Incident Response Best Practices

Unsecurity Podcast

The number of aggressive cyber attacks we’ve seen has been on the rise very recently—including a calculated Ryuk ransomware targeting healthcare organizations. Knowing attackers are taking extra advantage of the chaos of the pandemic, Oscar (who leads FRSecure’s technical services team) gives some thoughts on incident response best practices and what to avoid.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Welcome back. This is episode 105 of the insecurity podcast. I’m your host this week. Friday nine. Today is november 10th and joining me this morning as usual is Evan francine. Good morning kevin.

[00:00:34] Evan Francen: Good morning brad.

[00:00:35] Brad Nigh: Are you today

[00:00:37] Evan Francen: tired again? Grumpy or No, there fat

[00:00:47] Brad Nigh: a normal day.

[00:00:49] Evan Francen: Yeah. Yeah pretty much. It’s good to be here though.

[00:00:53] Brad Nigh: Good. Well and as you can see on the video we have Oscar meets with us today. Good morning Oscar.

[00:00:59] Oscar Minks: Hey good morning brad.

[00:01:01] Brad Nigh: I don’t know if you saw the show notes but called out your sweet southern drawl there.

[00:01:06] Oscar Minks: I did see that. It’s a lot to live up to today. So I hope I don’t let anybody down.

[00:01:11] Evan Francen: Hey Oscar Oscar state barbecue.

[00:01:16] Oscar Minks: Uh, barbecue. Yeah, I love

[00:01:20] Brad Nigh: it. All right. As this tradition, let’s catch up with what has happened over the last week. Uh Evan, How was your week in your weekend?

[00:01:32] Evan Francen: It was a good week man. Um five or 6. Really good uh partnership. You know potential meetings I. O. X. T. I don’t know if you’ve ever heard of I. O. X. T. But that’s a pretty cool alliance with the IOT makers manufacturers. You know to get certified on, you know how to secure those things. Uh so there’s a movement now with IOT to start um you know, sort of self regulating to get them to secure their devices and secure their things out of the box. Uh so that’s pretty cool. Um a bunch of other really cool meetings, consortium networks was another really cool meeting which was kind of a bunch of old, not old, well maybe they’re old but bunch of information security veterans who grew up in places like Mandiant and fireeye and places like that that have now gone off in one. I do kind of this greater good thing. Yeah, so you know, good meetings last week they did the security show, we talked about seven ways to seven ways security can improve your sex life. That was an interesting show, but it’s, you know, it’s, it’s adults, all mates, 10 PM at thursday night but we didn’t get raunchy, we, we totally stayed on topic but we found a new, what do they call it, they call it? The Fitbit for your markets. Not cool man. But so it was neat and then last week’s podcast was really cool with you, me and richie breathe or I was really good week. Just you know, just tons of stuff going on man. 4th quarter. You guys are just as crazy if not crazier.

[00:03:14] Brad Nigh: Yeah, it’s been, it’s been crazy. Speaking of crazy Oscar, how was your week?

[00:03:20] Oscar Minks: It was busy, It’s been a very busy last few weeks over here. Lots of incidents fires, things like that going on, saving the world one day at a time. It’s

[00:03:32] Brad Nigh: uh, good thing. I think you got your, you guys on that team have been 24 7 for what? 2.5 weeks?

[00:03:40] Oscar Minks: Yeah, 24 7 for a little over two weeks. Um, so you have lots of knots weekends and uh, now we’re starting to ramp down, which is good helping our customers through these tough times. And uh, I don’t want to jinx myself, but things are going pretty good so far this week.

[00:04:00] Brad Nigh: That’s good. Yeah.

[00:04:02] Oscar Minks: Well you bread

[00:04:03] Brad Nigh: mostly doing that. A lot of that office 365 hardening for the national retailer. Um, it’s been interesting because the guys that I’m working with want to do the right thing and, but they don’t have experience with us and the person that had set it up and then was in charge of it just basically left. There were some, I didn’t have like good documentation so there it’s, yeah, it’s been good. They want to do the right thing. That’s the important part. So it’s been a lot of like teaching and he got, where did Microsoft, where did they move this to now?

[00:04:45] Oscar Minks: Okay. It’s like a carousel in there man. Every time I log into someone’s admin portal, uh, something is in a different place than it was before and then a

[00:04:56] Brad Nigh: bunch of changes for like, yeah, like the security settings are not going to be under the compliance center and you go to one place and their documentation and go to the link and then it’s like this is going away click here and then it’s completely different. So yeah, it’s been interesting that uh, you guys have had the I. R. S pretty well under control the last week. Haven’t had do anything that way. This weekend was Nice. Here is like what, 75 both days, which record highs records for both of them. So just relaxing and enjoying that weather because now they’re saying 47 inches of snow this afternoon. So yeah, 75 to 47 inches. Yeah, hoping to Minnesota.

[00:05:44] Oscar Minks: Yeah, we got that 75° stretched down here too is about the same in Kentucky over the weekend. And we’re lucky if you can see the sunshine bearing in through my window here. Uh, it’s another beautiful day today. I think we’re supposed to 80 today, which will be a record high for us november 10th. Um, we’re gonna get a cool down. Not quite as cool as you guys. I think we’re down to like fifties. Second half the week lows and thirties. So I’ll take that normal fall weather.

[00:06:10] Brad Nigh: Yeah. Yeah.

[00:06:14] Evan Francen: The sunshine and where I’m at two mm hmm.

[00:06:18] Brad Nigh: No, there’s no fun outside. It’s all overcast. The worst part was looking at the weather and had seen the weather service saying like get out and enjoy this weather. It’s the last time we’ll see the 70s until April

[00:06:32] Oscar Minks: oh man. So depressed. Yeah. Did uh all the snow melt you guys have gotten before because I know you had quite a bit piled up right?

[00:06:43] Brad Nigh: Uh I mean in the parking lot where they put them into the giant piles, they’re still actually snow. Um It’ll be there till probably may.

[00:06:56] Oscar Minks: Yeah.

[00:06:59] Brad Nigh: Yeah. You know what you signed up for?

[00:07:02] Evan Francen: It’s Minnesota,

[00:07:04] Oscar Minks: those could be some pretty sweet jumps if you have a dirt back. Yeah.

[00:07:12] Brad Nigh: All right. So I guess we should probably get started on some security stuff. Huh?

[00:07:19] Evan Francen: Yes. I mean I don’t know I’ll talk about anything. It’s just cool to hang out with you guys. Mhm. Do you see this cell right here? Yeah, This one right there.

[00:07:32] Brad Nigh: Yeah.

[00:07:34] Evan Francen: Yeah, that’s the one that they kept me in for a while. Yeah, this is what happens. This is what the prison looks like when you try to lock me up, it ends up going like this for you. So just saying you probably don’t want to catch me.

[00:07:49] Brad Nigh: I thought it was a D. I. Y. Project.

[00:07:52] Oscar Minks: I can’t keep lying in the cage, man. Can’t keep lying in the cage,

[00:07:55] Evan Francen: nope, wow. Yeah. Alright security

[00:08:01] Brad Nigh: security self let’s talk let’s talk incidents. So no surprise that as Oscar mentioned that our work is keeping us busy. You know they had that reporter on healthcare from was at DHS and Secret Service a couple weeks ago? Um So but had enough? I r. S coming in lately. What what are some things that people should be doing? What our dues and don’t when you bring in an Ir firm. Um So that’s why Oscar’s here. But first why don’t you tell us a little bit about teen ambush?

[00:08:35] Oscar Minks: Um Yeah, so he switched gears on me that real quick, man. I was

[00:08:41] Brad Nigh: different questions

[00:08:43] Evan Francen: actually, actually, through, I actually threw that in there because brad wrote the show notes, and I was like, you know, we talk a lot about this team ambush, who the hell are, who the hell is team ambush? And, you know, I want to tell the team a little bit because you guys are pretty damn awesome.

[00:08:57] Oscar Minks: Yeah, I like that, they deserve that to. Uh So yeah, team ambushes uh Red team and blue team uh here at f are secure. And so for those who don’t know, we got a a gang of really skilled technical security experts, uh some of which specialize in offensive security, so penetration testing, um that’s everything from, you know, doing internal tests, uh external test, uh web applications, um Red team engagements, which is, you know, we’ll throw the kitchen sink at you there a little bit of social engineering, a lot of enumeration, trying to find uh weaknesses and your posture and your people and exploiting those to be able to get to to gain an internal presence and foothold in your network and then from there and see if we can get to your um important data. Really simulate what an attacker is doing in the real world today. Um and then we also have Blue team services, which is their defensive services. Uh so that handles all of our digital forensics as well as instant response threat hunting capabilities as well. And um, I know the big talk lately is, you know, we’ve been busy with incidents and we have, there’s been a whole lot of work, but I can tell you this Ring Q four um, are red team practices just as busy right now. Those guys are uh pin testing like crazy, we’re at capacity right now at capacity plus, I’ll say that I’ve got both sides of this team is putting in work after hours and on weekends, so we can help clients are security and, you know, a lot of kudos for me to to both sides of red and the blue. Um feel incredibly lucky to have such a fantastic team, A great, great group of guys who are always always willing to put in extra effort to do what’s right to help our clients and our partners, um, I will say to, you know, on the, It’s been busy all of Q4 so far, which you know, we’re almost halfway through there and like I said, a lot of extra hours put in from both sides and everybody just takes it on the great attitudes. Uh they’re happy to be here, happy to be helping. And I think they all feel similar to how I feel that we’re lucky to have the opportunity to be in the situation, we are to really be able to make a difference and help people and um whether that’s on the proactive side of doing testing for people or it’s on the reactive side of helping people when they’re in trouble. Um I think we’re all driven by the mission and we feel lucky to be here. But yeah it’s just a fantastic, fantastic awesome team who can really do just about anything and uh love them to death.

[00:11:46] Brad Nigh: The coolest part is watching the two teams interact like we’ve got an incident and one of the pen testers jump in and help explain what’s going on with a piece of code or you know the the I. R. To the blue team talking to the right team and say hey here the things we’re seeing. Yeah, I went on in the real world to help them with their testing and similar. Sure.

[00:12:12] Oscar Minks: Yeah it’s it’s really awesome. Um You know, our purple team activities, right? Um are really really beneficial for both sides. Um You know there’ll be some times where we have some some folks on the red team, you know who are really good at reverse engineering, really good at decryption. And so you know if we have something that we’re having a hard time uh decrypting or d obfuscating. Um they’re always willing to hop over and help us reverse those things. Uh The same thing like brad mentioned nuclear identify programs um that maybe we’re a little unfamiliar with what these programs are doing, uh come over and use some of those reversing skills to help, you know, put some sanity to some of these things and some logic behind it, it’s really awesome. And then on the flip side, you know, we’re in a lot of things for them now, we’re um you know, we’re working together in tangent to look at attack techniques and from the blue team perspective um exercising showing how that we can detect those techniques and how they could be stopped and so it gives them, you know, insight into how to modify some of these techniques to be a little more evasive. Uh And you know, through that, I think ongoing relationship, we’re continually just leveling each other up. You know, there’s sharing these skills and we take those skills and we keep building on them and it’s uh it’s a really, really, really great thing. We fired up these uh hacked you sessions. Now we’re doing like once a month to this is really cool. Um and right now the goal is, you know, each month and we’re gonna kick these up to twice a month soon and when we hope to one day be able to start sharing some of these are the public, the videos, but I’ll explain that a minute. But so essentially gonna be picking exploit each week, each month and you know what I’m trying to do is get someone who’s really unfamiliar with that exploit today uh to go in really learn that exploit and we’re not saying how do you run the exploit? What does that exploit? Mean? I want to be able to explain it to me from the ground up, why is it vulnerable? Why is the exploit possible? How do you execute that exploit? And then what repercussions does that exploit have? Can you do with it? And then on the flip side we’re having someone from the blue team that’s working with them, say how do you identify the exploit? What impact will this exploit have on your domain enterprise and then long term, you know, like how do you really remediate and prevent this exploit from happening? And so it’s a lot of fun. We’re doing these sessions together in our lab, we built and doing some uh you know, just some good education to we open those up to the entire company right now. Um see that attendance is is, you know, it’s good getting better. And then when we finish these sessions um right now we started we set up a new piece of our website called fr secure labs and so we’re taking these exercises and the writing blog pieces uh and we’re sharing all that information with the world. So that folks will understand how do you do the exploit, why is it important? And then, you know, on the flip side, folks will understand how to, how to prevent that exploit, how to recognize it and how to remediate it. And yeah, I’m super excited. We’re going so many cool things. I can brag about these guys. How long do we got, we could do it for the whole hour got somewhat.

[00:15:38] Evan Francen: But

[00:15:41] Brad Nigh: yeah, I know it’s crazy like looking at, you know, a year ago where we were at with that team and where those guys were at and just kind of getting their feet wet and now, you know, where when I do need to jump in which is becoming mm less and less often like how much, how it’s just mind blowing, how improved and level up that entire team has gotten in a very short time.

[00:16:11] Oscar Minks: I think it comes from just are like a general um, attitude of the team as a whole, you know, and that’s a big thing that I believe in, my team believes in twos, that we level each other up, we educate from within and um, there’s no sacred knowledge here and I know that you guys have both had that before in the past for, you know, a new guy comes into an environment and there’s someone senior who, you know, thinks they know everything and they don’t want to share it with anybody because they’re afraid that they’ll get away their secrets right? Um and that was one of the things that always drove me crazy when I was young coming up and seeing those people who should be leaders trying to hold information to themselves, um to to keep a gap and we’re really big here on, we don’t do that. There’s no egos. Um, there’s no differences between any of us. Skill sets are things that are learned through support with each other. You don’t judge anyone for a skill they may have or may not have because I guarantee there’s another skill they have that you don’t have, you figured that out yet and you will and do time if you give yourself the opportunity to give them the opportunity. And so we’re really big on making sure that any knowledge that I have on my entire team to have and I want them to be better at it. And I am and I think that bleeds down through everyone on the team. My senior guys all the way down to the junior guys to um, and we constantly share constantly try to help each other level each other up. We don’t work on islands. We work together as a team a whole lot. And uh yeah, I think you’re right. I think we’re really seeing how that model works and and how about in people are too, you know, it’s it’s a beautiful thing to see that, you know, when you got a whole team that wants to support you and help you get to a level that you want to be um magic can happen man. Well, I mean

[00:18:06] Brad Nigh: It’s really beautiful. You have to threaten people to go take some time off working. Like it’s like 12, 15 hours and you’re like, what are you doing here? I’m going to shut off your access.

[00:18:19] Oscar Minks: Yeah, that’s not just one person calling without specifically. I’ve had a few folks on my team that’s like take a day off. No, I don’t want to, I don’t want to or they’re off work, but they’re logged in working with us and I’m like, what are you doing man? You just put in 12 hours. I want to help. I want to be here to help. No, I need you to be able to help and for you to be able to help. You need to get some sleep and get some food to recharge the batteries. And uh I had, you know, other folks like, hey, take tomorrow off. You’ve been burning, you know, for 9, 10 days straight right now, nope, I’ll take another back and we’ve got to get through this. And it, it feels great. I mean, it feels like family feels like a brotherhood and uh like I said, we’re all just, I don’t know, we’re in it together and we’re fighting a good fight and I think everybody has bought in for that and that’s really important. Yeah,

[00:19:08] Brad Nigh: yeah, it’s awesome.

[00:19:09] Evan Francen: Yeah. Super cool man. So you didn’t even mention the seat, You don’t even mention the CTF stuff that you guys do too. I mean, alright, you fit that into. We had your what? Five? No, Yeah, 10 episodes ago maybe. Uh I talked about the CTF work that you guys do to Yeah, I sat in last week on the, you know, on the demonstration and uh he was damn cool man. There was what? I don’t know 50 people there may be

[00:19:44] Oscar Minks: Yeah, that was quite a

[00:19:44] Evan Francen: few like,

[00:19:45] Oscar Minks: yeah, we had a pretty good uh pretty good crew on there. Um and I haven’t got to see the, I didn’t explain the beginning and we have this tradition now where every week or every month, whoever presented the previous month makes a slide show for who’s presenting this month and they’re not allowed to see it until until they present it. And so uh you know, it’s, it’s kind of on top, it’s meant to be fun to kind of warm everybody up, get a few laughs and let it set the presidents that we mean this to be fun. We want it to be loose. We want people to interact and ask questions if they want to, don’t feel uncomfortable. And so it was pretty hilarious. I think there was a lot of top was a golden, we’re looking at golden tickets. Um but I think I learned how to make a golden ticket soup, which I’m not going to arrest you

[00:20:34] Evan Francen: here. Right, Well, yeah, you’re right. I didn’t know that when I came in. So I was like, what the hell? I’m trying. I’m like, uh huh. No, I mean it’s not. I don’t get it so distracting. Like I know the pieces and then I’m seeing how you’re putting together the soup. I’m like, what the hell does that have to do with that? But then, yeah. And then you guys got into the real dick. Okay. I get it now. Yeah, it was funny, but at first it caught me soft guard. I was just like, I don’t all right.

[00:21:12] Oscar Minks: You know, others were feeling the same way. I have a feeling that when we got to the slide that says uh, Captain Picard is the best jetty. Everybody probably understood this was a joke.

[00:21:23] Evan Francen: Yeah,

[00:21:26] Brad Nigh: that’s a fight.

[00:21:28] Oscar Minks: Oh yeah. Yeah. There’s some things in there that, you know, are meant to be like a just find triggers for people.

[00:21:34] Brad Nigh: Yeah, yeah, for sure. So Bill, that’s how you can tell that that team is on both sides of so close. Like nobody like they know the limits, but nobody takes it personal. Yeah,

[00:21:46] Oscar Minks: a lot of fun. A lot of fun. And that goes on. I’ll say,

[00:21:51] Brad Nigh: I mean you have to when you’re working that much that closely.

[00:21:55] Oscar Minks: Yeah, we laugh a lot. I mean, and that’s important. I’ve worked into those environments to where we didn’t have that kind of open communication top environment or it was okay to put your guard down by yourself, you know, say things that you might get poked at and poke other people sometimes, but it builds camaraderie and it keeps us motivated and happy when we’re interesting times and uh you know, you really see the team pick each other up at times and you see us really have a good time even when we’re in the middle of a really challenging and stressful situation. Um you know, there’s always something to smile about in life. We’re helping people, we’re trying our best even if it is hard right now, so we should enjoy doing that as much as we can.

[00:22:38] Brad Nigh: Yeah, so it’s a good, good transition. Um, you know, talk about with all the incidents that you’ve been doing recently in the stressful times and you know, let’s get a recap of what we’re seeing right now. It’s it’s active. I mean,

[00:22:56] Oscar Minks: yeah, I think it’s so, you know, I’ve been thinking about this a whole lot and you know, we saw the report that came out, um, I think it first broke on CNN, right, and the DHS put out some statements and then every other news media picked it out and some other people would probably don’t even say the name, put it out there to um and I’m not saying that that wasn’t real a real threat, but I’m saying that threat’s been there and it’s always gonna be there, right. And that threat existed before that article came out. That threat exists today, that threat’s gonna exist two weeks from now, two months from now, two years from now. And so there is always a thing, you know, where we know the media love sensationalized things and in some cases that’s good. I can see the positive from that. It got a lot of people thinking that may have not been thinking about that at the time. And it gave us an opportunity to communicate with him and give them some knowledge that they would need and that would hopefully help them prevent an incident from occurring or be more prepared if an incident did occurred. And so while I may say that I do believe that was sensationalized. Um, I think that threats it’s real. It’s always going to be real. And if we see those opportunities as information security experts to use that to help people that we can touch and we can’t communicate with, I think that’s a good thing. Um, I will say that, you know, there has been an uptick and incidents. Um, I can also say that I looked through our actuals this year and I can see there was an uptick in incidents about March april um, see it died down a little bit after Covid. I could look through last year and see there was an uptick around this season as well. I kind of Q three, q four ish. Um, we know that these things are cyclical and there’s a lot of reasons around why they are cyclical. When you look at a Pts, right? There’s a lot of challenges that as advanced, persistent threats have to face and conquer to continue to be operational. And so the nature of the beast is these things are going to be cyclical in nature. But that being said there cyclical, but they’re always constant meaning. There’s gonna be times where there is an increased pressure. But still every week, the same old attacks are going on. People are still trying to gain those footholds.

[00:25:14] Evan Francen: Yeah, and so too. So just for the listeners, you’re, you’re referring to, um, they’re, they’re clear. And what we’re referring to when we talk about the joint statement by the DHS and FBI were talking about that, that credible threat, uh, and then there were credible threat against health care entities. And so we had some back end and you know, Information, you know about. So we kind of knew what was coming before it was released to the public. But you know, we heard word of up to 427, you know, health care entities getting hit at roughly the same time. Well, that threat, that specific credible threat never materialized, right. Because it was, it was already supposed to have happened. So it didn’t. But to your point, Oscar 100% these things are gonna happen probably when you least expect it, that’s just like Murphy’s law, whatever the hell it’s called, where when you let your guard down, that’s when you can expect to get hit, it just happens. So even if it’s cyclical, even if, you know, we see a significant uptick in, uh, and we predicted this too, right? I mean, I’m right when Covid first came out, I remember my fish diagram, yep, you know, you knew that that was going to happen because it happens every single time when significant world events occur that capture everybody’s attention, Attackers start to craft their attacks. They take the existing uh methods, right? There’s nothing new. And even in the A. P. T. S today, there’s some technical nuances that are new. But in terms of the steps that are taken, They’re the same as they were 5, 10 years ago. What Attackers do is when these world events happened, they they changed the messaging, They, you know, they just make it crafted a little bit better to capitalize on this current world event because they realize that it’s got everybody’s attention, right? And you’re letting your guard down, you click the button, no Covid thing, blah blah blah. Next thing, you know, you know, you’re in the news. So anyway, I just wanted to add, you know, those two pieces. One is the, you know, the listeners knew specifically what we were talking about, then, you know, secondly, just to build off of what you said, Oscar that, you know, these things are cyclical, but don’t let that fool you. You know, if a lot of attacks happened in May and so you let your guard down decided you’re gonna take your big vacation and you know, not patch in May. Well you can get smacked. Yeah.

[00:27:56] Brad Nigh: Yeah. So what are some things that you’ve seen, I guess I’ll call it successful I. R. S where what are the things that companies should be doing when they engage with us or any other IR firm to maybe lessen the pain or make it faster to recover or minimize damage.

[00:28:17] Oscar Minks: Yeah, I think, um, there’s a whole gang of things we can say on the good and the bad people do, right. Um, the big thing I’ll say is, um, you know, having a partner you trust and acting quick, uh, because that can make all the difference in the world here. If you see things in your, we’re working with some clients right now, um, I saw some things that they thought were uh, alarming concerning, consider holding that inside to say, well we’ll figure it out and we were engaged and we’re engaged, we’re able to get in there and see that this was, we had Attackers stayed in for ransom on a significant environment and by them calling us quick and us being able to act, um, you know, we’re able to contain that threat contain that risk and prevent that ransom delivery, we’re also able to get in and make sure they have protected backups because even when we engage, there’s no guarantee we can stop that ransom delivery depending upon where they are and the kill chain. But what we can do is look at your backups right now, make sure we’ve got good backups and you can secure those backups because we beat down that instant response and so I acted fast is really important. You know, and it’s better to err on the side of caution and just talk to an expert and see um I can tell you that we don’t charge uh for an initial call. You know, it’s free. You can call me call my team since an email and uh get on the phone with you for an hour or so. Talk about everything that’s going on and give you are honest opinion. And there’s been many times we talk to people and we say, yeah, I appreciate you reaching out. But I think you guys are okay that could contain this. You’ve done a good job continue to monitor for these 23 things. Maybe do this right away. And if you need my help, you know, I’m always going to be here, let me know and then we have some folks who, you know, reach out and say, yeah, this is a good call. We probably need to get moving right away to try to stop this because we know, you know, we know what the kill chain is, we know where they’re going. So let’s try to stop that. Um So I would say that you know my number one is um have a good security partner trust beforehand, make sure you have that relationship because you don’t want to be hunting for a partner. Uh and Melbourne incident. Um And then on top of that to, you know, one thing it’s always stressful is we go into an incident, you have sovereign Insurance and you got to start working with your Sovereign insurance and then who knows who they’re gonna sign to your case. Um And always I talk to people, it’s like this. Would you rather have your partner, they trust working your incidents, knows your environment that knows your people, I understand your business or would you rather have some random companies signed by your insurance that doesn’t know, you have no idea who it’s going to be and they don’t even know who it’s gonna be until it’s time to instant most cases. Um And the answer is always yeah, I’d rather work with people who know me. And so I urge people if you have Sovereign insurance, talk to your provider and get your partner set up as a preferred vendor and if your partner is set up as your preferred vendor and you have an incident, you don’t have to worry about any of that, You call your call your partner right away and now get to work under incident and then you can handle the entrance stuff on the back end because what’s most important in negotiating with the incidence, what’s most important is protecting your assets and your people. And so I would say getting that done up front is critical and then you know, besides that erring on the side of caution. You know, if you see things that you’re unsure of, it’s like the same thing we tell our people and we do social engineering training, fishing training. If you’re unsure, if you see something that’s suspicious, reported find out from someone who knows and I would say the same thing for entities and businesses are partners and clients. If you see something that’s suspicious that you’re not sure of. Like I said, it’s free to talk on the phone with us. We’re gonna charge you for that. Send us an email, give us a call and let us look at it together. We’ll give you an honest opinion and at the end of the day to, you know, I hope it’s nothing. I hope we can coach you through it in that hour so you’re able to contain that. But if you need help to, you know, we’re always here for that. And even if you go with someone else to get that help, that’s fine. I just want to help people prevent these incidents. I’m sick of seeing people get ransomed. I’m sick of seeing the businesses impacted families hurt all of that. So we’re here to help.

[00:32:48] Brad Nigh: And you touched on a really good point. You know, acting quickly, How many times have we had somebody call us on a friday afternoon where they detected the incident monday morning and then they, yeah, friday, they couldn’t figure it out all week. And I mean when you’re looking at that, I’m thinking that there’s a couple where you know, they did that the pre work with us that they identified something about what one in the afternoon and by like four or five we had tool deployed and you know, they were super on top of it and stopped what would have been, uh, just devastating raising them,

[00:33:33] Oscar Minks: right? You know,

[00:33:34] Evan Francen: well, and one of the, one of the things that it seems like people get sort of confused is acting quickly and almost panic. Right? So I always say act equipment in deliberately meaning, you know what to do and you’re gonna move quick, right? You’re not going to take a bunch of times to go here, go there because on the what not to do side of things, what you don’t want to do is not know who to call and started just picking up the phone and just start making calls. You know, we talked about, the one that you guys know, the one I’m talking about, you know, just a couple of weeks ago called my cell phone at two a.m. All right. I’m not the guy To call at two am I will certainly come and help you when I awake but that’s not your first call. So everybody who’s listening right now should know if you’re if you’re involved in this, what’s my first phone call? Mhm. You know, make sure it’s on speed dial, make sure it’s available. Make sure that people that are on your incident response team assuming you have one. No, that number. Right. And hopefully you’ve arranged you’ve done this leg work ahead of time because it is all free. It’s things squared away. Right? Like you said, Oscar, you know, calling the person that you would call, whether it’s fr secure or whether it’s India. So whoever you preferred provider is for incident response, you’ve already made the call. They know that you’re the person, they know that they’re the person you’re going to call. Right? So they’ve got, you know, maybe some paperwork already squared away with you. Maybe they’ve got a copy of your incident response plan on file so that when you do call, they can pull up that plan, start executing on that plan. It’s all just simple leg work. And it is all free. Right. I mean, in terms of just getting who am I going to call and then, you know, calling my insurance provider if I have cyber insurance, making sure that they know who I am going to call. Right? Because the one thing you don’t want to do is start getting down this path and realize that some of your expenses may not be reimbursable, right? Or you get halfway down the path with your preferred provider before the insurance company says, well you have to work with this provider. Well now you’ve got rework and the only people that are suffering, it’s not the insurance company that suffers. It’s not, it’s not your security partner who suffers. It’s your business who suffers. It’s your customers who suffer. So you owe it to yourself, your business, your customers, your employees to just get this stuff way. So if you haven’t done this and you’re listening, push pause on the listen, you know, I mean, figure out who you prefer provider is going to be, get that number squared away, Call your insurance provider, get that squared away and then come back and hit play again on the podcast. It’s that important. It’s that urgent.

[00:36:23] Brad Nigh: I mean, we, you just are wrapping up one exactly where that happened. Maybe talk a little bit about what we did for them. And what happens

[00:36:35] Evan Francen: are we talking about the one that I got

[00:36:37] Brad Nigh: called? Okay.

[00:36:42] Oscar Minks: Yeah. I mean, it was exactly what was going on. Too many details, right. But it’s exactly what Evans talking about there. It was, you know, we come in to work with a client who was in a critical situation. This is beyond hey, we observed something. This is a critical situation. And so, you know, we were their preferred provider. We weren’t the preferred provider with their entrance, they didn’t go through that set up so they call us and they needed help that. So we were engaged, I mean, boots on the ground, rolling 24 7, like you had mentioned brad within a couple of hours, you know, uh, I mean, it was probably from the time they called to the time we were actively in their hunting, um, to three hours, right from that triage call. And so we’re in there are making significant progress. And, and then the entrance provider comes into play and says, uh, we have our own preferred provider that you need to work with. And it was an incredible challenge for our client because, you know, we’re fully embedded in their infrastructure right now and we’re actively hunting. And so to switch vendors would mean we’ve got to stop what we’re doing, remove our tools with the vendor, deploy their hunting tools and kind of start all over again. It’s what caused a ton of complications throughout that. And we did reach a gentleman’s agreement in the beginning to say, let’s get through this phase, let’s continue to hunt and identify those indicators, compromise how they got in. Uh, well, let the other firms just with more back in dead box forensics. And so that way we try not have any overlap so they can get reimbursed for all of our services. But I can say that, uh, that one situation right there, we probably had to focus over the course of, you know, the week and a half to two weeks where we’re engaged every day, there was a couple of hours focus toward the sec segmentation of those duties. Were those lines were negotiating those contracts to make sure entrance can understand what’s, what, what’s what and the point being, it slowed down the process. It wasted a whole lot of time, a whole lot of my time, you know, and I mean, I’ll help you through that. But my skills are better suited hunting threats than negotiating with insurance and we see those things and and these situations every minute matters, every hour matters. And every time that your energy is spent on something that you’re trying to solve outside of solving this instant, you’re in its not efficient time, it’s not, your time should be focused and it’s going to delay your business becoming operational again. So it’s critical, you know, like everyone’s saying podcast, go fix that for people to get those relationships established, those processes established to have your plan, have, have those relationships built before this ever happens. Um, you know, again, the last, last place you want to be figuring this out as in the middle of an incident. You got to have all this sort of before and I know we’ve, you know, touted like this before, but we got a plan, It’s a really good plan and it’s free on our website. If you haven’t go get that, download that plan. If you need us to help you, we’ll help you through that. Um, Start there, call your insurance and get those relationships built right away and know your insurance policy too. That’s another thing I talked to some people, Hey, what’s the deductible on your policy? I don’t know figure that out. It’s just like car insurance man. Um, if you can’t afford, you know, a $3,000 deductible to repair your car, that’s fine if you’re aware of that and you can afford that. But what if you can’t, what if your car is in the worst 6000 bucks, you got a $3,000 deductible. That’s the entrance is worthless because your car is going to be total. It’s over $3,000 in damage anyway. So see where your deductible is. See what’s covered. Understand if your insurance provider really does want to get to know you want to work with you or if they’re on the back end hoping that their deductibles too high that it never kicks into play and you’re gonna be caught holding the bag in an incident. I mean we see some astronomically high deductibles that some businesses have on their policy that they’re not built to handle. And so there’s a whole lot, you know, that you can be doing right now up front to make sure that if an incident happens, you’re going to be able to respond, you’re going to be able to afford the services, you need to get through that and your insurance is going to actually have your back instead of fighting against you.

[00:41:24] Brad Nigh: Yeah, those are good points. I think given, given the team some props, the best part of that situation from kind of the outsider perspective as it were, was the other company complaining that we were finding all the I. O. C. S and that we were going too fast. We’re basically too good.

[00:41:43] Oscar Minks: Yeah, that was, uh, yeah, I don’t want to get into the, that too much. But it was nice to hear from someone else that hey, that’s, that’s what we’re supposed to be done. Tell us slow down there finding too much stuff. No, I can’t use the words right now that I want to say and how that made me feel. But uh,

[00:42:05] Evan Francen: but, but it’s so, it’s so cool to be able to have this team. We talked because we just talked earlier about how this team, you know, is loose and enjoy joys each other and can have a good time. Yeah. When it’s time for business, we get down to business, we got work to do. We absolutely 100 realize, you know that the importance of the situation and so yeah, we’re working. I mean the way you’ve organized things with the team Oscar has been amazing. You know, working in shifts, you don’t drop, the ball has never dropped from the beginning of the incident until, until we’re done. Uh, you know, which is, would I know that if I were on the other side of this, it would make me feel good. It makes me feel what I’m not going to feel good about is that the Attackers got me, you know, the bad things. But having somebody on your side is such a, I mean, Yeah man, it’s like calling the police, you know, except that should not be your first call in 99% of the times, you know, but it’s like that, it’s like you call in there, there we drop everything and like there you go. What can we do?

[00:43:16] Brad Nigh: Yeah. You know, kind of, you did touch on it to maybe the second thing that I would consider it is the right thing to do is like you said, trust your partner, right? If we’re coming in and saying, okay, here’s what needs to happen and here’s how we need to get this done. There’s a reason for that. Don’t, don’t argue, don’t not do it. Mhm Yeah, for sure. Like those are probably maybe the top beyond what you said of being prepared, Getting this stuff figured out ahead of time, you know, being proactive about it is once something happens, just a person. Just that partnership that you hit,

[00:43:59] Oscar Minks: yep. Yeah, I think that goes back to the right in line with what we’re talking about, right, build those relationships before choose someone you trust have everything taken care of before an incident happens with your insurance and so on that you can cover that financially. I understand that and then yeah trust them that’s what they’re here for. Are the experts to help you?

[00:44:20] Brad Nigh: Yeah. What would you say is uh the top thing not to do

[00:44:25] Oscar Minks: uh

[00:44:26] Brad Nigh: panic,

[00:44:28] Oscar Minks: panic, do things that you’re unsure but you think they’re right because you’re going to do the wrong thing half the time at least called five

[00:44:37] Brad Nigh: different companies.

[00:44:38] Oscar Minks: Yeah. Don’t panic and trust even trust your own support group and team internally too. I mean we see that you see sometimes there is a really good team that worked really hard. Um They got a leader who makes the decisions who isn’t necessarily integrated with that team. And so the team may have some knowledge, well the team has knowledge, have an idea of what should be done. We sometimes see leaders outside of that bubble making decisions without their team. I mean that happens quite often and that causes so many problems too because number one you’re probably gonna make the wrong decision, you’re not trusting your own internal team. Um And then # two Break Trust with that team. Um And the number three suspect what we talked about if you’re in an instant situation it’s probably going to negatively impact your time to recover as well. So a lot of trust in this.

[00:45:40] Brad Nigh: Yeah I agree. I think maybe one of the things that that leaders kind of maybe miss out on and I’m not just studying I. T. But business leaders right? Is in an incident the amount of work that that I. T. Staff is doing.

[00:45:56] Oscar Minks: I mean it’s always a very you know cohesive exercise between your incident response team and your technical team. We have to be one team when we’re working through this we rely upon each other entirely to get through this exercise. And those guys you know kudos to all these awesome technical teams that we’ve been working with because you know we’re working around the clock. Those guys are putting in serious hours too and they’re right they’re doing great work cohesively with us to get through these tough situations.

[00:46:32] Brad Nigh: Yeah and I’m just thinking of the active ones right now like how how much they care right? Like you can see like this back, I’m not going to name names or anything but I remember when one of them was first taking off like maybe a couple of days in and you could just feel the guys pain like when he was putting a message like it was we were talking about it on the back and like oh jeez you need to check on this guy like he’s really struggling with this,

[00:47:06] Oscar Minks: that’s the hard part about I mean there’s a lot of things that are hard about this but that’s one of the harder parts of scene, people who care about their businesses, you know, and just seeing them struggle mentally. It’s it’s a huge weight and huge burden. And I think sometimes, you know, people will put more of that burden on themselves and they should, because they haven’t been through this before. They don’t understand, you know, how a common this is. And you know, we were delivering a tough message yesterday too, um to understand when we’re delivering messages to people. Like I was wondering who was it? Like, who’s the account that got breached or who managed that? Or who did this? You know, and there’s there’s always fingers to be pointed, right. You know, there’s always something more that we could have done. But the end of the day, like these root causes aren’t shaming exercises. Uh we’re humans, we make airs, people make mistakes and as long as it wasn’t negligence that got you, there was an honest mistake that got you there. Um should be no shaming in that and we should just take that as an opportunity to learn and become better people. But we see exactly what you’re talking about a whole lot. Yeah, it gets hard. I mean, I hate seeing people um mentally struggle with these situations on top of everything else.

[00:48:31] Brad Nigh: Well, what you said is, you know, putting myself in the eye tissues and and having gone through some issues, you do care, you want to get back up to b, you’re always like if you don’t have support from above, you’re like, well, am I going to get fired for this, right? Why am I going to be putting in 15, 18 hours a day for two weeks if I’m going to be the one who’s, you know, going to have to take the blame and get it cut. Yeah,

[00:49:03] Oscar Minks: We always hope that doesn’t happen. You know, and that’s something we’re very clear when we explain these root causes, like it’s not to the blame again. If it’s not negligence, right? It’s not to blame that person. This is an opportunity to improve, right? Always good to see these opportunities to get better to improve. And, and I’ve seen some of these phishing campaigns, man, one that we’re looking at this week right now. It’s like we were looking at the issue of the team. It’s like, I mean, some security professionals could have fallen for this. It was a really, really good fish. It was phenomenal. And it was a new technique we haven’t seen before. And so, uh, you know, like, like Evan mentioned the same old killed chain right there doing the same thing over and over every year. They’re just tweaking and doing different things. There were good that, you know, unknowing psychology and the things that were more adamant to click on it and they start to learn the tools we use a little bit more. Like we’ve seen one note fishing and the window fishing is that’s, it’s really good. I mean, uh they’re using a legitimate one notes to send to people and the majority of population isn’t gonna be able to discern that based on their own fishing training. Like make sure it’s a legit link, that’s legit link, that’s Microsoft, that is going to a legit link, but embedded in that one note is malicious content and so like, it’s kind of brilliant, so simple, but it’s kind of brilliant and we’re seeing some stuff to with other uh, like ASAP and business tools and things like that, that we’re using uh that they’re able now to compromise and embed exploits within those. So we’re seeing those fishes kind of evolved for now. They’re, they’re getting valid tools from other entities you may do business with, they’re using valid links and then within those links they’re embedding malicious code. Um, and so, you know, it’s gonna continue to evolve. We’ve got to continue to learn and get better and people are going to get fished, but I think it’s important for us, like, you know, as being security researchers, when we identify those techniques to educate and to modify our services, you know, like for our social engineering stuff. As soon as we saw those window fishes start, we started doing fishing campaigns to match that. And so it’s so we can stay ahead of that curve and try to get ahead of that curve and try to get our users and our clients and partners ahead of the curve. So they don’t get fished. It’s all about learning, it’s all about becoming better

[00:51:23] Brad Nigh: well. And,

[00:51:24] Evan Francen: and one of the things you, you mentioned brad and this just lends credibility. One of the things you asked Oscar was uh, what’s one of the things, you know, one thing you tell people not to do, you know, and the answer was, I think it was perfect. It was, you know, don’t panic. I think another thing not to do his Nike false assumptions to assume that this isn’t going to happen to you is wrong. It’s going to happen to you. You have human beings who work for you, you have futures, you know, the views that can be manipulated to trick them to do all kinds of things. You know, you talk about the new phishing attacks, they’re using intelligence beyond what we’re using to defend, not our company I’m saying, but in, in the Gin general, right? So they’re moving faster than you are. Their attacks are moving faster than your ability to defend. And if you don’t have anything for response, it is, I mean, I don’t understand, I struggle with believing that not having a a response is not negligence because you know, it’s going to happen. So you’re not planning for it in my mind is negligent

[00:52:36] Brad Nigh: pretty indefensible. I think, oh God, Oscar,

[00:52:40] Oscar Minks: I was just going to say the first phase, an incident response is to prepare, that’s the first phase is to prepare and prepare is having that plan right? But prepare also includes a lot of things we’re talking about now prepare involves actively doing social engineering campaigns on your own employees to see if they’re susceptible in identifying ways to educate them. Prepare is also to do penetration testing on your external network, identify where those soft spots are. So you can start to fix those things doing continual vulnerability scanning, doing internal penetration testing, testing your environment and your people. So you can identify where your blind spots or your soft spots are so that you can place better controls around those things to help prevent the incident from occurring uh that prepare phase is critically important and we see it being neglected a whole lot and a lot of these situations were in, if they had really really paid attention to that first phase, they could reduce that likelihood by a significant amount,

[00:53:42] Brad Nigh: You know? So there’s what, six phases 566. So we did the higher maturity assessment, put that together and and I think yeah, we knew prepare was important but I think what actually caught me a little off artist when we finished it, that prepared section was probably had probably what Almost 1,40% of all the questions were in prepare.

[00:54:09] Oscar Minks: Yeah, it was a big significant piece of the whole plan, entrepreneur,

[00:54:13] Brad Nigh: you don’t realize how how comprehensive it is until you you actually sit down and do it. I think part of that to preparing is is that executive buy in right? Like if you have an incident as an executive, were you giving that team the proper resources, the proper manpower to do their job to protect the organization? It’s not why are you blaming them when you’re hamstringing them?

[00:54:43] Oscar Minks: I

[00:54:43] Evan Francen: think you have you have no buck stops at the top. Right. Ultimately I I asked this question over and over and over again just about every organization I’ve worked with who is ultimately responsible for information security here because I want to know the answer. I already know the answer. The answer is your ceo your board of directors. If you have one that’s who is ultimately responsible for information security here, their job and they delegate all kinds of things. I’m not saying that they’re the ones who write the incident response plan but it’s their job to delegate to somebody that an incident response plan has been created. Uh it’s their job to ask questions of their I. T. Folks or their information security folks. Where are we at in our preparation for an incident response. You know I saw on CNN you know that hospitals are getting attacked this week, you know going back to what you know what we said, it was in the news, the air situational awareness is so damn important ask your you know I. T. Folks are we prepared for this If not where are we not prepared for this? You know, I mean, it’s just those, those discussions that never take place. A lot of these things don’t cost a dime, right? Taking responsibility for information security in your organization. That decision doesn’t cost you a dime.

[00:56:12] Brad Nigh: So so you shouldn’t also say, I was gonna say you should be the executive that told me after an incident quote, I’m somebody’s gonna have to take the blame and it’s not me s rolls downhill.

[00:56:23] Evan Francen: Yeah. And that that person, that person should be held liable.

[00:56:28] Oscar Minks: I was gonna say going back to exactly like Evans message we were talking about before. It’s also their job as that ceo whatever to trust their people and to trust that message there people are delivering. I see that so many times and you know, it’s one of the biggest things we talk about around is the inability to communicate. But it’s also and it’s two sided. Like maybe it’s us sometimes explaining things to those sea levels, but also maybe sometimes it’s those sea levels, just not wanting to hear those messages or dismissing those messages. I can tell you, I mean past lives, I’ve screamed out loud for for years to those sea levels about things that are going to get us if we don’t take care of them now, this is going to be a problem. Was it a problem now? Well, no, but it’s going to be well then I don’t care about it. That’s a message. A lot of those sea, uh, the sea suites deliver and you know, I hate to say I told you so. But I can say that those things later came back to get us and it was a problem with that trust, internal communications between leaderships and teams.

[00:57:35] Evan Francen: And I’ve always, you know, I mean sea level of, you know, executives, they deserve, you know, I understand, you know, kind of a conundrum that they’re in. They they’ve got a billion things on their plate. Right? I know sometimes, you know, we, they’re super. Most of them are very, very smart, right? You don’t get to be a ceo of a company by accident usually except for this guy. But you know, once you, they got so many things on their plate and then here’s another thing and you’re telling me. And, and I think one of the things we’ve done in our industry that kind of shot ourselves in the foot is we cried wolf damn times that were just the boy who cried wolf, here’s security again, what you know what I mean? So we have a long ways to go before we really start to get, I think Ceo, S and C level executives understanding that this is to be treated just like anything else. You know, business like sales. Well, the business doesn’t run anymore. If we don’t keep selling stuff. Right, The business doesn’t run anymore. If we don’t keep track of our money so we need to have a cf, CFO the business doesn’t run anymore if ransomware takes us down for two weeks so we need to have a C. So right, but you need to elevate this this role to where you’ve got the same voice. You know, I mean the same tone because I don’t think there’s many ceos that are like sitting around going Yeah, I just like being negligent so screw security. You know, we got to figure this out because there’s just so many times you come into an incident and they’re like caught completely off guard. I mean the one that you were talking about, you know, a couple weeks ago uh where they you know, they’re kind of forced to negotiate. Mhm with the attacker. It’s like just pisses me off so much that you have to negotiate because you didn’t take the proper precautions, you know, to protect your backups and what have you that prepare face. Right? How important to prepare phases.

[00:59:37] Oscar Minks: Yeah. I think we should talk about that story for a minute. I didn’t touch on that. Uh So what Evans talking about? We had a partner who was ransom and unfortunately their backups were also encrypted destroyed. And so that’s like we talk about number one things you can do besides preparing if I’m just telling you one tip, I always say that the people secure your backups, make sure, make sure not just you have good backups. Because I talked to a lot of people that have these great sophisticated backup systems that are all network connected. And at the end of the day, uh, if it’s network connected, our Attackers are going to find those backups before they encrypt the rest of the environment. They’re going to destroy those backups first because that’s the guarantee they’re going to get the money from you. And so the one thing you can do is like Evans said, get out that old tape library fired back up and uh, put some stuff on tape and store it off network. Um, so that way you’ll secure data anyway, they don’t have any backups. They were gone. Uh, so they had to begin um, negotiations. And we’ve seen in the beginning that process isn’t quick. Um, the attacker was went dark multiple times dark for over a day at one point. And so here’s the company down that’s ready to pay because they want to get their business back up and operational with an attacker who is uh, not always around, I guess we could say. Um, and then we go on, uh, to find out that the attacker in this situation uh, was actually on the United States terrorist organization list, which means that there federal government prohibits negotiating with a terrorist organization. And so essentially government said, no, no, you can’t pay these guys if you pay them, you could be held criminally liable for funding that organization and so on top of that. Now our client then my backups. I don’t even have an attacker to negotiate with their data is gone. It’s completely gone. And so now they’re working through that painful process of rebuilding their entire infrastructure and also at the same time accepting at a large portion of the historical data they need would need for that business is gone. You can’t recover it and still Don’t Always Trust # one. If you get ransom, you’re gonna get your data back. That’s one story. There’s 10 other stories about the encryption keys not working Attackers disappearing. There’s so many things that can happen in that situation and I don’t want to fear monger and scare people. But this is reality if you get ransom, there is a and you don’t have backups that are offline that are recoverable. There’s a really good chance even if you want to pay that ransom, you don’t get it out of back. So prepare step one of the six step process is the most important step of instant response

[01:02:46] Brad Nigh: on that one. Right? They have no way of telling there was data X ville, everything’s locked up all that history is unavailable. So you have to almost assume that it was

[01:03:03] Oscar Minks: Yeah, that’s a really, really challenging one right now and everyone wants to know that, right? We come into these cases. It’s especially if legal is involved. That’s typical many priority number one is um is there evidence of X. Ville and there are things that we can do to look for that like you know even if the you know the servers are not boo double um Sometimes when you look at network data right to see anomalies network traffic and network data to determine there was a surge of egress over this three day period going to this I. P. And I don’t want you know eastern europe. Um But we often see too that that that is not available unfortunately. Uh you know it’s it’s kind of a crapshoot if we see that people are gonna have a good network logging and they’re even gonna store it for over a couple of days. It’s a big problem in these two like um you know people aren’t storing artifacts for long enough and that’s logs I mean it’s your system logs that your network blogs that your device logs, it’s your storage logs all of those things and there’s things that we could do to pattern to determine if you have the next pills. If we have those good storage logs, if I start seeing your sand performance logs are getting hammered the same time there is a network spot and we see there was a mass ton of zip files that were created but deleted. I’m gonna go ahead and say they zipped up yourself and shipped it out the back door. Um But again if those things are destructed. Um it’s really difficult to be able to determine truly what was touched from what was X. Field. Um We do know like was we’re learning more and more about a Pts and that’s something we’re focusing on is trying to identify who the attacker group is that’s deploying these things. The ransomware as a service model throws a loop into a lot of that. Um You know and so but if we can’t have those statistics we have to rely a lot on what are these A. P. T. Is known for? Do they X ville do they shame? Um things like that. But at the end of the day yeah it’s a huge huge challenge for all of us.

[01:05:18] Brad Nigh: So uh great conversation. I know we’re running up on time and there were a couple of real quick uh uh stories that I think are important. First one that we have out there is a web logic has an open exploit that is allowing installation of cobalt strike which is uh that span of control. And so uh if you have a web logic server the patch right now

[01:05:49] Oscar Minks: I got good news on that one brad. I did do a little bit of research on that uh last night we are sending a blurb about today um Some data I seen from the Sandstorm Center I think they estimated there’s only about 100 to 120 somewhere in there. Of vulnerable systems publicly available publicly. Now there could be internals. Right. But um so that made me sleep a little better last night but exactly what you said patch that today.

[01:06:16] Brad Nigh: Yeah there’s a patch out there that came out a couple of weeks ago and it’s being actively exploited if they get into your network and they can get cobalt strike in. I mean how we see that as that main

[01:06:30] Oscar Minks: Yeah I mean that’s just when we’re done penetration tests. That’s how we start our penetration test. That’s a

[01:06:36] Brad Nigh: good thing for people. Yeah. Uh the other big one is around Cisco, they put out some zero days there’s a zero day for their any connect client and there’s no catch yet which is not not good allows an arbitrary code execution um and then they also turned out and kind of like got hidden was uh what was it? There was 13 other ones around arbitrary code execution flaw and webex meeting desktop and three arbitrary code execution glitches in the Webex network recording player and Webex player and uh so that’s that’s not good.

[01:07:21] Oscar Minks: No it’s that’s not uh have you seen any proof of concepts on that yet? I really

[01:07:27] Brad Nigh: uh No yeah I haven’t seen I don’t think so. This is the one I had was from threat post. I don’t see that it’s been executed yet.

[01:07:41] Oscar Minks: Um it will be given a day. Right? Yeah.

[01:07:46] Brad Nigh: Hey there are some mitigations around it feel like the any connect they have to have a an ongoing session by the targeted user at the time of the attack and then the packer needs valid credentials. Uh, the system that any connect is running well. Yeah. So that, that does mitigate it a little bit, but we see, how many times do people have bad passwords

[01:08:08] Oscar Minks: every every time. Right? For every time

[01:08:12] Brad Nigh: if you’ve got the other ones where the Cisco SD wham which includes a file creation bug, privilege, escalation flaw and denial service law. So check your, if you got Cisco in your environment, you’re using the SD when or webex or any connect, check that out and you know, apply patches or apply the mitigation controls that are documented.

[01:08:38] Oscar Minks: Yeah. And I would say to, you know, I don’t have numbers like on this vulnerability like compared to the way of logic. But I can tell you they’re gonna be way higher as far as systems that are publicly available and vulnerable to this right now. So I think it’s important people get on those updates immediately.

[01:08:55] Brad Nigh: Yeah. Yeah. And the last one, we don’t really need to talk about it. That was interesting. But it was the Campari group on the rocks after a ransomware attack and you never want to see this. But I won’t, I won’t lie. That headline made me laugh when I realized it’s a alcohol basically they do while Turkey, Grand Grand marnier and Appleton Estate. So

[01:09:19] Oscar Minks: you know, that actually makes me really sad because uh, as a Kentucky and love bourbon and wild Turkey is my favorite of all the brands. Well Wild Turkey and Buffalo Trace, I’ll give them both a shout out, but I hope it doesn’t affect their rare breed production. Maybe I needed to drive over there. It’s Lawrenceburg today and see if they need any help because that facility up and running as fast as possible.

[01:09:40] Brad Nigh: So they’re saying it was bragging their locker that was on there. But I thought it was a pretty interesting uh, funny headline for an unfortunate situation,

[01:09:50] Oscar Minks: a very unfortunate situation, which uh, which those guys luck in the fight forward. Hopefully they can get up and running again. Hopefully they had good backups and hopefully they had a plan. So

[01:10:01] Brad Nigh: yeah, All right, well that’s it for episode one of five. Evan did have to drop off. We went a little long here today, but that’s, well, we could go for hours on this stuff. Any shout outs, uh, this week, Oscar

[01:10:18] Oscar Minks: oh, just shout outs to my whole team, reiterate what I said before. Uh, Team ambush one team. Um, just can’t be more proud of everybody on that team and uh, feel more lucky to be part of what we’re doing than I do and uh, I know those guys are working incredibly hard and doing great work and uh, so just, yeah, huge shout out to the whole team with an awesome,

[01:10:44] Brad Nigh: yeah, I’ll kind of mirror that and say shut up to the consulting side as well. You know, had to completely redo how we do assessments and everything being remote and they’re just flying and they are

[01:11:00] Oscar Minks: killing it. We saw complete, like we got hit with complete curveball right for them and the type of work we did where hey, guess what? You can’t go outside anymore and they were able to quickly adapt and keep our quality of work the same level. It was before and yeah, second rather than an awesome job

[01:11:17] Brad Nigh: and I’m also going to give a second shot out for and this goes for both teams is the back end support because you know, our resource managers, project managers, customer success managers, all those like juggling all these analysts and making sure things don’t get dropped and just the amount of work that they’re putting in is

[01:11:38] Oscar Minks: yeah, they’re like helping babysit my teams and theme to and at the same time keeping our customers happy, keeping our projects moving. Oh my gosh, they’re doing so much work right now. They’re doing such a great job. Um, yeah, they are. And

[01:11:54] Brad Nigh: what’s amazing is I don’t think I’ve heard any analyst complaining or any customers complain and they, they’re just the amount of projects that they’re managing and like you said, babysitting, try to babysit ox. Come on.

[01:12:08] Oscar Minks: I think it’s Renee calls them, they’re like analyst Wranglers. Yeah,

[01:12:14] Brad Nigh: yeah,

[01:12:15] Oscar Minks: pretty good time.

[01:12:16] Brad Nigh: So All right. Well thank you to all our listeners. Uh, send us things, send things to us man. It’s tough to, to read by email and insecurity of proton mail through the social type socialize with us on twitter. I’m, I’m @BradNigh and Evan is @EvanFrancen Oscar I know you uh, keep a low profile so people can just reach out. Your contact info is on our website is probably the best way to get a hold of you.

[01:12:43] Oscar Minks: You have to shoot me an email. Um, well, I’m sure you have the security podcast. You guys know how to find me all the time too, so yeah.

[01:12:51] Brad Nigh: Alright. Lastly be sure to follow security studio @StudioSecurity and FRSecure @FRSecure for more things. Thank you guys. And we will talk to you all next week.