Right of Boom
January 30, 2025

MITRE ATT&CK / Shield in depth

In this video, Gary, Wes, and Ryan discuss the critical aspects of threat modeling and building a threat-informed defense for MSPs. They dive into understanding threat profiles, using the MITRE ATT&CK framework, and how MSPs can leverage this knowledge to enhance security measures against adversaries like Gold Southfield and others. The session aims to demystify threat intelligence, helping MSPs better prepare and respond to potential cyber threats by understanding their enemy and improving their cybersecurity posture.

- The workshop focuses on building a threat-informed security program using threat modeling to better understand and defend against cyber adversaries.
- Understanding threat profiles and adversary tactics is crucial for tailoring cybersecurity defenses to specific industries and threat actors.
- The workshop emphasizes the importance of combining human-readable and machine-readable threat intelligence to create an effective cybersecurity strategy.

Guests

Andrew Morgan

Video Transcript

All right, we're live. Welcome everybody to the first MSP Threat Modeling workshop. Joined, uh, with a special guest and three other guys that hang out with me every Monday. So, special guest, Forrest Carver of MITRE. Forrest, thanks for joining us. Yep. Hey, thank you. Glad to be here. Yeah. You, we, uh, we hear, uh, you are near some of the, uh, best seas on the planet. Is that true? Yeah, yeah.

I, I have the, the poor luck of, uh, being, uh, like a hundred meters from the Mediterranean Sea on vacation this week, so I'm not gonna complain. Fantastic. Well, thanks for joining us. Thanks for taking time away from your family. What's that, like 11 miles or something? Right. So my conversion. Alright, so, so, um, I'm gonna hand it to Gary in one minute, but I wanna introduce, um, well, Gary, you're gonna introduce him, so I'll, yeah, yeah, we'll do, we'll do the introductions.

We have some pictures. We're gonna, this is very professional. Yeah, that's true. I totally forgot about how professional this was, but welcome everyone, and let me share out my screen and, uh, gimme one second here, Gary. We'll go right at it. Here we go. Share. And let me put this into full view and we will be on our way. Go to the first slide. Here we are. Here we go.

Hello everyone, and welcome to really the first I've seen in our industry of this concept of bringing you a threat modeling, uh, workshop. My name is Gary Pica, the President of TruMethods, and, uh, Andrew, let's, let's introduce our illustrious panel. Oh, look, there's me, there's you, Andrew, of course. Great picture of Wes Spencer, the CISO of Perch Security. Fantastic. Should I drive forward?

Yeah, I and the rest of our team, Ryan Weeks, uh, who everyone knows, uh, each week on the cyber call, and a couple special guests. Uh, so we have Forrest Carver, who we have on right now at this, at this moment. And, um, he is from, uh, MITRE. So Forrest, thank you so much for being with us. We really appreciate it. Awesome. Hey, thanks, Gary. No, glad to be with you. This is gonna be awesome. Yeah. And then, uh, Andrew, can you do the intro for Matt? Yeah.

So, Matt Abel is gonna be joining us at, uh, 2:00 PM. He's with Red Canary. Ryan, uh, thanks to you. Pulled the favor. They, uh, work, do some work with Red Canary and Atomic Red Team, and they are gonna literally bring out, uh, their, um, platform and walk through, uh, an adversary, um, in, in essence an attack. Um, so we're gonna be doing that with Forrest and Matt, um, are gonna be going back and forth and that. So very exciting. We'll have, uh, Matt on shortly. So here's our agenda.

Go ahead, Andrew. You, you can run through it. Okay. All right. So the agenda here, um, we're gonna start off with Wes and Ryan who are gonna talk about MITRE ATT&CK and Shield. We've, we've talked a little bit about this on the cyber call. So ATT&CK is the TTPs, how our adversaries attack us; Shield is how we can defend against it. And then, uh, Wes and Ryan are gonna really talk about how to build a, a threat-informed security program and why knowing your enemy, as Ryan says, is really critical.

Um, so that's hour one. Hour two, as I mentioned, Matt's gonna be here and Forrest, they do a lot of work in this area. Um, so I'm really looking forward to hearing certainly Forrest's, uh, perspective on this. Um, and so that'll be the second hour, and then we'll come back to, uh, Ryan and Wes, and we'll actually get into threat modeling, uh, and your MSP. So that is our action-packed agenda. Gary, why don't you tell 'em what they can win? Yeah.

So, uh, if you haven't already done this, uh, you can get free access to TruMethods training. So this is sponsored by Cisco, where you can gain 60 day access to TruMethods Formula One training. Um, you'll see this, uh, this session will be, uh, posted in our cybersecurity track. Uh, everything you need, both go to market and technical training, uh, also some, uh, Cisco cyber, um, uh, uh, enablement. But there, you see some of the things in there. Go ahead, Andrew. You can go there. Yeah.

There you see some of the things. This is just in the foundation. So this is really the business aspect of it, of, um, an overview, how to look at things, securing your house, packaging and pricing and, uh, go to market. So, uh, and then, uh, all the technical resources and, you know, a lot of the people you see on this call across, you know, others, um, security, uh, people from the industry. So really good technical training. And then the last thing is the Cisco enablement. Yeah.

So, um, in, in addition to this, Andrew, not just this track, but people will get access to our entire library of videos and resources, which is, you know, over 150 hours of role-based content on every aspect of building a high performance MSP. So, uh, service delivery, sales metrics, business planning, um, every really, there's nothing in there, uh, no question that I've been asked over the past 12 years that we haven't created a video, uh, to answer it.

So, um, Gary, I'm just gonna say I'm a little biased because I've known you a long time and believe in what you do, but man, we had two MSPs on yesterday. Your first customer ever. Miles. Yeah. Call, and then Keith Bartel.

I mean, and I think Keith really typifies, uh, you know, a, a guy that was working in corporate America in technology, decided that, uh, you know, you know, based on your convincing, I'll, I think I'll run an MSP, got part of your program, and now what, what is he, like 350, 400 grand in MRR? Uh, yeah, yeah. At least, yeah, 40 employees. He's a, he's, uh, he's done a great job. So, yeah. But you know what, what really, what this is about, like today is a good example.

That cybersecurity maturity, it's a journey for every single MSP and for your customers. And you're going on that journey together, right? You're not taking over their, their risk, right? It's gotta be a shared, uh, risk relationship. But you're walking with them and guiding them through that journey, and that's how they have to see it. You need to do this by building an assume-breach security mentality. That has to be, uh, how you approach things.

And security needs to be part of something, uh, that's part of your culture, and knowledge and community are the foundations. So you need to understand what you need to do. You need to be around others that are also on that journey as well. And that's what, uh, we're trying to do here at TruMethods. And that's what, uh, the Cyber Call and Cyber Nation, uh, are also all about. So this is gonna allow you to understand bad actors and threat vectors at a much deeper level.

So, you know, we can change people, process, technology to better be prepared for attacks, both preventing them and what to do, uh, uh, um, you know, right of boom. So this is, I would say today, uh, is the second best way to make a positive change in your security posture. We always say the number one way is to get breached, right? So if you get breached, uh, that's the ultimate motivation. But if you want the second best way, it starts right here, right now with these experts today, Andrew.

Yeah, well said. I always think of Wes, you want, uh, you, you, you want security budget, get breached. So, uh, with that, and, uh, Gary, Gary will go ahead, my son. He will put the, he'll go ahead and put the link in for how people sign up, uh, to get the, get free access. Yeah. And Gary, my understanding too is you guys, uh, steer them through it, like they're, you know, a paying customer. They, you have an onboarding person right when they sign up. Absolutely.

They'll have one of our member success folks, uh, who knows our content inside and out. They'll ask 'em some questions about their business, their goals, uh, to make sure that they make the most, and we point 'em to the content. It's real content that's really gonna move the needle, uh, in their business. Great. So, without further ado, as they say, I wanna hand this off, and I'm gonna stop sharing my screen momentarily, to Ryan and Wes, um, who, uh, do an awesome job.

And, and I, I, I'm excited about this because I think about what you guys did, um, with the, uh, cyber resilience, uh, session that we had not too long ago. And, um, I don't think that this is going to, uh, let anybody down either. So with that, uh, yeah. Oh, and if people haven't seen that, we put that also in the security track, people can go. It's an awesome session. Yeah. Alright, awesome. You guys are up. Yeah.

So we have, uh, a bunch of concepts that we have to build today, and then we're gonna help you figure how to connect them all together. So the, the kind of equivalent to the cyber resilience, uh, chat is actually in the third hour, but we're gonna spend this first hour creating the building blocks and then the second hour demonstrating how you can use those building blocks. And then the third, how to apply them to your environment.

Um, so where we need to start at the top is let's first define a threat-informed defense. So Wes, when you think of a threat-informed defense, what does that mean to you? So let me say what it doesn't mean first, and then we can kind of stumble into what it does mean about that. So, uh, have you noticed often times, that's a very Wes answer, by the way, Wes. Yeah, it is.

Have you noticed, oftentimes you're in the vendor hall, you're, you know, talking with friends at the latest conference and you know, you're talking about some threat and you're like, oh, I got vendor X that does that. I got, you know, person B that does this, and you almost feel like you're throwing a bunch of things at a wall. Um, and it's like hope and prayer is what it really is. And, and, and we're trusting in the control effectiveness based on what marketing people tell us.

Uh, have you been in those shoes before? I think we all have. And that's not a threat-informed defense. Um, a threat-informed defense is the complete opposite: understanding, um, what our, who our adversary is, what they're doing, what they're looking for. So let's use a military analogy, 'cause this is where it came out of. You know, imagine I'm sitting in a war room and I'm like, yo, you know, I'm the general, what's our next step?

And they're like, well, you know, we have this AI powered drone and it's anticipating that, you know, the bad guy's gonna, you know, move this direction. Well, how do we know that? How do we know if they moved that direction before? What, what's their tactics? What are they going after? What's our signals intelligence telling us from what we're seeing from boots on the ground and from, you know, people in the underground or whatever it may be.

Like, I don't come outta military, but we've all, we all know how that whole process works, right? And so the idea behind, um, the war room scenario should be what we do tactically in defense should be in response to what we know our adversary is doing. And so when we talk about the cyber world, it's exactly the same. It's this idea of a defense should be designed around and be informed by our adversaries, what, what they're doing, who they are. I'll give you great example of the opposite.

I come out of banking. Banks are always talking about ATM jackpotting, right? Which is a physical threat against ATMs. How many healthcare orgs really care about ATM jackpotting? None of us, because it's not really in my scope of control, and even if I have an ATM in the hospital, it's probably not my responsibility. So I just say like, that's an example.

Just a simple example of a bank might spend lots of time understanding this, understanding how to design a defense around it, whereas others may not. And so for us, we need to realize as MSPs, when we're going through and we're building a threat-informed defense, who are our adversaries and what are they doing? What are they looking for? So just to start simple, and Ryan, I'll turn it back over to you. The vast majority outside of maybe CMMC are financially motivated.

So we can at least start there and say, okay, so now I know the objectives, right? The, the, you know, looking at this, this, the kill chain from MITRE, the very last phase is actions on objective. They want ransomware to run everywhere so they can force us into pain, to force us into pain 'cause they're financially motivated.

So if I start there at the end of the maze, now I can work backward and understand, okay, now I need to understand the processes they're going to try to get to that last objective, and then I can begin to build a defense from there. Um, Ryan, what did I miss? Yeah, I mean, I think I'll, I'll kind of overlay a talk track that I have there, which is, right, when I think about building a security program, I think about it being a risk-based security program that leverages threat-informed defense.

And that might sound like thought leadership, word garble all put together, but break down the word risk. Risk exists when there's a data asset of value that has a vulnerability or a weakness that can or will be attacked by a threat actor. You cannot have a risk-based security program if you do not understand the threat actors, because you could be investing in the wrong things.

You could have a data asset of value that has a weakness that a threat actor is never gonna be interested in or go after. And you could be mitigating potential loss, but you're not actually maybe focusing on the right thing. And so, going back to my analogy, know yourself, know your battlefield, know your enemy. Those things help you understand your risk. And so you can't really have a risk-based security program if you don't understand your enemy.

And the enemy understanding is really what informs your defense. It, it can also inform offense, which is a little bit what adversary emulation is, which is cool. We're gonna actually kind of purple team this idea of threat-informed offense, which is like the combination of using it for offensive use as well as defensive use. But on the defensive side, moving on, right? When we think about risk, we treat risk with mitigations or what we call controls or countermeasures, right?

We have a bunch of different words for these things, but let's call it a control because we like the CIS framework and we call those controls and safeguards, right? There's another word we have, safeguards, too. Now, um, all the same thing effectively, right? A safeguard has differing levels of effectiveness. So if I need a safeguard that prevents script kiddies from compromising my environment versus nation state level threat actors, the strength of my control needs to be much different.

Or I need to have many more layers of control in order to resist that threat, slow it down, or even be able to detect it, right? And so this idea of understanding your threat actors and emulating their behavior in your environment helps you understand whether or not your current defenses are effective against the tactics of the adversaries that you will most likely go to battle with.

And so you can take this idea of understanding a threat actor, turn it into some testing, and give yourself an actual level of assurance that your controls are operating effectively and that they can resist the strength of the threat actor. It's, we, we refer to that in security circles as control effectiveness and control strength, right? The strength of a control needs to map the capability of your threat actor. Very just like kind of foundational basic stuff there, right?

And so going back to Wes' example, oh, I go to a conference, oh, I have 30 threat detector, you know, new hotness of the day that I just put in my environment. Um, cool. What is it protecting you against? Have you tested it against the capabilities of the adversaries you're actually gonna focus on? How do you know that the AI powered drone is actually gonna protect you when it matters, right?

You, you don't. The only way to know is to know your enemy and emulate the behaviors and run through that chess game that may occur. So, um, and, and Gary said something really important earlier, uh, which is this, this kind of, we've talked about left and right of boom, right? Threat-informed defense is a left and right of boom activity. You do this to understand the extent to which you can resist or prevent an attack.

You also do this to emulate what happens when you assume you've been breached, right? So we assume node zero or patient zero has already been compromised in an environment, there's now a foothold. What can the attacker do from this foothold? And as they do those things, do I have the ability to see or detect their movements through my environment?

And we, again, that's something we call purple teaming, which is this idea that you have someone emulating the attacker and someone emulating the defensive person, the, the defender, and they were the red team and the blue team, and they work together in this adversary emulation. So it's like, okay, I'm running this test now. Did you see it? No, you didn't see it? Okay, well that's an area we need to improve, right?

So this stuff, it all starts with understanding your threat, but you're gonna make it much more actionable. And we're gonna get through that in the rest of the three hours. So just wanted to lay that foundation. Um, but I think the next part I really wanna, if Forrest is still around, um, with Wes, we use, we talk about building threat profiles a lot, right?

Uh, people have heard that probably a thousand times, but I'm willing to guess maybe only 5% of the MSPs on this call have ever actually seen a threat profile. So what I would love to do is actually start with Gold Southfield in the MITRE ATT&CK framework.

I don't know if, um, if I can share or if, uh, and while Wes is doing, doing that, Andrew, would you mind popping a poll question up and, uh, just title it, um, have, has your MSP, um, what should it be, Ryan, ever created or used a threat profile? How do you wanna word that? Yeah. Do, have you, have you ever seen, uh, or built a threat profile, right?

And we're, we're gonna walk you through building a threat profile today, and we're gonna demystify it and we're gonna show you examples of open source intelligence to build that. But that is definitely an important piece. So go ahead. So, so right up, if you look at your screen, Ryan, Yeah. Share one at the top, right? Yeah. You just go above there, share, and then it's a little funky at first, but you'll, you'll get it.

Just go ahead and hit the share and then it kind of gives you a window where you Yeah, no, I can share the event. It's not letting me share the screen. So, so just above your head in your window, you'll see your mic. Oh, There we go. Yeah, new platforms. This is fun. Lemme make sure I share the correct screen here. You don't wanna go into YOLO mode. Yeah. Up any sensitive data. That's part of what I was, was trying to avoid. All right, here we go. All right.

So you can see, yeah, you can see this. Okay, that's perfect. So we've gone through the MITRE ATT&CK framework before, right? We, the MITRE ATT&CK framework is, well, let me just copy this and let's go back up to the top of the ATT&CK framework, right? So the ATT&CK framework helps you understand through various different TTPs the, the very low level activities that a threat actor will engage in, in, as part of reconnaissance or execution or et cetera, right? So this is helpful.

This is, this is a framework to express the very, um, finite things that threat actors do. But if you spent your day inside of the ATT&CK framework, just looking at these, um, these tactics, you wouldn't necessarily know what you need to do in order to start to defend against these threat actors because there's just too many of them. So this is where this idea of threat profiling comes in. Well, let's understand our threat actor.

We understand there's this universe of things they could do, but oftentimes threat actors don't do all the things they could do. They're like humans, and they have a set of things that they do and they do well, and they rinse and repeat, and it works. And why change if the thing you're doing works, right? So we can overlay these concepts of these TTPs or these techniques that are used, um, onto a threat actor. So we're gonna use, we're gonna talk about Gold Southfield.

This is gonna be a theme through the rest of the event, is Gold Southfield. Gold Southfield is the threat actor behind, um, what used to be GandCrab, um, and is now REvil, also known as Sodinokibi. And it is arguably one of the most dangerous threat actors in terms of ransomware that exists in the marketplace now. And it's one that, uh, you've heard from Chris Lahr, you've heard from me, you've heard from Wes, you've heard from a dozen people, actively targets MSPs. So we think this is right.

Today, we're gonna help you build the threat profile for one of the most prolific threat actors targeting MSPs with ransomware. And that starts with the ATT&CK framework. So the ATT&CK framework actually has gone through and said, this threat actor group uses the following techniques in order to achieve their objectives. And they exist at different points in that kill chain, like Wes said, right? Um, so they're gonna start with phishing, right?

They're gonna, they're gonna try and phish your employees and gain a foothold into your, onto a victim machine from there. If they have administrative access to that machine, they may run PowerShell. Um, they, uh, if they can't get, you know, uh, access through phishing and PowerShell, they might try to leverage an open RDP or some sort of RMM service in order to gain access to your machines. They have a very finite level of things that they do.

And, um, you know, down here we see, you know, not, not throwing shade, but this, you know, this is on MITRE's website. This is not, not, not me kind of pointing anything out, but they've actually listed that, uh, this group has actively used ConnectWise, um, I think, uh, the ConnectWise screen share and ConnectWise RMM in the past. Um, and then there's the REvil software, which is its own kind of malware variant.

Um, and there's a couple different links off to some different information about the threat actor where you can get more information. So this is the basis of your threat profile. You, you can understand generally it's a financially motivated threat group, when they were established and what they're primarily using. So you have a, a brief description. You also have a bunch of different MITRE ATT&CK techniques, um, and you have some information about software.

This is a great place to start, but that's not a, that's not necessarily all that you need when you're looking at the threat profile. So let's pull up another piece of information here. And I, I found this the other day, just quick searching around for, um, for some information to share with you.

I actually have, I've, I've basically spent every waking hour on this site since, um, but Ryan, what if I could just say this, you know, one thing you just said about, you know, also Sodinokibi that, you know, goes after MSPs, you know, how powerful is it if you are focused on banks, or yesterday we talked with Keith that focuses on healthcare as an example, and you were to have a conversation about, instead of, we need to include, we need to put these additional controls in because of whatever reason.

But not only is there a risk assessment, but hey, by the way, we've studied your threat profile. You know, your, for the threat actors that attack your industry, your vertical, your EHR, whatever it may be. Here's why we are advocating for stronger controls. Think about how Gary, in the sales process, how much more powerful would that be?

Uh, listen, just you can hear the command that Ryan and Wes have. That command comes from these kind of exercises today and, and this level of understanding. Yeah, it takes, it takes an infinite field of things that MSPs are worried about. What should I do first? What order, what's most important? And now it narrows that field into those most likely things. It, it also, and Ryan, probably the last thing I'll say, let you guys get back to it, but it also, it, it strengthens so many things.

Like we're talking now about data flow diagrams and where's the sensitive data? Wes and Ryan did a fantastic job in the upcoming cyber cast on the podcast talking about this. And again, you know, on one hand, if again, we, well, where's your sensitive data and why is that important? All of a sudden we talk about, look, this is, this is the group that attacks you. This is what they're gonna do with exfiltrating that data. Here's why we need to find it. Here's why we need to do this.

What a difference. Anyway. Yeah. So I'm gonna pull up a little bit more information. Again, I found this just by doing a quick search. Um, uh, I was actually searching for a threat card for APT29 and came across this site, and I just started browsing around at the threat actor, uh, inventory that they have, which is quite impressive actually, the, the, the kind of level of detail they have.

But this is the, the ThaiCERT, Thailand's computer emergency response team, has published their threat profiles for some of these actors. And so Gold Southfield, also referred to as Gold Garden, which Wes and I find hilarious. SecureWorks has two names for the same. I think it's a typo, but I'm not sure. No, it's, it's real.

I saw, I saw it referenced in multiple other places, and so we're not sure where that comes from, but also, um, you've probably heard PINCHY SPIDER more often, that I think is kind of the more often used reference for Gold Southfield. So again, we're actually, you could hear all four of these monikers, and they all mean the same group of people. Um, but Russian based, their motive is financial gain. Uh, the ThaiCERT saw them first in 2018.

Um, one of the earliest attacks was actually on, uh, Texas local governments, hitting a coordinated ransomware attack. Um, and, uh, you know, that's where some of those software profiles from the previous, um, uh, you know, from the MITRE ATT&CK framework came from, um, was actually stemming from this attack.

But you can actually go and you can read through every single documented attack that this attacker has, uh, facilitated that has become public, and gain more information about what that threat actor does. And ultimately what you're gonna do is you're gonna start to map that information back to what MITRE did, those techniques that exist, uh, that the attacker leverages when they might seek to do you harm. The end result is gonna be, I have a threat actor.

I know who they are, I know if they're active, I know what their motive is, I know where they're located. I can see their history of all of their attacks. I can map the things they did in those attacks to the MITRE ATT&CK framework, which has very finite, uh, actions or TTPs. Um, and that's where, when we talk to, uh, Red Canary a little bit, that's, those are called atomic tests. They're small portions of what the overall attacker might do in an entire attack chain.

So we're gonna do these atomic tests to test very specific portions of what they do to determine our defensive capabilities to prevent or detect those types of things. So that is really what building a threat profile looks like. Wes, I know you guys at Perch build threat profiles, you know, all the time. You have profiles internally for, for your team. What do you do when, when you're building threat profiles?

Like what other information do you add to them and do you maintain and, and, and you know, what, what other sources are you using to get this information from? So, yeah, so, you know, one of the things, so let me just brag on Patrick Snyder for a minute. So Patrick was our director of Security operations and has moved into a different role. Um, but the guy's phenomenal.

And one of the things he does behind the scenes that we're working towards peeling this out and exposing it to you guys, uh, as well, is the operational mechanics that happen behind the scenes with his team. And so, I'll give you some examples of this, Ryan. Um, one example is on, on some occasions we have, um, found what we, what we believe to be a new threat actor group.

Um, we get the luxury of naming them, just like you saw, you know, like oftentimes you see the, there's like naming colloquialisms behind them, like Bear refers to Russia and so on and so forth. And so Perch has done a few of those. If you check out the 2020 threat report, the year before, we actually profiled all of the major ones that are attacking MSPs. Um, it's a lightweight profile, but at least gives you an understanding of who the major threat actors are at the time.

Um, we have found a few new ones. And so sometimes Ryan, when we find ones through new organic research is we're hunting and we discover something and we start diving and unraveling the malware that we're seeing or where its command and control is going to, and we get access to its infrastructure. We'll notice things that are unique and, and leads us to believe in our research that it's, it's a new actor group. And so in those cases, we'll do a deep dive. Who are they, what are they targeting?

What's their infrastructure looking like? What, what does the malware look like? Uh, all of those kinds of things. And we don't really do a great job yet just because we're a small company, like how do we expose that out, uh, to the rest of the wide world? But we do that. The other side of that though, is our security operations team knows what to look for.

So when we get called in on something, and let's say just from the ransom note, well, let's use Sodinokibi since we've been talking about them a lot, um, we know, right, what to look for. This enables your security teams to say, okay, if it's this actor, I know to look for these certain things. I know that, you know, TrickBot that they're using looks and does these things operationally, I'm gonna go right to that source.

And an operationally efficient and sophisticated security operations team should have the capabilities of doing those things, to where you've got a treasure trove of data, but how do you sift through very quickly to what you're looking for? And so, um, this is where we use these things oftentimes internally with pretty significant documentation that teaches us: look for these things, do these things, this is evidence of that.

Um, and it really, really helps escalate the tiered, um, triage processes that we have to go through. So long term goal for us, just internally, is beyond the scope, but we want to take a lot of that material and we do want to produce that back so that you guys have access to it, um, because there's a whole lot that goes into that for sure. So think about what you just said, and I, I think about every time we have, uh, Chris Lair on, and you know, he's always right of boom, right?

Dealing with response and based on, they figure out right away who the threat actor is. They know, you know, right where, right where to go, right where to look. And you think, well, if Chris was to own an MSP with that knowledge, um, what are the chances he'd have a better, more focused defense than other people? And that's really sums up, you know, what we're trying to do today, right? Right. It, it does.

And maybe the last thing I'll say quickly is when I, when I talked to breached MSPs that have gone through this, Gary, the way they talk, the way where the thin red line has always been has moved by miles and, and they have this clairvoyance to be able to like defend it to their clients of like, you will do this and let me tell you why you'll do this. It's like, it's the same thing that I can only imagine a veteran comes home after going through, you know, a battlefield experience.

There's only certain people that understand those things that they can relate to. And I think for MSPs going through those exercises, again, I see this all the time, Gary, they, they walk out of those situations with a totally new mentality and a brand new way to express it. And if I can use this aggressive word to even enforce it, Yeah.

So I wanna pick up and I wanna keep building on the threat profile because Wes, whether or not you just realized it gave you a new piece of information that should be in your threat profile for this threat actor. It is information that has not yet been viewed in either of the threat cards that I've shown you, and that's the relationship between TrickBot and Sodin, right?

And so if you don't believe me, which I'm sure you do, but I'm gonna, I'm gonna go back and I'm going to show you the evidence anyway, I'm gonna search the MITRE ATT&CK framework for Gold Southfield for the word TrickBot. You'll notice zero out of zero results. I'm gonna go to Pinchy Spider's page. On the ThaiCERT page, I'm gonna search "trick": zero out of zero results. So how do I know and how does Wes know?

Well, you know, regardless of whether or not I'm supposed to share this with, I'm gonna share this with you. Um, we have a service provider that we use called Recorded Future. They provide us open source threat intelligence information, and this is part of their threat card on Gold Southfield, you'll see them referred to as Pinchy Spider more frequently than Gold Garden. Um, SecureWorks has referenced them a number of times. They primarily target US, North America, Canada.

But you'll see the malware that's associated with them is GandCrab, which, um, David actually pointed out Gold Garden is actually from their GandCrab days. And Gold Southfield is from the REvil days. So I guess we can't make too much fun of SecureWorks now, Wes, um, That's right. But they use this threat actor is associated with the Sodin, uh, ransomware and TrickBot. You see the number of references, the high number of references to TrickBot.

That means that if you are infected with, with Sodin, and let's say you were able to recover your machines from a backup, uh, there's a probability that that threat actor has been latent in your environment for a number of days or weeks. And knowing that that threat most commonly comes through TrickBot will tell you, when I recover from my backups, I need to sanitize my backups and make sure that there are no latent TrickBot infections on my machines.

Because that's the most common way that Sodin is gonna get deployed onto an asset, right? So you could recover from backup, but if you don't get rid of the TrickBot infection, you're gonna get ransomed all over again, right? And so now here, this is, again, uh, Recorded Future largely is just open source intelligence. So this information is out there on the web associated with this threat actor.

You can know TrickBot malware or the More_eggs backdoor or the CoreBot botnet or the DanaBot banking Trojan have all been associated with this threat actor. And so you can leverage that information, um, to do that. So something else I like about Recorded Future, it gives me like over the last 60 days, how much has this threat actor been increasing? You can see they've been very active in the last 10 days, um, in terms of what they've been doing.

Um, you know, and it gives you some, just some more basic information that, again, this goes into your threat, your threat card for this threat actor. So, um, I don't know if there's anything else you wanted to add to that or if anything anybody else wanted to add to that. But these pieces of information, three different freely available sources, you could have a working threat profile in a half hour of Googling for a threat actor that will likely cause you the biggest heartache of your life.

And you could start building a threat informed defense in a half hour based off of understanding this threat actor. I think that's pretty powerful. I do too. And, uh, you mentioned Recorded Future. I mean, they're super awesome, right? But they're super expensive and not necessary for an MSP to truly be able to delve into all this, right? There's this, um, well just gimme your comments back on that first if you would, Ryan. It's, it is very much true, like it's very much an enterprise solution.

The reason I brought it up is, again, I I stress the majority of what Recorded Future does is aggregate open source intelligence about threat actors and put it in a single place. So really what that means is all the information that they've aggregated exists out there. So if you spent time going through that ThaiCERT page and you clicked on those links and read about the various different attacks, you would likely get the same amount of information that you would've gotten from Recorded Future.

It would just take you slightly more time. But I would argue it's a really good use of your time to go through and click those links and read about everything this threat actor has done, because that's how you know your enemy. So at this point, Ryan, the clouds are demystifying on part one of this, of knowing my enemy, right? Uh, we'll still talk more about knowing the battlefield, knowing ourselves, but can you just share a little bit more about why knowing our enemy is truly important?

You know, comparing them to maybe an APT threat group that may be out there like a, you know, a Chinese nation state group. Why is it maybe used them to contrast a difference of how this helps us understand why knowing our adversary is important? Yeah, so it's kind of a, a very broad question, right? Knowing your enemy, you don't have a single enemy, you have multiple enemies, right?

And so when you build out your threat cards, eventually what you're gonna do is you're gonna say, wow, look, 90% of my threat actors all use the same tactic. That would be a really high value place for me to improve my defense. And so you're starting to take a threat informed risk-based approach to what you do, instead of saying, what's the latest hotness that I need to go buy and deploy into my environment, right? What's the, what, what's the vendor of the day? What's the solution of the day?

Um, so I think that's one reason. And, and you know, when it comes to APTs versus kind of, you know, I, I'll I'll contrast, there's a threat actor we follow that we track, um, I don't think to use, to use the word follow, because that has like a positive connotation from, uh, from like social media, right? But like, we track a threat actor called Sheriff, and Sheriff is a threat actor that loves MSPs.

And the number one thing that Sheriff does is actively try to buy credentials in the dark web of MSPs. How do I know this? Because I have a, a service that I use at Datto that monitors all of the login accounts that exist for all of our platforms in the dark web, and they will alert me whenever there's a new post of, uh, a credential that's been associated with the login portal for our website. Meaning the, the MSP's credentials were compromised somehow.

And largely, I don't worry about that too much anymore because we have MFA, but we still notify MSPs because password reuse is very prevalent and we wanna help the MSPs protect themselves. But one of the things we get from that is we can engage with that, that threat intelligence service provider and say, Hey, has anybody hit on that sale? And they're like, and frequently we get back, yes, there's a threat actor Sheriff that has indicated interest.

Um, and my current hypothesis is Sheriff is an affiliate for a ransomware threat actor group. Um, so they're the ones that are kind of pen testing, they're sourcing the, the access to the environment and the foothold, and then they either sell that to someone that then actually does the ransoming, or they're the one partnering, they, they're part of a team and their job is the initial foothold. Um, but we track that threat actor. And so that's a very specific threat actor.

But you get to something like, I don't know, let's say like FIN7, which we're actually gonna talk about a little bit when we do the adversary emulation because of one of the tactics they use, um, that's a much different profile right there. There's a much broader set of tactics and techniques, and it's a much higher level of capability. Um, and so you're gonna see, um, you know, a really, really capable threat actor is gonna have one of two profiles.

They're gonna have a lot of software that they use to do what they do, or they're gonna have none. And the reason they're gonna have none is because they're so capable. They don't need hacker tools. They can just do what they do living off the land as we, as we, we call it, right? Just using the native capabilities of the operating system and their mastery of those systems to work through and act on what they do.

And so knowing your adversary is gonna help you calibrate within my threat profile. Okay, well, yeah, maybe because APT28 and NOBELIUM went after SolarWinds and I was a SolarWinds MSP, maybe I need to understand NOBELIUM now because they're in my threat profile, but they're a second order threat actor in your threat profile. They're not your primary threat actor. And so oftentimes we get too focused on APT28, NOBELIUM went after SolarWinds. They're not really in your threat profile.

Your threat profile are the ransomware affiliates and the Gold Southfields of the world and how they do what they do. And so, yes, you need to understand the entire world to some extent. You need to, you know, know the, the shape of the world and where the continents are, but you live in a very specific part of that map, and you have to calibrate on that map. So I don't know if that fully answers your question.

Yeah, no, that it does answer my question because this is what I was getting at is, is defenders, it is our job to, to have a good, uh, understanding of who our threat actors are. And, and I, I was even getting at that example, because you look at a lot of the, um, APT groups, we, we classify them as that are typically going after foreign na uh, secrets, it's nation states, right?

Um, MSPs, unless you're dealing inside the DFARS manufacturing sector, I'm not saying that you shouldn't worry about them, but I am saying that, um, you know, they're not as much of, uh, you're not in their cross hairs as much, but that's not always the case. I'll give you an example of this, and Ryan, you'll remember this too. So I'm pasting this in. So this is also from ThaiCERT.

Um, this is APT29, and this is really in my view, what kicked off, why we're at where we're at today with us talking to you about this. So APT29 was a, uh, Russian-based threat actor group that was going after state secrets. Interestingly, in 2018, they breached an MSP, a very large one out of like, was it Finland Ryan? I think it was something like that. And, uh, anyway, the reason they went after them was because they were using them to leverage their clients to get access to state secrets.

And I remember when this happened, we were at Perch, and, uh, we saw this occur, and I remember Joe Pan and Terry covering this, and I snipped the article out, and I used it for an entire year in my talk saying like, Hey, we're just telling you guys, I'm not saying the MSPs haven't been targeted before, but you asked Chris Lair post 2018 most breaches and ransomware attacks for $10,000 because they look and they see a small company, which is an MSP 10 K move on in life.

Then all of a sudden the GandCrab guys get this, and they understand, wait a second, we can leverage what APT29 did, but we understand the MSP's operating model for the first time. And now you see a huge pivot of certain threat actors specifically going after you as an MSP. And so I just wanna like clear the clouds again, to use that term again, for you guys to really understand.

This is why we have to know this world because one threat actor may do something that causes an entirely differently motivated actor to say, I can learn from that and I can use this for, for my goals and what I'm going after. Um, Ryan, does that make sense? That's really a big piece of what I was wanting to drive at. It does, and I'll, I'll bring it to literally time now, right? Um, there was a, a threat actor group. I can't remember the name.

It was an article, I'll try and find it in when I'm not kind of in the moment. Um, that came out today. There's an emerging tactic of ransomware threat actors to bypass security controls on endpoints.

They're, uh, if they get a, a foothold, but they can't necessarily break out and evade the controls that are there, but they can install software, they'll install virtualization, uh, systems like VMs, and they'll actually run, they'll mount the file system of the host from the VM and they'll actually run the ransoming process from within the VM to encrypt the files. And then when they're done, they just tear down the VM and delete it.

And they've, you've lost all the forensics information that go with it, and it's completely evaded all the security controls on the host because it's directly interacting with the disk. And so that was a, you know, that technique was actually used by a threat actor a few months ago. And so they've had such great success with it that other threat actors are starting to pick up on it and starting to use the same tactic.

And so we monitor those evolutions so that we can, uh, you know, we, we can modify how our products work and behave to continue to detect the evolutions in those TTPs to help keep you safe. And so that's another way that we use threat profiles at Datto. It's not just, you know, one, we're trying to understand your threat profile so that we can help protect you, but we're also trying to understand our threat profile because we can't protect you if we're not also protecting ourselves.

And so we actually have this multi-dimensional threat profile. And, and this is really powerful, right? Not every one of your customers is gonna need a threat profile, but if you have customers that are doing business in the defense industrial base, they need a threat profile. If you have a customer that is dealing with highly sensitive, uh, maybe pharmaceutical information right now, they need a threat profile. If they're in healthcare, they should have a threat profile.

If they're in certain segments of financial and banking, they should have a threat profile. If they make donuts, if they clean laundry, if they sell lottery tickets, they don't need a threat profile. If they're in energy, right? Yeah. If they're, if there's some sort of supply chain, um, critical infrastructure, they need a threat profile. And, and you can actually now help them do that.

And they may actually have resources and support to get information from government entities about threat actors that might target them and understand that when you acquire a customer. So on yesterday's cyber call, I think it was Miles said, I told a couple of my customers not to do business in the defense industrial base, to ditch the DoD. Why? Because when you start doing business in those entities, their threats become your threats.

And if you are not ready to handle that, if your program defense is not strong enough to combat those threat actors, you really have no business do, you're not doing anybody any favors by taking on that customer, Right? And he was saying, you, uh, to the customer, you're either gonna have to have enough customers, uh, it, you know, that require that to make it worth the time and money for you to prepare for it. And we said the same thing about the MSP.

You don't want to have one or two or three customers there, uh, because just what you have to do for that, you're gonna have to either make it a vertical or you're gonna have to stay out of it. Yep. Yep. For sure. Ryan, one thing you just said, and I'm gonna kind of come to Wes because of his experience and threat intelligence, but I, again, Wes, I think knowing these, you know, as Ryan was saying, if you're in this, you should have a threat profile.

If you're in banking, IT, talk maybe just real quick about ISACs and ISAOs here, because you could literally turn to, for example, FS-ISAC, and if you have a bank and look at that type of relationship, and again, that's how you differentiate your MSP. Yeah. So, um, we could do a long talk on this and maybe at some point we'll do a threat intelligence deep dive, Gary, uh, if you'll host us back one day, but, um, I can simplify it in this.

So there's like human-based intelligence that's human readable understanding largely what we're talking about right now. Who are the actors? What are they targeting? Um, what's emerging, all that kind of stuff. But there's always a need to complement this with what's called machine readable intelligence. Machine readable intelligence are, when we say the words IOCs, indicators of compromise, what do we specifically see happening right now that we could share with the world around us?

And it's an immune system, so to speak, right? So it's this goal and idea of, um, okay, here's the, here here's the actual ransomware sample or malware sample, whatever it is right now that we see, here's what it's currently doing at this point in time. Now we know tomorrow it's gonna be encrypted and changed and different infrastructure, everything, no big deal we're focused on right now.

And, and also re like recursion going back and looking in history to see what do we know about this with evidence? And so that's machine readable intelligence. Um, we have worked at Perch and really Aaron, our founder, was one of the creators of STIX and TAXII, which is an open source, uh, protocol that's used to build and share all of that. But ISACs serve in the middle of all this, right? ISACs serve as that conduit, and ISAOs too. Um, think of them as pretty much the same thing.

The goal that they have is, okay, so one of our members is seeing this particular thing, human intelligence, what do we know about it that we can list out and share and discuss and communicate, uh, machine intelligence? What can we share in an automated way that we're not intending for people to go look at? We're taking, we're intending for machines to pick it up and then use it in their detection processes. That is really what ISACs are good at.

And then also conduits by having legal capabilities to be able to share with the federal government to be able to take cited indicators, IOCs that we just said from members, and be able to freely share those back to the federal government and also have subpoena free ability to be able to share that, uh, without any worry that their members are going to be exposed from it. That's where all of this, the CISA Act that was created, all of this stuff enables all this federal intelligence sharing.

The two groups that are most active in it are DHS and FBI. Um, just so you kind of have an idea because they're largely focused with, um, sector defense inside the US. Um, but that's the goal, right? And a healthy ISAC should be doing that for their members, Andrew, and should be producing both human consumable intelligence and short shelf life machine intelligence that contains IOCs. Thanks for that, Wes. Yeah.

So there's one other thing I'll leave you with here, which is when you build a threat profile, you might sometimes come across a TTP that's non-technical. Um, for example, um, something that caught my eye maybe six to nine months ago and really kind of hit the panic button for me was, um, a Tesla employee that actually came forward and notified Tesla that they had been contacted by a nation state threat actor in order to, uh, install malware in the Tesla manufacturing plant.

Um, and the more you dug into it, this employee was getting offered 10 times their salary in money just to plug a USB stick into a, into a machine in the manufacturing floor. And I thought to myself, man, like there's some, there's some technical controls that I could put in, but I'm, I'm opening up that tactic now to everything my trusted employees can do, which is often much more than can do.

And so you're gonna have to get creative, and one of the things that we're in the process of rolling out is we're calling it an amnesty program where if you get targeted by a threat actor to target us or one of our customers, and we can validate that through our external counsel and law enforcement relationships, we will actually send you and your family on an all expenses paid vacation, right? You like, you have to understand your threat actors and how they're going to come at you.

And that, that example of a defense, what I just said, I'm gonna send my employee on a vacation, I'm gonna reward them. That's a policy and that's a defensive capability. We call that an administrative control in information security. I'm gonna motivate my employees to help me do the right thing. I would never be able to do that if I didn't have a threat informed defense, right? That's, that's such a good example because it's so far out of what people may be thinking about.

Um, but it's exactly the same logic that you've been talking about here, uh, in this first hour or so. That's really great. Ryan, there's one more thing I want to do before I hand it off to Matt and Forest. Um, You gonna something because I got six on here now? Yeah. All right. Uh, let me boot, let me boot Forrest for two seconds and I'll have, you can boot me Andrew if you want. I, I don't wanna boot you yet. I'll boot Forrest and bring 'em back. Okay.

So one of the tactics that Matt's gonna help us dig into is a common tactic, um, involving MSHTA and it is actually a tactic that, uh, threat actor group called FIN7 uses. So you can see again here our standard threat profile. We got all the different names for 'em and the different monikers, country, their, their motive, when they're first seen. But you can actually see, as Matt's gonna walk us through in a minute here. Um, that, uh, I'm on the right page, right?

MSHTA, if I spell it right, in April of 2017, they innovated in their phishing, uh, attacks to leverage MSHTA. And so Matt is actually gonna walk us through again, what I described as one of those atomic tests, right? This is one way in which the threat actor actually acts on what they do. We're actually gonna pull out that specific, very small piece of that attack and we're gonna show you how to emulate that behavior.

And then we're just gonna let Matt and Forest geek out for a while on adversary emulation and what you can do with it and just really what the power of it is and how it relates back to, to threat informed defense. So I just wanted to, like, before we really get into that, because we hadn't really covered that tactic when we were talking about Gold Southfield, I wanted to make sure that that landed as this isn't a theoretical technique that can be used against you.

This is an actual observed technique that has been successful for four years now. Right? So very real, uh, in terms of what we're gonna do. So with that, I'm gonna hand it over. Uh, what's going on here? Red Canary? That's not what you thought was happening. Was it Gary? No, I said, what the heck's going on here to the music baby? All my, yeah, you had my interest. I wanted to do the Superman move and show my Superman, but yeah. Yeah.

Um, so, Uh, be, before we move on, I just wanna say great hour. Um, the two of you in that short time period, I think really kind of de demystified, um, how people should be thinking about this. And, um, I get clarified, right, uh, of how, and you can take a big scary world and start to narrow it down and now we're gonna go down into the detail, but to narrow it down to something that's real actionable. So I think you did a great job.

So, um, Gary, um, what I'm gonna do now as um, we go into the, um, second one here okay, is I'm going to just everybody I want the audience to hear, this is really critical of how Crowdcast works. I'm gonna end this particular session. You're just gonna stand by, don't go anywhere and I'm gonna pull you into the next session. And that way we've got these broken up hour sections for everybody to come back to. And it's not just glommed together, three hours worth of information. Yeah.

So We're, we're gonna edit it anyway, so Yeah. So stay where you're at and we'll bring you right back.
