Cybersecurity: Amplified And Intensified

Episode 17 - No one cares.

June 23, 2021 Shiva Maharaj/Eric Taylor

Taxing ransom payments to help secure companies, why legacy systems are low-hanging fruit, and incident response.

Eric Taylor | LinkedIn
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com   


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Transcript

Shiva Maharaj:

This is the cybersecurity amplified and intensified podcast. Hey, dude, what's going on?

Eric Taylor:

Another day, another week of, you know, ransomware and security issues, and just the world that makes me want to turn into audio every day.

Shiva Maharaj:

Speaking of ransomware, what's your take on some of these newer groups, or older groups pretending to be new, claiming to be DarkSide and to have affiliations with REvil?

Eric Taylor:

It's really interesting, the fact that people are actually using the postal system to send a letter to potentially affected, or not infected, people, entities, saying, Hey, we got your information, blah, blah, blah, you pay or we'll go leak it all over the dark web. It's definitely not normal for anybody, really. I mean, that's really uncharted territory. I was thinking about it over the weekend. I don't know of any other ransomware group, or any other hacking group, period, that would actually use the postal system for that. And that's a whole new level of bold.

Shiva Maharaj:

I think it boils down to the fact that they are evolving faster than the defense can. And the second part of using traditional mail: I saw that they, or ransomware groups, are sending out USB keys, as well as FIDO keys or FIDO-type keys, like Yubico keys, to potential victims to try to get into the authentication cycle. Have you seen any of that?

Eric Taylor:

Yeah, so they are, you know, sending out, I think it was a Ledger or one of the hardware tokens, but they would send out a modified hardware token with soldered-on USB storage that would pretty much phone home. So when you entered your recovery keys, it would phone home, send that, so that way the hackers could, you know, essentially steal your cryptocurrency that you may have. And that's based off of, you know, actual information that's been publicized from breaches. So the whole postal system and everything: a lot of these folks really want to be anonymous, in every sense of the facet. Yeah, so everything's being done on Tor, everything's being done on the quote unquote dark web. And, you know, there's no tracing of it. But now you have people that are invoking the postal service, and potentially, probably, committing a federal crime. So, you know, while they try to stay out of the FBI's grasp as much as possible by being anonymous, it's almost like they're giving them the proverbial middle finger, because that is extortion through the federal system.

Shiva Maharaj:

But it's already extortion through the federal system just by using the internet, when you really think about it, because that's why it's wire fraud. Whereas if you use the Postal Service, it's mail fraud; two statutes. I don't know, wire fraud was more so today's version of mail fraud.

Eric Taylor:

But how's that wire fraud when you actually get somebody to knowingly send you money? You know, that's more of a scam or con job versus wire fraud, because those were, you know, I hacked into your system and transferred out of your account.

Shiva Maharaj:

Wire just means a cable, a line, like, got it? I mean, that's the loose definition of it. So either way, they are in the FBI's area of operation, or whichever federal agency, law enforcement agency, here. But what I think is really brazen, and I think you're right, it is almost a middle finger, saying, Hey, we are inside the wire, or we are using your resources inside the wire, against the continental US to do things.

Eric Taylor:

Yeah. So it's really interesting, the tactics that some people will take. Yeah, the quote unquote easy route, rather than actually doing something for a living. So yeah, it really goes back to when you're panhandling. It depends on where you are in the world or the country. You know, panhandling may or may not be legal; it's illegal where I live. But yeah, there's been all those documentaries where people just make gobs of friggin' money panhandling, where they don't have to work a job, you know, it's crazy. So I think it kind of goes along with that. It's just, you know, the whole email scams, as in, you know, pleasuring yourself, and I'm like, oh, send me the picture of the Snickers bar that I was eating. You know, you made the joke before: cool, put it up on Pornhub and then we can make a bunch of money off of that.

Shiva Maharaj:

Amen. If you don't show your face, I think you get like 15 grand; if you show your face, it's 25. It's worth more than the ransom that they're trying to get. But the other thing is, you know, something you said here, it's like panhandling, begging, versus a real job. I think that's a common misconception. This is a real job for some of these people. You know, they have affiliates, they have horizontally and vertically integrated systems and people that come and attack. And one of my concerns is, I think we're in one of those lulls all over again. You know, we talk about it all the time: they go dark for a week or two, and then it's a tidal wave of attacks. And with the seeding of all these USB keys, I have a feeling it's just getting started.

Eric Taylor:

Yeah, I mean, we've talked before about the changing of tactics. You know, are these the folks that are openly hacking into networks and changing their tactic just to do something different? You know, the aka, we're pivoting to a new methodology. Or is it just some meathead somewhere in a basement trying to friggin', you know, capitalize on any of that? I don't know. The one thing that was interesting, especially about the DarkSide doppelgangers, is they sent out a single Bitcoin address to everybody. And thankfully, nobody bought in. Nobody, at least last time I checked on Saturday, nobody has made any transactions to that wallet. So thankfully, people are being a little bit smarter about some of this stuff. I'm curious if the FBI is really getting involved, by the sheer number of things that were mailed. I'm not sure if that meets a threshold.

Shiva Maharaj:

Well, what about, you know, them putting out a single Bitcoin address makes me think of one thing: the FBI recouping some of that Colonial ransom. Is this the group putting that address out to see what type of probes and tactics are going to be used against it, so they can map a response from the FBI or whomever?

Eric Taylor:

That is an interesting thought that I have not entertained. Yeah, I mean, the money is supposed to be decentralized, right? So how can they really seize a Bitcoin wallet address? Yeah, I know they had the DarkSide one where they recovered, but there's speculation where somebody, either the CIA or NSA, whatever, potentially hacked one of the end users of the group and was able to steal that hardware token key.

Shiva Maharaj:

From warrants, or court paperwork, that's been released or unsealed, it seems like someone in the alphabet soup got access to the server that stored the keys for that wallet. So that was a human failure on the part of the ransomware guys that, again, the alphabet soup was able to capitalize on and recoup some of that money.

Eric Taylor:

Windows Server 2003, they were using?

Shiva Maharaj:

No, that's the New York law center. And, you know, all of our colleagues, they love this MFA bandwagon: Let's use MFA, MFA will protect you, MFA will do everything. But no one seems to be talking about the fact that the New York law division or center, whatever they call themselves, was running on Server 2003. End of life, end of support, 2015. So that's a system that hasn't had a security update in six years. And I'm willing to bet they're not even on the most up-to-date version of Server 2003, because that would make too much sense. Right?

Eric Taylor:

Yeah. I mean, you and I were talking about this, and I had to double check to make sure I was correct. But you can't put MFA on 2003.

Shiva Maharaj:

Yes, you can. All of our colleagues said it would save them. Okay, is a tech international standard approving MFA for Server 2003, when MFA probably wasn't even a thing then? Alright, obviously. Loser.

Eric Taylor:

With that stuff from when I was a kid, loser anyway. But yeah, I mean, you can't even tie it to Azure. So can you do a hybrid and leverage Microsoft authentication? Yeah, I wonder.

Shiva Maharaj:

So there's so many things that go through my head, like, how the hell did they even get to that server? Was it exposed to the web, you know, or do they have an SSH server that was potentially... A VPN seems to be the access vector: a user's compromised credentials were obtained, and they got to the box, or the network, via the VPN. And New York's version of Cyber Command saw something in this and started shutting things down.

Eric Taylor:

So they got past the VPN, got to the box.

Shiva Maharaj:

They were on the network, yeah, before they even knew they were on the network. And by all accounts in the public media, they were corralling information or data to be exfiltrated. And then the agencies expected the system to have been crypto'd. So once they saw that data being put into a centralized location, feasibly on their network, that's when they shut everything down.

Eric Taylor:

I mean, I guess it's good that they at least caught it before it got too bad. But it's still a major failure, you know, we talk about this all the time, especially when we're having the discussions about CMMC and, you know, NIST 800-171. You know, this is a failure of logging at a firewall level, you know.

Shiva Maharaj:

Let's talk about CJIS. You know, CJIS and HIPAA are my hard-ons in terms of compliance, because they are failures; they don't actually do anything. How are you CJIS compliant if you're running Server 2003 without MFA? Let's just say, for the sake of argument, you could actually put MFA on that bad boy. Now, who signed off and said they acknowledge and accept that risk? Secondly, how much money did they spend maintaining the Server 2003 architecture? And wouldn't that have been better spent, and probably cheaper, or the same price, as updating along the way?

Eric Taylor:

I would imagine it's cheaper in the long run, you know, especially when you have an incident like this, because the amount of man hours that are being generated just to comb through logs to make sure there was no data exfiltration, and, you know, that everything is at the status quo, has got to be extensive, right? So I can't even imagine. I mean, is it possible that maybe that was just one of the domain controllers still in the network? Why is it even still there?

Shiva Maharaj:

By all accounts, they say the system runs on Microsoft software from 2003 that was end of life in 2015. Now, the other interesting part of this is New York has what they call the SHIELD Act, and they define a breach as unauthorized access. What happens to the law department now, when they failed their own system?

Eric Taylor:

When did they pay the ransomware guys?

Shiva Maharaj:

It wasn't a ransomware. Nothing was triggered. They caught it while the data was being, I don't want to say manipulated, but while the data was being collated and put into a form where it would probably have been exfiltrated. Now, you know me, I'm a skeptic here. I think once they get in, they start pulling data out. I don't see any utility in corralling that data and then doing one massive data dump. It's far easier to hide that in everyday traffic, as we saw with SolarWinds.

Eric Taylor:

Yeah, as long as you've got time, because, you know, there's still the two ransomware types of mentalities: either get in, spread laterally as quick as possible, drop your payload and boogie, or, you know, they have several weeks to slowly exfiltrate their data so as not to set off alarms, and then drop their payload. You know, with SolarWinds, we keep hearing where they keep pushing back the timeline of when they actually got into the network. I think the last one was the middle of last year. Now maybe, you know, that...

Shiva Maharaj:

I know the timeline goes back to, I think, the middle of '19, so early '19 plus. By the time, if there's ever a day where the SolarWinds saga has been identified, we're probably going back to, I would say, '15 or '16, realistically, because you have to put human capital in place to do a lot of these things. I don't think you could do all that over the wire.

Eric Taylor:

No. I mean, so when we talk about SolarWinds, and everybody has been so quick, even to this day, to say Russia was behind it, I still haven't seen anybody really come out and say it was Russia. I mean, except for Biden, you know, and I think...

Shiva Maharaj:

Russia is the perfect scapegoat. Now, I'm not saying they didn't do it, but they are the most obvious choice, because there has been a lot of speculation that these groups operate out of Russia. But as we saw with SolarWinds, you know, they were going to US-based IPs, they were going to Azure and AWS infrastructure; there wasn't anything going back to Moscow or St. Petersburg or any of the other cities over there. And in March of this year, I want to say there was a report that 10 other groups were inside of SolarWinds, and not just the, well, what do they call them now? Nobelium. And the Nobelium group was the same group from SolarWinds, but there were a couple of different APTs in there.

Eric Taylor:

That's just crazy. You know, that a simple payload, and then they just pretty much, you know, further out the access to the different things. So, you know, when you're in that long, you're like, what could go wrong, right? I mean, frickin', you know, drink all the booze and hack all the things, right? So, well, the...

Shiva Maharaj:

Beautiful thing, and I hate to use that word for SolarWinds, is the amount of patience that was demonstrated. They knew how to get around sandboxing, to ping live IPs that were not redirected to internal IPs of a sandbox. They knew to wait two weeks before launching, so it doesn't get raised. So that, you know, these guys compromised the code signing, like they went straight to the root of what Orion is or was. And I don't think we're ever going to know the real impact, whether it's classified or whether the alphabet soup ever even figures that out.

Eric Taylor:

And to the best of my understanding, SolarWinds is still allowed in all DoD infrastructures, as long as there's an air gap situation, which takes away the purpose of SolarWinds all around.

Shiva Maharaj:

You know, the problem is, in the beginning they said, Take it off the internet, don't let it be accessible. But if something has been that compromised for the entire time, it's created other jump points into other boxes. I told you, I know of a vendor in God, the alphabet soup, civilian government, everything, as well as private companies and international governments and companies. And they have been popped, and their products are now jump points into anywhere they're plugged in with an IP. And this is all because of how procurement works, right? Here's a question for you. Your thing is incident response. How many times have you gone into a situation that started off because of a legacy system that got hit?

Eric Taylor:

A lot. I mean, we're still getting, even to this day, Exchange 2003 boxes with OWA that were compromised.

Shiva Maharaj:

But that's okay, because the FBI will patch those for you. If it's anything Exchange, they got, you know, especially if you're in Texas.

Eric Taylor:

Exactly. But, you know, we see it all the time, especially in the manufacturing industry and services industry. There's a lot of custom-built apps that are created for these industries, and a lot of these legacy manufacturing operations or operational machinery that is used for that. And it's really crazy that that happens. I would have never thought, until I got into IR and really started digging into some of these things, that this world would be there. You know, you would figure in today's age there'd be people creating software to do this stuff. But there's not.

Shiva Maharaj:

You can't create software for people who are too damn cheap to spend any money, right? And I don't care what anyone says about landing a Windows XP machine; there's always access, there's no such thing as a real air gap. And if you're running a legacy system, I created my own hashtag, legacy system: legacy means you're too damn cheap.

Eric Taylor:

I mean, I want to push back on that a little bit, because I know some systems that are in some networks; they're not too cheap to pay for the likes of me, but to actually overhaul their entire infrastructure and the machines that run that business would put them out of business when it comes to actually competing with third world labor markets. And I think that may be part of the problem we talked about before.

Shiva Maharaj:

Here's my pushback on that. They come to you because they have a direct need. They fucked up, they got popped, and now they need Eric and Barricade to save their ass. And they typically have to pay that ransom because the company they had doing their backups didn't do backups, or didn't do effective backups, right? But how many of these companies have a really well built out IT department? Probably none. And if they don't have a well built out IT department, what's their security department like?

Eric Taylor:

They don't have one?

Shiva Maharaj:

What's their CISO like, other than the guy who got the title because they needed it for a checkbox?

Eric Taylor:

I mean, most of these companies don't even have, or are big enough to really consider having, a CSO. Yeah, and that's really where, as much as I hate to use the term, the virtual CISO, you know, really comes into play with some of these folks. But it's, I don't know, man. You really find these companies that have, you know, one guy, just like we see with the quote unquote pizza techs, that knows a pretty good bit about IT, and they become that person, and then they hire one or two of their friends that know a little bit, like, but that they sat around with, you know, you've got a couple of beers and smoking some meat.

Shiva Maharaj:

You know. And then one of the best IR guys I know smokes meat on the weekend. And by meat, I'm talking a Traeger grill. Get your minds out of the gutter, people.

Eric Taylor:

Yes. I love that Traeger grill. Holy moly.

Shiva Maharaj:

So, connected to the internet?

Eric Taylor:

No, I do have the capability. But no, no.

Shiva Maharaj:

Good, man.

Eric Taylor:

I want to, though, just so I can monitor the temperature. But my...

Shiva Maharaj:

I guarantee you there's some legacy system built into that bad boy. Of course it comes from China. Oh, then it's safe, they would never put secret chips in anything. That would never happen.

Eric Taylor:

Supermicro, boy.

Shiva Maharaj:

Going back to incident response here. When you go in and it's a legacy system, what's the first thing that you do?

Eric Taylor:

Those legacy systems, we've got to figure out exactly what it does. Yeah, I mean, and then we've got to figure out, you know, once we isolate and contain, make sure that that legacy system is actually stable and we can be able to use it. You know, we have to put it in its own VLAN, and, you know, put in ports that can only cross over to that machine, box, for whatever reason. Then we try to figure out, is there a way that we could actually replace that legacy box, that legacy software?

Shiva Maharaj:

Now you're talking about VLANs here. And I know a lot of these companies won't spend for the good Cisco, the good Palo, like the good stuff, right? A lot of these guys are slinging UniFi, MikroTik, dumb switches and the worst of the worst. And you and I had this discussion once, I think, and your preference is to actually put these legacy systems on a physically separate LAN, because of how poorly constructed and secured they were from the beginning. What's the response like from your clients when you tell them, Hey, you guys just got popped, it's probably the legacy system, let's invest 500 bucks on a brand new switch to physically separate this? What's that conversation like?

Eric Taylor:

They're normally pretty open to it. I mean, here's the real crux of the situation that we always find ourselves in, you know, we've talked about this numerous times: we come in as incident response, you know, and we'll talk to the IT folks or whatever, and it's always, oh, we didn't have the budget, we didn't have the budget, we didn't have the budget. And then as soon as they get popped, their wallets open up for at least six, eight, twelve months, where they're willing to put in some stuff. But then it goes back to the way it was before, and, you know, budget cuts and everything like that. And we always have to have that round robin, like, you remember a year ago? You remember two years ago? How much you were down, how much it cost you? You're subjecting yourself to this.

Shiva Maharaj:

Where does that money come from? Because the insurance company likes to reimburse; they don't like to give you an open purse string.

Eric Taylor:

Well, let's talk about insurance for a minute. A lot of companies that we deal with, they have a cybersecurity policy, but not alone; it doesn't work very well. You know, it's much like your home insurance policy. You know, it doesn't cover flood, it doesn't cover, you know, tornado, hurricane, wherever you are, you know, whether you get earthquake insurance or whatever, in an undisclosed location from hackers. A lot of these insurance companies will not pay a ransomware fee. A lot of these insurance companies will only pay for our initial diagnostics of how did this thing happen. Yeah. And companies have got to be careful. That's the one thing: as soon as I hear they have a cybersecurity policy, literally all work stops. It's like, alright, we need a copy of this policy, because we've got to go through and see, you know, who is on your panel, and are we able to work this thing?

Shiva Maharaj:

What, you don't like working for free in the hopes of one day maybe somehow getting paid?

Eric Taylor:

No, I believe in a capitalist system. You know, my kids don't eat and drink off of hopes and dreams.

Shiva Maharaj:

Is there a balancing point for the insurance company of paying that ransom versus paying for the remediation? Or do they just pick one way and go that way all the time? And to put this into perspective, let's say, and I'm using specifically low numbers here because I don't want to scare people away, let's say the ransom is $1,000, and the remediation, or your services, would be $1,500. Would the insurance company rather pay you that $1,500? Or would they rather pay the ransom of $1,000? And let's be honest, you know, both costs are significantly higher in real life.

Eric Taylor:

Exactly. Nine times out of 10, they're not going to pay the ransom, because it's not in their policy. And a lot of insurance companies will deem that as an act of terror against a business, and they don't have, you know, that put into their policy. A lot of companies will think, Oh, this goes under my general liability or my errors and omissions, because, you know, we mistakenly omitted putting in a certain security. And I've had customers actually fight that tooth and nail with their insurance companies about that. And, you know, they end up losing it. But it kind of is what it is; they don't have the policy. So they need to really spend some time beforehand knowing exactly what their policy covers and what it doesn't cover, and go through, you know, we talk about this all the time, just doing an incident response or a disaster recovery. And I want to take that one further, like, what happens if A happens? What happens if B happens? And put ransomware as part of C, D, whatever that scenario is. You know, what if? What happens if you get hit with ransomware? You know, it's like I say to a lot of customers: okay, I'm going to pull a box truck up out front, I'm going to come in, unplug everything, throw it into the box truck, lock it up, and you can't get it until you pay me money. That's essentially what you've got.

Shiva Maharaj:

Now, when you're doing these IRs and you're dealing through insurance, is it getting to the point where they're practically giving you a playbook of what you should be doing, otherwise it's not going to be covered?

Eric Taylor:

Some policies, yes. Some of them, we literally have to, you know, go through hoops and really put together our invoicing in a certain way. Like, we've got one right now where they would pay for the remediation, but they won't pay for the negotiation. They won't pay for the Bitcoin, they won't pay for my services to decrypt. But the actual rebuilding of the network, putting in a new domain, putting in the new everything, they'll pay for that, which is like rebuilding a house after a fire, right?

Shiva Maharaj:

Exactly. Who pays for the non-covered items?

Eric Taylor:

The client does, the entity, the business.

Shiva Maharaj:

And that goes back to my question: where do they all of a sudden get this seemingly unlimited pocketbook from?

Eric Taylor:

I don't know. I mean, I'm suspecting they have cash on hand, or they're accessing a line of credit, because they always act like they're cash poor. But when it comes time to pay the ransomware, they end up finding it pretty freakin' quick.

Shiva Maharaj:

Have you ever done any kind of study or comparison on what it would cost them to have been secured effectively, or enough to a certain level, as opposed to having to go through and pay for this incident? Because you have your fees, you have what the insurance will cover, and then you have the ripple effect after the incident, and the insurance company has dealt with that specific incident: you have increased premiums, loss of coverage, you have your loss of business. What's the balance point of doing a good job all the time versus having to go and remediate? Not for you, but for these clients.

Eric Taylor:

That really is a case by case scenario, unfortunately. These businesses, it depends on how impacted they are. You know, if they had a really good backup and they got hit with ransomware and they got back up and running in 48 hours, they're like, yeah, whatever.

Shiva Maharaj:

Right? So how often is that the case? A good backup getting them up and running, and let's give them four days. Let's give them three days.

Eric Taylor:

About 2% of the time.

Shiva Maharaj:

Okay. So there is a chance.

Eric Taylor:

There is a chance. It's very minimal, but there is a chance. You know, I guess if it's a, I don't want to use the term lightly, but a public-facing company. Take, for instance, a medical practice. You know, you are interacting with the public in a very high capacity and very high efficiency way, to inappropriately use words, a high frequency way. Then you're going to have a level of impact that's a lot greater than a used car salesman type of facility, right? So they can just easily pass it off: our systems are down for a couple of days, they do things by phone or by paper, they'll get by, you know, and be able to recover somewhat from that. But a medical practice, you know, when you can't pull up your medical records to do your consult post surgery or post incident, or, you know, you're going to another specialist and they need to fax over the medical records or email them to some god-awful multi-tenant Gmail account, they can't do it because of the ransomware.

Shiva Maharaj:

They can, because there's a good chance all that data is already on the darknet. So they can get their own patient data as a service out there.

Eric Taylor:

We actually had one a while ago that wanted to wait until the information was posted on the dark web, and we download it all and give it back to them. I'm like, no, I'm not doing that.

Shiva Maharaj:

How many times have you seen that in the medical field?

Eric Taylor:

Where they wanted me to just download the compromised data?

Shiva Maharaj:

No, that, really, is this laissez-faire attitude of not giving a shit about security and thinking it's okay for their patients' data to be in the public. I mean, you know, we're talking Social Security number, we're talking health data, biometric data. And these are all things that enemies of our country will use to profile people. You know, you're a vet. You've gone, I'm assuming, you know, you've had interactions with the VA. And I'm assuming you've also had interactions with private doctors that are not a part of the VA system. And the argument can be made that your private doctor is probably going to be targeted more, because there are going to be service members who go there, for scheduling purposes, or maybe, you know, they are top physicians in their fields. And now this is all sent data.

Eric Taylor:

Yeah, I mean, just to be clear, most, not all, but, you know, most private medical facilities, I would say five practitioners and under, really don't care. You know, it's really the whole, we don't care about HIPAA, for the most part. It's a...

Shiva Maharaj:

Well, did you know that Gmail gives them free email service to use?

Eric Taylor:

Yeah, yeah. But no real protections. They don't care. You know, I think the ransomware incidents are much like the HIPAA answer, and say they see it as a minor blip in the grand scheme of the overall practice.

Shiva Maharaj:

What happens when these guys come around for a second bite of the apple? And this is something you and I discussed with one of our previous guests, maybe about a month ago, asking if their SOC service has been seeing this second come-around. And now, at least the news articles we are exposed to are talking about companies getting hit two, three times. Look at Carnival Cruises, that you posted a couple of days ago: they had four data breaches in the last year and a half, two major. What are you seeing there in terms of incident response? Are you seeing the second bite at the apple?

Eric Taylor:

I'm seeing a lot of it. And I've actually got some friends that go routinely on cruises. And, you know, I reached out to them over the weekend. I'm like, so do you use Carnival? Like, yeah. So I talked to them about this. And I think this really goes to the heart of it: they don't care, because all of their, you know, their stuff is backed up by the bank. So if, you know, their credit cards got stolen, I know my bank, and most of the banks I've ever dealt with, at least recently, you can walk in and get a new card, you know, same day; you file a paper and you can get your funds back within, you know, and it's really weird that. So I mean, for a medical practice to be compromised, I don't think most people will care, because you and I talked about this before, and I think it was you, or maybe one of my friends that I was talking to over the weekend, they're like, Oh, well, you know, Equifax has all of our data. So why should we care about CVS? Or why should we care about Carnival and everything? I'm like, look, you need to take this from a 30,000 foot view. It's like, okay, what if one hacking group has all of Equifax's data? Now they're able to get their hands on Carnival, they're able to get their hands on CVS and all these other ones. And they start correlating this data to fill in any pieces that they may be missing, or confirm pieces that they already have.

Shiva Maharaj:

You know, I look at it as they're building targeting packages on everyone. And they may not want to target you, but there will be a targeting package on you if they really start cross-referencing all this data. Now, in terms of that second bite at the apple, how are the insurance companies handling the IR there? Because I'm assuming they're gonna say something along the lines of, hey, we paid for this not to happen again in the remediation. What gives?

Eric Taylor:

Exactly. We had a couple of them where they came back to us, but eight months later they got popped again, and their insurance company's like, well, what did you do differently this time around to prevent it? Then they're hemming and hawing, and they didn't take any of the recommendations that we had.

Shiva Maharaj:

How many times do they blame you?

Eric Taylor:

That one tried to.

Shiva Maharaj:

Let me qualify that statement. How many times do they take the money from the insurance company, they pay you for some form of service to remediate, manage, you know, whatever we want to call it, the insurance stops paying, maybe they'll carry you for an extra month, but you and I both know, once they have to start paying, they cut that bill as much as they can. How many times have they blamed you? And how many times did the insurance company believe them, or need something from you to prove that you weren't derelict in what you were doing?

Eric Taylor:

Whether the customer blames me or not, the insurance company always wants information from me, whether we are the current provider of security services or not. They always want to know what our recommendations were, were those recommendations put in place at the time of termination, and who was responsible for maintaining those recommendations going forward. And we've had two former clients that got popped again that tried to blame me for not putting together or putting in place the recommendations that we did. Like, we recommended that. You said you had your own internal IT that would handle it; we just needed to make recommendations. Here's the email communication. I don't want...

Shiva Maharaj:

You notified internal IT that Webroot does not count as protection. It's like drilling a hole into a condom and then trying to use it.

Eric Taylor:

Yeah, but they have DNS filtering now.

Shiva Maharaj:

Yeah, so the ransomware groups are more sophisticated than anything we have going on. And they're far more coordinated. You don't do what these guys are doing by being an idiot. It's well coordinated. And there's, yes, there's a financial component. But there's also a component of, I keep saying this, breaking the hearts and minds of the American people. Oh, yeah. I mean, you keep chipping, you keep chiseling away at something, it's going to give.

Eric Taylor:

Yeah, something's got to give, right? I mean, we've seen some articles that I haven't really discussed today, but you know, where ransomware is expected to be at an all-time high this year compared to last year. You know, I can safely say that the first six months of this year of our business, and what we've done, has already exceeded what we did last year, and it's just crazy.

Shiva Maharaj:

Qualify that. Is it because you're building a better reputation in the industry? Or is it really down to more incidents, or both?

Eric Taylor:

So I think it's a little bit of both, at least for me and, you know, the company, Barricade, right. So, you know, we're building better relationships with other IR firms, you know, because we are a smaller company. So we're not as big as Coveware or Kroll, you know, some of these other ones, just to drop names. But

Shiva Maharaj:

One thing that I really wish, and correct me if I'm wrong here: you're in the IR space, you came from managed services, you know, we probably started serving pizzas at one time, then we got into managed services, and now you're into the IR. And for those of you listening, IR is incident response. It seems to be more of a collaborative effort amongst your peers. And there doesn't seem to be any tearing down of each other as there is in typical IT services, where one provider thinks they're better than the other and, you know, mouths off about them.

Eric Taylor:

No, and I mean, the IR space, the penetration space, because I play both of those sides of the fence, right? And, you know, we all have, unless you're, again, name-drop, unless you're Kroll and you're Coveware or whatever, and you're just this big, massive company, a lot of us, even myself, even today, even when I was doing pen testing over the weekend, we all have imposter syndrome. Like, we're not supposed to be in this field, what are we doing over here? But we do really great work and, you know, our reputation is growing too by doing that. But, you know, we all feel the same thing. And thankfully, those who get into IR and start getting to, you know, start building a little bit of a name for themselves will build either a really good name or a really bad name really quick. You know, I mean, there's an exposé that, you know, we'll have to talk about one time, around MonsterCloud, where there was like one or two other ones, that was put out by ProPublica. Those guys are supposed to be the leading data forensics folks that will recover files. Guess what? All they're doing is negotiating and saying, hey, hackers, how much do you want for this key? And then they give the key to the clients and charge a premium for it. You know, it's

Shiva Maharaj:

just not a bad model. I mean, you're getting the data back, you're feasibly going around OFAC, which probably is not a good idea. Everyone's got some kind of racket that they're going to run. But the guys that are doing that, what are they doing to harden the systems? Because I know you, even if you are contracted to negotiate a ransom, I don't think you're the type of person that would go into an engagement that doesn't deal with hardening the systems, at least while you're in there, so that it doesn't happen again. I'm not saying it won't happen again. But I know you're not going to leave them there.

Eric Taylor:

No, no, we have had a couple of recent engagements where we are only doing the negotiation and processing of currency over to the hackers. But we do strongly try to get into the hardening, into the recommendations, and, you know, the forensic side of things as much as possible.

Shiva Maharaj:

What's the barrier to entry for the hardening side? Because a company just gets popped. I know, and I've come across, companies who got popped and they still refuse to spend money. How do you deal with that when you're going into a remediation where, okay, you may not be contracted for it, but there's a chance someone else might be, right? And it's a shared workload. But there are going to be companies that say, we just want our data back, we don't care if it happens again. How do you deal with that?

Eric Taylor:

We just have to roll with the punches. You know, it really depends on how arrogant, honestly, the prospect is. You know, if they are just blatantly, we give zero F's about anything, I'll turn the work away.

Shiva Maharaj:

So you don't work with the medical field? Got it?

Eric Taylor:

Yeah, we just, we can't. You know, that really comes back, and I've talked about it before, I don't think on here, but at least privately: that's just like giving a drunk a drink. All you're doing is enabling. Granted, it's great for my bottom line, I made a little bit of extra money by doing a negotiation, but I didn't help a freakin' damn person. I just enabled them to be bad going forward. So what good am I serving when I do that?

Shiva Maharaj:

Where do you see, and this may be too early to tell, where do you see this whole industry of ransomware remediation and protection going if and when the insurance companies stop paying the ransom? Because I saw something over the weekend, and I didn't dig too much into it, maybe you did. Someone spoke about ransoms being tax deductible. Now,

Eric Taylor:

I did hear about that. I won't speak on that, you know, at least the tax deductible side. You know, I mean, is it an expense? I guess I will talk about it. Here we go. Yeah, it is a taxable event. You know, is it a deduction that, you know, you had to make? So should it be a tax deduction? Yes or no. You know, I think there should be a barrier to responsibility on that one, maybe. So, you know, if you want to claim a tax deduction on a ransomware, being able to show that it was by no fault of your own, or at least no mal-intent on your own. Anyway, what is

Shiva Maharaj:

that true in every ransomware incident remediation you've gone into? I don't want to put words in your mouth, but I will, so you don't have to say it: it's because someone willfully neglected to take care of their security, so they got popped.

Eric Taylor:

Yeah, and is it on the IT person? Or the, I wouldn't say

Shiva Maharaj:

it's the C-suite. And you know, in the SMB space, it's the owner, it's whatever their leadership is. They don't want to spend money, because everyone thinks having an employee that does IT means you have an IT department. And as we're learning, it goes so much further than computers now. We're talking about cybersecurity. We're talking about risk management, risk mitigation. There's no compliance, really, in the SMB space. If you're medical, yeah, you're dealing with HIPAA, but who gives a shit? Nobody does. FINRA seems to be the only one with any teeth out there, Sarbanes-Oxley.

Eric Taylor:

Remember, that's because they have the SEC, you know, really coming down on them, and that's something that's been known to have massive teeth, you know.

Shiva Maharaj:

Because there's a financial penalty, right? With HIPAA, you get a fine, you appeal it, and HHS forgets about it, moves on to the next idiot, and it's one big circle jerk. So,

Eric Taylor:

I mean, when you start talking about some of the stuff, it's like, okay, since we're talking about medical, to keep it all medical, you've got a small couple-of-practitioner office and they say, okay, you know, we need Johnny Sue to be able to do medical billing from home. Okay, how can we easily open this up? And the IT guy's like, oh, well, we just do this: 3389. But it's on the internet, they want to be really secure, so we'll change it from 3389 to 5487. And, you know, they'll change it on the internal IP, or the internal device as well, so it matches. Because, you know, because we're not on 3389, they're too smart, no one's gonna know. Exactly. So maybe the business owner thought they were doing all right, because their IT guy said, oh, we can do it this way. You know that the question always has to be, but how secure is this process? What are the risks by invoking this process?

Shiva Maharaj:

How long before insurance companies and business owners start going after IT companies for their mistakes, their inadequacies, their incompetence, their whatever?

Eric Taylor:

I think that goes back to gross negligence. You know, we talked about this. And, you know, legally, I can't talk about the company or anything like that, but we have a case that's probably wrapping up today or tomorrow where literally their entire network, all computers, workstations, servers, everything, was running KMSPico, which is a known software to bypass the Microsoft licensing. Yeah, and I mean, these are known to have backdoors in them, right? And I've seen it where we'll have Sumo Logic, or we'll have RITA installed, and we can see it beaconing back, you know, and opening up doors. Especially if you have a residential consumer-grade router, it will open UPnP and allow people to come in.

Shiva Maharaj:

But that's okay. It's the least you can do for getting free software. Let's be honest.

Eric Taylor:

Yeah, I mean, it's really stupid.

Shiva Maharaj:

But I really think we're getting to the point where you're gonna see insurance companies subrogate claims against IT providers doing a poor job. And where I think that's really going to come down to bear is when some of these companies are getting that second round of ransomware, and the IR guys, or the guys who are dealing with the remediation, are promising one thing and they're not actually doing it. Like, take you, for instance. There's a vendor, we'll leave them nameless for now, I've been raving about them for the last year, you're coming on board with them right now. How many people in our sphere won't deal with this company because they don't want to make that investment? But that investment's gonna pay dividends for your clients.

Eric Taylor:

It goes back to the old mentality. And I always keep saying, companies have got to do things as cheap and as long as possible until they're forced otherwise.

Shiva Maharaj:

You know how you force them?

Eric Taylor:

They've got to get breached. Everyone's getting breached. No one cares until you feel a pain point, until you feel it in your ass, that you've got a dog biting and nibbling at your backside.

Shiva Maharaj:

I figured it out. I've cracked the code. We can all go home. I know how to stop ransomware. Biden: any money that is spent on remediation, ransom, or anything like that should not be tax deductible. Aren't business expenses still tax deductible, though? They should carve it out, because you can do whatever the fuck you want if you're a politician; you can make a rule or law, whatever you want to call it. But seriously, if you make IR, or you make the ransomware, if you take away its ability to be tax deductible, a lot of companies will not pay that ransom. They would rather spend the money on the security, which is tax deductible. Yep. Or give the money you spend on cybersecurity, because you know fraud will never happen, a multiplier: you spend $1, you can claim a $1.50 deduction.

Eric Taylor:

Yeah, I mean, we've seen it before. I mean, think about the old days when we were growing up, because I mean, you're about the same age as I am, if I remember right. Yeah, at least down here, we always had those yearly vehicle inspections that you have for your car, going in for the emissions test, stuff like that. You mean when you go to the DMV, somebody would pay somebody 20 bucks for the sticker?

Shiva Maharaj:

Yeah, I know that.

Eric Taylor:

Yeah. So I mean, that will be kind of the same thing where, you know, some consultants that you know are out there will probably just funnel the cryptocurrency payment in through the consulting, so that way it's tax deductible.

Shiva Maharaj:

No, I think what you've got to do is, you have to get invoices from your vendors, line-itemed and everything. Here's what I've been paying for AV from this timeframe to this timeframe, my SOC, my this, you know, whatever the bells and whistles are. You allow those to be, well, they are tax deductible, but maybe you give them a multiplier. Maybe say multiply by 1.25: you spend $1, you can claim a $1.25 deduction, or $1.50. But if you have to go through an incident, none of that money can be deductible.

Eric Taylor:

Tax it, or repay it within the first five years. What do you mean, rebate? So if you go through, if you claim you're doing the methods, and you're just submitting whatever BS invoices or whatever, and you get popped within the first five years, you have to repay it.

Shiva Maharaj:

I think if you get popped whenever?

Eric Taylor:

Well, I don't want to put whenever, because, I mean, you know just as well as I do, these things change all the time, right? So, you know, the tactics and stuff like that could be new stuff that your current stack wasn't protecting you against.

Shiva Maharaj:

But there's the effort. And there's the fact that you actually invested into your systems.

Eric Taylor:

Yeah, that's what I'm saying.

Unknown:

Yeah,

Shiva Maharaj:

Right. I'm talking more about the guy that says, we're taking security, you know, self-attestation, in this case. The one time that hot, steaming pile of shit might actually make sense. You're saying you're spending all this money, you're doing this, you're doing that, you're checking your boxes, you're changing your maxi pad, you get popped. Someone comes in and audits you to make sure you actually spent your money on what you got your deductions and your multiplier for. And if you didn't, you get taxed five times what you say you spent.

Eric Taylor:

Welcome CMMC

Shiva Maharaj:

I don't think CMMC is gonna change shit. But yeah, I like it. I just don't think it's going to help anything. But I think that's what we need to get to if we want to stop ransomware: put the onus on the business owners, where it's in their best interest financially to protect their company, protect their data, protect their people, protect their customers.

Eric Taylor:

There's got to be an initiative somewhere. It's not a bad idea.

Shiva Maharaj:

No one else is going to do it. The insurance companies don't give a shit there, you know, who knows? Well, that too. But the insurance companies, they want you to self-attest, so that they can come and say, too bad.

Eric Taylor:

You said you wanted this stuff.

Shiva Maharaj:

Exactly. I mean, I told you, we have clients where we fill out the questionnaires for the insurance policies, and we send them all the documentation backing up the answers to those questions, and they get so pissed off, because we make it very clear: this is why I answered this question in this manner. If you have any questions, please let us know; if it's insufficient or doesn't answer the question, please let us know. So now we're putting that onus on them. They fucking hate it. But you know, this goes back to my thing with making it punitive on the business owner: put the onus on them to secure their house. If they don't do it, tax the shit out of them. I think we're good at doing that. But you know, governments get that right: tax the shit out of them if they don't do what they say.

Eric Taylor:

No, they say that the US has the most complex frickin' tax laws known anywhere in the world.

Shiva Maharaj:

You know, if you understand them, it's probably a benefit to you. If you don't understand them, it's probably not. But at the same time, what I'd like to do, and if you're game for this, is create a little miniseries around incident response, because I think you have a wealth of knowledge and experience that would help people. And furthermore, you know, if you guys have an incident or you have something brewing, whether it's an insider threat, or you just want to test your systems, I highly recommend Eric at Barricade Cyber, and it's barricadecyber.com. You can find them on LinkedIn; "ransomware," I think, is your username on LinkedIn. Very original, I'm sure. Even the bad guys wish they got that one. And it's barricadecyber on Twitter. And I don't know, how else do they get in touch with you when they need you?

Eric Taylor:

Call 911, say I want to be directed to Eric, and I'm just going

Shiva Maharaj:

to get you a 911 email address.

Eric Taylor:

Do that that'd be awesome.

Shiva Maharaj:

That would be, you know, maybe that's our project for the next week: get Eric a 911 email address that you guys can use if you are mid-incident or post-incident, or, hey, it's okay to test your systems and make sure you're doing it right. Eric doesn't want to take your IT guy's business. That's me. What Eric wants is to make sure you guys are secured, and he's more than happy to test it for a few Bitcoin here or there. Maybe that's it. It ain't free.

Eric Taylor:

Bitcoin. All right, everybody, thanks again for joining us for another episode, a tip of the spear, monkey. As always, please subscribe to us on the podcast at amplified and intensified dot com. Subscribe to us here on YouTube if you like the video side, and give us a thumbs up, give us a comment on your favorite social media of choice, and let us know how you liked the show

Shiva Maharaj:

if you want to hear from us. Thanks again for joining us for the Cybersecurity Amplified and Intensified podcast.