[00:00:06] Sherri Davidoff: ...World Health Organization researchers, and he mailed them all a floppy disk. This was his get-rich-quick scheme, based on nature. This is a picture of the floppy disk that he mailed them: "AIDS Information." Of course, at the time AIDS had just become this big epidemic, researchers were studying it, everybody wanted to open this, and they popped it into their computers. And when they did, they got this popup that said, "Dear customer, it is time to pay for your software lease from the PC Cyborg Corporation. Complete the invoice and attach payment for the lease." And then they actually had you mail a check to Panama. I don't know exactly what Dr. Popp was planning here, but he thought he was going to be getting a bunch of checks for $189 mailed to a P.O. box in Panama, where I guess he was going to just cash out and live happily ever after. Turns out it wasn't very hard to track this down; the attack was very quickly traced to him. He was extradited to the United States, where he was declared mentally unfit for trial. So that is the beginning of ransomware.

[00:01:11] Times have changed since then, obviously. It's not your grandma's ransomware anymore. What we have seen today is not just malware that locks up all your data, of course, but we're seeing data exfiltration, threats to leak data, denial of service attacks. So in this talk, and also in our book, we discuss not just ransomware but really cyber extortion in general: any threats to the confidentiality, integrity and availability of information.

[00:01:38] Okay, I jumped a little bit ahead and didn't tell you who we were, so let's back up a second. Who is this person speaking at you? My name is Sherri Davidoff. I'm the CEO of LMG Security and I've been in the industry for 23 years. Along with Matt, I'm the co-author of Ransomware and Cyber Extortion, and I've written two other books as well. I think my claim to fame is that the New York Times called me a "security badass" once. That's like my biggest life achievement. Matt, take it away, talk about yourself.

[00:02:06] Matt Durrin: Yeah, so nice to meet everyone. My name is Matt Durrin, I'm the director of training and research for LMG Security. I have not been in cyber security as long as Sherri by any stretch, but, you know, I try to keep up. We're really excited to be here, and ransomware honestly is kind of a passion project of ours. We've been working through ransomware cases and dealing with these kinds of cyber attacks for years and put it all into our book. So if you'd like to swing by our booth after the talk, we're actually going to be doing a book signing starting as soon as we get done here, which was supposed to be at noon but will be a little bit after. We'd love to see you guys come by.

[00:02:40] Sherri Davidoff: Thanks, Matt. So today we're going to start off by talking about MGM, the big ransom case that we've got a lot of questions about lately. We'll discuss the impacts of cyber extortion, and then we're going to walk you through a couple more case studies and a demo. We'll talk about the Royal ransomware gang, the anatomy of a ransomware attack, and a demo from our laboratory where the Leite Giraffe gang hacks Hack Me Inc. And then finally we're going to conclude by talking about the top security controls of 2023. We want to make sure that we're giving people consistent recommendations on what to do for both response and prevention, and so we'll conclude with that.

[00:03:18] All right, so last month, of course, hackers took down MGM, and for those of us who were just in Vegas this was like a shock. How many of you were in Vegas for hacker summer camp, by the way? Yeah, super fun. And I was like, did I party with the person who did that? But no, it turned out that it was a well-known ransomware gang linked to ALPHV and Scattered Spider, and it caused a system-wide outage at MGM. So everything was down. You can see on the screen here: the gambling machines were down, cash only at restaurants (I honestly can't even imagine that), can't get into your room with the digital room key (half the time that doesn't work for me anyway, so whatever), the websites were down, the TVs were down. I don't even know what people would do anymore at that point. So this was extremely impactful, of course, for MGM, and they did their best to muddle through.

[00:04:06] But a couple of nuances about this case are very indicative of the trend today. Number one, it wasn't just lack of availability, right? The hackers also made a point of stealing information and threatening to release it to the world. You can see on the screen here, this is ALPHV, and we can never be sure that the hackers that claim that they hacked somebody actually did, by the way; that's a problem. But anyway, they said, "We posted a link to download any and all exfiltrated materials up till September 12th," blah blah blah. They were trying to get a big payout by threatening to release this data, which unfortunately for them did not work. They also said, "We still continue to have access to some of MGM's infrastructure," so the importance of threat hunting really cannot be understated.

[00:04:50] Okay, so then because of that, MGM had to disclose a data theft, and again this is part of the playbook that we see all the time. This is a screenshot of a letter that was sent to employees, and in that letter they said that, sorry, criminal actors obtained certain personal information belonging to some customers, including name, contact info, gender, date of birth and driver's license, and then also a limited number of Social Security numbers and passports. I do wonder why MGM had Social Security numbers for customers. I'm sure there was a good reason.

[00:05:19] Matt Durrin: Know your customer verification.

[00:05:21] Sherri Davidoff: Know your customer verification, that makes sense. Also some employee usernames and passwords. And so they had to announce a data breach because of this.

[00:05:29] This is part of a growing trend. What you're seeing on the screen here are statistics from the Beazley cyber insurance company. I was actually just at one of their conferences, and you can see that over the past few quarters somewhere between 80 to 95% of incidents have had data exfiltration as a component. These are specifically cyber extortion incidents. So gone are the days when people could say, "Oh, ransomware, it just comes and cleans it off." Pretty much every ransomware case you see, you have to treat it as though it's a potential data breach.

[00:06:00] Exposure extortion, in my opinion, is here to stay, and if you think about it, it's a lot of work to deploy ransomware and then keep track of the keys and try to unlock it. The criminals end up basically having to do customer support for their victims. In fact, a lot of times when we're working with these criminal gangs, it sure feels like they are professional customer support specialists. They'll help you troubleshoot the decryptor and things like that. One time they actually said, "Tell us what country you're from," and it seemed like they were gathering statistics on their performance. So anyway, ransomware is complex. When you think about the ROI on data theft, it is much higher: all they have to do is steal some data and then threaten to release it to the world, and they're done, right? We've even had cases where we're pretty sure they didn't actually steal information, they were just fooling, but out of an abundance of caution the ransom was actually paid, and sometimes that's covered by cyber insurance. So it's much, much easier and likely to remain widespread.

[00:06:59] Okay, we're also starting to see much, much quicker disclosures, in part because of the new SEC guidelines that say you must disclose within four business days. That's huge. We already were getting some visibility, but four business days means there's really not a whole lot of time to do an investigation to rule out an issue. In the case of MGM, we just got handed a lot of information about the financial impact very, very quickly after it happened. In fact, I can't remember a case before where we got an estimate so quickly. They estimated overall it would be a $100 million loss, and that included both the operational outage as well as fees. The fees included legal fees, tech consulting fees. When you have a ransomware or cyber extortion case, the immediate impact seems huge, but often that's just the tip of the iceberg from a cost perspective. So in the case of MGM, their Q3 expenditure was $10 million, but again they're estimating that another 90% of that will be happening in the future, after the fact.

[00:08:02] We also see other consequences that are not as easy to measure. The Ponemon Institute had a great report last year about the medical effects of ransomware and other types of cyber extortion cases. So check this out: when a health care facility gets hit with ransomware, 64% of the time there are delays in care, excuse me, delays in procedures and tests that have resulted in poor outcomes. So boom, right there, it's hard to quantify, but you see that occurring. There's a longer length of stay, which means it's more costly, and the one that's most frightening is that it leads to increased mortality in patients as well. So literally ransomware can be a life or death situation.

[00:08:46] We also see layoffs and resignations. In legal and retail, the number of organizations that do layoffs after a ransomware attack is close to 50%, and in other industries it's still very significant. We also see 32% of organizations hit by ransomware lose their top leadership, either because they resign or because they're fired. And of course we also see lawsuits, both for privacy reasons and because of the operational impact. I think all of us have been seeing privacy lawsuits for a while, and a lot of them do get thrown out because the victims can't show harm. What happened in the UHS case is that multiple patients sued. Many of those were not allowed to continue because they couldn't show harm, but one patient was able to demonstrate that he suffered financial damage: he was scheduled for a surgery, that surgery got delayed because of a ransomware attack, he no longer had the same insurance coverage, and so he could calculate the difference in financial costs, and so his lawsuit was allowed to proceed. So we're seeing many different types of lawsuits, a lot of gray areas, some conflicting rulings, which means everything's up in the air right now, legally speaking.

[00:09:56] Okay, the total revenues generated by ransomware have been going up and up and up and up, and you can see already in 2023 the revenues that the criminals are making are significantly higher than the year before. Of course it's hard for us to track ransomware revenues and how much money they're making. For those of you following CIRCIA, the new federal incident reporting law that will go into effect in the next year or two, soon we will be required to report ransom payments within 24 hours if you're part of critical industry, and as a result of that CISA will be producing quarterly reports that give us statistics. So even though it's a little scary to think, hey, we're going to have to report ransom payments in 24 hours, that is going to give us a lot more visibility into how big this industry really is.

[00:10:38] Okay, so how did the MGM hack happen? It was a social engineering attack. We're actually seeing a lot of ransomware and cyber extortion cases beginning this way. According to Bloomberg, it was a social engineering attack on the company's help desk, and MGM has not confirmed a lot of these details, but according to a former MGM employee the help desk was vulnerable to an attack because it was too easy to do a password reset for someone who calls in. The good news is that MGM was using multi-factor authentication, so even if you could reset somebody's password, no worries, no sweat, they still have MFA on their phones, right? Wrong. Attackers are calling help desks and pretending that, hey, I lost my phone, I need my multi-factor authentication to be reset. This is called a cross-tenant impersonation attack. It's a trend that Okta has been warning about for a while; in fact, Okta published a whole blog post on it several months ago. IT service desks are targeted, so your help desk may be targeted. Think about how you verify those employees when they call in, particularly if they call in and need a multi-factor authentication system reset.

[00:11:50] And then once they were in the system, of course, the hackers were then able to add new accounts and promote other users, remove multi-factor authentication. Those are the typical things that they're going to do once they're inside. According to journalists, the MGM attack was drop-dead simple, and this is an organization that invests a ton in cyber security. But they said, based on what the hackers told them, all ALPHV did was hop on LinkedIn, find an employee and call the help desk: a 10-minute conversation. Again, MGM has not confirmed this.

[00:12:22] To wrap up our discussion of social engineering, another big trend we're seeing, and a reason this is successful, is the prevalence of caller ID spoofing. So this is SpoofCard. At LMG we actually do social engineering testing, and we like to use SpoofCard to change your voice, to do caller ID changes. There are also many other similar tools like this. The FBI came out with their annual report recently on crime statistics and warned that there's an increasingly prevalent tactic, in this case by business email compromise actors, of spoofing legitimate business numbers to confirm fraudulent banking details with victims. So we're seeing more and more caller ID spoofing in different contexts, and of course over the next few years we're going to have to worry about voice cloning. I think you need now, what is it, 30 seconds of audio in order to be able to clone somebody's voice, so I guess anybody watching this presentation on the internet can now clone my voice. Great.

[00:13:20] But there are strong ways to verify callers. One that many of my bank clients use is just to integrate with a multi-factor authentication system like Okta, so you can actually have a PIN sent to the person's phone and read to you over the phone, which I think is a pretty decent way to do it. And then also there are tools like Pindrop that will actually sample the audio in the background of the call, link it, and check a database of known fraudulent call samples to see if it matches, things like that. So they're actually doing audio analysis and looking at call metadata and things like that. So bottom line, we need to be training our employees, we need to be including things like voice social engineering, MFA, in order to resist these extortion attacks and other types of attacks.

[00:14:03] Finally, another trend we're seeing, which came up in MGM, is that attackers are kneecapping virtualization. In the MGM attack their ESXi servers were allegedly encrypted by the ransomware gang. So Matt, I'll turn it over to you to go through some of these details.

[00:14:20] Matt Durrin: Perfect. Yeah, so when we're talking about the prevalence of going after hypervisors specifically, this has become a big trend and we're seeing a lot of ransomware groups go for this. There are good reasons why they would do that, though, and MGM unfortunately felt the brunt of this. The ESXi hosts they were running actually managed most of those critical systems inside their network: their Players Club, their hotel reservation system, their phones. Those were all virtual systems, and the attackers really took these things down to like the base bare-metal level. I mean, they annihilated these ESXi hosts, which is pretty nasty.

[00:14:52] So why go after a hypervisor? Well, when you think about it, it actually makes quite a bit of sense why you would want to go after a system like that. First off, we all use them. Everyone is moving towards virtualization as kind of the default in their environments now. How many of you run all bare-metal servers inside of your environment? I'd be surprised if I saw very many hands come up, right? Yeah, everybody's moving towards things like VMware, towards things like Hyper-V, towards ESXi. There are reasons why we do this. The other thing, too, is that those ESXi hosts, those virtualized hosting platforms, are usually a lot more powerful than just a standard workstation. They've got a lot more RAM, they've got a much more powerful processor set. It makes sense why the attackers would want to go for that; it's more efficient on their part. And finally, if they can take down a hypervisor at a root level, that means they don't have to go through and encrypt every single computer inside your network one by one by one. They don't have to do a massive software push, they don't have to deal with something like PsExec. They can just hit the hypervisor and take everything down in one fell swoop. That also means, from an investigation standpoint, I can't get data off of any of those hard drives anymore because everything is encrypted all the way down to the kernel level. That sucks for me.

[00:15:54] And we have an example of this actually happening. The Royal ransomware group has been pretty prolific as of late. They are one of the bigger names when we talk about modern ransomware, up there with BlackCat and ALPHV, LockBit and some of the other more notorious names that we hear in the industry. We were working with a state government agency, and they had about 5,000 individual users. They had a big ESXi farm that was hosting a lot of their infrastructure: their domain controllers, their file servers, application servers, their Citrix environment, and then, most importantly, they had their backup system hosted in a virtualized platform. That is a mistake, for any of you who are thinking about doing that, so please don't do that. When we talk about immutable backups, we want really immutable backups, not something where if I take out your hypervisor I also kill your backups, which we'll get to here in just a second.

[00:16:43] So let's talk about the attack. As we see in a lot of cases, this really started with a phishing email. Social engineering and ransomware tend to go kind of hand in hand; they're like peas and carrots. And the other problem that we ran into here was another very common issue. The attackers were able to get into the network; they were able to exploit local administrator credentials on a single computer at first, but all the local admin credentials were the same all the way across the network. Again, a very, very common mistake that we find; our pentesters find this one very, very frequently as well, and it is just a death knell to an environment once this
gets hit uh once they hit 498 00:17:19,199 --> 00:17:20,599 there they were able to get into an IT 499 00:17:20,599 --> 00:17:22,679 manager's computer scrape a locally 500 00:17:22,679 --> 00:17:24,959 stored clear text password file that had 501 00:17:24,959 --> 00:17:27,400 the SSH credentials for their hypervisor 502 00:17:27,400 --> 00:17:28,960 system so now they're not even logging 503 00:17:28,960 --> 00:17:30,200 in with the graphic interface anymore 504 00:17:30,200 --> 00:17:31,200 they're not going through the browser 505 00:17:31,200 --> 00:17:32,480 they're just going straight in through 506 00:17:32,480 --> 00:17:34,440 SSH they have root level access on this 507 00:17:34,440 --> 00:17:36,919 device uh and then they uh they they 508 00:17:36,919 --> 00:17:39,320 went ahead and uh kind of locked out the 509 00:17:39,320 --> 00:17:41,000 uh the ATT or the uh the regular users 510 00:17:41,000 --> 00:17:42,880 at that point so one of our big 511 00:17:42,880 --> 00:17:45,120 recommendations here if you're able to 512 00:17:45,120 --> 00:17:46,760 because this is not always as easy as it 513 00:17:46,760 --> 00:17:48,520 sounds is to include things like your 514 00:17:48,520 --> 00:17:50,600 root level hypervisors in your security 515 00:17:50,600 --> 00:17:52,760 program uh in a lot of cases though 516 00:17:52,760 --> 00:17:54,799 there may not be an EDR or an antivirus 517 00:17:54,799 --> 00:17:56,320 agent that you can actually drop on that 518 00:17:56,320 --> 00:17:58,159 system pretty common actually I mean 519 00:17:58,159 --> 00:17:59,600 they're really not built for that kind 520 00:17:59,600 --> 00:18:02,159 of uh that kind of work and also in a 521 00:18:02,159 --> 00:18:04,440 lot of best practice configurations 522 00:18:04,440 --> 00:18:06,039 those hypervisors are excluded from 523 00:18:06,039 --> 00:18:07,760 things like AV scans in the first place 524 00:18:07,760 --> 00:18:09,000 mainly because we don't want to 525 00:18:09,000 --> 
00:18:10,159 interfere with them we don't want to 526 00:18:10,159 --> 00:18:11,440 Brick the system and we don't want a 527 00:18:11,440 --> 00:18:13,679 bunch of unnecessary uh resource 528 00:18:13,679 --> 00:18:16,080 draining software running on those hosts 529 00:18:16,080 --> 00:18:17,960 it makes sense I I used to be in it I 530 00:18:17,960 --> 00:18:20,480 get but uh we we still need to keep an 531 00:18:20,480 --> 00:18:21,919 eye on those so uh make sure that you're 532 00:18:21,919 --> 00:18:24,159 able to catch issues quickly there and 533 00:18:24,159 --> 00:18:25,320 uh you know make sure you're not leaving 534 00:18:25,320 --> 00:18:27,600 those things out in the cold so this 535 00:18:27,600 --> 00:18:29,080 brings up another that we're seeing in a 536 00:18:29,080 --> 00:18:30,520 lot of our in a lot of our rans more 537 00:18:30,520 --> 00:18:33,280 cases and that is the basic practice of 538 00:18:33,280 --> 00:18:34,880 the hackers locking people out of 539 00:18:34,880 --> 00:18:36,679 systems this is uh you know passwords 540 00:18:36,679 --> 00:18:38,280 being changed it is Network 541 00:18:38,280 --> 00:18:40,080 configurations being changed there's a 542 00:18:40,080 --> 00:18:42,080 lot that can happen here to keep someone 543 00:18:42,080 --> 00:18:43,679 who is a who is responding to a ransom 544 00:18:43,679 --> 00:18:45,720 more attack from being able to actually 545 00:18:45,720 --> 00:18:47,720 respond uh in this case the attackers 546 00:18:47,720 --> 00:18:49,000 got in and they changed the passwords 547 00:18:49,000 --> 00:18:51,440 for every user they had their own user 548 00:18:51,440 --> 00:18:53,240 password set up at this point and uh 549 00:18:53,240 --> 00:18:54,600 they were uh they were basically in 550 00:18:54,600 --> 00:18:56,200 control of the entire network the IT 551 00:18:56,200 --> 00:18:58,760 staff had no way of actually getting in 552 00:18:58,760 --> 00:19:00,039 uh the other thing too they securely 553 
00:19:00,039 --> 00:19:02,039 deleted those virtual backups uh all the 554 00:19:02,039 --> 00:19:03,240 way down to the root level of the drive 555 00:19:03,240 --> 00:19:05,640 so at this point again it did not matter 556 00:19:05,640 --> 00:19:07,039 that the uh the victim at this point 557 00:19:07,039 --> 00:19:09,640 actually on paper had a pretty robust 558 00:19:09,640 --> 00:19:11,240 immutable backup system the attackers 559 00:19:11,240 --> 00:19:13,080 didn't need to worry about that because 560 00:19:13,080 --> 00:19:14,720 they went underneath that backup and 561 00:19:14,720 --> 00:19:16,799 just took it out of the hard drive uh 562 00:19:16,799 --> 00:19:18,159 this is this is a bad place to find 563 00:19:18,159 --> 00:19:22,039 yourself if uh if you couldn't imagine 564 00:19:22,280 --> 00:19:24,880 that the Royal ransomware gang one of 565 00:19:24,880 --> 00:19:26,200 the things I think is funny about them 566 00:19:26,200 --> 00:19:29,200 is they have value added services oops 567 00:19:29,200 --> 00:19:31,280 um so for example if you look at the Roy 568 00:19:31,280 --> 00:19:33,080 Royal's website on the dark web this is 569 00:19:33,080 --> 00:19:35,159 their contact form and they say 570 00:19:35,159 --> 00:19:37,200 fortunately we got you covered Royal 571 00:19:37,200 --> 00:19:40,360 offers you a unique deal for a monest 572 00:19:40,360 --> 00:19:43,120 royalty uh for our pentesting services 573 00:19:43,120 --> 00:19:44,720 we will not only provide you with an 574 00:19:44,720 --> 00:19:47,039 amazing risk mitigation service blah 575 00:19:47,039 --> 00:19:49,120 blah blah but also a Security review for 576 00:19:49,120 --> 00:19:51,880 your systems so sometimes you can pay a 577 00:19:51,880 --> 00:19:53,600 little extra and the attackers will give 578 00:19:53,600 --> 00:19:55,240 you a Security review or or it might 579 00:19:55,240 --> 00:19:56,200 even be 580 00:19:56,200 --> 00:19:58,760 included um you don't want the hackers 581 
00:19:58,760 --> 00:20:00,320 to be the ones pentesting you it's 582 00:20:00,320 --> 00:20:02,919 better to have a real penetration test 583 00:20:02,919 --> 00:20:05,120 ahead of time uh not after the fact so 584 00:20:05,120 --> 00:20:06,679 that's one of our top 585 00:20:06,679 --> 00:20:08,320 recommendations all right so tell us 586 00:20:08,320 --> 00:20:09,880 about the damage Matt all right so yeah 587 00:20:09,880 --> 00:20:11,240 let's go over the damage uh really quick 588 00:20:11,240 --> 00:20:13,039 though I do want to point out we did do 589 00:20:13,039 --> 00:20:14,799 a negotiation with the black hat uh 590 00:20:14,799 --> 00:20:16,120 Ransom more group at one point and they 591 00:20:16,120 --> 00:20:18,600 did send us one of those pens reports uh 592 00:20:18,600 --> 00:20:20,159 pretty thorough we we actually got a 593 00:20:20,159 --> 00:20:21,200 pretty good idea of what was happening 594 00:20:21,200 --> 00:20:22,960 on the network formatting was crap the 595 00:20:22,960 --> 00:20:25,039 formatting sucked but and it cost like 596 00:20:25,039 --> 00:20:27,960 $750,000 so I mean a regular pen cheaper 597 00:20:27,960 --> 00:20:29,880 better but yeah anyway sorry tangent 598 00:20:29,880 --> 00:20:31,679 there uh so the damage uh the local 599 00:20:31,679 --> 00:20:33,080 backups inside of this network were 600 00:20:33,080 --> 00:20:34,240 completely annihilated these guys were 601 00:20:34,240 --> 00:20:36,640 dead in the water all the other hosts on 602 00:20:36,640 --> 00:20:38,120 the network their domain controller 603 00:20:38,120 --> 00:20:39,679 their app server their file server all 604 00:20:39,679 --> 00:20:41,520 this stuff is just dead at this point 605 00:20:41,520 --> 00:20:43,039 machines won't boot we can't collect 606 00:20:43,039 --> 00:20:44,760 evidence I mean this is this is pretty 607 00:20:44,760 --> 00:20:46,480 rough and now we're in the situation 608 00:20:46,480 --> 00:20:48,120 where we're likely going to 
need to 609 00:20:48,120 --> 00:20:50,280 rebuild their entire network from the 610 00:20:50,280 --> 00:20:52,480 root hypervisor level all the way up to 611 00:20:52,480 --> 00:20:55,039 fully functional that's a big lift 612 00:20:55,039 --> 00:20:56,400 especially for a 5,000 person 613 00:20:56,400 --> 00:20:57,640 organization I mean that's that's going 614 00:20:57,640 --> 00:20:59,240 to take quite quite a bit of 615 00:20:59,240 --> 00:21:01,919 time this brings us up to why we need to 616 00:21:01,919 --> 00:21:04,400 focus on backup so much as a means of 617 00:21:04,400 --> 00:21:06,880 both proactive security and well 618 00:21:06,880 --> 00:21:08,720 recovery from ransomware attacks if we 619 00:21:08,720 --> 00:21:11,320 are using true immutable backups ideally 620 00:21:11,320 --> 00:21:13,640 offsite completely that gives us the 621 00:21:13,640 --> 00:21:15,679 ability to recover from even some of the 622 00:21:15,679 --> 00:21:17,600 most catastrophic style of attacks if 623 00:21:17,600 --> 00:21:19,600 the uh God forbid The Burning uh or the 624 00:21:19,600 --> 00:21:21,080 building burns down or something like 625 00:21:21,080 --> 00:21:23,320 that we still have our infrastructure 626 00:21:23,320 --> 00:21:24,880 available especially if we have like a 627 00:21:24,880 --> 00:21:26,880 replication site or some kind of uh you 628 00:21:26,880 --> 00:21:28,679 know nice Dr switch over we can uh we 629 00:21:28,679 --> 00:21:31,760 can jump into configuration does matter 630 00:21:31,760 --> 00:21:33,480 too if you think you have immutable 631 00:21:33,480 --> 00:21:35,360 backups please test that make sure they 632 00:21:35,360 --> 00:21:36,799 are truly immutable if you're not 633 00:21:36,799 --> 00:21:38,919 testing your backups you don't have 634 00:21:38,919 --> 00:21:41,799 backups pretty simple concept there now 635 00:21:41,799 --> 00:21:43,200 in this case our victim actually got 636 00:21:43,200 --> 00:21:44,679 lucky and this is not 
something that we 637 00:21:44,679 --> 00:21:46,480 run into very frequently we were very 638 00:21:46,480 --> 00:21:47,880 happy to find this they actually had a 639 00:21:47,880 --> 00:21:50,919 decommissioned esxi system that they had 640 00:21:50,919 --> 00:21:52,799 uh they had moved off into it storage 641 00:21:52,799 --> 00:21:54,600 about a month before the attack actually 642 00:21:54,600 --> 00:21:56,200 happen so this is sitting completely 643 00:21:56,200 --> 00:21:57,840 offline just collecting dust in an IT 644 00:21:57,840 --> 00:21:59,520 store storage closet this is great news 645 00:21:59,520 --> 00:22:01,559 for us because now we have a ton of that 646 00:22:01,559 --> 00:22:03,200 data that was now encrypted that we 647 00:22:03,200 --> 00:22:04,600 could get back not all of it there're 648 00:22:04,600 --> 00:22:06,200 still we're still losing about 30 days 649 00:22:06,200 --> 00:22:08,000 worth of data at this point which is 650 00:22:08,000 --> 00:22:09,240 significant I mean that's that's going 651 00:22:09,240 --> 00:22:11,600 to be a problem but it's now much less 652 00:22:11,600 --> 00:22:13,679 of a problem it also meant we didn't 653 00:22:13,679 --> 00:22:15,000 have to buy decryptor from the Royal 654 00:22:15,000 --> 00:22:16,600 ransomware group to get those systems 655 00:22:16,600 --> 00:22:18,440 back online which is uh which is pretty 656 00:22:18,440 --> 00:22:20,240 nice when we're when we're talking about 657 00:22:20,240 --> 00:22:23,039 you know an overall ending for the 658 00:22:23,039 --> 00:22:25,080 victim so this brings up another thing 659 00:22:25,080 --> 00:22:26,480 that we wanted to talk about here and 660 00:22:26,480 --> 00:22:28,039 that is the importance of conducting 661 00:22:28,039 --> 00:22:29,240 actual response training this is 662 00:22:29,240 --> 00:22:30,440 something that the victim in this case 663 00:22:30,440 --> 00:22:32,400 had not done and their IT staff kind of 664 00:22:32,400 --> 
00:22:33,919 had to shoot from the hip a bit when we 665 00:22:33,919 --> 00:22:35,279 were getting into the initial parts of 666 00:22:35,279 --> 00:22:36,520 this response that's not where you want 667 00:22:36,520 --> 00:22:38,679 to find yourself when you're in a very 668 00:22:38,679 --> 00:22:40,760 very high stress uh High severity 669 00:22:40,760 --> 00:22:41,919 situation like this you want to be 670 00:22:41,919 --> 00:22:43,760 rehearsed you want to be practiced 671 00:22:43,760 --> 00:22:45,360 understand your incident response plan 672 00:22:45,360 --> 00:22:46,880 understand who does what make sure that 673 00:22:46,880 --> 00:22:48,520 you can move through a situation like 674 00:22:48,520 --> 00:22:50,360 this as efficiently and smoothly as you 675 00:22:50,360 --> 00:22:52,000 possibly can I mean it's not going to be 676 00:22:52,000 --> 00:22:54,480 easy but it's good to practice you know 677 00:22:54,480 --> 00:22:56,400 I think one thing we've seen recently is 678 00:22:56,400 --> 00:22:59,120 the importance of ack knowledging Shadow 679 00:22:59,120 --> 00:23:01,159 it when you're doing tabletops how many 680 00:23:01,159 --> 00:23:03,840 of you have a shadow it or one or more 681 00:23:03,840 --> 00:23:05,600 Shadow it groups in your organization 682 00:23:05,600 --> 00:23:07,159 yeah so the problem is you go through 683 00:23:07,159 --> 00:23:09,000 tabletop exercise thinking everything is 684 00:23:09,000 --> 00:23:11,159 centralized and then push comes to shove 685 00:23:11,159 --> 00:23:13,400 um there was a public entity recently uh 686 00:23:13,400 --> 00:23:15,799 that we worked with that had a major 687 00:23:15,799 --> 00:23:19,679 ransomware issue and they had Shadow it 688 00:23:19,679 --> 00:23:21,600 that did not want to give them the 689 00:23:21,600 --> 00:23:23,360 password to the backup system it was 690 00:23:23,360 --> 00:23:26,200 totally a political issue um it delayed 691 00:23:26,200 --> 00:23:29,120 them for weeks and 
eventually they got 692 00:23:29,120 --> 00:23:33,039 it sorted out there was some HR uh HR 693 00:23:33,039 --> 00:23:35,120 issues that came out of that um but the 694 00:23:35,120 --> 00:23:36,279 bottom line is make sure you're 695 00:23:36,279 --> 00:23:37,799 including Shadow it you're being 696 00:23:37,799 --> 00:23:39,200 realistic when you're doing these 697 00:23:39,200 --> 00:23:41,159 tabletop exercises I like how you 698 00:23:41,159 --> 00:23:42,559 describe the threat of physical violence 699 00:23:42,559 --> 00:23:45,039 as an HR issue 700 00:23:45,039 --> 00:23:48,240 oh okay so now it's time to see what 701 00:23:48,240 --> 00:23:49,960 happens in our laboratory so we wanted 702 00:23:49,960 --> 00:23:51,799 to do a demo for you guys and just sort 703 00:23:51,799 --> 00:23:53,720 of take a ransom or attack all the way 704 00:23:53,720 --> 00:23:55,480 from beginning to end or really to the 705 00:23:55,480 --> 00:23:58,720 extortion Point um so in this case we 706 00:23:58,720 --> 00:24:01,279 have set up a organization called hack 707 00:24:01,279 --> 00:24:03,760 me Inc hack me Inc manufacturers widgets 708 00:24:03,760 --> 00:24:05,320 if you can't tell we pick on hack me Inc 709 00:24:05,320 --> 00:24:07,760 in our laboratory a lot um very 710 00:24:07,760 --> 00:24:09,679 important widgets and they also serve 711 00:24:09,679 --> 00:24:11,600 the public so they have 24/7 uptime 712 00:24:11,600 --> 00:24:13,120 requirements and they also of course 713 00:24:13,120 --> 00:24:14,960 collect highly sensitive customer data 714 00:24:14,960 --> 00:24:17,240 so there's a risk of data exfiltration 715 00:24:17,240 --> 00:24:19,159 um because for some reason you need pii 716 00:24:19,159 --> 00:24:20,760 in order to manufacture widgets so 717 00:24:20,760 --> 00:24:22,760 that's hack me Inc hack me gets hit with 718 00:24:22,760 --> 00:24:25,840 a ransomware attack as we're going to go 719 00:24:25,840 --> 00:24:28,039 through this um you'll meet 
two people 720 00:24:28,039 --> 00:24:30,240 at hack me Inc one is Le ability she is 721 00:24:30,240 --> 00:24:32,240 their Finance Clerk and the other is 722 00:24:32,240 --> 00:24:35,039 just in time our it 723 00:24:35,039 --> 00:24:37,200 administrator so Lei of course has 724 00:24:37,200 --> 00:24:39,760 unprivileged access uh to the 725 00:24:39,760 --> 00:24:41,640 environment obviously she has access to 726 00:24:41,640 --> 00:24:44,200 sensitive data but nothing special from 727 00:24:44,200 --> 00:24:47,520 an IT admin perspective and then Justin 728 00:24:47,520 --> 00:24:49,440 has the keys to the kingdom and let's 729 00:24:49,440 --> 00:24:51,880 meet your criminals we decided the leite 730 00:24:51,880 --> 00:24:54,640 giraffe gang would be our criminal gang 731 00:24:54,640 --> 00:24:57,960 they're about to strike and uh as as 732 00:24:57,960 --> 00:25:00,840 part of that there's the radman in lmg's 733 00:25:00,840 --> 00:25:04,080 laboratory wow he looks familiar 734 00:25:04,080 --> 00:25:08,720 criminals um okay so this is our anatomy 735 00:25:08,720 --> 00:25:10,720 of a ranser attack and by the way um 736 00:25:10,720 --> 00:25:12,840 anybody want a cyber slap bracelet we 737 00:25:12,840 --> 00:25:14,440 have instead of handouts little wrist 738 00:25:14,440 --> 00:25:16,919 outs that's right hey Spike nice to see 739 00:25:16,919 --> 00:25:20,600 you uh boom they're also at our booth 740 00:25:20,600 --> 00:25:22,080 you can stop by our booth afterwards and 741 00:25:22,080 --> 00:25:23,640 I think we have like a couple hundred of 742 00:25:23,640 --> 00:25:27,120 them um okay so you can see on these uh 743 00:25:27,120 --> 00:25:29,000 wrist outs the anatomy of a cyber 744 00:25:29,000 --> 00:25:30,960 extortion attack we start with entry we 745 00:25:30,960 --> 00:25:34,679 go to expansion appraisal um priming 746 00:25:34,679 --> 00:25:36,559 leverage and extortion so what this is 747 00:25:36,559 --> 00:25:38,960 trying to illustrate 
is that from the 748 00:25:38,960 --> 00:25:40,840 point of entry you actually have often 749 00:25:40,840 --> 00:25:42,720 quite a bit of time to detect the 750 00:25:42,720 --> 00:25:44,799 attackers before they actually hold you 751 00:25:44,799 --> 00:25:47,360 hostage it's a whole process for them an 752 00:25:47,360 --> 00:25:49,760 opportunity for you so where do we want 753 00:25:49,760 --> 00:25:52,520 to start first of all we started off by 754 00:25:52,520 --> 00:25:54,640 looking for a remote access troan how 755 00:25:54,640 --> 00:25:56,440 are we going to get into the environment 756 00:25:56,440 --> 00:25:58,279 we're going to find that rat and install 757 00:25:58,279 --> 00:25:59,440 it and in this case we are going to 758 00:25:59,440 --> 00:26:01,840 install it with a fishing attack y um 759 00:26:01,840 --> 00:26:03,919 this is let's see which one was this the 760 00:26:03,919 --> 00:26:06,679 xorm of rat this is written in Rust and 761 00:26:06,679 --> 00:26:08,440 that's another Trend we're seeing of 762 00:26:08,440 --> 00:26:11,240 these evasive programming language that 763 00:26:11,240 --> 00:26:14,399 uh can run crossplatform that are very 764 00:26:14,399 --> 00:26:16,600 fast um there was a headline last year 765 00:26:16,600 --> 00:26:19,240 that black hat the black hat gang was uh 766 00:26:19,240 --> 00:26:21,799 looking to rewrite their code in Rust I 767 00:26:21,799 --> 00:26:22,919 know Matt you were just reading this 768 00:26:22,919 --> 00:26:25,120 news article this morning yeah I mean 769 00:26:25,120 --> 00:26:26,840 it's it's one of the uh again it's one 770 00:26:26,840 --> 00:26:28,120 of the trends that we're seeing 771 00:26:28,120 --> 00:26:29,919 uh similar to When anybody remember the 772 00:26:29,919 --> 00:26:32,440 Zeus banking Trojan am I am I dating 773 00:26:32,440 --> 00:26:33,919 myself here there's there's a couple 774 00:26:33,919 --> 00:26:35,240 hands I see okay so the Zeus banking 775 00:26:35,240 --> 
00:26:36,799 Trojan kind of like the grandfather of 776 00:26:36,799 --> 00:26:38,559 all Banking and information stealing 777 00:26:38,559 --> 00:26:40,880 Trojans uh it was uh it was built and 778 00:26:40,880 --> 00:26:43,200 released by a hacker named Hamza Bendel 779 00:26:43,200 --> 00:26:44,679 also known as The Smiling hacker if you 780 00:26:44,679 --> 00:26:46,159 ever look at news articles with him he's 781 00:26:46,159 --> 00:26:48,520 always got this big grin on his face uh 782 00:26:48,520 --> 00:26:50,279 but when he realized he was about to be 783 00:26:50,279 --> 00:26:52,279 apprehended by federal law enforcement 784 00:26:52,279 --> 00:26:53,679 he released that source code publicly 785 00:26:53,679 --> 00:26:55,399 and because of that we saw this 786 00:26:55,399 --> 00:26:57,039 explosion in the number of banking 787 00:26:57,039 --> 00:26:59,760 Trojans trickbot Emet uh gim all of the 788 00:26:59,760 --> 00:27:01,080 big names that you think of when you 789 00:27:01,080 --> 00:27:02,880 think of information stealing Trojans 790 00:27:02,880 --> 00:27:04,600 have their Genesis in that Zeus source 791 00:27:04,600 --> 00:27:05,600 code and we're seeing a kind of 792 00:27:05,600 --> 00:27:07,440 resurgence of that pattern with rust 793 00:27:07,440 --> 00:27:09,240 based information Steelers there's a ton 794 00:27:09,240 --> 00:27:10,360 of them that are out there some of them 795 00:27:10,360 --> 00:27:12,880 just on GitHub even uh and attackers are 796 00:27:12,880 --> 00:27:14,600 grabbing the source code modifying it to 797 00:27:14,600 --> 00:27:16,840 fit their needs and then using it to uh 798 00:27:16,840 --> 00:27:19,159 to do things like evade antivirus uh to 799 00:27:19,159 --> 00:27:21,240 evade EDR software in some cases and 800 00:27:21,240 --> 00:27:22,919 again to run crossplatform it can run on 801 00:27:22,919 --> 00:27:24,480 Linux it can run on a Mac it can run on 802 00:27:24,480 --> 00:27:26,600 a Windows PC and there's 
there's a lot 803 00:27:26,600 --> 00:27:29,559 of of of useful uh kind of uh uh well 804 00:27:29,559 --> 00:27:31,559 uses for that kind of 805 00:27:31,559 --> 00:27:33,960 software so let's get started here how 806 00:27:33,960 --> 00:27:35,399 do we actually get something like a 807 00:27:35,399 --> 00:27:37,200 remote access Trojan onto a network well 808 00:27:37,200 --> 00:27:39,039 we went ahead and went with the same way 809 00:27:39,039 --> 00:27:40,399 that most attackers do we just sent a 810 00:27:40,399 --> 00:27:42,320 fishing email in this case you can see 811 00:27:42,320 --> 00:27:43,559 exactly what that looks like we have 812 00:27:43,559 --> 00:27:45,720 accounts payments yahoo.com but we're 813 00:27:45,720 --> 00:27:47,399 going to spoof that to a name that the 814 00:27:47,399 --> 00:27:49,279 you know victim probably recognizes at 815 00:27:49,279 --> 00:27:51,399 this point that's trivial and easy to do 816 00:27:51,399 --> 00:27:52,519 and we're going to include something 817 00:27:52,519 --> 00:27:54,760 like a Word document Microsoft Office 818 00:27:54,760 --> 00:27:57,080 documents especially one note uh Links 819 00:27:57,080 --> 00:27:58,679 at this point are really really 820 00:27:58,679 --> 00:28:00,799 prevalent in dropping these kinds of of 821 00:28:00,799 --> 00:28:02,519 pieces of software on the network so uh 822 00:28:02,519 --> 00:28:04,600 there's our there's our maloc and in the 823 00:28:04,600 --> 00:28:06,519 back end of this thing uh I'm sorry when 824 00:28:06,519 --> 00:28:07,880 when we open it it's it's going to look 825 00:28:07,880 --> 00:28:09,399 something like this and if you've worked 826 00:28:09,399 --> 00:28:11,039 in cyber security or even worked with 827 00:28:11,039 --> 00:28:12,760 email for a while you've likely seen a 828 00:28:12,760 --> 00:28:14,399 document like this pop up at one point 829 00:28:14,399 --> 00:28:16,200 or another it's going to say something 830 00:28:16,200 --> 00:28:17,440 
like the operation didn't complete 831 00:28:17,440 --> 00:28:18,880 successfully because this was created in 832 00:28:18,880 --> 00:28:20,679 an online version of Word or you need 833 00:28:20,679 --> 00:28:23,440 admin access or something realistically 834 00:28:23,440 --> 00:28:24,399 what they're trying to get you to do is 835 00:28:24,399 --> 00:28:25,840 hit that enable content button at the 836 00:28:25,840 --> 00:28:28,360 top of the uh of the banner 837 00:28:28,360 --> 00:28:30,679 uh reminder don't click that ever please 838 00:28:30,679 --> 00:28:32,480 don't otherwise you and I have to have a 839 00:28:32,480 --> 00:28:33,760 much different conversation than we're 840 00:28:33,760 --> 00:28:36,559 having today and i' really rather not uh 841 00:28:36,559 --> 00:28:37,760 once we click that button that's going 842 00:28:37,760 --> 00:28:38,919 to hit some VB script that I have 843 00:28:38,919 --> 00:28:40,279 embedded in the document that's going to 844 00:28:40,279 --> 00:28:41,480 reach out to the internet grab my 845 00:28:41,480 --> 00:28:43,200 payload drop it onto the computer and 846 00:28:43,200 --> 00:28:44,799 just like that we are now infected and 847 00:28:44,799 --> 00:28:46,440 you can see my little proxy servers I I 848 00:28:46,440 --> 00:28:48,159 ran this through any.run just to to get 849 00:28:48,159 --> 00:28:50,080 some nice visuals for it but we ran 850 00:28:50,080 --> 00:28:51,519 through the US for one of our servers 851 00:28:51,519 --> 00:28:52,840 and then I ran through two proxies in 852 00:28:52,840 --> 00:28:54,440 Germany uh at this point which was uh 853 00:28:54,440 --> 00:28:55,640 which was kind of fun to 854 00:28:55,640 --> 00:28:58,039 do now once we have the the uh that 855 00:28:58,039 --> 00:29:00,399 initial foothold on the device we uh we 856 00:29:00,399 --> 00:29:02,559 get a view from the attacker side of our 857 00:29:02,559 --> 00:29:04,440 victim computer and we can get just 858 00:29:04,440 --> 
00:29:05,919 basic shell access right now if I just 859 00:29:05,919 --> 00:29:08,240 run to Who Am I you can see that I am 860 00:29:08,240 --> 00:29:11,559 the hackme domain user lay lay ability 861 00:29:11,559 --> 00:29:13,880 this means that now I have access uh and 862 00:29:13,880 --> 00:29:16,480 I can uh I can use that access to do any 863 00:29:16,480 --> 00:29:18,240 number of things uh mostly what I want 864 00:29:18,240 --> 00:29:20,720 to do though is uh steal data establish 865 00:29:20,720 --> 00:29:22,640 persistence and then move throughout the 866 00:29:22,640 --> 00:29:25,559 network in a much wider 867 00:29:25,559 --> 00:29:27,399 fashion so let's see what that looks 868 00:29:27,399 --> 00:29:28,600 like oh yeah so I've got username I've 869 00:29:28,600 --> 00:29:31,120 got IP address I've got my uh my windows 870 00:29:31,120 --> 00:29:33,240 version I've got my privilege level and 871 00:29:33,240 --> 00:29:35,000 uh then I've got my my interactive shell 872 00:29:35,000 --> 00:29:36,360 so one of the very first things I'm 873 00:29:36,360 --> 00:29:37,960 going to do and I'm I'm modeling this 874 00:29:37,960 --> 00:29:39,760 off of The Playbook of a pretty Infamous 875 00:29:39,760 --> 00:29:40,960 ransomware group we'll tell you who that 876 00:29:40,960 --> 00:29:42,840 is here in just a second but the very 877 00:29:42,840 --> 00:29:44,240 first thing I want to do is gain 878 00:29:44,240 --> 00:29:45,720 persistence outside of that remote 879 00:29:45,720 --> 00:29:47,360 access Trojan now despite the fact that 880 00:29:47,360 --> 00:29:48,519 this is written in Rust it's going to 881 00:29:48,519 --> 00:29:50,000 evade antivirus it's going to be tough 882 00:29:50,000 --> 00:29:52,399 to see I can't guarantee that nobody's 883 00:29:52,399 --> 00:29:53,880 going to notice a piece of unauthorized 884 00:29:53,880 --> 00:29:55,080 software running on the network so 885 00:29:55,080 --> 00:29:56,440 instead I'm going to drop a piece 
of 886 00:29:56,440 --> 00:29:58,080 legitimate remote access software in 887 00:29:58,080 --> 00:29:59,559 this case I'm going to use the Splashtop 888 00:29:59,559 --> 00:30:01,840 uh streamer and I can just send a direct 889 00:30:01,840 --> 00:30:04,320 command line uh uh uh command over to 890 00:30:04,320 --> 00:30:05,960 this computer install the streamer and 891 00:30:05,960 --> 00:30:07,919 now I've got full RDP access instead of 892 00:30:07,919 --> 00:30:09,120 having to worry about going through the 893 00:30:09,120 --> 00:30:10,679 shell and going through my remote access 894 00:30:10,679 --> 00:30:12,720 Trojan it's a you know pretty standard 895 00:30:12,720 --> 00:30:14,679 way of going about 896 00:30:14,679 --> 00:30:18,600 things this was not detected by any anti 897 00:30:18,600 --> 00:30:21,039 antivirus or antiu and you can see three 898 00:30:21,039 --> 00:30:23,000 of them here sorry Mt my eyes are not 899 00:30:23,000 --> 00:30:26,120 that great oh yeah you're fine um but uh 900 00:30:26,120 --> 00:30:27,960 yeah you can see three them here I think 901 00:30:27,960 --> 00:30:30,480 it was um we ran it through virus total 902 00:30:30,480 --> 00:30:32,200 and it didn't find it at all uh did we 903 00:30:32,200 --> 00:30:33,679 run this one through Windows Defender 904 00:30:33,679 --> 00:30:35,120 yeah we ran Microsoft Defender which I'm 905 00:30:35,120 --> 00:30:36,799 surprisingly did not catch any of it 906 00:30:36,799 --> 00:30:38,720 yeah and that's uh unfortunately not 907 00:30:38,720 --> 00:30:40,720 that uncommon that's why you need EDR to 908 00:30:40,720 --> 00:30:42,360 level up yeah the other one was Bit 909 00:30:42,360 --> 00:30:43,600 Defender Bit Defender didn't catch this 910 00:30:43,600 --> 00:30:45,799 one either but yeah we we saw nothing 911 00:30:45,799 --> 00:30:47,120 and a lot of that has to do again with 912 00:30:47,120 --> 00:30:48,440 the fact that we're using a rust based 913 00:30:48,440 --> 00:30:50,120 
info stealer here the way that Russ 914 00:30:50,120 --> 00:30:51,960 packages their programs uh means that 915 00:30:51,960 --> 00:30:53,600 signature-based identification becomes 916 00:30:53,600 --> 00:30:55,240 incredibly difficult it's not the same 917 00:30:55,240 --> 00:30:56,760 as a virus that's written in C or 918 00:30:56,760 --> 00:30:58,440 something like that that uh those those 919 00:30:58,440 --> 00:31:00,159 signatures just flat out don't really 920 00:31:00,159 --> 00:31:02,000 exist which means again our traditional 921 00:31:02,000 --> 00:31:04,440 model of antivir software is reasonably 922 00:31:04,440 --> 00:31:05,720 ineffective against these types of 923 00:31:05,720 --> 00:31:07,799 malware it's why we need EDR software 924 00:31:07,799 --> 00:31:09,320 the other Trend we're seeing a lot of is 925 00:31:09,320 --> 00:31:11,000 that hackers are just using legitimate 926 00:31:11,000 --> 00:31:15,159 tools and um Matt was referencing the uh 927 00:31:15,159 --> 00:31:17,000 the group that we modeling this after 928 00:31:17,000 --> 00:31:18,919 three guesses uh what group is this 929 00:31:18,919 --> 00:31:21,200 anybody know for a slap bracelet that we 930 00:31:21,200 --> 00:31:24,519 modeling this off of what Ransom or 931 00:31:24,519 --> 00:31:26,159 gang is 932 00:31:26,159 --> 00:31:27,880 that 933 00:31:27,880 --> 00:31:29,519 did you say Cony 934 00:31:29,519 --> 00:31:33,600 bear bear close yeah there's one in 935 00:31:33,600 --> 00:31:36,799 particular that leaked A 936 00:31:38,039 --> 00:31:40,799 playbook than you uh thanks for being an 937 00:31:40,799 --> 00:31:42,399 interactive audience I can't quite see 938 00:31:42,399 --> 00:31:45,760 you guys um yeah this is based on the Ki 939 00:31:45,760 --> 00:31:46,720 Playbook and we actually have a 940 00:31:46,720 --> 00:31:48,440 screenshot a little later but kti's 941 00:31:48,440 --> 00:31:49,919 Playbook actually got dumped to the 942 00:31:49,919 --> 00:31:51,240 world 
and you could see that they were 943 00:31:51,240 --> 00:31:53,320 actually distributing legitimate tools 944 00:31:53,320 --> 00:31:56,039 any.run was one um which means that it's 945 00:31:56,039 --> 00:31:57,240 going to be harder to catch them with 946 00:31:57,240 --> 00:31:59,399 things like antivirus software so again 947 00:31:59,399 --> 00:32:01,200 that's why EDR is so important you 948 00:32:01,200 --> 00:32:02,639 really need to level up and do 949 00:32:02,639 --> 00:32:04,519 behavior-based analysis and things 950 00:32:04,519 --> 00:32:06,360 like that and not just rely on 951 00:32:06,360 --> 00:32:09,000 signatures um so our next phase of the 952 00:32:09,000 --> 00:32:12,799 cyber extortion attack is expansion um 953 00:32:12,799 --> 00:32:15,440 what uh the Elite Giraffe gang did here 954 00:32:15,440 --> 00:32:17,159 was they started scanning the network to 955 00:32:17,159 --> 00:32:19,240 see what other opportunities they had to 956 00:32:19,240 --> 00:32:21,200 expand so Matt take it away yeah and in 957 00:32:21,200 --> 00:32:22,320 this case I'm not going to do anything 958 00:32:22,320 --> 00:32:24,480 loud and obnoxious like use Nmap or 959 00:32:24,480 --> 00:32:25,720 anything like that I'm just going to use 960 00:32:25,720 --> 00:32:26,919 another piece of IT software I'm just 961 00:32:26,919 --> 00:32:28,279 going to use Advanced IP Scanner it's 962 00:32:28,279 --> 00:32:30,159 free it's lightweight it's easy to use 963 00:32:30,159 --> 00:32:32,159 and again it's legitimate software it's 964 00:32:32,159 --> 00:32:33,559 signed by a legitimate company it's 965 00:32:33,559 --> 00:32:35,320 probably not going to set off any antivirus 966 00:32:35,320 --> 00:32:37,200 software alert so that's going to give 967 00:32:37,200 --> 00:32:38,519 me a pretty good view of the network and 968 00:32:38,519 --> 00:32:39,600 you can see what I'm pulling back here 969 00:32:39,600 --> 00:32:41,360 I'm pulling back the the open shares the 970
00:32:41,360 --> 00:32:43,840 host names the IP addresses and the MAC 971 00:32:43,840 --> 00:32:45,080 addresses of all the devices on the 972 00:32:45,080 --> 00:32:47,240 network again this is one that we find 973 00:32:47,240 --> 00:32:49,840 in a lot of aftermath when we do ransomware 974 00:32:49,840 --> 00:32:51,360 investigations the next thing I'm going 975 00:32:51,360 --> 00:32:52,120 to do is I'm going to scrape some 976 00:32:52,120 --> 00:32:54,840 credentials off of this computer and the 977 00:32:54,840 --> 00:32:57,039 uh the Conti playbook itself uh will 978 00:32:57,039 --> 00:32:58,559 we'll reference the software to use here 979 00:32:58,559 --> 00:33:00,480 but uh I uh if I drop something like 980 00:33:00,480 --> 00:33:01,919 Mimikatz on a computer like this I 981 00:33:01,919 --> 00:33:02,880 mean it's going to light up like a 982 00:33:02,880 --> 00:33:04,799 Christmas tree any antivirus software even 983 00:33:04,799 --> 00:33:06,399 Windows Defender is going to catch that 984 00:33:06,399 --> 00:33:07,559 I don't want that right I want to be 985 00:33:07,559 --> 00:33:09,080 able to you know stay in the network for 986 00:33:09,080 --> 00:33:11,840 as long as I can so instead if there is 987 00:33:11,840 --> 00:33:13,720 a specific set of misconfigurations 988 00:33:13,720 --> 00:33:15,240 which we unfortunately find fairly 989 00:33:15,240 --> 00:33:17,080 frequently in the wild I can just pop 990 00:33:17,080 --> 00:33:19,399 open your uh your Task Manager and I can 991 00:33:19,399 --> 00:33:20,840 dump your LSASS right from there this 992 00:33:20,840 --> 00:33:22,200 means that I can now scrape cleartext 993 00:33:22,200 --> 00:33:24,279 credentials on my computer not have to 994 00:33:24,279 --> 00:33:25,760 load any malware on your computer other 995 00:33:25,760 --> 00:33:27,320 than the RAT that I already have and 996 00:33:27,320 --> 00:33:29,000 this is going to give me things like our 997 00:33:29,000 --> 00:33:31,240 local admin
passwords and occasionally 998 00:33:31,240 --> 00:33:32,760 depending on how the session systems are 999 00:33:32,760 --> 00:33:34,880 set up I may get more credential access 1000 00:33:34,880 --> 00:33:36,639 than that in this case I find Justin 1001 00:33:36,639 --> 00:33:38,600 Time's uh password sitting right there on 1002 00:33:38,600 --> 00:33:40,880 the computer this means now I can move 1003 00:33:40,880 --> 00:33:42,799 laterally so I'm going to go ahead and 1004 00:33:42,799 --> 00:33:43,919 uh test this out on the network I'm 1005 00:33:43,919 --> 00:33:46,559 going to RDP to any host that I can in 1006 00:33:46,559 --> 00:33:47,919 this case because Justin Time is an 1007 00:33:47,919 --> 00:33:49,440 admin on the system I'm able to get 1008 00:33:49,440 --> 00:33:51,840 myself into one of their uh their domain 1009 00:33:51,840 --> 00:33:53,159 controllers I've basically got the 1010 00:33:53,159 --> 00:33:54,519 kingdom at this point I've I've got 1011 00:33:54,519 --> 00:33:55,960 access to everything that I 1012 00:33:55,960 --> 00:33:58,559 need now what I'm going to do is fully 1013 00:33:58,559 --> 00:34:00,720 expand so uh I'm going to use a again a 1014 00:34:00,720 --> 00:34:01,919 legitimate toolkit I'm just going to use 1015 00:34:01,919 --> 00:34:04,039 the PsExec toolkit shove this remote 1016 00:34:04,039 --> 00:34:05,720 access Trojan out to every computer on 1017 00:34:05,720 --> 00:34:07,200 the network because well I want 1018 00:34:07,200 --> 00:34:08,639 everything I don't know where the data 1019 00:34:08,639 --> 00:34:10,159 really lies on the network at this point 1020 00:34:10,159 --> 00:34:11,918 and I want to be able to steal it so the 1021 00:34:11,918 --> 00:34:13,918 more access I have the better using 1022 00:34:13,918 --> 00:34:15,480 something like PsExec I can push this 1023 00:34:15,480 --> 00:34:16,679 to anything on the domain that's going 1024 00:34:16,679 --> 00:34:17,918 to respond and I've got the admin 1025
00:34:17,918 --> 00:34:19,280 credentials to do it at this point you 1026 00:34:19,280 --> 00:34:21,079 can see my uh my my list of victim 1027 00:34:21,079 --> 00:34:23,239 computers growing in the bottom there 1028 00:34:23,239 --> 00:34:24,719 again we mentioned this is the Conti 1029 00:34:24,719 --> 00:34:26,119 playbook uh we we were following right 1030 00:34:26,119 --> 00:34:27,520 along with the instruction they give to 1031 00:34:27,520 --> 00:34:28,679 all of their affiliates at this point 1032 00:34:28,679 --> 00:34:30,239 including the use of Mimikatz and they 1033 00:34:30,239 --> 00:34:31,960 give you uh some it's we didn't 1034 00:34:31,960 --> 00:34:33,359 translate this it's in Russian but they 1035 00:34:33,359 --> 00:34:35,199 give you some advice on moving these 1036 00:34:35,199 --> 00:34:36,679 files off of the network to avoid 1037 00:34:36,679 --> 00:34:38,520 detection it's a you know pretty smart 1038 00:34:38,520 --> 00:34:39,719 way of going about they actually get to 1039 00:34:39,719 --> 00:34:41,760 the point where they tell their um 1040 00:34:41,760 --> 00:34:43,879 frontline hackers what to look for what 1041 00:34:43,879 --> 00:34:45,839 kinds of files and things like that 1042 00:34:45,839 --> 00:34:47,159 which is interesting because like the 1043 00:34:47,159 --> 00:34:49,560 cases you see where for example they're 1044 00:34:49,560 --> 00:34:51,879 reusing a dirty wallet often that's 1045 00:34:51,879 --> 00:34:54,040 because you have a total newbie just 1046 00:34:54,040 --> 00:34:55,719 following these instructions step by 1047 00:34:55,719 --> 00:34:57,400 step not realizing that they need to 1048 00:34:57,400 --> 00:34:59,520 replace it with a new clean wallet that 1049 00:34:59,520 --> 00:35:01,320 they've just created that they have just 1050 00:35:01,320 --> 00:35:04,160 created um so Conti of course is operating 1051 00:35:04,160 --> 00:35:06,119 using the franchise model so they have 1052 00:35:06,119 --> 00:35:07,960
these centralized resources which are 1053 00:35:07,960 --> 00:35:09,920 then getting distributed to affiliates 1054 00:35:09,920 --> 00:35:11,400 we had a conversation with Marc Grens 1055 00:35:11,400 --> 00:35:13,480 from DigitalMint at loat this year and 1056 00:35:13,480 --> 00:35:15,560 uh the he was talking about the use of 1057 00:35:15,560 --> 00:35:17,200 uh of sanctioned cryptocurrency wallets 1058 00:35:17,200 --> 00:35:19,520 and how he very infrequently sees them 1059 00:35:19,520 --> 00:35:20,839 and when he got to the conversation 1060 00:35:20,839 --> 00:35:22,800 about how amateur hackers will sometimes 1061 00:35:22,800 --> 00:35:24,359 reuse dirty wallets and they can't 1062 00:35:24,359 --> 00:35:25,800 actually even pay them a ransom because 1063 00:35:25,800 --> 00:35:28,599 they're sanctioned by by by OFAC his 1064 00:35:28,599 --> 00:35:30,119 feeling of disappointment sounded like 1065 00:35:30,119 --> 00:35:31,680 so palpable at that point just like 1066 00:35:31,680 --> 00:35:33,760 shaking his head like an angry father or 1067 00:35:33,760 --> 00:35:36,599 something okay so then uh just to zip 1068 00:35:36,599 --> 00:35:38,040 through some of these the attackers are 1069 00:35:38,040 --> 00:35:39,960 going to do an appraisal of what they 1070 00:35:39,960 --> 00:35:41,760 have they often these are not targeted 1071 00:35:41,760 --> 00:35:43,000 attacks you know they're just sending a 1072 00:35:43,000 --> 00:35:44,200 bunch of phishing emails and then they're 1073 00:35:44,200 --> 00:35:45,960 like oh what do we have and we'll see 1074 00:35:45,960 --> 00:35:47,880 that later I'm doing a talk later today 1075 00:35:47,880 --> 00:35:49,920 uh where we study the MOVEit attack and 1076 00:35:49,920 --> 00:35:51,760 the Cl0p ransomware gang just comes out and 1077 00:35:51,760 --> 00:35:53,440 says uh let us know if you've been 1078 00:35:53,440 --> 00:35:55,319 hacked cuz they have no idea what 1079 00:35:55,319 --> 00:35:57,240 organizations
they've actually gotten so 1080 00:35:57,240 --> 00:35:58,839 they'll look for PII they'll look for 1081 00:35:58,839 --> 00:36:00,280 financial information they'll look for 1082 00:36:00,280 --> 00:36:02,400 proprietary information for a couple 1083 00:36:02,400 --> 00:36:04,480 different reasons one because of course 1084 00:36:04,480 --> 00:36:06,280 they want to hold you hostage and use 1085 00:36:06,280 --> 00:36:08,200 that as leverage but they'll also use 1086 00:36:08,200 --> 00:36:09,960 that to do things like set the ransom 1087 00:36:09,960 --> 00:36:12,599 demand um we've had case after case 1088 00:36:12,599 --> 00:36:14,800 where uh they clearly have inside 1089 00:36:14,800 --> 00:36:16,839 knowledge it's clear that they know the 1090 00:36:16,839 --> 00:36:18,599 amount of the cyber insurance 1091 00:36:18,599 --> 00:36:19,640 coverage and they're willing to 1092 00:36:19,640 --> 00:36:22,079 negotiate to just below that cyber 1093 00:36:22,079 --> 00:36:23,680 insurance policies are usually very 1094 00:36:23,680 --> 00:36:25,880 readily accessible in email and places 1095 00:36:25,880 --> 00:36:27,400 like that and then they're looking at 1096 00:36:27,400 --> 00:36:30,040 the finances and they seem to set the 1097 00:36:30,040 --> 00:36:31,920 ransom demand based on like a percentage 1098 00:36:31,920 --> 00:36:34,040 of revenue or a percentage of net income 1099 00:36:34,040 --> 00:36:35,680 things like 1100 00:36:35,680 --> 00:36:38,960 that okay so whoops sorry meant to be on 1101 00:36:38,960 --> 00:36:41,240 that slide um so the next phase is that 1102 00:36:41,240 --> 00:36:42,640 the attackers are going to start spelunking 1103 00:36:42,640 --> 00:36:44,359 through the files and apps at 1104 00:36:44,359 --> 00:36:46,079 Hack Me Inc and what were you looking 1105 00:36:46,079 --> 00:36:47,960 for Evil Matt whatever we could find 1106 00:36:47,960 --> 00:36:49,960 honestly I mean we're we we don't know 1107 00:36:49,960 -->
00:36:52,040 uh and from an attacker standpoint they 1108 00:36:52,040 --> 00:36:53,440 don't have a road map to where your data 1109 00:36:53,440 --> 00:36:55,240 sits at this point this this is where 1110 00:36:55,240 --> 00:36:56,240 this was a great opportunity for 1111 00:36:56,240 --> 00:36:57,359 detection too because they're going to 1112 00:36:57,359 --> 00:36:59,200 start making noise uh we're looking for 1113 00:36:59,200 --> 00:37:00,480 anything that we can possibly find we're 1114 00:37:00,480 --> 00:37:01,599 looking for spreadsheets we're looking 1115 00:37:01,599 --> 00:37:02,880 for Word documents we're looking for 1116 00:37:02,880 --> 00:37:04,720 database files anything that might 1117 00:37:04,720 --> 00:37:06,440 contain something valuable to us 1118 00:37:06,440 --> 00:37:07,839 something we can use to extort you 1119 00:37:07,839 --> 00:37:10,000 further on down the road uh in this case 1120 00:37:10,000 --> 00:37:11,599 because we uh we had gotten into a 1121 00:37:11,599 --> 00:37:13,480 finance person's computer uh the local 1122 00:37:13,480 --> 00:37:15,079 file system actually had quite a bit of 1123 00:37:15,079 --> 00:37:17,440 uh of useful information for us uh not 1124 00:37:17,440 --> 00:37:19,079 quite not quite enough though I mean we 1125 00:37:19,079 --> 00:37:21,839 we really want to expand outward from 1126 00:37:21,839 --> 00:37:23,960 here uh but the next thing we wanted to 1127 00:37:23,960 --> 00:37:25,359 do was look at the groups that Leah was 1128 00:37:25,359 --> 00:37:26,760 uh was available with and this is going 1129 00:37:26,760 --> 00:37:28,160 to give us a little bit more information 1130 00:37:28,160 --> 00:37:29,839 about the domain specifically it's going 1131 00:37:29,839 --> 00:37:31,599 to tell us kind of where we need to go 1132 00:37:31,599 --> 00:37:32,760 uh where do you think we would go next 1133 00:37:32,760 --> 00:37:34,680 if we've got the local file system if 1134 00:37:34,680 --> 00:37:37,079 
I'm a ransomware operator based on your 1135 00:37:37,079 --> 00:37:38,680 network experience alone where am I 1136 00:37:38,680 --> 00:37:40,240 going to go after I hit your local file 1137 00:37:40,240 --> 00:37:43,359 system file shares file shares where 1138 00:37:43,359 --> 00:37:47,040 else storage I'm going to hit your cloud 1139 00:37:47,040 --> 00:37:48,119 that's that's where I'm going to go next 1140 00:37:48,119 --> 00:37:49,280 and this is again this is another one of 1141 00:37:49,280 --> 00:37:50,880 those big trends we're seeing peanut 1142 00:37:50,880 --> 00:37:52,359 butter and jelly ransomware in the 1143 00:37:52,359 --> 00:37:54,599 cloud yeah so I mean if I've got access 1144 00:37:54,599 --> 00:37:55,920 to your computer odds are pretty good 1145 00:37:55,920 --> 00:37:57,079 you've either got a saved session in 1146 00:37:57,079 --> 00:37:58,599 your browser or you've got a local app 1147 00:37:58,599 --> 00:38:00,119 that's going to take me to SharePoint 1148 00:38:00,119 --> 00:38:01,520 now I've got access to your cloud system 1149 00:38:01,520 --> 00:38:03,400 I've got your entire network so uh we we 1150 00:38:03,400 --> 00:38:05,520 can just kind of move on from 1151 00:38:05,520 --> 00:38:08,000 there uh once we had Justin's 1152 00:38:08,000 --> 00:38:09,240 credentials too we were able to get to 1153 00:38:09,240 --> 00:38:10,640 his computer and this is uh this is 1154 00:38:10,640 --> 00:38:11,720 something we've seen in a number of 1155 00:38:11,720 --> 00:38:13,680 cases this means I can also get access 1156 00:38:13,680 --> 00:38:15,520 to something like your Microsoft 365 1157 00:38:15,520 --> 00:38:16,760 admin portal and if you listened to my 1158 00:38:16,760 --> 00:38:18,359 talk yesterday that admin portal can be 1159 00:38:18,359 --> 00:38:20,200 very very impactful when we're talking 1160 00:38:20,200 --> 00:38:23,000 about obscuring our uh our activities 1161 00:38:23,000 --> 00:38:24,839 inside of a cloud tenant we
can also do 1162 00:38:24,839 --> 00:38:26,640 things like change access permissions I 1163 00:38:26,640 --> 00:38:28,280 get access to everyone's shared folders 1164 00:38:28,280 --> 00:38:30,000 at that point uh in the in the cloud 1165 00:38:30,000 --> 00:38:32,040 system it's a bad place to find yourself 1166 00:38:32,040 --> 00:38:34,640 so uh yeah again watch out for that 1167 00:38:34,640 --> 00:38:37,160 one all right so then they do priming 1168 00:38:37,160 --> 00:38:39,280 priming is when the hackers are getting 1169 00:38:39,280 --> 00:38:41,480 the environment ready for ransomware to 1170 00:38:41,480 --> 00:38:43,119 be pushed out once they've collected 1171 00:38:43,119 --> 00:38:44,640 your data typically this is the next 1172 00:38:44,640 --> 00:38:47,359 step and this is also an opportunity to 1173 00:38:47,359 --> 00:38:49,760 detect them so Evil Matt what did you do 1174 00:38:49,760 --> 00:38:51,720 to prime the environment yeah so priming 1175 00:38:51,720 --> 00:38:53,440 the environment is again one of those 1176 00:38:53,440 --> 00:38:55,240 opportunities for detection where we 1177 00:38:55,240 --> 00:38:56,400 start to make a lot of noise how many of 1178 00:38:56,400 --> 00:38:57,680 you you guys remember when Holiday Inn 1179 00:38:57,680 --> 00:38:58,800 got hacked 1180 00:38:58,800 --> 00:39:01,240 recently a couple of you so the the 1181 00:39:01,240 --> 00:39:02,760 reason Holiday Inn they were they were 1182 00:39:02,760 --> 00:39:05,480 hit with a uh a data deletion uh attack 1183 00:39:05,480 --> 00:39:06,839 instead of a ransomware attack and the 1184 00:39:06,839 --> 00:39:08,240 reason that happened was because the 1185 00:39:08,240 --> 00:39:09,480 attackers couldn't figure out how to get 1186 00:39:09,480 --> 00:39:11,800 their ransomware to run uh mainly that's 1187 00:39:11,800 --> 00:39:13,119 because of security software and other 1188 00:39:13,119 --> 00:39:14,359 controls on the network if I've got 1189 00:39:14,359 -->
00:39:15,800 admin access I can kneecap those 1190 00:39:15,800 --> 00:39:17,319 controls so right now I'm pushing out 1191 00:39:17,319 --> 00:39:19,800 some Group Policy Objects they they're 1192 00:39:19,800 --> 00:39:21,119 going to turn off things like file 1193 00:39:21,119 --> 00:39:23,640 access control and uh antivirus software 1194 00:39:23,640 --> 00:39:24,760 this means I'm just going to have a more 1195 00:39:24,760 --> 00:39:27,079 clear path towards uh completely 1196 00:39:27,079 --> 00:39:28,839 compromising the network as a whole and 1197 00:39:28,839 --> 00:39:31,160 this should be sending up alerts it 1198 00:39:31,160 --> 00:39:32,760 absolutely should yeah new GPO should 1199 00:39:32,760 --> 00:39:34,240 should totally alert you that something 1200 00:39:34,240 --> 00:39:35,839 something is going wrong uh the next 1201 00:39:35,839 --> 00:39:36,920 thing I'm going to do is enumerate the 1202 00:39:36,920 --> 00:39:38,520 file server I'm looking for all the shares 1203 00:39:38,520 --> 00:39:40,839 that I uh I have access to and I'm going 1204 00:39:40,839 --> 00:39:43,240 to uh then change those file permissions 1205 00:39:43,240 --> 00:39:45,359 to give myself or anyone else access to 1206 00:39:45,359 --> 00:39:46,680 that that means when I dump my ransomware 1207 00:39:46,680 --> 00:39:48,560 executable I can hit absolutely 1208 00:39:48,560 --> 00:39:50,440 everything and uh this is going to uh 1209 00:39:50,440 --> 00:39:52,200 again maximize my 1210 00:39:52,200 --> 00:39:54,079 impact the next thing I'm going to do is 1211 00:39:54,079 --> 00:39:56,160 create my own account on the system so 1212 00:39:56,160 --> 00:39:57,680 right now I've compromised a domain 1213 00:39:57,680 --> 00:39:59,400 admin I've compromised a standard user 1214 00:39:59,400 --> 00:40:00,839 I've got a remote access Trojan sitting 1215 00:40:00,839 --> 00:40:02,760 out there but what if I'm discovered 1216 00:40:02,760 --> 00:40:04,200 what if somebody realizes
that account's 1217 00:40:04,200 --> 00:40:05,440 been compromised and they change the 1218 00:40:05,440 --> 00:40:06,760 password well I'm kind of locked out of 1219 00:40:06,760 --> 00:40:07,839 the system at that point and I don't 1220 00:40:07,839 --> 00:40:09,440 want that so instead I'm going to make 1221 00:40:09,440 --> 00:40:12,680 myself the radman uh and uh I I tried to 1222 00:40:12,680 --> 00:40:14,640 pick up a more you know smart-assy name 1223 00:40:14,640 --> 00:40:15,839 to to put on there but this one seemed 1224 00:40:15,839 --> 00:40:17,640 to work pretty well but yeah this this 1225 00:40:17,640 --> 00:40:19,480 means that now I have my own persistent 1226 00:40:19,480 --> 00:40:22,280 admin access to the network and if as we 1227 00:40:22,280 --> 00:40:23,920 see in a lot of cases uh I detonate 1228 00:40:23,920 --> 00:40:25,560 ransomware and the IT staff just rolls 1229 00:40:25,560 --> 00:40:27,119 back to right before the ransomware hit 1230 00:40:27,119 --> 00:40:28,640 they might be restoring my account again 1231 00:40:28,640 --> 00:40:29,839 so I can just get right back into the 1232 00:40:29,839 --> 00:40:32,560 network a very common thing that we see 1233 00:40:32,560 --> 00:40:34,280 uh so now I've got my own admin access 1234 00:40:34,280 --> 00:40:35,880 I've opened up the shares for everything 1235 00:40:35,880 --> 00:40:38,000 and it's time for us to probably steal 1236 00:40:38,000 --> 00:40:39,960 some data before we uh before we encrypt 1237 00:40:39,960 --> 00:40:41,760 everything right so how are we going to 1238 00:40:41,760 --> 00:40:43,720 do that well again we're going to use 1239 00:40:43,720 --> 00:40:45,280 some legitimate software to do this I 1240 00:40:45,280 --> 00:40:47,119 don't want to uh I don't want to set off 1241 00:40:47,119 --> 00:40:49,480 any big alarm bells so if I uh if I 1242 00:40:49,480 --> 00:40:51,440 don't need to use my my Trojan to steal 1243 00:40:51,440 --> 00:40:53,599 data uh I will I
will go for something 1244 00:40:53,599 --> 00:40:55,800 like Rclone and uh Rclone we see very 1245 00:40:55,800 --> 00:40:58,920 frequently as a uh is a you know pretty 1246 00:40:58,920 --> 00:41:01,119 common addition to an attacker's toolkit 1247 00:41:01,119 --> 00:41:02,359 uh one of the things that's nice about 1248 00:41:02,359 --> 00:41:04,119 it is it's very easily customizable it 1249 00:41:04,119 --> 00:41:05,680 can link directly up to a cloud shared 1250 00:41:05,680 --> 00:41:08,560 folder and it staggers the actual upload 1251 00:41:08,560 --> 00:41:09,920 of data so this isn't going to set off 1252 00:41:09,920 --> 00:41:11,359 any usage alarms we're not going to see 1253 00:41:11,359 --> 00:41:13,240 any big bandwidth spikes very kind of 1254 00:41:13,240 --> 00:41:14,839 sneaky way of pulling data out of the 1255 00:41:14,839 --> 00:41:16,359 network uh if I'm not worried about that 1256 00:41:16,359 --> 00:41:17,520 I can actually just use the RAT that I 1257 00:41:17,520 --> 00:41:18,800 already have on the system and and pull 1258 00:41:18,800 --> 00:41:20,280 data that way but it's going to be a 1259 00:41:20,280 --> 00:41:22,760 judgment call on my part there and then 1260 00:41:22,760 --> 00:41:24,440 we went to the dark web to pick out our 1261 00:41:24,440 --> 00:41:26,760 ransomware exactly yeah we wanted to detonate 1262 00:41:26,760 --> 00:41:28,480 some ransomware and when we when we 1263 00:41:28,480 --> 00:41:29,960 looked for a ransomware what I really 1264 00:41:29,960 --> 00:41:31,440 wanted to do was make this basically 1265 00:41:31,440 --> 00:41:33,520 ransomware for dummies uh what kind of 1266 00:41:33,520 --> 00:41:34,880 ransomware strain can I grab that's 1267 00:41:34,880 --> 00:41:36,200 going to automate most of these 1268 00:41:36,200 --> 00:41:37,760 processes for me I want to just be able 1269 00:41:37,760 --> 00:41:40,720 to double click this and go so we uh we 1270 00:41:40,720 --> 00:41:42,040 did some searching we went
through AlphaBay 1271 00:41:42,040 --> 00:41:43,400 we went through Versus we went 1272 00:41:43,400 --> 00:41:45,319 through the cipher market and uh we 1273 00:41:45,319 --> 00:41:47,680 settled on the Dharma ransomware strain 1274 00:41:47,680 --> 00:41:49,319 now Dharma if you're not familiar with 1275 00:41:49,319 --> 00:41:52,480 it is uh is is a lower dollar ransomware 1276 00:41:52,480 --> 00:41:54,119 but they go in high volume this is kind 1277 00:41:54,119 --> 00:41:56,599 of the GandCrab method of ransomware 1278 00:41:56,599 --> 00:41:58,200 they kind of shotgun blast this out to 1279 00:41:58,200 --> 00:42:00,480 anyone who they can get as a a victim 1280 00:42:00,480 --> 00:42:01,920 they charge a reasonably low cost and 1281 00:42:01,920 --> 00:42:03,280 they just work on volume to actually 1282 00:42:03,280 --> 00:42:04,240 make their money and they're they're 1283 00:42:04,240 --> 00:42:05,960 very successful uh with Dharma you're 1284 00:42:05,960 --> 00:42:07,800 looking normally at about $5,000 per 1285 00:42:07,800 --> 00:42:09,480 computer that they uh they encrypt so if 1286 00:42:09,480 --> 00:42:10,920 they get your file server five grand you 1287 00:42:10,920 --> 00:42:12,040 get that back and they're they're out 1288 00:42:12,040 --> 00:42:14,440 the door but it uh it automatically 1289 00:42:14,440 --> 00:42:16,319 ruins a lot of things for us inside the 1290 00:42:16,319 --> 00:42:17,640 network the very first thing it does is 1291 00:42:17,640 --> 00:42:19,559 delete uh shadow volume copies this 1292 00:42:19,559 --> 00:42:21,559 means that after the ransomware executes 1293 00:42:21,559 --> 00:42:23,400 uh I can't go back to a previous version 1294 00:42:23,400 --> 00:42:24,559 of that file and get around the 1295 00:42:24,559 --> 00:42:26,559 encryption this is very common almost 1296 00:42:26,559 --> 00:42:27,960 all ransomware does this at this point 1297 00:42:27,960 --> 00:42:29,599 in time and you can see the uh the 1298
00:42:29,599 --> 00:42:31,000 threat indicators this is from the MITRE 1299 00:42:31,000 --> 00:42:33,520 ATT&CK framework down below the next 1300 00:42:33,520 --> 00:42:35,079 thing it's going to do is kill some 1301 00:42:35,079 --> 00:42:37,160 annoying services so it's going to stop 1302 00:42:37,160 --> 00:42:38,760 things like your uh your Print Spooler 1303 00:42:38,760 --> 00:42:40,040 it's going to stop things like your SQL 1304 00:42:40,040 --> 00:42:42,760 service uh uh VSS Writer uh and it's 1305 00:42:42,760 --> 00:42:44,520 going to uh get the environment into a 1306 00:42:44,520 --> 00:42:46,240 position where I can encrypt pretty much 1307 00:42:46,240 --> 00:42:47,480 everything on the network if some of 1308 00:42:47,480 --> 00:42:49,200 those services are running files may be 1309 00:42:49,200 --> 00:42:50,920 locked I may not be able to to hit them 1310 00:42:50,920 --> 00:42:52,240 so we want to make sure that won't 1311 00:42:52,240 --> 00:42:54,559 happen then Dharma also automatically 1312 00:42:54,559 --> 00:42:56,880 does anti-forensics which I think uh 1313 00:42:56,880 --> 00:42:58,880 makes our job very hard you can see it 1314 00:42:58,880 --> 00:43:00,359 right here that they clean out the event 1315 00:43:00,359 --> 00:43:01,720 logs automatically there's really 1316 00:43:01,720 --> 00:43:03,880 nothing manual that Evil Matt had to do 1317 00:43:03,880 --> 00:43:05,680 oh no no yeah I hit start on this one 1318 00:43:05,680 --> 00:43:07,640 and it just did all the work for me kind 1319 00:43:07,640 --> 00:43:09,520 of frightening uh the other thing it did 1320 00:43:09,520 --> 00:43:10,880 was search the network find all the 1321 00:43:10,880 --> 00:43:12,280 shares that were available mount those 1322 00:43:12,280 --> 00:43:13,599 shares and encrypt the files in those 1323 00:43:13,599 --> 00:43:15,079 shares and it did this first before it 1324 00:43:15,079 --> 00:43:17,040 actually encrypted the local file system 1325 00:43:17,040
--> 00:43:18,359 uh normally this is done to avoid 1326 00:43:18,359 --> 00:43:20,000 detection because if a user is sitting at 1327 00:43:20,000 --> 00:43:22,160 their desktop and this executes and 1328 00:43:22,160 --> 00:43:23,720 their desktop files get encrypted all of 1329 00:43:23,720 --> 00:43:24,520 a sudden they're going to know 1330 00:43:24,520 --> 00:43:26,160 something's wrong if their shared 1331 00:43:26,160 --> 00:43:27,880 files get encrypted that's going to take 1332 00:43:27,880 --> 00:43:29,400 them a little bit longer to identify and 1333 00:43:29,400 --> 00:43:30,760 I've got a better chance of completing 1334 00:43:30,760 --> 00:43:32,359 that encryption cycle so that's again 1335 00:43:32,359 --> 00:43:33,880 why that order of operations runs in the 1336 00:43:33,880 --> 00:43:37,400 way it does we're seeing uh ransomware get 1337 00:43:37,400 --> 00:43:39,200 faster and faster and one of the 1338 00:43:39,200 --> 00:43:40,839 techniques that the criminals are using 1339 00:43:40,839 --> 00:43:43,480 to make sure it's um extremely fast is 1340 00:43:43,480 --> 00:43:44,880 that they're not even bothering to 1341 00:43:44,880 --> 00:43:46,520 encrypt your whole file in a lot of 1342 00:43:46,520 --> 00:43:48,079 cases they realize if they just do a 1343 00:43:48,079 --> 00:43:49,920 partial encryption of your QuickBooks 1344 00:43:49,920 --> 00:43:52,160 database or whatever it happens to be 1345 00:43:52,160 --> 00:43:53,280 um that you're going to be dead in the 1346 00:43:53,280 --> 00:43:54,680 water at that point and it's going to be 1347 00:43:54,680 --> 00:43:56,559 very difficult for you to reassemble 1348 00:43:56,559 --> 00:43:58,520 things um so that is a trend that we're 1349 00:43:58,520 --> 00:44:01,440 seeing Splunk did a great research study 1350 00:44:01,440 --> 00:44:02,839 where they took different ransomware 1351 00:44:02,839 --> 00:44:04,440 strains and LockBit was 1352 00:44:04,440 --> 00:44:06,200 advertising
itself as the fastest 1353 00:44:06,200 --> 00:44:08,319 ransomware strain you can get and so 1354 00:44:08,319 --> 00:44:09,559 they were like okay is there truth in 1355 00:44:09,559 --> 00:44:11,200 malvertising which I thought was kind of 1356 00:44:11,200 --> 00:44:14,319 cute turns out there is um in the case 1357 00:44:14,319 --> 00:44:18,400 so they uh they set up 53 GB and 100,000 1358 00:44:18,400 --> 00:44:21,000 test files and they timed it to see how 1359 00:44:21,000 --> 00:44:22,240 long it would take the different 1360 00:44:22,240 --> 00:44:24,319 ransomware strains to go through it and 1361 00:44:24,319 --> 00:44:26,520 what they found was that LockBit uh the 1362 00:44:26,520 --> 00:44:29,040 median duration was 5 minutes and 50 1363 00:44:29,040 --> 00:44:32,119 seconds and the fastest time that it had 1364 00:44:32,119 --> 00:44:35,040 was just a little over 4 minutes I mean 1365 00:44:35,040 --> 00:44:37,640 that is impossible to respond to if it's 1366 00:44:37,640 --> 00:44:39,240 going to be less than 5 minutes for 1367 00:44:39,240 --> 00:44:41,440 ransomware to encrypt um over 50 1368 00:44:41,440 --> 00:44:43,359 gigabytes of data that's really ripping 1369 00:44:43,359 --> 00:44:45,559 through your network and that's again 1370 00:44:45,559 --> 00:44:48,079 because of that partial encryption 1371 00:44:48,079 --> 00:44:51,680 strategy all right so then once they've 1372 00:44:51,680 --> 00:44:53,160 primed your environment they've gained 1373 00:44:53,160 --> 00:44:54,520 their leverage whether it's through 1374 00:44:54,520 --> 00:44:57,319 exfiltration or through uh affecting the 1375 00:44:57,319 --> 00:44:59,240 availability of your information then 1376 00:44:59,240 --> 00:45:02,000 they're going to extort you so this is a 1377 00:45:02,000 --> 00:45:03,720 um I think this is a LockBit ransom 1378 00:45:03,720 --> 00:45:05,119 note is that right Matt no this is our 1379 00:45:05,119 --> 00:45:07,240 Dharma ransom oh this is our Dharma
ransom 1380 00:45:07,240 --> 00:45:08,559 sorry this was how you ended our 1381 00:45:08,559 --> 00:45:11,119 scenario yep yeah so your files are 1382 00:45:11,119 --> 00:45:12,400 encrypted don't worry you can restore 1383 00:45:12,400 --> 00:45:14,520 them all there's a cool skull this is 1384 00:45:14,520 --> 00:45:16,599 another ransomware gang that we worked with 1385 00:45:16,599 --> 00:45:18,400 the Vice Society and these guys were 1386 00:45:18,400 --> 00:45:19,640 great because they were very well not 1387 00:45:19,640 --> 00:45:21,680 great they were evil um but they were 1388 00:45:21,680 --> 00:45:23,760 very verbose they wanted to explain why 1389 00:45:23,760 --> 00:45:25,200 they were there they wanted to have 1390 00:45:25,200 --> 00:45:27,280 relationships with journalists so I 1391 00:45:27,280 --> 00:45:29,160 wanted to show you a few examples first 1392 00:45:29,160 --> 00:45:31,079 there's the victim portal of course 1393 00:45:31,079 --> 00:45:32,680 where they just list all their victims 1394 00:45:32,680 --> 00:45:35,079 that's become standard on the dark web 1395 00:45:35,079 --> 00:45:36,440 and then here's a section for 1396 00:45:36,440 --> 00:45:38,520 journalists um if you're a journalist 1397 00:45:38,520 --> 00:45:40,400 and want to ask some questions they say 1398 00:45:40,400 --> 00:45:42,440 write to them and they're trying to get 1399 00:45:42,440 --> 00:45:44,760 back to everybody within 24 hours a lot 1400 00:45:44,760 --> 00:45:46,440 of these ransomware gangs appear to have 1401 00:45:46,440 --> 00:45:49,240 like professional PR folks that are uh 1402 00:45:49,240 --> 00:45:50,920 watching their emails and responding on 1403 00:45:50,920 --> 00:45:54,040 a regular basis they had an FAQ on their 1404 00:45:54,040 --> 00:45:56,640 website um how did you decide to team 1405 00:45:56,640 --> 00:45:58,720 up and start a dedicated ransomware 1406 00:45:58,720 --> 00:46:00,319 group group of friends that were 1407 00:46:00,319 -->
00:46:03,040 interested in pentest we decided to try 1408 00:46:03,040 --> 00:46:04,359 it that's funny that's how I started my 1409 00:46:04,359 --> 00:46:07,520 company too um can you explain your 1410 00:46:07,520 --> 00:46:09,599 decision to publish a certain company's 1411 00:46:09,599 --> 00:46:12,319 data they didn't pay they're just very 1412 00:46:12,319 --> 00:46:14,160 black and white about this 1413 00:46:14,160 --> 00:46:16,440 one so anything else you want to add 1414 00:46:16,440 --> 00:46:18,599 Matt about the extortion piece no no I 1415 00:46:18,599 --> 00:46:20,000 think we we covered basically everything 1416 00:46:20,000 --> 00:46:21,359 we wanted to go into yeah they're 1417 00:46:21,359 --> 00:46:22,680 getting they're just very professional 1418 00:46:22,680 --> 00:46:24,920 about it and that's the bottom line here 1419 00:46:24,920 --> 00:46:26,880 um you know we looked at some some 1420 00:46:26,880 --> 00:46:29,079 financial statistics early on and talked 1421 00:46:29,079 --> 00:46:30,880 about the fact that ranser Gs are making 1422 00:46:30,880 --> 00:46:33,480 more and more money uh but the amount of 1423 00:46:33,480 --> 00:46:35,119 money that they make has consistently 1424 00:46:35,119 --> 00:46:37,280 been underestimated a couple years ago 1425 00:46:37,280 --> 00:46:39,079 if you looked at some of the blockchain 1426 00:46:39,079 --> 00:46:41,839 analysis reports um like uh the Bitcoin 1427 00:46:41,839 --> 00:46:43,640 Ledger and things like that we were 1428 00:46:43,640 --> 00:46:45,640 estimating about 400 as an industry 1429 00:46:45,640 --> 00:46:48,000 about $400 million in ransomware 1430 00:46:48,000 --> 00:46:50,319 payments and then the Russia Ukraine war 1431 00:46:50,319 --> 00:46:51,880 came out and the hackers hacked 1432 00:46:51,880 --> 00:46:53,240 themselves they had a big internal 1433 00:46:53,240 --> 00:46:55,400 conflict within kti you can see that on 1434 00:46:55,400 --> 00:46:58,520 the screen here um 
and so glory to the 1435 00:46:58,520 --> 00:47:00,520 Ukraine they dumped out 150 1436 00:47:00,520 --> 00:47:02,440 cryptocurrency addresses so all of a 1437 00:47:02,440 --> 00:47:05,000 sudden boom we know what addresses Ki is 1438 00:47:05,000 --> 00:47:06,640 using we can calculate the amount of 1439 00:47:06,640 --> 00:47:08,400 money that we've been making and what we 1440 00:47:08,400 --> 00:47:10,760 found was at the time they had made up 1441 00:47:10,760 --> 00:47:14,680 to $2.7 billion worth of bitcoin that is 1442 00:47:14,680 --> 00:47:16,960 one Ransom Our Gang and that was eye 1443 00:47:16,960 --> 00:47:19,119 openening because it dwarfed all prior 1444 00:47:19,119 --> 00:47:21,359 estimates for the entire industry so 1445 00:47:21,359 --> 00:47:23,200 that just shows us how much they're 1446 00:47:23,200 --> 00:47:25,160 making and the fact is that they are 1447 00:47:25,160 --> 00:47:26,920 reinvest ing some of that in their 1448 00:47:26,920 --> 00:47:28,079 businesses so they're getting 1449 00:47:28,079 --> 00:47:30,280 increasingly sophisticated they have 1450 00:47:30,280 --> 00:47:32,160 ransomwares of service platforms they 1451 00:47:32,160 --> 00:47:34,480 have franchise models with very detailed 1452 00:47:34,480 --> 00:47:36,760 instructions they have employees they 1453 00:47:36,760 --> 00:47:38,520 have contractors they have public 1454 00:47:38,520 --> 00:47:41,000 relations teams they have sophisticated 1455 00:47:41,000 --> 00:47:44,160 data leak portals and we need to be not 1456 00:47:44,160 --> 00:47:47,319 just reactive but also proactive so we 1457 00:47:47,319 --> 00:47:49,760 talked about a few of the controls um 1458 00:47:49,760 --> 00:47:51,559 that you can use to prevent ransomware 1459 00:47:51,559 --> 00:47:53,760 we'd much rather prevent uh than have to 1460 00:47:53,760 --> 00:47:55,839 respond to it um if you do want to stop 1461 00:47:55,839 --> 00:47:57,319 by our booth we have the top security 1462 
00:47:57,319 --> 00:48:00,040 controls of 2023 an actual handout not 1463 00:48:00,040 --> 00:48:02,359 just a wrist out um and that includes 1464 00:48:02,359 --> 00:48:04,400 things like deploy endpoint protection 1465 00:48:04,400 --> 00:48:06,040 cyber security training and awareness 1466 00:48:06,040 --> 00:48:08,880 pen testing nextg backups um and 1467 00:48:08,880 --> 00:48:10,880 incident response testing and training 1468 00:48:10,880 --> 00:48:12,880 and all of those are now nuanced it's 1469 00:48:12,880 --> 00:48:15,079 not just enough to check the checkbox on 1470 00:48:15,079 --> 00:48:16,559 backups they need to be a mutable 1471 00:48:16,559 --> 00:48:19,400 backups they need to not be sitting uh 1472 00:48:19,400 --> 00:48:22,440 in a virtual in a virtualized system so 1473 00:48:22,440 --> 00:48:24,000 um we have a little bit more detail on 1474 00:48:24,000 --> 00:48:25,960 each of those because it really the in 1475 00:48:25,960 --> 00:48:27,599 the details when it comes to ransomware 1476 00:48:27,599 --> 00:48:30,520 prevention these days so with that I 1477 00:48:30,520 --> 00:48:32,000 think we actually managed to whip 1478 00:48:32,000 --> 00:48:33,280 through these slides a little bit early 1479 00:48:33,280 --> 00:48:35,640 get you closer on time thank you guys so 1480 00:48:35,640 --> 00:48:38,240 much um 1481 00:48:38,240 --> 00:48:41,060 questions we'll take Applause and then 1482 00:48:41,060 --> 00:48:43,000 [Applause] 1483 00:48:43,000 --> 00:48:45,800 questions so when this type type of 1484 00:48:45,800 --> 00:48:48,319 thing happens and I have got to call 1485 00:48:48,319 --> 00:48:50,799 someone to help what's the Fe structure 1486 00:48:50,799 --> 00:48:54,319 how's that work like employee endpoints 1487 00:48:54,319 --> 00:48:56,799 servers like how do I get charged for 1488 00:48:56,799 --> 00:48:58,680 that so I believe your question is how 1489 00:48:58,680 --> 00:49:00,160 do you get charged for ransomware 1490 
00:49:00,160 --> 00:49:03,839 response yeah okay so um in a lot of 1491 00:49:03,839 --> 00:49:05,680 cases companies have already set up a 1492 00:49:05,680 --> 00:49:07,640 retainer with their incident response 1493 00:49:07,640 --> 00:49:09,880 organization and it's actually it you 1494 00:49:09,880 --> 00:49:11,119 need to know who you're going to call 1495 00:49:11,119 --> 00:49:12,680 ahead of time you probably want to 1496 00:49:12,680 --> 00:49:14,520 understand if you have cyber Insurance 1497 00:49:14,520 --> 00:49:16,040 um who is covered under your cyber 1498 00:49:16,040 --> 00:49:18,359 insurance policy how you get approval to 1499 00:49:18,359 --> 00:49:20,720 engage a third-party vendor whether the 1500 00:49:20,720 --> 00:49:22,559 insurance you know exactly how you 1501 00:49:22,559 --> 00:49:24,240 interface with the insurance company to 1502 00:49:24,240 --> 00:49:25,880 get coverage for those things so that's 1503 00:49:25,880 --> 00:49:28,079 just one thing to think about um and 1504 00:49:28,079 --> 00:49:30,559 yeah you may have uh if you want 24/7 1505 00:49:30,559 --> 00:49:31,599 response you're probably going to be 1506 00:49:31,599 --> 00:49:33,640 paying a retainer for that ahead of time 1507 00:49:33,640 --> 00:49:35,240 because the IR firm will have staff 1508 00:49:35,240 --> 00:49:37,359 available um otherwise you just pay by 1509 00:49:37,359 --> 00:49:39,000 the hour in a lot of cases did I miss 1510 00:49:39,000 --> 00:49:40,720 anything uh no your incident response 1511 00:49:40,720 --> 00:49:42,559 plan ideally should have a an order of 1512 00:49:42,559 --> 00:49:43,920 operations if something like that hits 1513 00:49:43,920 --> 00:49:45,720 so who do you contact First how do you 1514 00:49:45,720 --> 00:49:47,200 contact them uh how do you contact them 1515 00:49:47,200 --> 00:49:49,319 after hours or on weekends and what is 1516 00:49:49,319 --> 00:49:51,880 the what is the next step from there yes 1517 00:49:51,880 --> 
00:49:54,520 what is theity of 1518 00:49:54,520 --> 00:49:57,599 a response on retainer versus just 1519 00:49:57,599 --> 00:50:00,400 reaching out to somebody Insurance great 1520 00:50:00,400 --> 00:50:02,440 question uh do you need to have an IR 1521 00:50:02,440 --> 00:50:04,280 firm on retainer vers versus reach out 1522 00:50:04,280 --> 00:50:05,920 through Insurance you know honestly 1523 00:50:05,920 --> 00:50:08,760 these days I see companies that have an 1524 00:50:08,760 --> 00:50:11,079 IR firm on retainer but they haven't 1525 00:50:11,079 --> 00:50:12,480 checked to make sure they're covered by 1526 00:50:12,480 --> 00:50:14,280 insurance and so what happens in in an 1527 00:50:14,280 --> 00:50:16,680 incident is that the IR company starts 1528 00:50:16,680 --> 00:50:18,319 uh they're not covered by Insurance the 1529 00:50:18,319 --> 00:50:19,680 insurance company takes that 1530 00:50:19,680 --> 00:50:21,200 investigation away and all of a sudden 1531 00:50:21,200 --> 00:50:22,160 you're with a company you've never 1532 00:50:22,160 --> 00:50:24,520 worked with so it's really important to 1533 00:50:24,520 --> 00:50:25,680 make sure that those things are 1534 00:50:25,680 --> 00:50:28,000 harmonized um and sometimes when cyber 1535 00:50:28,000 --> 00:50:30,079 Insurance changes it doesn't know 1536 00:50:30,079 --> 00:50:31,920 security doesn't know or they don't know 1537 00:50:31,920 --> 00:50:33,359 the details it's like oh yeah we have a 1538 00:50:33,359 --> 00:50:36,119 new policy and um a lot of the work I've 1539 00:50:36,119 --> 00:50:37,640 been doing lately is just making sure 1540 00:50:37,640 --> 00:50:39,920 that incident response plans are being 1541 00:50:39,920 --> 00:50:41,960 are realistic and are taking into 1542 00:50:41,960 --> 00:50:44,520 account the Cyber Insurance piece of 1543 00:50:44,520 --> 00:50:48,720 it yes for um small companies 100 1544 00:50:48,720 --> 00:50:50,960 employees they don't even have an IR 1545 
00:50:50,960 --> 00:50:54,000 plan they one it manager but uh 1546 00:50:54,000 --> 00:50:56,160 ransomware is assess be their biggest 1547 00:50:56,160 --> 00:50:58,520 threat there's like reporting tools like 1548 00:50:58,520 --> 00:51:01,559 you know siza has uh their Ransom 1549 00:51:01,559 --> 00:51:05,920 reporting uh yes stage FBI has there U 1550 00:51:05,920 --> 00:51:08,880 cyber crime reporting about sides if 1551 00:51:08,880 --> 00:51:10,160 they don't you know they they haven't 1552 00:51:10,160 --> 00:51:11,839 even they're kind of shocked they're 1553 00:51:11,839 --> 00:51:14,720 surprised by an attack what are there 1554 00:51:14,720 --> 00:51:17,680 resources like is Sia offering resources 1555 00:51:17,680 --> 00:51:19,119 it's just two small potatoes unless 1556 00:51:19,119 --> 00:51:20,440 they're like critical infrastructure you 1557 00:51:20,440 --> 00:51:22,280 know what I mean like what what what can 1558 00:51:22,280 --> 00:51:24,359 they do if they're behind the game they 1559 00:51:24,359 --> 00:51:26,359 don't have backups 1560 00:51:26,359 --> 00:51:28,319 yeah what can small businesses do and 1561 00:51:28,319 --> 00:51:30,160 every every organization is behind the 1562 00:51:30,160 --> 00:51:32,119 game honestly but it's especially hard 1563 00:51:32,119 --> 00:51:34,240 for small businesses um sisa does have 1564 00:51:34,240 --> 00:51:35,760 some resources I'll turn it over to you 1565 00:51:35,760 --> 00:51:40,280 in a second but not to not overemphasize 1566 00:51:40,280 --> 00:51:42,920 this um cyber insurance is critical for 1567 00:51:42,920 --> 00:51:46,000 smbs especially breach response 1568 00:51:46,000 --> 00:51:47,720 insurance so for those of you who aren't 1569 00:51:47,720 --> 00:51:49,119 super familiar with cyber Insurance you 1570 00:51:49,119 --> 00:51:50,760 can get coverage for the cash loss you 1571 00:51:50,760 --> 00:51:51,839 can get coverage for business 1572 00:51:51,839 --> 00:51:53,760 Interruption 
all those are important 1573 00:51:53,760 --> 00:51:56,000 pieces for preparing for ransom attack 1574 00:51:56,000 --> 00:51:58,640 but I think the biggest uh most helpful 1575 00:51:58,640 --> 00:52:01,400 part for smbs is the breach response 1576 00:52:01,400 --> 00:52:03,920 support and certain cyber insurers not 1577 00:52:03,920 --> 00:52:05,480 all of them actually have their own like 1578 00:52:05,480 --> 00:52:07,480 meta incident response team so you call 1579 00:52:07,480 --> 00:52:09,000 them and you say it's like kind of like 1580 00:52:09,000 --> 00:52:10,599 AAA I'm stuck on the side of the road 1581 00:52:10,599 --> 00:52:12,119 you call them and say I'm experiencing a 1582 00:52:12,119 --> 00:52:14,280 ranser attack and they have someone that 1583 00:52:14,280 --> 00:52:16,359 handles these things day in and day out 1584 00:52:16,359 --> 00:52:17,760 jumping in guiding you through the 1585 00:52:17,760 --> 00:52:19,079 investigation you'll probably get a 1586 00:52:19,079 --> 00:52:21,240 breach attorney assigned to you uh 1587 00:52:21,240 --> 00:52:23,400 you'll probably get an IR firm assigned 1588 00:52:23,400 --> 00:52:24,839 to you and somebody who knows what 1589 00:52:24,839 --> 00:52:27,480 they're doing is overseeing that um if 1590 00:52:27,480 --> 00:52:29,119 you don't have cyber insurance it's a 1591 00:52:29,119 --> 00:52:31,359 good idea to have like a virtual ceso a 1592 00:52:31,359 --> 00:52:33,520 fractional ceso guiding you through that 1593 00:52:33,520 --> 00:52:35,240 as well um I've had the privilege of 1594 00:52:35,240 --> 00:52:36,760 working with my some of my clients in 1595 00:52:36,760 --> 00:52:38,520 that capacity too and you know just 1596 00:52:38,520 --> 00:52:40,040 having that oversight to make sure that 1597 00:52:40,040 --> 00:52:41,640 you're crossing the te's and dotting the 1598 00:52:41,640 --> 00:52:43,240 eyes um do you want to speak at all to 1599 00:52:43,240 --> 00:52:45,240 the sissor resources 
yeah I I'll speak 1600 00:52:45,240 --> 00:52:46,359 to that first off though just have them 1601 00:52:46,359 --> 00:52:48,920 call me we we'll take care of it uh no 1602 00:52:48,920 --> 00:52:50,160 when you're when we're talking about 1603 00:52:50,160 --> 00:52:51,319 response if you if you don't have a 1604 00:52:51,319 --> 00:52:52,680 formalized plan you don't have a you 1605 00:52:52,680 --> 00:52:54,160 know a big cyber insurance policy or 1606 00:52:54,160 --> 00:52:56,440 something like that I mean I it it it 1607 00:52:56,440 --> 00:52:58,119 seems fairly intuitive when a crime has 1608 00:52:58,119 --> 00:52:59,280 been committed but contact law 1609 00:52:59,280 --> 00:53:01,000 enforcement uh the the FBI actually has 1610 00:53:01,000 --> 00:53:03,040 a a great uh amount of resources that 1611 00:53:03,040 --> 00:53:05,040 can be useful for an organization in 1612 00:53:05,040 --> 00:53:06,720 that initial kind of response phase they 1613 00:53:06,720 --> 00:53:08,280 can guide a little bit of the action 1614 00:53:08,280 --> 00:53:09,160 there I mean they're they're not 1615 00:53:09,160 --> 00:53:10,480 obviously going to take over and do any 1616 00:53:10,480 --> 00:53:12,119 remediation but they can provide some 1617 00:53:12,119 --> 00:53:13,960 advice on kind of where to go next well 1618 00:53:13,960 --> 00:53:15,440 they don't advertise when they have a 1619 00:53:15,440 --> 00:53:17,079 decrypter you know that might be 1620 00:53:17,079 --> 00:53:18,240 something that they're keeping close to 1621 00:53:18,240 --> 00:53:19,599 their vest that they can provide to 1622 00:53:19,599 --> 00:53:21,440 victims but law enforcement may not 1623 00:53:21,440 --> 00:53:22,520 advertise that because they don't want 1624 00:53:22,520 --> 00:53:26,119 the bad guys to know they have it yep so 1625 00:53:26,119 --> 00:53:28,280 any other questions yeah we got one yeah 1626 00:53:28,280 --> 00:53:31,079 so you mentioned that you have the help 1627 
00:53:31,079 --> 00:53:34,160 a person to read a one time passcode 1628 00:53:34,160 --> 00:53:35,760 you're trying to reset their password 1629 00:53:35,760 --> 00:53:37,359 how do you effectively train your 1630 00:53:37,359 --> 00:53:40,160 employes readback one time pass people 1631 00:53:40,160 --> 00:53:42,240 on the phone and other circumstances but 1632 00:53:42,240 --> 00:53:45,079 do do it in this one specific C yes so 1633 00:53:45,079 --> 00:53:46,440 the question is back to social 1634 00:53:46,440 --> 00:53:48,559 engineering attacks and helped us and 1635 00:53:48,559 --> 00:53:49,799 that's a really good point how do you 1636 00:53:49,799 --> 00:53:52,880 train employees to read codes only to 1637 00:53:52,880 --> 00:53:55,880 certain people on the phone um and 1638 00:53:55,880 --> 00:53:58,640 remember by the way we just did a whole 1639 00:53:58,640 --> 00:54:00,920 in-depth talk on this um if you look at 1640 00:54:00,920 --> 00:54:03,680 our YouTube channel it's scams and fraud 1641 00:54:03,680 --> 00:54:05,280 um and so we can really go into depth 1642 00:54:05,280 --> 00:54:08,440 there but um first of all in the case 1643 00:54:08,440 --> 00:54:10,599 where your employees or your customers 1644 00:54:10,599 --> 00:54:12,640 are calling a call center they should be 1645 00:54:12,640 --> 00:54:14,119 contacting a number that they already 1646 00:54:14,119 --> 00:54:16,280 have on file that they trust as opposed 1647 00:54:16,280 --> 00:54:18,119 to people who are getting callers from 1648 00:54:18,119 --> 00:54:20,640 all over the place right so it's kind of 1649 00:54:20,640 --> 00:54:22,799 flipped um if you're calling a number 1650 00:54:22,799 --> 00:54:24,760 that you know and trust that's different 1651 00:54:24,760 --> 00:54:27,319 than you receive a call and you need to 1652 00:54:27,319 --> 00:54:30,640 verify that identity um humans are 1653 00:54:30,640 --> 00:54:32,240 always going to make mistakes and I 1654 00:54:32,240 --> 
00:54:34,160 think we just be need to be moving away 1655 00:54:34,160 --> 00:54:37,280 from fishing prone authentication uh our 1656 00:54:37,280 --> 00:54:39,240 federal government has already banned 1657 00:54:39,240 --> 00:54:41,960 agencies from doing that um and so check 1658 00:54:41,960 --> 00:54:44,520 out our talk uh because we do talk about 1659 00:54:44,520 --> 00:54:47,599 Alternatives maybe last 1660 00:54:47,599 --> 00:54:49,960 question all right cool oh one more in 1661 00:54:49,960 --> 00:54:56,200 the back sorry on 14 you have 0% off for 1662 00:54:56,200 --> 00:54:58,680 government oh yeah I was wondering if 1663 00:54:58,680 --> 00:55:00,240 someone would notice 1664 00:55:00,240 --> 00:55:04,880 that uh yes on slide 14 um the report 1665 00:55:04,880 --> 00:55:07,440 the stats are that government has done 1666 00:55:07,440 --> 00:55:09,559 zero layoffs at least in this particular 1667 00:55:09,559 --> 00:55:11,079 survey did you have a question about 1668 00:55:11,079 --> 00:55:13,760 that you know 1669 00:55:13,760 --> 00:55:16,079 why well I think it's unlikely that 1670 00:55:16,079 --> 00:55:18,119 government's going to go out of business 1671 00:55:18,119 --> 00:55:19,559 and they don't have quite the same 1672 00:55:19,559 --> 00:55:22,000 issues um obviously they do suffer you 1673 00:55:22,000 --> 00:55:23,240 know these organizations suffer 1674 00:55:23,240 --> 00:55:25,319 tremendously but it's not the same as if 1675 00:55:25,319 --> 00:55:26,559 you know a small Health there was a 1676 00:55:26,559 --> 00:55:28,400 small healthcare clinic in Florida that 1677 00:55:28,400 --> 00:55:29,799 got hit with ransomware and had to lay 1678 00:55:29,799 --> 00:55:31,799 off 50% of their staff because they just 1679 00:55:31,799 --> 00:55:34,200 literally didn't have the cash flow um 1680 00:55:34,200 --> 00:55:36,359 and some of these uh smbs in particular 1681 00:55:36,359 --> 00:55:38,680 are already like handt mouth uh paycheck 1682 
00:55:38,680 --> 00:55:40,920 to paycheck essentially as a business 1683 00:55:40,920 --> 00:55:42,799 and so A disruption of two to three 1684 00:55:42,799 --> 00:55:46,559 weeks can be devastating for them so on 1685 00:55:46,559 --> 00:55:48,720 that happy note uh thank you guys so 1686 00:55:48,720 --> 00:55:50,039 much for coming we appreciate it and 1687 00:55:50,039 --> 00:55:52,720 we'll be in our booth 1688 00:55:54,000 --> 00:55:57,000 afterwards