Cybersecurity: Amplified And Intensified

13. Finding faster with Jon Murchison.

May 26, 2021 Shiva Maharaj/Eric Taylor/Jon Murchison

Jonathan Murchison, the founder and CEO of Blackpoint, started his career in Network Engineering and IT operations, but quickly made the switch to the quiet world of the intelligence community. He has since spent over twelve years planning, conducting, and executing high-priority national security missions.

As a former NSA computer operations expert and IT professional, he is bringing a unique perspective to the mission of developing cyber defense software effective at detecting and detaining purposeful cyber intrusions and insider threats. Murchison holds multiple patents in methods of network analysis, defense, pattern analytics, and mobile platforms.

Jon Murchison | LinkedIn
Blackpoint Cyber | 24/7 Managed Detection and Response

Eric Taylor | LinkedIn
Twitter: barricadecyber
barricade cyber solutions - YouTube
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
Because you're entitled to IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Transcript


Shiva Maharaj:

This is the Cybersecurity Amplified and Intensified podcast. Today we'd like to welcome Jon Murchison of Blackpoint Cyber. Hey, Jon, how's it going? What's up, man? Thanks for having me. You want to just give us a little bit about yourself? And company?

Jon Murchison:

Yeah, absolutely. So, you know, I think myself I, you know, run the business, I consider myself a tech guy at heart, you know, I got I got started in this game kind of doing network engineering a long time ago. So more like this kind of Cisco route. And, you know, that kind of quickly led to getting into the intelligence community, because, you know, I'm from upstate New York, came down here to go to school. And obviously, the guy in the Baltimore DC area, the intelligence community is a big employer. So I ended up spending 12 years at National Security Agency in cyber operations. We call it CNO. Right, which encompasses a lot. But really, we were on the kind of foreign intelligence collection side of the house. So, you know, did that for a bunch of years. And at one point, I got injured, bad enough that I couldn't really work on site for a while. And that's when I decided, watch what is Blackpoint Cyber today. You know, really, we we primarily serve the MSP community. We're a cybersecurity software company, we make our own detection platform. And then we deliver it as a managed detection and response kind of product and service at the end. So that's pretty much the real condensed version of of me and what we do. Nice, E

Shiva Maharaj:

Anything you want to ask Jon over there? I'm

Eric Taylor:

Sure, I'll have a barrage of questions soon enough. Sorry. I'm a little heavily distracted today. So we may see a team version. I mean, I don't know. We'll see.

Shiva Maharaj:

That's no fun. We were just talking about the NetWalker and DarkSide stuff. What are your thoughts on them and how they've been operating? And what have you been seeing on your side of the world?

Jon Murchison:

So obviously, you know, the riots and NetWalkers, the DarkSide guys, what we what we saw, we saw a couple interesting things. First up, leading up to the election, right? Because remember, last March, if you listened to any cybersecurity vendor and their marketing team, the move to work from home has caused attacks to go through the roof, and I was thinking the whole time, that's bullshit. We're not seeing that at all. Don't worry, I'm allowed to curse, I guess. I won't go full me, which is really unedited, but you're seeing we didn't really see a material change in that time. We did, come June, July, start seeing some of the mass ransom activity uptick a bit. But really, August, September, October, I can tell you, at least from our experience, I don't know if these trends hold, we saw a 2,000% increase in responses we had to do. That meant bad guys, and they have domain admin creds, they're trying to spread through the network, and they're trying to tee up to mass ransomware you guys. And you know, by and large, each of these groups, you know, they have, they might have their own kind of, I would say, kind of maybe vertical they focus on, right? To hit people like the DarkSide guys are known as the big game hunters, right? So they're trying to look and understand, like, who has a lot of money, who can pay? And who can we really bring the pain to, you know, where they're gonna pay? Because they want it to go away? We see that, but I would say by and large, what is it from our experience and our SOC, so you know, take it with the lens I'm looking at this through, what enabled most of these breaches from these groups that I saw were actually unpatched firewalls for those 2019 vulnerabilities.
And the, the, that I think is so vulnerability in that, and the FortiGates and a whole bunch of other platforms that shared those libraries, allowed the bad guys to essentially mass scan, identify, like, we have a list of 50,000 IP addresses that are all vulnerable that was floating around the dark web by the bad guy groups. That means any of those companies, you could hit that, that clients get the clear text username password of anyone's VPN. That's where the COVID effect I think amped it up a bit, because so many people remote, the admins are VPN'd in all the time. And so really, the bad guy rolls in as domain admin. And then all the groups almost do the same thing once they're kind of testing creds, testing shared drives, clouds, and then just getting ready to push out a mass, all little thing like we, we do incident responses, that's something else we do as well. So it wasn't a customer of ours. They got hit by the DarkSide group about three months ago. They wanted a 30 and a half million dollar ransom and this was about a six, let's just call it 600 employee company in the kind of, you know, energy sector similar to Colonial. That was a really interesting one because they actually deployed some code to turn off the next gen AV EDR that was running. So they had a little jump up code exploit technique, they were able to defeat that stuff, but really everything before that one kind of on the box technique was the typical really noisy testing creds, seeing where they can spread and getting ready to pop this, pop this real quick. I mean, honestly, I think nation states, anyone who wants you're in a network, a lot of the hack looks the same because you have all the same problems you have to solve as a bad guy.

Shiva Maharaj:

So when these guys were in there making noise before they shut off this vendor that is a next gen Kool Aid. Yeah. Why didn't they get caught?

Jon Murchison:

Well, we weren't protecting him for one, because I think we would have caught them pretty easily. We just caught this group many times and stopped them. I don't think they got caught because, you know, like, I think, and I might be at odds with some other folks in the security community on this, so take it, you know, just take this as my personal opinion. I always felt like no matter how many exploits or code execution techniques, you know, backdoors, persistence techniques you have, we all love in the security world to nerd out on the tools, and what did they use and what little technique in the weeds, but at the end of the day, you never have enough techniques to get a whole job done generally. And so so much of hacking to me looks more like clever Windows domain administration, network engineering. So like a basic thing, you land in a network? I got to figure out, I mean, if the guy is at home, is he, is he at his real corporate network? Next thing I might do is I might traceroute out to Google, let's just see how many hops, right, see where ICMP traffic filter tells me like, oh, maybe there's a, you know, firewall device here. Might SSH the default gateway, see? Do they even allow me? Is it a Cisco shop? Do they have a banner on the Cisco device? It was an NSA recommendation, I thought was really stupid, but it just tells you that, hey, you've landed in the right place. Good, keep kicking ass. So I think if you're not looking for that gray area, where techniques that are done all day long by IT professionals are used by bad guys, you're gonna only be successful if you catch the malicious toolset, and not the operation itself. And so I think that's why

Eric Taylor:

I think it's much higher level than that, where people are not doing simple fucking logging or monitoring alone. No, I mean, there's so many things that are, you know, introduced into your network, you know, from an edge perspective, from a firewall, from IIS, from whatever. I mean, unless it is a Metasploit, which is a crafted deployment of a certain exploit, most of the time, they are fuzzing the hell out of your network, your IIS server, Apache server, whatever it is, or, you know, they're brute forcing their way, and there's so much stuff out there that they will try to breach in that should, you know, I use a word law, you know, set your hair and your neighbor's hair on fire, run around like a god a cut off. I mean, there's plenty of that stuff out there. The simple fact that, you know, I'm working right now. That's why I'm kind of team, I got a 350 user IR that I'm dealing with, and I don't care, I'll call out at hours all day long. But apparently Malwarebytes has an EDR now that's complete and total shit, and the simple fact that you have to go into your EDR and set a policy to have an uninstall password for your frontline to visit your workstation makes me want to turn this table over. Yeah, that is stupid. Yeah,

Jon Murchison:

It's, it's, it's tricky. And there's other, like, just little nuance things, like you guys are pros in it, right? Like, how often should you see someone try and mount a $ share on every device, and then that person be connected to VPN? Does it happen? Absolutely. Do you want live eyes on it? Absolutely. And so, you know, I just think, I just think in general, you won't catch these guys unless you have a really blended mix of good, the best you can, not the kind of anti malware detection, like it's kind of binary, it's either picking up on some techniques or a known bad file or it's not, but then also a good live view into what we call, they're always privileged, and they're always high consequence activities. You know, one, one specific example I can think of is like, you know, how a lot of the network monitoring products will use WMI remotely. Alright, so they auth against the box, ask questions. Like, we don't like that model, right? Because if you don't do that, and you're letting the agent, which is probably running as SYSTEM, do that, better. And you're not littering creds everywhere. When the bad guy goes to remotely execute a process on the remote machine, it looks almost identical to those, those kinds of network monitoring tools. So they're bad running them that way for two reasons. One, you're littering creds and leaving Kerberos tokens and crap everywhere. And two, it makes the environment a lot noisier. And so you have to now start tuning it out. And because anytime someone's auth'd into a box with a privileged account and asking a process to run remotely, that is important stuff. That is stuff, like, if you're actually good at MDR, that's the type of stuff you have to have some live eyes on. I see

Eric Taylor:

That reminds me back. And I guess this, you know, you start kicking on some key points that derived my focus. So here comes whole jackwagon mode. I remember back when, before ConnectWise bought out LabTech, and we were actually getting, you know, actual custom installations done on our servers. But there was a module in LabTech called Ignite that would be a noisy, noisy SOB, and their de facto was, oh, well, let's just start disabling all this stuff. Oh, why do we have it in there to begin with? I mean, you're supposed to be developing an automation platform that creates a bunch of noise that apparently we have to pay attention to, but now we're going to disable it.

Jon Murchison:

Yeah. There's, yeah, IT operations by default, you want maximum speed, maximum flexibility. And boy, some of those things run head into good security practices, jerky. But I think again, back to a point, like I always felt, you know, maybe I'm biased because I was more of a network guy. I was not a software engineer, you know. And I feel like software engineers tend to be really good at, the guys, you know, fuzzing an application, finding code execution techniques, figuring out how to persist. But I did always find, like, the IT guys who were kind of steeped in hacker tradecraft were better at moving around a network. And that's why I felt like when you're doing a good, so, so if you ask a dev to go catch a hacker, it's good. They're almost all malware focused, is what I've seen over the years. And I feel like you really want that blended mix. Because the tool, the malicious toolset, could be part of it, you know, the code execution technique can be part of it. But there's so much of that other part of the op that really looks like IT, and that's where the good practitioners will be able to know the difference.

Shiva Maharaj:

Speaking of that, I know DarkSide recently shut down, or they were shut down. Yeah, it's gonna trigger Eric here. But have you seen any new incidents by those guys, using those techniques? Because I think they're just gonna come back as a difference.

Jon Murchison:

Yeah, you know, I'm, I don't know what the heck happened. I read the same stuff you did. I don't have any inside baseball. I thought the timing was kind of clever on it, halfway right after their probably most famous attack ever. Whether it's DarkSide or any of these other groups, I mean, to me, they all behave the same when you're in the network, just maybe DarkSide spent more time researching their targets, I would say. So I would not be surprised if they come back in some other form or fashion or, or different name. I mean, you know, I see like the Verizon breach report. You know, phishing is the main source of infections and all this, which I totally agree. Like, there's a lot of that going on. The question is through what lens? Is it like, phishing is a vector to get into a network, is the number one way you get ransomware? Is that the number one way you get a malware detection with your AV? Because what we see is RDP and unpatched firewalls, at least in our SOC, are the number one way someone's in position attempting to masquerade. Did you guys see many incidents via Pulse Secure? Tons and tons of that, that was the most prevalent. Are you still seeing them? Because I'm

Shiva Maharaj:

willing to bet a lot of them are not patched?

Jon Murchison:

Yes, we see what we see on with all the vendors still.

Eric Taylor:

Are you seeing any without,

Jon Murchison:

Like throughout the whole Exchange thing? We are definitely, I mean, we just onboarded a PA trial customer. And we're like, you know that our SOC doesn't look at trial customers. But one of our automated analytics was like, this thing's got web shells on it. So we're definitely seeing that. We didn't want it for the first day. They went wild. Like, there's every box that was online was already popped, and had some, now no one was leveraging the access. We saw about two weeks later, people attempted to leverage. Well, they were, they were trying, I mean, most of our customers, we had gotten them squared away in the first day or so of that stuff coming up. But we absolutely see all those techniques still happening.

Shiva Maharaj:

Is that what you guys do when you see an owned box? If they are not a trial customer? You guys go in and remediate? Or do you need to ask permission? Or how's that work

Jon Murchison:

for us? Like when when the are, you know, the response side and MDR means everything to us, we actually mean it like we're getting proxies, you know, take machines offline, doing whatever, in a case like the like the exchange exploit. That one is kind of like, hey, we'll show you exactly what we just don't have the capability to do all this custom sort of remediate, you know, post breach remediation.

Shiva Maharaj:

Why not? The FBI did.

Jon Murchison:

Yeah, well, yeah, they did. But we do. But yeah, I mean, we had all those knocked out like within 24 hours of, of it becoming public. So I think we were pretty on top of it, mostly because, like, there's a couple things, certain things, bad guys in, he's got creds, we're stopping them all day long. We just take action. And we've really, we've actually had to push in our customer base. We had a big issue. Normally, you onboard with us, and then we had, here's a response playbook. You need to fill out, customer, tell us the rules of engagement. We have some recommendations, but tell us what you want. Oh, give me an example. Shiva, maybe you're cool with me, like, popping Windows 7 or Windows 10 boxes, but don't touch my domain controllers, Blackpoint, right, call me first. We had such an issue with customers not filling out the response playbook. Then they're out. So now we're kind of in like view only mode, right? And then I'm getting woke up in the middle of the night, my VP of threat ops is like, hey, this house is about to burn down and we can't get ahold of anyone at the customer site. What are we gonna do? Of course, I did what I thought was the ethical thing, which is to not let their house burn down, and we stopped it. So we've moved, we've had to move to like default playbooks, like you're gonna have to go out of your way to give us different rules of engagement, just because we were being too handcuffed and it was happening almost weekly. Where it's like these guys get advanced ransom, what do you do? Let it happen? And so you didn't fill out the playbook, or do we say? So it's been, you know, a couple little nuances there we've had to deal with. Do you think that's related to the end client or the MSP? MSP, because the end client has no clue, you know, most of the time that we're involved unless we're part of the sales, you know, as a bigger client or something. So, yeah, I was always, you know, I sympathize with you guys a lot.
Because not only are you running a crap ton of tools, you have a lot of networks to manage, and a lot of users who are challenging to manage on a lot of networks with a lot of tools and a lot of vendors and billing and, and all that type of stuff. I think it's just purely like time,

Shiva Maharaj:

I think, you know, I like to think Eric, and I don't fall into that category, only because we don't have the vast number of tools most of these msps are using. But also at the same time, I think we we vet our tools pretty well and make sure they're set up

Eric Taylor:

correctly. Yeah. Number one. Are you pitching a single pane of glass? Yes. All right. to you later. Yeah.

Jon Murchison:

It really feels good to say, hey, I may be misinvested and bought too many IT security tools. Now I'm not looking at, now I got a compliance thing. Now I got to get a single pane of glass log dumpster. And I'm gonna bring it all together. That feels good. Right. And but it doesn't work very well in practice, to your point, Eric. So that's, we call that the jazz hands of cybersecurity.

Eric Taylor:

Yeah, cuz I mean, you pop that friggin thing. And you're like jazz? And like?

Jon Murchison:

Yeah, well, and it's really like, okay, now it's in here. So, okay, what's the next step? I got 10,000 logs, I'm trying to correlate all together. Now, I got to pick, which am I jumping into, EDR tool, and I gotta log into that, you know, and then if you want to orchestrate, now I got to put an orchestration tool on top, then the APIs change. And what happens, we've seen this over and over again, it's usually the larger companies that, that are trying to, you know, align their cyber, you know, security setup with some framework. They got the next gen AV, EDR, the DNS tool, they have the firewall, they got the mail filtering too, they get all these tools. And then they bring it into a SIEM. And they realize no one's actually looking at the data, they can't manage it. So then they need a SIEM consulting company. And then they're like, oh, we need automation, because that's how you're going to get out of this jam. And then they go buy a SOAR tool, which is like If This Then That, you know, workflow type tool. And what I found is, they inevitably, I'm sure there's some that have pulled that off, just because they can, they have the resolve to stay with it and spend the money. But what I find is they spend more time building the damn mousetrap, and tweaking the mousetrap, than catching mice. And that's why it's cool to hear you guys saying use less tools, because we're a huge believer in a much more lean, but efficient and effective stack. It costs less, sells better, you guys make more profit, and it works better, you're not getting useless crap thrown at you. And that's a big issue we see a lot.

Shiva Maharaj:

are you guys doing anything with cloud services like bringing in 365 logs?

Jon Murchison:

We do have a 365 offering right now. In fact, we had an event with someone very close in our orbit, who turned out to be a customer, on Friday night. And my, my deputy in SOC was in town from Florida. And so we're all sitting by the fire, the VP and director and me, when I get a call, you know, from someone on my board. And yeah, we saved them from an event with that. On Friday nights. How

Shiva Maharaj:

old is your 365 product? Cuz I think when we spoke the last time it was either in dev or not really released?

Jon Murchison:

Yeah, we, yeah, we're leveraging some partner technology for that one. So it's been around for a while. But we've heavily modified a lot of, like, what actually caught this kind of breach on the backend was actually another analytic we ran that was bouncing logins off known bad proxy addresses and cloud addresses. So it wasn't something actually in, in that kind of that capability there. So we'll be continuing to invest heavily in that one. In fact, I just hired another developer, starts in a week, is going to be focusing more on that, because we see, like, if I take a step back and look at kind of the product ecosystem, like, so there's MDR, that's our normal thing, that's SNAP-Defense, that kind of handles your environment, like the, you know, hosted servers and on prem really well. So it's hybrid environments, well, then the next bundle's kind of check the box stuff, right, logging, compliance, file integrity monitoring, all that. That's our new product, LogIC, which you'll see a public announcement in like two weeks on that one. So that's, that's kind of like, help make the auditors go away and be comfortable, you get your crap together. The third bundle is gonna, is cloud. So we started with 365. But I think you'll watch us go hit Amazon and other cloud services, because one of the areas, and we don't see a ton of it in MSP, but you know, kind of, if you're running some of your infrastructure like AWS, or using EC2 instances, like I always get freaked out when I see companies where there's like one app and he's the only guy who can log in, or you know, they don't realize, like, the eggs are really kind of all in one basket if that account gets taken over. And so I think, you know, a lot of these cloud services, if you asked me, are less like point and shoot, stop an active hacker and process, like you would sitting in like a real environment, like a machine or, you know, server. They're more like pulling hygiene to the front.
And like smacking the user across the face to enable it and then alerting when, when any rules hit around there, like, you know, just like simple things like we get an alert, right when an email forwarding rules added, could be totally legitimate and fine, but it's definitely stuff you got to watch.

Shiva Maharaj:

Now, are you seeing more breaches or a compromise of 365? In the last few months than you did last year?

Jon Murchison:

For sure, for sure. And it's always this, it, there's like two main vectors we're seeing. And a third one I'm worried about that will tell you about one. No MFA. I mean, you have to have your head examined in 2021. If you're not turning this stuff on, but the client doesn't want it, it's too complicated.

Shiva Maharaj:

We can't do it.

Jon Murchison:

I think this is the case where it's kind of like the, the doctor, you know, you guys, the best MSPs I've seen have a security offering, and that's the offering. It's like, client, like, like, this is, this is how it works. You know, you don't really get to a la carte pick, you know, if you want seatbelts in your car. And so I think those models work really well. And then I would say, so just people getting tricked. Hey, I just shared a OneDrive document, log in, and we watched them, they tried to log in like five times, the creds didn't work, and the bad guys get the creds every time. And then the bad guys log in. So we see that, that's probably the most common. The one I've seen more lately is SMTP. This is kind of nerdy in the weeds, but SMTP authentication is on by default. And it's single factor. And so what we find is folks are getting creds, because, and we've noticed some of the groups doing it seem to be like those kind of old school, you know, kind of African email scammer guys are the ones that we've seen some of this come from, I'm sure everyone's doing it, but, and then what happens there is I think they're able to auth single factor. Now they're sending emails, like they're, you know, whoever they want to be in the org, and they use that, there, kind of now I'm saying in emails, if I'm Jon, and I'm socially engineering folks, to get banking information, stuff like that. So they're clearly after using that little bit of access to have a better, more believable social engineering operation.

Eric Taylor:

So to talk on that, are you getting to a spot inside of your organization where you're going to start making a recommendation, or at least alerting, you know, users, your, your, all your clients, against the compliance manager in Microsoft 365, to whatever framework you want to use? Like, hey, Mr. Customer, you know, or MSP, you got six tickets over here that are so far away from 871 that a guy could drive 10 Mack trucks through this, you want to come over here and shore this thing up? Or, you know, you offer a service to actually do that for them, touch stuff, or,

Jon Murchison:

Yeah, we're actually, I don't know if it's a little too early to announce this. One of the things, we're working on some M&A at the moment, you know, to bring, you know, some more capabilities in. One of the positions I want to create out of this is going to be compliance concierge. Really, just to help a lot. You know, if you read any of these compliance frameworks, there's no one in the world compliant with them. If you asked me, they're crazy, they contradict themselves half the time, and people kind of need, so we look at everything as what is the spirit and the intent of the PCI requirement or recommendation. And then we try our best to kind of counsel people. Separately, specific to your question on 365, in the onboarding with this product, there are a bunch of, like, that hygiene stuff that gets pulled to the surface. Now we only see that tenant, right, we don't see their other customers. So that is part of it. I will say, Eric, we have, I'd love to know your guys's, like, feedback, we have a massive issue still with RDP open to the internet. I mean, hundreds and hundreds and hundreds and hundreds of them. And we send notes non stop, we call, we do everything, we can't seem to change behavior. I'm joking, we should start charging $1,000 a month for that service to change the behavior, because it is literally, you're just playing with fire at that point. And we worry, you know, someone pops that server, they're domain admin already, put your time between, like, that going really sideways could be so fast. Maybe even we don't get our risk, I mean, hasn't happened to us yet, but maybe we don't get a response in time. And so that is a huge, huge issue.

Eric Taylor:

It is and you know, I may make the comments a little jokingly but you know, until they actually get pop, the clients are not going to give a shit.

Jon Murchison:

I know the problem. They're looking at us to protect them. I'm like, I'm not sure I can protect you with your front door open, like, you know, like, I mean, we have so far, but I worry. We take our success rate really seriously.

Eric Taylor:

I mean msps have got to get to a point where they're like look, either we change you find a new fucking partner.

Shiva Maharaj:

The problem there is Most msps are afraid to walk away from any type of money no matter what the end liability is going to be for the or they just do not have the talent in house to close an RDP port. As bad as that sounds.

Jon Murchison:

We saw an interesting one the other day where it was actually, so RDP wasn't open. It was like a VPN client running on a server. I don't remember the brand, otherwise I'd have mentioned it, and that one had an exploit, like, there's a code execution technique, no auth. And so that was another new one. You know, again, I think the real, I guess, advice there, you know, I remember when I started network engineering, the DMZ was like the thing, right? You know, that was old, really old school. But to me today, besides maybe a VPN port, there should be nothing open externally on your firewalls, and we need to move more towards even the VPN crap isn't open, you're more cloud brokered, like a zero trust, you know, cloud brokered access into the environment where you can really control the applications. Because this inevitably, like, oh, here's a real world example. 4000 endpoint customer of ours, we rolled out on them two years ago, they had the Iranians, and they're like an actual APT, real nation state tool that we got a hold of, and it could do a lot of neat things, and a ransomware group getting ready to ransom. The root cause was a misconfigured DMZ firewall rule. It's just, it opens up too many, there's too many moving parts there where people just screwed up, or they opened something that is supposed to be for like an hour just to get something working. I know how that works. We've all done it. And then they forget about it. That's why external vulnerability scanning, I argue, is almost more important than internal.

Shiva Maharaj:

Do you guys do external scans?

Jon Murchison:

We have it built into our partner portal for free. So if you're a customer, you get it. It's, you know, full cards on the table. We just hit the shodan.io API. And that does it, and I don't think it's, Shodan is cool. But as far as like a vulnerability scanner, I think we're probably going to swap it with something a little bit more robust.

Shiva Maharaj:

You're gonna give us Nessus for a cheaper price.

Jon Murchison:

Yeah, well, that's what we've been testing all the, obviously, you know, we're based out of Columbia, Ellicott City, and the Tenable guys are right down the street and, you know, their founder as well. So they're good folks over there. So who knows what we'll use. But yeah, I mean, right now you can see if you have any CVEs and open ports and, in fact, we built the thing so you can do it for your prospects through the portal. You know, if you have a new customer and you want to walk in, be like, listen, you've got Swiss cheese here. Just my experience, like I'd rather be running like Nmap and Nessus. Personally, I trust the results, that it wasn't missing something.

Shiva Maharaj:

I saw recently that a lot of the ransomware groups want zero days, and now it's the first thing they do is get onto a tool like Shodan and start scanning for every hacker the world gets, like Shodan to start. Oh, yeah. Do you guys mitigate that? Is there a way to mitigate when the CVE gets announced and the scans are coming in on your client machines or external servers?

Jon Murchison:

Yeah. So usually, when those things come out, the first thing we're doing is checking our own customer base, you know, just to see what's there. Like, it was interesting, we did a response on a financial firm that had an unpatched, I think, Pulse, Pulse Secure, they got popped. And then so it's all good, they're really happy to close down, we knew it came through that vector. The cool part was, so we didn't have like full scans of every single one, because you know, every single one's boundary stuff, but if it's something our agent's running on, you know, we'll definitely look at it. You know, we're just kind of a line where a firewall is a little bit trickier. All you got is really a vulnerability scan, just to know if it's patched and that vulnerable service is running. But then we got the list of 50,000 IPs from the dark web from some of the hacker groups online. And this IP was in there. So it was actually kind of, it was clear, like that list was going around. And the bad guys are actioning it, which is kind of neat. Generally, though, I would say by and large, exploits are bad, they go quick, you know, we get the comms out. And you know, we just make sure there aren't any crazy issues. But at the end of the day, our whole model of what we do assumes someone got in one way or another, whether it's exploited, Edward Snowden, a bad guy, you know, insider, like we don't really care, it's more about learning that really bad damage. So I'm always willing to give up like one boundary device or one thing here, you know, as long as the whole company doesn't get taken down, as long as you can catch those follow on, you know, kind of the rest of the op. 
I think that's one of the things many times that separates nation states from criminal groups is the method of initial access is more clever, and there's a lot more techniques because, you know, it doesn't matter who you are, it's just, you know, fundamentals when you get in a network, you still got to figure out where you are, if your creds are good, what other services are running. You know, you don't just magically see other subnets, you know, fundamentals of networking 101. It's one of my questions I ask in interviews, like, are broadcasts passed by default between subnets? No one's answered it right yet. It's always like, you know, those basics matter in this game.

Shiva Maharaj:

Have you guys seen a lot of repeat incidents? Meaning, you know, someone got popped, an IR was done, not necessarily by you guys, and then they get popped again and it lands in your arms and you have to deal with it. And it was probably because the first IR didn't clean it up effectively.

Jon Murchison:

I can't say that I've seen it. But I also can't say I wouldn't, we would know that it had something that has happened in the past. I will say there's one very specific case. And this was kind of out of, it was some larger company. And these guys were thinking about onboarding us as a customer, they got popped by the NetWalker group during that deliberation time, this was because of the unpatched firewall. So we found that right away. And then the first thing to do is get our product rolled out, with some other IR firms using us as like the first thing just because it makes a map and we see all the accounts and everything that's being used. And so in that case, we found out how they got in, we got it patched. Unfortunately, they had to pay a ransom because they were kind of screwed at that point. But we got them a forensics firm that we trust, to help consult and get them back up and running. And then we're okay, all those good. Two weeks later, they're all back up and running. And we're doing our MDR thing, we had another major attempt. That was the first second bite of the apple I had seen in our base. Now what we don't know is whether it's the same group, because their tradecraft looks the same through most of these groups. So it's kind of hard to tell. Like, you can't really tell, the dollar sign amount looks different than the other one, you know. But what the root cause of this one was, we asked him, did you reset every password in your domain and for the VPN? Yes, they did that, because the bad guys came in with a previous username and password, just VPN. So what we don't know sometimes, I have no direct evidence to, I want to be really clear. But I think some of these criminal groups will sell off like passwords and IPs to other ones. And it could have been another group that came in and hit him again. 
But that would have been bad because we helped him get out of the jam, we rolled out, and if we missed, obviously, that would have been hyper embarrassing. But we stopped it. But that was the one time I've seen what felt like someone coming back to get more. I just can't say it was the same group.

Shiva Maharaj:

Have you guys seen a lot of movement from Avaddon, that relatively new group? Let's move around. They're pretty active, I'd say, in Asia, Europe right now, and they're touching in on the US.

Jon Murchison:

I was gonna say I hadn't heard of them yet. So I can't guess that. I'll send you the onion link offline. Okay, cool. So I think the answer's no, but I'm not sure. A lot of times we know which group's doing what, I mean, the attribution part of it usually comes when that ransom message is on the screen. And so we tend to never see that because we're stopping it. But we're usually catching it in that phase, when they're just trying to figure out is their access good or their creds good. And that's when we're smoking them and locking things down, generally. So we have a really hard time with attribution just because there's just not enough. You know, they use an Angry IP Scanner, you know, NetScan or something like that. It's just benign stuff. How are you guys figuring out if the firewalls are unpatched or have vulnerabilities on? Usually, for me, this vulnerability scan immediately, and port scan, just see if it's already here, and then the other thing, you can always tell, like, we do all this live network mapping, right, we're using our IP configs. If we have, you know, kind of integration with Meraki turned on, we see all their VLANs. And it's usually very clear when it's VPN based, they look different than the other ones. So that's usually our first clue, when we didn't see like, you know, something that seemed to get spawned from, you know, a user clicking on an email or opening a Word doc that launched some macros or something, when it's like, immediately a privileged account is just starting to RDP to critical servers, or this VPN account is lighting up, you know, shared drives, that is usually a good indicator to us that it came through kind of a boundary appliance of some sort. That's a good question. No one's ever asked me that one before that would actually matter.

Shiva Maharaj:

It does, because, you know, I think it's one of those low hanging fruits that people overlook all the time.

Eric Taylor:

So Jon, here's what the average, just so you know, when you're going into an IR situation, these guys are known, like Shiva was saying, mostly in the UK and things of that nature, but their claim to fame is, if you don't start paying them, they're gonna start DDoSing your entire network afterwards.

Jon Murchison:

These are the guys who actually we're just talking about now, because they're really hammering, aren't they hammering Central American, South American banks really bad? Yep. We actually, yeah, we actually have here, you know, Run startups, and Will is another ex NSA guy like me, we're sitting around the fire talking about these groups on Friday night till like two in the morning, that are targeting a lot of the Mexican banks, actually. They seem

Shiva Maharaj:

to want to operate everywhere. But in the US. Yeah. I mean, they're coming. Smart.

Eric Taylor:

You can see, you know, five days are counting down for these guys. These guys are about to get released. There's a ton coming up. Oh, my gosh. Like I said, I'll share the audio mic with you offline on believable. I don't want to publicly put it out there and just whatever.

Jon Murchison:

Yeah, yeah, that's, uh, it's hard enough to run a business and make it successful and build things, any of these assholes, you know, to make it worse. You know, the worst part about it, like this, I'm definitely gonna probably get flamed by some of the security community. The worst part is, I have not seen a tool yet from a criminal group that wasn't an open source pen test tool involved in the app. So we do all this stuff for the interest of good, we release all these tools, yet they're continually used by bad guys. That's kind of interesting. I know, we know, I know we need to do this stuff. But it always kind of strikes me as, man, if you didn't have all those open source pentesting tools and no cryptocurrencies, it'd be kind of hard for me to get paid. I think they'd figure out a way to get a diamond, I think, too, but it just makes it so easy for adversaries, that truce lower. Exactly.

Eric Taylor:

Here's, and this really goes back to the whole login, it really goes back to, you know, securing your own stack. So we definitely have a problem here in the United States, where guys like us are few and far between, to, quote unquote, you know, be the unicorn to be able to go in there and actually stop threats, remediate against threats, blah, blah, blah, but it's definitely a shortcoming in supply. So I'm grateful to those that are, you know, releasing the tools. But do you see where it's a double edged sword, where even though these things are being released, you know, I'll go through as they're looking at them and seeing if I can use them on my own. But that's a short, my situation, but there's a ton of people out there that really don't shore up their own. And that's kind of where I really want to get to on the next one, because I know we're getting a little bit short on time. But to talk about security and compliancy. You know, this has been something that, you know, a lot of people have been going out and, you know, really touting what Joe Biden has done about his whole executive order. Have you read up on this thing yet?

Jon Murchison:

I read some of it. And obviously, I'm losing one of my most excellent board members, because Joe Biden just hired him to be the National Cyber Director, the first one. Good, when he gets there, can you smack him, please? I know, I know. So, you know, the

Shiva Maharaj:

Secret Service is gonna hear that and come pay you.

Eric Taylor:

My address is 123 Sesame Street.

Jon Murchison:

Yeah, I can tell you though, Chris Inglis, I don't think they could have picked anyone more qualified, in my opinion. Others might disagree. He was the most respected civilian leader I've ever, ever seen at NSA. And he knows this stuff. It's, it's a really challenging, all the, I have a real love hate relationship with compliance frameworks. Because you know, I look at it this way, like, does the adversary give a goddamn if you are SOC 2 compliant? Or do they care that you missed patching that Pulse Secure thing by a day? Right. And so now they're good frameworks to try and level up the maturity. But they're written so obtuse that it's hard to even make sense. I'll give you a perfect example. We went round and round engineering this file integrity monitoring. It's mandated in like all these compliance frameworks. I see almost nobody do it, ever. And the real answer is like, so I always go back to what was the spirit, my interpretation of the spirit, of why someone wrote FIM and made it in confusing language in a compliance framework. It's because like, a healthcare company gets popped or a defense contractor gets popped, and they want to know what files were stolen. Right. I think that was really kind of it. And so what do I do, do you ever see crystal clear guidance from the government on, like, hey, for example, maybe these are the default directories you would always want to watch. And here are some recommendations of, you know, kind of a specific directory you need to roll out as a policy. I'll give you a real world example. I'm a radiology firm. And I'm a radiologist, and I'm bringing images down from patients and patient records, and I'm analyzing them on my computer. To me, then, the spirit of FIM, I probably want to monitor System32. So that's something our new product does by default. I'd probably want to monitor any user on the box, it's like documents, desktop, places where real files sit that, you know, humans use. 
And then for an org, I would probably want that location where that specific application we've deployed across an enterprise stores that sensitive data, but you never get that layman's, you know, description from these compliance frameworks. So people just go check the box and we collect tons of logs and we create a whole bunch of noise, and no one ever looks at it. And it's, I just wish there was some way to make, that's our attempt with having MDR as our no BS stop a hacker. And this other thing is a check a box where we store the logs and we have it all, we're just, I just wish, I think the government needs to do a lot better at pragmatic, practical recommendations instead of these, you know, really kind of confusingly worded compliance decrees.

Shiva Maharaj:

Do you think there's anything in that executive order, in terms of what needs to be done to actually secure systems, that hasn't been codified somewhere else for the government? Because it seems just to be a complete rehashing of existing standards that should have been in place anyway.

Eric Taylor:

I'll take that one a little further, if you don't mind. Yeah, there's a bunch of executive orders where a bunch of people are going to go fucking sit in a corner and look at a bunch of shit and then supposedly write back, oh, we did these things. And this is supposed to come up with a framework, and then report back in 180 days. Well, motherfucker, they've already got seven damn frameworks. Think one a lot. You know, you have 90 days or six months to implement MFA? How about six fucking minutes? Yeah. How about that for a change?

Jon Murchison:

I guess that's the thing. There needs to be these compliance frameworks. I don't know who writes them. It's clearly not cybersecurity guys. Not real ones.

Shiva Maharaj:

It's the company selling the training and the setup. But the documentation because like some I read it, I read it three times, like what the hell are they trying? Like? What is the point of this?

Eric Taylor:

The great thing about it is data regime, because this is the part where I really get triggered at, you know, if you go in there and look, it depends on what crack you're smoking that day and who you're talking to. There's people who actually claim that this thing is going to impact MSPs. There's not a verbiage in there that applies to the public sector. So this would not have fixed SolarWinds or stopped it, it would not have fixed or stopped Colonial Pipeline or any damn thing other. It only applies to government entities and those who have a government contract or federal contract.

Jon Murchison:

We've had a lot of internal discussions about, you know, just because we think about this stuff, we came out of the government, you know, and it's like, to me, is it? Are there parts of the government where we have four nation states trying to hack and steal data, hook them, disrupt them, make their life terrible? Yes. But the real battlefield seems to be against corporate America by criminal groups, predominantly, and then some intellectual property theft, you know, and the government, the way they threat hunt today, to me, it's like so old school, it's unbelievable. It's, you know, and I think in all these compliance frameworks, if you read them, they will lead you down to the only tool I should ever run is a SIEM. You know, I should pump everything into that. And they create so much work. And it's like, maybe go pick the last 10 really major notable breaches, like for big companies, I'm willing to bet they had an outsourced team as a service.

Shiva Maharaj:

That worked for you. I had an outsourced SOC and SIEM as a service that was banging on the doors, and to this day, they never figured it out. So yeah, yeah, I get it. He loves that story.

Jon Murchison:

Yeah, that's, that's the, you know, that's just kind of that weird mix. But yeah, I don't know the right answer. I think it's a really hard problem. But we somehow need like, you know, some just pragmatic, like, examples. Like an example: so here's a fictitious company. This is the compliance front. These are the types of technologies, you know, domain name, vendors that they rolled out and how that would be a good, you know, maybe like, here's a good example of compliance, a medium, and a crappy example of it. And it would just be kind of cool to see the government lead that way, because they need to be doing that. And then they need to be focused on engaging those bad guys and getting them shut down as fast as they can, treat them more like our counterterrorism operations. Because they're just operating with impunity.

Shiva Maharaj:

It's hard to get those guys, right, if they're operating in countries we have zero jurisdiction and potential reach into. I would

Jon Murchison:

say yes or no. I'd put it this way, if we made a conscious effort, in my opinion, Shiva, like the United States going to go solve that problem, I think it would make a serious dent. We might not have legal jurisdiction, but there's a whole other national security arm of our government, you know, that does overseas operations. And I think the problem is

Shiva Maharaj:

here, we look at it as a legal remedy, or we're looking for a legal remedy to, I guess, a counterterrorism incident. We don't really think about it right. So maybe you're right, put it into that category and let that group of guys go after it.

Jon Murchison:

They are like just ruining people's livelihoods. They're taking out hospitals, like it is, not to mention stealing just massive amounts of money. It's such a huge issue, and I guess selfishly it keeps companies like us in business, right. But at the end of the day, no matter what they do, there's always going to be enough, I think, for

Shiva Maharaj:

folks like us figure it out. We'll still be able to eat dinner,

Jon Murchison:

but I still want them to make a meaningful dent. Because it's, you know, when you combine that with, you know, some of like the purposeful, built, you know, intelligence agency driven disinformation campaigns that are being pushed on the US all the time. I mean, that is an active part of foreign intelligence, they dedicate tons of people to doing that. Because when you can't agree on what, you know, something is a fact or not a fact anymore, your systems are getting attacked and disrupted. A lot of the way we work in the West is based on like a mutual understanding of some common facts. You know, you can't trust your data, and then your systems, you lose continuity of operations from a ransom event. I mean, it's pretty gnarly. Look, it's an economic and social, what's

Eric Taylor:

the point where, you know, what I'm going into stuff, even, you know, in a non IR, you know, we got a prospect that we're dealing with right now. And I realized I am getting to the point, I think a lot of infosec is, I started talking to a lot of them, where we start getting really jaded, where we just go into a network, and we're just like, this whole entire thing is fucked until proven otherwise.

Jon Murchison:

Yeah. Yeah. And like, crap. Easy to get jaded in this one.

Shiva Maharaj:

A lot of these ransomware events, I always, I think, yes, money is an important factor to it. But it's beating down the resolve of the American people. It's showing you, say, hey, you're not protected. You're not safe anywhere. And your government's not doing anything about it. Yeah, as far as going after corporate America, with the way federal procurement goes, if you want to get into the government, just breach their supply chain, which is corporate America, who's going to do everything for the cheapest price possible.

Jon Murchison:

It is, I mean, you just nailed the nuance in nation state activity that I think is really important. Actually, something I've, you know, especially since a lot of MSPs are gonna listen to this, I'd love to get it out there. It is, so first off, I think most people will agree, and speak up if you disagree, that any network connected to the internet is probably a viable target for a criminal group, right? Because they'll, you know, if they think they can, they don't care. On the nation state side, for espionage or intellectual property theft, there are types of companies that I think will generate a lot more interest than other types. And so MSPs, I will say, serve tons of small boutique defense contractors who make some really important widget that goes into a missile or an airplane or something up the supply chain. I can promise you, the bad guys will systematically, if their job is to get, you know, intel on designs of a new weapon or space part, they will systematically try and break down and make a whole network analysis of every company involved in the supply chain. Instead of, let's say it was Northrop that was the head of the product, instead of maybe going right after them, they're going to go hit all these mom and pops that are served by MSPs down the supply chain. We had a real world case of that. And this was a customer that, obviously, I can't, I'm not even gonna say what they made, but they made a part, you know, that was on an aerial platform of some sort. And

Shiva Maharaj:

I think I know what you're talking about. Yeah. And and yeah, right. I know a similar situation.

Jon Murchison:

Okay. And what was kind of interesting, in this one the bad guys, I think, came in, this was a long time ago. I think it came in through either stolen VPN creds or an unpatched firewall, it's one of those. So again, hard one, like those are ones we really spun up because there's such a short time. But in this case, they immediately went, they did the normal net commands, interrogated the domain controller, of course, and not to throw shade on the AV/EDR, because those have caused a lot of this tradecraft, Webroot does not count as EDR, I didn't name any names, but this was more of a, like, you know, kind of a newer company EDR, you know, like you'd expect, and no alerts, but not surprising, because they hadn't really done anything, there was no malware yet involved. So they interrogated the domain, and then went immediately to the CNC machine. So we stopped them right away. But I know damn well what they were after. That is where you get the AutoCAD files for the production part

Shiva Maharaj:

on a legacy system, that in

Jon Murchison:

bodies intellectual property theft 101 via cyber means. And so, you know, that was a good one, we felt good about stopping that one. But I'm sure they're gonna get targeted a ton of times. I mean, nation states, that's the other thing, they don't stop, they just, every day you wake up and your job is do X.

Eric Taylor:

If you take SolarWinds from a 30,000 foot view and what happened to them, what you said very much makes exact sense. You know, it really drives home that they will take the time to map out your entire network and get to the bottom of whatever they're after to get that information. You, we've got social network. Yeah.

Shiva Maharaj:

I've got a question for you, Jon. I mean, you came from the government space. And I don't know if you can talk about this. All of our compliance sets are public knowledge. Yeah. If you want to do business with the defense industry, or DoD, you can go onto a website and see exactly what checkboxes you need to check. Is that the same with the Chinese and the Russians? Boy?

Jon Murchison:

I don't know the answer to that. Actually, I don't know if they have compliance frameworks, to be honest. And sure

Shiva Maharaj:

they have a ton of security frameworks that say, you know, go to Siberia if you do this, you go to the gulag if you do that. But my question is more based on how easily accessible is that information to someone who wants to carry out offensive operations or anything to figure out how to breach a supply chain, whereas, you know, we're bare to the internet with our compliances.

Jon Murchison:

Yeah, no, that's a really good question. I can't say I've ever used like a kind of compliance capability in targeting, you know, as far as to narrow in, but you raise a really good point. I'll say, like, there's a couple of things that always stand out to me. I don't remember, Eric, if it was you that said it, that the nation states will take time to systematically map out your network. To me, it's mapping the network out, mapping the exact tools that are used, so, you know, they'll focus on procurement, where you buy your stuff from. And then the third part is the social network. So they'll map out the org structure and where their online, you know, touch points are, where you can get open source intelligence. You know, for me, like when you're chasing bad guys who don't want to be found and don't have formal companies, like they don't have any of this stuff, it's way easier to attack a real company with a well engineered network, if you ask me. Because they have a reason to communicate with the outside world. So I always used to have a presentation I give sometimes, and said, MSP, I want you to think of you and your customers like three buckets: those that create data, you know, that a bad guy might want to steal, so your intellectual property creators; those that control the environment, so your IT; and then those that have a reason to communicate with the outside world, sales, marketing, you know, finance, right. That's how a bad guy, many times, I think a sophisticated adversary will think about you, and then think about what you're putting online. So instead of maybe going to a compliance framework, where I'd say, oh, they require the file integrity monitor, I better not touch this certain directory or something, I would be more interested, if I were a bad guy, in the resumes of some of their employees, because IT guys, right, list the tools they use on the resume. 
And the tools they use are what I would expect to run into when you get into the environment. That's the type of stuff you think about, right? You know, so that's where when I see on LinkedIn, hey, I'm the head Windows domain administrator for MSP XYZ, we run 2008, Server 2012, you know, cache or whatever, for our, you know, kind of RMM tool, you know, they start listing all that down, and that's the stuff I want to count. So I'm like, guys, first off, that's private information, I think, and two, there's no need for that to be on the internet. So it's free to do a little audit and maybe have a policy on your social media, so you're not telling the bad guys what you're running. It's another reason, like, I know we have, you know, some customers that talk publicly about us, but we don't try to make a huge habit of dragging around every notable customer to say they're using Blackpoint. Because I'm just telling the bad guys. Because we did a response that was running two AVs. And this is a Swiss cheese network. So the bad guys had free rein, they could come in and out like the firewall, there's so many holes, there's domain controllers they didn't even know about. We stopped wave one, because they tried to hit every server, right? And in this particular, you know, municipality, we stopped it. Two hours later, wave two came back, but you know, it's two commands we saw them attempting to execute to defeat the two AVs, because they thought that's who it was. So I like preserving a little bit of an element of surprise on the response side. I think all those lessons, that whole, was it the combined arms sort of dilemma that, you know, the Marine Corps really honed after World War Two and beyond, all those lessons learned directly apply to offensive or defensive cyber operations, in my, what's your

Shiva Maharaj:

take, or your, I mean, your policy for your employees on social media? For me, they're not allowed to post that they work here.

Jon Murchison:

Our policies are more geared on you can't talk about the type of stuff we're running. Just because everyone's on LinkedIn, you know, so you're gonna find them, even the fakes. Hmm. Even the fakes, the fakes. Yeah, problem. I

Shiva Maharaj:

found someone who tried to add me who runs cybersecurity conferences in the UK. And he has a striking resemblance to Tom Colicchio from Top Chef. Oh, weird. And when you take his picture and you do a reverse image search, it only brings up Tom Colicchio. Little Harris, I was on Clubhouse in a cybersecurity AMA last week. There was an attorney in there from the state risk board of Massachusetts, didn't sound like an attorney. But their measured approach and how they speak, look, profile littered with typos. Take a screenshot, sent it to her actual work email address in Massachusetts, right? Just like, yeah, no, that's not me. Like, well, you should probably take care of that. Wow. Yeah, I

Jon Murchison:

will say I'm a little bit appalled at some of the groups. When I see groups on LinkedIn of former intelligence professionals, you know, or so that one, okay, it's former. The one that really gets me is the one I saw that was cybersecurity professionals for critical infrastructure. And so like, if you wanted like one locate, and there was like 1600 members or something crazy last time I looked, I mean, think about a collection of human assets to go work on and develop, if you're a foreign nation state adversary intelligence organ, too, who probably has like highly privileged keys to the kingdom in those environments? Well, there you go, you don't have to look very far, because they just told you, and there's a whole collection of them. And that's how you can infiltrate the social circle, you know, and this type of shit is just like, you know, unfortunately, in our industry, as you guys know, there are very, very, very few cybersecurity professionals that have ever actually been the bad guy for a living, because it's illegal, right, unless you work for the government or something like that. And so there's, I think there's just that little kind of slice of the knowledge that's missing on the pragmatic targeting side, because if you've never targeted someone or an organization before, you just don't think of certain things, like, that would probably be a bad idea to make a collection of the people and a list of everyone who's responsible for just carrying major utilities and all this other stuff.

Shiva Maharaj:

You know, everyone wants to be heard these days, right? So they're joining those groups, like

Jon Murchison:

it's going out of style. It took me forever to ever save that Santa say, to be honest with you. But I mean, at some point, it'll be the worst kept secret in the world. So it is what it is. Yeah,

Eric Taylor:

well, if we ever get back around to having cokes, and beer and all that stuff. I'll tell you about some of my exploits. And I'll be one other person, you'll know that was a bad person before they weren't good.

Jon Murchison:

Yeah, yeah. No, I knew the first time we met the questions you were asking were coming from experience. So that made it easy to say, cool, we can have an honest conversation. I'm not going to be asked about the next how our sweet AI machine learning is solving all of hacking's problems.

Eric Taylor:

I think I just got triggered in so many different ways.

Shiva Maharaj:

AI is the easiest way to trigger either one of us, because it's just

Jon Murchison:

saying, I love it. It's misapplied. Let's not, let's not claim, you know, it's magic. Because 90% of these next-gen AV alerts that come into our SOCs, we have tons of integrations, are all false positives.

Shiva Maharaj:

It's all if-then, I mean, you said earlier. One last question for you. Yeah. Are you guys doing anything with monitoring enterprise applications within, say, Office 365?

Jon Murchison:

Yeah, I wanted to bring that up, actually. I remember I mentioned three things. I'm like an idiot. I said, because that's my hot button for 365. No

Shiva Maharaj:

one audits those things.

Jon Murchison:

Yes. The answer is yes. In fact, we have it set up so we get alerts. So there's a couple of things. I think this is going to be one of the worst attack vectors moving forward, working best for the

Shiva Maharaj:

bad guy.

Jon Murchison:

Yeah, yeah, exactly. It goes as follows. For those that aren't familiar, whoever's watching. By default, any user in 365, at least the last time I looked personally, could say, hey, you know, we use HubSpot for CRM, right? I want to integrate HubSpot and my calendar or something, and so you log on with your 365 creds and magic happens, it's integrated behind the scenes. You're literally giving that application whatever permissions it asks for, up to your level of permissions. And so, by default, it is the most beautiful opportunity for socially engineering a bad enterprise app into an org that can touch all of their OneDrive stuff and, and you name it. And so that is a huge concern. So step one is you can definitely immediately set that so only admins can do it, and any time someone asks, it emails all the admins. That's like a free step, do it instantly. We, through the 365 tool, do get alerts when these things, you know, in theory, are added. But I think we saw that one with the kind of larger fallout, the SolarWinds attack, I think they leveraged some of that capability. And I just think it's just so ripe for really bad things to happen. Then you get this whole game where you can start, you know, executing PowerShell back in the on-prem from the cloud stuff, and it can be a runaway train real quick. So I'm glad you brought that up, because it is single-handedly one of my biggest fears right now, and I think 99% of companies or more would never catch it. Ever. If you asked me,

Eric Taylor:

you want something else that'll make you crap your pants for a little while, yeah. Take a non-global-admin user and log into the Azure portal. You're welcome. Done that. You're welcome. Is it ugly? You'd be surprised what a non-global admin can see in the Azure portal.

Shiva Maharaj:

Just so you know, there's a CIA policy you can lock down. But again, it's not by default, you have to build those on your own. Yeah. But you know, my question goes a little deeper in the sense that maybe it's too new in its headlines for these applications. Are you guys running threat hunting against what applications are in the environment, to see if they're stepping out of bounds?

Jon Murchison:

We have on our own, not as part of our service. Just, I don't think we, you know, we have to build a lot of automation for it to ever, like, make dollars and cents, but we have looked. And I was actually shocked when I saw our own environment, you know, months and months ago, when we were looking at this stuff. I was like, damn, some of these apps ask for like a lot. Here, I'll tell you one that's like, what's the worst? If you have an old-school Synology NAS on-prem, and you want to back up your 365, that thing can do anything it wants.

Eric Taylor:

forever. Yep, it gets global admin rights cued up,

Jon Murchison:

Brutal, it is brutal. So we have looked at it. I don't think we've done any kind of, you know, auditing like as a service, where people are paying us money to do it. But we have looked at ours. And for some of our bigger customers, where we're just trying to say, guys, you need to get eyes on, we'll help you, we'll show you what to look at. We've looked at some of those. And I'm always just blown away how many freakin' apps are in there. I've

Shiva Maharaj:

never heard. I wish Microsoft would have a tag that says this came with your tenant, because they don't identify themselves properly. You can see an Outlook app and you don't know if it's Microsoft-signed, or if it's China-signed,

Jon Murchison:

I almost think Microsoft needs to have a little bit of the Apple model, where it's like every single one of those apps, and maybe they claim to be doing it, it doesn't seem to work, that is just going to the next task detail on an app like, okay, this app is blessed for, you know, kind of what to see from a company like you

Shiva Maharaj:

guys is, because I know how expensively these applications can operate. Yeah. Is to really hone in on what they're doing with PowerShell. Oh, yeah, for sure. I think it would be a nice, easy target for you guys, or someone like you, to threat hunt, because it'd be super easy. And every time they use it. Why does a contact application or scheduling application need to trigger PowerShell out of certain bounds? Yeah, no, that's, that's actually a really good one. I know, we'd see that. We take royalties, just so you know.

Jon Murchison:

Yeah. We will see that stuff live on the endpoint, when it leverages it that way. But yeah, I totally agree with you. I mean, there's, like, it is a very open area. This is like, I think the security community and MSPs, we need to wrap our heads around it really fast, because I think it's gonna get worse and worse and worse.

Eric Taylor:

But what's worse is we're seeing it, we'll say who our vendor is. But we have a vendor that we leverage whose policy is any type of scripting you do leverages PowerShell. But it comes from the command prompt, elevating itself into command via powershell.exe through a cmdlet, right. I'm like, please stop,

Shiva Maharaj:

please. Weren't they launching those commands from the services that

Eric Taylor:

Originally, yes, so the agent, but it will be a layered approach. And until you actually go in your EDR and look at it: the agent service launches a command as administrator, then launches powershell.exe, and then that pipes in, and it just creates a bunch of friggin' noise in the EDR. And I'm like, you're secure? You tout yourself to be a security-product RMM tool. But this keeps happening. And your answer is to whitelist PowerShell. Now, I got my backside up, kiss. Yeah,

Shiva Maharaj:

I think people need to understand that an RMM is not a security tool. It's a convenience tool. It's a command and control. It's a C2. But it's, it's a convenience factor. It's nothing more. It gives the MSP that extensibility to operate across 1,000 endpoints with one technician as opposed to 100 endpoints with one technician. Nothing on the market was built with security in mind,

Jon Murchison:

I would agree. We see a lot, in fact, good at it. We can't really automate it because there's too many variables in it. But we've had to build an alert for folks that write custom scripts that they deploy via their RMM. And we kept seeing, because you know, we're getting all the command line arguments and stuff, we kept seeing the

Unknown:

passwords. Yep. I was like, oh my god, guys, stop this. Don't

Shiva Maharaj:

do this.

Jon Murchison:

So we've made that a formal alert now. Guys, we're seeing clear-text passwords. So you might want to, like, not do it this way. Because the bad guy that gets on now is gonna go look for that, turn on that extra auditing in the event logs and get it themselves.

Shiva Maharaj:

Speaking about logs. Eric, didn't you find a threat actor that was deleting the event logs?

Eric Taylor:

Yeah. REvil actually is now deleting event logs again. So we did one of the recent ones we got, and we started going through, and CSOs are seeing a bunch of deleted, they're not. It's actually saying deleted file, like the old NSA exploit where it actually would say deleted; it wouldn't just purge the system, it's deleting the actual record, which is weird. Yeah. So you remember that old NSA tool where they would actually go in and start deleting those accurately related jobs?

Jon Murchison:

Not the, yeah, I definitely. Event log manipulation is the thing in the bad-guy world for sure. Yeah, we're actually, we're kind of excited about this new thing we got, just because it's just so push-button to start getting all these event logs. Now we don't

Eric Taylor:

button, huh, you got an easy button?

Jon Murchison:

Well, it's kind of an easy button. This is our new LogIC product. We're not selling it independently, because we're afraid folks are gonna try and claim this, as you know, the next thing to stop hackers. It's really geared at storing the data you need to check compliance boxes, and then auto-mapping the answers into a whole TurboTax-like framework to say, because you have MDR, this requirement's checked for the following reason; because we're collecting file integrity monitoring events, you know, this thing's checked. So the idea is you have MDR, your agents are out there, you press a button, and then it will be doing file integrity monitoring, Windows event log collection. And then depending on where you want it, you can also say start a syslog, you know, service, so that you can capture that. And then it basically ships all that data in a real efficient, compressed way up to the cloud. And then we'll start really cheap. And we're not charging events per second. And then the kind of final output is this UI that you can say, I need to be CMMC level three, you click that button, and everything we've been able to automatically fill out for you is already filled out. And then you can say, okay, here's the link to my phishing or, you know, awareness or security awareness training, here's this, you press a button, and then you have a final sheet that you can hand to an auditor. This is our attempt at trying to have a pragmatic mix of the MDR, the real security, and then orchestrating all that log collection. Because traditionally, if you don't do it that way, you've got to go that SIEM route, which we all know is kind of a runaway train, and might be great for compliance. But it's hard to stop breaches in real time in those style platforms. It's just my, our opinion; others will heavily disagree, because they sell SIEMs, but

Shiva Maharaj:

how do you feel about CMMC in the MSP space? Because I know a lot of MSPs are going that way. Eric and I are, but we actually have clients that are going to require it from us whenever it goes into effect. Anyone serving government is going to have to deal with it one way or another. And I think that there's a real need. And just based on what you just said, there's a real need for our tools to at least be able to match CMMC. Yeah, maybe you won't be certified or what have you. But at least you'll know where you stand. And that's half the battle.

Jon Murchison:

Well, that's it, because most people never get a formal audit to be certified; it almost never happens. So it's almost like I hire a company, they kind of bless me, get into documentation, we self-certify. We have our documentation. But like, you just pulled the thread on our vision with this product, which is step one, let's make all that data collection easy to off camera,

Shiva Maharaj:

I'll tell you how to monetize it.

Jon Murchison:

Okay, cool. Well, we're, I mean, we have our pricing model, so we'll see if it works. But as we keep adding more integrations and more integrations, what we want to do is like, we'll know, okay, our MDR covers this, or snap aging covers this, or log collection covers this. Oh, you have SentinelOne. Cool. It's already integrated, because we have an API integration that auto-checks these boxes, right. Yeah. So our plan is to do it with them this year; it's actually been kind of slow to get them to kind of respond on the API side. I would say you'll probably watch us do TCP Defender next. And then I would say CrowdStrike, like, and I just have our latest stats on AV breakdown across our customer base. Just from a pure business standpoint, they're huge and really wildly successful markup in MSP. There's, it's like,

Shiva Maharaj:

they don't count tiny. I don't want to say they don't care about it. They understand how price-sensitive MSPs are. And when you're dealing with the enterprise, who consumes like the government does? Yeah, you don't want to deal with the little guys. We're gonna haggle over a 25-cent discount.

Jon Murchison:

Exactly. So you know, I think right now we do Sophos, we do Webroot, we do Bitdefender

Eric Taylor:

now Bitdefender EDR, GravityZone Bitdefender, because, yeah, it's like Microsoft. They got 1,000 SKUs.

Jon Murchison:

Yeah, yeah. They're their babies. Yeah, we're just hitting the API. So I think they deliver for either one of them. Maybe I haven't personally looked at the Lord to say this is the EDR alert, but the whole intent of our deployment was to support that. And then I think we have Malwarebytes coming out here soon; we finished the dev on that one. I will say, Eric, I'll tell you, I know you had a bad experience. But from our testing, it actually caught a lot of stuff, for what it's worth. Well, I

Shiva Maharaj:

remember our first call, you were impressed by Malwarebytes. But there was another product, you were able to stop its communication back home. Yeah. I'm not talking about that. But the day picks it, we won't say who it is. But

Jon Murchison:

No, I mean, honestly, like, you could probably do that same technique to every cloud-based tool on the market. The difference with that one was, I think it was a timing of, like, so some of these EDRs collect a lot of data, and some have the smarts on their agent to start doing it. I think CrowdStrike is actually wonderful, it does it that way, if I'm remembering correctly. Others are more like, okay, it's signature-based on the endpoint, all this other telemetry we're gonna batch up and ship up to the cloud, then the cloud will chew on the data and generate an alert. What we found is, so any cloud-based one, clearly, if you can disrupt the DNS request, or if it can't get home, you know, it's as good as whatever it has locally, but some batch it and send it in blobs. And it's just that little window of delay that I think opens that one up, because that tool that you're talking about actually caught the most stuff from what we've seen, but it did have just a kind of a concept in there. But I would say most all of them are. There's a few in there that are kind of like clearly have a lot of marketing. But what has caused bad guys to move so much to living off the land is actually because AVs got good at catching their persistence techniques or this and that, not all of them, but it just forced them, like, well, we can't be so absurdly sloppy on our malware where all we have to do is just change a PE header, and we're back in business again. Because that is where kinda I think ML does work a bit, in being able to say this looks like mostly the same damn binary as this other one. Where we don't see it work great is on all the specific, in-the-weeds command line arguments and tradecraft. So we both noticed most of all EDRs are hard-coded, like looking for a string or a parent-child process, you know, that was created with a specific string; we'd see very little learning. That's us. I'm sure they'll come correct me, but I just haven't seen it. So it's been my experience. Right?

Shiva Maharaj:

We're coming up on time here. So I do want to be mindful. Yeah, no, I appreciate it. This is fun. I had no idea what to expect. This is cool. I want to do more. Do you want to tell people how to get in touch with you and your team now? Blackpoint. Yeah, a little bit bonded through me and Eric, but you know,

Jon Murchison:

so if you're interested to learn more, do a free trial, you know, do a little ransomware simulation tool, just go to blackpointcyber.com and you can set up a time immediately with, you know, one of our reps and sales engineers, and they'll do the dog and pony show.

Shiva Maharaj:

Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.