What MSPs Need to Know regarding Potential Russian CyberWarfare
In this video, cyber experts come together to discuss the rise in cyber threats linked to the ongoing Russia-Ukraine conflict. They delve into the implications of these developments on global cybersecurity, especially highlighting the increased cyber activities originating from Russia and China. The conversation also covers practical steps MSPs and businesses can take to mitigate risks, emphasizing the importance of maintaining strong IT hygiene and vigilance against potential cyber attacks.
<ul>
<li>The discussion highlights the increasing importance of cyber hygiene and basic IT security measures to protect against both nation-state and cybercrime threats.</li>
<li>There's a notable increase in cyber activity originating from Russia and China, with patterns suggesting possible collaboration or similar motivations in their cyber attacks.</li>
<li>The webinar emphasizes the need for MSPs to communicate effectively with clients, especially regarding cyber threats, to establish themselves as thought leaders and trusted advisors.</li>
</ul>
Video Transcript
One. Alright, welcome everybody. Episode, gosh, 85, 80, whoa. Almost at two years. Can you believe it? Whoa. Here's the two years more. Yeah. Incredible. And we're coming up on, I, Wes, do you think we'll make 4,300 today? Today we're gonna make 4,300 today. Yeah. So we're at 4,295. That means I need five of you to go out and invite one friend to join. Let's make it 4,300 today. Fair. Fantastic. So, hey, this will be a quick one. Not much going on in the world.
Let's just, uh, you know, see how everybody's doing and wrap things up quickly. What do you say? Okay. Um, so, uh, quick announcement, I'll have, um, at the end I'm gonna bring on Jim Lippie, CEO of SaaS Alerts. He's got some really interesting data to show as well as an offer. I gotta talk on a webinar in a couple minutes. I have a webinar in a couple minutes. Oh, we're already on Ryan. Oh, you can hear me? Oh, a Andrew. So much better. Send me, I think I know what's going on.
Yeah, well, don't worry, Ryan, I won't put that out in LinkedIn or anything. Oh, sorry. You've had Pro tip. The, uh, the mute, the physical mute button is a really nice feature. I have it. Oh, okay. So, um, I put a poll question in if you guys could please take a look at that. Um, we typically get like, I don't know what it is, Gary. We got hundreds and hundreds of MSPs on live, and I put up a poll question, like, yeah, 46 respond. I don't know what it is. But anyway, they think Mining.
You're tracking them, Andrew. Huh? They think you're data mining them. We can't. You can't. It doesn't. It's anonymous. Anyway, all right. So let's get right on into it. Setting the stage here.
Um, so in light of the, I shouldn't say light, I don't, there's nothing light about it, but when I say in light, you know, for today's, uh, event topic, uh, the Russia-Ukraine conflict, um, we are, you know, probably seeing some things, and Ryan, you alluded to this in our, um, YouTube or LinkedIn video earlier today. We will look back at this as probably some of the first time we're going to see, you know, both physical and cyber warfare, um, at a grand scale come into effect.
And, and we're seeing, you know, sympathizers choose sides. Um, there's gonna be a lot to unpack and a lot to learn, fortunately, and unfortunately, as a result of this, um, I wanted to make sure that we could bring value to all of you all today. And in doing so, I've got two awesome guests that I'll introduce momentarily. But I want to just kind of set the stage of the agenda for today.
Um, we're gonna start off with Ryan doing a, um, little bit of a history of, um, Russia APTs, um, Russia-Ukraine cyber attacks. Um, so, so there's some perspective on this.
So that's important because when we get to point number three about what your MSPs could be doing, and John Murchison mentioned this, you know, you know, we, we haven't hit the panic button, nor should we, but there's probably some organizations that you could be servicing where you're gonna be wanting to know the threat actor that attacks that group looking at MITRE ATT&CK, et cetera. Um, so, um, that's point number one. Point number two is what's happened thus far.
Bryson's gonna give us some insight on that. Those are things like, you know, the wiper malware and other things that have occurred thus far. And I think we'll probably end up spending most of the time today talking about, you know, what's relevant today for your MSP. What, what do you need to, you know, focus on, you know, what would actually matter?
Where, you know, we are starting to see things ramp up and, you know, we need to do things beyond, uh, our, our standard protocol of cyber hygiene. So with that quick, Hey, Andrew, before we start, can you look at that poll? Like 61% said no, and I'd like to see if anybody here has an opinion about what that poll might mean. 'cause I think it's interesting if 61% of people said their customers either aren't asking or aren't concerned. So what does that mean to everybody here? Yeah.
What does that mean to those MSPs? And, and then I even think too, like, are they not asking you because they think you, you're not a thought leader in this. That's a scary thing. Like, you want to be involved in these kinds of things, right? Not to be the one that knows all the answers, but certainly if clients are gonna wonder what's happening, whether they're asking you or not, they're not asking you that, that could be a little concerning. Hey, we hit 4,302 Andrew. Awesome. Hey, fantastic.
Yeah, I have other people's clients, uh, reaching out to me to ask me. So my thought on it, Wes, was you gotta step back and saying, do your customers not understand security risk? Right? Have you not shared enough with them so that when things happen, they're able to start to make, uh, those, those connections. So I think everybody should put some thought process into, into that.
Well, and a question, I guess, Gary, if you are the MSP and they haven't asked you, is say, you know, A are you intri? Are you concerned? Are you interested? And B, if you are, are you seeking alternative? Are are, are you talking to other people? Are you talking, for example, are you talking to your CPA? You talk to peers? Like who are you talking to? To your point, Gary, why aren't you talking to me? Right.
You know, that should be the, the question, you know, going off if I hear you're where you're going with This. Yep. And I think I saw it was, uh, was it Jennifer that said, already sent a, you know, a blog out. You know, we recommended that to all of our members, a blog, a letter, something, you know, not a scare tactic, right? But just letting them know, like, just about that you're on top of things, thought leaders, like, you know.
So, uh, everyone should have had some communication into their contacts. Right? And by the end here, hopefully you'll have some good resources. I'll put together, by the way, a packet of data and charts and everything where you probably could put together something compelling, uh, for, for your customers. Okay. So quick intros, Ryan. Uh, oh, sorry. So John, let's start with you. John Murchison, thank you for joining us.
For those of course that haven't, or don't know who you are, haven't seen, you don't know who, John, would you give us an intro? Yeah, sure. So first off, thanks for the invite, you know, it's a timely topic, obviously. Um, I'm John Murchison, CEO, founder of Blackpoint Cyber. Uh, you know, I'm a tech background guy. My, I spent about 12 years, uh, with the National Security Agency. You know, it's my running joke, but not a joke. We're bad guys to the right team. But I worked with them.
I worked jointly with many other agencies and conducted a whole range of operations, cyber, human, you name it. Um, so I guess my background or my view, a lot of this is a little bit from the aggressor's perspective, if that makes sense. Yeah. And that's why I wanted John, John for something that was an operator, uh, that had to, you know, do their job, what's going on in the three, what you can say, what is going on in the three agencies when we get to that point.
But I think it's awesome that you came on. Uh, great perspective. Um, next person, uh, Bryson Medlock. Bryson, you've been involved with us for years. Again, thank you for joining us for those of, uh, for those out there that may not know your awesomeness, can you tell a little about yourself, your background? I'm sure I'm, I, uh, work with ConnectWise. I'm on the cyber research unit or the CRU.
Um, our team is primarily responsible for keeping track of the latest threats, vulnerabilities and that sort of thing, and building, uh, detection capabilities in, in our tools. Um, primarily IDS and similars. Uh, we also do some threat hunting and, and that sort of thing. Very cool. Okay. So, um, Ryan, I am gonna turn this over to you to talk about the, hi, you know, so, so first the history, um, about the Russian APTs, you know, and, and why that's important.
Why is it always important to maybe look at history and perspective and kind of bring us through up to date on, on kind of where we are today? Okay, so I'm gonna break this down in a couple different sections just to be a little easier to digest. Um, first let's look at the threat actors that are on the board right now. Um, I'm gonna break them down into three groups, nation states, activists and cybercrime groups.
Um, at the nation state level, you primarily right now have Russian nation state threat actors on the board. Um, for the GRU, which is one kind of arm of the intelligence arm of Russia, uh, there's a threat actor called Sandworm. And then there's APT 28, um, on the FSB side, which is kind of, they have like a sister team, um, another kind of nation state level actor. There's APT 29. Um, so that's kind of your nation state level threats.
Um, there may be more on the board, but nothing has been attributed yet, so we don't exactly know. Um, if there's anything more, I don't know, you know, we can figure out from John and Bryson if they're seeing anything else, but that's what we're tracking right now. On the hacktivist side, things are very active and very changing, like almost minute to minute, hour to hour in terms of who's in or who's out or who's aligning with who, or it's crazy from the activist standpoint.
Obviously Anonymous came out, which, um, you have declared cyber war in Russia. Uh, Ukraine has built our requested cybersecurity community to support them by building an IT army with two goals, one defense and two offense. And so there actually is like a Google doc going around where people are putting their name in and what their skills are, and they're assigning them certain tasks. Um, so there's this ad hoc activist group that we're calling the IT Army.
You have the Belarusian Cyber Partisans, which is an activist group that's targeted Ukraine in the past. Then there's the Ukrainian Cyber Alliance, which is actually an alliance of four hacking groups, um, CyberHunta, FalconsFlame, Trinity, and, uh, RUH8, um, or RU hate, um, depending on how you want to pronounce it. And then you have cyber ku, which is believed to be associated with APT 28 and also APT 29.
And so, even though APT 28 and 29 are associated with different arms of the Russian military in the past when they've attacked certain targets, we've seen them work in concert. So you could almost think, especially when it comes to these kind of large events, you could think of them as almost join, maybe create this Uber Nation state level threat actor between the two of them. Um, and on the cyber crime side, it's actually pretty easy.
Right now, it's mainly just Conti that has come out and sided with Russia. Although, turns out not everybody in Conti was a fan of that decision. So, um, there's some, some interesting things that is being tracked there. LockBit came out and announced themselves as neutral. Um, they're just in it to educate sysadmins about proper, uh, proper security of their infrastructure. So that's your threat actor landscape.
Most of the threat that we're seeing is coming from the GRU, um, and the, and, you know, well attacks associated with them. In the past, the GRU has been associated with the attacks against the nation of Ukraine, against Georgia. They meddled with the elections in France. Um, they tried to destabilize and retaliate against efforts to hold Russia accountable for using, uh, weapon grade nerve agents.
Um, and they also, uh, attacked the 2018 Pyeongchang Winter Olympics when Russian athletes were banned. So very, very active set of threats under the GRU umbrella. Prior to this event, we have kind of what I think of as four very big, five very big informative events from these threat actors. One was an event, uh, or a piece, a piece of malware known as BlackEnergy. It was specifically targeting power grid infrastructure.
Um, and then a second one called Industroyer that was targeting power grid infrastructure. Uh, another one which is called Bad Rabbit, which is effectively a ransomware attack. Um, and then everyone knows about NotPetya. And then obviously APT 29 is affiliated with, um, the SolarStorm event of 2020. So we have some very large, uh, attack history, especially between these two nations with Bad Rabbit, black Indu, uh, BlackEnergy and Industroyer.
Um, what we're seeing now is a combination of ransomware, wiping, hacktivism, and, um, distributed denial of service from a DDoS perspective. Um, we, right now we have a hypothesis that's Cyclops Blink, which is a threat actor that is largely building, um, a botnet using, uh, vulnerabilities in WatchGuard's Firebox firmware. Um, we believe that that has been used in some of the denial of service attacks. Um, uh, and this is a replacement for a previous botnet they had called VPNFilter.
So very capable threat actor on the distributed denial of service side, um, being tracked in cylin right now. Again, they're believed to also be affiliated with the GRU. So again, like GRU should kind of be the main, the main actor umbrella we're thinking about. WhisperGate, as of right, as of my last kind of round of threat updates, which is this morning, unaffiliated still. So we don't actually know who they're associated with.
WhisperGate is, uh, what I'll call a wiper in ransomware clothing. So it's, it pretends to be ransomware, but it's actually wiper, uh, wiper malware. And, um, that's been taking out a bunch of, um, government, nonprofit and IT entities across Ukraine. Uh, third one is HermeticWiper. That one uses, uh, basically drivers and, uh, valid certificates to, uh, corrupt the master boot record, uh, of systems, making them unrecoverable.
Um, though there's a, a ransomware component to it, which we're calling false flags. So if you don't know what a false flag is, maybe John or Bryson can get us smart on false flags. Um, but it's not really ransomware. It's ultimately, um, wiping malware and, uh, intelligence as of this morning is that many of those attacks had footholds as early as November.
Uh, so as we get more intel on, on, on exactly how those footholds were gained, um, although, you know, and then obviously anonymous declaring cyber war has, um, largely led to a very large, what we'll call really a proxy cyber war. You have a lot of these ad hoc hacktivist groups causing a lot of mayhem, but a lot of the hacktivism has not yet been really affiliated with nation states.
Um, so that's kind of what we're seeing from a, from a, you know, from now and plus from a history perspective. Um, obviously I wanna, I wanna set that foundation. 'cause as we're going through, I think you're gonna wanna be thinking about how do you figure out who in your customer base might be targeted as a result of some of these actors and some of these tactics.
Um, so we'll circle back on that later, but that's really some history and kind of the latest in what we're seeing in the threat landscape. And of course, if John and Bryson have anything to add and what they're seeing, I would love to amend that as well. Yeah. So I'm gonna hand it to Wes. Um, great job on that, Ryan, and the history. And, um, you know, uh, we, uh, hopefully it didn't take too much thunder outta yours on, on what's going on now, but, uh, yeah, no, great. Fill it in. Yeah.
So first question, Bryson, and then John, I'm gonna have it over to you as well. Um, what are you guys seeing from a threat ops perspective, uh, intelligence that you're seeing, either from your own systems or telemetry from threat intel outside the world? Bryson, I'll start with you. What do you, what are you guys seeing? I, Well, so far, actually the, the overall activity is much less than what we originally were suspect or expecting.
Um, everything's basically just been focused on Ukraine, um, except for disinformation, uh, campaigns which are focused on Ukraine and, and Russian, um, natives. Uh, that's, that's really about all the activity we've seen. And, and I think Ryan pretty much hit on all the important points. It's been DDoS, it's been website defacements, and it's been, uh, these data wipers.
Uh, and, and they're pretty much focused on government sites, uh, financial institutions or maybe some critical infrastructure. But, um, if anything, we've seen less, uh, cyber warfare than we saw at the last time. You know, when, when they actually brought down the power grid last time, uh, Russia invaded Ukraine, uh, for, for a while. Uh, we haven't seen anything quite to that scale.
Uh, the big thing has been the data wipers and even that, uh, NotPetya was, was an, uh, example that Ryan had mentioned, which was another data wiper from 2017. And that one kind of got out of hand, it was targeting Ukraine, but because of the way they were were distributed, it sort of spread and became much more massive.
Um, most of these really have just been in Ukraine, uh, with, I think the, uh, HermeticWiper did spread to a couple of, uh, contractors that were working with some banks in, um, in Ukraine. And so we saw some samples in, uh, Latvia and Lithuania. Uh, but yeah, that's, that's been like most, pretty much all, all the activity and there hasn't been much in the past couple days as far as actual nation state activity.
It, it has been, uh, yeah, the hacktivist, uh, you know, we're, we're seeing memes of, uh, you know, uh, Russian natives who are going to charge their car, and there's messages on, on the, uh, the actual charging device, uh, you know, saying F Putin and, and things like that. Or, uh, Russian, uh, state sponsored media sites that have, are, are playing, um, Ukrainian music and, uh, you know, various f Putin type comments. Um, so that's, that's a lot of what we've actually been seeing.
Uh, we've definitely can spread and I think a lot of the warnings that have been going out, everyone's thinking back to NotPetya, uh, and how that kind of spread. And I think there was some concern about that. And, um, and then the chance of retaliation. Um, I, I think in anything that we're gonna see, I think we're probably mostly going to have to worry more about the, the cyber crime element of it.
Um, there, there is a bit of a cold war as far as cyber warfare goes at the nation state level. Um, if, you know, if we go directly start attacking the, uh, Russian critical infrastructure, they're gonna start attacking our critical infrastructure and that sort of thing. So at, at the nation state level, there's a bit of a standoff, but the cyber criminals, of course, don't care about that.
And, and, uh, like Ryan mentioned Conti in particular, they, they, they came out as very, with a very, very pro-Russian statement, and then they kind of backed off from that a little bit. And then, you know, we saw some data leaks yesterday, so it's been kind of an up and down with them.
Um, but we can definitely could see, uh, a lot of cybercrime operators who have pro-Russian, uh, because the, you know, the Russian governments let them operate with impunity for a number of years, um, kind of taking that side and, and, you know, they, they may be the ones who actually see that might target critical infrastructure. Got it. Yeah, that's good. Um, uh, John, same question to you. What are you guys seeing internally? Externally?
Yeah, so, you know, I can't speak for the MSP's customers and kind of calls, but our phones have blew up really, you know, kind of Thursday, Friday last week. So I recorded a private video to our customer base just 'cause, as you guys know, there's unfortunately lot of FUD that goes on, and I really can't stand when vendors do this marketing thing and prey on a tragedy to sell stuff.
So this is what we've seen, we've seen, um, kind, I'll take a step back about mid-December to the third week in January, we saw a reduction in activity in our threat ops center, a reduction in responses since then, it's just gone back up to the level, uh, that it was in the spring, summer or fall this year. So it's just kind of steady state. We haven't seen an increased, um, you know, kind of volume or level sophistication in attacks.
I would also say, I believe personally, you know, the vast majority of the typical customer of an MSP is not gonna warrant nation state attention. I do, uh, agree with Bryson that I think, and this is what I said in my video, is one pragmatic take is that you could expect that the Russia based ransomware gangs may feel more empowered and kind of gloves off. So that volume could increase, but we haven't necessarily seen that yet.
Um, I think the other thing that's really important for folks to understand is when a nation state decides to go to war, a lot of resources get diverted to support that war fighting effort. Um, and I think this is probably why you're seeing a lot of their cyber activity direct at Ukraine at the moment. You just can't do everything at the same time.
I think the other really important takeaway is, you know, defending yourself against a nation state once they get in is frankly not a hell of a lot different than defending against an advanced cyber crime group.
Once they get in, the one big difference is a nation state will go to, will stop at no end to get in, and they'll use very clever ways like, you know, kind of the attack on SolarWinds, you know, and, and some of the, the, um, critical infrastructure kind of I'll call preparation the environment or battlefield by planning some of the, the, um, the kind of latent capabilities for our power grid.
The other thing that's also really important to understand is taking out a, you know, SCADA attacks are quite complicated. Um, you know, which areas I worry about in the MSP community, I worry about municipalities, I worry about the regional local utilities because many times I see these connected to the same Windows domain infrastructure that, um, the, that municipality's on. You see their 911, their fire, you see their, you know, their kind of water treatment stuff. It's all there.
I mean, heck, we, we probably have a dozen jails as customers, and I can see all their PLCs in our network map. So I know their, all their PLCs are connected pretty much to the internet. Um, yeah, go ahead Andrew. No, just 'cause I, I'm so glad you're bringing up SCADA. Can you just talk what OT, you know, I I'm sure a lot actually the MAT leads, I see people that really understand cyber out here. Right? Can you explain OT just for a minute, what it is, why we're hearing about it now?
Maybe a little bit about SCADA system? Yeah, sure. So, so OT or operational technologies that kind of nexus between IT, so typical Windows domain infrastructures, and then something generally, uh, there's various forms of it, but there's usually gonna be some sort of Windows computer connected to a program, programmable logic controller, PLC.
So the PLC is what can instruct something physical, you know, to, you know, kind of open a breaker or, you know, kind of, you know, open something in the dam. So it's, it's that kind of nexus in, like, I'll go really quick on this, but like the, the Ukraine power grid attack was a really interesting one. There was actually no OT protocol manipulation, no SCADA style attack on that.
They actually broke into the corporate environment, typical, stole Windows admin creds, laterally spread around and found the five or six folks that could VPN to the OT network, which was, that was their air gap, was kind of crappy air gap, but that's how they did it. Once they got on, there's another Windows domain, there's kind of a routing switching infrastructure.
And then you get to kind of this where it's really getting OT and there's something called an HMI in, in the power grid or human machine interface. And they essentially use something almost like VNC view to just go over. So they spread in that Windows to Bay network, same as hacker as ransomware groups do, um, to spread their malware. And what they did is they actually just opened the breaker.
So it wasn't actually like a Stuxnet style attack where you're manipulating commands going through the PLC to, you know, make things spin out and spin down and destroy the centrifuges. Um, and then, uh, and then what they did is they put bad firmware on the router switches destroyed it. So live off the land destructive attack, they did a wiper read joke and they call it destructo wear, but, um, they did a wiper attack essentially moving on out into and destroyed that infrastructure.
I think they also, uh, uh, uh, jacked up the firmware on their UPSs as well for their battery backups. Um, so, you know, I guess the real takeaway from all this is like, that's cyber hygiene we talk about every single day, you know, kind of patching, external vulnerability scanning, least privilege, you know, being in position to catch not only malware, but tradecraft of lateral movement and privileged cred use and live off the land.
It doesn't matter if it's a nation state or a bad guy, they still have to do it and to protect yourself. It's the same, the same tactics. Uh, so Bryson, I'm gonna lob a question at you that you're not prepared for. Uh, I've never done that to you before. Ever have I? Um, so never, never, but this John's comments really get me thinking, right?
I love, I love what John said about cyber hygiene has always been important, and you get wins across the board regardless of what's happening politically around us, right? But I have to ask this question, right? We've seen every range of, um, narrative from World War ii, all hell breaking loose, every dam will break, every electric grid will go down all the way into, you know, nothing's gonna happen from this at all. It's a complete, you know, uh, nothing burger, right?
We do know that like Ukraine still has most of their electricity grid up and running. Like, do you think, do you think we've learned some lessons from all of this? Like this is one of the very first times in history we've always talked about like cyber warfare. Like I remember reading about this in books like in the nineties, you know, of like this huge colossal future war. That's all cyber. Well, we haven't seen that yet clearly.
Do you think that's, because some of this has been tried and failed, do you think because there's still holdback from all nation states, the US included, like we haven't gotten to that terminal velocity yet. Like what have we learned lessons learned so far in this past week about Actual nation state cyber warfare? Well, when, when, when you're looking at what's, uh, nation state groups do, they, they, it's really the same thing everybody else does.
It's just their, their objectives are different. So they're not out to get money so much. They're out to destroy systems, they're out to distract, they're out to produce disinformation. I mean, so, so their objectives vary, but a lot of the tactics and techniques are the same.
Um, but I I, I do think some of what we have now, like we saw last week, you know, before everything really went down before the invasion, the UK government, you know, publicly stated, if you attack our infrastructure, we're attacking your infrastructure. So I, I do think we're in a sort of cyber warfare cold war that's, that's going on. And, and so yes, there are, um, some Russian nation state threat actors that are, are very sophisticated and, and could launch a very sophisticated attacks.
Um, but the US has that as well. Uh, we don't talk about it as much because they're usually on our side, uh, defending us. You know, we're not so worried about who in, uh, in Russia, the NSA may be hacking and, you know, whatever that may be. Um, so that's, that's something they have to consider.
And then to John's point, you know, actually they're, most of what we've actually seen Russia doing as far as, you know, nation state level hacking and Ukraine, it's really just to support the war efforts. So it's, they're, they're going to DDoS telecoms to try to reduce the, uh, communication ability of, you know, Ukrainian government and, and the military there. Um, they, they've done a lot to, uh, try to cause um, you know, racial dissent.
Some of the website defacements that they've done, had, had, were trying to, you know, poke at various racial issues in the region. Um, so it, it's, they're just really focused on the actual war effort there. Now.
Yeah, there, there is a potential, and I think that's where a lot of this stuff's comes from, is we've seen these, these attacks, like we saw last year, the Colonial Pipeline attack and the massive effect that, that had, um, you know, people in filling up trash cans with gasoline and putting them in the trunk of their car, that, that sort of thing, we still got those images fresh in our mind, and we know that that type of thing is possible, and it could happen.
And, and I think that's where a lot of the, the, you know, I mean that and just society as a whole loves to, to, uh, uh, jump on the FUD and exaggerate things sometimes. But I mean, there, there is that risk there, there is that potential, whether or not it's gonna happen. I, I don't know. It, it, it just depends. It's, it's going back to the Cold War. Are are we going to every, is everyone gonna die because somebody decides to launch a bomb?
Um, you know, I I don't think it's quite that devastating, but, you know, there, there is, there is that risk. Someone launches a, an attack, they shut down a power grid, and you know, if they, they try to shut down large portions of the US power grid, well, we're definitely gonna do the same thing back to them. And, uh, you know, do they want that? Is that worth the risk? Um, so that's, that's I think a big part of like, where we are now.
And, and yes, there is the potential these, these things could happen. Will it happen? I, I, I don't know. I, I think that, uh, the Russian government is aware of our own, our capabilities and, uh, and it's not just us, you know, the UK government also came out and said, if you attack our infrastructure, we'll attack yours. Um, I don't think the US has made quite an official statement to that regard, but I'm pretty sure it's, it's well understood. Yeah. Okay.
John, I've got a, I've got two more questions for you, but I wanna ask one, I want to add a third if I can. Okay. Go. If we can get this in quickly. Um, one thing that surprises me is the amount of vigilantism that's going on. You know, I see this in my Twitter feeds nonstop. I see people sharing their own, like GitHub code for denial of service attacks. I'm seeing all kinds of, like, I saw a big download from a bunch of Russian officials with all of their credentials.
Um, we obviously see one of the Conti dissenters that's sharing an entire mega upload of like a ton of internal Conti data. Mm-Hmm. Does it shock you to see the amount of vigilantism going on here and the whole, and even Ukraine saying they invite anyone to attack Russia from a cyber perspective, if they so wish? Does this surprise you? Uh, no it doesn't because the cost to do it is damn near nothing.
And people like to get in the fight when they see, see innocent folks, you know, I was in Kyiv like not too long ago. Um, great folks over there. And, you know, it's getting, it's definitely kind of like part of Europe now. Uh, people don't like to see that. And so I'm not surprised at it.
And I think you also see the same thing when, you know, there's another, you know, unjust wars, you see mercenaries come in, I know there's gonna be, I'm sure there's gonna be ex-US special operations guys, former guys going in to fight. I mean, so I don't really see that. And, you know, on the kind of nation state warfare side to touch on that, I think one thing that, you know, we really need to step back and take a big picture.
I'm still in close contact with lots of my friends and folks in, in the high levels of government. Cyber's absolutely a concern. And you know, SCADA gets all the attention, but it's really to be candid, like the hardcore stuff is I'm more concerned about large scale internet service providers like routing and switching. That actually really screws up everything at a much bigger level.
Um, and that's where I think a lot of the defenses need to be oriented in addition to a lot of the regional kind of utilities. 'cause conducting some of these SCADA-style attacks are actually quite difficult. And I think that's why you haven't seen it. And maybe there is kind of this, this red line, you know, it, it, the one thing about cyber is you don't just snap your fingers and magic happens unless you have some latent capability that's been in there for a long time.
And to do that stuff requires a massive investment in infrastructure on the nation state side to, to kind of test this stuff. So I think right now, like the country's definitely worried about cyber, but we're a hell of a lot more worried about not sleepwalking into a massive world conflict and 'cause that's when we start using anti-satellite weapons and this, this, all the s**t we're talking about, it's like child's play, to be candid.
So it's, I think, you know, it's, there's a lot of nuance take on this, but, um, I'm not surprised in the vigilantism at all. And that is exactly why I think it's important for us to be, um, balanced in our commentary to decision makers, right? Yeah. Because we jump in with all hell breaks loose and then it doesn't, like we're seeing right now, like things are happening, but it's not like the extreme edge of the narrative. We lose our influence completely. Yeah. We just completely lose it.
Yeah, it's really, really well said. Um, there's another, there's another little nuance to these cyber attacks, right? You know, there's, there's always a balance for every nation state with, you know, CNO set computer network operations encompasses exploitation, attack and defense, the balance of exploitation. Read that as intelligence gathering and attack is tricky because when attack works, sometimes you blind yourself.
And when you're, when we're more worried about not, you know, kind of tripping into a nuclear conflict, we need to keep, we need to keep our, our lines of intelligence up as well. Uh, and I would suspect the Russians are also similarly, uh, wanting to do that as well, right? Yeah, indeed. Um, okay, so let me shift gears into the CISA alert that was put out. I think it's the, yeah, A 22 0 4 7 A, it feels like that got lost in the shuffle a little bit around espionage.
Can you talk to us a little bit about that? And then, um, Andrew, can you drop a link to that CISA alert in chat so folks can see it? Yeah, I think I have it up next to me. I mean, to be honest, like what they put in the CISA alert, so FortiGate, VPNs, Oracle WebLogic, Kibana, you know, the Microsoft Exchange vulnerabilities. It's really a collection of the stuff everyone's been using to get in, nation states and non nation states.
And I think, uh, a lot of this goes back really simply to, you know, step one, you need to make sure your boundary between if you have a more traditional infrastructure, right, internet, right, that your boundary at the firewall side really doesn't have any ports open except maybe VPN and long term we need to move to zero trust so there's no ports open and it's truly a firewall, right?
The second thing is, uh, what it doesn't talk about a lot, and I was disappointed in it, is really the, the threat to Microsoft enterprise applications that we saw in the SolarWinds breach. So I'll give the audience like a real simple example.
So if you take a look at like a Synology NAS and you say, I wanna back up, you know, all of my NAS stuff to, to Microsoft, or I want to back up my Microsoft 365 infrastructure, OneDrive and email and all that, to my NAS, it registers something called an enterprise app. Once you register an enterprise app and it's approved, there's two factors not involved, right? It's good to go.
And so what you can do is trick people into loading and accepting malicious enterprise apps, and that gives you access to like everything in your cloud where you can make an absolute mess of things. And so, you know, the one takeaway, just like a pragmatic like security advice is ensure, obviously the MFA stuff's a no brainer on your 365, but ensure that only admins can approve, um, uh, enterprise apps.
Because think of your sales team and how much access they might have to customer data, right? You don't have to be highly privileged to get a lot of data. So that's a, it's a click of a button simple change that doesn't cost anyone a dime to do. And I think it's a real pragmatic step. 'cause you know, we get a little overly, you know, you know, external vulnerability in system, in patching shuts down almost all these attack vectors right here.
Then it's all about, okay, now I gotta be able to detect guys when they steal creds and they're in, they're launching malware. Okay? So that's your stuff like we do and other companies do, and that's your anti malware side. And then you gotta apply that kind of same approach to the cloud.
So sorry for the long-winded answer, but like, you know, this was really a collection of just all the other crap they've been releasing for the year that hopefully is patched by now what we know in many cases, it's not across our customer bases. Yep. So now's your chance, folks on the call, go take a look at that CISA report and um, certainly take it. Andrew, I was gonna say I was, Ryan, do you have any comments? I, I saw you really listen intently there.
I was just wondering if you had your thoughts that you wanted to share? Uh, I mean, I was just, I'll double down on what John said. It's the same stuff we've been seeing for months, if not years that's in that article. Um, it's just really comes down to, you know, go back to John's talk, right? And boom, basic IT hygiene. Um, you know, that FortiGate one definitely comes to mind. I can't even tell you the amount of times I've seen that one popped.
Um, and leading to MSP or SMB compromise, like those ones are just incredibly common. And, you know, it's very easy to, to kind of take a look at some of those commonly used tactics and, and harden your defenses with very little effort. Ryan May be a good timing to just talk about. I know. Can, can you just look, we, we've beaten CIS IG one controls many, many times, and John did had Phyllis Lee actually joined him on stage.
But could that probably, maybe a good segue right here as we probably, Wes has got one more thing, but go over to Gary, but can you just for, for those out there again, can you tell us, um, and we will get the v Yeah, the va Good. Thanks for that, Brad. Can, can you, um, just enlighten everybody if they haven't done IG one yet? Yeah.
So IG one, uh, looks at the controls as it relates to the top five most common cyber attacks that are observed, and it groups them into, um, basically a set there like baseline and what it, what the, you look at those attacks and you look at the baseline set of controls on IG one, the, those IG one controls mitigate 85% of the tactics that are used in those top five, um, attacks. Now, there's certainly stuff in IG two and IG three that you can do as well, that is more advanced.
But like, I think, yeah, IG one's probably like 50 controls. You probably already have 25, 30 of them deployed. Um, it's not a lot of work, you know, in the next six months to go in and shore up the existing controls and add those other ones in there and buy yourself a lot, a lot of benefit. Um, and I, I did an exercise, um, earlier this morning. There's a, uh, SANS, uh, sorry, MITRE has this, um, this tool called ATT&CK Navigator.
You can overlay the techniques of multiple threat actors on a single MITRE ATT&CK map. And the more red the color gets, the more likely that that tech technique is to be used by multiple actors.
And so he took all of these threat actors that we, we've been talking about, um, or SANS, took them all and put them on, on the ATT&CK Navigator map and pulled up the top six, which are phishing, user execution command and script interpret interpreters, valid accounts, scheduled tasks, and ingress and egress transfer. Every single one of those has defenses in IG one.
So the top six techniques used by all the threat actors that are currently in play on, you know, in the, in the Ukraine conflict theater IG one has compensating measures for the most common tactics. So again, if you're not IG one, you're getting left behind. Yeah. Hey, Andrew, can I back, uh, Ryan up on this with just some, please go some real world data. So, and I want to be really clear to everyone.
This is not to throw shade on any antivirus or EDR vendor, but 86% of our responses in the past 12 months at all. That's what you always say before you throw shade. By the way, I know I'm not throwing shade, but like this is, this is, uh, 86% of our responses in the past 12 months had no alerts from AV or EDR and you know, somewhere between 53 and 60% of our base runs an EDR in addition to other stuff. The point is there so much is like, are you like exploiting in or logging in?
And once you're in, what do you do? And all the stuff that Ryan's talking about that's hardening is frankly on the IT side. And this is, this is where the game is actually played, right? And so, you know, my point is you can't get exploits sexy, malware, sexy, yeah, right? But so much of it is live off the land IT stuff and all these hardening guys really help reduce that attack surface.
So I just wanted to back it up with some real world data, um, you know, just because I felt like it was perfect. You Think about it, look at the Yeah, I know, But it's, it's so much easier to deploy a tool than it is to do Work. I know it's So basic. Like, again, phishing use of valid accounts using scheduled tasks and jobs to maintain persistence. That's like the most basic stuff.
Um, so yeah, it's, there's a IG one, you know, if you're, if you're looking for a life raft because you don't know what to do, grab onto IG one. That's your life raft. And it's not just your life raft for this conflict, it's gonna be your life raft for every single cyber battle you will ever face. Yeah, yeah, yeah. Uh, Ryan, SANS did a great, you know, by the way, and I'll, and I'll put it in the SANS blog. They've been doing a phenomenal job between their blog, their webcast, whatever.
And they said flat out, like one thing that, two things in essence, one that John said flat out, they're like these threat actors at the nation state level of Russia and their, you know, their, their affiliated groups are not looking at the US or, you know, quote unquote, they're not coming after you right now. They are focused heavily on this, you know, on on attacking Ukraine. They can't be everywhere. That said, if they do, they're not gonna do some incredibly new tactic and come after you.
They're going to do what they've done all the time, which comes back to what you just both just said. So anyway, Wes. All Right. So last question, and I wanna leave a lot of time for Gary. So, um, uh, we will see what you think on this John false flag operations. We mentioned that a little bit at the beginning of the call today. Can you describe what that is and why it matters? Yeah, at the end of the day, it's, it's, it's really just kind of a, a red herring concept, right?
I mean, you're, you're really, you know, engaging an operation to, you know, trick people in, to think one thing's happening when your true intent is something else. I mean, it's very obvious to me the, you know, the entire diplomatic push and, and Russian's kind of disinformation push was, listen, if, if, if some of the data heard on this call or some of these, you know, implants of back doors were sitting in November, that means they made their decision back then, right?
I mean, that's around when forces started getting staged on the border. And so, uh, and it's definitely the, the Russians love the Sun Tzu style of warfare, right? They really do. That's why I will, I need to like applaud, you know, our brothers and sisters from the IC because the intelligence that's, that the, the president and the White House has been outing, has been spot on. And it really, this is what helps galvanize the world.
You know, the thing I don't think a lot of folks understand is, you know, a lot of the Russian, what was the KGB and KGB back in the day, a lot of their big focus is actually planting disinformation. There's a, I'm gonna, I'll share a link at some point. It was a 30-year-old clip of a KGB officer that, uh, defected basically describing their process of how they try to turn generations of data, and they want us to not understand what to believe is true or not true anymore, right?
And we watch these tactics get used a lot more, and they couldn't have dreamed how useful social media was at causing this and as a nice delivery vehicle. So I think it's just really important to understand, you know, this is how they love to operate. Um, and frankly, it's, it's effective, but one of the defenses to it is, is by outing it while it's happening.
I think if you combine this, you know, the false flags and the misinformation with the vigilantism right now, if you were gonna experience any sort of side effects, it would probably be as a result of misinformation leading vigilantes down the path that is not necessarily, you know, um, supported by fact. And I think that's, that's really where, you know, the most damages right now because there's no control over that mob.
So they're gonna go wherever they think they should go based off of the information that's being presented to them. Um, again, it's not, not fear mongering, like, you know, I don't, I don't, I don't know, you know, I'm not saying like everybody should prepare for one week outage.
I just, I just think if you're gonna have an impact right now, it's more likely that it's either gonna be because of what Bryson said, ransomware operators are gonna take advantage of the fact that everyone's distracted, or there's gonna be a vigilante that hits a target because of some misinformation they they heard, which isn't necessarily true. I mean, if you actually look like, look at the Ukraine power grid hack for a second from back in the day, like that was considered like a big deal.
It scared the crap out of everyone. It was a six to 12 hour outage for 230,000 customers. We've had thunderstorms do a hell of a lot worse for a lot longer, right? So it's, it is not easy to do this stuff. Big picture. So I actually really think like the ISP infrastructure is much more scary to me, I think, and in regional utilities Outside of power right now, there's been a lot more targeting of rail systems. Oh yeah, those are a big one. Rails and ports.
Like, listen guys, you know, one of the things that scares the crap out of me, you know, who makes almost every port crane in the world right now, China, that the US uses at all our major ports. These guys tend to have Windows domain networks. These things have PLCs, they have Windows machines and security camera infrastructure all loaded up with software on them. I mean, it's just craziness. These things need to be islanded off, but you're, you're spot on. Ryan Rails ports.
This is where you'll see, you know, cyber's a very good economic weapon. It's a challenging military weapon in my opinion. So as you bring it over to Gary, Gary, segue to you, man, this is where you can look smart as an MSP get involved with, you know, the, uh, uh, the, um, ports port, what did Wes, what was the Port isac? Um, I'm drawing a blind copy. Yeah. NPSI, south Christie Coffee. Coffee. Yep. Coffee. She's doing some amazing things out there. Yeah. I mean, hook up MPS Isac.
Yeah, Christie coffee, uh, on the ports. Um, but yeah, I mean, and, and this is back to your question, Gary, you know, if they're not asking you, but go, there's incredible information at those areas in our critical infrastructure that can help you as an MSP anyway, Gary to you. Yeah.
Well, listen, one thing we were talking about on a, uh, we had a call, uh, Friday with our peer members to say like, you know, you should be able to look down your customer base and knowing what you know about them, decide what order you wanna reach out to people. Like, if all you know about your customers is what technology they have, you, you can't help them assess when any this or anything else happens, because not all their risk profiles are the same, not all their customers are supplying.
And that is not just cyber right now, it is supply chain, it's economy, it's currency, inflation. There's a whole bunch of things that are gonna come out of this, all of which can affect a business. But you can't have those conversations starting with security if we don't understand anything about their business. And, you know, Wes, it's why you talk about, um, uh, bis all the time, right? Yep.
Um, Bryson, I want to ask you both, you and John kind of said, Hey, all this stuff's going on in the world right now here in the us We haven't seen a big spike in, in general, right, in threats. What would have to happen to heighten your level of concern for MSPs or SMBs? Well, I, I think it's, uh, while, while we haven't seen anything actually being attacked, um, you know, it, it is, the, the potential is still there. Uh, and it could change any minute. So definitely, you know, be prepared.
Um, like, you know, we've kind of talked about, um, I mean, as far as what would happen to heighten, um, Our alerts, I would, it would be an attack. I mean, we see increased activity if we start seeing the shift focusing instead of, uh, directly in Ukraine focusing on the us. Um, you know, we haven't seen that yet. Uh, if we start seeing attacks on municipalities and, and, um, massive DDoS attacks, you know, if they stick with what they've done before, uh, we'll start seeing DDoS attacks first.
That's, that's kind of what they've been doing. Um, and then, yeah, these, they really haven't been doing ransomwares, all the ransomware that's been sent, or that's been deployed by the, uh, state actors has really just been a false flag. It's been either fake ransomware that just erases the data, or they've deployed it along with a wiper and it's really just a distraction. Um, so yeah, I mean, we, we may see some of that stuff here.
Uh, we may not, um, we could see, uh, some incidental accidental infections, you know, there, there could be, um, they, they deploy some malware in Ukrainian office and it spreads to other offices. You know, we've already seen that a little bit with some contractors. Uh, that's kind of how NotPetya got spread. It was just Yeah. And that was like 10 kinda Got out of hand. Yeah. They said just the, the unintended consequence on that was like $10 billion. So, yeah, I guess that's the thing.
These things go on, right then the, the, the wave can carry out. Yeah. And, and one thing, uh, just to follow up on some stuff we talked about earlier, you know, there's a number of vulnerabilities that you can patch now. Uh, but if you haven't patched them yet, uh, there's, there's a good chance they already have. Somebody already has a foothold and just patching the system doesn't, you know, remove their access.
Um, that's something we saw a lot of back last year when, you know, ProxyLogon happened. A lot of Exchange boxes had, um, web shells dropped on them. We'd seen people patch their systems, but the web shells were still there, and so the threat actors already had access. So, uh, it's more than just patching the systems. You also need to check, uh, check them out, see if someone has access, look for, um, any accounts, any, any new accounts.
Uh, go ahead and reset your passwords when you patch those systems. Um, all, all those things. Check for persistence. Um, don't, don't forget, just, just because you've patched doesn't mean you're protected. Yeah. Uh, and I'm just gonna make this last comment, and then I'm gonna hand it back to Andrew so we have time to have Jim come on and share some info.
Um, but John, I was thinking about something you said on stage at Right of Boom of how often you get a new customer, the MSP, you know, you know, uh, deploys Blackpoint, and you find out that they're, there's, they're already there, right? So it's almost just what Bryson was saying, things were patched, but it's almost like you're locking the door, uh, after the criminals are already in. Yeah, there's, there's no question. That advice was fantastic, by the way.
We're still seeing this, we're still seeing MSPs. We probably have three responses a week that are due to unpatched Microsoft Exchange servers, and then folks are like, I did patch 'em, and then we onboard 'em, and you see kind of, you know, those web shells left over, which is basically a latent backdoor to access. Um, so yeah, I would say five to 8%, somewhere in that range of the customers we bring on are already owned, where it's kind of like an IR, right, right. When it goes, yeah.
You know, you have to pop kick them out. All right, Andrew, I'm gonna hand it back to you, but one thing I will say, I did a survey on something I was on with a couple hundred MSPs, and I asked the, uh, the survey was how many people, um, you, you know, use in their, uh, practice, uh, cyber defense matrix? And 60% said no. So 40% are In other words. Yeah, in other words. Okay. Yeah, They're a bunch of 'em. Were customers of R so probably not, you know, it's a little jaded. Yeah, Yeah, yeah.
Well, so go ahead, I'll let you go. Bring Jim on and Yeah. Okay. So with that, Bryson, thank you so much, immensely, for always sharing such awesome wisdom with us. Um, I'm gonna, thanks Bryson, put you over into the, uh, audience, um, and look forward to having you back really soon. Thank you my friend. Alright, thanks for having me. Sure. Alright, lemme go get Jim and, uh, we'll keep going here.
Um, Gary, um, while I bring Jim up, do you wanna maybe just give a quick intro on Jim and as, as I get him up here and like what? Yeah, so, uh, Jim Lippy is the CEO of, uh, SaaS alerts, and he'll tell you kind of how they get their data, but I've known Jim for probably 15 years, um, uh, has owned several companies in the channel, uh, built a, uh, a, a bunch of practices at Case. So he's, uh, very knowledgeable, uh, when it comes to MSPs. Oh, and he was the president of Thrive.
I was gonna say Thrive, yeah. Yeah. One of the first MSPs to get acquired, uh, via Staples, um, Jim. So, uh, does that mean you have the easy button for us? I figured. You know What? Corny, uh, humor with you coming up here. All right. Yeah. I lost all those easy buttons. They were pretty popular through back in the day then. All right, well, fair enough. So, so Jim, um, you had sent me over a PowerPoint. I can certainly put that up. Would you like me to start there, by the way?
Uh, anything you wanna just mention real quick about yourself, who you are, and should I start while you're doing that with the PowerPoint? You can go ahead and put it up. Gary said enough about me. People don't need to know about me. I just wanted to share some information that we're tracking right now. Oh, darn. Oh, shoot. Um, so, um, John and or Wes, can I move one? I need a screen. Yeah, bump me out. No worries. I'm good. I said of course, you can bump me If you need to. Yeah, Yeah.
All right. Hey John, thanks so much for coming on. I reach Of course, anytime guys. Great chat With you. Awesome, John. Alright, let's try this again. I forget you with, uh, all right, so window, lemme go and find this, Jim. Okay. And tell me all if you can see my screen. Yep, yep. Okay, so let's start with the data set, Jim, is that okay? Yeah, absolutely. So I just wanna make it clear we're not here to make any claims. We're here to share information that we're seeing right now.
And, uh, the data that we're mining right now comes from 395 MSPs and specifically their 2100 SMBs. And we're looking at companies with users from two employees all the way up to 1800 employees with the average being about 50 employees, which is that sweet spot for the MSP. We've got about 120,000 total users on the platform right now, Andrew, and we're processing approximately 5 million security events per day.
So the other thing that's really important to understand is we're only looking at SaaS applications, okay? So specifically 365, Google Workspace, salesforce.com, Slack, Dropbox, IT Glue, Ninja. So what, what we did was we looked at what was going on over the last couple weeks, right? Specific to attacks coming from various places.
And because of the conflict going on, we, we looked obviously at Russia, and we know that over the last couple weeks, the activity coming from Russia against those 2100 small businesses has doubled, okay? Doesn't mean it's nation state, it's not nation state, like, you know, all these experts just talked about, but these are attacks coming from Russia, people taking advantage of what's going on. They feel, I think it was Wes that may have said it. They feel empowered right now what's going on?
And they're, and they're going out and trying to do more damage than they usually do. So we took this chart and we said, okay, that's obviously, uh, you know, pretty serious. We just wanna highlight it, make sure people know about it. And then what we did was we said, let's actually bring in some other data from other known bad actor countries. And this is what we saw. So this is China. So first of all, China actually has a lot more activity, right?
And that's consistent what we see on a normal basis, but their activity has spiked as well. And what we thought was really unusual was that as following the same pattern, right? So you can draw your own conclusions based on this chart of what your eyes tell you.
But we thought, you know, based on a lot of people talking about, you know, how Russia and China are getting closer and closer, how consistent and correlated these, uh, these trend lines are specific to Russia and China and bad actor events. And then we thought to ourselves, wait a minute, maybe it's just hackers in general from various countries, just follow a specific pattern and maybe it has nothing to do with Russia and China. Maybe it's just all hackers.
So what we did was then we looked at other countries, and you can see Germany here, right? And they don't follow anything close to the same pattern. And we looked at Brazil and Vietnam, so on and so forth, and they don't follow the same patterns either. So we just wanted to highlight this as an area of interest to all of you and make sure that, you know, if nothing else, we're being more vigilant than ever. Uh, we're releasing something called the SASI report, uh, within the next week.
Um, and that is a really in-depth report on a lot of data specific to the dataset that I've mentioned. And it stands for SaaS Application Security Insights. Um, and you know, we just wanna put this data out there so people are aware of it. And one of the findings on that report is gonna be guest user accounts are out of control. And this is something a lot of people don't talk about, but it's a major threat vector.
And, uh, I talked about actually when I moderated a CISO panel with Ryan on it not that long ago, um, at the big big event and on a, on a hundred thousand licensed users, we see 55,000 guest user accounts. What's dangerous about that is that no one puts MFA on guest user accounts, but they have a login and that makes it extra dangerous, right?
So one thing you should be definitely doing right now to mitigate your exposure even more, go through your own guest user accounts, go through your customer's guest user accounts, eliminate anything that's not a hundred percent necessary. Um, and then the last thing you know, thanks for putting this up Andrew. We're not here to capitalize on anything. Uh, we want to help.
Uh, we know that, you know, first of all, our partners, our existing partners, they get to monitor their own 365, all their SaaS tenants for free. This is part of what we do. Uh, but we know we have a lot of MSPs out there that probably wanna monitor this stuff, and they're, they have no intention of being our partner. And, and that's fine.
So what we wanna do is say, Hey look, if you wanna monitor your 365, your IT Glue tenant, if you have Ninja, if you have any of those SaaS applications and you wanna monitor those to make sure that your own, you know, data is as safe as possible, go ahead. You can go sign up at saasalerts.com, start the free trial, put in MSP free 90, we're going, we're gonna continue this through June 30th. Uh, it, it will take you to our nor normal signup page.
It will ask you, I will tell you in advance for a credit card 'cause we're not gonna redo our signup process for this offer, but I promise you, if you put in that code, you'll bypass our billing. And, uh, there's no absolutely no obligation when this ends either. So anything we can do to help and to bring, you know, hopefully information that's helpful to the community, that's what we're looking to do. Goes, goes what you're just saying about guest accounts goes to what Ryan was saying.
Some of this is just, you know, like there's a loop. Yeah, just diligence, cleaning up like what we talk about every week. It's amazing how many people just guest user accounts just go on forever. No one ever comes in and cleans that stuff up. Um, and, and then we, then we get people asking, you know, well how come I'm getting, we don't bill for guest user accounts, but we're gonna start billing for guest user accounts in June because people need to learn the lesson.
If you're not, you know, it seems like, you know, if you're gonna try to correct behavior, there has to be something punitive to it. Otherwise people just let things go on, you know, infinitely. Sure. Awesome. Thanks for coming on Jim. Thanks for sharing that. Alright, um, I know we went a few minutes over, um, so I will wrap things up. Ryan, Wes, Gary, thank you for, uh, making it a great cyber call.
Um, thank you all for jumping on with us as well and we look forward to seeing you back here, um, next Monday. Until then, make it a great day, everybody. You much. Thank you. Thanks.