Cybersecurity: Amplified And Intensified

Episode 19 - Unpacking the Kaseya VSA incident.

July 05, 2021 Shiva Maharaj/Eric Taylor

On this episode we’re joined by Brian Weiss, Founder of ITech Solutions as we unpack the third REvil and Kaseya incident that began Friday July 2nd 2021.

Despite Kaseya VSA not being FedRAMP, by its own disclosure VSA was being used by Federal Agencies. While details continue to emerge, we're getting the outline of what may have caused potentially over one million computers to have been encrypted and an initial ransom request for 70 million dollars.

Eric Taylor | LinkedIn
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com   

Brian J. Weiss | LinkedIn
ITECH Solutions: Overview | LinkedIn
www.itech-solutions.com 


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Shiva Maharaj:

This is the Cybersecurity: Amplified and Intensified podcast.

Eric Taylor:

What is going on, gentlemen? Happy post-July 4, gentlemen. Today is July 5. How's everybody doing?

Shiva Maharaj:

Doing well. How are you guys? I'm, I'm still waking up, you know your lacquer. It's, at least for the three of us, it's a good day. None of us are Kaseya partners.

Eric Taylor:

Now. And before we get really started in this one, I really want to definitely say, I take some great joy, because we are going to slam this shit out. I can say it today

Shiva Maharaj:

with peace and love

Eric Taylor:

with peace and love to some degree.

Shiva Maharaj:

I think you guys should ask me how I figured out compliance was absolute bullshit.

Eric Taylor:

Hey, Shiva. How did you feel? How did you figure out compliance was total bullshit?

Shiva Maharaj:

Well, yesterday, our favorite vendor in the channel, Kaseya, as they're now called, I refuse five we'll call them hot steaming pile of shit. On their update, they put out a notice saying that if you are a federal agency, and you have been affected by this because of your instance of Kaseya VSA, and you're on the West Coast or the East Coast, there's a different field office handling it. Now I went on to the FedRAMP marketplace. And I started searching for Kaseya VSA, Virtual System Administrator, and I didn't find it.

Eric Taylor:

So how, any version of Kaseya on FedRAMP?

Shiva Maharaj:

Nothing from Kaseya is on there. And I know my IT Glue rep told me that Kaseya is also in the Air Force, or being used by the Air Force. So how is a non-FedRAMP platform and vendor in the federal system? I'm just leaving that there. But hey, go compliance.

Eric Taylor:

You know, it actually brings up a really good point. And I'll direct this a little bit to you, Brian, because you and I are in the same group for CMMC and stuff like that, even though notably, I am much more down the rabbit hole of going down CMMC than you have, that you're going down right now. Um, I don't remember anywhere in CMMC, or anything like that, when you're going through any of these NIST or SOX, or any of these platforms or certifications, or compliances, I should say, sorry, there you go, and down these federal compliances that are actually compliant and not self-attestation. I don't remember any of them actually saying you have to hold yourself and go with anything that is a FedRAMP or meets a certain criteria. We do talk about logging, we talk about a bunch of other stuff, but nothing around that. Do you remember anything?

Brian J. Weiss:

The only thing I can think of is if you consider it part of your supply chain. Technically, you should be checking all your vendors to make sure they meet criteria as well, right. It's how we supply our services. So it's I mean, that's the only thing I could think of that touches on that.

Shiva Maharaj:

So what's the point of having FedRAMP? Other than a spending exercise?

Eric Taylor:

I think it's just like Brian's Datto box back there, that gold box. It's just to say, hey, we are a certain thing. And that's about it.

Brian J. Weiss:

We've we've read enough about it. I mean, I do feel like compliance without proper accountability is kind of best effort and smoke and mirrors in certain cases,

Shiva Maharaj:

I think in every case, but I want to throw something out to you guys.

Brian J. Weiss:

I'm about it. So

Shiva Maharaj:

nice. This is not the podcast for that.

Brian J. Weiss:

I get to be good cop.

Shiva Maharaj:

Okay, we could, we could rock with that. What would you guys say to the comment: the supply chain is lost, we should accept that, move on and start over?

Eric Taylor:

I don't agree. Yeah, I know that. So to me, from my hacking world, right, because they really take a step back. It's like, okay, this was not supply chain; they didn't compromise the development of the code, which is supply chain. In Kaseya world, they compromise an exploit that is available in the Kaseya VSA.

Shiva Maharaj:

If I may, sorry to interrupt you here. Let's be clear. This is a vulnerability that was disclosed by the DIVD CSIRT, and Kaseya was working on a remediation which they seemingly put into place via a web application filter, or firewall, sorry, in front of their SaaS platform, and they just left their on-prem partners hung out to dry instead of advising shutting down servers until this was patched, because this is an injection, an SQL injection vulnerability that bypasses authentication. Why didn't they warn their partners to shut down or move faster?

Eric Taylor:

I don't know. I mean, just because the fact that they don't take their security seriously right?

Brian J. Weiss:

I mean, it's got to be one of two things, right? They take it seriously and figured it was bad press. And maybe they're gearing up to do an IPO and they don't want to tarnish anything. Or like Eric said they were being complacent. Is there another reason they wouldn't tell people about it? I don't know,

Shiva Maharaj:

PR, I think it's bad PR. I think what they, they thought they could keep it under wraps and get the fix out before it happened. And it's my understanding that the most up-to-date version released by Kaseya, up until July 2, was vulnerable as well. Patching would not have stopped this. MFA, as our colleagues love to cry for, would not have stopped this.

Brian J. Weiss:

So here's a bit better question: are we at the end of on-prem RMM now, with the fact that they can't be immediately patched like you can with a platform in the cloud?

Shiva Maharaj:

So my take on this is, I would never run an RMM platform on-prem ever again. Because despite what your contract says, if your vendor's hosting the platform for you, and they act with gross negligence, you have recourse against them. Why am I going to accept the risk for my vendor being an absolute dumb ass when I shouldn't?

Brian J. Weiss:

Or, I mean, here's, here's why we move from non current RMM the cloud is, why do I want to take on the responsibility of ensuring that that server is secure? I don't have a SOC in house, I don't have someone to make sure they're staying, most MSPs, I should say, don't have someone to stay on top of really what's needed to ensure that that server's secure; they're too distracted by other day-to-day things in their business.

Shiva Maharaj:

But how many MSPs out there, how many IT providers out there suffer from that same issue? And by suffer, I just mean having to deal with it, lack of resources on the security side. As we know, it takes more than just collecting logs to make yourself a security practitioner or a threat hunter, which is very different.

Brian J. Weiss:

Yeah, I mean, the collect the logs is what the compliance part they're worthless if you don't have someone properly doing threat hunting with them. Right,

Shiva Maharaj:

Exactly. What are you seeing from any of your clients that you took over from Kaseya shops? Are you seeing agents coming back?

Brian J. Weiss:

We found one client that had a deprecated agent on it that wasn't checking in. And we had, we used our RMM, monitoring the data released, to basically kill that process, and then run an uninstall.

Shiva Maharaj:

Are any of your clients reaching out to you and asking, "Hey, Brian, are we affected by this Kaseya thing?"

Brian J. Weiss:

So that's something I've been thinking about all weekend. I feel like I haven't reached out to our clients yet, because I didn't want to alarm them of something that I didn't find a reason to be alarmed for, especially during the holiday weekend. But settling into this week, I think MSPs, I mean, we need to be reaching out to our clients, because you know, they're hearing about this in the news, and they're wondering what's going on. So there needs to be something said, right. And if anything, I think this is a great opportunity to go back to those clients that have been potentially pushing off or turning down security, thinking they don't need it, and making them realize, hey, if we don't do this, maybe we can't be working together anymore, because it's just too much of a risk. And when I say risk, there's, you know, yeah, you can make sure you don't have risk with your clients with proper contract terms or discussions. But I'm, I'm saying just, if you've got a client that you're managing day to day, whether they're paying for security or not, if they have an incident, you're going to have to focus resources on it. And those are going to, it's going to be stressful on your team, it's going to take your focus away from your other clients. And it's going to be a reactive situation that you're trying to clean up, which could potentially cause reputation harm, even if it wasn't your fault. So the question is, do you want to even risk having that type of client where one morning you can get that call, that you now have to clean up a, you know, a shit show, if you will? And hopefully make them understand it wasn't your fault, right?

Shiva Maharaj:

Yeah, I think clients are not educated in the IT space, which is why they outsource to us, right? It's all about delivery. You can take two methods. There are two ways I think you can do this. You can be like the vendors in our space who sent us email saying they are vigil, vigilantly watching what's happening with Kaseya and what's unfolding and monitoring the situation, which means they're googling just as much as we are. Or you can reach out to your clients and say, "Hey, we're not affected. But we have a SOC in place to monitor for potential indicators of compromise. Should anything happen, we will be in touch with you directly." And I think that's, I think we should go the latter way. Right, the subject line should be, "Hey, we're not affected." Because you don't want them to jump to that conclusion, and then just explain to them, there's nothing we can do. There's no factors and move on.

Eric Taylor:

Well, now that I got my internet working again, gotta love traveling.

Shiva Maharaj:

You should get an MSP to help you with that. You know what, somebody who uses Kaseya VSA, though.

Eric Taylor:

open up all the breaches don't even you only have to drink the beer. It's just all the breaches are there. Exactly. So here's the question I have. And forgive me if y'all have already said this, because again, internet and first world problems. Have y'all talked about the whole payment situation? Yep.

Shiva Maharaj:

No, I was waiting for you. Because I know IR is your jam. And the only good thing I think Kaseya has done in this wall, they've done two really good things. They told everyone to shut down their VSA instance, and in my opinion, should never start it back up, whatever. And the other thing is they, they brought in FireEye's Mandiant for the IR. Now, I'm curious why. And this is just, I mean, Eric, you know me pretty well, Brian, I think you're getting to know me pretty well. Since the MSP space is filled with so much top-tier talent, why are they going to Mandiant and not supporting one of their vendors and their channels to do the IR?

Eric Taylor:

Because I don't think any of them really know what the hell they're doing, you know, when it comes to. So again, you know, there's not the right shade. But I mean, everybody, it will get to the IR in a minute, because now I'm triggered, but everybody's in the space talking about, "Oh, Huntress would have been able to stop it." No, no, they wouldn't have did they know?

Shiva Maharaj:

So then? How would they have been able to

Eric Taylor:

The only thing Huntress may have been able to alert on is a ransomware canary.

Shiva Maharaj:

And you know, to Huntress's credit, they were one of the earlier companies to identify what's going on. And they published IOCs very quickly, I am going to go out them, and I believe Blackpoint did as well. And we're gonna have John on so we can get that from the horse's mouth, so to speak. But I'm a little curious, why are the other managed SOC vendors in the channel so quiet?

Eric Taylor:

So, you know, you asked me that question the other day, and I'm really curious. It may be where they are doing professional courtesy. If I was a Datto, or I was a ConnectWise company?

Shiva Maharaj:

Oh, no, I'm sorry. I'm not saying, I'm talking about the Manage cool admin SOCs. Not cool. That's right. We're talking the RocketCybers, recently acquired by Kaseya and said to have been rolled out to all Kaseya infrastructure, we're talking about Perch, we're talking about vigil and SOC Sodor. And there's one other little scout or whatever Scout, who just, they're on their second acquisition by Barracuda now. They were, it's crickets from all of them.

Eric Taylor:

Again, you know, when I say, when I was saying, if I was a Datto, or if I was a ConnectWise, including her or anything else, I'm sure there was backend communication, say, "Hey, if you need us, help us out, or let us know, we have resources that, you know, we can allocate to help out," you know, the professional courtesy. But you've already got Huntress in there spewing stuff all the time. Really, unless Datto, or Perch, or any of these other guys are really in the mix of it. Maybe there's been quiet because they're just like, "We have nothing to say, we're just watching like the rest of everybody else. You know, we haven't been brought in to help at all."

Shiva Maharaj:

Okay, so take Perch out. Because chances are, if you're a Perch customer, you're on Automate. Take some of the other guys out. Let's talk about RocketCyber.

Eric Taylor:

Oh, boy, here we go with some more triggering

Shiva Maharaj:

Acquisition in February. So March, April, May, June, four months. I'm hoping it's such a good platform that Kaseya could have deployed throughout their architecture, even though VSA supposedly is not being used on RocketCyber assets. Why didn't they stop this? How did Kaseya actually figure out what was going on? I've read reports that partners were calling and saying, "Hey, we're getting popped." It wasn't Kaseya, from what I read, it wasn't Kaseya figuring out that partners were getting popped.

Brian J. Weiss:

Yeah, I saw, I actually saw screenshots between a partner and a rep at Kaseya, where the rep made comments like, "Can you give us more information? We're looking into this now," you know, and it definitely didn't come off as if they already knew about it, you know, from what I read. So that's interesting.

Shiva Maharaj:

People I've spoken to said that the attack started unfolding around 10am Eastern Time. Kaseya did not, well, I don't want to put this out under the bus for this one. Reddit, the national news agency for MSPs, I think around 2:30 made it public about a Kaseya. Or Huntress posted that there was an incident underway. How long did it take Kaseya to figure out there was an attack underway on IT systems? And Eric, I do agree with you. It's not, I don't think the supply chain was attacked. I don't think this is a supply chain attack, if that makes sense.

Eric Taylor:

Yeah. Because, I mean, it's not the same as SolarWinds or Solar

Shiva Maharaj:

Winds, beautiful and elegant and sexy. Like, it was Pam Anderson, circa 1994.

Eric Taylor:

Oh, yeah. Before she became a steaming hot mess, got it. But this one was still elegant, you know, it's not SolarWinds elegant, but it's still elegant. Right. So in the IR space, when I am doing a bunch of, you know, I think we just broke over 300 cases from last year and this year of IR.

Shiva Maharaj:

Congratulations.

Eric Taylor:

Thanks, man. We're still small, we're still growing. So. But the fact that REvil, they are a ransomware as a service, the fact that one of their affiliates had the patience to exploit over now a fat potentially 1000 VSA? And is where some of the stuff, the news is still iffy.

Shiva Maharaj:

Can I just hop in here for a second, please? That 1000 number came from Huntress, based on their clients that use, based on Huntress clients that use VSA, not the entire thing.

Eric Taylor:

No. Last time I checked that Reddit, it said, looking at the feed, and I had to pull it up here. That's, that's Huntress's thread though, on Reddit. Hmm. But the raw Huntress was not crediting that they are clients, they were crediting that to, you know, comments in the feed were over 1000, or whatever it is, is actually, you know, potentially ransomed. Right? You know, we're even seeing the Kaseya BMS is currently down. I'm not sure if that's anything to do with VSA. I don't know what BMS is, backup management system, maybe. Then it looks like there was over 1000 potentially guys, who were guys and gals, companies that were actually attacked. The guests 900 customers have requested the, the Kaseya detection tool. I do know there are some international companies that were compromised. So back to the train of thought before I go completely squirrel. REvil, their affiliates are really, the best way I can describe them is like a three-year-old in a candy shop: they find an exploit, they go in, they reach massive amounts of fucking have a grip, encrypt everything, and they're done. Right, the elegance that they took to compromise all of these, and wait, or was the affiliate for it, REvil, so large that they were able to do it all at one time? I think the former. I do think that they sat and waited early on.

Shiva Maharaj:

US-CERT identified this as a supply chain hack, indicating or potentially indicating that the files were pushed out by Kaseya as part of an update. If that's true, then yes, this is a supply chain breach, not an attack on the supply chain.

Eric Taylor:

From what we know now. And again, you know, just like with any news story, that friggin, I mean, even take a look at SolarWinds, we still take a year and still trying to find out information, right. But this doesn't look like a supply chain. They don't look like they actually compromised the development of Kaseya VSA.

Shiva Maharaj:

Well, you know, here's, here's something that not many people are talking about. And you know, this is your area of operation. This was the, this was REvil's third bite of the apple at Kaseya. The first one when REvil was GandCrab, and the ConnectWise Manage plugin was exploited. Then the Webroot plugin or what have you was exploited against Kaseya. And now this is REvil all over again. Why is it in three years? There have been three here? Yeah, 2018 was the first one. So why is it in three years the same ransomware group has successfully gotten to Kaseya partners at increasing scale each time?

Eric Taylor:

Yeah, one of two things. Either they have a hard on for Kaseya.

Shiva Maharaj:

And we're not REvil, even though we have a hard-on for Kaseya. I'm just throwing that out there, whoever's listening.

Eric Taylor:

or, you know, and they are just actively exploiting the crap out of it. Or somebody is tipping them off.

Shiva Maharaj:

I think, what if they have persistence in

Eric Taylor:

Kaseya, they could. But here's the part that still doesn't sit well with me, and I don't, you know, as a CH and we do, you know, pentesting against Datto and Syncro and stuff like that, you know, so the security company that went through the disclosure, you know, I, I sit with them pretty good, or I feel for them a little bit, you know, they're like, crap, you know, for whatever reason, you know, did we get compromised or something like that, because, you know, if somebody inside of that penetration company actually compromised or leaking data to REvil, because it's really suspicious that they found an exploit right the same time that REvil did.

Shiva Maharaj:

I think there is persistence. And you know, I always said that SolarWinds was nothing more than a mapping exercise by whomever did it, whether it was state sponsored or not, but I think with the scale of the Kaseya breach, this is about, and I think, you know, you and I had this conversation earlier, this is nation-state backed whether or not people want to admit it, this was an APT, or we think it is an APT. What if this is about stretching us enough to see the holes?

Eric Taylor:

It could be. Yeah, this is the thing that I really toyed with, because a lot of the information that was coming out was really, really sketchy. REvil is not known for true supply chain vulnerability, you know, actually breaching side of code and doing the SolarWinds 2.0, which what we originally thought this thing was, and thankfully, it doesn't seem to be, it doesn't seem to be at this moment.

Shiva Maharaj:

Well, actually, it kind of is, if they are in the federal space,

Eric Taylor:

Maybe. So there was a lot of things that just kind of really threw me off. Something this big, normally REvil goes stupid and posted all over their, their sites. Huntress posted an onion site on their feed during one of the updates. And I'm like, that's not one of REvil's ransomware pages. I went to it, those blank tests are poking around. I'm like, why are y'all posting, this is not REvil site, and there's nothing on here. So I started really wondering, I'm like, okay, is this an actual ATP, you know, a sanctioned state-backed threat actor that's mimicking maybe version one of REvil that was posted on GitHub a month or two ago, you know, a throwing che, like, this is REvil, and kind of confusing the crap out of people, you know, making them think in different directions. Or, you know, what exactly is going on here, because nothing was really adding up, where I really was about to start screaming from the mountains, like, I don't think is REvil. Because there was so many indicators, you know, everybody was saying supply chain, supply chain, supply chain, and all the threat feeds, everything else that was coming out. And the fact that REvil wasn't talking about it yet, especially something that's massive, there was just too many red flags, you know, and I still don't, I still wonder how REvil got ahold of this exploit. You know, and I'm not trying to say there's something, you know, malicious going on with the security company who did the vulnerability disclosure, but it makes me wonder if there was something there as well.

Shiva Maharaj:

I think maybe there's persistence in Kaseya. Three bites? That's the vector I would look at first.

Brian J. Weiss:

I mean, isn't that the first thing you do, Eric, when you go in on IR is try to look for persistence, because you got to stop the bleeding, right?

Eric Taylor:

Yeah, we do that, we look for any persistence. We see any processes, registry keys and things of that nature, you know, because we have to contain the network. You know, we can't go in and start in triage and everything if there's actual persistence in there. That was another thing that kept coming up on Huntress's IOCs, all about the registry key of Black Lives Matter. And I'm like, I'm sitting here looking on registry key.

Shiva Maharaj:

Yeah. Okay. Here, I'll

Eric Taylor:

show it out here real quick. Since I've got it up. On all the threat feeds, there was literally nothing about it, right, there was nothing around, I can't do because I don't have two monitors going on right now. I've never seen REvil put registry keys of the encryption codes inside of there. Because anytime I do any sort of persistence testing or anything like that, the, and I look at the payloads that they put in, they're always saying, or they always do a PowerShell, which will do a random encryption key, they will save it as a variable, send it to a third-party website. And they will do a post command to that website that will store it, and they move on with the whole bunch decryption. The fact that they actually stored that in an encryption key in our, in our registry key.

Shiva Maharaj:

I'm sure you remember this, but we discussed the law that they've been on for the last two weeks as a way for these guys to redo their, their programming, their tactics, their techniques, and we've seen that TrickBot has new code, we've seen REvil has adjusted, and we've always the part that is left to be seen. They're asking for 70 million. In your experience, how long does it take to get the decrypter key once they get their crypto?

Eric Taylor:

Typically within about two hours.

Shiva Maharaj:

Okay? Now based on the pipeline ransom being recovered, don't you think there's going to it's going to take more time for them to actually give up the decryption keys to make sure they tumble that money, get it where they want it to be secured, and then issue some decrypter keys?

Eric Taylor:

Yeah, I really do. Because most of the REvil ones are, it's, once you start the engagement with them on the communication, their, their system is an automated system. So once they receive the payment, the system automatically generates the decrypter key, because I'm sure that, you know, they've got whatever actor, the affiliate actor was doing it, they've already, you know, submitted the decryption files or decryption process when they submitted up to REvil. So they've, you know, their headquarters, if you will, will actually post it in there, or they will actually put it, when you take a look at this. If you scroll down a little bit, just kind of sites out, keep going, keep going. Keep going, right there. The last bullet point right there, were talking about the registry key and the Black Lives Matter. That's something we haven't seen before. Yeah, I don't know what significance that may have been. Anyway,

Shiva Maharaj:

You know what this makes me think of? Do you remember when Secretary of State Blinken had the meeting with the Chinese delegation earlier this year, just after inauguration? And they were trying to talk them about the Uyghur issues going on and treating their people well, and you know, not doing that, committing mass genocide? And I believe the Chinese replied, "Well, look at how you're treating your own people." Is this a veiled association to that? Maybe it's a, maybe it's not real? Maybe it's a Chinese hacker taking credit for this? That could be a far stretch.

Eric Taylor:

Yeah, that could be beyond. Like, we keep saying, REvil's a ransomware as a service. So you know, was this potential threat actor part of that nation, you know, the Chinese nation or something like that? There's, there's really no telling, right? You know, everybody's like, "Well, we got to go after Russia for all this stuff." You're not going out to Russia for this, because it's a ransomware as a service, you're not going to know who in the world actually did this, you know, which are,

Shiva Maharaj:

unfortunately, not all of these attacks are launched from Russia, China, Iran, or North Korea. You know, working theories are a lot of them are in the Ukraine and former, you know, Eastern Bloc, Soviet Bloc countries. But the fact of the matter is, a lot of these operators are not in the US, but they are in the Western Hemisphere.

Eric Taylor:

And we just don't know where I mean, you know, that's from the general public, right? So anybody I always talk to, because I always want to know, where are these guys located that you know, so I'm asking people, you know, on private channels and stuff like that, does anybody know? Does anybody know? Does anybody really know? And they're not saying it to me whether they just don't want to tell me or really the fact that nobody freaking knows where the hell these guys really are.

Shiva Maharaj:

We assert our suspicions. Europol and some other agencies, they shut down, or the DoubleVPN last week. Yeah, I think this attack is also a slap in the face to say, hey, look how many people we can affect. If REvil is being truthful, that there have been over a million devices that have been affected, this is probably the largest incident in the history of ransomware. Brian, I mean, I don't know. Do you know of anything larger?

Brian J. Weiss:

No, it definitely is. And I keep thinking back to the Why didn't they come out right away. And listening to all the pieces, you know, the fact that this is automated ransomware as a service, maybe they didn't know what their impact was going to be initially. So they wanted to wait and see before they came out with a statement, right? Because the larger the impact, maybe a different message than a smaller impact.

Shiva Maharaj:

This is true. I don't think we, as people, or as non-ransomware people, are gonna know the full impact of this, or anything close to it, for at least a couple days. When people go back to their office tomorrow, they put on their computer and they see whatever the message is. And speaking of which, I have not been able to track down a screenshot of what that message looks like.

Eric Taylor:

They've been, I've asked for it even when, over the weekend, everybody was like supply chain. And you know, we were still debating REvil and all that stuff. I'm like, sorry, please send me the readme note. Because again, like I said, the one that Huntress was posting was not the original, or is not known to be part of the REvil group or one of their REvil groups. So it was really interesting that they even posted a blank onion site. So I was really curious about that. So, but yeah, I never did get a readme note. But some of the images that I've seen come out of the actual negotiations, I can confirm that is a REvil negotiation blog. It's definitely interesting. Do you guys think that Kaseya either one will pay the $70 million because of a profit possible code exploit that's now been, no shade has been thrown by the security firm saying, hey, they did this because of what we reported. Do you think they will do that? Or do you think they're going to say, and you know, it's your environment, you should have better protections in place, and not pay the 70 million? And to the second thing that I'm curious about: if they don't pay it, will you, do you think there'll be a class action lawsuit because of what I said, you know, none of their SaaS platforms were supposedly ransomed. Now, we could find out in a couple of weeks that they were, we'll find out tomorrow, maybe? I mean, the SaaS platforms are still down. Right.

Shiva Maharaj:

So allegedly, even though some on prem systems are still accessible to the interwebs.

Eric Taylor:

Yeah, that reminds me, Clorox company, shut down your freaking Kaseya server, because we found your internal IT guys. And they won't answer the phone. But anyway.

Shiva Maharaj:

And that's part two of responsible disclosure by Barricade Cyber. Brian, you've come through an incident involving Kaseya. What do you think? I mean, I'd like to hear how you answer that. And then I'll throw my two cents in.

Brian J. Weiss:

So based on my personal relationship, and other people's relationships that I've heard about with Kaseya, I don't see them offering to pony up and bail everyone out with the $70 million payout, probably because they have to keep a stance that, you know, they're not liable until proven liable, right? It's kind of that situation. But that doesn't mean there won't be a class action suit, which could end up costing them a lot more than the 70 million. And then the question becomes, okay, if we've done the math, and a class action is going to cost more than 70 million, and we decided to pay the 70 million, where's the backlash there? Right? Are they going to now set a precedent for vendors bailing out MSPs? Are they going to cause issues with their insurance company, maybe not wanting to insure them moving forward? Or have certain limitations? You know, what type of insurance do they even have for this type of event? And what's the coverage? Do they have 70 million sitting aside that they could easily use? I mean, these are all questions that I think would go into making that decision, I guess, that are coming to mind.

Shiva Maharaj:

So my take on this is they should probably pay the ransom, for a couple of reasons. First one being, it's a responsibly notified vulnerability from the Dutch company. Secondly, Kaseya put in a web access firewall rule to block this vector of attack on their SaaS platform, allegedly. And thirdly, they did not inform their partners of anything to do with this vulnerability. They didn't say, hey, put a watch on, hey, shut your shit down. So to me, that's negligence. They knew, they knew, they knew of a considerable threat. And they chose to protect their own infrastructure, and not that of their partners. I think, yeah, they should probably pay the ransom. And I still think that the Kaseya partners should band together and serve them up some good old class action lawsuit, because the reputation damage is going to be far reaching to the MSPs. And let's be honest, you, myself, Eric, we're not on Kaseya. But now we are going to have to field questions from our clientele about the command and control known as RMM.

Eric Taylor:

Yeah, and I'm already getting them, right. Yeah, they're asking, do I use any Kaseya products? I'm like, nope. Go watch any of my podcasts that I've ever talked about. I hate to say, you know, as full disclosure, I was using RocketCyber until the day they announced they were being bought out by Kaseya. And I talked to Beth, who was my sales rep and account manager over there, you know, impolitely tutor up and down one way than the other. And I said, I can't believe Billy screwed us like this, because you and I, Shiva, have had numerous talks with Billy and never once did we ever get the impression that he was going to be selling things out.

Shiva Maharaj:

Well, you know, he was under NDA, more than likely, and couldn't say anything. But you know, if I were him, I would have just been like, you know, guys, I'm too busy. I can't take the call. Instead, you know, what all these vendors do is, and if you look at your contract with them, any idea you give them becomes their property in its entirety. And what all these vendors do is they put together these advisory panels, and they get you to brain dump. They take your ideas, they sit on them, they may use them. What do you get? Another feature you may have to pay for, for a platform you already pay for? So that's probably what Billy was doing. You know, he promised a whole lot of things coming. I don't know if they materialized, because the day it was announced is the day I went into RocketCyber and hit uninstall on everything. Question for you guys: what did you do in reaction to hearing of this Kaseya breach on Friday?

Eric Taylor:

I mean, me personally, I was all in the threat feeds, just because I'm not in, you know, the Kaseya world, right? So I wanted to start getting as much information from threat feeds that I could. Let's just be honest. Again, not to throw shade at Huntress, but I really don't think we're going to get the full story from Huntress. They're trying to do some great stuff for this stuff. But I will guarantee you, there are things that they know that they are not going to disclose, for the good of the channel.

Shiva Maharaj:

Well, I mean, you're in IR, that's almost a given, right? What about you, Brian, what did you do in response to your alma mater getting popped?

Brian J. Weiss:

I, you know, immediately had a ton of empathy for all the MSPs out there and had this weird kind of excitement slash nervousness, where, you know, I wanted to get involved, reach out, learn as much as I could, reach out to all my peer groups. And I felt the need to help. You know, it sounds like similar with Eric, he's like, alright, we got to figure out what's going on here. Like, we got to get to the bottom of this. And I was extremely disappointed by the lack of transparency from Kaseya. Because you had all these other vendors that have no, you know, connection to Kaseya, financially-wise, getting involved in helping the channel. And I even reached out to RocketCyber thinking, hey, you know, I thought I remember RocketCyber becoming the SOC for Kaseya. That was part of the reason they bought them. Trying to get an answer from them, just to even see if there's a vulnerability. We still have RocketCyber, but just for the Office 365 monitoring. I had all their agents ripped out. What's that? Rip it out? Exactly. So I'm in that process. And so I'm just, you know, I'm trying to think, okay, is there anything that can be concerned about my own house? Double, triple checking, you know, talking to my guys, making sure I got an ear on the ground. And then like, what are we being told? What do we need to do? I mean, shut down the VSA servers, is all I heard from Kaseya.

Shiva Maharaj:

In their defense, that's all they can really do, right? It's like, hey, we have an incident, shut it down until we can figure out what's going on. That I respect, because there's really not much else you can do. And when you really think about it, for the MSP, it's really hard to sit there and wait for information. But it's even harder for Kaseya to sit there waiting for information, knowing you have thousands of people waiting for information when you have your dick in your hand. Because that's what happened. Are any of you IT Glue users? How about Network Detective? Because I did hear someone say that it may have been affected. But then that evaporated. No one said anything anymore.

Eric Taylor:

No, I tried Network Detective long before Kaseya ever got their hands on them. So I haven't been with it.

Shiva Maharaj:

You don't like generating a 300 page printout of absolute bullshit to scare somebody? Come on, man.

Eric Taylor:

I've even... I remember doing this. Now that you say that, I have flashbacks to some of my early MSP years of, you know, having that platform and dropping one of those big freakin' three-inch binders on their desk. And they're going through and they're like, what am I supposed to do with this? It's all the crap that's broke. Yeah. And they just look at it, they're like, yeah, whatever, we just really can't deal with this. And we just move on. Right? So there's so much information, supposedly, in those reports that they just mentally shut down.

Shiva Maharaj:

How do you guys see yourself moving forward with RMM in general?

Brian J. Weiss:

I mean, my personal situation is I want to be able to have my SOC with eyes on what's going on in the RMM, to be able to identify something more proactively, and then trying to get a message from my RMM vendor on how something like this would be prevented in the future. I mean, it sounds like if the wireless access, no firewall rule was put in place for the SaaS platform that Kaseya had, they were able to secure that, obviously, but not all the on-prem servers. I probably would be advising, don't use on-prem RMM anymore, right?

Eric Taylor:

But see, here's where the pushback comes in on that, because I know I got disconnected a little bit there. But you know, when you have an on-premise RMM solution, you have greater visibility, visibility to the logs. I mean, as long as you know what the heck you're doing, you can actually monitor that stuff. For SaaS, you can't.

Shiva Maharaj:

So do the bad guys.

Brian J. Weiss:

First point I brought up: I want better visibility on my SaaS RMM, right.

Shiva Maharaj:

Do you think RMM is here to stay with the emergence of 365?

Eric Taylor:

No, I do think something's gonna take the place of it. But here's the... so like, I am in a really funky spot, right? Half of, well, I'd say more than half, about 80% of my client base is 365. The rest of them are G Suite or some other solution. Until I can get everybody under a 365 tenant or some sort of central management like that, I'm going to have to use some sort of RMM as a software deployment. GPOs are great, don't get me wrong. But unless you got something in there to monitor GPO changes and stuff, you still need something to be able to communicate back to you. That's the biggest problem that I have.

Shiva Maharaj:

Well, here's an interesting thought for you. You use Sumo, I use Sumo. If you put their collector on an endpoint, you can run scripts, and that script can download and deploy software. The only thing you're missing is going to be that remote access to get onto the box, which you can buy anything for.

Eric Taylor:

And I'm really thinking about doing the Sumo for just, at least, for the one or any other domain controllers. There, there's actual RDS or something like that, you know, the server level. But I'm definitely not going to be using Sumo for the workstation, just because as much noise they use. Yeah, that's where I really think our EDR really needs to step in and be able to do the quote unquote threat hunting on an endpoint for that.

Shiva Maharaj:

Brian, what are you using RMM for today, as opposed to what you may have been using it for two, three, four, five years ago?

Brian J. Weiss:

You know, when I think of the five NIST pillars, you know, the first one, identify, it's really an area where I can identify all the devices that we're responsible for managing. So I've got a single source of truth for that. And that's where I'm kind of split between Intune and RMM right now, because I've got Intune we're using for mobile devices, which aren't in my RMM. And then I've got RMM for network devices, which aren't in Intune. So you know, I'm pushing, you know, my RMM vendor Datto to do a tighter integration with a one-to-one relationship between Intune and our RMM. But if Intune ever gets to the point where I'm also able to see network devices there, right, and I've got a better multi-tenant capability to manage everything, and I'm not heavily reliant on GPOs with an on-prem domain server, I see in the future everything being able to be done on the Microsoft stack.

Shiva Maharaj:

If you use Azure Sentinel, you can deploy a network probe to identify everything. Only problem is, I only know of one PSA that integrates with any of that stuff to give you that one-to-one relationship. None of the Big Three do it.

Eric Taylor:

This comes back to what I always scream from the top of the mountainside. I mean, don't get me wrong. I know the PSA you're talking about, you know, HaloPSA. But having that single pane of glass is scary as hell, right? I mean, if I have everything going back into one, and tell me if I'm wrong, right? If I have everything go back into one, that is that one product that you have to breach, or I have to breach, to get complete visibility. So having all these API integrations and things of that nature, it just opens up a big effing gateway.

Shiva Maharaj:

Here's the interesting thing about getting that single pane of unicorn glass into a PSA with the right permission structure, you're only getting a view. However, with an RMM chances are you're getting the ability to do whatever the hell you want.

Eric Taylor:

And most of them are that way. Like even with RocketCyber, when we were with those and we started looking at the permissions that RocketCyber wanted for 365, it's a frickin' ton. I'm like, you don't need that, you're pulling logs. You don't need write permissions.

Shiva Maharaj:

Brian, you're... are you using Blackpoint's 365 fees for

Brian J. Weiss:

our own house? Yes. And that's what I'm going to be moving everyone over to they're currently white labeling sure web for that, but they're building out their own custom integration.

Shiva Maharaj:

What do their permissions look like? Are they just getting read-only access or, being your SOC, are they getting full admin access?

Brian J. Weiss:

That's a great question. In my talks with them, I would hope they're only getting read-only, because they don't really need write. But I guess that's really a question for sure web, right? Because it's their tool. Go ahead, Eric.

Eric Taylor:

So I'm gonna trigger triggered your comms asshole. So when you go in there, and you set up the permissions you don't read through the descriptions of everything you've given it access to when you set up that integration?

Brian J. Weiss:

I do, yes.

Eric Taylor:

I think you would know, then. You would know what permissions they have.

Shiva Maharaj:

Hey, man, we're getting old. Our memories aren't as good as they used to be, which is why we use IT Glue, brought to you by Kaseya.

Brian J. Weiss:

Give me a break brother. My coffee still hasn't kicked in.

Shiva Maharaj:

Man. It's so it's not even nine o'clock for for Brian yet, man. We've been up for four or five hours at least you and I each.

Brian J. Weiss:

I will tell you this. I don't remember any red flags when I was reading through it. But again, I don't want you to quote me on it right now.

Eric Taylor:

But after this, when we go into our super secret Zoom room, if you want help going through your 365 logs, I'm sure me and Shiva would be able to help you with that.

Shiva Maharaj:

Oh, that's so sweet.

Brian J. Weiss:

So should I say put a ticket in for that?

Eric Taylor:

Yes, please do, to my Kaseya portal, please.

Shiva Maharaj:

When it might be slow as fun today

Eric Taylor:

SLAs have gone out the window today, please contact us next year.

Brian J. Weiss:

Real quick. I never finished answering the question earlier. So RMM I mean, you've got your remote access to devices, right? You've got your monitoring and alerting?

Shiva Maharaj:

What are you monitoring on with SOC?

Brian J. Weiss:

What's that?

Shiva Maharaj:

What do you need to really monitor with an RMM that you're not doing with a SOC? And please don't tell me disk space.

Brian J. Weiss:

No, it'd be, you know... well, yeah, it's the basic stuff, uptime. You're right. I'm just telling you, what are the pillars of RMM for us, right? And then, are you gonna let me finish my thought? I just lost track. So remote monitoring, alerting, automation, automation of onboarding, offboarding, scripting, right. Okay. And then really identification, the identification of assets we're responsible for monitoring, and maintaining compliance in the sense of understanding when devices are missing software they need to have, or things like that.

Shiva Maharaj:

You know what really sucks about Datto for compliance, where Automate beats them? You can make a UDF or an EDF in Automate that's an actual checkbox for compliance. Datto is just a text box. That's the one thing ConnectWise does better than Datto, in my opinion. But hey, what do I know, I'm just a guy trying to be an MSP.

Eric Taylor:

Pretty much that. Welcome to the steaming pile that continues to be 2021.

Shiva Maharaj:

Any advice you guys have for practitioners or end users out there?

Eric Taylor:

So we're actually I've actually gotten four calls so far, over the weekend, from Kaseya partners who are wanting to know what they do

Shiva Maharaj:

have a question? How free do they want it? Very free.

Eric Taylor:

But they want to know what they do, you know, and I'm like, you're in the middle of a big friggin' mess.

Brian J. Weiss:

I mean, the first step should be contacting their cybersecurity insurance. Right,

Shiva Maharaj:

they don't have one,

Eric Taylor:

they don't have it. Somebody don't have proper backups,

Brian J. Weiss:

that sucks.

Eric Taylor:

So they don't have proper backups, they don't have proper in for their own stuff. They don't have the proper insurances to, you know, deal with this. So they're scared out of their mind. They are looking at a massive backlash from their clients. They don't know what to do.

Brian J. Weiss:

So then the next step would be what contact your lawyer, if you don't have insurance,

Shiva Maharaj:

if they can't afford insurance, you think they can afford a lawyer?

Eric Taylor:

The lawyers that I referred to are going to be outside of the price range anyway. So So never designed a panel. So

Brian J. Weiss:

find a lawyer that's setting up a class action lawsuit, then

Unknown:

maybe, but at the same time, you're How do they get through the incident? Yeah, you got to get through this.

Eric Taylor:

And I don't know, no response firms that are out there, including myself, or Kroll, or anybody else, is just going to sit on whatever money that is being used. That's what really, as much as I hate to say it, I really hope that Kaseya does the right thing and they pay the ransomware note. Because there's a lot of, you know, pizza techs and very small shops, they just can't weather this storm.

Brian J. Weiss:

So really, their next choice, or the client's choice, if they can't get through this, is to go find a bigger MSP that's willing to bail them out of this as part of some acquisition deal, or the client's just left off on their own, trying to have to find someone else to clean it up for them and

Shiva Maharaj:

then use, hopefully, the client's insurance, right? Would you buy an MSP, Brian, that's going through an incident like this? Or would you buy their assets and customer list?

Brian J. Weiss:

No, I wouldn't even consider it, just because of what I've been through. This is the last thing I'd want to introduce to my team. But I could see larger MSPs out there using this as a fire sale to try to gain more market share, because they feel like they want to take it on and they care more about growing and

Shiva Maharaj:

especially the ones with the close ties, the law enforcement. Might behoove them to do that.

Eric Taylor:

But here's the thing. So let's just say, hypothetically, your business was compromised. You're the grocery store with 500 locations that I've seen in the news that's shut down because there's ransomware because of Kaseya

Shiva Maharaj:

and giving away free goods.

Eric Taylor:

Yeah, giving away free goods because they can't process anything. Are you really going to be like, oh, hey, you know, I just bought out your existing company, we're going to come in and do this? Are you really going to feel all that comfortable with it? No, 'cause I'm probably, as a business owner, just my mindset, I'm like, f all you guys, I am heading over here to talk to somebody who I can actually build a relationship with and trust. I don't think there's going to be any real fire sales. Because the assets are tainted, right? It's fruit from a poisonous bush, if you will, for history.

Brian J. Weiss:

I guess what it would be is smaller MSSP reaching out to bigger MSSP to help bail them out. And the reward for the bigger MSSP is maybe getting those clients.

Eric Taylor:

I don't know if they would want them. I don't know, I don't know if those clients would stay,

Shiva Maharaj:

I would go. I know this is not a welcome sentiment in the MSP channel right now. I have no problem going out for those clients. Because when SolarWinds had their incident, Kaseya called me, thinking my company was on SolarWinds, saying, hey, have you heard about the breach? We're more secure. But now everyone's saying, you know, don't be a fearmonger, don't sell on fear, which I don't do. But at the same time, look at it from the end business's point of view: they've got 5, 10, a dozen, two dozen, a couple hundred workstations that are completely fucked. What do they do? Sit there with their thumb up their house while the MSP waits for Kaseya to maybe patch this thing? Or do they engage with their insurance, hire someone like Eric to go through the remediation, or at least the imaging of the memory and the workstations and the servers, and then go to town with a new provider, not MSP, but any service provider, and rebuild? Who can wait? I guess, how many end customers can wait for Kaseya to figure their shit out?

Eric Taylor:

Oh, no, I really think there's gonna be weeks, probably a weeks thing, because I really think that there's gonna be a bunch of MSPs and customers that are waiting to see what Kaseya does. And they're going to hold out for dear life that they're going to come through, and they might find out they're going to be holding the bag at the end of the

Shiva Maharaj:

because they may do it. Because now that while cc has been involved, FBI has been involved. The President has issued an order or directive something that the Intelligence Committee has to get involved to figure out what's going on. There are too many eyes on this for Kaseya to just try to brush it under the rug. And to me, that would be the only way the only thing that would really force Kaseya to take action

Brian J. Weiss:

can the government for us to pay that

Eric Taylor:

note because they're their private entity? I don't leverage is the government I'm gonna have shorter inside of a

Brian J. Weiss:

government kid like they did the banks and bail them out and just print a bunch of money and say here you go nationalized.

Eric Taylor:

The banks are under FDIC and the other one the end, NCI, NIH as the IFC, the other community one I forget, but it's under federal regulations.

Brian J. Weiss:

Yeah. That's a good point,

Shiva Maharaj:

I think Kaseya is in the unenviable position of having to navigate this. And one thing I wanted to discuss, because I know we're coming up on time here, is that, do you guys remember when SolarWinds happened? And news broke a Sunday night? Now, I slept since then. It was in December? Or was it November, whatever. Within 48 hours a patch was issued. How long has it been since the incident? We're over 48 hours now, we're way over 48 hours, and they don't anticipate a patch being released for at least another couple days. So this underscores the difference between SolarWinds, really a real company, and a Kaseya that is a monster in the MSP community. Let's remember, because they have been working on mitigation for this pre-incident. So the fact that they couldn't push something out within 48 hours is concerning, would be concerning to me, had I been a Kaseya VSA partner.

Brian J. Weiss:

Well, they're not in the enterprise space like SolarWinds, though, right? So they just don't have the resources.

Shiva Maharaj:

Yeah, but they like to come out and pretend they're a big swinging deck. I mean, when you talk to Kaseya reps, there's no one better than them, they're tip of the spear. And we're, what, 50, 60 hours out, and still no patch for their partners. I mean, come on. How long did it take them to mobilize IR?

Eric Taylor:

Nobody knows.

Shiva Maharaj:

To me, it seems, you know, Eric, this is again your area of operation, it seems for the first 24 hours they were shooting from the hip. Yeah. Or at least the first 12, till 9:10am Saturday morning.

Eric Taylor:

When you're having just random people calling in saying, hey, we got a problem, we got a problem, and they're trying, you know... you got to think about, like, okay, you got X number of partners flooding level one support with claims of ransomware or whatever, you know, they're starting to triage that, you know, before it even goes level two. What's their typical SLA for level one support? Couple hours, I'd imagine.

Shiva Maharaj:

three hours in the month of February.

Eric Taylor:

So let's just say you have 300 MSPs, you know, creating level one support tickets and then going through their default scripts of troubleshooting before it even gets escalated.

Shiva Maharaj:

So here's an interesting question for you. And Brian, this may be your cup of tea. Do either one of you have anything in place to identify tickets with the same root cause across multiple clients, to see if you are under siege?

Brian J. Weiss:

Yes. I was just trying to think in my head, like, why would ransomware tickets come in as a level one initially, because we have a separate security incidents queue that everything gets dumped into, which are immediately emergencies.

Shiva Maharaj:

Okay, you're a panicking end user. You shoot out something to support at Brian's company dot com, or sorry, itech-solutions.com. It's going to go into your regular queue, wouldn't it?

Brian J. Weiss:

So yeah, most of our clients are trained to not do that.

Shiva Maharaj:

I mean, think about it from these guys are under siege, they're seeing the shit pop up. And they're like, Fuck, what do I do?

Brian J. Weiss:

Wait. So we have a Service Delivery Manager who monitors the queue. If for some strange reason they all came in via email, versus using our client portal or calling, where they actually get triaged, more automated, it would definitely be a red flag immediately. I mean, my guys are on standby just with PTSD. I mean, my guys had PTSD coming back from this, you know, even though it has even affected us, I can imagine. And we're in a little bit different of a case, we get a pretty high alert even if someone's email box becomes compromised. I mean, we're like double, triple, quadruple checking things to make sure there's no persistence, you know.

Shiva Maharaj:

So that goes back to my question: if it's coming in via ticket or an email ticket, are you parsing for certain keywords to dump it into a more critical queue, security queue? Like, are you parsing for ransomware, Bitcoin, and words like that?

Brian J. Weiss:

No, because we get probably 20 to 30% of our tickets via email, and they're all low priority. In fact, when someone creates a ticket via email, they get a response back saying, hey, you created this via email, therefore its priority is five business days. If you want higher priority, you either need to call us or you need to use the portal, where they can define their priority while selecting it or payment,

Shiva Maharaj:

or pay more pay more so on every ticket is an important ticket.

Brian J. Weiss:

But in our portal, there's literally a security incident thing, and then it asks them all these questions. And that comes in automatically as an emergency, they don't even have a choice to pick priority on that. So, you know, again, if I was an MSP that heavily relied on email, I would have parsing, I would recommend setting up parsing. Or if you don't have someone that can monitor it 24 hours, or I guess the other option would be someone monitoring it 24 hours to identify that manually.

Shiva Maharaj:

But I think parsing is really something everybody should do. It's built into the platform, right? At least on an alerting piece. And keep digging. Someone told me

Brian J. Weiss:

Yeah, the tricky part for us is we have an on call person and an answering service after hours. So I'd hate for a false positive to come in and wake someone up because at some part some unintelligent parsing that happened,

Shiva Maharaj:

you know, parse for ransomware and parse for Bitcoin. Now. We have compromising video from your webcam,

Eric Taylor:

which is usually not the case. But eat me in my Snickers. Wait, we

Brian J. Weiss:

actually had an emergency over the weekend from someone who installed the Ring camera and then got one of those emails and was freaking out.

Shiva Maharaj:

anything else, boys or gentlemen,

Eric Taylor:

gentlemen,

Brian J. Weiss:

Forward to talking to John later, seeing what his input is. I feel like I'm still in kind of a learning process, because there's just so little information out there, you know.

Shiva Maharaj:

I'm gonna ping him and see if he wants to hop on sometime tomorrow. If you're game for it, Brian. I don't know what your schedule is like, we can discuss that offline instead of, oh, sending your entire daily schedule to the interwebs.

Eric Taylor:

Oh, I thought he had his calendar put up on a public forum of ICS now just just look at all of the stuff that he's doing. What it's,

Shiva Maharaj:

it's you know, it's just shows when he's available, not you know, who he's talking to.

Eric Taylor:

When you contact the NSA for that.

Shiva Maharaj:

Thank you guys for joining us for another episode of Cybersecurity: Amplified and Intensified with Eric Taylor of barricadecyber.com, Brian Weiss of itech-solutions.com, and myself, Shiva Maharaj of kontinuum.com, Kontinuum with a K. Please like, subscribe, share, drop us a line, let us know what you want to hear about, ask us questions. You know, we're game to help and have some really candid discussions. And Brian, anything else you want to add? And if you want to get rid of some of your customers because you couldn't service them properly, because he chose Kaseya, I'm open to taking them. I don't know if Brian wants any of them, but I'll You can pay them.

Brian J. Weiss:

I'm here to help MSPs more than I care about getting new clients. So definitely here, at the very least, for moral support.

Shiva Maharaj:

Be careful when you say help in the MSP world, they think free, free tools.

Brian J. Weiss:

That's why I said at the very least moral support. That's what I can offer for free.

Shiva Maharaj:

Fair enough. Thank you all. Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.