Cybersecurity: Amplified And Intensified

Episode 15 - Fear-mongering and ransomware.

June 09, 2021 Shiva Maharaj/Eric Taylor

On this episode we discuss the need to focus on security despite what compliance wants and dictates, CISOs' unrelenting quest for help from the government, the Colonial Pipeline, and the fundamental lack of security employed by companies.

Eric Taylor | LinkedIn
Twitter: barricadecyber
Podcast Episode #15 - Talking more about Colonial Pipeline and Ransomware - YouTube
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com

Articles Referenced:


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj:

This is the cybersecurity amplified and intensified podcast.

Eric Taylor:

Oh, hilarious if it just started showing 10 at what kind of Shouldn't I just walk into?

Shiva Maharaj:

I'm telling you, man, it's been a while since we did one solo with just you and I, we had a couple great guests. And now we got to bring it back around to recenter our audience into the piss and vinegar. That is you and I

Eric Taylor:

this is true, and we are now. Well, it's like we are completely live all the way around the spectrum of the social crap.

Shiva Maharaj:

So So what's on the docket for today, sir?

Eric Taylor:

Well, I think we need to circle back. And as we're finding more and more information about the whole colonial pipeline, like we always do all the new the information you first see is never the full and complete story. So you know, definitely want to circle back to that. The SOC, of course, more and more about ransomware. Because why not? And what CSOs are wanting from the federal

Shiva Maharaj:

government, and I think that we are in primetime for fear mongering and wartime profiteering, just this morning, I saw a salesperson from my favorite vendor of all time, talking about Colonial could have avoided paying a $4.4 million ransom. If they had dark web monitoring. Let's be honest, it wouldn't have done jack shit.

Eric Taylor:

Does this person actually read the news? No, he's

Shiva Maharaj:

making his own news. He's, he's a creator. He's got a LinkedIn live now.

Eric Taylor:

Oh, boy. What are those guys? Yes. So I mean, let's dive into it. Because, Alright, so let's just say with a big asterisk, let's just start that off. Right now. This is still new, we're still trying to go down this rabbit hole, even with SolarWinds they blamed a VPN, you know, or not, an FTP server with a password of SolarWinds123? Was that the root cause of the compromise? I personally don't think so. But according to the Hacker News, or some other sources, they actually compromised a VPN password that did not have 2FA turned on

Shiva Maharaj:

Is 2FA some new technology that was just released in the last few months?

Eric Taylor:

No, no, not at all. But even though Biden's executive order makes it sound like it is though, is that newfangled two-factor authentication. Most partners that you use, most technologies that you use have some form of 2FA, most of them are Google Authenticator. You know, even as much as I've beaten up on Ring and stuff like that in the past, even they have 2FA on their garbage, but most firewalls don't support it.

Shiva Maharaj:

Well, in all fairness, you know, the real world has to deal with legacy systems that we that they were too cheap to upgrade 15 years ago, which is why they're paying the price now, but it's okay, their legacy systems,

Eric Taylor:

we'll see there's, there's that argument to have, right? You can have legacy systems inside of your network that are separated from the rest of your trusted environment. You know, those legacies are going to be a central point of vulnerability, but there's no excuse for a legacy firewall, there's no excuse for improperly maintaining your edge.

Shiva Maharaj:

But they're so expensive. I mean, why would you upgrade if you already have that sunk and fallacy? Cost fallacy?

Eric Taylor:

Well, I mean, why ever upgrade your car? Because there's a new LED Exactly. It might it might firewalls got a new Blinky light,

Shiva Maharaj:

you know, another part with the Colonial Pipeline is a lot of people are talking about the SCADA systems, being the ones that were breached, which is untrue, based on all the public facing knowledge, it was their billing system. So I think information is rife with inaccuracies in reporting. And I think a lot of vendors and solution providers are using this fear mongering to sell more services, and that is actually not going to be beneficial to any of these companies. Because you and I both know, you, me, the pizza tech down the block, we can all use the same tools, no vendor is going to say No, we won't take your money, the real value is in the team that's putting the solution into play. Isn't going to work? Is it going to line up with the security that you need? And unfortunately, there's not a lot of that in our industry. And now I hear a lot of people banging that drum saying the government has to step in and do things. Well. Let's take that apart for a little bit. I don't think the FBI or the DOJ has jurisdiction in Russia or China. So what exactly are they going to do when a company is not going to secure themselves? If you don't take the first step? There's nothing the government can do for you. Exactly. And I think it's

Eric Taylor:

the FBI did a bad precedent not too long ago, when they went into the municipal or into networks inside of Texas and started to, that's a funny way to say they went into networks inside of Texas through a warrant and said, You know, we're going to secure these Microsoft Exchange servers, because they have vulnerabilities. Now, you and I have speculated there's probably some really interesting information inside those networks. That's maybe why they were targeted. Maybe they knew something, of course, that we didn't. So that's why they wanted that information, to be able to get root access into those Exchange servers to go through it. But reading through this article that we have from CSO Online, take a look at it and correct me if I'm wrong, but the 30,000-foot view that I'm getting from this saying is CSOs really don't want to take responsibility for shit anymore. They just want the federal government to do it. And I wonder how much is because of what the FBI has already done,

Shiva Maharaj:

you know, in the CISOs' defense, 99.9% of them are absolute fucking idiots. They took a CISSP course at SANS, which is a fantastic course. But that's about testing. Well, that's not actually about doing anything effectively. Right? And CISOs are so enamored with balancing budget and risk, that budget always wins out. So they believe that the government can save them. And that's not true. Because if you're putting RDP open on the internet, if you're not using MFA, doesn't matter what the government does.

Eric Taylor:

I mean, not even just CISOs. So I mean, I had to warn me, I had a number of them. But at least two of them last week of my new incident response cases that came through, two of them said verbatim, how about we call the FBI and see if they'll pay this ransomware note for me? What do they have for that? Can they, you know, help us out with this? I'm like, Yeah, they can help you out, then come in and seize all your stuff, and start looking at all your data. And we still have one client, as of right now, six months later, the FBI still has their servers with exactly no friggin ETA of when they're going to get their crap back. I'm not bashing the FBI by any means. I mean, they're, you know, they're a bunch of great people doing fantastic work. But the FBI really doesn't need to be on the front line on the same set

Shiva Maharaj:

up for this. There is going to be a learning curve for them to be able to jump in, do their imaging, their, you know, grab their forensics and get the hardware back to people in a timely manner. So they can resume operations. And I, you know, they'll get there probably sooner rather than later with the with the uptick in attacks. But again, it boils down to what is a domestic law enforcement agency going to do against an international threat?

Eric Taylor:

Well, their deck, I'm sure not going to pay for the ransomware note, I can tell you that. But your clients think they will, it's got to be true. No, we definitely need to have a conversation here soon about actually insurance. But I don't want to dive on to the whole that, but a lot of companies are really misled about who is there to protect them, who's there to save them in the event of an incident, whether it's ransomware, PCI, whatever the case is, you know, they always think their insurance or some government entity is going to save the day.

Shiva Maharaj:

That's because they all think, they all believe in transference of risk. And there are a lot of MSPs out there who sell their services by saying we will become your in-house IT, we will do this for you, when they're probably the only vendors out there for, and customers that are willing to accept that risk, which let's be honest, our vendors don't accept our risk

Eric Taylor:

of being in the middle of it, you know, between the client and the vendor, we'll just say the technologist so that we include everybody under the sun on it, they accept any and all risk, you know, whether the cloud provider or the SaaS provider of the software, you know, whether it be on premise or whatever, you know, they'll say it's about environmental, it was improperly configured, you know, your firewall wasn't configured properly. And then your firewall folks just say, No, it was configured properly, there was poor code execution, the person in the middle really needs to know what in the world is going on, what the hell they're doing. So that way, they know how to navigate this thing. It's not all, you know, oh, let me go in here and fix the slow computer. Let me just reinstall this printer driver. And you know, that's, you know, how MSP technology is supposed to work. It was completely not it, you're supposed to take a complete solution of products and services and provide it to them and most of them are not, I can go on a soapbox for about three days on this garbage.

Shiva Maharaj:

How do you feel about, you know, this narrative that's been building for the last few months that hackers are shutting down schools, hackers are destroying businesses, hackers are doing this. And the vendors are vendors and solution providers really capitalizing on that fear mongering and wartime profits hearing, because at the end of the day, if a company does not want to spend the money, they're not going to get the necessary protection. And there is a possibility, no matter how small it is that you could do absolutely nothing for cybersecurity, and you'll never get hit, you really want to take that chance.

Eric Taylor:

So yeah, I've always, or I've really been recently saying over and over again, a business is going to do things as cheaply and as long as possible until they're forced to make a change. There really are. No and unfortunately, most of the time it is a ransomware incident. It is some sort of incident that brings them to their knees, shakes them to the core where at least for a year, maybe a little bit more, they actually care enough to actually do something. It's sad that these companies have to get to that point where they are rocked so hard that they care now is that oh, well, I guess I really should do this. And you know, there's always the whole fight or flight, you know, anytime we're going in on these incidents where they're like, Oh, well, nobody ever told us And there's time and time again, you know, the technologist, I want to say that from now on show the technologist, what if they're just really good at making pizzas? They could, they could still be a technologist. He's a technologist, okay, a lot of times they got a printer sitting there printing out the orders, right?

Shiva Maharaj:

This is very true.

Eric Taylor:

Now going back to my old first jobs is working at Pizza Hut,

Shiva Maharaj:

you bring up an interesting thought to me, everyone's going crazy for compliance these days, you know, you and I are going down that rabbit hole for our businesses, and we're doing it more as a way to show that we have proper controls in place. I think we both understand all too well, that compliance does absolutely nothing for security, there's a mad rush for people to prepare for ransomware attacks. And I'm starting to think it's a lot easier for a company to build up some kind of continuity plan to get them back up and running post incident than it is for them to be secured. Like we could go deploy a BCDR in an hour, there's an incident, we could probably restore within a couple hours, depending on how much data there is. Is money better spent that way initially, and then you build out your security practice for that client or that customer?

Eric Taylor:

Yeah, we've, I have had that exact same thought. And it's weird that you say that, because, you know, we say it on this podcast a lot that you know, we always talk about stuff privately and then bring it into here. But this is not one that you and I have had. And it's really interesting because the over the weekend, and some last week I was having this exact same thing is like we need to start backing up the data first. So no matter what if we're having snafu is built in VPN, we're having snafus with this website, we have a really damn good copy of your data. As long as you're not overly worried about data that you have, you know, intellectual property or, you know, some sort of federal compliancy, where you have to secure you're gonna get real dangerous, but I don't want to make it where companies like, Oh, well, as long as you have a good continuity plan, we have a good backup, we don't have to worry about our security at all, but saying, Let's get a really good backup plan first. So while you're implementing security, we all email whoever does security knows, this is a good couple month process, right?

Shiva Maharaj:

If you're us, if you're other providers, and it's probably a five year plan in 10 years,

Eric Taylor:

gonna get that's gonna get changed and mitigated at least half a dozen times, right,

Shiva Maharaj:

just submit a form and we will differ. I'm starting to look at backup and disaster recovery continuity as that is what should be that low barrier to entry, get that in place, get a good backup, ship it off site, test both of them then get started on your, your cybersecurity, or if nothing else have two teams inside your organization. But there are too many, there are too many one man shops, dude, either, they only have 24 hours in a day, they have to go make pizza for the other 90,

Eric Taylor:

get a geotech or something that can be able to do backups or something while you're doing the firewalls are doing this they are there. So thing is to deploy, test and verify backups. And for the love of god stop using a screen share or screenshot as your verification that a backup works. It just shows Yep, it booted.

Shiva Maharaj:

And let's dig into those for those listening, because I'm hoping we get a lot of end users here to not just our community, but a screenshot of a log on screen doesn't mean your services are starting. It doesn't mean that when you log in, if you can even log into that box, it's functional. So that's where it takes time to restore log in and check the services. And there are backup solutions that will do that for you when when a backup is as important as it is to me, I would manually test it every time. Now I'm not saying you got to do it every day, you probably should, but at least once a week, because you never want to be more than a week behind on lost data, although you should be backing up every day.

Eric Taylor:

And I do remember there are some companies out there. And I don't want to say the names of the companies because I'm not 100% sure if I'm thinking of the right ones or not. But I knew their solution to the whole, you know, log on screen was to create a script where it would log in and show you the desktop

Shiva Maharaj:

Datto does that. Acronis does that. And I believe SolarWinds does that.

Eric Taylor:

So question for you. Now you're storing domain, domain admin credentials inside these cloud providers that can log into your boxes.

Shiva Maharaj:

You're not storing any credentials in the case of Datto or Acronis.

Eric Taylor:

Then how is it logging in

Shiva Maharaj:

The agent runs as SYSTEM. Interesting, at least you're not leaving Kerberos tokens everywhere.

Eric Taylor:

But see, I didn't know, to be on this is some mic editors here? I didn't know SYSTEM could actually bring up a desktop.

Shiva Maharaj:

I don't think that it's actually logging in. What I do think is happening is it's making sure it's starting services. So you're not getting to the actual desktop but you're getting that screenshot showing Hey, our backup worked and to prove it work these services that you wanted us to test to make sure they're starting have started, which is better than just a screenshot but nothing's better than logging in yourself.

Eric Taylor:

Yeah, that makes sense because it gets back into the old days when we were with ConnectWise, using ScreenConnect, there was that part called Backstage where you could be able to launch, you know, separate command prompts, you could launch services.msc, you can do all these other things and be able to do that kind of verification. That makes it a little bit more sense.

Shiva Maharaj:

But going back to my question, how do you feel about the fear mongering out there? You think anyone's gonna buy? Or do you think they're just being desensitized? As usual?

Eric Taylor:

I haven't seen into the same here. I mean, I've seen that link that you posted earlier, but you know, the Kaseya partner, or the sales consultant, but I'm really a mixed bag as a security company and security professional infosec, whatever, whatever coin, a term we're going to use this week, that tells me, you know, that screams to me that look, if we are able to get more people secure through any method possible. Hallelujah. Do it right, because I mean, we talked about it before where this country is years behind on its cybersecurity policy kids, man,

Shiva Maharaj:

I think one of the major benefits for our country's enemies or our enemies, whatever you want to call it with all these cyber attacks, is it's chipping away at the morale of us as a people, government agencies and national infrastructure, the companies that are getting popped can directly affect each one of our lives in a negative way. So I mean, let's

Eric Taylor:

say the fear mongering secured 1% of the medium sized businesses just 1%. It's it's not enough to get that wait for it, wait for it, that herd immunity herd dadgum, Fauci,

Shiva Maharaj:

we should do a whole nother cast about the emails from the boy Oh, God, we

Eric Taylor:

almost had over counter If I hear in a minute, we'll do that this week.

Shiva Maharaj:

Oh, man. But you know, this goes back to companies need to own their shortcomings. And they need to understand that they have to spend the money to get a cybersecurity solution in place. And to be clear, there's no single product that will be the silver bullet for cybersecurity, you're probably looking at half a dozen to a dozen different things woven together by a team that actually knows what they're doing. I had a conversation with a family friend over the weekend. And he said, there are so many other clients that buy FireEye to check a compliance box, but they never do anything with it. They said yeah, it checks the box. We are doing x, y, z, check the box. But three years later, it's still out of the box configuration, which is doing nothing.

Eric Taylor:

Yeah, we got it. We pay for it. Yeah, it's a deduction on the bottom line. And some of the people that we know, for the CMMC group that know or was a mutual colleague, just be respectful. I brought this conversation up to them where CMMC says you must do vulnerability testing. What exactly does that mean? Am I gonna just use a Nessus scan? FireEye scan? He'd be like, Oh, yeah, these Oh, Dan. Yeah. You just showed in? Is that what that means? Or you're going to actually engage with a company like mine or anybody else?

Shiva Maharaj:

Well, that depends. Do you take Monopoly money for payments? No, then they probably won't go with you and a company of your caliber, because our industry, we get no respect. Everyone just looks at it and says anyone can do it. And yeah, that's true, but we're fast learning that not everyone can do cybersecurity, but going back to your CMMC group. How's that come along? Where are you guys at with anything there?

Eric Taylor:

So it's a very slow process, unfortunately, and to the group's credit, the other group, it was taking a while for the group to get its own traction. Yeah, started getting traction, started getting momentum and everything like that. And then it seems like CMMC kind of just fumbled all over the place where there's now one company, one company that's ranked to be an auditor as a C3PAO, or time I stayed I think a Star Wars. That's why they

Shiva Maharaj:

named it that. I think

Eric Taylor:

for the longest time I thought the guys that were on the call that, you know, a lot of the bigger terminology, and I do, I thought they were disagreeing with me, but I was really, what they're called, C3PAOs, but um, there's only one auditor that's approved for a C3PAO status. And that was supposed to be done in January, maybe February, and we are in June, and in February, there's supposed to be a dozen of them certified. It's government. We're from the government, we're here to help

Shiva Maharaj:

it's government. And you're on the backdrop of what was there is COVID. There are 1000 different reasons why it will be delayed. But I'm more curious, you know, how far along the process have you guys gotten? Have you done your self assessments? And have you sent that

Eric Taylor:

in? I have not, I wouldn't I'm not completed. I've got a couple of things coming up in the next six months. But I'm taking mine a lot differently than I think some of the other ones.

Shiva Maharaj:

Why? Because you actually want to improve your security as a box.

Eric Taylor:

Yeah, this is true. I mean, I'm taking this the problem I've had with a lot of these compliancy groups, you know, there's some of them that are out there. We just had one not on the show not too long ago, where they helped generate a report of what their product is doing for CMMC compliancy. But I guarantee you so many people are just gonna be like, Oh, yeah, we do that because these guys over here are doing that but they're not evaluated their entire stack.

Shiva Maharaj:

Well remember Kaseya was doing it since before CMMC was even finalized. So they are tip of the spear monkey right there.

Eric Taylor:

Yep, speared monkeys. It's crazy that I mean, so as much as I throw shade, and you still shade, I do want to give a moment there, there is a spot in Kaseya, where they are claiming they want to be CMMC compliant, I think they're only talking about internal processes. They're not talking about their software that they resell and their whole SaaS platform, you

Shiva Maharaj:

know, the problem with becoming CMMC compliant. And you and I learned this when we demoed the platform that was gonna help us get there sometime last year, you can look at a control and you can just say, I accept that risk. And now that box has been checked, and I joked around with the person from that company saying so what you're telling me is I can literally go through an entire compliancy, say, I accept the risk. And now I am compliant, which takes us to the point. And you know, we had a couple of really smart guys on the podcast recently, Vince Crisler, former CISO of the White House and CEO of Dark Cubed, and we had Jon Murchison, former NSA operator and now CEO of Blackpoint Cyber. And I noticed something very similar between these two guys who on the face of it don't know each other, they both don't believe in compliance. They both think it's just an exercise to generate paper, and I'm paraphrasing here, so please, I'm putting words in their mouth. Anyone who wants to go cry to mommy, they were more focused on improving and increasing their security posture than they were printing paper and coloring are reinforced.

Eric Taylor:

This is actually true. We've talked about this number of times we don't know what is going to be the driving force to compliance you know, we keep saying we need the industry needs to be more compliant needs burger plant, blah, blah, blah, but what's gonna be the driving force what is going to shake the industry to the core like I was telling the story about these clients? So I'm just gonna shake it to the core of where people actually give a shit until the end user

Shiva Maharaj:

is so completely fucked nothing's gonna happen, or scared of being fucked. No, I'll tell you why I say that, because who's had more massive breaches than Experian?

Eric Taylor:

Let's see. Top of my head, um, Experian, pretty, I mean, Wells Fargo had a good number of them.

Shiva Maharaj:

Yeah, but Wells Fargo got popped because they were defrauding their own depositors and charging them fees up their ass. Experian had two or three multi-hundred-million-dollar, I'm sorry, multi-hundred-million-person breaches of records within what, the last five years. What's happened to them? Not a damn thing. I mean, maybe what, a couple hundred million dollar fine, which to you and I is life changing money, to them? It's Sunday or Sunday morning?

Eric Taylor:

I mean, heck, I think maybe people from the presidents of the social media companies have probably been brought to Congress more than those Experian folks are?

Shiva Maharaj:

Well, they have more money in lobbying, I would say and they run the credit markets in some way, shape or form?

Eric Taylor:

That's a really good question. I'll be quiet for so to get as good as question but I don't

Unknown:

know if there is anybody who's got more vulnerabilities popped on them than Experian, not just how many records were breached. But how many times it's happened.

Eric Taylor:

It's been a couple times. I'm gonna say there's some municipalities down in Florida that will, it'll at least match the frequency or the number of, but definitely not the impact.

Shiva Maharaj:

I think the easiest way to get into government, the federal government systems, is go through the municipalities, their cybersecurity is so atrocious that if they can access CJIS control systems going through there, you have members of the staff who sell access or bought or access away, or they probably insert more USBs than pn Why?

Eric Taylor:

Yeah, yeah. You and I got a friend of ours that we both know, and reminds me because he's got a municipality he takes care of, I think he or somebody in that group was talking about how their CJIS system was completely unprotected, like you can walk by this terminal, not log in, at any given day or time, and do any lookup you want. Worse than that

Shiva Maharaj:

is he has raised that issue to them over and over, agents don't give a shit. But this was the state of our government connected infrastructure and systems across the country. It happens here where I am, where you are, it's just endemic. These are what I would call systemic failures in our infrastructure. And that's because of self attestation. If this was a real compliancy, where you needed to be audited properly, then you'd be better off. Now, C-3PO from Star Wars was going to be doing the CMMC audits, I think the worst thing you can do is put the audit under a private organization. I think if CMMC is for the DoD, it should be by the DoD, and they should spin up a department or retask people to do the audits, because a third party company can and will be compromised and breached.

Eric Taylor:

Alright, the same argument can be made for an internal government entity to have just the corruption. Now, granted, you can have corruption very easily from an outside party, but I may be off on this one than I probably am. But I would think that there's more corruption from an internal government bureaucracy than there ever would be from an outside third party vendor.

Shiva Maharaj:

I'm not worried about the corruption in that sense. I'm worried about the infiltration and the Russians. The Chinese getting it or any other country that wants to talk us

Eric Taylor:

to talk about the corruption my my idea of the corruption is, here's five or $6,000 sign off on his paper, we're compliance.

Shiva Maharaj:

Yeah, but you know what, your, that your, are, sorry, I know you guys are always Marines, there's no was, talking about the UCMJ? Would you rather go up against that? Or would you rather go up against civilian law enforcement? Because with the UCMJ, if you run afoul there, and you get popped by them, when they're done with you, they're carrying you over to civilian authorities?

Eric Taylor:

Mm hmm.

Shiva Maharaj:

So it's two birds, one stone,

Eric Taylor:

if it warrants it, right. So a lot of times when you're under the UCMJ, once that is done, then it's done, you know, government acted, they took care of the situation, whatever the case is, they did their ruling, you know, unless it's a massive civil, you have Armed Forces started going around killing civilians or something, yo, then yes,

Shiva Maharaj:

we have bigger problems at that point, if that's happening, but look at it this way. You are an officer or enlisted attached to the DoD, it's your responsibility to do these audits. And you go through the UCMJ, for whatever, you know, you're accused of, what have you, that's ended, now there's a trial for your counterpart in the civilian space that was corrupt, or asked you to do something, you're probably gonna get roped in there, too. So now it's a double whammy. And that's why I think the DoD, like why is it Western countries are the only ones that love outsourcing this shit?

Eric Taylor:

I don't know. I don't know. I mean, I think it's, I may be part of the corruption aspect that we're kind of talking about a little bit here where we somebody buys their chance to be an auditor, they buy their chance to do X, Y, and Z. So they can't do you got the whole lobbyist, you got all these little fun groups and everything else, you know.

Shiva Maharaj:

And lobbyists only have access when you involve third parties. Think about that. So I think it should be one of two things: the DoD does their own auditing and accreditation for CMMC, or they don't do it at all and stick with the self-attestation bullshit that they had.

Eric Taylor:

What's the point of the CMMC if we're going to go self-attesting? Because we've already got that with NIST.

Shiva Maharaj:

Well, that's what I'm saying. I think it's a colossal waste of time and resources if you're letting an independent third-party company do your accreditation, your auditing. How long did it take us to build, to start to design the F-35? Almost six years? Now, it took us less than five years to lose it to China. And that's my point, right? There was a time that never would have happened, or if it happened, it would have been disinformation, and when they pulled up on the yoke, they would have been doing those dives. It's just a systemic failure for cybersecurity that has trickled over into the civilian space. And my concern is, again, I keep going back to this, that the companies are just not going to own their mistakes. They're gonna keep kicking the ball down to the insurance companies, to the government, to anyone else.

Eric Taylor:

Again, like I keep saying, they're going to do what they can for as long as they can, as cheaply as they can, until they're forced to do it, or they fear that they're going to get fucked. There should be a punitive

Shiva Maharaj:

damage for every breach. Make it $1,000 or $10,000 for every record that gets popped. But we're going to get into one of my hot-button topics here. You're in IR. What's the number one press release comment out of all these companies, major companies that get popped?

Eric Taylor:

Everybody's talking about some sort of intern that caused the whole breach. Worse,

Shiva Maharaj:

every one of these companies, the first thing that comes out is "there's no indication that any data has been exfiltrated." Oh, you know what? You don't have access to your systems. They were probably in there for two to three weeks beforehand. Why don't we define a breach as unauthorized access? Because that's what it is, right?

Eric Taylor:

Exactly. Of course you have no indication, because like I said, there's no logs. These ransomware guys or gals, trying to be whatever... but these ransomware folks are clearing logs. They're clearing the logs out of your firewall. If you've got a NAS device and they know how to breach into that, they're clearing the logs out of that. Your domain controllers, your workstations, they are clearing it all. When you bring up your Event Viewer, it will say deleted item, deleted item, deleted item. Yeah, there's a lot, because you don't have any.

Shiva Maharaj:

And you know the beautiful thing about that deleted log is they're replacing the log, they're overwriting the log data, which makes retrieval even that much harder.

Eric Taylor:

It's impossible, though, because you're not recovering... well, let's just say it's as safe as possible, but you're not trying to recover lost data, you're trying to recover overwritten data, which makes it a metric f-ton more complicated.

Shiva Maharaj:

What else are you seeing out there in the land of incident response?

Eric Taylor:

DarkSide is going quiet, and I will say this again, for the love of everything sweet and holy: DarkSide was not taken down by a government entity. Were they disbanded? I don't think so. There's definitely some operators still working in there. Are they as prevalent as they used to be? No. Will they come back? More than likely. But anyway, there's a lot of actors that are starting to become more and more vocal that we haven't heard from in a while. You and I kind of joke about it a little bit. I made the comment that I really am starting to wonder, if you think about the movies, you walk into an office space and it's just that big open area, right? You've got these pods of people, like those big tech companies. I almost want to know, are those ransomware groups like that, and you're just in a pod? So you're DarkSide, you're despod, you're NetWalker,

Shiva Maharaj:

I think you're 1,000% correct. I think they're grouped by nation. If you're any of the Russian groups, it's all one big massive group. The persistence is there by a handful of things: there's Emotet, there's TrickBot, there's, you know, Dridex and other ways to get in. And depending on who's in the news recently, and they want to spread it out to other groups, they just choose the tactics and techniques from someone else. The persistence is there. Yeah, it's a lot harder for intelligence to track multiple groups than it is to track one. And I think there's a huge disinformation campaign in regards to how many groups there really are. So yeah, I think they're all sitting in cubicles on the same floor

Eric Taylor:

with each other. And it's really interesting to see that. I mean, we're being a little facetious, but when you have companies that have CISOs, and they're wanting the government to fix all this, there's no way that these guys are going to do that. I don't know, man. Have you read that? Have you gone through the article? I know I sent that to you a little late in the day.

Shiva Maharaj:

I haven't seen it. So I don't even know what they want the government to do for them. They just want the government to do something. And I'm sorry, I'm sorry, but you can't just fire a Tomahawk missile at this problem.

Eric Taylor:

I mean, are they wanting more, like we mentioned before, of the whole Exchange situation, where they want the FBI to look at Shodan reports and stuff like that and potentially fix public vulnerabilities? No, I

Shiva Maharaj:

think what they're looking for is for the government to shut down the evil operators, the hackers and all the bad guys that are, you know, a stain on the existence of small business, who just doesn't give enough of a shit about their customers to actually spend money on securing them. And that's the narrative, right? It's "look at these little guys, look at these companies, they have to pay all this money." You know what would have been cheaper than $4.4 million? MFA. And not even using the AD agent. Dark web scanning is a hot steaming pile of bullshit. Whatever.

Eric Taylor:

And then one thing, I had a conversation with some folks over the weekend. When you start taking a look, at least from a global threat and a global market standpoint, I get the point that US-based companies are competing with a global market that will make it cheaper, sometimes better, faster than we would. So, you know, you've got US labor costs that are higher now, capital gains, taxes, all these things that are higher in the US than in other countries. I mean, everything's higher here in the UK and in the US than in third world countries. So it's hard to compete on profitability. So I get that to a certain degree too, right. There's no right answer for a lot of this stuff. I don't know what it's going to be when you actually start factoring that mentality in there. I think it's going to take time for us to undo the decades of globalization and outsourcing.

Shiva Maharaj:

It's not something we can fix overnight. And people want to say, yeah, we could do anything we want here. But okay, except you buy your natural resources from China, from Russia. We don't really own anything outside of the continental US.

Eric Taylor:

Yeah, we're a state of consumption. Oh, absolutely.

Shiva Maharaj:

Now, one thing I wanted to talk to you about: did you see that Mandiant and FireEye are splitting?

Eric Taylor:

I did not see that.

Shiva Maharaj:

It was announced last week. I look at this as Mandiant saying, I don't give a shit what type of services you have or what you run, you still need the people behind the scenes to do the incident response. And you know, maybe this article in itself is biased to that opinion. So they're staying standalone as a services business and getting rid of the technology part, which really underscores that you need that human talent, which is why I think you're so good at what you do, and why I think I'm so good at what I do. But I think I'm great at everything I do.

Eric Taylor:

Yeah, and I mean, we've beat up on this before, but this really drives home the conversation that we've had about the difference between human intel versus machine AI, machine learning, whatever term you want to use. To be honest, I have to read this, but on the surface, this kind of makes me want to jump for joy for a little bit. Because while they're getting rid of technology, and potentially the advancement for quicker response, from what I'm reading from this, again, just seeing this for about 30 seconds here, they're putting the power back into the analyst to actually figure out what's going on. But it does put that barrier back into the equation, where I get torn, like, okay, if you had some sort of machine AI, or if you had some sort of If This Then That rule set, and you have your log monitoring and it fires, at least be able to stop the connection, stop the possibility of something bad happening, and then flag it for human review. I think that would be a more proactive stance than just removing technology as a first line.

Shiva Maharaj:

I think what Mandiant is doing here is saying, I don't care what you're using, it falls to the analyst to really parse it. So give us CrowdStrike, give us SentinelOne, give us anything, because I guarantee you companies or major vendors were less likely to work with Mandiant because they had the FireEye product. Now that they're going to be by themselves and they are software product agnostic, they will get a lot more business out of this. And let's face it, the two top guys when you're talking, you know, six, seven, eight figure ransoms, you're looking at CrowdStrike, you're looking at Mandiant.

Eric Taylor:

Yeah. The one that I haven't seen in a while is Kroll. Those guys are pretty big. Coveware was pretty big.

Shiva Maharaj:

I would put Coveware on the shortlist for a DarkSide.

Eric Taylor:

But that is... Maze, they say, is not around anymore. They've been disbanded, right? But

Shiva Maharaj:

they're still there. Exactly, beside DarkSide.

Eric Taylor:

Now. There we go.

Shiva Maharaj:

You know, you have Evil Corp, and you have Evil Corp. It's all one big game of musical chairs,

Eric Taylor:

man. Yeah, it is. It is. Well, man, anything else you want to talk about today? It's been great just to sit back and shoot the shit. Exactly.

Shiva Maharaj:

Told you, man, I had the piss and vinegar, because the fear-mongering annoys the shit out of me. I'm seeing all of our peers, all of our vendors pumping out the same content: be afraid, but if you use our product, you'd be A-OK. And you know what, if you used Eric or myself, you'd probably be better off, at least in my mind.

Eric Taylor:

Now it just goes back to the whole supply chain hacking thing with SolarWinds. You know, everybody was quick to jump out like, oh, well, we stop supply chain hacks, we do. If you're using us, you wouldn't have that problem. Yeah, shut the eff up.

Shiva Maharaj:

You just don't know you have that problem. Because I don't think SolarWinds was the only one; they all got popped.

Eric Taylor:

I've said it before and I'll keep saying it. SolarWinds information keeps changing, keeps coming out. We're actually a little overdue for some more updates from that clusterfuck, I think.

Shiva Maharaj:

You know, with the shortened news cycle that we have, there are too many other things. You had the USAID phishing breach from last week, which was done by Nobelium, who is supposedly the SolarWinds guys. Even we don't know who the SolarWinds guys are, because you had multiple nation states popping it. It was Russia. Dude, have you looked at attribution for most of the recent attacks? The government's not coming out and saying anything. It's third parties saying the government says it's this guy or that guy, or sorry, this person or that person, because we have to be politically correct, with equal rights. Hackers can be ladies or men or whatever they identify as. I know that's gonna get me in so much trouble. I think we really need to get back to vetting the information at hand in general, and not just relying on any website that posts news. We definitely

Eric Taylor:

got to start doing a little bit more of these, and some of the interviews that we've been doing lately,

Shiva Maharaj:

good ones there. I learned a lot from Vince and John.

Eric Taylor:

Yeah, it definitely got us thinking differently about how we do some of our infrastructure and the monitoring of things, you know, the separation of the layers and stuff like that.

Shiva Maharaj:

And I think that's good, right? Because you can't just keep doing things the way you've always done them; you're never going to progress. Exactly. And it really took them to open my eyes to compliance versus security.

Eric Taylor:

Absolutely. Once again, thanks, everybody, for joining us. Please like and subscribe to us on YouTube, please go to our podcast and subscribe there. amplifiedandintensified.com is the new homepage for it, and you'll be directed right to the podcast, where you'd better subscribe and listen to us all the time. And until next time,

Shiva Maharaj:

take care. Thanks again for joining us for the Cybersecurity Amplified and Intensified podcast.