. Um, you know, Beau walked us through how he's witnessed in the evolution of his career that the, the main point of interest now is no longer devices and networks, um, it's accounts.

You know, sure, you can use devices and networks to get to accounts. That's another way to get there. Uh, but the hacking community is always gonna take the path of least resistance, whatever it is. And we've definitely noticed that at SaaS Alerts, you know, in the, in the three short years since we've been in the marketplace, we've noticed that it is now tokens and they're getting very, very clever about access tokens for Microsoft 365 in particular, also applies to Google Workspace.

Um, same, they use the same OAuth approach. Um, you know, there's a lot a, anybody that's actually running a browser, an app is probably using a similar OAuth approach. So they're all targets. Um, and they'll, they'll all be mechanisms through which, um, the hacking community, especially the state level guys like this was, uh, are gonna develop another path in.

And, and so Beau, your perspective on this, and do you think, you know how Beau when you say, you know, there's a vulnerability, there's, there's always probably another one. Um, mm-Hmm. Do you think we're seeing this could be the beginning of something, you know, Microsoft's, you know, you know, and in fairness to them, right? There's a lot of code they support, but they're like, Hey, we're good. Um, yeah.

So I think, I think, uh, you know, it's not the first time something like this hap has happened, but it is one of the bigger things that have ever happened. Um, like I, I don't think it's probably gotten as much news as it maybe it should, because it is actually, like, it is a huge, huge issue now, uh, you know, we've had multiple types of, of, I guess like vulnerabilities that have kind of happened against cloud providers directly.

So, um, a good example of that is Azurescape, um, was one that happened a couple years ago where, um, basically, uh, the researchers found that you could escape out of containers in the Kubernetes environments in Azure, um, and access other customers, right? And within, uh, the, the Microsoft environment.

And you know, like that's one of those things, it's like whenever, you know, people were worried about moving to the cloud years ago, the main thing was like, well, is my data gonna be accessible to anybody else, right? Like it's, I'm, I'm using these cloud servers, you know, like how, how much are they actually divided, right? Like, how much, uh, you know, how much, uh, space do you actually have in between like my services and you know, the next company over, right?

And it turns out there's not a whole lot of, uh, you know, like space in between, right? Like if you get high enough, if you can escape Yeah, exactly. If you can, if you can escape, um, even like certain resources just up to the next level up, right? Um, oftentimes you're able to kind of pivot around to other customers, and that is a huge issue.

Um, but this case in this, in this specific event, um, the, the attacker was able to basically just manifest tokens for whatever they wanted, um, for whatever organization they wanted. And that like, I mean, they targeted specific companies and, and So that sounds bad. It is, it's very bad. It's very bad. And, you know, I, in other words, one person made no investments in security. The other one tons, but it doesn't matter.

So one thing you gotta consider right, is, you know, a, as an attacker who finds something like that, the number one thing you don't want to do is burn it. And so that's, that's why I, I imagine, you know, we, I think there was like, what, 25 organizations that were targeted, right? I, I think because you didn't see like a thousand organizations targeted, it's because they wanted to be very precise. They did not want to burn their access, right?

They ended up, you know, eventually like it got caught, right? Um, but I mean, what was it like a month they had access? At least they said this could have started as early as April. Microsoft was seeing access from the IP addresses. And, um, so it was probably four months, you know, could have been 10 months for all we know. Like, listen, That's a long time. I Think, you know, I'm often a big critic of Microsoft. People know this about me. Like I have a love-hate relationship with 'em.

I think like we all do, I think they deserve some, some kudos on this one because their, their follow up article on it was extremely straightforward. They admitted upfront, like, no, no glossy language. They just said, this is not the way our system was supposed to work. Period. End of story. It. And, you know, in other words, this was a code failure that we didn't catch.

Um, but we fixed it, you know, and, and I, for one that in this particular case, believe them that they have, um, we went back through and looked at ER's data. Oh, by the way, Microsoft's also claims that they've notified every single, uh, 365 customer, you know, across the globe who was impacted by this. 'cause the signature here is so specific of how this went down that they know exactly who this happened to. We went back and looked through all of our data.

We don't see a single access, um, from anyone of, of anything like this. None of the IP addresses that were listed in, in their articles. 'cause Microsoft laid the whole thing out exactly where this came from and how it all happened.

One of the fascinating things I, I found about it, I thought about it, Beau, I don't know if you've read the article yet, but for those who haven't is Microsoft walked through the whole timeline piece of, and how they knew how they believe it's China, um, looking specifically, not, not just at the IP addresses. 'cause of course they're proxied all over the place. Um, but when the actors were logging in, like this was a day job thing, it was like an 8:00 AM to 4:00 AM thing if you live in China.

Like, that's what it was. So, so next week, Chip, we're gonna have you, I wanna hold some of your thunder here, but I'll let Wes finish up with Beau, but thrilled to have you coming on and really unpacking this next week from beginning then. And it's gonna be really interesting Yeah. To look at. It's gonna be big. Gary, you're gonna have to call in from Italy, if that's okay. He'll have a glass of wine in hand though, that's for sure. So, uh, Chip, man, thanks for joining that.

That's, I can't wait for next week. That's you guys. Make sure you, you attend that one. Um, let's talk, I guess Beau, I don't wanna leave us hanging on a, on a cliffhanger here, right? All of this is definitely scary stuff, right? Disabling external messaging. I'm sure it goes into something that you guys would recommend, but cover some of the other basic no-brainer defenses that organizations need to have in place and, and, and they probably don't.

Yeah, so, you know, the big one's conditional access. Um, so the, the thing that's funny about Microsoft, and probably my biggest pet peeve when it comes to, um, security protections in Microsoft, is that the day you sign up for a Microsoft 365 account, you actually have pretty decent protections in place. It's called security defaults.

And by default, like it, it, you know, forces MFA, it, um, you know, protects the Azure portal from, from users being able to access it, um, has, uh, it, it disables legacy auth, right? So legacy auth protocols can be used, um, lots of good stuff, but the, the minute that you want to have any sort of, uh, uh, exclusion from that, right?

If you have a CEO or you know, some C-suite person that wants to login in single factor from their phone, um, the day that that happens, you have to opt for conditional access and you have to disable security defaults. And so what, what the problem that is with that is that you now have to have an admin who knows how to go and rebuild those policies, right? Um, knows how to re, re-implement the good stuff, right? Disabling legacy auth and all that.

Um, but yeah, so with conditional access, like that's, it's one thing we talked about last week, um, with, with, uh, misconfiguring MFA and one thing we talked about is, you know, phishing for a session. Um, but also there is, uh, you know, there still is a very much a heavy, um, attack path to just phishing for credentials. And in those cases, um, you know, oftentimes we'll either phish somebody or, or password spray, right? Let's say, let's say we did password spraying from the outside.

Um, still a super common method, like I said. Um, but the big problem is that MFA is generally enabled in a lot of the tenants that we, we end up going up against. Um, so just getting a password for, for a user is not good enough, right? Um, however, with, with Microsoft auth, there's multiple places to log in and multiple, multiple places you can misconfigure that in conditional access. So that becomes one really big thing we target.

Um, I ended up writing a tool to actually help us find those misconfigurations. Um, it's called MFASweep. And basically what it is, is a tool that, uh, will, I think it's up to 12 different login portals at this point, where, um, you have a set of credentials and it tries, um, the, the Azure Service Management API, it tries the Graph Management API, tries, uh, Exchange Web Services for legacy auth, tries, um, the, the, the actual web browser, like modern auth portal, um, as well as, so the, the funny thing about conditional access is that if you try to, um, uh, create device platforms, so if you want a user to log in from their phone, Microsoft's literally just looking for user agent.

Um, so I try, you know, Apple user agent, uh, Android user agents, Mac, uh, Linux, and, and go through kind of like all the different user agents that, uh, or possibilities there. And the, the whole point of that is that, you know, if there's a conditional access policy in place, it says X user can auth, you know, from their phone, uh, single factor. This will find that, right?

And this will tell us, oh, well all we have to do is change our user agent to an Android user agent and we can get into this account with just a username and password. That's nasty. Yeah. So That's, is it me, Wes, or is this one of the more depressing sessions Awesome. And depressing sessions that we've had. I think I'm gonna become a chiropractor now or something. Listen, 'cause a few things you mentioned today, like, yeah, I feel would work a hundred percent of the time.

It, it's, it like, don't get me wrong, you know, pen testing does have its days where it's, where it's rough, um, and, and, and difficult. Um, however, uh, it was funny, I think Andrew, we were talking about it last week. There are these things that we call forever days, um, instead of zero days, right? Things that tend to work across a majority of things. Um, and, and oftentimes they're, they're more techniques than they are actual exploits.

Um, and like a great example of that, I like, I I, I can't do a, a single talk. Like I, I'll go speak at conferences. I can't do a single talk without talking about password spraying.

And it's because over the years, like I, I've probably written six different password spraying tools, um, you know, for from internal active directory to, to now Azure, just, just multiple different, um, scenarios for, um, password spraying, web applications, different, different, you know, types of, of auth, uh, portals. Um, and it really has been one of the main ways we end up getting credentials. And it's, it, it, it's, it's just a great attack because you don't end up locking anybody out.

Um, and you oftentimes have luck with something that is common, like a season and year, company name and a year, company name 1, 2, 3, that kind of thing. Sports, local sports teams is another good one. Well, Gary, I, I take it, you know, yes, you could talk, look at this, you know, depressing.

I look at it as, you know, the ability for MSPs to, to, to look at what are the fundamentals again, and that we, we have to all, like, if you think about it, fundamentals are what provide greatness in all things sports, right? What do the greats do? The fundamentals. And if you think about what are the threat actors doing? Threat, right? Well, it means that as defenders, we've gotta get back to the fundamentals.

And as you say, often Gary, it's us failing as organizations, not being able to convey that in business terms so we can get somebody to do something, right? And that's, Yeah, some ways is not even making customers make investments. It may be like, Hey, this is a big feature. You wanna be able to communicate with people outside of your org. Let me tell you what we can't protect you from. If that's on, here's the other side of it.

And having your organizations make more and more decisions to prioritize security over efficiency or convenience. 'cause that's ultimately, that's part of this Andrew, right? The hard part for MSPs. 'cause SMBs aren't sophisticated. No, but it, but again, it brings us back to get, you know, rethinking, you know, what's the next greatest tool as Ryan Weeks says, stop asking me about what I should get next.

Let's go back and look at fundamentally what you have today and are you using it effectively? Right? And it's the same thing with the fundamentals are gonna make or break Beau's job. He doesn't need to do anything really hard to get in. He just needs to do, like he says, the forever days. So yeah, I mean, this is great. Beau, yeah, great stuff. Beau, really, really appreciate you coming on. Um, love our partnership. Love the fact that you give so much, uh, along with all of Black Hills to MSPs.

Yes, Chip, thrilled to have you, uh, come, come on next week and I'll close out by just sharing this quick, quick screenshot of your pre-day at Right of Boom, which is up there. Now these are, you know, uh, probably one of the slots that's gonna go fastest, um, once registration begins. Uh, I think there's 40 slots available in your pre-day, so really good. I gotta get working on my beard. You do. So with that Chip, look forward to having you back next week. Everybody have a fantastic one.

And Gary, have a great, uh, trip. Uh, and, and I think we'll see you what, in two weeks. He, he's already left, he's already gone on the plane. Alright, take care everybody. Thanks guys. Thanks guys. Thanks. Thanks.
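Two of the Microsoft 365 weaknesses the guests describe above, device code phishing and conditional access exclusions that key on the client's user agent, both leave a trace in the tenant's sign-in log. The following is an added defender-side example, written for this page and not code from the video, Black Hills or SaaS Alerts: it triages a constructed batch of sign-in events for successful device code sign-ins and for one user hitting single-factor from several different platform user agents in a short window. Field names follow the Microsoft Graph signIn resource as I understand it; the events, addresses and users are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real tenant data). Keys follow the
# Microsoft Graph signIn resource as understood by the author of this example.
SAMPLE_SIGNINS = [
    # Ordinary MFA sign-in for the finance user from their usual address.
    {"createdDateTime": "2025-01-30T13:10:05Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "192.0.2.25", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "status": {"errorCode": 0}},
    # Device code flow completed for an HR user. The token is issued to the
    # client that requested the code, so IP and user agent are that client's,
    # here a scripted client at an address the user has never signed in from.
    {"createdDateTime": "2025-01-30T14:02:11Z", "userPrincipalName": "hr@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "python-requests/2.31", "status": {"errorCode": 0}},
    # Four attempts for one user from one address within three minutes, each
    # claiming a different platform. Non-zero errorCode means the sign-in did
    # not complete; the Android-looking attempt got through single-factor
    # because a conditional access exclusion for phones keys on platform.
    {"createdDateTime": "2025-01-30T15:00:01Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "status": {"errorCode": 50076}},
    {"createdDateTime": "2025-01-30T15:00:48Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64)", "status": {"errorCode": 50076}},
    {"createdDateTime": "2025-01-30T15:01:30Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "singleFactorAuthentication",
     "userAgent": "Mozilla/5.0 (Linux; Android 14; Pixel 8)", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-30T15:02:40Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
     "status": {"errorCode": 50076}},
]


def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _succeeded(event):
    return event.get("status", {}).get("errorCode", 0) == 0


def find_device_code_signins(events):
    """Successful device code sign-ins. Interactive users rarely need this
    flow, so each one deserves a look: was the user told to enter a code,
    and do the requesting IP and user agent belong to a device they own?"""
    return [
        {"user": e["userPrincipalName"], "ip": e["ipAddress"],
         "userAgent": e["userAgent"], "time": e["createdDateTime"]}
        for e in events
        if e.get("authenticationProtocol") == "deviceCode" and _succeeded(e)
    ]


def find_user_agent_sweeps(events, window=timedelta(minutes=5), min_agents=3):
    """Same user, same source address, several distinct user agents inside a
    short window: the trace a per-platform conditional access probe leaves.
    Also reports which attempts, if any, completed with single-factor auth,
    which is the exclusion an admin would then want to tighten."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["userPrincipalName"], e["ipAddress"])].append(e)
    findings = []
    for (user, ip), group in by_key.items():
        group.sort(key=_ts)
        for i, first in enumerate(group):
            burst = [e for e in group[i:] if _ts(e) - _ts(first) <= window]
            agents = {e["userAgent"] for e in burst}
            if len(agents) < min_agents:
                continue
            single = [e["userAgent"] for e in burst if _succeeded(e)
                      and e.get("authenticationRequirement") == "singleFactorAuthentication"]
            findings.append({"user": user, "ip": ip, "distinctAgents": len(agents),
                             "singleFactorSuccess": single})
            break  # one finding per user/address pair is enough for triage
    return findings


def triage(events):
    return {"deviceCode": find_device_code_signins(events),
            "userAgentSweeps": find_user_agent_sweeps(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

On real data the same functions run unchanged over the `value` array returned by the Graph sign-in log endpoint; the window and agent-count thresholds are starting points, not tuned values.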
