Right of Boom
January 30, 2025

Session 1

Guests

Andrew Morgan

Video Transcript

All right. Hey everyone. Welcome. Um, so excited you a lot of you joined. I know it was last minute. Thank you so much for coming and, and, and making it possible. Uh, 'cause these are fun when we get, you know, awesome folks like you making comments in chat. Uh, Ben, Josh, thanks so much already for, uh, livening it, uh, livening things up as I knew you would. Um, and so that's what today is about, really, you know, your interaction with John. You are very introverted, Ben, I know that.

Um, um, so, um, really wanna start off John, by kind of really just getting everybody on the same page. 'cause not everybody here knows about the MSP training initiative.

Not everybody knows necessarily about Backdoors & Breaches, and not everybody knows, kind of like the flow that you and I have been talking about behind the scenes and that you've kind of brought to life now on how we're integrating Backdoors & Breaches, training labs, and how this full circular lifecycle of training, um, is going to take place and is taking place with various different products, um, that are in the ecosystem.

So there's, we're gonna see a lot more of you, a lot more MSP products integrate that, that you're gonna be helping people learn how to incident response on and with. So exciting times. Thanks for joining us. Thanks for having me. So, so, yeah, I don't know. There's, you know, this is gonna be an ask me anything, right? But like you said, we have a lot of people that don't quite know what the hell this actually is.

And, um, so for those of you that know, you know, for those of you that don't, uh, Andrew and I have a class that we sell, I'm gonna share my screen real quick. Well, that you sell, John, this is your platform. I just kind of spread the word for you. There we go. Well, you're constantly helping me build it to what it, what it, what it can be.

Um, so this is my, my dashboard, but we have this training platform that's built on Brightspace and D2L, and it has a large number of different classes built into it. In fact, it comes with four. Um, it comes with the Intro to SOC Core Skills, Intro to Security, Intro to Cyber Deception, and Intro to Pen Testing are all part of this, uh, are all part of this platform that I have, that we have set up for you right here called Security for MSPs. And all the modules are broken down.

We tied it to the, uh, Critical Controls implementation groups as much as we could, you know, download instructions, the virtual machine where the slides are, pre-interview reporting. All of these different things are all part of this. And it's really all about trying to get people ramped up with the core skills that they need to have in order to be effective working in an MSP or in a SOC. So this is all set up. I think that this alone has four full days. No wait, no, no, no.

It has six full days of content, um, ready to rock and roll for your team to work through. Broken up into a variety of different categories. One of my favorite categories for MSPs is selling security. So how do you do pricing and packaging? How do you build a local community? How do you do your sales messaging? How do you utilize insurance as a mechanism to really help customers understand the importance of computer security?

And then getting into like asset discovery and data protection, some additional things that you can sell around that. So this is the course Security for MSPs. We also, for all of the people that are involved in the MSP training class, we also have the MetaCTF platform. And this is a full cyber range platform that focuses on taking your skills that you develop in our classes and developing those skills and growing those skills forward.

Also, it's really super neat because you can see how everyone on your team is doing. On this example account that I have, I'm not doing very well. Um, I am in the, like one percentile of all of these, or 68th percentile. Um, I have 510 points. I've only solved three challenges. But what it does do is it breaks down all the challenges that you have done, and it gives you your overall skills, uh, assessment for each of those different challenges as well, which I think is just super helpful.

Now, the problems for the cyber range, they go all the way from really, really basic introductory level challenges, all the way up to really difficult challenges. So it really helps meet you where you are and you're trying to get started in this community, trying to get started in security, trying to get started building a security team.

So if you wanted to get started with just, let's say straight up web exploitation, I can shut off all the categories and I can just start with web exploitations, right? Um, what are just my kind of type dealing with redirects plain as looking at plain text, looking for flags, running things through proxies.

And they all have little hints that you can take and you can say, you can look at the source of the profile image to rec, uh, uh, pull down your current profile image, URL, also known as hacking with the F12 key as well. So lots of great stuff to get people started, and we try to set it up at a price point that is really, really effective, uh, for MSPs. So if you want more information, here is the registration link. And I'm gonna put that in the chat right here, like that. There we go.

And I wanna get started on the news, Andrew. And then when we get done with the news, let's circle around some questions. Does that sound good? Yeah, absolutely. And we can pull some of you up if you ever wanted to like literally interact with John, the Crowdcast platform allows us to pull you up and we can bring you on up here and, and chat.

So, news John, and also maybe me, uh, if you, once you get through the news, if I'd love if you could just touch on what's, what's new with, um, Backdoors & Breaches, some of the expansion decks, where you're headed with that. Um, uh, we're gonna do, uh, by the way, I got the okay to talk about this. If you do show up at Pax8, the Pax8 Beyond conference, John is teaching the day one lab around Backdoors & Breaches. Oh, yeah.

Um, and, um, the, uh, the EDR section of it will have access to CrowdStrike. Uh, Oh. We, we can talk about that publicly now. Talk about that publicly. We're gonna be talking about it more this Friday, me and Rob Rae. Oh, but yeah, so we can talk about that. And, and, and I, I kind of want to riff on that just a little bit because I think that that's super cool.

Um, if you're looking at computer security and good computer security, traditionally, almost all my classes dealt with open source tools. And I think open source tools are fantastic. They absolutely have their place, right? If you're looking at network traffic and tcpdump and Wireshark and port scanning with Nmap and all these different tools, Zeek log analysis for network traffic, you're gonna be working in open source.

But if you're gonna be dealing with multiple endpoints, you've gotta be looking at a commercial-level EDR.

And, uh, we are very, very excited in the fact that, uh, uh, that, uh, CrowdStrike was willing to come, and Andrew can talk about this more on Friday, but for most big security companies, what CrowdStrike is doing is something that you just don't see where they're putting the tool in the hands of the students and they allow the students to play with the product and work through the product and work through some challenges. It's one of the coolest things I've seen.

So we're excited about getting a top-notch commercial product in, uh, for the, uh, Pax8 event in Denver. So go register, come on down. It's gonna be a good time. Yeah, you're gonna have four hours with John if you show up there. Um, and, uh, John, um, yeah, do you wanna go news or do you want to, for those, just let me just do a quick show of hands when I say just if there's a slight delay in Crowdcast, but if you could just give us a yes or no.

Are you familiar with Backdoors & Breaches? And would, would you want John to just give you a quick overview today on what it is, how it works? And for those of you that do know, do you wanna see the new coolness in Backdoors & Breaches? Yeah. Yeah. So let's see if there's some Ys and yeses that come through, or some nos. We definitely have a little bit of a delay. They're running it through ChatGPT for naughty things. I hear they come. Yep. Yep, yep, yep. Okay. Good.

So yeah, so, so let's, let's take a little peek at that, John. Sounds good. I'm gonna reshare my screen. Yeah, There we go. All right. So this is the new Backdoors & Breaches. Uh, let me copy this and share it with everybody. This is demo, but eventually this is going to be the primary version of Backdoors & Breaches. And one of the reasons why this new version is so incredibly cool is you have the ability to work with scenario tools down here where you can choose your scenario.

Do I want a random scenario? Do I want a custom scenario where it allows you to establish what your initial compromise card is? What is your pivot card? What is your persistence card? And, um, you can establish and create your challenges based on the scenario that you want to play, uh, with people, be it a customer, be it internally, however it is that you wanna work with it. Um, it allows you to establish those scenarios.

Um, the other thing that I really, really, really like about it is, once again, you can flip over all the cards. You can play the game with your customers, and I'm gonna talk about more with your customers here in just a little bit. But you also have the ability, if you look at these blue cards, right? These procedure cards, these procedure cards, if you go down to the bottom, have links now at the bottom.

And the links are really neat because you can click on a link if you, you and your team says, I have no idea how to do SIEM log analysis. Like, what is this? Like SIEM log analysis? Well, I can click the link at the bottom and it opens up this Antisyphon link that says, here's a GitHub page with a full lab with what SIEM analysis looks like. Here's the VM for the labs, here's some pay-what-you-can classes. And by the way, here's a webcast that's an hour on this topic, um, that are out there.

So right here, this is a lab that's domain log review. How can we use tools like DeepBlueCLI to identify potential malicious activity? And then we can actually look at the event logs to determine what that actual activity looks like. So I mentioned this is great when you're trying to set up a scenario for your own team, you can be the incident master where you know what the cards are like. The way I would do this one is I would say, okay, I would look at the overall attack. There we go.

And I'm gonna flip the cards over, and then I play it Dungeons & Dragons style and say, all right, so you and your team come in on Monday morning and someone points out that the website for one of your customers has dancing gerbils, right? And you remember the dancing gerbils right now that's on your website. So if you're gonna deal with that, how are you gonna deal with that? And the team would say, well, the first thing we'd wanna do is we'd wanna look at the server. Excellent.

So now we have this card that says, okay, here is the server analysis card. How would we look at servers? What would be some tools we'd look at? Look at DeepBlueCLI, SANS analysis cheat sheets. Here's a link with some training on how we can do command line analysis on a Linux computer system to identify if there's malware on it. And then the team can roll a 20-sided die.

So if they roll the die and it's a four, it means it fails, it means they did not do that action successfully, then they might say, well, you know what, let's throw in some SIEM log analysis. Yet again, we have the SIEM log analysis training where you can look at what does SIEM log analysis look like? Here's full step by step instructions, and then you can roll the 20-sided die and it comes back, roll the die 15, it's successful.

And now we know based on that, that we were able to identify there the DLL injection attack on this particular computer system. And you can play this game with your team. And like I said, you have all of these different links, all of these different resources, all of these different tools that you and your team can learn from. And all of this is tied back into the training that Andrew and I were talking about earlier. Uh, so you can use this in conjunction with your training.

You can use it to kind of bolster, do a gap analysis of the things your team needs to learn. The other thing that I think is just really, really, really super cool about this is, as you know, a lot of the different things that we do, uh, at Black Hills Information Security and Antisyphon in our training, we suck at capitalism is one of the things we talk about, which actually isn't true. I'm gonna come back to that here in a second. 'cause I love capitalism. Capitalism's great.

I just suck at the traditional version of capitalism. So if you look in the upper right hand corner, do you see this GitHub link right here with this GitHub link, I can take and download the entire game, like the whole thing, and I can stand up the entire game and I can modify the game. So you can brand it for your company. 'cause right down here in the lower right hand corner, it says blackhillsinfosec.com.

You can totally go into GitHub, find that icon and replace it with your MSP's icon or your MSP's icon. And then you can sit down and you can, um, you can totally just work with your potential customers and you can sit down and play this game so that they can identify what the gaps are in their existing coverage. So an example would be customer just wants to pay for EDR. Let's say that the only thing they want is the endpoint protection analysis.

They don't want UEBA, they don't want to have cyber deception. They don't want to have a SIEM, they don't want to have network analysis. And you could show them just how hard it is to play a game. Now, I know that some of your customers are too small, they don't have IT support teams at all. You wouldn't play it with them. But for those companies that do have IT staff that you're augmenting, this really helps drive home the idea that they need to have these technologies in place.

And it becomes a great opportunity for you to upsell your customers to get the right technology in place with the customer. So that is Backdoors & Breaches. Right now it's demo.backdoorsandbreaches.com. I'll share that link out with you all and use the expansion deck. By the way, John, they were horrified that there's no cert on it. Uh, there's No what? There's no cert. It's not Oh, Oh yeah. Well, it's demo, right? Um, so I'm stealing all of your clicks.

Um, somebody mentioned, by the way, Andrew down below, I wanna see who said this. Um, what is it? Somebody had talked about, everyone always says Check, check your firewall logs. I am so happy that they mentioned that because we actually have a firewall log analysis call card right here, right? And there is an entire lab about how to look at your firewall logs right here, firewall log analysis link.

And it goes through step by step how you can take like Cisco raw log files and do that analysis in your firewall logs with some absolutely essential grep statements, and then some awk statements. And then my personal favorite is we actually do some math by doing frequency analysis by using our script. So there's some really, really super cool tools and some cool labs for you all to work with there. And yes, it is a, we don't have a certificate on this yet.

Uh, 'cause right now it's in demo, and I'm sharing it with you all on there as well. All the procedure cards should just say, call the MSP or call the IT company that, Yeah. Yeah. And John, even, even MSPs that don't have an IT, you know, you can still run a scenario based Absolutely. Um, uh, incident, you know, a tabletop with them.

Um, and, and I think the power of that is kind of to share with them, look, you know, right now, maybe, and maybe it's John, you've talked about this with cyber insurance, like, hey, you know, we're you, you mentioned you really don't care, you know about cyber insurance. You're not, you know, that's not important. Let me kind of, or, or you only have this much coverage, right? Yeah.

Let's do something with your cyber insurance company to kind of walk through what a typical incident would occur. Okay? The breach attorney would come in, they'd call in forensics. Let's just kind of walk through these stages and kind of look at the time that you'd be down, the impact to your critical business systems and the kind of the cost that gets starting to get wrapped up and why we're concerned about the coverage you have and maybe the plan or lack thereof that's in place.

So, well, what are your thoughts On that, John? Okay, so this is actually terrifying. I don't have any news stories on it, but this is actually something that's terrifying in the industry right now, Andrew. Um, so many MSPs that haven't been involved in a large scale breach where insurance companies get involved, they don't understand that the insurance company's incident response firm that they bring in, the breach coach is not your friend.

The vast majority of insurance companies, whenever they bring in incident response teams, their primary goal is to blame the MSP. Because if they can blame the MSP or the MSSP, then they can say, look, your MSP or MSSP didn't do a very good job of computer security. They were negligent. And we are not covering this breach. And you can start suing your MSP. This is happening. This is happening right now. So if you're looking at insurance, one of two things is happening across the board.

One of the things that's happening is there's a number of insurance companies that are flat out refusing to do cyber insurance anymore. Um, that's huge. The other thing that we're seeing is insurance companies pushing back very hard on insurance claims that if there isn't due diligence that's in place at these organizations, they aren't going to pay at best. At worst, they're going to encourage the company to sue you all. Mm-Hmm. That's where this is headed.

And a lot of MSPs aren't ready for it. You know, we've talked about it where they, they, we've talked with MSPs and their number one concern is, well, I've gotta be the cheapest MSP because that's how we win our business. Um, if I'm a little bit more expensive, I'm gonna lose work. I'm gonna lose business. And, and there's this great quote, I can't remember who exactly said it, Andrew, I can't remember if it was Wes or Ryan. They say, well, if we train people, they're going to leave.

And then the quote on the other side is, if you don't train them, they're going to stay. And what's more terrifying, right? And I, I think whenever we're looking at the entire space, the MSPs have really gotta make a decision, um, either A, they're going to get into computer security and they're gonna start becoming an MSSP. They're going to start charging appropriately for the level of security that's required for insurance, or you're going to go out of business. Those are your two options.

Either a, you embrace the suck, the fact that computer security is a thing, or you can just become a, a dinosaur. And we've talked with MSPs that are literally hunting other, there's the book, there are MSPs out there that are literally hunting for MSPs that aren't doing security and doing it well, and they're actively stealing customers from those MSPs. So that's the world that we live in right now. And that is an absolutely terrifying thing, but it's the truth.

And security has to be ingrained in MSPs and really trying to push MSPs to be becoming the MSSP, I don't think that just an MSP is going to exist anymore. It's gonna have to have that second S of security and really incorporate it for them to, uh, to exist in the near future. Yeah. So we got off on a tangent there. We did. But that insurance thing is huge, by the way. That's, that's a monster. But I'm so glad you, um, Bob, who, um, good to see you out there.

Brent Gleeson, who is the author and Navy SEAL, he is going to be the keynote speaker, John Mm-Hmm. Uh, at, at, uh, Right of Boom, March. I I'm so excited. I'm gonna bring my copy and have him sign it because, Uh, yeah, he's awesome. He's gonna be doing a workshop on leadership, um, and literally, um, team building. Um, and it, his thematic really fits nicely into dealing with incidents. Um, so we'll have a team that, a group, it'll be limited that he'll be running, then he'll do the keynote.

Um, so you'll be competing with him, John, uh, during your pre-day. Um, but I, there's gonna be a, there's only limited, there's gonna be plenty of pre-day. Um, and, um, but, uh, the other thing I wanted to, to kind of just run through real quick, John, few quick questions. Our good friend Damien, who's on Damien is it, um, forgive me, are you in South Africa? And don't shoot me, or I thought I, but Damian's asking, um, do you ship Backdoors & Breaches internationally? Not yet.

And that's part of the reason why we created the website. So it can be accessible. International shipping is a nightmare. Um, we have a 70% failure rate of trying to ship decks overseas. So Yeah, yeah, yeah. You started, Andrew, you started say Right of Boom? Yeah, I'm sorry, Tobin. It's, uh, it'll be the sixth through eighth in, um, we'll, we'll have a, we'll have a save the date coming out. Uh, we did recently just finalize everything.

It'll be at the MGM Grand in Vegas, uh, March 6th through eighth of, uh, 2024. Such A, such a cool, We got a, we got a sick hotel rate. It's 135 bucks, John. Um, it's, it's gonna be incredible. Um, okay. Other thing. Um, so Josh, Joshua asks, um, does BHIS or anyone else provide, you know, kind of a consulting service to facilitate a Backdoors & Breaches exercise? Absolutely. With MSPs? Yes, absolutely.

Um, just shoot, if you go to, uh, shoot an email to consulting at Black Hills InfoSec, um, and we will, we will set you up a link to do that. And we do that for free with a number of different organizations, especially for people that are former students and are, were working, they're part of like the cyber call family. Um, I may not be the one to do it. It may be rotated between, it's fantastic at that as well. Sorry about that.

So we'll do that with MSPs to make sure that they have the right technology stack in place. So, Sorry, I'm just putting the sun. So You said $135 per room? Like Per night? Yeah, per night. On the room night. That's Ridiculous. It's really low. We got, we, they, we got an incredible venue. Um, the, the space that we have is incredible. We almost have the entire third floor of the conference center. Um, and, and John. Um, so, so again, it's 135.

There's obviously a resort fee and tax, but even still with all inclusive, it's insane. The price and these rooms are incredible. Um, anyway. Alright, so, um, last question in the queue and then we'll go to the news, John, and open Q&A. If anybody wants to come up on stage and chat with John, we can do that too. Um, I'm gonna just read this out from Josh. A big part of my job is getting our clients, um, with getting their companies compliant with their cybersecurity insurance firms.

One of the biggest things my clients lack is a good, uh, incident response plan, IRP, uh, uh, I know before it comes to writing an IRP, you have to do a risk analysis and identify the important data stuff. My question is, what are some good resources or training related to helping, um, with helping, uh, learn about good risk management and writing IRPs? Alright, so when we're looking at, boy, everyone's just calling us all over the place.

Um, so I'm gonna throw up AuditScripts and I'm gonna start with the Critical Security Controls right here. And this is, uh, Kelli Tarala is the main person behind this, along with James Tarala. And there's a bunch of different like spreadsheets that you can work through that are amazing. We talk about this in the class as well, but they're free and they work and they're awesome.

And if you go down at the bottom of that, there's a master mapping document that allows you to take the Critical Controls and allows you to cross reference those controls to every other audit framework in the world. And the reason why that's important is because a lot of your different market verticals, you might be working in healthcare, healthcare may care about HIPAA. They may not care at all about FFIEC or ISO or SOX or COBIT or any of those other frameworks.

You may have somebody that's doing manufacturing and critical infrastructure and they may be really concerned about NERC CIP or the NSA, uh, cybersecurity framework for critical infrastructure. They may not care at all about HIPAA. So being able to communicate with customers about which framework is applicable to their market vertical helps you sell things in a way that isn't you selling.

It's you illuminating and teaching your customers what is required in their industry and in their market vertical. Then selling is super easy. So the classes, uh, intro to Security is the main class where we talk about this, but the resources are free. I just sent the link in. You have it there, you can run it. Oops, I already sent that message. Uh, Crowdcast is telling me. So it's up above. So you have that, you have the resources and I think I can download them here.

Let me share my screen real quick. Unfortunately, I'm, I'm on a Mac, so it's gonna run it in numbers or pages. And so I'll show you the big ones that we have. One of them is just the assessment tool and I can open up the assessment tool like so, and I get a font error. 'cause of course I do. And in this particular tool you have, each of the critical controls is represented up above here. Lemme get rid of that. Uh, critical control four, critical control five, critical control six, and so on.

And as you go through and you say that these things are implemented in a customer's environment, I can just do the dropdown and say it's implemented on all systems. And then I can pull that all the way down. You can see that this is, um, going to change the way it actually shows on the pie chart up over here. Let's Go back. Yeah, I'll just tell, so John, the way Crowdcast works is it's not really great. It's showing any, sorry guys. It's not great at showing anything other than browser. Okay.

Even though it's, so let's stop that. Let's stop that then. Yeah. Even though it in theory says you can, but AuditScripts is great. John, I just, if I could share one thing real quick. Sure. Go for it. Um, guys, if I'm not sure if you've heard of, uh, another resource that I have for you all, just bear with me if I can find it, if I can find it. It's called the Cyber Nation. What is it? Why, why is it not coming up here? Bear with me folks, please. Uh, No worries.

And, uh, whenever it comes to IR, um, the way I like to like to look at incident response, don't look at incident response as a workflow. Like do action one, decision tree decision two, decision tree flowing through that does not work. Um, there's, I don't think there's anybody walking the planet that's taught as many people incident response as I have.

And one of the biggest mistakes I see companies do today is they try to create a flow chart of how to handle an incident that doesn't work because of two reasons. The first reason is whenever you get into an incident, no one ever reads the flow chart. They just don't, they just end up doing whatever they're gonna do ad hoc. Uh, most of the time it falls into like, you know, one particular individual who is a champion at this stuff. And that's bad, by the way.

Um, the other reason why flowcharts don't work is your adversary is not going to work the way that you expect them to. Uh, Dwight Eisenhower said, plans are useless, but planning is indispensable. Trying to develop well detailed plans on how exactly a battle is going to work does not work because things change dramatically whenever you come in contact with the enemy.

So what happens, what I recommend is if we go back to me sharing and I can't actually share my browser, which works good, so let's go ahead and share that. Um, over here on Backdoors & Breaches, the way I recommend that people look at incident response is they look at it as Lego bricks of functionality. So your team needs to know how to use server analysis, UEBA, memory analysis, isolation, network threat hunting, firewall log analysis, endpoint analysis and so on.

These should be the skills that your team has and it's just like the Lego movie. Whenever you get into an incident, if your team is well trained in the procedures to these individual Lego bricks and functionality, you can handle just about any incident that you could possibly imagine, uh, working with. Now that doesn't mean you can't have an IR plan.

You should, most of the time when you're looking at IR plans, you should be looking at IR plans in the realm of, uh, flow of communication and escalation. Alright, so it looks like Andrew is ready. Yeah, I'm gonna try and share something. John, can you see, I see your screen for sure. Okay. Can you see this? It? I, there we go. Yes, I can see the Cyber Nation with Chris Loehr. Yeah. Yeah. Okay. So guys, if you come into the Cyber Nation and I can, I'll put the URL in there.

This goes all the way back to Joshua's question, if you haven't done an incident response plan before, um, a year and a half or so ago, maybe a little more, we did a, um, tabletop with Chris Loehr, Wes Spencer, um, and, and then, uh, we also did one where we had Mike Beard, the CSO of Marco on, and uh, he actually shares, uh, his entire, um, incident response plan. Uh, lemme see if I can find it real quick, John. And I Think I just saw it do a search for incident response.

I just flew it just flew by the screen. Yeah, I ha I have it here. Oh, there it is. Incident response plan, webpage content. Yeah. IRP. Yeah. And, uh, bear with me guys. Uh, anyway, hey, there's Carl. I think Carl's with us. Oh, you can see, um, anyway, I'll find it in a second. I had it up a minute ago and I'll, but I'll put it in in the URL for you guys. Um, I'll stop sharing, but the entire, um, uh, uh, red, uh, incident response plan is available. Nice. Uh, here it is.

I think it's right here, John. Yeah. Um, The whole plan. Yeah. Yeah, he gives the entire plan right here. Cool. Yep. So I'll put this in there for you all. Um, it's a great incident response plan. He's, we san he sanitized it, he got approval to share it. That's so awesome. Uh, So lemme close this. Lemme put this in here for you all. Thanks Justin. Um, I'm putting it in there too. Um, Justin, was it, did you like it? Was it good? Um, and, uh, just let us know. Okay, John, over to you.

Uh, any news and do you guys, any of you all want to come up and ask John any questions? All, oh, go ahead. No, no, no. We're good, John. Alright, I'm gonna start talking about this story. Um, I'll put it in the chat and then I'll share my screen and then we will go to, uh, we will go to this first story, uh, Bitmarck halts operations due to a cybersecurity breach. Um, this is, there, there's actually two stories, right?

Neck and neck with each other, this one, and then the next one where I, I like to just reiterate that whenever you're looking at IT service providers, right? They are absolutely in the crosshairs. And I, I think it really, really started with the Kaseya breach where attackers realized that they could get access to one company and then they can get access to a whole bunch of other organizations. And we generally throw that under the umbrella of supply chain hacks and supply chain attacks.

And I have significant problems, uh, with throwing everything under the supply chain attack kind of umbrella. And the reason why is because if we throw it into that, we start getting into articles like this second article, right? Which by the way, is not a horrible article from The Hacker News, right? It says Why telecoms struggle with, uh, SaaS security, right? Where they're talking about what are some of the problems that exist in telco providers?

And long story short, they're cheap, they have incredibly high turnover, they're treating people like absolute garbage. Their turnover is something like 18%, right? Here is what this article said. So with 200,000 employees, expect 36,000 to leave a company every year, or 140 per workday.

And the reason why I brought up this article and the previous article is traditionally things are put under supply chain attacks or SaaS attacks, and this basically turns into an advertisement for protecting your SaaS security posture management. Um, so I bring this up for two reasons. One, for MSPs to understand that they fall under this telco provider, they fall under this IT services provider umbrella, right?

Where you're constantly trying to maintain IT infrastructure on a shoestring budget. You have nation state attackers coming after you, you have, you know, trying to keep people's morale up, and the team is really, really, really incredibly hard, which I'm gonna get to here in a couple of seconds as well. And there's no real positive upside, uh, for these various stories. There just isn't.

I think that once again, the best way that you can arm yourself with these stories is use these stories to allow people to understand the magnitude of the threats that we are currently facing. Um, I have a number of friends in the industry that are looking at IT security, and what's happening right now is not just a threat to humanity, but one of the existential threats to humanity. I mean, absolutely you have the capability for wide-scale, uh, just carnage, right?

And if you look at critical infrastructure, this one percentage just keeps rolling around in my head that I saw at Right of Boom, the last one that I was at. Andrew, correct me if I'm wrong, 56% of the critical infrastructure in America is protected by MSPs today, 56%.

And the reason why that shocks me, and the reason why it concerns me, is that means that 56% of the critical infrastructure today in America is being protected predominantly by organizations that don't have the resources or the training to be able to deal with those incidents. And that's probably one of the bigger reasons why we focused so much on computer security training and trying to come up with affordable training and pay-what-you-can training.

Uh, next week I have a class on cyber deception, which I'll talk about here in a couple of minutes. That is pay what you can for your teams as well. But there's things that we have to bring to the table, right? Because if you're looking at the attack against telcos, if you're looking at the attack against supply chain, and that includes MSPs, MSPs and RMM tools, these attacks are not attacks that are launched predominantly by script kiddies, right?

They're not the attacks that make the news every once in a while about a 17-year-old in their basement in the UK hacking a large scale organization. These are incredibly deadly, nation-state-level attacks, where the nation state attackers wish to dwell for as long as possible on those networks. So they have the ability to launch a variety of different attacks at a moment that fits their choosing, right?

And when we couple that and we look at it, T-Mobile was hacked again today, uh, not today, it was a couple of weeks ago. But we have another breach of T-Mobile, right? You know, we're looking at like 49 million customers hit by a data breach.

And the thing that's absolutely terrifying is so much of our infrastructure is on SMS-based two-factor authentication back to someone's phone, and this shows that this is where you have nation state attackers focusing their efforts, because they're trying to get the biggest bang for the buck.

So if you're looking at SolarWinds, SolarWinds is a great example of an attacker that gains access to a package and an infrastructure that is used by a large number of different companies for monitoring their network infrastructure. And the Russians' main goal wasn't to sow chaos. They wanted to stay on those networks, not because they had a specific goal, but because they may have specific goals in the future. And that goal may be chaos.

That goal may be intelligence gathering, but this is the game. This is the game that's being played at the highest levels and we're not talking about it. Instead, we spend a tremendous amount of time talking about ransomware. And that's not to say ransomware isn't important, but ransomware gets talked about because it's visceral, it's flashy, it's in the news, it's something that we can sit around the water cooler at work and have a conversation about.

We're dealing with nation state attackers that are targeting supply chain. We're dealing with nation state attackers that are going after companies like T-Mobile. You're dealing with people that are gonna use very crafty means and methods. And we have to all up our game as much as we can. Just saying ransomware is not the standard we should be shooting for.

One of the other things that, uh, has been coming out, like I was at RSA last week, and it said that 52% of UK&I decision makers expect security team members to leave within the year due to burnout, and InfoSec burnout is a real thing. And I think it's interesting for a couple of reasons. One, a lot of MSPs are starting to get into the security realm. And like I said, burnout is a real thing.

I somehow think, or somewhat think, and this is kind of gonna sound weird, that MSPs are more equipped to handle the pace of the future of computer security than a lot of security professionals. Uh, let me explain.

So if I have somebody that goes to college, hypothetically, let's say Dakota State University, great university, good cybersecurity program, um, is fantastic. When a lot of these people get into computer security and they go into college, they have this vision of computer security as chasing hackers through cyberspace, hammering Red Bulls. And what they don't understand is it's a lot of day-to-day drudgery.

And it's a lot of documentation, and there's a number of young people, and I don't wanna rip on just young people, a lot of people that are trying to enter the information security field that are not equipped for the pace and change of computer security. They're not equipped to deal with the politics of computer security. And yes, you have people that absolutely eject from this industry. Now I want you to compare that to the MSP space.

A lot of the people that I've run into in the MSP space don't have degrees. Not saying that is a bad thing, just bear with me on that. They just don't have degrees. They got outta college and they were really good at computers and maybe they worked at Geek Squad for a while. They saw a job at an MSP, someplace where they could grow their skills and learn networking and get into advanced things. And their growth in this field was more or less organic, right?

And they deal constantly with crap. You know, customer's printer isn't working, someone's got a virus and they need someone to blame, so they're gonna blame you. And it's interesting because I feel like the MSP space is far more equipped to deal with the pace of what is happening in computer security. That doesn't mean that burnout isn't real there too, in the MSP space. It's just a lot of the MSP people that I talk to, they've got war stories.

I mean, you all have war stories, great war stories of all kinds of late nights trying to get computers up and running and working with customers that are problematic and dealing with politics and calming situations down. And the rate at which a lot of people in the MSP space deal with that is much, much, much higher than the computer security space. So once again, I keep telling MSPs, you need to start setting your sights higher.

You need to start looking at how can your company compete with big security firms? And by the way, I'm asking you to compete against me. But there's nothing wrong with that. It's a game of Hungry Hungry Hippos and the marbles are infinite, right? And there are so many security firms that are doing an absolute garbage job trying to defend networks. There's a couple of firms, I'm not going to mention them, that in the security space are well known, maybe not so much

in the MSP space. One of them, we realized we pen tested five times so far this year and they didn't detect a single attack that we had. Now their booth at RSA was fantastic. They had an amazing booth, um, really, really cool things at the booth, but they don't catch anything. And I think that a lot of MSPs are coming from a different starting place than that. Uh, the next story that I wanted to talk about is Google obtains a court order to disrupt CryptBot distribution.

And specifically the reason why I wanted to share this is, uh, this particular bot and what it's doing, and also looking at like LOBSHOT and what it is doing. They are delivering malware through Google Ads. And one of the things I would encourage you to really try to push your customers on is to severely limit the amount of advertisements that are allowed into your customers' environments.

Uh, you can block ads at the edge with firewalls, you can block ads within the browser, um, by using Ghostery and Adblock Plus and tools like that. And it's just a good idea, and it's a good idea for a couple of reasons. The first reason why it's a really, really good idea to block advertisements is it's going to reduce the amount of malware that you have to deal with in an organization. It just is.

And the other reason why I think that it is so important to shut down ads is it reduces the noise that you have to deal with in your organization when you're looking at network traffic, when you're looking at outbound network connections from compromised computer systems or potentially compromised computer systems. It really helps clean up that signal-to-noise ratio, so it's easier for you to work through that incident effectively for your customers as well.

So seriously look at blocking ads, because ads have never been a good thing. They use a lot of bandwidth, malware comes in through ads, there's tracking, they're just kind of all kinds of creepy things, um, when dealing with that. Um, next one, I like this one. We have Dridex and a number of different malware, uh, specimens that are out. So ZI is one, and this one is using, um, an hVNC module. And I wanted to talk about here, lemme share with you these links real quick.

I wanted to share with you on this a couple of different thoughts on kind of where we're at right now and where I see the state of offensive security going. Where we're at right now is EDRs are flat out kicking the living snot out of incident, sorry, kicking the living snot outta pen testers. Uh, you get on a box with something that's running CrowdStrike, it's relatively easy to get initial code execution still, because your computers are designed to execute code.

It's difficult to understand whether or not something's malicious just by doing, you know, like analysis on a hash or analysis on the modules. But once you get on a system and you start doing lateral movement or you start doing privilege escalation or you start querying the domain controller, advanced EDRs are absolutely just destroying pen testing firms today.

So what a lot of pen testing firms are doing, my firm included, is we're starting to look at these gray areas of RMM tools, be it VNC or be it commercial tools, talking about Velociraptor. We can get Velociraptor down to a very tiny little, uh, MSI package that installs everything and configures it to come up to one of our servers. I want you to think about your RMM tools that you're using. One of the ones that we play with quite a bit is Ninja, which is an awesome RMM tool.

Love the guys at Ninja, great product. And when my pentesters play with Ninja, they're like, this is really a fantastic remote access tool implant. It's like, no, no, no, no, it's an RMM tool. They're like, yeah, I know. But seriously, what it can do is incredibly powerful and it is many times completely ignored by EDR products. I'm telling you this to be careful, right?

Know what type of RMM tools you are using and really try to focus on doing some testing to make sure that your EDR and your SIEM can detect if somebody drops another RMM tool in the environment. Uh, one of the ones that I like is Velociraptor. I misspelled Velociraptor. There we go. Here we go. So this one is free, and I encourage you, just give it a shot. See if you can deploy it on one of your customer systems and see if the EDR detects it. Um, this is just one of them.

There's multiple out there, there's multiple different versions that are out there to check. Oh my gosh, we've got questions, Andrew. Um, let's go through, what do we have here? Uh, do you have any questions that you saw that you wanted to jump on real quick? So do you mean in chat, John, specifically? Yeah, in chat. In chat or questions? That's a question. So one of the questions I saw was, um, is there, uh, a good solution you have for shutting down ads?

John, you mentioned firewalls. Yes. Um, so you can shut them down. A lot of your firewalls have a category that you can block for egress web traffic where you can block advertisements. That's number one. Number two, you could push something like Ghostery or Adblock Plus to your customers' platforms as well. Um, so you have a number of different tools at your disposal that you can play with out there. Got it. Uh, I want to hear some of the companies John doesn't wanna mention by name.

I can't, I have this rule. I can only talk about companies that I've worked with that were 20 years ago. Um, so I can talk about Department of Interior right now. Uh, if you want me to talk about a 20-year-old series of incidents and stories, I can talk about that. Um, 'cause I figure I'm well outside of the statute of limitations, and I hope deep down in my heart that Department of Interior has replaced all of the servers that existed 20 years ago. Very fair.

Um, I think that's it, um, in terms of questions, unless I'm missing them, maybe you guys can bubble them up. I've got some comments in here that I think are really good. Okay, go. Um, we've got one. Unfortunately, ChatGPT will replace all of us soon so we can sit on the beach while the bots fight the nation states. Um, I don't think we're there yet. I think soon is a relative term.

Uh, when I was at RSA, most of what I saw of utilization of ChatGPT and AI had nothing to do with like detecting attacks, reacting to attacks. The thing that was really grabbing people's attention is how ChatGPT and AI was describing complex things in an easier way for the analyst. An example of this would be, uh, Corelight.

Corelight has Suricata at the heart of it, and they have something where it submits the Corelight signature that tripped an alert to ChatGPT, and then ChatGPT describes the Corelight alert in plain English. So there's a lot of that right there. Um, that is coming out right there. So, John, go ahead, John. Tammy asks, uh, suggestions from John on how to combat the session hijacking we're seeing right now in Microsoft.

Um, so when you're looking at, uh, specifically what type of session hijacking: we do RDP session hijacking, we do session hijacking and interception of, uh, web traffic. We do a lot of session hijacking out there as well. So, yeah, so Tammy, if you wanna just comment in chat, we can go off of that if you want to. Uh, let's see, what do we got? Hmm. Um, do you have more info on Velociraptor? How do you have that configured? We are trying to use it.

Uh, Jeremy, we actually have, if you go into, um, endpoint analysis, I think it's endpoint analysis, I think it's actually under endpoint protection analysis. We actually have full step-by-step instructions on how to deploy and run Velociraptor. Um, and it's built into the class VM as well, so you can play with it. Um, very, very cool.

But the long story short, whenever you deploy Velociraptor as a server, it gives you the option to actually create an MSI that has all the, uh, client configuration built into it as well. Uh, AI/ML, don't ignore it. Figure out how to use it for your benefit and how to counter it when it's used against you. Um, I agree. I think that that's a great, great attitude for it. How long has it been, has it been enough for us to discuss attacks against NetBEUI?

That's something I haven't heard in a long time, Andrew. Um, I think that we're safe not talking about that, but I'm gonna say that and then next week they're gonna be like, legacy NetBEUI attacks are still relevant. I'll be like, I didn't even know, um, how did I miss this one? Right, right, right, right. Okay. Good stuff. I know we're approaching the top of the hour.

Um, any questions you might have for John, specifically on the MSP training content, Backdoors and Breaches? Uh, any of his upcoming pay what you can, he's got Cyber Deception. Yep. That's next week. Lemme put that link in real quick. Right there. Yeah, we got Cyber Deception coming up. John, for yourself then, are you back to, uh, intro or SOC? I think we start with SOC. I think we flipped back around to Intro to SOC at that point. Okay. Oh, I almost forgot, Andrew.

We have a community edition of AC-Hunter. Okay. That people can play with too for network tracking. Um, I put that in the link as well. It is a free version of AC-Hunter, so go check it out folks. That's awesome. Um, here we go. What are some of the things you would recommend an MSP with less than a hundred clients do if they were starting, or when they start, a cyber security department? So, in the Intro to Security class, we have 10 things, uh, that we recommend.

And this is available, you can get it on demand. It's part of the MSP bundle. I'm gonna teach it for free probably in two months, maybe three. I don't know where our timing is on this because I go Intro to SOC, Intro to Security. In Intro to Security, we really, really, really focus on, um, doing application allow listing, and doing that in a sane way. It's not hard to do the way that we teach it. Doing internet allow listing in a sane way. Once again, totally not hard the way that we teach it.

Um, getting into running an EDR, running a good EDR, something like CrowdStrike, is essential. It may be more expensive, but what I always tell people, and I don't wanna rip on anyone's product, I don't, but a high quality EDR is kind of that stitch in time saves nine, where if you're running something that's high quality, it reduces the incidents, which means that you're gonna be chasing your tail less.

Um, egress network traffic analysis, utilizing passwords and multifactor authentication, and really focusing on those core things that we teach in that class. And I can find that class that literally has all of those different things. Um, lemme go through. The 11th, top 11 things, Joe. Yep. Well, it's the 10 things and then the 11th is do backups. Okay. Um, so, uh, while you're looking, Eric asks, do you see honeypots being used? Yes. And catching pen tests? Yes, we do.

In fact, once again, I'm sounding like a broken record on this. If you go to demo.backdoorsandbreaches.com and you click on the cyber deception card, it takes you to this website. I'm gonna share that with you. And the website has three separate labs on how to set up, um, a honey share in an environment, a Canary token in your environment for like documents, and a honey user in your environment. And these are the three main things.

Whenever we're doing a pen test, these are the things that get us. Uh, we end up going after a share in the environment, it's like, you know, passwords, and we fall into it every single time. We do an internal password spray, we trip the user account that is the honey user account. Um, we grab a document that says passwords.xls, and it's actually a beacon. So not only does it work, but my customers come to me and say, we were able to identify where your pen tester lived within 70 meters. That is awesome.

And yeah, Ben Jones, we talk about OpenCanary. Uh, when we talk about Canary tokens, Haroon Meer and his team are the people that keep that website up and running. And we have a lab completely built around that. Um, one of my good friends, SubTee, he's on Twitter and on Bluesky and on Mastodon, he's called SubTee, a fantastic security researcher, and he works for Canary as well. So really good friends with those folks.

John, um, you said, I think, uh, some, I'm sorry, this person, uh, Tobin, sorry, said it, Right of Boom, and talking about AC-Hunter, your community edition. Mm-Hmm. Um, still standalone relative to multiple? Yeah. I think you can have seven different data sets in the Community Edition of AC-Hunter. Um, full integration with LDAP, single sign-on and with SIEM is something that we do in the commercial product.

And I might as well tell you all, we're gonna be raising the price to $20,000 in about two weeks, uh, for the full commercial version. So that's going up, right? But even for a SOC, if you have full packet capture in your customer environments and you get into an incident, you can absolutely take those full packet captures, ingest those into AC-Hunter and do analysis as part of IR. So it's still very, uh, very valuable as an IR tactical tool.

Well, and I think what he's sitting there wondering is, it's a tool for a company versus an MSP, when they think about it, they think dozens of companies. Right. So the Community Edition is something that would be very single use and tactical. Uh, the full commercial version is the one where you can have multiple feeds from multiple different organizations feeding it all at the same time. Right. Fair enough. Good questions.

Um, John, when should we do this again? People, I think, what do you guys think? Do you like to... Let's shoot for June, like the first week in June. Yeah. Let's see. Sound good? Yeah. Um, I think, you know, 'cause people may be going to IT Nation Secure and or the Pax8 thing. Those are back to back weeks. Yeah. Um, so first week. Yeah. 'cause John has nothing to do. Yeah. Um, first week of the month. Okay, cool.

Let's shoot for it. Let's do it. That sounds great. It'll be cool if we, I would love to do it from the Pax8 event. Um, that might be a lot of fun if we can do it, uh, from the floor or the hallway or something. Possibly. Yeah, yeah. Yeah. That'd be fun. Yep. Uh, that'll be a lot of fun. Um, well good. Um, again, if you, uh, John won't be making it to IT Nation Secure this year, however he will, like I said, be at Pax8 teaching day one.

Uh, the whole security lab piece is kind of, Mm-Hmm, what John and I got to kind of do together with, uh, my good friend Rob Ray, who's over there now. Um, so we'll have a lot of fun. Uh, it's in Denver at the Gaylord, so check it out. Me and John, we should, you know, we should do a night where we get everyone together and we all go to Fogo de Chão in downtown Denver. Oh, okay. I don't know, I'd like, um, we could do that. Or, um, there's some other good restaurants.

Uh, there's an Indian restaurant. We'll find something. We gotta find something fun to do with people. Andrew, that's, hey, I think they'd just like to hang and do Backdoors and Breaches, John, but we could maybe do that, um, you know, uh, at Fogo de Chão or something. Yeah. Alright. Alright, well we're at the top of the hour. Awesome seeing everybody. Thank you for showing up and hanging with us, and we'll get something on the schedule for this time, uh, next early June.

John, thanks a million. Thank you all for coming and hanging with us. It was a blast. And uh, look forward to seeing you all very soon. Alright, take care everybody. Stay safe. See you.
