Cybersecurity: Amplified And Intensified

Escalate, Exfiltrate & Encrypt - Round 3

August 23, 2021 Shiva Maharaj/Eric Taylor
Shiva Maharaj:

Good morning and welcome to yet another episode of Cybersecurity: Amplified and Intensified with your host, Eric Taylor of barricadecyber.com, and myself, Shiva Maharaj of Kontinuum.com, and that's with a K, folks, not a C. What's up, Eric? I know our phones and devices were going off like crazy all weekend with listeners asking for one thing to be discussed in particular, a couple of others, but specifically one.

Eric Taylor:

Yeah, because of the outreach via what we've been seeing on Twitter and everything, this one's going to be, you know, a special release, if we will. So, you know, typically we release these things on Friday, you know, record on Thursday, release on Friday, but we wanted to be able to talk about this a little bit more. And I'm sure episode four, that will come out later this week, will be more of the same, unfortunately. But let's talk about what's been hitting the news that we don't have a whole lot of information on, except for the State Department has reportedly been hacked. There's a couple of things that we've seen that I've noticed. I'm going to lob a question over to you, see if you've got it, because I've been doing some digging over the weekend, and I haven't been able to get a whole lot of information, except for... only the information was released to a Fox reporter. Not to get political, but

Shiva Maharaj:

it's got to be true. If it's false.

Eric Taylor:

That's right, orange man bad. Um, but the one thing I did notice, at least Gizmo, Gizmo, Gizmodo or whatever, however you pronounce this, it's a good site. But um, this is the one site that I've seen that actually mentioned this: that an analysis of the State Department's systems found that the agency failed to address vulnerabilities, you know, we'll start talking about CMMC, and the state under was 71, and stuff like that, because, you know, what the hell, 10 systems were found to contain 450 critical risks and 836 high-risk outstanding vulnerabilities. 736, thank you. Um, so that really raises the question to you, that maybe you have an answer to, Shiva: what exactly was hacked? Because I have

Shiva Maharaj:

no answers to anything, I'm just an idiot. Don't mind me, I just give good advice that no one wants to listen to because it's too hard. So last month, or the month before, I think it was maybe the Office of the Inspector General, or one of those guys, did a test of federal agencies and found that most of them were severely, severely deficient in terms of controls and security. And I think that's what that part of the article is speaking to, because God forbid anyone actually report on factual stuff, as opposed to, you know, giving their two cents like what we do, because I think we're the only ones that should give our two cents, but hey, whatever. Now, I read one article that this hack happened last month, as in July, not in August, and it was only recently that it was disclosed to the public. And I believe, based on the severity of this attack, Congress has to be notified within seven days, which I think puts us around the 28th, maybe, because this was dropped on the 21st or shortly after. But this underscores an issue where we don't have transparency. Now, if they are reserving the right to not tell us what got hit because of operational security for ongoing actions, I understand that; let's not put any more people in harm's way. But I would like a timeframe as to, you know, when we can get a post-mortem on these things, because, as you know, the State Department is, I believe, running the operations for the evac over in Afghanistan, and the safe return of our people and our friends should be of paramount importance, at least in my opinion.

Eric Taylor:

Exactly. You know, that's the one thing that always rubbed me the wrong way. You know, you and I both agree on operational security, cyber security of the government. Now, if it is something to that effect, yes, don't disclose, you know, that type of information, right. But why not just come out and say, look, we had some stuff happen, but it is classified, you know, because of ongoing operations or whatever. I mean, they say it all the time: I'm not going to comment.

Shiva Maharaj:

I think it's a big measuring contest. But honestly, maybe I think the more important thing is, let's focus on the latter part of what you read out: there are the 736 systems that have critical vulnerabilities. Let's focus on how we get the competency of our security, and when I say our, the government's security, higher, make it better than what it is. Let's stop getting distracted from everything else that's going on and make ourselves stronger. How do we do that?

Eric Taylor:

Is that part of the executive order that Biden put in for the 871?

Shiva Maharaj:

Yeah, but I feel like there needs to be more than that, right? An executive order is just really saying, these are what you have to do for us to buy from you. That's essentially what it is. It's not law. It's not codified into anything. If he wins another term, great, it stays; if another president comes in next term, or the term after, they can rescind executive orders. I mean, that's just how it goes, right? So what can we do to bring up our state of security? And that's where I like the CMMC. However, CMMC has a very narrow focus on the Department of Defense and the DIB. It's not going to affect the Department of State. We mentioned last week that the Department of Homeland Security wants to mirror something like the CMMC for perhaps the civilian side of the government. Personally, I'd like to see one compliancy, five levels or four levels, because I think level two is a piece of shit, we'll get to that. I'd like to see that one standard. And then you have the military auditing for the DoD and the DIB, and then maybe you have a civilian arm, whether it's CISA, or maybe the FBI, doing the auditing for the civilian side of the CMMC.

Eric Taylor:

That's possible. I mean, because CMMC definitely is for, you know, the classification of information, right? So if you're dealing with CUI, then it's... I'm really torn up because, you know, we need to do something, right? And take the costs of compliancy and going through the auditing out of the picture. I think we should have something going on, right? So all these different NIST frameworks and ISOs and this and that and everything else, it just muddies the water way too much, in my opinion, where it needs to be simplified, whether you take CMMC and take the core of it that would apply to the government entities and make everybody adhere to that, maybe, you know, CMMC version 2.8 or, I don't know, but something, right? I'm all for coming together for compliancy, and I'm all for, you know, a lot of the aspects of CMMC. I really hate the politics around it and the scandals that are going on with the leader of the CMMC, the lady who was running it, plus, you know, one of the CPAs that was auditing and all the crap, but I mean, oh, they got approved on July 23.

Shiva Maharaj:

Right. Yeah. So no matter what they did there, they're A-OK to go, because it's pay to play, right? Let's be honest, that's what compliancy is. And the only people that benefit from compliancy are those doing the audits. Yeah, the users of compliancy? Well, not really. So we need to stop it from being a profit center for people and let it be a patriotic center. That's why I say by the gov, for the gov. Yeah, I know, that's not a popular sentiment, because a lot of people are going to lose money. But what else is there? You're going to bring in third parties that you cannot control, you have no jurisdiction over, because they are civilian; you are military.

Eric Taylor:

If you want access into our network, we must do the audit. I totally agree that the

Shiva Maharaj:

rumor that there are certain thought leaders in our industry who are looking for a level two to be the baseline for IT providers and CMMC. How do you feel about that? And then I will be happy to tell you how I feel about it.

Eric Taylor:

Yeah, this goes back to what I was saying. I think there needs to be something. If we are taking the CUI out of it, there needs to be something, I don't know what it is yet, because we're getting approached by MSPs, um, you know, IT evangelists and technologists and all that, like, you know, we want to do something, we want to do something. So, you know, we'll take a look at maybe just doing the SANS Top 20 and, you know, then migrating them over to CMMC after they get a taste of the compliancy aspect. But, you know, like I said, CMMC has some of its flaws and its holes and things of that nature. But at some point, something has got to be better than nothing when it comes to this self-attestation bullshit.

Shiva Maharaj:

I don't disagree, because we all know how much I dislike self-attestation. I think it's a waste of time. I think it should be a prequel to get you to a real audit. But correct me if I'm wrong here: CMMC level two does not deal with logging; that kicks in at level three? That's correct. It does not deal with logging. You're in IR all day, every day. What can you do for IR, or how limited are you in IR, if you do not have logs to go back through?

Eric Taylor:

If we don't have logs, we're just dead in the water. That's all there is to it.

Shiva Maharaj:

It's basically a new campaign, right? Because you don't know what the vector was, you don't know how long they've been in there, and that's hard to determine even if you have the logs.

Eric Taylor:

So it's built... A lot of times when we get brought into IR and insurance companies are involved, they want to know, can we prove data exfiltration? And when logs are purged, we're like, we have to assume data exfiltration because we can't prove that it hasn't. Well, if

Shiva Maharaj:

if logs were purged, that's affecting data, so I would call that a breach. Now, to me a breach is unauthorized access. It's not proof of exfiltrated data. I think you need to assume the data was taken and work under that premise.

Eric Taylor:

Now, granted, there are some threat actors, you know, like LockBit, Gaji, all these other ones that are known. You know, you see their note, it's like, okay, data has been exfiltrated, you know that. But when you're going through some of these other lower levels, or you go through PCI, you know, or whatever type of incident, when you don't have any logs to prove whether they used a lot of the known tools to exfiltrate and go to some of these cloud storage providers for hosting data, we have to say, look, we can't prove it hasn't been, so you've got to assume it has. They purge their records, they cover their tracks,

Shiva Maharaj:

but that goes back to the typical press release on these companies: "There's no indication of data exfiltration," which, come on, they got into your system, they're not going to come in there and do nothing.

Eric Taylor:

Right. Don't get me wrong, some of, a lot of the lower-level ransomware groups will just drop their payload and run.

Shiva Maharaj:

Yeah, but you're not getting a lot of the big guys doing that, right? Because part of the payout, wasn't ransomware, correct me if I'm wrong here, because this is your area of operation, ransomware now is about getting the data and threatening to release it to get payment? Otherwise, what's the point, if some of these larger companies have good backups? Right? So exactly, the data is what's valuable.

Eric Taylor:

It is, but there's still a lot of, you know, quote unquote, fly-by-night ransomware operators that

Shiva Maharaj:

Again, just never happened.

Eric Taylor:

Not because no industry has any fly-by-night... industries that are not ours.

Shiva Maharaj:

Everyone in our industry is tip of the spear, especially those calling for a baseline minimum of CMMC level two.

Eric Taylor:

So what would you, what would you say that a baseline should be for IT providers? You know, MSPs, technologists, whatever you want to call them this week?

Shiva Maharaj:

I think you should have three levels. If you take level one of CMMC, you take level three and level five. Before this, you said, you know, level two is just the jump from one to three, level four is the jump from three to five. Level one are the pizza-tech trunk slammers, idiots who are just getting into the industry; give them somewhere to start, okay? Let them work towards three, that's where they should be within two years. If they're not there within two years, then leave them at a level one for another two years, make them pay their dues, and rate their insurance risk based on their CMMC level. And then for a fully mature shop, maybe level five. Get rid of, you know, get rid of level two and level four, you know, fold level four into level five, because you're gonna have it there anyway,

Eric Taylor:

This is, you're doing a one and two, and then, you know, for the public sector

Shiva Maharaj:

And no, do a one, three and five, like get rid of two and four. Yeah, so that's level one; level two, doing more than level one,

Eric Taylor:

I think it's introducing a lot of the report generating, making sure you have your policies and procedures documented before going on.

Shiva Maharaj:

I love that. So let's say leave two in to give you that step. So you spend your first year getting level one, you spend your second year getting level two, and by the end of your second year, you should be a level three. And if you're not, you've got to wait another two years for the next go-round. Put that time penalty on there. Yeah. And then after three, you know, it's self-selection for level five. But again, each step has to be audited. And you shouldn't be audited by a different agency. And I think you should be audited every year.

Eric Taylor:

Yeah. What would you say to some of the pushback that I've seen? You know, I even agree with a lot of it, which is, you know, the 100, 150 or even higher price point of the auditing process for CMMC levels, you know, those

Shiva Maharaj:

are DoD prices, as far as I know, or as high as they should be, because this is not a civilian-based competency. There's got to be a barrier to entry for people to do this, right. Our vendors aren't helping by giving us a $50 minimum to get into things. And, you know, that's Datto, I'll say that openly. Spend $50 there, you too can be an MSP, and you too can be all you can be. There's got to be teeth in the game. There was a time, to open a business, you had to scrape together funding. You couldn't just fly by the seat of your pants, because when you're flying by the seat of your pants, you are putting people at risk. There's no, there's no SLPs, there's no TTPs, there

Eric Taylor:

Yep. So what would you... I guess, transition into the next thing? Have you been looking at this whole Virginia Defense Force garbage that has been going on? Yeah,

Shiva Maharaj:

I have. Well, you and I, we were trying to get one of their people onto the podcast; they politely declined, probably because they don't want to be tracked down and ended in whatever legal way they would. But we follow, you know, these guys on Twitter, and they've been threatening to release the VDF, Virginia Defense Force, data for almost two months now. And it looks like they finally did. But what's more interesting is the fact that their leak site is being DDoSed. Now, I'm of two minds here: CYBERCOM is basically saying, fuck you, we're gonna mess with you. Or the Marketo guys were just saying that to get some more focus on them, for attention.

Eric Taylor:

Yeah, so me and Marketo, we have, like I said, we've had several discussions publicly, you know, about them coming on and stuff like that. But when that's like standing out on the side of the street and being like, hey, we'll sell you drugs, stop, you know, just pull over... now you're in this market to sell leaked data. Now, from my understanding, what Marketo is doing is they're going to the ransomware folks when a company has not paid and they're going to sell the data; they are in the bidding process, they bid against all these other companies to acquire that data, and then they're just becoming the middleman broker of that data from the ransomware group. So, however they really get the data, I guess, is really irrelevant. But the fact that they are leaking, they are selling and advertising leaked data, is going to put a real big bullseye on their back. I mean, how are you... how's it not going to do that?

Shiva Maharaj:

I don't think they care. And I think opsec-wise, for the ransomware groups, it's really good, because now you're putting out a cutout between the ransomware group and the victims or law enforcement. Yeah, right. How many times in the last few months have we seen public data sites go down for major groups: DarkSide, REvil, all these guys. So now if they're outsourcing the leak to a third party, that's one less public-facing gateway that can be a vector of attack for them.

Eric Taylor:

Yep. Just to be fair, Marketo is not the only people in the game. There's, at least that I know of, there's like six or seven different other companies like them, but Marketo are the people in the game,

Shiva Maharaj:

China, Russia, Iran, North Korea. Okay. And I think, depending on who they want to be that day, those are the TTPs and software they use. This is true. Yeah, we always keep making the joke that they're just changing their cubicles this week. I think that's what it is, you know, these guys rebrand more than... well, not more than I change, but pretty damn close.

Eric Taylor:

So it's gonna be interesting to see how all this really pans out, especially the State Department, whether we see any more information this week or not. We're going to be keeping a close eye on it. So hopefully things will

Shiva Maharaj:

I really want to know what systems were accessed. Yeah. You know, you don't want to say what kind of data? I mean, once we know the type of system, you could probably figure out the data. Yeah. But more importantly, I'd like to know how long it took them to figure out there was a breach or an incident in progress. Exactly. Yeah. Was Congress notified about it beforehand, like they're supposed to? They're... no, that seven-day rule depends on how that internal agency rates the breach, if I read that correctly. So if it was a medium to moderate, I don't think they need to even... I don't think they have that time limit to report it to Congress. If it was a SolarWinds type of breach or level, then within seven days they'd have to send the report to Congress, I believe.

Eric Taylor:

That's why we're potentially debating the whole 30-day notification that's been going on right now.

Shiva Maharaj:

Okay, I think there's got to be 24-hour notification. I think that's fair. Hey, nothing happened. We don't know. But we'll get in touch with you. Just, exactly. Unless we're talking real operational security or national security, then, you know, I get it. I understand that. So what else you got on the docket there?

Eric Taylor:

That's it for today, to be honest with you guys. Thank you and discuss today.

Shiva Maharaj:

CMMC level two should not be the baseline for wiping your ass. It starts with level three. Please. If you're not logging, you're not doing security.

Eric Taylor:

This is true. So, so true. Words to live by, Shiva: log everything.

Shiva Maharaj:

I could change my mind tomorrow. I might say it's level four.

Eric Taylor:

Oh, let's not get too crazy yet.

Shiva Maharaj:

Crazy is what I do, sir. This is true.

Eric Taylor:

Thanks everybody again for tuning in for another episode of Amplified and Intensified. Please check us out on the website at amplifiedandintensified.com, and check the YouTube channel at youtube.barricadecyber.com. Please follow us, share us with your friends and colleagues that will benefit from this information, and send us some more requests. Let us know what you want to talk about. Until next time, take care.