Cybersecurity: Amplified And Intensified

Episode 18 - Building trust without trust.

June 28, 2021 KONTINUUM

On this episode we begin to talk about the difference between zero trust and zero knowledge, ransomware groups going dark for the moment and recent tactics and techniques.

Eric Taylor | LinkedIn
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com   


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj:

This is the cybersecurity amplified and intensified podcast. I think you record a little too late. You missed out on that one.

Eric Taylor:

I think it was like, every time I hit record, we're laughing or we say something and we start laughing. What the hell? Oh, man, what's going on man that another week. Surprisingly, it's kind of slow. But I do know we were talking before that, not really much to talk about. But I want to stress, I guess we actually had a family incident. And it happened to me a couple weeks ago as well. But an old trick that people are starting to use when you're trying to sell stuff online, is you get your Google Voice number ported over to them, it's been a big scam that's going on swear. If you're not familiar with it, you'll be selling something on Craigslist, or Facebook or whatever. And they're like, Oh, you, we need you to authenticate that you're a real seller, or we're gonna report you as a scam. And they will say, okay, you know, you'll get a Google Voice that will come up Google Voice authentication will come over. But you'll get a Google Voice number that will come over our Google authentication code for you to verify. And then you're essentially giving somebody the ability to mimic your phone number. I haven't seen if anybody's trying to port numbers away or anything like that. But it's definitely a huge scam that's going on for quite some time. Now,

Shiva Maharaj:

I saw what you posted in our Slack about it maybe a week or two ago. With more people moving to MFA, and using text-based MFA, I think we're gonna see a lot more of those vectors of attack. I'm happy that people are using MFA. But there are better ways to do this, you know, even if it's a TOTP code, or Duo. Duo offers a free version for consumers. I use it. I have, you know, my personal stuff there. And I have my professional stuff on the other side of Duo.

Eric Taylor:

Yeah. So I guess I'll go into what we're going to talk about, eventually, it's just a zero trust work. You just don't trust anything anymore. You know, I mean, you really can't, the, if you start getting weird notifications from platforms have to authenticate. And you personally did not request it, you shouldn't really trust it, you know? Absolutely. And you're going to, as I said, you're going to see a lot more of this.

Shiva Maharaj:

I don't know if you saw the link I sent over earlier, Microsoft signed off on another piece of malware, this time for Halo. So last week, it was their customer service system. This week, it's Halo, and it underscores how much we need to start moving to zero trust, zero knowledge architecture. And, oddly enough, the only way to begin trusting systems is to stop trusting them.

Eric Taylor:

Yeah. And I mean, for those who don't understand that don't know where you are in this world, yet. Zero trust and zero knowledge are really two separate things. You know, zero trust is, you know, from us from the tech, the technologist, technologist, yeah, the technologists, we don't trust anything, you know, it's no longer trust, but verify it's trust and verify, right, and zero knowledge is your vendor has zero fucking knowledge of what the hell's in your tenant.

Shiva Maharaj:

But let's be honest, almost every vendor out there can reach in and touch your data to some

Eric Taylor:

degree, you know, a number, that's really where, you know, FIPS and FedRAMP is really supposed to be separating the boys from the men, if you will, around that whole scenario where they, they are going through some sort of proof saying that they have a segregation data for clients or for their client data. So like, my data can't be seen, you know, by a vendor, you know, it's not sitting right next to yours and some hybrid SQL database.

Shiva Maharaj:

How many of your vendors are actually zero knowledge? I'll tell you the answer for mine. Not enough.

Eric Taylor:

No, yeah, there's definitely not but I think I got only two right now. We're going still going through a bunch of stuff, you know, and it was really alarming cuz we were just having this conversation in slack. I really thought LastPass was more advanced than what it is. Yeah, I thought they were FIPS and

Shiva Maharaj:

elite SOC. Modern client standpoint. Correct. Not a emotionality.

Eric Taylor:

Yeah. So when you get close,

Shiva Maharaj:

I think a lot of these guys don't play in the federal space because they don't want to have that level of oversight. And also, whether a vendor wants to admit it or not, the value of the data they collect from their users is far more valuable. And having that zero knowledge architecture prevents them from data mining you and selling it to advertisers or any number of companies that want your data.

Eric Taylor:

It's more of an infrastructure build out to you have to make sure that all of your tenants are in no way shape or form multi tenant in any way, shape, or form.

Shiva Maharaj:

Well, you can be multi-tenant, I think. Look at Sumo Logic, who we both use. You have to go in and give them access to the tenant to come in for support. Datto RMM, they collect what they call level zero data, which is the type of computer, the type of processor, or generic data. But what's it like, the metadata or whatever, not even metadata, you know, what type of processor, Intel, what version of the processor, that kind of stuff, SSD or not. But if you want them to be able to come into your tenant and actually do anything and operate, you have to give them, you have to explicitly grant them access. And those are probably the only two vendors I have, from a zero knowledge standpoint. I don't know about you, who else do you have?

Eric Taylor:

40 minutes, zero knowledge Microsoft is supposed to be now Microsoft can come

Shiva Maharaj:

in and get whatever they want, quite honestly, when you're talking about 365, unless you're going into GCC, GCC High.

Eric Taylor:

Yeah, that's what I'm referring to those ones not the junior I should have elaborated, definitely not the generic 365 tenant that most people get

Shiva Maharaj:

most of the CSPs. And for those listening, CSPs are who we as providers buy Microsoft licensing from to resell to you guys. So you have Microsoft, then you have the CSP, then you have us, the indirect CSP, and then yourself. So you have three levels of people that can get into your tenant. Now I know Eric and I, we remove the CSP's ability to log in to the tenant to see data.

Eric Taylor:

I don't like it. Fuck them.

Shiva Maharaj:

If they don't, if if they don't like it, get into a different business. Because why am I going to give a CSP access to my clients data and tenant when I don't know who the hell they are?

Eric Taylor:

It's just, you know, I was having a big argument about it. You know, in the CMMC class meeting a week or two ago, I flat out slammed Pax8 over it again. They're like, well, we need to have admin access. No, you don't. They're like, oh, we need it for licensing? No, you don't.

Shiva Maharaj:

Dude, I have been selling Microsoft 365 licenses for four or five, six years now, I don't even know at this point. In those five or six years, I have only ever opened up a support ticket once. And I was with Pax8 at the time. And their 24/7 support wasn't 24/7 that day, I guess. I ended up solving it myself. But my point there is, if I'm opening one ticket across 5300 licenses in five years, why do they need delegated admin access, or any CSP, not just to pick on Pax8?

Eric Taylor:

It's interesting to see them talk about it, you know, they're trying to justify it. But if they need access, we'll do just like we do with Datto and everybody else, you know, we'll grant you access for as long as the ticket needs to be worked on. And then you get removed again. It's not that hard. But why do they want it?

Shiva Maharaj:

Why don't they want to do that? What are they going in and doing? Because I remember, I was using Perch Security once upon a time and I got an alert that kicked off of a new login to one of my client tenants. When I looked, it was an Arrow, because that's who Pax8 used at the time, user logging into my tenant. When I opened a ticket with Pax8 to find out, they said we just wanted to go in to make sure your Azure AD was provisioned properly. Are you telling me they couldn't do that from their own telemetry and dashboards?

Eric Taylor:

I think before Pax8 really got big enough and got their big boy britches on and could become their own direct CSP, instead of using Arrow, they didn't have a way to really do that. But now that they are a direct CSP with Microsoft, they have access into the Graph API.

Shiva Maharaj:

But when Arrow is much bigger than Pax8, they should have had access to that API to make sure that Azure was provisioned.

Eric Taylor:

I don't know if that would have, you know, their integration or collaboration or whatever with Arrow gave them that visibility and insight. There's a lot of back end stuff that we just don't know.

Shiva Maharaj:

It was an Arrow email address that logged in.

Eric Taylor:

Yeah, cuz they had to use Arrow to do it. Right.

Shiva Maharaj:

Right. But you know, my question is, why do you need to do that? If you guys are just giving me licensing, you don't need to get into my tenants. And as you said, you had that conversation with them a week or two ago, and they told you they needed delegated admin access to provision licenses, which is completely untrue, because I pulled all delegated admin access from CSPs three, four years ago, and I've been provisioning licenses like no other. Yeah, I'm gonna file that under What the fuck?

Eric Taylor:

I'll follow him on our giant pile of bullshit. But yeah, there's

Shiva Maharaj:

a CMMC coming along, because that is directly related to what zero trust and zero knowledge should be

Eric Taylor:

is a very, very slow process. It's a lot slower than even I anticipated, you know, um, you know, we both know but I'm part of a group of other security minded folks that are they are though they are I mean, most I do think there's a couple people in there that are like, well, what are you doing in here, but to be nice, most of them, you know, they want to better themselves. I really feel you'll because I'm not really in the MSP space anymore, right. So you know, I feel a little out of place in that group. And it's kind of good and kind of bad because

Shiva Maharaj:

Oh, you get to see the dark underbelly of incompetence? Well, some of them I'm not gonna say all because I don't know who's in that group. But

Eric Taylor:

I wouldn't say incompetence. But I would say educated. Yeah, lack of knowledge. You know, you know, we've had Brian on Brian Weiss on here before and I still beat him up all the time. I'm like, What are you doing? Brian? Shut up.

Shiva Maharaj:

But Brian's Brian's got he's come a long way. And he has a lot of good things. You know, I speak to a mom on chat sometimes. And he's, he's got some interesting text that really makes sense. from a security perspective. Here's a question for you. And it goes back to CMMC. All these companies, all these msps that are aiming to become CMMC certified? Are they even in the DMV space?

Eric Taylor:

I don't know. I don't think so. You know, I know in the group that I'm in, one, maybe two, maybe three people are trying to be DoD, and I want to get the D ot. That's why I'm in there. Because I want to be able to do, you know, managed security services, penetration.

Shiva Maharaj:

You'll get in?

Eric Taylor:

Oh, yeah. Oh, God. But yeah, there's a level of services that I definitely want to be able to provide to God and the subsidiaries of that, you know, definitely won't be a prime by any means. Probably ever, I probably would definitely ever get to the level of being a prime. But you know, being a sub prime, and being able to do those kind of things will be kind of cool. I really like to play a part in making things a little bit better for this country a little bit more secure.

Shiva Maharaj:

Do you think CMMC is going to check all the boxes for security?

Eric Taylor:

No, of course not.

Shiva Maharaj:

You know, what do you think is missing?

Eric Taylor:

Right now it's going to be, what are the fines for non-compliance? That's the biggest one, you know. We actually have one approved auditor, we actually have, you know, folks who are going through self attestation, which we all know is a big pile of crap,

Shiva Maharaj:

but it gets you there, right. And I think if you go through self attestation, to scad, get to schedule your audit for CMMC. And you completely screwed the pooch and lied. They're probably they should jam you up when you go for your actual audit.

Eric Taylor:

That's what I'm hoping, you know, I'm really hoping that, you know, when you look at people who go through FIPS, and then go through FedRAMP, moderate or high, you know, they get raked over the coals, not publicly, but I mean, do they release, the auditor's will rake them for the stories that I've heard Anyway, I've never been, you know, at the quote unquote, table during those type of rankings, but I've heard they get slaughtered verbally in meetings over this stuff.

Shiva Maharaj:

But do they still get their certification?

Eric Taylor:

I think so. But they probably get slowed down a good bit. It depends on the severity of non compliance, the out imagine as well, right.

Shiva Maharaj:

One thing that I haven't really seen what CMMC is, what's the process to keep your level certification?

Eric Taylor:

I haven't seen that either. The speculation that I've heard from some people who are, you know, definitely at least seem higher on the totem pole than I am that it may be a three every three year certification.

Shiva Maharaj:

I would love to see it the every one year I want to because I have so much faith in any type of compliancy.

Eric Taylor:

Well, the ISO, love the ISOs are what every three or five years.

Shiva Maharaj:

Yeah, but they're not national defense. Right?

Eric Taylor:

Well, exactly. So that's why I'm trying to base it off. So you know, if you've got ISO, and those are about every three years, and yeah, we should be doing at least every year

Shiva Maharaj:

should be every year and you should never get the same auditor twice in three or five years.

Eric Taylor:

What are the FDIC does that you get a different auditor every time? I have no idea. That'd be interesting.

Shiva Maharaj:

Okay, some homework for later. I still think the DOJ should be the one that's doing the audits and not an independent third party.

Eric Taylor:

Yeah, I mean, I do think that opens up a lot to bribery,

Shiva Maharaj:

Dude, it's gonna be the same whether it's a third party, a C3PAO. Oh, yeah, it's gonna happen one way or the other. But at least this way, you're under UCMJ. And then you can go under civilian penalty. It's two bites at the apple. Go back to, circle back to ransomware. Speak. Yeah. What have you seen for ransomware? Is this where things have slowed down, things

Eric Taylor:

are really, really slow. They really are. I mean, a lot of groups have, quote unquote, disbanded. You say disband, and I just think rebranded. Me, I think they disbanded. They are retooling and regressing. Major spikes, and when do you think that's going to come? Usually it's about a two week low and I feel like we're in that second week. When Avaddon went under, or decided to withdraw, they released almost 3000 encryption keys. Then one of the other big ones, I forget, they just started going on a tear. REvil is still taking dignitary things. They're really the biggest player, and I seen something come across my feed. I haven't looked at it yet, but REvil is actually going after VMware ESXi hosts right now. But why the hell do you have your VMware publicly exposed? I mean,

Shiva Maharaj:

well, because there are many good IT practitioners, or as you call them now, technologists, who want to be easily accessible to their clientele, and that's a double edged sword, right? If it's easily accessible to your clientele, it's going to be easily accessible to everyone else. But therein lies the problem, right? It's that low barrier to entry for our industry. And then you have companies, and you've said it over and over, they'll keep doing things the cheapest amount possible until they get burned. As long as insurance is gonna pay for that remediation, they'll fix it. Once insurance stops paying, they're gonna start cutting

Eric Taylor:

costs. Again, this is so interesting, we were talking about one of the things I was I was like, Oh, this is gonna be a crappy show. But you keep saying. But did you see I don't want to have the link in front of me. But where a lot of the insurance companies are getting together and putting together their own little like collaborative Insurance Group or whatever,

Shiva Maharaj:

I saw that it's all the big names led out of Europe with you know, the reinsurers, AIG domestically, and a couple of the other big ones

Eric Taylor:

Nick Chubb was on there, if I remember correctly,

Shiva Maharaj:

they are just trying not to lose their shirts. So I would assume on one end, they're doing that to get their threat intelligence together. And on the other side, they're probably using a lobbyist to go through and get ransomware to be a crime or paying ransom to be a fine a crime. So they don't longer have to pay it out where their liability will be limited to the remediation sounds

Eric Taylor:

really hoping that maybe some of it would be where they're actually gonna start holding businesses a little bit more accountable, how can they auditing,

Shiva Maharaj:

okay, but they're going to audit a business and say, what we're going to pull your policy

Eric Taylor:

or you're going to have limited scope of availability of coverage?

Shiva Maharaj:

Well, I think they're, they're gonna do that with how they write the policy. Right? Let me look at looking at auto policy, you have limits for different things. And I think that's where cyber is going to go. But they want that self attestation model because they don't want to miss out on remember,

Eric Taylor:

Man. I mean, that's why there's still a lot of companies who, especially insurance companies, that will, you know, they'll just do the blanket, you know, here's a three or five question questionnaire type of thing versus the ones that are doing the, you know, 50, 60 questions.

Shiva Maharaj:

I'm seeing more and more of those 50, 60 question applications. And it's a documentation exercise, so that if you have an incident, they can come back and say, okay, provide us these things that you said you had, and when you don't have it, they're just gonna say, Thank you, come again.

Eric Taylor:

Yeah, it's gonna be interesting to see what's going to end up happening, man is definitely an interesting time.

Shiva Maharaj:

What are you doing for your clientele in terms of zero trust and zero knowledge?

Eric Taylor:

Do the three monkeys which are speak no evil, See No Evil? Hear No Evil?

Shiva Maharaj:

What do you what would you say is the core tenet of zero trust? Are the first five things you do going into a company to establish the trust structure? Who has access to your Well,

Eric Taylor:

let's see, that's a good exercise, um, who has access to your data is that access being logged was last time those logs have been reviewed? Probably the biggest ones that are really go down. And most companies can't answer that, you know, they they just don't know. Even to this day, there's still people who are under the impression just because things are in the cloud that is secure. I'm like, No, no, when you talk about it's not no lies that I really wish I knew when my book was, but there's a whole other people's computer are always more secure. My hacking computer is your computer.

Shiva Maharaj:

Exactly. It's a pentesting Guide. How do you feel about MAC address whitelisting? Love it.

Eric Taylor:

You knew there was some customers? Yeah, it definitely causes an administrative nightmare,

Shiva Maharaj:

but it's worth it. Right. small price to pay now.

Eric Taylor:

Yeah, uh, you will go through some major headaches, major, major headaches, like we have a couple clients that we put it on where they have mobile devices that will dock and undock and go across the facility and making sure that you have both the physical and the wireless ones permit set up that gets interesting sometimes, like crap,

Shiva Maharaj:

What I've been doing is creating two corporate networks. One is for work devices, meaning laptops and desktops, you know, the big boys, that goes on to a specific network that is using MAC address whitelisting. And then there's another network for mobile phones and tablets, where I'm not using MAC address whitelisting. But that LAN cannot speak to the core, because I don't want to deal with people, especially now with Apple creating synthetic MAC addresses when it joins. I don't want to deal with that hassle. It also allows me to restrict Spotify, say, on the desktop LAN, but on the mobile LAN, they can use Spotify, they can go and tell the other

Eric Taylor:

one thing. It's going to be a problem with, now we're actually running into, is Macs doing, you know, the whole round robin MAC addressing, because some of these companies have art departments that are heavily using Macintosh. And you know, it does cause a problem.

Shiva Maharaj:

Well, you know, the good thing is you can use an MDM platform to block the ability for that randomized MAC address. And if you're doing that, then yes, you can go back to your MAC address whitelisting, which I think, I think people are going to need, because one of the things you discussed was figuring out who has access to your data. And that's near impossible, unless you have considerable resources to sift through all of the access,

Eric Taylor:

or at least being able to look at the access when you suspect something is going on.

Shiva Maharaj:

Yes. And that that takes me back to using the identity to really filter stuff. And that I think that's the low hanging fruit for how to begin auditing that data. But I think you need the identity and I think you need to whitelist the MAC address. No, we'll

Eric Taylor:

just because of my lack of knowledge, does Microsoft 365 MDM allow for the Macintosh MAC addresses, or have you not messed with

Shiva Maharaj:

those? Gotcha. So the cool thing about Apple MDM, and I'm not really big on Droid or Android mobile devices, I've got four of them over here, you want one, I have enough paperweights. All of the functionality for controlling a Mac, an iPad, or an iOS device is actually done by Apple, and the Microsoft 365, the MaaS360, Kandji, Jamf and all these other platforms, they send the commands to Apple, and then Apple sends those commands to the devices. So it's not like you're getting direct access or control over the device. Apple Business Manager, now they call it, or used to call it DEP, is brokering that connection. But yes, to answer your question, you can stop the use of those randomized MAC addresses, because it's an administrative nightmare. Do you think 365 is going to be a platform that will offset MaaS360? Absolutely. I love MaaS360, I think it was one of the best platforms for managing iOS devices. And in the last year, Microsoft 365 has come to parity to the point where I have most of my devices moved over to Endpoint Manager slash Intune. And the only ones I have not moved off of MaaS360 are so critical and are far away where it would be really hard to get hands on. But I would say what makes MDM from Microsoft even better is when you really start to blend it in with Cloud App Security. And now you are really sealing that envelope, or attempting to.

Eric Taylor:

No, there was, I don't think it was MaaS360, it may have been, but there was one of the MDMs that was out there that would allow you to have users bring their own mobile device, BYOD infrastructure, but it would put the corporate applications inside of its own container or its own little bucket.

Shiva Maharaj:

That's most of the platforms. It's how you configure it, really. You can have the, let's call it the Outlook application for email and not allow it on the core iOS email platform. So if they remove their provisioning profile, they lose access, which is pretty cool, especially for BYOD policy, especially in the last year, which is, I think, where a lot of that stuff got flushed out.

Eric Taylor:

now, are you seeing DLP policies being able to be applied to 360? And the MDM

Shiva Maharaj:

365? Yeah, I think, well, Microsoft, they AOL Azure Information Protection. And now it's some other version of DLP. That doesn't work or has, it's incomplete. It doesn't work as effectively as AIP did. But they'll probably get there the next couple months. Now, if you can take Device Management, you can take Cloud App Security, and you can take DLP and really stitch that together, you're probably gonna be one of the more secure entities out there. And obviously throw on something like a next gen AV with EDR.

Eric Taylor:

Do you say 365? getting to that point? And if so, when? In what sense? I guess being able to round everything out like you, you're talking about here,

Shiva Maharaj:

I think they're already there. I think the only misstep they've made is they have updated or upgraded DLP. And it's not as fluid as AIP was, but AIP was in production for a long time. Microsoft is a big company, they'll get there and they'll get there sooner rather than later because it is an integral part. McAfee is probably the best DLP engine out there that a lot of the financial firms use right now, I would have never thought that their DLP engine is pretty damn good. Are you doing anything with Cloud App Security and DLP,

Eric Taylor:

just the 365. They'll get that configured to the point now where a lot of users can't even copy and paste outside of, you know, Outlook that's on there.

Shiva Maharaj:

So the way I limit that is they're allowed to copy and paste, but only to other corporate controlled and owned applications, like, you know, the OneDrive and what have you. We also disallow the ability to bring your own OneDrive or Dropbox onto the device, even if it is your own. If you're going to use it for BYOD, we're not allowing it. That's just how it goes. And I think that's going to be good for the hardware manufacturers, because you're going to see companies getting away from BYOD and start supplying devices to their employees. This is where supply chain actually picks back up again. I don't know if you saw this last week, we sanctioned three or four companies that produce the silicon for solar panels in China, and a few days later, everyone's complaining of a solar panel shortage here for our Clean Energy Initiative. So you can't spank. Unfortunately, if you're going to spank China in that sense, you really have to consider you're cutting off your own arm to spite someone else.

Eric Taylor:

Yes, the whole ramifications of what you're proposing. Now, it's like, you know, to kind of circle back just a little bit. A lot of what Biden and some of the DOJ is doing is classifying certain ransom groups as acts of terror. So they are not covered under insurance. And it makes a lot of my work, and companies like mine, you know, Kroll, Coveware, stuff like that, just to name some of the other big boys, makes our jobs freaking impossible, because we can't make a payment to what is being classified as a terrorist state. I

Shiva Maharaj:

think not being able to pay is going to be derivative of being on the OFAC list from Treasury, they can't keep up. Remember, for us insurance, you can get terrorism coverage,

Eric Taylor:

that's a premium or it's a it's a,

Shiva Maharaj:

it's an upcharge, as is everything with insurance, but if you have that rider, you'll probably get some type of coverage until the insurance companies realize they need to whittle down or put limits on certain types of actions or incidents. As far as I know, the OFAC list is really the only thing that says you can't pay certain ransomware groups. But as quickly as these guys can spin up a new name, you're right, it's gonna be really hard for Treasury to do that. Now, I saw this week four states are introducing legislation to make the payment of ransomware illegal, but when you actually read deeper into the articles, it is that state funds can't be used to pay ransoms, which doesn't do anything for Joe Schmo. Exactly. Or as Ms. Palin once said, Joe Six-pack.

Eric Taylor:

I'm actually looking here on the OFAC list now as we're talking, there are no cyber related, so like the cyber related sanctions is over two months old for the OFAC list on the IRS right now. Yeah, and a lot of the bigger ransomware folks, um, you know, Avaddon, Maze, DarkSide, right? REvil, all those. Most people are still not quite understanding the fact, or how these guys are operating carefully. Oh, yeah. But they don't understand that that wallet that they're making that payment to is tied to a tumbler that just gets mixed up with a bunch of other transactions and spits it out the other side.

Shiva Maharaj:

How long do you think before the DOJ and other government agencies start running their own tumblers? If they're not already doing it?

Eric Taylor:

They probably are. Yeah, I, I know of at least for tumblers.

Shiva Maharaj:

I honestly think and I have no basis for this, that they recovered ransom, or the pipeline because of the government operated tumbler

Eric Taylor:

could be I mean, there was speculation that the one of the government official into our government entities, either here or somewhere, was actually able to compromise one of the operators or computers, it was able to get that master wallet. I'm like, really, based on the amount of money recovered?

Shiva Maharaj:

It was the affiliates cut and not the core ransomware is they got 2.3 billion back 2.4 billion a million. Sorry.

Eric Taylor:

Let's see that's, you know, if they were able to go through the chain that far down that link, either it had to be a state sponsor tumbler,

Shiva Maharaj:

I think so. And I think that's why they spoke out this last time. You said one of the ransomware guys put out a single address. I think it's, it's about recon, what's going to be poked, what's gonna be product and how it's being scanned. And I think that's also why we're going through a lot of these guys are they move quickly, and right now they are probably adapting their techniques to sidestep what they've seen in the last month. ransomware is not going to stop not because, you know, we now have an agreement of what is not allowed to be targeted, it's still gonna happen.

Eric Taylor:

Yeah, just because Biden's like, "You stop it."

Shiva Maharaj:

No. It's Pandora's box. You can't put it back in. That's just what happened.

Eric Taylor:

They're making too much money on it, especially when you got ransomware as a service. Have you seen that?

Shiva Maharaj:

There was an article done on North Korea and state-sponsored ransomware. It's not about creating issues for the US or US companies. It's also a source of funding for them. There are so many sanctions against that country, and so many people will not do business with them, that ransomware is what's helping to keep the lights on.

Eric Taylor:

Here. That's why everybody's like, "Oh, it's Russia, it's Russia, it's Russia." Like, really?

Shiva Maharaj:

Think about it. Who are the two big ransomware countries with sanctions? Korea and Iran. Korea and Iran? Exactly. It's probably in North Korea's and Iran's best interest to continue with ransomware regardless of what they do with Russia or China.

Eric Taylor:

I mean, some of these groups may be in Russia. But I mean, I really do think there's more of that coming out of the Middle East. I think there's a lot of masquerading,

Shiva Maharaj:

There could be. I think a lot of these groups, and I had a conversation with someone recently, where some of these groups are located, you'd be very surprised. They're not in the eastern hemisphere, or not in the US, but they're physically close enough. And a lot of these heavy-hitter incidents, they actually start with physical compromise, not just hacking. Interesting. Think about it. Is everyone that insecure, where you can get in over the wire that easily all the time?

Eric Taylor:

Well, I know a lot of the threat actors will use RDP and other forms, you know, of being able to connect, right? So it's interesting to see that, but there are only but so many vectors inside of a network over the wire. Exactly.

Shiva Maharaj:

And the easiest vector in is having a plant high enough inside of a company opening a phishing email, knowingly doing it and acting all surprised when it happens. Think about that. That's one of the easier ways, I think.

Eric Taylor:

Now, a lot of those times they're able to go in there and scrub their logs. You're not gonna find that anyway.

Shiva Maharaj:

Forget scrubbing your logs, plead ignorance. "Oh, my God, I clicked on a bad link. Why didn't IT do something about it? What are we doing to scan links?"

Eric Taylor:

Or the whole spy stuff where, you know, I've mentioned it before, where Tesla's, one of their senior engineers or whatever, they were trying to pay him off. It was a he, but trying to pay them off to get into their network by doing a USB drive. Robert, was last year, I think, right? Last year, earlier this year. Certainly that

Shiva Maharaj:

was that. It was January. So it was either last year or this year. And the guy notified Tesla, and the FBI basically set up a sting, and they got the people. But you know, that's one success. It's like narco trafficking, dude. That's one success, versus how many keys get through, or how many bricks, or packets in this case?

Eric Taylor:

This is true.

Shiva Maharaj:

When do you... Well, how slow has ransomware been the last couple of weeks?

Eric Taylor:

Pretty, pretty. So like we were getting three or four leads per day over the weekend. So it would start right around Thursday and go through Monday, and on each one of those days we'd get two or three leads in. I probably haven't had a lead come in in about two or three weeks.

Shiva Maharaj:

So this is well before the lull started.

Eric Taylor:

Yeah, mine started slowing down right before it, right as soon as Avaddon shut down.

Shiva Maharaj:

Clearly the persistence is still gonna be there.

Eric Taylor:

If they don't have a good IR team. Yeah.

Shiva Maharaj:

Then I'm saying, not on the post-incident companies, the companies that haven't been breached... well, haven't been knowingly breached yet. I'm assuming the persistence is still there, waiting to be employed by the ransomware groups.

Eric Taylor:

Yeah, maybe the next wave of whatever they're called. Did anyone

Shiva Maharaj:

figure out where Avaddon was based out of?

Eric Taylor:

Not to my knowledge. To my knowledge, they haven't, you know, fully said where any of these guys are. You know, they took down that part of the network, or they never said a word. Did they really, though? Supposedly, you know, they took down, supposedly, Maze or

Shiva Maharaj:

Clop. They arrested some people in Ukraine, and in the next two days Clop went on a rampage, doing and collecting a lot of ransomware.

Eric Taylor:

Because he was... because... I think Clop is another ransomware as a service.

Shiva Maharaj:

They all are at this point.

Eric Taylor:

I don't know. I mean, Avaddon? Well, I don't think Avaddon was

Shiva Maharaj:

Now that Avaddon's core code was released on the dark web? It could be.

Eric Taylor:

Yeah, I mean, there's a lot of them that are getting released on GitHub. And I'm just like, why? Why are you going to allow really bad people or really stupid people the ability to create their own payloads? It's good for, it's good for the ransomware groups, though.

Shiva Maharaj:

I'll tell you why. You're gonna get all these script kiddies taking the ransomware, and they're gonna start crypto on so many systems and overwhelm law enforcement, keep them so busy chasing minor targets that when the bigger guys strike, law enforcement is going to be too busy.

Eric Taylor:

Well, here's the problem, especially like with REvil's version one and a couple of the other ones that were released: there was no GitHub repository created for the decrypter, just how the encryption process works. You don't have a decrypter. So I'm not sure if REvil is part of that equation or not.

Shiva Maharaj:

Well, REvil is a ransomware as a service. So once you deploy, they take over negotiation and decryption. So there's no need for the decrypter keys to go public.

Eric Taylor:

Or to go back and look at it. But I do believe it was like the old WannaCry ransomware, where it had a Bitcoin address posted on the message.

Shiva Maharaj:

I think there's a version of Emotet that's going to be coming back very quickly. Dude, I

Eric Taylor:

really think Emotet has been actively deployed now. I don't

Shiva Maharaj:

disagree with you. From what I've heard, it is going to be, it's coming back more so than it was before they took it down or reached it earlier this year. It's a different source code with the same name, or the same people.

Eric Taylor:

I believe it, because I mean, when you look at the ability to have persistence, Emotet was king. Oh, absolutely. They just sat there like, "Okay, we got this network, highest bidder." And I think that's coming back very

Shiva Maharaj:

soon. And I think maybe that's why you're seeing this lull, because one thing about Emotet is, even post-incident it was very hard for the typical IR firm to get it out of the system, despite what they thought and what they did.

Eric Taylor:

Emotet's a nasty little bitch. Let's

Shiva Maharaj:

Yes it is.

Eric Taylor:

I am not looking forward to that one. If that was coming back, it would be good for business. It'll be good for business, but it's gonna be a fuckin' nightmare, man. Oh my God, that's gonna be a nightmare.

Shiva Maharaj:

What else are you seeing out there in terms of IR?

Eric Taylor:

As much as I hate to keep saying this, I'm not seeing a whole lot. Well, most of our conversations right now, thankfully, are, you know, "How do we secure our network?"

Shiva Maharaj:

Now, are people really having that conversation to fruition? Or is that just a conversation they're having to make themselves feel good? Most of it, I'd say about 80%, is to make sure, or make them feel good about stuff, that they talked about it.

Eric Taylor:

Okay, and what are they doing? About 20% of them are going through an actual engagement with us, or like Black Hills Information Security, or somebody else like that.

Shiva Maharaj:

What does that look like when they engage you for security? Awkward.

Eric Taylor:

It's a full-on penetration test. Like, we're not running a Nessus scanner, we're not running nmap, where these people actually understand that we are trying to exfiltrate data, we're trying to be the, the paid bad guys without, you know, holding you ransom, so to speak. That scares a lot of companies. So I'm like, would you rather pay somebody to see if you're secure? Or would you like to pay somebody when you're not secure, and then have to pay somebody like me to get you there?

Shiva Maharaj:

Well, that's an easy answer. Which one's insurance gonna pay for?

Eric Taylor:

The latter. Unfortunately,

Shiva Maharaj:

exactly. So that's what it's actually going to be, because not many companies want to go out of pocket for anything,

Eric Taylor:

as cheap as possible, as long as possible, until they are forced to do something else.

Shiva Maharaj:

In any event, then, at that point, they're less likely to do something. They just want to get back up and running at that point.

Eric Taylor:

Oh, man, I think it's been a good conversation this week. What do you think? Your thought was it was going to be 20 minutes?

Shiva Maharaj:

We're good for at least 49 minutes, the counter says, even though they missed out on the greatest joke ever in the beginning.

Eric Taylor:

I think, by the end of the year, I need to go back and see how many times I hit record and we are laughing our asses off at the beginning.

Shiva Maharaj:

Maybe we should just hit record as soon as we pop on screen. You know, for those of you listening, watching, we are working on getting a representative from one of the ransom... well, from one of the data marketplaces on the dark web on, and this person has shown interest. I'm assuming they are trying to figure out how to do this without getting popped. So we look forward to hopefully bringing that to you guys in an unedited format.

Eric Taylor:

I'm really looking forward to that meeting. I'm really eager, eager, eager, because you know that while they are, from the surface, you know, just an information broker, there's nothing stopping even me from going on, no, Avaddon when they were up, going on REvil, Maze, and downloading all that data that they make available publicly, as long as you know where to go, and posting it up on a website. It's interesting. You know, I'm sure that they're not in the US or anything like that. I am curious to see if they'll tell us where they are. But

Shiva Maharaj:

we can ask. Yeah, you know, and whoever's listening, if you have questions for them, leave them in the comments, and we'll try to get to as many questions as we can.

Eric Taylor:

Yeah, because we're lining them up.

Shiva Maharaj:

For those of you, here's... this is the marketto marketplace, for data, not WordPress and all the other, not the other version. This is the interesting version, to say the least.

Eric Taylor:

Yeah, it's gonna be good. So hopefully that will come to fruition soon, and that'd be a good debate. Good time. Thanks again, everybody, for tuning in, either on YouTube or the podcast. We greatly appreciate you listening all the way through. Please, you know, subscribe, like and comment, you know, let us know that you like this crazy, crazy show that we put together every week. And if you have any questions, let us know. We'll try to get them answered as soon as possible for you. Until next time, I'm Eric.

Shiva Maharaj:

I'm Shiva. Thank you guys. Thanks again for joining us for the Cybersecurity: Amplified And Intensified podcast.