Threat Modeling and the MSP
In this video, Ryan and Wes discuss MSP threat modeling and the importance of understanding adversaries to improve cyber resilience. They explore a real-world case involving a threat actor known as Gold Southfield, highlighting the significance of multi-factor authentication, phishing simulations, and effective control mapping to mitigate risks. The session emphasizes the necessity of adversary emulation and continuous improvement in security practices to safeguard MSP environments.
- Understanding threat actors and their tactics is crucial for creating effective security measures. Adversary emulation can help test the effectiveness of current controls against specific threats.
- Data flow diagrams are essential in threat modeling. They help MSPs understand their network and identify vulnerabilities. Regularly updating and auditing these diagrams can significantly improve security posture.
- Basic security measures such as multi-factor authentication, proper credential management, and network segmentation are often overlooked but are essential in defending against common cyber threats.
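The session's point about control mapping is that a control only counts if you can audit it. As an added example (not code from the session, from MITRE, or from any RMM vendor), the script below turns two of the case's lessons into repeatable checks: it lists privileged accounts whose MFA is off, and it flags an encoded PowerShell task that one user pushes to many endpoints in a short window, the pattern that preceded the ransomware deployment described in the transcript. Every input is constructed: the user export columns (`username,role,mfa_enabled`), the task-log layout (`timestamp|user|task_name|command|endpoint`), and the function names are assumptions for illustration, not any product's real export format.

```python
"""Added example, not code from the session or from any RMM vendor: two auditable
checks for the control points the summary raises (MFA on privileged accounts, and
spotting an encoded PowerShell task pushed to many endpoints). All data is constructed;
the column layout of the user export and the task log is an assumption."""
import base64
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta


def encode_ps(command: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps, so an analyst can read what a flagged task ran."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


# Constructed user export; the role and mfa_enabled columns are assumed names.
USER_EXPORT = """\
username,role,mfa_enabled
alice,technician,true
bob,technician,false
carol,admin,true
dave,admin,false
"""


def privileged_without_mfa(export_csv: str,
                           privileged_roles=("admin", "technician")) -> list:
    """Check 1: list every account that can reach the remote-control tool but has
    MFA off. Run it on a schedule; a policy set six months ago is not proof."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return sorted(r["username"] for r in rows
                  if r["role"] in privileged_roles
                  and r["mfa_enabled"].strip().lower() != "true")


def build_sample_log() -> str:
    """Constructed RMM task log, 'timestamp|user|task_name|command|endpoint' per line
    (assumed format): two routine tasks, then one encoded task fanned out to 60 hosts."""
    base = datetime(2021, 5, 3, 2, 14, 7)
    lines = [f"{base.isoformat()}Z|alice|patch scan|wuauclt /detectnow|WS-0001",
             f"{(base + timedelta(minutes=5)).isoformat()}Z|carol|disk report|Get-PSDrive|SRV-0002"]
    enc = encode_ps("Write-Host 'constructed sample'")  # harmless stand-in payload
    for i in range(1, 61):
        ts = (base + timedelta(seconds=30 * i)).isoformat() + "Z"
        lines.append(f"{ts}|dave|ran command|powershell.exe -NoP -W Hidden "
                     f"-EncodedCommand {enc}|WS-{i:04d}")
    return "\n".join(lines)


# Common spellings of the encoded-command switch followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def suspicious_mass_tasks(log_text: str, min_endpoints: int = 50,
                          window: timedelta = timedelta(hours=1)) -> list:
    """Check 2: flag an encoded PowerShell task that one user pushes to at least
    min_endpoints distinct hosts within `window`. Returns one finding per (user, task)
    with the endpoint count and the decoded script."""
    first_seen, endpoints, blobs = {}, defaultdict(set), {}
    for line in log_text.splitlines():
        ts, user, task, command, endpoint = line.split("|", 4)
        match = ENCODED_FLAG.search(command)
        if not match:
            continue
        key = (user, task)
        when = datetime.fromisoformat(ts.rstrip("Z"))
        first_seen.setdefault(key, when)
        if when - first_seen[key] <= window:
            endpoints[key].add(endpoint)
            blobs[key] = match.group(1)
    return [{"user": user, "task": task, "endpoints": len(hosts),
             "decoded": decode_ps(blobs[(user, task)])}
            for (user, task), hosts in endpoints.items() if len(hosts) >= min_endpoints]


if __name__ == "__main__":
    print("privileged accounts without MFA:", privileged_without_mfa(USER_EXPORT))
    for finding in suspicious_mass_tasks(build_sample_log()):
        print(finding)
```

The fan-out threshold and window are deliberately parameters: a technician legitimately pushing a script to a handful of hosts should not page anyone, while one account hitting dozens of endpoints with an encoded command inside an hour is exactly the kind of event the session says should have an alarm behind it. The decoded script is included in the finding so that triage does not depend on anyone decoding base64 by hand.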
Video Transcript
Welcome back, everybody. Let me go get Ryan and Wes and see if Mr. Peak's around as well, and we will get rolling. What a great session. That was awesome to see that involved. And, uh, I can't wait for the day to see MSPs sharing knowledge around, um, testing emulation, tool effectiveness, control gap assessment, all of that. This is really cool. Really, really cool. And, and doing it for their clients and their threat actors.
You know, I thought what was really great about this, I've seen some technical stuff, people showing, you know, what bad guys do, but after that first hour of, you know, understanding why this is important to understand adversaries and then having forest on where you were, seeing the technical details in the context of the framework made it so understandable and so much more usable, and now we're gonna take it to the next step.
So I, I really thought that's one of the best, uh, these last couple hours or couple of the best hours I've seen. So that's saying a lot, Gary, for you. You've seen a lot of stuff. Alright, Wes, Ryan, let's talk. MSP threat modeling, shall we? Yeah, Yeah, absolutely. Awesome. And, um, wonder if we could bring a guest up at some point today too? Sure, sure.
Like maybe, maybe Tim Fornet or someone like that towards the end may want to, um, run this through and get some feedback from a practicing MSP too. That's a great idea. Just lemme know, Wes. Okay. Alright. I'm gonna let you guys take it over. Alright, so we, we're gonna actually start and we're gonna, we're gonna go back and we're gonna revisit Gold Southfield, um, because they're our favorite today. So get this loaded up. So Wes, do you wanna give some context on this? Yeah, absolutely.
Uh, you, you wanna pull the next tab to your left up, um, from Mitre. So looking at the actual, so we, we showed this at the very beginning. This is Gold Southfield right here. This is the actor profile that Mitre has. One of the things you heard Ryan, um, elaborate on a little bit, or maybe hint at is it's not complete. And I don't think Mitre would ever say, oh yes, everything we put here is complete. It's missing a few things, it's missing some data pieces, all of that.
But if we actually, let's see, is this the right, if you scroll down, you should have the news articles. I think it's on. Yep, yep. Yeah, here we go. So if you look down here under the references, they reference this Tetra Defense article, and this was helpful for us to kind of get an idea of, um, you know, what provided some of the intelligence that went into the actor profiling. And, and so if you open this, we'll pop a link to the Tetra Defense, um, uh, link in chat here in a minute.
In fact, let me just pop it in there and make it easy. Oh, you already beat me to it. Okay, good, Ryan. So, uh, this is just one example of a Gold Southfield slash Sodin attack of, of many. But what we thought is, because this is directly an MSP that was breached, um, we thought we would walk through this scenario and then use this historically for you to kind of evaluate how you would stack up.
So why don't we do some, this is less about the technical, um, emulation and more about control effectiveness and mapping this out to what we have in place. So you can go check this article out later. It's a pretty interesting read. It talks through how the attack happened, um, what the aftermath was, what the lessons learned, what the causes were, all this kinda stuff. And you won't be shocked to realize it wasn't some like super scary zero day, nothing like that.
So we'll walk through the attack and the event, and we're also gonna overlay on top, um, some things that you could use to assess in your own, um, your own mapping process, Ryan. Yeah, for sure. So, yeah, let's switch over to switch over to this. So this is gonna be a lot to look at initially, but just from the beginning. Okay, so we talked about a threat actor, we just perky purple here just for fun. Um, I like it.
But again, we talked about a risk-based security program with threat informed defense. So threat informed, we've covered in depth, and now we need to understand our defense. In, in order to understand our defense, we need to understand our battlefield, which is our network, right? And which means we also need to understand ourselves.
And so one of the things that, um, I have found from working through, um, cyber resilience assessments with MSPs is it's really difficult to start to provide rational guidance on how to improve resiliency from cyber threats without having a, a data flow diagram. And this is not yet a data flow diagram. This is just a listing of all the things that exist in a, we'll call it a common MSP environment. So your, yours might look something like this or it might look a little different.
Um, for example, maybe you have your RMM deployed on-prem within your MSSP. So that box should move from a SaaS application back inside your on-prem MSP environment, right? And I stole this concept of customer zero being you, the MSP, from yesterday's cyber call because I loved it so much. Um, and if you really look, like your SMBs look a lot like you, so this idea of your, your cyber defense being, um, you being number one in terms of your cyber defense, right?
And so you have all these other third parties and these third parties can introduce risk to you as well, right? So, um, in one MSP, we did a data flow diagram and a threat model with, um, they had a NOC as a service that would help them triage, um, kind of level one alerts from their RMM platform. And the way they did that was the NOC as a service had a VPN directly into the MSP's network.
And that was, that VPN allowed them to access everything that, that was within the MSP network and everything that was connected when the only thing it needed access to was actually the RMM. And so, you know, one of our recommendations to them was restrict your VPN to only the asset that that vendor needs in order to facilitate their statement of work with you.
Um, and so these third parties may have access to things that are either on-prem at your customers, on-prem at your site, or on-prem in any of the various IaaS, SaaS, uh, you know, platforms that you use. Um, and I left some boxes blank here because, you know, as we go, it'll be interesting to see, um, if there are pieces missing here that MSPs have. Like for instance, I don't really have password managers on here anywhere.
I have like IT documentation store and sometimes MSPs use password managers from their IT documentation store, um, to store passwords. But all of this starts to really be, uh, basically the foundation for how we're gonna walk through the threat model because we're gonna start to overlay some of these tactics and techniques into the MSP environment and how their defenses may or may not withstand those TTPs based off of the strength and configuration and ultimate effectiveness.
Um, so we're probably gonna refer back to this a lot, but this is the framing and, and this is really what most MSPs should seek to do, they should seek to build. I mean, this is just a quick PowerPoint diagram. I probably put this together in about 30 minutes. So it doesn't have to be fancy, it doesn't have to be, um, you know, super complicated.
It just needs to be accurate because that's how you're gonna start to walk through where, what controls do you have there in the path of some of these tactics and, um, and where you might have material defenses and, and ultimately where you might actually want to position something like adversary emulation to do some of these tests. So, uh, Wes I'll hand it back to you. I don't know if you have anything you wanted to add here before we move on or we wanna move on?
Yeah, the only thing I'll just reiterate, Ryan, is, you know, hopefully give us a yes or no in chat. Does your MSP have a working current data flow diagram of some sort? Um, we'll leave it generic there. Just a yes or a no. Uh, I wanna know that just because this will kind of help us as we go down this journey. And I wanna make sure you guys are, um, comfortable and clear in understanding why these things are really, really insightful and helpful.
And we'll kind of overlay this, like Ryan said, as we, as we jump through this. But the data flow diagrams really show, uh, there's one note that came in. Thanks, Michael. Um, Cal says, yes, the rest of you fine folks, make sure you give us some answers here. Um, the reason we're wanting to know this is it really does help understand process flow, uh, in this age of cloud understanding where data goes from one point to another, from APIs to APIs you might even have from one cloud to another.
And so when you have threats, you really need to understand, um, where the weaknesses are and where the opportunities and vulnerabilities may exist. Um, so yep, lots of nos coming across, a few yeses. Um, that's kind of largely I think what we, what we expected. Yeah, so I mean, I I I love Dell's answer, not to this degree. So I want, I want you to think about this. I don't, I don't manage an MSP. I don't, I'm not in the business you are in, right?
This is literally me just taking what I know about MSPs for half hour in PowerPoint and drawing some boxes and using some basic, uh, you know, Google slide arc to create this diagram. You could create a similar diagram in 30 minutes and you could be more detailed than what I have here. And you could be materially better in a half hour than you were the half hour before. And if you really wanna start doing threat modeling, it starts here. You need to do this before you go any further.
And it doesn't have to be a huge time commitment. There you go, Ryan. Good word. All right, cool. So let's, let's, uh, let's move on. And we're gonna take Gold Southfield. So we've, we've already talked about them a lot. We've, we've kind of, the first session is an introduction into all of that. Um, and what we're gonna do is just kind of dive into some of the philosophies behind all of this. If you don't mind whacking the button, Ryan. We will, uh, we'll move forward. There we go.
So let's talk about building a threat model and we'll pop forward again. Um, you know, I don't know if you, we've alluded to this, I don't know if you've seen this before in the news, I'm sure you have. 'cause you can't go to a trade show and not see this, but I just literally copy pasted a bunch of, um, marketing blurbage. Everything you see here is marketing blurby blurbs. I tried not to put any vendor names in here. Uh, I may have had one slip. Oh yeah.
Let IBM slip in just because they're IBM, they deserve it. Um, but, you know, look at, look at what you see here. Stop every attack, uh, detecting malware is not enough, which I guess is probably true, right? But, you know, stopping all forms of attacks before they happen, uh, you know, I love this kind of marketing stuff and we let our marketing friends have free rein. Um, these are the kinds of things that happen.
And this doesn't help us at all because in theory, um, if really there was a way to stop all attacks before they happen, don't you think A, everyone would be using it. And B, every vendor out there that was stopping attacks before they happen would have like, threat bulletin, after threat bulletin, after threat bulletin, all this stuff they stopped. Hey, can I just, I gotta throw in one thing here. Do it.
So I was on, uh, like a security, some webinar I was doing, and, uh, while I was waiting to go on, there was a vendor and they did a good job, they finished up. And, um, but the last thing he said is, so, yeah, so if you buy this, then you could tell your customers that they're secure. And I was like, oh, awesome. That's all I gotta do. I just gotta buy this. And then I can tell my customers that they're secure. So when I got started, you know, I said, Hey, that was really good.
And as soon as he was off camera, I'm like, don't ever tell your customers they're secure. Bingo. Uh, and I love what Tim says, minority report. That's key. That's always what goes on in my mind too. Did you guys see the news article yesterday that, uh, Amazon's AI is now firing their own employees, uh, based on whatever metrics Amazon, uh, deems necessary. So yeah, welcome to the age we're living in. So let's move forward. I mean, this is not what we want.
Clearly this is not what security is about. This is the opposite of a threat informed defense. So as we whack the next slide here, one of the things I want to talk about is the words threat informed defense. This is supposed to be an arrow, but when I translated it from PowerPoint to Google Docs, it, the, a little arrow in a way. But the, the whole idea of a, like our defense should be by nature threat informed. Like that's the real goal we're trying to get across.
So the first question you should ask yourself is, what is the nature of the threat? What is the, the threat informed piece trying to answer? And you can hit the, the button again, Ryan. Um, what we'll see here is the, it, it should answer the who, the how and the objectives. In other words, who is my adversary? We've talked about that a lot already. How do they work, right? Like, uh, we're gonna dive into Gold Southfield and understand, you know, the, the TTPs that are involved.
And you guys should all know by now, TTPs tools, tactics, procedures, the things that they do could be high level, it could be very minute. Um, but, but that's what we're thinking about. And then the objectives. What are they trying to do? What are they going after? So we've already answered that.
But the whole point of threat profiling and, and understanding the adversary is understanding all of these things that lead us to what does the battlefield look like and what does their adversary look like? And then once we know those things, we can know. Now what we're trying to answer in this session, which we'll whack the button again, is the so what, in other words, how does that inform where I need to put, I have so only so many resources. Think of them as eggs and baskets.
What eggs do I put in what baskets? This goes back to the age old. What goes into the stack question that you guys are asking, right? I always hear that all the time, and I know why you're asking. You're asking. 'cause you only have so many resources and we can't do infinite things. Yeah, I love this, Wes. This is when an MSP walks up to me at a conference. It says, Ryan, what should I buy next? This is why I have a stupid look on my face. Yes.
I have no idea what to tell you because I, I have no idea what your threat informed defense dictates you should do next. So that's why I say you probably shouldn't buy anything. You should probably go back and you should figure out whether or not the things you have are working. Well, adversary emulation is a great way to figure out if the things you have are working well. Love it. Yes, indeed. So let's whack the button again, and this is what we're using.
So we've already shared the link with you. You can go click this and dive into Gold Southfield. Uh, the Tetra Defense is, well, will be there. I think we've already shared that out. So you got all the details and data to do what we're about to do today, right? So we're gonna take this one attack scenario from a known threat actor and then use that to kind of have some lessons learned. So let's move forward.
And uh, first thing I did was this is all in Excel, and if you guys want the Excel spreadsheet, happy to share. It's nothing special though. But first thing I did is I took the actor group themselves and I started to go through, okay, let's, what do we know about them? So I, I literally copy pasted some data from, uh, from the Mitre description on the threat actors.
So now we know what they're going after, what the attack group is, we know their associated REvil, AKA Sodin, and all the things we've talked about. So I'm gonna move past this and hit the next slide. And here's where it gets a little bit more, um, useful. So what we started to do is take, and I added a few things into this, but started taking what we know about, uh, what they're, what this bad guy is known to do, tracking that across what Mitre attack techniques we know are present.
And then we can begin to understand some things as we overlay this on top of what actually happened in this attack scenario. So we're not gonna go through every single one of these. And keep in mind, as I said at the very beginning, this Mitre, um, attack, uh, reference is not complete. There are certainly things that are, that they have not documented here that Sodin is known to do. But you can go through some of these things and you'll be like, yeah, this all makes sense.
The PowerShell stuff, we already talked about that in the last session. You know, understanding of reconnaissance and what they're looking for, for like publicly facing stuff, whether it's a vulnerable RMM, it's a, you know, IIS server that you've had, it's a VPN that's been vulnerable from a, you know, a past exploit that has not been, uh, patched or remediated on your end. Phishing access.
You know, you can walk through these things and really begin to understand, but where it gets unique to us is towards the bottom, the supply chain stuff, the trusted relationship stuff. This is where, as we said from the beginning, that Sodin has really shown an understanding of you as an MSP and understanding how to exploit that trust relationship you have because you already have these pre-deployed, uh, exploit kits that we like to call RMMs, right, Ryan? Yeah. And it's, it's right here.
This threat actor will target MSPs to target their customers using phishing, remote access software, screen capturing and external remote services. It's, it's right here. It tells you what they're gonna do. That's right. And they're not known by and large to do super scary unknown like exploit development that no one's ever heard of, right? What are they, what are the access points other than phishing? Right? You can, you wanna chat about that?
And that's another reason that demystifying threat actors and what they do is so important. Because often when we talk about niche and state level threat actors, right? And like, okay, this is, I I could go down a rabbit hole here, I'm gonna avoid this, but I'm gonna try and cut myself off before I do. A lot of times when we think about APTs and nation-state threat actors, we think of they do things that we've never seen before.
The truth is 90% of the time or more, they're doing the same things over and over and over again, and it just continues to work. Rarely is there innovation. Now you take the SolarWinds breach, that was, that was full of new techniques, that was full of new attack patterns. That was a, that was a net new, uh, way of breaching, uh, customers using supply chain and similar, you know, Exchange. There's something to be learned there, that that is a change in what we call the threat landscape.
Those changes in the threat landscape means there's an opportunity to change our threat profiles and increase our understanding. And one of the things I did is I said, oh, great, the next thing that's gonna happen is my leadership and my board is gonna come to me and say, what is the probability that we're the next SolarWinds?
And so what I did is I gathered all the TTP information I could, and I went to my adversary emulation tool, and I brought my hacker team in, my red team in, and I said, I want you to run these tests on our, all of our software pipeline, and I want you to be, I want you to emulate the behavior of these attackers. And I brought my blue team in and I said, I want you to tell me if you can detect these.
And at the end, we had a report card that says, of all these techniques that we, that we used, three of them were prevented, 17 of them were detected, and eight of them we need improvement on. And that was how I answered the question when people came to me and said, what is the chances this happens to us? And I said, the chances are that we would detect it and we would respond to it before it actually became a real issue.
However, there are eight areas of improvement which we are gonna go work on. Right? That's a very specific answer to a very hard question. You don't get that without adversary emulation and threat profiling. Uh, man, I love that, man. I, I can tell you, every board out there would drool to have a CISO that can answer like that, right? Because it's evidence-based answers.
And, and too often cybersecurity is the witches' cauldron that we stir together, the dark arts and say, the chance and the magic comes out, and it's, security is never that way. And yet we've turned it into that. Um, Steven makes a good point here in chat. You know, he's like, Hey, they, they're gonna do that until it works, until they were, they're forced to change. And that's right. It's like this herd mentality. You guys have heard me say this over and over.
You look at any Netflix documentary when the lion is chasing the herd of Buffalo or whatever the heck they, I guess not Buffalo. There's, they're in America, but whatever it is, they chase those horn looking things. Gazelles, uh, Gazelles, I'm sure that's the name of 'em. Thank you. You know, it's always, they never get the leader of the pack. They get the laggards, they get the ones that are old and young that can't keep up with the rest.
That is a lesson from nature that holds true in cybersecurity. And so, you know, we could actually, if we wanted to, we could have just paused on this slide right here, and you could dive into every single one of those and say, okay, I wanna dive into this attack technique and I wanna see what Mitre is saying about it, and I'm gonna see what kind of defenses I have aligned for it.
I might cross correlate this to Shield and really begin to understand and build my, what are my defenses around this? And then, yeah, you can test against it. So we could literally just stop here and, and just say, okay, this is enough for us to really begin to build on. Um, but that's your homework. Wildebeest, Noah. Thank you. I'll take your, your word for it. That sounds like a Lion King reference you're trying to trick me on. Uh, I'll take honey badgers too. Okay, so let's move on.
Perfect. So next thing we can do is I decided, why don't we take the story from the writeup from Tetra Defense and then really begin to understand the phases of attack. So just in your mind, okay, we, we took the, the profile stuff, the, the attack tactics. TTP is involved that Gold Southfield is known to use. Now let's pause in our mind and let's dive into the Tetra Defense scenario. I realize you guys probably hadn't read it, so lemme just sum it up for you super quick, right?
So, uh, this MSP got hit and the aftermath of the whole thing was this, is that there was an IT guy, it's always the IT guy, isn't it? That was, uh, had, um, they had, they had rolled multifactor out to everybody, but for whatever reason, the main guy, the IT guy, did not have it rolled out on his machine. He just didn't, either he turned it off or just was never fully enabled for him, or he was lazy and a, you know, physician, heal thyself, you know, one of those kind of things.
Regardless, uh, he didn't have two factor on his machine, first problem. Second problem is he had clear text passwords, usernames, and passwords to most of his systems. Didn't use a password manager of any sort whatsoever. Uh, was also involved in downloading a bunch of like torrents and cracked software and stuff like that. And so, uh, there's gonna be more problems as we'll illustrate, but so now you have a huge hygiene problem from the person that has the most credentials in the org.
That who, the person that is the most dangerous to the org based on what they have. Does any of that sound like a scary zero day? Of course not. I mean, this sounds like Ryan to me, an attack from the era of 2006, doesn't it? Like you remember the days of like crack software and junk like that, that puts a some base.
I was like, Yeah, I mean, nowadays it's Mimikatz, but like when I was in college, like, this is John the Ripper, like these tools, these tactics have been around since the nineties. Like it's, it's crazy that it's still there and like that we're still having arguments about the need for MFA and passwordless authentication. It's, I mean, if, if you're not doing this, you're at this point, I'll, I'll be honest, you're negligent. Yeah, absolutely.
Good luck getting a cyber insurance payout when, uh, some of the forensics details come out from this one. Yeah, and you, I know you guys are all rolling your eyes, but anyway, uh, like, like that's not me. I, I don't do that. And I'm glad you don't. I trust that you don't. But let's look at the attack phases here. So typically it's either phishing or it's ma, and you see I added one B because of the Tetra Defense article. So in this case it's one B that caused the whole thing to happen, right?
And whether it was like some command and control for some loser, uh, ex or, uh, uh, command and control, it wasn't even something sophisticated that was sold to the soden actors or whatever. It doesn't matter. That was the entry point, that was the foothold that everything began to happen from there. And so you see additional weaponization things happening.
You see, um, the, the, the Trojan, the, the command and control, uh, um, established, you see this walkthrough down into the parts three where we already talked about the bad guy. Once he has access to the machine, he realizes he's got a treasure trove of data available to him because they make it easy. Everything's stored in clear text and he's emailing passwords and usernames to himself and to others. Like there's just no hygiene anywhere.
So, you know, by the time you're into phase three for this bad guy, like you don't even have to be sophisticated. I'm pretty sure like one of my kids could do this if they had access to the machine like this bad guy did. And so then we move on. And this is where you see it goes from bad to worse in this case. So, uh, lack of multifactor for this particular user, so that this threat actor, you, he logs into ConnectWise Control.
This has no, like in this particular case, there's no CVE associated with this. There's no vulnerability, there's no, all you're doing is logging in as a legitimate user that doesn't have two factor. This is not rocket science, right? And it comes in even more egregiously from Russia of all places, also New York. Yeah. And again, this is what we call living off the land. I didn't deploy malware, I didn't deliver custom scripts or exploit kits or web shells.
I, I just stole a credential and I'm using it to log into something that has a perfectly valid use. I'm living off the land. That is right. So goes from worse to worser. Uh, now we see that he realizes what kind of ability he has through Control. So he deploys his own nice little PowerShell script. He did encode it into base64, uh, just a slight obfuscation that he did, not that that's difficult or challenging. Uh, and so he deploys that to 2,500 endpoints.
Uh, a new task was created called ran command, not run command, ran command for whatever reason. Uh, I guess Russians probably struggle with, uh, tenses from English. Uh, and that is what does the dirty work. And all of a sudden the actions on objectives occur. And so, you know, the media will make ransomware look like step seven just happened outta nowhere. Magic happened. And there's step seven and that's all we focus on.
The truth is, all of these other things had to occur from the beginnings of hygiene problems in probably a week or up to 30 days or more of all of this being in place that had opportunities for us to do something about it.
So when you think about these phases of an attack that happened here that led to ransomware everywhere, not only was it egregious, but there's also multiple like points TTPs that should be known and should have a defense that's been designed around it to either prevent it or to detect it, to allow response and recovery. Ryan? Yeah. So let's go back to our cyber resilience framework, right? Uh, right of boom, left of boom, phishing, we're still left of boom, we might receive a phishing email.
Doesn't mean we've been compromised yet, right? The moment a user interacts with that and they get compromised is the moment that we are now right of boom. And so laying these attack phases out the way we have, one of the things that, you know, I think Matt kind of alluded to this, and we really want to drive home, is every single one of these rows in this sheet is an opportunity for you to succeed.
Go all the way back to something Wes said in the cyber resilience workshop: there in your house, it's a defender's advantage. Once they're in your house, right? You know, you have the ability to detect every single thing that they're going to do. And it starts with phishing. And so this is a really powerful foundation because what we can do is we can say, okay, I have my data flow diagram.
I know all the technologies I have and how they interact and you know, I somewhat have an idea of who has access and how they're all connected. Let me start to take these, these TTPs from my study of this, of this specific MSP attack. Let me go back to my data flow diagram and let me start to walk through the different scenarios. What defenses do I have? Are they configured in a way that given how the attacker facilitated their attack, I would be defend, I would be able to defend against that.
Or do I have some sort of weakness? Do I have any technicians that lack MFA, right? I mean, what do you know? How do you know it? Can you prove it? What do you know? I know all my techs have 2FA. 2FA. How do you know it? I made it a policy and I configured it like that six months ago. Okay? Can you go back and prove that it's still in place? Can you audit that? That's your stance. If you can, then you, then you can check the box. I'm defended against that, that technique, right?
So I don't know what was, is there a next slide after this, Wes? Yeah, let's hit the next slide. So the, the question now becomes, okay, now we understood how this happens. We understand how this actor behaves and we understand how this particular scenario carried out. So the next thing we can do is almost like our own, this is less a tabletop session, but more of like a, just a, how would the bullets have fired for us and how would we go back and address this? And what does it point out?
Like what, what can this help for us? And so a bunch of things that come to my mind and I, I would love for you guys to give some of your thoughts as well, because this list is by no means exhaustive. So Ryan just mentioned it. Are we religious about multifactor? You guys know, I joke about this, you should be from the holy church of two factor, no questions asked.
Because things like this, cause major, major problems, two factor does not stop the entry point of a breach, but it, well, it, I guess in some cases it can, but it can certainly go miles and miles and miles, um, to prevent the ultimate actions on objectives. And it makes it much more difficult. We know that we talked about this for years. The question is, are you religious about it? Another thing, what about phishing simulation and controls, right?
Like, do we, are we religious about those things? Do we actually teach our clients how important this is and why? Um, in this exact example, this is a perfect reason. This is why we need executive authority and buy-off, um, a, a buy-in to why we're doing these things. 'cause again, this is usually the entry point.
You guys know, this is not blowing your mind here, but some additional things that come to my mind, and Ryan, I'm curious what else you think too, but who's watching those with the most power, the IT people that typically have or can elevate to administrative levels.
Those are the ones that are most scary compounded when you have lack of visibility into what they're doing when you have no change control in place that lets you really understand what's happened when it's happened, and no alarm mechanisms to understand, whoa, this particular event occurred, this could be a sign of something risky happening. Um, these are things that we're typically missing. What about looking at network traffic?
Because we could have seen some anomalous behavior in some of the things that occurred in this network, and none of this would be like super elite. I can probably almost guarantee you we'd see enough of the command and control stuff occurring and seeing where it's connecting to and from that would probably tell you, uh, something's not good on this machine. Same with the endpoint data.
This is what we talked about in the last session, really understanding how does malware like to operate and what could we see, uh, inside of it. Yeah, So one of the things I'll say is what I would do with this sheet, um, and Wes and I probably would've done this if we had more, more time to prepare, is we would probably add another column and we would call it controls. And we would start mapping the CIS framework controls that we have deployed in our MSP to these different tactics.
And we would, we would be very honest with ourselves about which ones are fully implemented and which ones are partially implemented, which ones we think are effective and which ones we don't think are effective. Because at the end of the day, if you're not, if you're not being honest with yourself about the strength of your control and the completeness of your rollout, you have a false sense of safety. And that's what we want to avoid.
But that would be a great next thing to do with this, is to start to say, what controls do I have that help me prevent phishing? Do I have an email security layer? Do I have, uh, Sender Policy Framework? Do I have DMARC enabled? Do I have, um, some sort of extra email security filtering layer in front? Um, do I have end user awareness? Do I act, how frequently do I test? Do I have follow up training?
Like all of these types of things are controls that can help reduce the success of these types of attacks. Uh, and so you go through each of these, and again, once you have those controls, when you go back to your data flow diagram, you can start to say, well, this control exists here. Let me see how else I could start to walk through these scenarios. If we have time, I actually want to take this list.
I wanna bring it back to the data flow diagram, and I actually wanna walk through maybe one or two of these attack phases in the data flow diagram and show you how we, uh, would model this with an MSP. So let's, No, that's, that's awesome. And this goes right into you, you made me think of this and, and you're right, I did want to track this back to, um, uh, control effectiveness. Check this link out.
This is a press release from CIS, uh, and, and they've done some analysis on this, and you even see this, um, they say that approximately, lemme just read this to you, a prioritized and prescriptive set of safeguards that mitigate the most common cyber attacks. They, so, okay, here it is. So going through the CIS framework, um, mitigates approximately 83% of all attack techniques found in the MITRE ATT&CK framework. That's awesome, right?
This is now, of course, assuming that the controls are operating effectively. This is this combination of what a security framework that's control assessed, that's looking at prescriptive controls combined with how a bad guy works, and understanding of what TTPs are involved can, can overlap with each other and truly begin to have controls that meet, um, attack behaviors and types of bad guys, the TTPs that that bad guys are involved with. Okay, so let's move on.
So now we can finally get to the, so what, remember the threat informed defense? So now we understand our data flow diagrams. Now we understand, um, this particular attack scenario. We understand how Gold Southfield likes to act the things that they typically like to do. So now we finally get to this point where we can say, like Ryan said earlier, now I have the so what's, and Ryan, you guys produced a really good report. I was reading it this morning.
And, uh, you just wanna talk about, I'll let you take the lead from here. You wanna talk about some of these things that you guys have seen as you've gone through some of these study exercises here? Yeah. So we did these cyber resilience assessments with MSPs. It was really meant to give us a much deeper understanding of, of why so many MSPs were falling victim to threat actors. And so we selected a very diverse set of MSPs and we actually went on site with them for two to three days.
And we did, uh, a, a free pen test. We did a NIST cybersecurity framework benchmarking exercise, uh, and we did a threat modeling, um, workshop. The threat modeling workshop was a full day. The first part of the day was building the data flow diagram, four hours, because most of them didn't have one or the one they had was wrong.
Um, based off of what we found during the discovery of the CSF exercise and the second half of the day was, okay, this is what we've seen being used against other MSPs. Let's overlay that in your environment to give you a very strong set of recommendations of what to do.
The so what, um, so we did this threat modeling with them, and what we consistently found was, uh, oftentimes it was, it was fairly basic things being overlooked: lack of MFA, lack of patching, lack of proper credential security, um, things like that, right? RDP open to the internet. Almost always these things were present in some form or fashion in the MSPs we assessed. So, but basics were just overlooked.
One of the hypotheses we had was that the, the, the, the vulnerabilities were gonna be different for different sized MSPs, that there were gonna be different profiles, um, that made different sized MSPs attractive. What we found is every MSP has the same problems, just bigger ones have bigger problems with those things. They're harder problems for them to solve. And so they, the gaps do scale with the company. They get bigger as you get bigger. So you have to really pay attention to your gaps.
Very test heavy. We have this control that does this and this control that does this. And I remember one MSP assessment we did, they had a firewall. Oh, this firewall's great, it's, you know, it's got the, it's got the greatest detection capability. We love them, they're the best. You guys should look at them. It's better than your data networking firewall. And I'm like, cool. I'm like, so my pen tester's been banging away at your environment for five hours.
How much has that firewall told you about what my pen tester's doing? Not a single alert had fired on the IPS or IDS capability of that firewall. And so I was like, cool, let's call up your vendor support. Called up. I, I literally got on the phone with vendor support and I'm like, Hey, I'm running a pen testing exercise. Uh, my threat act, you know, my threat actor is currently, um, actively attacking this environment. They've, you know, here's what they've been able to do so far.
Your firewall hasn't alerted to anything. Can you tell me why that is? They're remote in and they're like, yeah, no, that, that traffic doesn't matter. Uh, we just dropped that on the floor. And I'm like, okay, great. So you have a great firewall, but you have never tested its effectiveness. And furthermore, the vendor has basically just told you, um, you should never expect to be able to see signs of reconnaissance of a threat actor against your environment. That's a huge red flag, right?
And your process should be to test this, these controls to make sure they actually give you the detective capability, which goes to another item. Almost all the gaps from the MSPs, from a cyber resilience perspective, they're all really doing well. Uh, and, and advancing quickly on the left of boom things, the identifying the protect things, but universally they were suffering on right of boom, detect, respond, and recover. It's just, it's not there.
Or they know they need to do it, but they're just so still focused on the protection and the prevention that it just wasn't there. And so I could go on and on and on. You've heard me talk about supplier management and, um, and, and most of them don't have a documented incident plan. Like I don't think any of them have ever reviewed the tabletop exercise for IR that you and Chris Lara had done. And like, honestly, they all needed it.
So these were just some of the things that came up as consistent when we did this assessment. Um, and, and if you read the report, which we'll link later, we actually listed out MITRE ATT&CK techniques and how they applied to the environments. And we have like little mini diagrams, like everything we did, we anonymized and shared out as a case study for MSPs, uh, to leverage. And so it is another way for you to help do threat modeling inside of your environment.
And we made the whole workbook that we used for every MSP, it's free, go download it and you can use it and do a self-assessment and walk through this. So yeah, this is, this is part of the, so what from what we found. Yeah, it's good. So there's, yeah, you can hit that next slide, Ryan. So the, there, there's things that we can do from here. There we, this is by no means the beginning, right? This is, uh, I mean the end, this is just the beginning.
So what I would do is now we have, we have the threat model, understand who the bad guy is. I've said this already, we understand how they work, how they act, all these things. But now we can overlay this on top of the asset inventories we have in place. So, you know, what are the, what are the things they might hit? What, uh, begin to understand things like, uh, are we overlaying vulnerability assessment on top of those asset inventories?
Do we understand, hey, these are the points of entry, these are the points of command and control. This is, you know, where my RMM is and how this would work. This is how the controls work between the two. Really gives us that starting place. Also, it allows us to begin to work through policies, procedures, and all the, the process stuff we have on board.
If you've looked at the cyber defense matrix, which many of you have, you see at the very bottom, uh, that last part that the policies or the, I'm sorry, the procedures are always even it's before the boom, it's very technology heavy light on people post boom after detection, it becomes very people heavy. But process is always throughout. And so this lets you really understand where you are at from the process perspective.
We've already given you the example of MFA. Is MFA truly aligned everywhere? Or is it not? Um, Ryan, jump in. Yeah, so if you don't wanna go through and you, and you wanna do the threat modeling exercise, but you don't wanna go through and build up threat profiles in that resource that I just provided you, we, you could ignore everything else. We created a threat section. This threat has the tactic, what the technique it maps to in the MITRE ATT&CK ID.
So at every MSP, you could literally start going and doing a threat modeling exercise just by stealing this list and working over it with your data flow diagram. So if you don't want to go through and do the Tetra Defense analysis that Wes did, like maybe that's a mature, you know, that's a thing you'll do six months from now. There's a way for you to bootstrap and get started more quickly. Just steal this and go do it. Uh, go do this assessment in your environment.
One thing I want to add to that, this, a vendor will not have this discussion with you because a vendor is concerned primarily with solving one thing. They're like, this is the thing that we do. And so you go back to all of those. That list is golden, Ryan, of all of those different common attack TTPs and the associated, uh, MITRE references. This is why when you ask a vendor, Hey, you know, how can you help me solve this problem?
They're gonna always jump to that one thing that they do, versus this is what a true cyber defense looks like and how we build maturity around it. And so, um, this is why you have to go through these exercises. It's why you have to begin to map controls across. This is why going through these threat exercises just to keep yourself fresh and understanding what bad guys are doing, to understand where the weak points and gaps are that you may have deficiencies.
Just like Ryan said when his board asked that question, he said, well, there's eight things we could work on. There's always eight things everybody could work on. The question is what are those eight things, right? Uh, so this is why it's a process that we go through. Yeah, for sure. Um, okay, so some links, uh, that we have down below as well. So we, we popped in the data one that's there for sure. So all of this is here.
There's a very in-depth one that I nearly used and I backed out of because it's a bajillion pages, but it comes from MITRE. Um, it's that top one. What they did was they took a, like a bank, a financial service org. And Ryan, do you, I don't know if I could put you on the spot, do you mind to open that one real quick? Um, yeah, there it is. So what's really good about it is it shows a very in-depth data flow diagram.
It goes really far into the weeds in, um, how pro like they overlay risk assessing with it on top of, um, all of their different like business units inside of it. This thing is a monster. And by no means does any MSP need to go to this level of complexity. Um, but you'll see this, I do want you guys' homework to go take a look at this because it's a good example of a very, very, very sophisticated one that you can certainly pull pieces out and say, man, that's really, really good.
I wanna take a piece of that and I won't replicate that for me. Um, you might even have some banks or healthcare or highly regulated orgs you wanna walk through and begin to map all this through. So this is a, a very, very, very good sample. You'll even see some pieces that I use to kind of pull out to create that spreadsheet that I had. Um, so by all means take that and use that how you may wish. Uh, Ryan, anything else you wanna add to this?
No, I mean, I think one of the things we're trying to do here is we're trying to give you free open source resources to help you go and bootstrap this. You do not need to buy anything. All you need to do is invest time and you can materially improve your cyber defense with the tools you already have. You don't need to buy anything.
You just need to build this capability and this, this process and this maturity, and this is why I get so sad when people don't, when when you talk about threat, you know, threat, threat monitoring or what we call threat management, really from an end, like from a, from a true high level security program perspective. And they're like, oh, you mean like a an IOC feed? And you're like, no, that's not at all what I mean.
Because half the time those are garbage and they're recirculated and they contain crap information. And you know, although I will say the Perch IOC feeds that you guys have up on, um, on GitHub are, are pretty decent and MSPs should definitely leverage those. Um, you know, those are highly curated and that's really what you want. You want something that's targeted in your industry that's curated by professionals that's not recycled, uh, information.
So the stuff on Perch's GitHub is pretty awesome. Yeah. Yeah, definitely check those out for sure. Um, Bryson Medlock is our, our, um, senior, uh, director that handles all of that. And they're fresh, they're new, they're young, and they're created and seeded from stuff that we see internally. So yeah, by, by all means. I agree. Um, so there you have it, like this is just a high level, like gives you the starting points that you need to kind of put all of this into place.
And I hope we, we de muddied the waters a little bit here to give you some understanding. Um, let us know what questions you guys have in the chat. We'd love to answer anything you want to know.
And then I was hopeful that we could get like a, like a Tim Fornet or someone else that may want to join and just kind of let us pepper them with a question or two or three on, you know, where their MSP is at and, and maybe some of the roadblocks or challenges or opportunities or wins that they've gotten across the board. Um, 'cause I'd love to, uh, pull a partner into this whole discussion as well. Um, anybody in chat that wants to just say yes, I'll join and we can bring you up on screen.
I'm ready waiting, Wes. So while we're doing that, one of the things I I wanted to do was, so we, we talked about phishing, right? We talked about common phishing, defensive controls. So when you go through your environment, right, you need to think through how, um, how an attacker will target you via phishing. Well, first there's the duh, they're gonna send you an email. The email's probably gonna contain an attachment or a link.
And so the first thing to understand is how strong is the email security layer that I have now? Uh, and you can go through and one of the best ways that I usually tell people to test their email security defenses is to sign up for a trial of another email filtering solution and set it up in a passive mode so that it just gets a copy of all of your email and let it tell you what it would've thought was bad in quarantine.
You can get this true A/B testing without necessarily having to actually change your mail flow. And what you'll commonly find is your existing mail layer probably needs some work, which is why you usually need multiple layers. The other thing is they're, they're gonna send spoofed emails a hundred percent. So you need to have strong SPF records, you need to have strong DMARC records.
If you don't have those, your customers and you are likely susceptible to spoofing from your own customers. And I love the old CEO conversation, right? Oh, CEO of the company, they're so busy, they don't have access to anything useful. They don't need MFA, they're not a target, but what happens when their email gets popped and someone turns around and uses their email and says, Hey Ryan, could you transfer $200,000 to this bank account for this deal that we're working on?
Um, you know, this CEO has influential power over your people, so you need to care about spoofing and you need to care about protection of all of those inboxes across your entire ecosystem, right? And so what we would do is we would sit there and we would work through what are all of your phishing defenses that you have and where do they have gaps?
Um, and you know, if you're, if you don't have an additional email filtering layer between say like Google or O365, um, you should really start looking at another layer in between that. It's still not gonna be bulletproof, but you'll be shocked at the amount of stuff that's actually getting through those layers. That, what you're describing, happened. Uh, and he told about it to Vern Harnish. Yeah, he was giving a conference and he left his PC, his laptop, on in his hotel room.
Someone got there over the wifi, they went through his emails and I guess they must have searched, uh, wire transfers and saw what he'd written, who he'd written it to, sent the email, then deleted it from sent items, and it was hundreds of thousands of dollars. Yeah. Very, very real. These are very real scenarios, right? Yeah. But again, like you have O365 in this diagram, you have an additional email security layer, right?
And then you say, okay, well then what happens if the phishing link is, is opened? What defenses do I have on my endpoints? Do I have, um, you know, and in this diagram I put everything in VLAN zero, which means every machine, every asset is in a flat network. 'cause most MSPs do not have segmented networks. And I said, who are, if you looked at your phishing data, your click rates, who are your people that tend to click and who are your people that don't tend to click?
And they, so they brought it up and they're like, well, it's usually the same four people. And I'm like, why do those same four people live in the same VLAN as your technicians? Why would you do that? Why would you like the lateral movement from that tech work, from that marketing person's workstation to that tech workstation is trivial, right?
But if you have network segmentation and they literally can't talk to one another, um, it's gonna be very hard for them to actually pivot or it's gonna be harder for them to pivot, or you're gonna be able to detect that lateral movement capability. So there's a lot of things as you walk through each of the TTPs, you can literally slice it very small slices and say, do we have more defenses, uh, in place to detect these through all steps of the attack chain? So yeah, let's bring some folks up.
Yeah, I've been trying to get a few here, Ryan. Everybody is, uh, not responding. Certainly not here to put anyone on the spot, uh, but just that'd be fun to have a partner just get their perspective on this. Uh, anything that they have to say is, is fair and valuable to us. Um, I I would say as we're waiting, you know, one thing to just keep in mind too is like, look, this all begins with that single step.
And by no means are you going to like, get all of this, like no one's perfect at this big enterprise. Literally have teams of people that do each of these segments of things. Uh, you, you don't. We get that. So just start with a conversation. Start with Gold Southfield and walk your org through it and spend some time on it. I promise you'll come out of really, really good useful takeaways.
You know, and I'll tell you something else I see in the industry, like, you know, everybody's all cybered, every vendor right? Is cybered up and you know, and they're gonna, and, and they wanna show you how you're gonna be able to close more business, like with their tool and pushing you down this, uh, the, the road. Like the tool is gonna solve your, the sales problem that MSPs have had for 30 years, right? What's gonna solve sales is maturity, right?
Of understanding things at the depth that you heard today to move in that direction because, uh, and you heard a couple of them yesterday, right? We had a couple, um, uh, customers on. When you get to that level and you get in front of a customer or a prospect, the sale is easy. From the minute you walk in the door, they're sensing that you're there to help 'em, that you have knowledge and experience that can benefit them. The sales are a result of your maturity. Does that make sense? Yeah.
It's not, it's not voodoo mind tricks. Yeah. Well it's always, you've always said it's command, Gary, this is nothing, nothing new. No. It's just that this wedge is so much easier because customers understand it so much better than they could in the past. So it's just, that's why people are selling who get there are selling so much more and they're selling at such a high price. And these three hours today will alone can get organizations on the fairway and get 'em moving. It was so well done.
Yeah. It really was Ryan West, man, you guys knocked it out of the park. Out of the park today. Thank you so much. Appreciate that. So the Next time someone in your MSP asks you what you, what next piece of security technology you should buy, you should tell them, we don't need to buy anything. We need to do adversary emulation. Yeah. Yeah. Let your, your control effectiveness and your gaps determine that for sure. Yes.
And I think the other thing I would say too is I think the big takeaway even for me in all of this, to distill it into like the just one thing is we don't know our adversaries well enough. We think we do, but we don't. And I think because we don't know them well enough, we tend to want to just jump to the latest shiny thing.
And it makes the marketing blurbage so much more swaying, uh, because we want to hope and prayer that the coolest, newest AI driven whatever is gonna solve the problems for us. But the reality is we need to know our adversary far better than we actually do. You guys have been talking for the last couple weeks about the simple thing like, uh, inventory, right? Um, asset inventory. It's, you know, you buy all these tools and then there's an issue.
'cause you know, there was, there was three workstations that for whatever reason, your policies, uh, they, they got attached and you didn't have your tools deployed. Right? Your awesome tools didn't help you. Right? So, you know, but what, what this really brought home for me, Wes and, and Ryan was just seeing it when you do the adversary emulation, you know, we've been talking about frameworks and controls and policies. This forces it ties it together, yeah. To the real world.
It connects the framework to your actual business, right? It's the it's the link between the two. Yeah. It, it was, it was just so really, really well done. And it also, like I said, I mean if you walk through this and you can, you know, as you know, put the oxygen mask on at home and I just love the way Keith Bartel yesterday says, I'm client number one. My MSP is client one. And, um, what, you know, what command you would have going out to your customers. Yeah. So let's go, let's go people.
Yeah. Get cybered up. Get cybered up. Alright, well, um, so Patent and pending It is, it looks like it's patent and pending already. So we're off next week on the cyber call again, wishing everybody a fantastic 4th of July, we'll be back the following week. Don't blow your fingers up. What's that? Don't Blow your fingers up. Fingers Up. Yeah. It's very true. Very true. Ryan, do you wanna, The NFL always loses at least one player every year. Ryan, uh, closing thought from you.
I mean, you've heard me talk all day. Um, like, you know, uh, John Strand, for those of you that don't know, is a, he's a very well known kind of, um, information security figure. He owns, um, uh, I think it's Black Sands or Black Hills, uh, security, I can't remember Black something. Um, he's a SANS instructor. He's a faculty of IANS, like just very well known. Really smart guy, um, really great pen tester.
He was, um, you know, uh, he, he's just, we very well known like the, the, the kind of red teaming adversary emulation space. Um, he, he, I'll leave you with a quote from him: the most important thing you can do this year is run adversary emulation. Hmm. And when John Strand says something like that, that is like something that you should stand up and listen to because he is a guy that really truly gets it.
Um, so you should, you should be doing this stuff and don't just run the tactics and not, you know, not know why you're running them and freak out if you get a, if you, if you don't get a detection, again, it needs to be grounded in a threat profile. So figure out a threat actor, figure out a specific variant of ransomware you're worried about. Figure out the threat actor behind it. Map it back to some tactics. Run those in the adversary emulation.
Start small and just, this is a, this is a journey. You're not gonna bite off adversary emulation overnight, but it is one of the most important things you can do this year. And it's free. Yeah. Free. It doesn't cost you anything. Uh, we should, I wonder, Andrew, if we can get him on as a guest, uh, for cyber call, that'd Be cool. John's a smart Guy. 3000 folks. We should pursue that. Hey, here's my takeaway. This is totally outta left field, but the thought just occurred to me.
You got ConnectWise, you got Datto, you got ca all here on a call. Isn't that cool? Yeah. Uh, that's what security is really all about at the end of the day is sure we all compete, but, um, you know what, we're in this together when it comes to security. I learned this in my banking days, you know, talking to all my friends from competitive banks. I don't care. Like, uh, we're security is a journey we all go through and we're all in this together for sure. So I I think that's awesome.
And Andrew, thank you for being the one to kind of put this together and, um, really get it going. I, I appreciate that so much. Yeah, well, absolutely. My pleasure. Gary, how about final thought from you? Uh, no. I I I'm just feeling like we've done, we've been building towards this. We've done a lot of good work over the past year together, right. And with the help of a lot of other people.
Um, but I think, uh, these three hours, uh, are something I'm gonna encourage every true methods member to go through this, this, every one of 'em, uh, needs to go through this and needs to, uh, solidify everything else we've been talking. This really ties in everything together. So, uh, I'm, I'm, I'm thrilled and thankful that to be able to, uh, to be able to make this part of our arsenal. Well. Excellent.
Alright, well till next following Monday, everybody have a fantastic day and always great being with y'all. Take care. Thanks guys.