Session 1
Guests
Video Transcript
Questions then. Cool. Perfect timing. We're live. John. Welcome everybody. Happy Friday. Andrew Morgan here with John Strand. John, you're coming from a BSides event, right? Where are you? Yes. I'm actually in BSides Cleveland, um, today and tomorrow. Tomorrow I'm closing it out with Dave Kennedy. Um, he's going right after me and we're gonna do a live Backdoors and Breaches session. Nice. You've been on the road nonstop? Um, yeah, the past three weeks I've been home a grand total of four days.
Um, but the cool thing is, uh, my wife has been with me or my kids. They, you know, they, my kids all went back to work at their jobs for summer jobs, but I've been with my wife the whole time, so it's kind of like this extended, you know, just kind of hanging out with my wife all the time, which is great. Very, very cool. Wow. We already got some questions coming in. Scarlet Will, I don't see the questions. Do you just wanna feed 'em to me then? Yeah, yeah, yeah.
Um, you wanna start off with, uh, what you wanted to bring everybody up to speed with first, John? Yes. I would love to. Some Q&A, um, so let's do that first. Alright. So the first thing that I wanted to say is I wanted to say thank you so much for attending.
Um, Andrew and I were wondering how many people would show up and we've had a, had a really good amount of the people that are doing the MSP training show up, and that means a lot to Andrew and I, uh, once again, this is a platform that we're planning on working together and making it better as we move forward, especially with you all in the first kind of cohort. Um, you know, the getting started and kind of coming up with a plan of what we want it to be.
So I wanted to give you a few heads up on what happened with the first sort of, uh, kind of scrum that we had. I think it was about 15 different companies that were giving us feedback and what they wanted. I'm gonna talk about what's going on with MetaCTF. I'm gonna talk about a cool, uh, online tool for tabletop exercises. And then I'm gonna talk briefly about some of the stuff I've been working on for the past month. And then we're gonna kick it over to you all.
So you can ask me anything, um, at that point. So, jumping in and Andrew, if you see questions on any of the things that I'm talking about while I'm talking about it, just jump in and interrupt so I can Talk about it. Sure thing. So the first thing is, if you go into security for MSPs, we reorganized, um, how it is set up. Okay? And the reason why we reorganized it is because it was very linear.
Um, it was like section one, section two, section three, section four, section five, and section six. And what was in those sections was kind of this mystery box of what was in section one, what was in section two, what was in section three. And we wanted to make it a little bit more accessible so people could jump into the specific areas that would be of interest to them.
Um, I still recommend that you go through it in order, um, start with the start here video, and then work your way down because these things build on each other. But whenever you go through training, sometimes it's really hard to jump back to the section that is directly of interest to you and your team.
So now, instead of it being section one, section two, section three, section four, we now have the sections with more descriptive names, like resources, start here, network basics, Windows basics, Linux basics, memory analysis, network analysis. So you can drop straight in to that section and you can go to those individual modules. Now we've also had some people, a small number of people say that this can be overwhelming 'cause there's a lot here.
And those two recommendations are in conflict with each other, um, where some people want it broken up. So there's specifics and some people want less specific. So it's a little bit less intimidating and Andrew and I are working on that. But one of the things that we are doing is within this Brightspace platform, we have the ability to create a training manager for your company.
And what the training manager for a company will be able to do is assign specific modules to the employees to complete. So instead of everything being present all at once, you can say, I want all of my people to do anything networking. And they can assign those networking modules to their employees. So that'll be coming up in the next 30 days. That will create that rule. If you want that rule, you can have it. Yes, Andrew? So Kind of a pseudo question that Scarlet asks.
He said she, uh, she says, uh, Hey John, is there a way to create a playlist? So it'll just keep playing each video without the need to go back to the next page manually. Sometimes I put it on a third screen and listen while I'm doing my work return later, uh, for labs or a second pass, You just want it just to keep going. Is that what they're asking? I think so. Scarlet, can you clarify in chat John saying, do you want to just keep playing?
It takes, it takes a slight delay in chat, even though, uh, yes. Sorry, just keep playing. I'm making a note right here. So, so yeah, just keep playing John Playlist. All right, so I'm sending this off to John Bess after the, okay. All right. So there we go. So we'll add that into a question. Um, I thought it did it in a mobile app. Um, so if you kind of feeding it into, I have to check this, but if you want, you can get your training, um, on, in an app called Brightspace Pulse.
So it's called Pulse here and you can download it. And then you basically choose Antisyphon as the organization. And then the videos that you have subscribed to will show up. And I thought it just kept playing in the mobile version of it. Um, but no, all the videos are present here. All the different modules are present, so you can listen to it in your car. So I will ask beers, uh, we lost you. It keeps going. So you can rock on and you can do it, but no, check out the mobile app.
It's called Brightspace Pulse. So you can take the entire class in your pocket and then I will get back to you all as far as what we have working. Um, so we'll add that to the queue of things that we can do. But I can check that, see if it's in settings, if that's something that I can do. If there's like an auto play. All right. I dunno, I'll ask beers. Um, and we'll try to get into the point where the video just continue to play. Absolutely. I could see where that would be. Awesome. Okay.
Awesome. Alright, so we broke it up so it has better modules, uh, as far as descriptions. And then in addition to that, I created a start here video where it'll actually walk you through exactly where everything is and how it's actually laid out. Um, that was one of the things that the group came up with was there needs to be a start here instead of just dropping you into it. And then you go, we now have a very clear start here.
Uh, the other thing in this section that I wanted to show you all is the implementation groups. So we created specific sections for implementation groups, not by their number. And the reason why it didn't go by the number for CIS implementation groups is the numbers change, but the titles tend not to. So if you do a search for MSP, it'll bring up all the different implementation group sections.
So you have like incident management, CIS, multifactor authentication, dedicated administration system, secure account management. So these are all the different implementation groups, uh, that we have specific sections for. Um, so you can actually see that. And eventually what I'm gonna do is actually do a CIS implementations group where I'm just going to talk about just those things.
Um, 'cause right now the way it is, is each of the implementation groups stand on their own and they're also tied into the rest of the modules that already exist. Um, so I'm gonna redo them again so it'll be there twice because I think it's better if things show up multiple times in the training. Um, we're gonna do something dedicated to the implementation groups.
Um, the one thing that's interesting about implementation groups is there aren't modules that are just implementation group one and just implementation group two. There's a lot of overlap between one and two. And two, they tend to be very, very few and far between. So like to meet implementation group one means to hit 80% of implementation group two and CIS. So that's why we stick with the names on those because It's easier.
Yeah, it's no, to your point John, and a lot of it's process, a lot of it, you know, they're safeguards within the control itself. Mm-Hmm. So it's very to, I'm agreeing a hundred percent with you. It's not easy to just say this is all of this or all of that. Yeah. But we're gonna try to make it better.
Um, so it's easier for people to do it because I, I think Andrew, I don't, I don't think I'm misspeaking, but it seems like the MSPs that are working to hit like implementation group one at a minimum for their customers tend to be a lot of the MSPs that are doing better. Like, go Ahead. Yo, no, no. Hands down. Look on the cyber call where we have thousands and thousands and thousands of MSPs, the majority still have not implemented implementation group one. Mm-Hmm. Like and that's the group.
And, and, and so, um, I say that where like the go, the people on this call are the ones that are doing it. So, um, but what I think would be really e what might help the whole use case. John, are you familiar with the controls navigator at all? Have you seen that? Yep. Yeah, absolutely. Uh, Like if we use that because that way we could kind of just go walk down, um, just as an idea. Yeah, We could absolutely do that in conjunction with the audit script spreadsheet too. Um, yeah.
On how to implement those things. Uh, I think it would be easy for people to track. Um, but anytime you're doing anything with CIS and I think that this is important, whether or not you're using Navigator on the website or you're using the offline spreadsheet, the offline spreadsheet's nice because you can record things and it's not public, um, so much. 'cause there's a lot of frameworks that are, um, out there.
But either way, it doesn't matter as long as your team is getting into the CIS controls. Remember we talk about master mapping and how if you look at CIS, it automatically cross references to like CMMC, the ISO standards, HIPAA PCI standards. So that's gonna be critical for your company. Um, NIST is in there as well.
So hit those implementation groups and then we have that cross mapping for your company to be able to sell that security package regardless of the compliance framework that your customers are working in. Very cool. Um, quick question, John, since we were just talking about platform, it, uh, this comes from trying to see who this came from. Damien. Uh, does the platform specifically via the app have an option to have an offline copy for 30 days similar to a YouTube, Spotify or something?
No, unfortunately, Brightspace does not support that. Um, from like the offline. I know, especially when you're flying in, in airplanes, that's really, really nice. Um, but we're working within the Brightspace platform because they had 95% of the functionality right out of the can. And, uh, they're used by universities and all kinds of different things. Um, but yeah, offline would be something that would be awesome.
But I, I've asked Brightspace and it's one of those things, it's like, that's a good idea. We'll look into that. I don't know where that's going to go. Fair enough. All right, John, back to you. Alright, very cool. So that's kind of the structure of the training to make it easier for you to, um, navigate to specifically what it is that you want to do in your organization.
The other thing, and I don't know if it's out here yet, the other thing is very, very soon the Cyber Deception class is going to be added. So that is, uh, if I go to Antisyphon Cyber Deception. So if you go to, um, let's go to pay what you can. So very, very shortly, this Active Defense and Cyber Deception class will be in your modules. Uh, so this is going to exacerbate a problem, but it's a problem that I want to have.
The problem is there's gonna be a lot of training on your, on your, on your training page, right? So this is another two day class, 16 hours with hands-on labs that will absolutely be part of what you all are paying for. Um, 'cause once again, what Andrew and I are trying to do is we're really trying to get it to the point where this is a tremendous value for your company.
And some of you may not think that cyber deception is something that you can implement as an MSP and you may not see it as how are we gonna make money off of it. Um, what I want you to think about whenever it comes to Cyber Deception is the longer a customer of yours is compromised, more expensive it is for your company, the longer it takes for you all to detect a compromise increases the likelihood that a full ransomware situation will be tra uh, sprung on your customers.
In the Cyber Deception class, we talk about how you can use Canary Token files, how you can create service accounts in Active Directory, how you can create honey user accounts in your customer's platforms and put 'em in such a way that if an attacker gets access to a customer environment and they're trying to escalate to take over the entire domain, they're going to trip on these trip wires and it'll drastically reduce the amount of dwell time that attackers have and reduce the amount of time attackers have to be able to launch full ransomware in your customer environments.
So reducing that dwell time is something that this class can help you with, with very minimal, uh, implementation from your company. So this will be added in just because I think it's awesome. And once again, we're trying to add as much value as we possibly can. Uh, so be on the lookout, we'll be shooting out an email with the updates, uh, here shortly for what's, what's going to be happening with this. But it's getting cooked right now and it will show up.
Um, if we go into security for MSPs, it will show up on the bottom. You're gonna see that there's gonna be cyber deception stuff showing up there. Uh, so be on the lookout for that. Go ahead Andrew, do we have any questions? Yeah, Michael says, I'd like to see slightly longer videos. A few of the videos that were clips from the SOC basics class were in the 30 to 60 seconds range or maybe a couple minutes. I think five to 10 would be the sweet spot, uh, on a topic video. Yep.
If you have specific topics you'd like me to go into details longer on that would be great. Some of them are very, very short. Um, just because the topic I'm talking about is very short. And then if you notice, some of them are much, much, much longer if you have specific sections, you're like, could you expand on this? Could you expand on this? Um, we absolutely can do that.
Um, it's easier for me to, if you give me a list of specific things that you want me to talk about rather than just expand everything. 'cause most of the time I'm teaching this class live in a two day format, over four hours or four day format, over four hours each day. Um, but the cool thing about this format is if there's an area, you know, John, you just skimmed over this, could you, could you add some more meat to it? Shoot me an email and I'll create that video. Absolutely we can do that.
But shoot me which sections you want me to add some more depth to and I'd be happy to do that. That's what we're here for. Very cool. All right. Um, so then James said, what should we, so regarding Brightspace, what's we search for? I downloaded the Brightspace Pulse app. Yep. I'm looking to add this training to the app. Who's providing your... It is Antisyphon. So once you're in that, you have to go to Antisyphon.
It says who's providing it, because remember there's literally hundreds of universities using Brightspace and other organizations. So Antisyphon is the organization. And then once you go into that, once you sign in, your class that you've registered will automatically show up there, but you gotta put in your credentials to log in. Very cool. Alright. Alright. Alright. So that's what we've done with the framework of how this is.
Um, we're gonna try to play around Text and the white background because that's simple. Um, we're seeing if we can punch it up to make it look a little bit better. Um, I like, I like, one of the things I've asked Brightspace for is to go to, uh, like a night mode where it swaps the colors. Um, I think that that would be really, really cool. Um, I agree, but, you know, we'll see that's cosmetic. Um, I really want to keep this stuff so it's, you know, gets you what you need for your training.
Also, since many of you have actually joined, we've probably added about 15 new MetaCTF challenges. Um, once again at Antisyphon and what we're doing with this training, the vast majority of your organizations did the package where it's the training and it's the CTF as well. So we have that. And there's just so much here and this is really designed for you and your team to extend and push yourselves.
So it isn't just about what the training has, 'cause we have the hands-on training, we have the labs and all of those things, but a lot of people ask what's next? Um, what can we do to judge our team and how we're all doing, how can you all show off? Um, you absolutely can do that. There's tons of stuff here. Um, of course there's the scoreboard. Uh, my scoreboard is different than yours, um, because I have everybody in Antisyphon on my scoreboard.
Um, but it's an excellent opportunity for you and your team to level up and, uh, share kind of where you're at, um, with your, uh, excuse me, share where you're at with, uh, with, in respects of actually learning computer security and, uh, what we have here. So be on the lookout for those emails. Also, you can share your progress. Every person that's in Antisyphon gets a special link where they can share what their current level is and how many challenges they've solved.
Um, so you can share that within your team as well. Then this becomes critical for me because the training is the training. Most training is there to teach you a core set of skills. And the best learning you will ever do after you get those core skills is doing something hands-on. Right? I can teach you some something by showing it to you. I can teach you by having you do a lab. But when you start struggling through, that's really where the best learning happens.
So after you've gone through this, take advantage of this MetaCTF cyber range challenge, uh, platform, um, because it's a nice, nice safe place where you can practice your skills and develop new skills, um, as well. The other thing that we are doing with MetaCTF is we have the Antisyphon Twitch channel. And every week we do three videos. Okay? And it's also on YouTube. So we do a video, that's the news.
We also do something called address based layout randomization, and address based layout randomization is a random topic, uh, from like network threat hunting to, um, doing the top Windows commands that you would use to, you know, really crazy bash command line kung fu and all kinds of fun things that you can do. But that's on Antisyphon. And with us doing this, this is like continuous training for your team. And it's the news on Monday.
It's then two random topics on Tuesday and Wednesday, uh, that you and your team can watch. So it's like this free training that keeps going. Uh, so check out our Antisyphon Twitch stream. Um, lemme see if I can share. Well, we can do that. You all can share the link. Um, these are definitely a good way to kind of keep going. So John, yeah, so there's like a lot of MSPs are in Slack channels. Yep. I know Antisyphon has Discord. Mm-Hmm. And now there's also Twitch. Yep.
Um, and, and I'm just, maybe I'd love everybody's thoughts here as I ask the question to John. And you know, you as the MSPs, can you chime in? I, I think like things like before like, uh, the comment from Michael, like, Hey, I'd like to see more content. Is there a way in which we could build an MSP channel? And can some of that content al automatically from the Twitch and things like that? Can it, can it absolute.
Um, so I'm, I'm just trying to bring, you know, like they always talk about meeting people where they're at, John. Yeah. And for us to really blow up this MSP community, it's like, you know, you have things like, I'm just putting things out there. Like, you have MSPGeek with 9,000 in their Slack channel. They just moved, recently moved over to, to, um, to Discord. I don't know if men, well they did, they did move over to Discord. Yeah. And men, let me just see if Mindy's on by chance.
'cause he's one of the moderators of, I got a question, do you have a Slack channel for I did. I did. But it didn't really take off with Cyber Nation because there's so many things that people, you know, are part of. Um, any Discord, Scarlet, I think Discords better. Um, so Scarlet, are you and are you in the, in the MSP community? Not to be derogatory, I'm just trying to like figure out like where you're Yeah.
One of the things that we've been doing is trying, like you said, meeting people where we're at, right? So we have the Twitch channel and we're finding out that there's these generational divides. So just so you know, my generation was IRC, um, that's all I ever used for years. And then Slack came up for about, let's say five to eight years. And then everybody was using Slack. We're seeing the kids now switch to Discord, and then we're now seeing a lot of the people move to Twitch.
Um, Antisyphon also has a YouTube channel, right? And most of you already have YouTube. Uh, one of the things that you can do is you can subscribe to the YouTube channel, uh, for Antisyphon as well. So if you're on Twitch, subscribe on Twitch. If you're on Discord, subscribe on Discord. If you're on YouTube, subscribe on YouTube. And if people think it is valuable, we can start a Slack channel and we can start, um, oh wow. Undernet, that brings back memories.
Um, we can actually start up a Slack channel, but it's, I'm not mar... I'm not married to one or the other. John, I'm just, I'd love everybody's feedback here. So far it's Discord. Yeah. Which is good news. Um, but like, can you guys just throw in your comment real quick in, in chat, like, do you care? Do, go ahead. One of the things while they're filling stuff in, in chat, I see a couple of questions. Um, how much overlap is there between SOC Core Skills and this class?
It's the same, that both those classes are here. So all of the SOC Core Skills class is present and accounted for. All of the Intro to Security class is present and accounted for. And the entirety of the, um, of the, uh, uh, the Cyber Deception class will be here as well. Um, they'll be there as well. Okay. So it looks like Discord is where a lot of people are. So yeah, it does seem for now, for now it seems to be the leader. Um, and I expect this fully to change.
Um, we keep reinventing the same thing. Okay. So should we, will we in, John, help me understand, because when I go to Discord today for Black, I don't, I don't know if it's Antisyphon or Black Hills. Would we have an MSP sub-channel in there? How would we wanna do this? Yeah, I think we'll set up a Discord, like Discord sub-channel under Antisyphon. Okay. It, my Discord, it might already be there. My Discord is a nightmare. Um, so everyone gets access to Discord.
Um, Derek saying, I'm just like I said, my Discord is bad, like really bad. Um, just gimme a second here. Yeah. Derek's saying there's one there, John. Yeah, I don't know if I'm on it though. Oh, okay. Yeah. But there, there should be an MSP. So this is, uh, here we go. Here's the MSP channel right here. Um, but that might be resources, tech support. This doesn't look like it's the place for it, but No, I will get in there. But as you can see, my, my Discord is a, is a hot mess.
I'm actually thinking about creating a separate Discord account, um, just for my classes. 'cause this, this happens. Um, we get a lot of people on it. Yeah, there's, it's, it's like real busy. It's too much. Um, it's just too much. Okay. So we'll get back to everybody on what the final verdict is, where we put it. The, uh, Oh, Bill's got something I wanna hit this bill said course. Yeah, bill. Um, I'm actually Bill Bill's your co-host, by the way.
Bill's your co-host and, uh, at, at the, uh, MSSP Alert, uh, event. Oh, awesome. Cool. Yeah, that's Bill. So, so these are modules that we are currently working on. Um, the Office 365 Best Practices. We have that class in, in processing, or it's done, I can't remember if it's being cooked right now. And whenever I say being cooked, it means we've captured the video assets and it's currently being chopped up to be put into Brightspace. Um, but that is absolutely something.
Um, so the incident management one is interesting and I probably have to get, I probably have to get over this. Um, but me doing something that's specifically called incident management, um, is problematic because of my background with the SANS Institute. Um, I taught their class, the incident handling class, for years. Um, and I've been retired from the SANS Institute now coming up on over two, two and a half years. Um, I've been very nervous about doing anything incident handling related.
Um, but I, I think that we probably should, uh, move beyond that now and I can, I can actually start doing that. Um, business email compromise and Office 365. That class is being created by Troy and um, Derek Banks right now. Um, so that'll be added into this MSP training soon as well. So There we go. Okay. All right. Those are great. So yes, That was A great recommendation from Bill, right? Alright, now Are we able to invite more?
You, you would just have 'em sign up Andy, like Yeah, you would just have them sign up. Yeah, if it's one-offs, right, it's better to go to the website and just sign up on one-offs. If you're gonna do a bulk of people, um, you're gonna want to contact us. If you go to our website, we have a link that'll get you in contact with support. So we can do more. Right now, we can do a max of 10 people signing up on the website, um, through PayPal because that's what we're doing for it.
If you want to add more than that, contact us. We also give discounts for more than 10 people. Um, so that is absolutely something that we do. Um, but if you wanna do onesies, twosies, just have 'em go to the website and sign up, um, and then we'll get access to it as well. John, one question that came in early, early from CS was I saw the webcast phishing and Microsoft 365. Yep. And Microsoft device codes and, and scary exclamation point, um, sorry, tenants are fully hosted in Microsoft Cloud.
How does one mitigate this attack outside of user awareness? Um, so the, unfortunately, okay, so there's a couple of different things. One of the things you need to look at whenever you're looking at Microsoft Cloud is what is the actual end state of the attack? Okay, so the end state of an attack, somebody had mentioned, uh, Bill had mentioned business email compromise, getting access to a user's account is one end state.
So this is one of those things that's a problem with Microsoft because of the way that their levels work. Like almost all of their security goodness starts at like five, right? And that's it. So that creates problems. But within that group, there is a really cool setting like Impossible Travel where you can say, okay, John is logged in from Cleveland and he is also logged in simultaneously from California at the exact same time. And you can generate alerts from that. Um, that helps, right?
Having that level of logging actually enabled is going to be huge. The other thing is looking at the end state browser, uh, not browser plugins, but like plugins for Outlook. All right? Now, whenever you're looking at Outlook plugins, we create a ton of malware. And I mean we, in the industry, that is an Outlook plugin.
Now the interesting thing about like the manifest XML file that is created for those Outlook plugins is if I compromise someone's email and I upload an Outlook plugin that forwards the emails and sends them to me the attacker and it sends them to your inbox, or it searches for specific keywords and then forwards me on those emails, it will sync those plugins between the Cloud Office 365 instance.
And if they run the Outlook client, which is now just a skinned Microsoft Edge, but it, but it syncs them regardless. So the next thing that you can do to deal with that is how do you actually audit the plugins that are enabled? Most users don't use them very often. So by auditing those or possibly disabling those completely so your users can't just add them, we'll actually help with that. So there's those two end states.
So for me as an attacker, either a, I want to get access to somebody's email so I can like just search through their email and log in, that's Impossible Travel. And somebody had mentioned, Adam has mentioned that Perch has some geo, uh, geolocation features enabled in it as well. That's great. But then also watching for the plugins that are enabled is absolutely essential as well.
Also, Microsoft is really good at looking at domains that are very close lookalike domains to your domain and blocking those domains. Unfortunately, many people aren't watching the logs for whenever those domains actually arise. The final thing, and this gets into the cyber deception thing that I think is really incredibly important, um, we talk about this in cyber deception is canary tokens. And this is one of the labs that we do in the class.
So with Canary tokens, what you can do is you can add HTML to your authentication portals. And many times you can actually put like custom banners and custom logos and custom JavaScript and things of that nature. Um, but one of the things that you can do is, where's my clone trooper, is you can upload JavaScript onto the website. So I'll just add this domain protected, let's say, uh, it's Black Hills, Um, and then I can create a token.
Now what this does is it creates this JavaScript right here. And what this JavaScript says is, if document.domain does not equal blackhillsinfosec.com, and only whenever it doesn't equal blackhillsinfosec.com, then what it's going to do is it's gonna try to load an image that is hosted on the Canarytokens website. All right? So what this means is this will, um, this will only fire if it's executing on a domain that is not blackhillsinfosec.com.
And that's pretty obvious that there's some shenanigans at play there. But you can actually go to a number of different Java, um, obfuscators. And what it does is it scrambles that JavaScript, sorry, not Java, but JavaScript. So we can, oh, I just clearly screwed that up. Let's go recopy this copy that. Here we go. We can obfuscate this code. So it's a lot less likely that someone's gonna be able to read it, that it, it say that this is actually a Canary token on it. And go ahead, obfuscate.
There we go. And some of these actually will, uh, that's the same one. Some of these will actually run it as well. So what this does, just so you know, is when you do it this way and you add in this type of JavaScript onto your authentication page, what happens is when someone scrapes that authentication page to try to harvest user IDs and passwords to break into your environment as part of a spear phishing campaign, this will fire before they even send a single email into your environment.
And whenever it does fire, it'll actually give you what the IP address is of the system that fired it. So this literally gives you the ability to block spear phishing attacks before a single spear phish comes into your organization. So I'm gonna stop sharing.
I hope that, uh, I hope that that makes sense because whenever we're talking about what we can do to protect Office 365, there's more to it, right, than just looking for these particular alerts, even though there is value in doing that without question, right? But there's so many other cool things that you can look at. Um, like I said, the manifest XML, the actual rules that you can load in through Outlook, um, really, really help. And then the cyber deception helps as well.
Um, and this is totally self-serving, but I mentioned earlier that, you know, we, we we're, I'm here at a conference and the people that put on this conference are some really good friends of mine from a company named TrustedSec. They're a sister pen testing firm to BHIS. And we're kind of competitor frenemies, like we go to each other's cons. We have dinner with each other, our testers share information.
And I was just talking with one of their customers at this conference and what they said was really interesting: they were working a pen test and they were running RITA, um, RITA as a network threat hunting tool. And they were able to detect the malicious Outlook plugin, uh, through RITA by doing network traffic analytics. And that's all in the class. There's a section there on network threat hunting and a section on RITA. Uh, so check that out. Alright, so what other, awesome.
That was awesome. So keep these questions coming. These are really good questions. I, by the way, I love the shout out for Perch. Um, um, SentinelOne is here, by the way. I know SentinelOne is huge in the MSP space. And just so you know, they just acquired a company called Attivo and they're going to be incorporating cyber deception into the SentinelOne product space here shortly. Um, so be on the lookout for that. Will they be similar to SCYTHE in some respects, John? Nope.
So SCYTHE does adversarial emulation, um, much more than just emulating business email compromise or ransomware. With SCYTHE, you can load a SCYTHE agent on a customer's network and then it'll attempt to do a bunch of privilege escalation, lateral movement techniques, almost exactly like a real pen tester would. And it'll give you a report as far as which one of those techniques worked and which ones didn't. And you can mimic it. Let me show you something here.
Lemme bring, I'm gonna share my screen in a second, just gimme a second. Um, by the way, while you're doing that, we have Jake coming on, the Jake Williams, everybody, on Monday's cyber call, who is the big, what, basically the CTO of SCYTHE. Um, let's go ahead and just call him that. I think that that's a good call. Um, we'll give him, we'll give him the CTO of SCYTHE, so if you guys have ever seen, we'll give him a raise and promotion.
Any, any, um, if you guys, he's known as MalwareJake out on Twitter, if you've ever seen any of the emergency SANS webcasts, you see these techniques. Hopefully you all can see my screen. This is a CISA alert and it's basically saying these are the techniques for recon, initial access and privilege escalation. SCYTHE can go through and emulate these particular techniques from the MITRE ATT&CK techniques matrix so that you can test this directly on your customer's networks.
Um, so something like SCYTHE or Atomic Red Team can actually help your MSP start doing security testing. Now, as I mentioned, it is important, it is really important that you kind of set this up in such a way that you doing these testing services is something where you can start competing directly with companies like mine, Black Hills Information Security, and TrustedSec. And you can do it in an automated, easy way, um, utilizing a framework to do it. That's awesome.
And the insider threat, Adam, is really interesting because, so my background, uh, we'll probably just do a whole, maybe I'll do a webcast on insider threats. Most of what I say for insider threats, we'll talk about canary tokens and files and things of that nature. But a tremendous amount of it deals with HR and how you can train your customers to detect disgruntled employees.
'cause every single insider threat case I have ever worked started with a well-known disgruntled employee and it escalated from there. So, we'll, we'll probably end up doing that one. I'm gonna add that to my list of things to do. Insider threat. There we go. And we can definitely do that and add it in as well. I, oh yeah, a DDoS issue. So were you going through Cloudflare, Adam, and somebody was able to find your real IP addresses and hit them as well?
That's something we see a lot, where there's leakage of internal IP addresses. 'cause usually you go through Cloudflare and it rotates through and sends it to where it's supposed to go. If the attacker can actually find that, um, then they can hit your IPs directly and flood your network. Got it. Oh, you got 'em. That's good. That's awesome. Awesome. Good job, Adam. Um, okay, what, where do we go from here, John?
I want, I want to get people's input, you know, what are they thinking so far? But you, you know, John, your thoughts. And then again, I love the chat. Any, any feedback thus far? Is it, are you guys, you know, how do you feel about it? How, how are you enjoying the training? Um, what More can we add? Yeah, the AMAs ts Yeah, because I I, if you haven't figured it out, I love doing training.
Um, and when people are like, could you add more on this topic or this topic or this topic, um, that just makes me happy. I, I love nothing more than being in my basement doing videos, um, and doing training on these various topics. It's just one of the coolest things ever. Thanks so much, Derek. Yeah, very cool. Thanks for the feedback. And also, I'm gonna give you all my direct email 'cause some people are a little bit timid, Andrew. Okay.
If there's something that you can give me, you know, feedback is the Breakfast of Champions, that and broccoli. Um, if you can give me that feedback, if you don't feel comfortable putting it here, if you could send it directly to me if you're like, wow, this sucks, this would make it better, send it to me. If you're like, this is awesome, but this would be even more icing or sprinkles or cherries on top, send it to us. Really? Mm-Hmm. So love the training.
Okay, so the two-factor authentication for Brightspace is, um, so Brightspace has two-factor authentication, but here's the problem with Brightspace's two-factor authentication implementation. What they do for 2FA is they have it tied to your domain. So let's say that we had antisyphonuniversity.com and I had students that were @antisyphonuniversity.com and they would register with their antisyphonuniversity.com. They tie it to that domain.
The thing that Brightspace never thought of is, what if we wanted it to be gmail.com or we wanted it to be msp1234.com? Between you and me, this isn't hard. Like, it isn't, like, it's not hard. Like literally there's documentation on Google's website where you can enable two-factor authentication. Literally there's documentation on Office 365's, um, uh, website to be able to do this. It's just getting them to make the change.
They've been very, very good with a lot of our recommendations. And this is one of those ones that we've been pushing on quite a bit. I mean, like port knocking training or something. Oh my gosh. Um, so we do have 2FA, it's in the password cracking section of the class, and we do talk about multifactor and how it stops those attacks. So if you wanna look at that. Um, but port knocking, so port knocking is weird.
Uh, so Andrew, like years ago, you remember we had like Loki, we had all of these different port knocking utilities, ICMP tunnel and all this stuff, and um, uh, knockd was another one that was on BSD systems. And it was the rage for years, and then it just died, like no one used it. And I would say within the last month, uh, there's been two back doors that have used port knocking on a Linux system.
So I literally have port knocking slides, uh, that I haven't taught in eight years that are now valid again. Wow. So, wow. If you want me, if you want me to do a port knocking, uh, video, I can do it. Uh, and we can even set up a lab for port knocking. Um, but this is just like, if you get old enough, you start seeing these chasms in these wheels that show up in the industry again and again. So Good, good, good. What's old is new. Very true, Adam. Yeah.
So I'm gonna, I'm gonna share what I've been working on this last week, Andrew, while they type in some more questions. Um, so my last week has been really, really interesting. Um, I was an expert witness on this case right here. Um, so this is, this was a very interesting case.
It involves Paige Thompson, uh, who used to work at Amazon, and she got fired and she found a way to actually proxy attacks through Amazon's firewall services to gain access to the instance metadata service, um, on the backend. And she was able to upload cryptojacking software. She was able to, um, she was able to download a terabyte of files, uh, from the customers, um, from the customer's environment. And it was a really, really, really interesting case.
I, I personally feel like it's a, um, I feel like it's actually a slam dunk case, uh, working with the Department of Justice on this one. Um, and one of the reasons is her name is Erratic right here. That's her handle. Um, she was actually on Slack and she was communicating with other people. And one of the people on Slack said, Hey, this is some sketchy stuff. Please don't go to jail. And she responds like, wow, wow, wow, wow, wow. I'm like IPredator going through Tor and S3 on all of this.
I wanna get it off my server and that's why I'm archiving all of it. This is when she downloaded all the data, it's all encrypted, I just don't want it around here. I wanna find it somewhere and then store it as well. And then basically she's saying that she strapped herself with a bomb vest effing dropping Capital One's dox and then admitting it. I want to distribute these buckets. Um, there's SSNs with full names, date of birth as well.
So I honestly feel like this is a pretty slam dunk case, um, as it relates to the Computer Fraud and Abuse Act. Um, but the Department of Justice, when I was working with them, um, the Department of Justice issued additional guidance. It kicked up some additional guidance that, um, modifies the way that they will prosecute people that are doing good faith security research. Okay.
Um, so it basically says the Department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding legal rights, but also for good faith security researchers that are rooting out vulnerabilities for the common good. Right. So this has been one of those things I've been working on for months as it relates to this case, which once again, um, I think that Paige Thompson was definitely guilty. Um, and she was not involved in good faith security research.
Um, but you know, being able to work with the Department of Justice and make it so if somebody's doing good faith testing and they're basically sharing that information with the community or a company, um, is kind of a big deal for me, um, in the industry as a whole.
So that's what I've been working on, um, the past week or so, actually I've been working on it for months, but it just kind of popped last week with DOJ, or two weeks ago, uh, where we got the DOJ to change their guidance a little bit and then also going and doing expert witness testimony, um, on that case as well. The final thing I wanted to share with you all is Backdoors & Breaches has an online version, so if you wanna play it with your team, you can. It's play.backdoorsandbreaches.com and you can play the entire game and work through your IR process and sharpen your IR skills online.
So we wanted to share that with everybody as well. Yeah, it's, it's, it's, that's, it's phenomenal and still one of my, the things that I laugh about still to this minute, John, was your hour rant, uh, at Right of Boom. I, you know, what's it, it, it's weird that the Right of Boom thing just, oh yeah. I probably should plug my, thanks Derek.
Um, so, uh, Rekcah Publishing, I don't know if my shirt says Hacker or Rekcah, um, here, but, uh, if you Google Rekcah, it's hacker backwards. We have a publishing company, we have a zine and a comic book that we're coming out with. Um, so yeah, we're definitely doing that. But it's been really surprising to me. You know, I, I feel like I have this, I feel like I found out that my dad before he was married, like had a whole nother family.
And I've just found like all these brothers and sisters with the MSP space, um, you all have been great. And there's a bunch that came out to BSides Cleveland really. Um, they, yeah, they literally showed up and they're like, so we're like in this really, it's called the Grog Shop, right? And it's this punk rock club and it's got stickers and it's black paint and all this stuff. And there's some MSP people that are showing up and they're like, are all security conferences like this?
And it's like, no, they're not. This one's, this one's a hark, harken back to some of the old days of those old hacker groups. Uh, but no, it's cool to see some blending of these two groups and I'm hoping as you all have kind of invited me into the MSP space, I'm hoping to pull you all into the security space. Um, 'cause we're all brothers from a different mother. That's, we go. That's right. I'd love it. By the way, John, we're gonna, I think we're pretty close.
I just, maybe if you guys could give us a Y for a yes or an N for a no, we've kind of used this as a beta group still. Like we wanted to get feedback on the portal. Do you feel we're, uh, at a, you know, general availability GA state, um, do you feel we need to tweak things more before we open it up to the, the MSP world? Um, uh, again, yeah. What do you think? What are your thoughts?
Yeah, we're looking for MVP and even if it's not perfect, if we're heading the right direction, I think that would be great. I know Andrew, we didn't talk about it, but we definitely had some hiccups when people were first getting it set up. I think we've got a lot of that ironed out. Yeah. Um, especially since you can go to the website and buy up to 10 licenses in one shot. Um, but yeah, if it's, yeah, go let us know.
Um, personally, Andrew, I'd like to wait until we get cyber deception loaded into it, but Okay. You know, if we can go, we can go. Also, I don't know if you want to talk about this, but we are planning on raising the, uh, the cost of it. Now you all got in early, right? You're cool, you're cool. Um, so, And, and be transparent with John, you, you are barely breaking even right now with the Yes. With the, um, cost of the range, the cost of the platforms content production. Yeah.
So that's why, again, you guys are all fine. You're grandfathered. Um, but, uh, but yeah. Um, thank you Darren. Darren, we may Lose money, Andrew, but we make up for it in volume. We may lose money, but we may go for It million. But yeah, what Derek just said, um, we, we really appreciate if, if you guys can help spread the word. Um, is there a referral program, I guess David, once we raise the price, but because John can give like what would you want see in a referral program, David?
Like just give, give us a, if you could maybe help with that. Um, I could fly out, shake your hand. That would be cool. God, I hope he lives in Hawaii. So, but I do like the idea of a referral program and maybe just, yeah, yeah, yeah. Something I, I, I, I don't wanna say no. And, and we certainly appreciate the referrals. Um, but, um, I, I've got a question though, and this is a serious question. Yeah. Um, I'm a huge advocate of more is better. Uh, dude, let's, I'm taking that down. We can do that.
Uh, signed copy that goes in breaches. So, so here, here's something that Andrew and I have been wrestling with. There's a lot of content and we've had some people that weren't technical, but still their, their, their opinion is absolutely valid. When they went into the training and they saw all the topics, they were like, that's intimidating as hell, right? That is a lot of content that's right out of the gate. Like, that's scary to me And keep adding.
So it's just, you know, there's so much content. You, and I'm almost looking at this as like a wiki. Like if you're an MSP person, you're like, what do I do with security with two-factor authentication? Bang, click right there is what you need and you can search on it. Or do we need to dial this back? Um, and we're giving companies the ability with the, with the content curators what the role is called where they can hold some stuff back.
But I don't, I don't know, like is this overwhelming or is it just more is better as long as we got it under topics. And I don't think we're gonna get more topics. I think we're gonna stick within the topics we have, but breaking it down so you have subtopics on that. But this is a problem. You run into anything. Um, I I, I lean towards just fire hose. It's all there. But I can definitely understand where people are just like, crap, this is a lot.
So yeah, let us, I Love the, I love the feedback. I I guess the, um, the, maybe put it in a different way. Um, don't hold. So the, the general thesis there is more and don't hold back. But I guess, um, does it make any sense? Like, so picture in, in, in a perfect world, you have all MSP staff getting trained. Just role play with me here. Well, there's your help desk people that would look at this. Let's just say a newer help desk person. Oh my gosh.
Should, should, should there be like a section on, you know, the, you know, the basics of security, Hey, it's called Security Basics. And even though that stuff might show up in greater detail below, should there be a basic section and an intermediary section? Um, oh, it looks like Bill kind of answered that. If we can create a course to assign to users and pick the modules. Yes, you, that is something that is coming up, Bill.
So, and maybe that's the answer, Andrew, is for your help desk people, the, the content curator at the company can say, these are the modules that we think are important for help desk. And they can do that. You, I, I, I wanna read Ann's next, but can we just stay with Bill for a second, Bill and, and, and group.
Would you guys work with us maybe on like the different roles, again for John MSPs are a newer world, but maybe could we do an open mic, like a Zoom where we kind of walk through the idea, the, the roles like sysadmin, help desk, Mm-Hmm. Et cetera, et cetera. vCIO, you know, Joe. And I think a, and I think a follow on question to that is do all the companies stick to the same idea of what help desk is? 'cause I, I've seen some companies where help desk is literally resetting like passwords, right?
And I've seen some where the help desk is doing full on incident response. So some Anne had mentioned grouping things into level and then you can assign it. Like, I think when, whenever a company has control over their training, it might scratch all of these itches to basically say, here's our module list for this group. We can send it to them. Yeah. See you Scarlet.
Yeah, I, I, you know, Bill saying yes, and to a degree, at least in the MSP world, like you have varying degrees of maturity, John. Mm-Hmm. Um, you know, are there a few MSPs relative to the whole doing IR? Yes, for the most part. And Bill and Joe and Justin, maybe Derek just chime in. Um, it, you know, and Ann, you know, your help desk, you know, your tier one, two, maybe a three, they're, they're similar in terms of their, sysadmins are similar. The vCIO role is similar.
The network admin overarchingly, would you guys agree, uh, in, in terms of we were gonna build, Hey, these are the base courses and you certainly can modify and add and tweak Adam, kind of, it got dark there quick. So, 'cause I think, I think Adam's point is if we hold back too much, then we might miss, uh, yeah. Okay. So that's a point too. Yeah. Okay. All right. Let's keep beating this up a little bit. Um, well, And it's something they can think about too, right? Yeah. Yeah, yeah, yeah.
Well, and you look at what we're doing, we're kind of working on that second s Damien, um, honestly, is really what we're doing. Yeah, very true. Very true. Okay. Um, John, what do you think? Three weeks? We'll do one, maybe one more, one more and let's do it. Um, yeah, And then, then we can go live. 'cause I have some modules that I'm gonna work on, like Office 365 security. Um, we'll get the cyber deception in and hopefully at that point there'll be a, a training manager role.
And that'll be great because regardless of how we wanna describe it, every company is a precious snowflake. So they will then be able to take active control over how they present the training material to their people. Um, and I think that that's gonna scratch a lot of those itches right out of the gate. So I've got my work cut out for me. Um, and I do think, I do think, Andrew, I would like if it's, I mean, people said it's okay to go off, but I would like to wait.
I would like to get one more from this group. Um Okay. Before we unleash the hounds. Yeah. In the meantime though, if you have friends, you know, peers, peer group members that you want, It's Yeah. It's for sale. Yeah. You can have people go and buy it. It's just we aren't pushing it real hard yet. And then, and then please, you can e you can see, you know, email me like I referred or, you know, copy me and John.
Um, uh, and, and just, just so you know, whatever program, referral program, whatever we do come out with, at least we can track it that, you know, you referred Jimmy or Ann or Steve or Mary. Um, And if you just shoot Andrew and I an email and say that you referred it, I'm gonna do the, I'm gonna send me your address. Um, I will send you, and then let me know how many copies I'll send you back doors and breaches and comics and all that too.
Um, as a way of just saying like a personalized Thank you. Yeah. Um, 'cause seriously, folks, we want to do this because we want the industry to get better. Um, and you know, he set out, I think Andrew was 500 MSPs and we blew that out of the water for training in computer Straight. Oh, for, yeah. Yeah. We're gonna keep doing that. Um, also, I'm getting a little bit of blowback from the security community, just so you know, they're like, this is a smoking good deal that you're giving MSPs.
Why aren't you doing that, um, for the security community? And I, I wanna explain that. So if anybody brings that up to you, um, it boils down to one simple thing. MSPs don't have the budgets of the security teams that I'm seeing in there. Um, so when I'm at BSides Cleveland, those security teams, they have hundreds of thousands of dollars that they're spending, uh, sometimes per quarter on computer security. And the MSP space is duct tape, baling wire, and redneck engineering.
And, uh, you all are just pulling stuff together in a way that a lot of these security teams, it, it, you would be frustrated if you see security teams saying, well, we don't have a really expensive, you know, SIEM that we, we want this module that costs hundreds of thousands of dollars and we can't do our job. And I'm seeing MSPs that are like rolling up their sleeves and they're doing like just amazing engineering feats on shoestring budgets.
So there's a reason why we're charging what we're charging for this and making it accessible for MSPs. 'cause as I said, you all are the front lines, so keep kicking ass and keep giving us feedback to help you kick ass. Yeah. And Ann, great. I love your feedback. Okay. So Ann's overarching, like make it assignable by groups. And um, Ann only reason I was going there is like, I'd love to have a few ideas maybe if that makes any sense.
Like Yeah, we might be able to create some pre-canned groups That, that was it. Just like, here's ideas that we've heard from the beta group. Yeah, yeah. Um, and then, and tweak it from there. Um, Yeah. Also, folks, I'm, well no, we'll talk about this later, um, because we're at the end of the line, uh, for this. But no, just keep doing what you're doing. You all just keep doing it and you're, you know, yeah. You're doing great. Just keep it up. So, awesome everybody, John, thanks.
We'll get, we'll get back to everybody for three weeks from now. Um, we'll send out emails. Um, and again, like yeah, please talk to your peers. Bring it, let us, send us, let us know who you're referring so we can keep track of everything Later. Everybody. See ya. Take care everyone. Cheers.