Episode 28 Threat Intel Full Transcript

Threat Intelligence with Ryan Westman

Ryan Westman  ·  March 20, 2024  ·  53:57

◆ ◆ ◆
Speakers: Joe Patti (Host), Adam Roth (Host), Ryan Westman (Guest), UNKNOWN (Guest)
Joe Patti00:05

Welcome to the Security Cocktail Hour. I'm Joe Patti. And I'm Adam Roth. Adam, glad to see you today. I know we had a lot of technical difficulty before we started this, but we're all here.

Adam Roth00:17

Well, I can tell you this. There's a lot of activity with UFOs causing electronic issues. And I've heard that some UFOs have been flying over Staten Island and creating these electronic beacons that cause machines to fail. But of course, my Windows machine just out surpassed all the Mac machines and protected me.

Joe Patti00:39

Well, your Windows machine was having difficulty. Mine is fine. And also, our esteemed guest also has a Mac and is able to join us without any issues. Today, we welcome Ryan Westman. Ryan, how are you? Hey, Joe. Hey, Adam. Thanks for having me on today. Nice to see you, finally. Yes, finally, after trying to get this set up. So Ryan, why don't you tell us a little bit about yourself and what you do?

Ryan Westman01:06

Yeah, for sure. So my name is Ryan Westman. Currently, I'm a senior manager at the cybersecurity firm eSentire, where I lead the Threat Intelligence team. Prior to eSentire, I spent three years at Deloitte Canada, so I helped Bill develop, establish a Threat Intelligence and Analytics team over there. And prior to Big Four consulting, I was a member of Canada's Federal Public Service for over five years. So I was employed by Public Safety Canada. The comparable agency down in the States is DHS, as well as the Canadian Armed Forces. I hold two master's degrees, and I'm also a GIAC-certified Threat Intelligence Analyst and a Forensic Analyst. Wow, you've, like, got more certifications than Adam.

Joe Patti01:46

That's pretty impressive. I like that.

Adam Roth01:48

Well, how many do you have, like six? So you have seven more than me. Where are you based, are you in Toronto or?

Ryan Westman01:56

So I'm about an hour outside of Toronto. Waterloo is the headquarters for eSentire, so I'm in the surrounding area, yeah.

Joe Patti02:07

Okay, well that's cool, but I gotta tell you that, you know, I think that if you happen to say, like, a boot, that's gonna be a joke, okay? I mean, it's got to.

Adam Roth02:19

I did some work for some of the banks up in Canada and also for some of the public service for one of my former consulting companies. I enjoy it up there, it's very nice. It's like being in New York City, just maybe three quarters the size of New York City. It's actually, Toronto's pretty big, I'm surprised.

Ryan Westman02:37

Yeah, so when I was working for Deloitte Canada, I lived just north of the downtown and I was lucky because I've always managed to have a pretty reasonable commute and where I was living at the time in Vaughan, I was close to the subway system so it took me about 45 minutes to get downtown. Bay Street is one of the other locations that I would work in. Yeah, downtown's nice, can't complain at all.

Adam Roth03:10

I can complain. I'm gonna book a plane, book a plane, and then we're gonna move to what we're drinking, because I definitely need to drink. So when I went up to Toronto, and I flew up there, and I took your train, your transit system, I was like, great, this is great, right from there, right to the hotel, almost, the International Hotel, I forgot the... it's like on the main street over there. Fairmont. Yeah, yeah, very much. Yeah, so I get out, I go into the hotel, it's like walking maybe a quarter of a block. I was so happy. I walked to my customers. Then the day I'm supposed to leave, I'm like, oh great, let's go jump on the train. What train? Your trains don't start like 8 or 7 p.m. or so. I had 7 a.m., I'm like 6:45 to 7 a.m. And then I said to them, I said to the transit people, because I actually dealt with him a little bit, I said, what's the deal? He goes, listen, we're not like New York City. We have to maintain our trains. There's only one track going in and out, or something like that. So he goes, yeah, we don't run it 24-7. So all the Canadians that are listening to me, please don't bash me. I'm just saying that you guys don't run it 24-7. That's all I'm saying.

Joe Patti04:18

Where do the homeless sleep if the trains aren't running?

Adam Roth04:21

Oh, no, there's plenty of that. Don't worry. There's plenty of that. Sorry, Ryan.

Ryan Westman04:26

No, no, no.

UNKNOWN04:27

Sorry.

Ryan Westman04:27

Okay.

Adam Roth04:28

So what are we drinking?

Ryan Westman04:29

Yeah, what are we drinking here? So I have Buffalo Trace. It's a nice Kentucky straight bourbon. Yeah.

Joe Patti04:38

OK. Well, I have to admit, well, Adam, what do you got there? That's not bourbon, is it? No. Tequila. You're just a problem. I'm a rebel. You are, seriously. I'm a rebel. I also have bourbon. I can tell you, Ryan, you picked quite the obscure bourbon. I couldn't find Buffalo Trace locally easily. Of course. It might have also helped if I didn't go looking for it just yesterday, because I forgot I had to get it. So I was not driving around North Jersey all day. But anyway, so I have some Woodford Reserve. It's become my favorite. Yeah, that's pretty good. So cheers, everyone. Cheers. Cheers.

Ryan Westman05:28

I remember my first drink, Adam.

Adam Roth05:31

I definitely deserve that.

Joe Patti05:38

So Ryan, you are in Threat Intelligence, right?

Ryan Westman05:41

That is correct.

Joe Patti05:43

I personally love Threat Intelligence. It sounds incredibly cool. I have a feeling many of our listeners might have heard of it, but don't quite know what it is. So why don't you tell us a little bit about it and what you do?

Ryan Westman05:57

Yeah, for sure. So, I mean, the way that I typically start is by saying it's a niche field inside of a niche industry. You know, it means a lot of things to a lot of people, but the simplest way I would describe it, or the technical way I would describe it, is it's the collection and analysis of information about threats and vulnerabilities, and then you're taking that information on those threats and vulnerabilities, you're analyzing them, and you're articulating the risk posed so that decision makers can make informed and knowledgeable decisions for managing the risk posed by the threat and or vulnerability. So you're taking in information on things that are occurring in the wild, and you're making assessments to decision makers on the risk that a threat or vulnerability poses.

Adam Roth06:46

Can we also like dive into the threat intelligence that some other people like or think about and that's when you go on the dark web and you basically betray that you're one of the threat actors trying to solicit information or that's not something that you do as part of your threat intel?

Ryan Westman07:05

So it's actually interesting, because I was just talking about this earlier today. And that's kind of where the confusion lies, I think, for a lot of folks, because you have the traditional use cases of threat intelligence for a SOC, and then you have these digital risk monitoring platforms or digital risk services. And so where I see the industry going is a convergence of the two. So eventually you're gonna have MDR or MSSPs that are offering the SOC as a service, and they're offering the digital risk monitoring as well too. Traditionally, the role of cyber threat intelligence is to support a SOC or enable a SOC, whereas the digital risk monitoring side of the house is more about supporting the organization with identifying brand impersonation or things like lost credentials and things. Yeah, well, and so that's where it kind of weaves together, because a CISO is interested in understanding where the exposure lies on the dark web for things like credentials and domains, right? So.

Joe Patti08:16

Let me give a little background just for everyone, the digital branding stuff and everything. That kind of service and going to the dark web, that's the thing where, and we've talked about this before on the show, where people go to the dark web, they act like bad guys, and they impersonate there. And, you know, as Ryan was saying, people use that for things like to see, has someone stolen their passwords for the company, or are people trying to impersonate their brand, or, you know, stuff like that. So that's looking at the bad guys, whereas a lot of the other stuff Ryan's talking about that he's more involved with is really looking at the, I guess it's looking at the vulnerabilities, looking at everything that's out there, because you need to give it to the SOC, the Security Operations Center, to, I guess in really simple terms, tell them what to look out for, for what they're looking at when they find something. Exactly.

Ryan Westman09:09

Yeah, yeah. And I mean, the more mature the team is, the more ability you have to support other areas of the business. So in the case of our team, we're at the point now where we're enabling the SOC, and we're doing it in a way that allows us to then also support the CISO team, and then marketing and sales and customer support teams as needed.

Adam Roth09:37

So traditionally, when I think of threat intelligence, and when Joe was lucky enough when I was working for him, he said that every day. We dealt with a lot of threat intel companies in multiple different ways. Some of them were kind of like an RFI, a request for information about a specific individual. It could be a CEO, it could be a VIP, it could be anybody that was involved with a deal. Then it could be something specific about credentials, and it was even to a part where we did, you know, website takedowns. People that were trying to emulate our website, so this way they were hoping somebody would log into that website if they got a phishing link. Oh, it looks like XYZ, and they put the credentials in. Now the threat actor has the credentials. Maybe not the MFA, but if there was a CVE or some kind of security vulnerability, and for those who don't know what I mean by CVE, it's basically something out there talking about a vulnerability for a certain software or hardware. You can do privilege escalation or an exploit, and that basically means we're going to compromise that equipment to get in there. That's what I think of threat intel a lot too.

Joe Patti10:45

Well, I kind of think of it in terms of what the bad guys are up to. So, to give everyone a little context, it's like, you know, Ryan was talking about the SOC. So, you have the SOC, we've talked about it before, the Security Operations Center. That's where you got the guys looking at the screen and all the information coming in of stuff that your security systems think might be bad or wrong, right, an attack or something, and the systems are programmed to recognize that. And, you know, the threat intelligence comes in, part of it is actually defining those things. So you're out there, you know, I mean, I guess at the simplest level, you're out there constantly looking for what all the new attacks are, all the new TTPs, as we call them, tactics, techniques, and procedures. What the bad guys are doing is what you're looking for, so your people can see it, or when they see it, they'll know it.

Ryan Westman11:46

Yeah, so I mean, as I said, it depends on the maturity level of the team. Where we're at is we're able to actually review, because we have such a large customer base, we're able to review the true positive incidents, so the incidents that are actually malicious, and then without the constraint of a service level agreement. So, you know, a lot of companies will tell a certain amount of time that they will contractually be obligated to respond to something that is malicious. So my team doesn't have those constraints. They can take that deeper analysis in order to extract the indicators of compromise, the indicators of badness, as well as looking at the TTPs or the behaviors in terms of how these bad guys are actually able to get someone in an environment to click on something or download something or abuse credentials to gain access to the environment. And then we help support another team inside of what we call the threat response unit with detection engineering. So we're looking at the threats that are emerging in the wild, and we're looking at how those threats are getting in from other vendor blogs and open source reporting. And we're looking at our own detections and how we can bolster our own detections to protect from those specific threats and vulnerabilities as well.

Joe Patti13:13

Right. So all that stuff you're talking about, you get it. You get all that information, all these things to look at and analyze. You get it from a lot of different sources. Yeah, exactly. I was just going to say, they're the ones that are available to everyone, open source. But then one of the things that is interesting, I think, Ryan, about your business is that because you have so many customers, you see a lot more stuff. Exactly. And that's one of the benefits to using a service provider. And we talked about this with Monty a little while ago in a previous episode. Because when you're running your own SOC, it's not only hard, but you only see the stuff coming at you. You see so much more because you have a lot of customers.

Adam Roth13:57

Yeah. There's a lot to say about crowdsourcing, and that's why when people use certain SIEMs, those SIEMs also provide those feeds of threat intelligence as well, which is really great. So crowdsourcing. But to me, threat intelligence is not one thing. It's a whole entire framework, kind of like DLP. When people think DLP, they don't think, oh, it's my email, or DLP being data loss prevention for those who don't know. It's a whole entire framework of different things that you encompass together to create that threat intel.

Ryan Westman14:33

Yeah. Yeah. I mean, it's a lot of different things to a lot of different people, and depending on who you're speaking to inside of a business. So if you're speaking to a CISO, he's probably thinking of indicators and, you know, reports on threats and vulnerabilities, threats being malware groups. And then if you're talking to people on the fraud side of the house, you're talking about, you know, monitoring for brand or, you know, chatter on the dark web about your brand. So, yeah.

Joe Patti15:05

Yeah, one of the things I always wanted, and I fell into the CISO camp, you know, being a security manager. CISO is the Chief Information Security Officer, the head security guy. We get, when you're in security, you constantly get inundated with information. The number of vulnerabilities, the number of possible bad things, the number of things you hear about is overwhelming. It's absolutely incredible. And a lot of what you do is actually having to weed out the ones that are relevant to you and aren't. But even if something's relevant to you, like, you know, say there's this, we used to do a lot of time, oh, there's this big Windows vulnerability, or there's a zero day, like this is being actively exploited. I'm like, Okay, so a lot of people are getting hit. We got that from our vendors. But what I always wanted to know is I'm like, okay, so there are these I look at it like, you know, okay, so there were these barbarians out in the countryside attacking, you know, I'm like, but which ones are just over the hill from me and are about to come at me, you know, that's what I always

Adam Roth16:08

Yeah, what always challenged me, you know, and that's why everyone, like the MSPs, or managed service providers, using managed service security providers, using MDRs, XDRs, managed detection and response, or XDR being that next step up, with automation and everything, everyone's trying to find that perfect formula. Okay, now we got this intel and that intel, and we're going to look it up on VirusTotal, or we're going to look it up on this site, we're going to look it up on that site, and we're going to compare it to MITRE, and then we're going to look at our endpoints and see whether or not they're experiencing that from a certain IP address that's a known bad IP from a known, you know... it's so much information to weave together and try to kind of figure out, is this really a threat? Is there a high, kind of like the CIA. The CIA supposedly never does absolutes in the US, right? It's like, we are 80% confident this is a threat, or we're 75% confident, softly, that this might be an issue, but we're not sure.

Ryan Westman17:16

Yeah, yeah, I mean, Adam, it's about assessments, right? And I think one of the big myths around, or for the misinformed, people think that threat intelligence teams are looking into a crystal ball, right? To say, yeah, yeah, right, Joe? It's like, oh, wow, you got a crystal ball? Where do I buy one of those?

Joe Patti17:36

I'm paying you a fortune and I want you to predict the future. You know, that's it, yeah.

Ryan Westman17:42

Yeah, and I mean, really, the way that I look at it is that, like in traditional intelligence, you have strategic intelligence, you have operational intelligence, you have tactical intelligence, right? And so it goes back to supporting the SOC, at least in the traditional sense with CTI. And so if you're being asked to provide that traditional role, you're really hyper-focused on tactical intelligence. So like Joe said, the vulnerabilities that are specifically inside of your environment that are being exploited. So I would want to know that, or the groups that have historically targeted your industry.

Joe Patti18:27

And so, yeah. And I would also add, Ryan, it's like, you know, say traditional people sound like it's boring, but listen, that's the bread and butter. It is so valuable because like, you know, because everything's up to date when you're doing the threat intelligence. You know, it's like we don't have to worry when someone's like, oh, this thing came out, are we gonna be able to find it? And I'm like, well, our provider, these guys knew about it before we did.

Adam Roth18:53

And it really depends on the use case, right? That's another part of it, right? Yeah. So if you're a regular financial institution that might get generically attacked so somebody can get money from you or do a SWIFT transfer, yay. If you're a company that's a manufacturer making food, coming out with a secret formula for your best cheesecake, and your competitor wants it, they might have the money to hire cyber threat actors to maybe try to exfiltrate that data, and that gets very specific, right? That's when you really got to get threat intel. But if it's somebody who's trying to exercise a vulnerability on your outside forward-facing internet firewall, that's gonna try to use a CVE or some kind of exploit, that's a little different, right? So it really depends on what the use case is there.

Ryan Westman19:41

Yeah, and I mean, not to paint a broad stroke, because there's definitely targeted incidents like the hypothetical you just shared there, but a lot of these criminals are operating on a spray and pray model. So, I mean, while there are definitely targeted attacks, from my perspective, a lot of it is just a lot of spray and pray.

Adam Roth20:04

I guarantee every customer that you speak to, they're targeting me. They're targeting me. Meanwhile, it's somebody in a third world country that belongs to another organization that gets paid a certain percentage to spray and pray through emails and Outlook and everything else, and hoping that you click on the link and they get compromised and they pay a million dollar fine and they get $100,000 or something.

Ryan Westman20:27

Where things get interesting is those ecosystems, though, right? So I mean, like, it's most prevalent with the ransomware gangs, where there's clearly some relationship to other groups. Specifically, when I think of ransomware, I think of Russia, and so how that criminal ecosystem supports the broader geostrategic goals of that state is where things get interesting. And I mean, at the end of the day, not every single ransomware attack is necessarily a targeted attack, but there are people that will say that, simply because of the fact that the ransomware ended up on some sort of critical national infrastructure like a hospital, that it was targeted to a degree. And I mean, it is, it's one of those things that you can debate about and go deep on with semantics, with nerds, basically. Like us.

Adam Roth21:22

It looks better to the customers and the attorneys if you say, oh, they targeted me, they were going after me, then rather than, oh, our person working at the front desk opened up an email from the CEO saying go buy me gift cards, and they clicked it and created that backdoor.

Joe Patti21:40

So, yeah. Okay. So, Ryan, we cut off on a little bit of a tangent. You talk about the tactical threat intel. What about the other parts, the strategic and operational? Because that's not a distinction that I've heard before. I'm kind of interested to hear about that.

Ryan Westman21:55

Yeah. So, I mean, the way that I like to think about it is from the perspective of your priority intelligence requirements. So your macro level priority intelligence requirements are things like, I was just thinking about this earlier today, it's like, what industries are being targeted? And then you can go down another level, and it's like, staying on the industries theme, it's like, what sub-industries are targeted? And then going even further down to the tactical level, what are the sub-industries' vulnerabilities that are specifically being targeted? So, you know, when I think of strategic intelligence, I think of the macro level trends, so the forest, and then the operational intelligence would be a tree, and then the tactical level intelligence would be that leaf. So that's the way that I visually think of it. So that strategic level analysis is helping you understand the forest, the operational level is helping you understand the trees, and then the tactical intelligence is the granular level product or analysis that really helps you understand the granularity, or the leaf, in the context of that analogy.

Joe Patti23:10

Yeah, I think it's pretty interesting the way you talked about industries, because the threats will vary by industry, and the things that are exploitable, in terms of, like, the fairly obvious stuff of, you know, like an airline has different equipment than a factory, than a professional services firm or something, then there's that. But they also have different, you know, vulnerabilities, kind of different, you know, pain points, even if it's, you know, non-technical. One of the things we ran into a lot when Adam and I were, you know, we're at a law firm, where, you know, the gift card scam was interesting, because the bad guys knew which psychological buttons to push in a law firm. Like, they know that when a partner asks for something that he gets it, and that people are afraid and trying to, you know, they're trying to impress them or not piss them off or whatever. So they tend to go and do stuff, they can be tricked more easily sometimes. So it is interesting how things do change. And I guess at that level you guys are on top of that kind of stuff, looking at what the trends are per industry for the customers, right?

Ryan Westman24:30

Yeah, for sure. I think going back to the analogy, you can only provide that strategic analysis once you have a very polished tactical program. And going back even a little bit further to Adam's point, by the very nature of having over a thousand customers, we have the ability to see a broad swath of what's going on in the threat landscape, right? And I think it's one of those areas which we could definitely tell a better story about because you wouldn't get over the number of people that, you know, are not inside of our industry that I'll be casually talking to. And the perspective is that, you know, the government agencies that are charged with the responsibility of protecting government networks are seeing what's going on against industry. And I mean, to a certain extent, I'm sure they are, but at least up in Canada, you know, the visibility that we have in the threat landscape, it's not necessarily that it's better, but it's a lot different. So when you're protecting government networks, you're defending against different kinds of threats versus when you're protecting across all sorts of industry, you're seeing different threats, right?

Adam Roth25:50

But it's not to say that, it's funny how some government agencies weren't compromised by specific tactical threats as much as they were by spray-and-prays. And that's happened too, which is kind of interesting in itself. Look, let's be honest, right? A really, really good threat actor, and I'm not talking about the spray-and-prays, but a really, really good threat actor can pretty much compromise anything with the right amount of time and the right amount of effort. But this is why governments that have threat actors have a ridiculously large open pocket, and they can spend a lot of money in order to fulfill their pursuit. Whereas also some of these really good criminal threat actors, these cyber gangs looking to make money, their pockets are pretty deep too. So they get a lot of money, they hire people, and for those who don't know, and we've said this on other podcasts, these threat actors have brick and mortar buildings. They have a pantry, the heat, they have a help desk, and they have, it's scary, people are not gonna believe it, they have, you know, support. So if you get compromised, let's say by ransomware, you can call a 1-800 number and ask for support, and they will give you support, and it's almost like a money-back guarantee, too. And I'm not kidding either.

Ryan Westman27:25

Yeah, no, absolutely, Adam. I mean, I think that there's also, yeah, there's a misunderstanding of just how sophisticated this has gotten. Yeah, absolutely.

Joe Patti27:36

Well, I know that, you know, it's gotten on the ransomware gangs that, you know, we've talked about it before, how they're like businesses, they're more sophisticated, they got it down, there's this whole business ecosystem of everything, and yes, they're like companies and all. I'm curious, though, what you're seeing along those lines, what you're seeing lately, because it sounds frankly like a maturing industry, if anything, although we know it changes a lot. Do you see them, and I'm talking in terms of the technology, do you see them lately getting more sophisticated in terms of the technologies and attacks, or is it still they're going after known vulnerabilities, they're going after stuff that's been around? How's it looking these days?

Ryan Westman28:21

I mean, I think it's one of those things where it's like economy of effort, right? So if there is a 2020, 2021, or 2022 vuln that hasn't been patched, groups are going to go look to exploit those, right? The really interesting one that kind of speaks to your legal backgrounds is the Batloader and FakeBat pieces of malware. So they've been distributing their payloads through what are called, in a technical sense, drive-by downloads via Google and Bing. So really what they're doing, in a very simple way, is they're polluting the search engine results for certain terms. And then, if you're a legal assistant, or is it a paralegal down in the States? Is that the gas center? Yeah. So if you're a paralegal, you're doing some research on case law, or you want a template or whatever, you know, you go and you run this query in Google or Bing, and what will happen is the results that are returned to you are poisoned, meaning that these threat actors have gone and compromised the web pages that are being promoted as results for that term, and then when that paralegal or whomever goes to that page and downloads this template that they think they're downloading, they're actually downloading a piece of malware. It's interesting, because the tactics evolve over time, but the way that you actually get in, a lot of it ultimately is social engineering. There's technical components too, but at the end of the day, you still need someone to interact with a file or click on a link, right?

Adam Roth30:12

So Ryan gave me a good thing, Joe. Those guys are SEOs, and we should be using them to promote our podcast.

Joe Patti30:21

Yeah, really. Well, that's it. You're right. I guess we can either use SEO or we can compromise some sites when people go for stuff. We'll just redirect them to us. Yeah. But you know, it is interesting because I was at first thinking, and I guess this gets into the criminal mindset and how they think, because I know a lot about criminals, not really. But at first when you were describing it, I was thinking, oh, so are they doing SEO to get things up there in the rankings? It makes me think like, that would cost too much money. It sounds like they're instead going and compromising the things that are already in there, which is a lot cheaper. Is that what's happening? Yeah. Yeah, exactly. Yeah. Oh, that's interesting. And certainly not buying ads, because damn, Google's expensive.

Ryan Westman31:10

So there are groups that do actually use the...

Adam Roth31:18

Google AdWords?

Ryan Westman31:20

Yeah, they use the revenue that they get from installing their crypto miners or whatever, and they do purchase Google Ads. Some do purchase Google Ads, but others will just compromise the search engine results.

Adam Roth31:34

We're going about this the wrong way, Joe. Our podcast could be at 50 million users tomorrow.

Joe Patti31:42

Yeah, there we go. We'll just hire some Russian hackers and like, you know, there we go. We're done.

Ryan Westman31:47

Yeah, Adam, you sound pretty knowledgeable about how to get things done on the dark web. I'm sure you've got some connections that you can leverage.

Adam Roth31:54

Yeah, I just know. Oh, please.

Joe Patti32:02

No, I don't know too many Israelis. They'd shut him down in five seconds if he went bad, believe me.

Adam Roth32:09

Yeah, well, whatever. But it's still a viable way to get 50 million users by tomorrow. Not only will they inject ransomware, but a redirect to our podcast. Let's start with this one. For those who are listening, I'm just joking. I'm not talking about doing anything malicious.

Joe Patti32:26

This is all comedy. We would never do this. No. Unless this was misdirection. But in fact, speaking of misdirection, that's the other really interesting thing that I heard of what you're saying, is that it's a very indirect attack. You go after one target, and then you're exploiting them to get into something at Google, so the other people who use them will get it, so they can be exploited. That's really interesting. I think it gets to their sophistication, and I guess they have the scale to make it worthwhile. I guess it works.

Adam Roth33:07

When you got money, you can make more money that way. Yep. And it's a self-fulfilling prophecy because, you know, once you get somebody to get in that loop, you can do it again and again and again. It just helps you to just... Let's put it this way. We spoke about this, Joe, many times in many episodes. These affiliates, these ransomware people, they have quotas. They have teams. They have to make a certain amount of revenue, and they know how to do it. They're pretty, unfortunately, well-versed in business and sophistication.

Joe Patti33:42

They are. And I can tell you, those Lamborghinis, they don't tune themselves. I mean, they're expensive. Those guys need money. So Ryan, interesting stuff. What have you seen lately, or even not so lately, that's really cool, or that you found that's really cool, because you guys say a lot of stuff, and I know a lot of it can be very mundane, but some of it can be really interesting.

Ryan Westman34:12

Yeah, well, I mean, you know, what we were just talking about there with Batloader and Fakebat, it is really interesting, because, you know, when a user searches for these things, it can be, you know, like, for example, oftentimes they'll spin up a Zoom lookalike page. And so basically they're ensuring the social engineering scheme is consistent end to end, meaning the victim searches for Zoom, lands on a Zoom imposter page and downloads a Zoom installer package, or thinks they're downloading a Zoom installer package, and sees, well, in this case, they'll actually see a Zoom application launch alongside the malware payload. And I mean, so for the average user who's listening to this, it's not just all doom and gloom, because you're at least listening to this conversation. And one of the things that I would say, if you're going to take anything away from this, is that you share this information with your colleagues at work and teach your friends and teach colleagues that these kinds of threats are happening. And not to be corny, but knowledge is power. Being able to recognize these potentially dangerous websites is going to actually benefit you and benefit your organization. And it helps encourage a cautiousness when clicking on links or downloading files from unknown sources. I would be remiss to say that, especially coming from an MDR provider, that if you really want to protect your environment, the best way to do that is with an endpoint detection and response solution. So we actually just launched our own agent. It's called eSentire Agent, and it's an MDR offering that we've brought to market. So those are the big things that are interesting to me today.

Joe Patti36:13

Okay, and along those lines, Adam, since we're going right into the plugs, please share the podcast with your friends too. Like and subscribe on YouTube and follow us on Spotify and Apple and everywhere else. So definitely.

Adam Roth36:27

Thank you, Ryan.

Joe Patti36:29

Good segue.

Adam Roth36:30

And if you bring in 50 to 100 listeners, send me an email and I'll give you an autographed picture of Joe.

Joe Patti36:38

You bring in a couple hundred subscribers, I'll get you all the buffalo trace I can find.

Adam Roth36:46

So two things I want to bring up, right? Number one, that also leads to a whole zero trust thing, right? Go into websites that you shouldn't be going to, websites that you trust, and we can jump on that in a second. But my favorite compromises or my favorite things are people living off the land. Have you seen anything like that, like someone who compromised an IoT device? I've seen and I've heard stories of people, some nation-state friendly threat actors that have seen compromises of people's DRACs or their remote management cards on their servers and then using that sub Linux to use tools to move laterally to a network. Seen anything like that?

Joe Patti37:28

Wait, what are DRACs? Even I don't know that one.

Adam Roth37:30

DRACs, it's a remote access. So if you have a server and you want to manage the server, it's out-of-band network management. You can turn the server on and off, you can send commands to it. Oh, that thing, iLO, whatever they call them. It's not like your DRACs. Oh...

Joe Patti37:49

It's like remote console, you know.

Adam Roth37:51

Yeah, but it's built into the server.

Joe Patti37:54

It's for everyone. It's the management machines, another way into the machine to get to it. They call it iDRAC. Adam's trying to sound smart, you know.

Adam Roth38:02

I'm not smart. I know I'm not smart. So, but anyway, in the DRAC, in the DRAC, like most IoT devices... let's move away from DRACs. Let's talk about, let's talk about maybe possibly like a camera. Some cameras that are very cheap have a sub-Linux system in there, and if you're able to SSH or connect to that camera, you can use Linux commands. Some people compromise IoT devices and move laterally through a network. I love hearing stories about that. So even at one point, six years ago, people were compromising the sub-Linux inside of a Windows machine in order to use a wrapper so the MDRs or EDRs, Endpoint Detection and Response, would not pick it up, because it's within its own environment. Those are the things I love to hear about.

Joe Patti38:53

Yeah. I was just going to say, I got to translate sometimes. Sub-Linux, he means: Windows, you may not realize it, has something called the Linux subsystem, which is a little version of Linux, a different operating system, that'll run in it. And yes, some people had found a way in Windows to get into that. So sorry, I got to translate at times.

Adam Roth39:16

It's not in all of these.

Ryan Westman39:18

That's right. So, Adam, to answer your question, I have to go into the recesses of my mind to think of the big ones that we've been recently dealing with. But the big research that we have been working on is, like I said, the Batloader and the Fakebat stuff. But for the most part, what we see on a fairly regular basis is the basics. I think one of the things that's really interesting and really telling to me is that, for the most part, if you really want to run a good security program, if you're doing the basics, so if you are actually actively testing your users through user awareness training and phishing training, and have competent people successfully passing those tests, and you're running a vulnerability management program and you have some kind of EDR or MDR service, you're going to, for the most part, be protected. But that doesn't mean that people aren't still going to get phishing emails and they're not going to keep on or click on links. Right. But the fancy stuff is more unique. It's not that it doesn't happen. It's just when I'm thinking about the past 30 days, it's been, you know, it's the holidays, and there wasn't a major attack like SolarWinds. There wasn't a Log4j, right? So, you know, we've been, knock on wood, kind of lucky, right?

Adam Roth40:52

So at least the past 30 days have been... yeah, I've been extremely lucky, and I say this all the time. I've been on purple teams. I'm not gifted, but the people that I worked with, some of them were really good. And when I say purple teams, gifted, really good, I'm not talking about the adversaries, the red team, I'm talking about the blue team. And we did a lot of crazy things, whether it was utilizing certain tools or getting onto our network switches and doing things like shutting down ports or redirecting VLANs. We did some crazy, sophisticated stuff. And those are the things that I love doing. Fortunately, when we worked with that red team, they were former nation-state threat actors and they told me some really cool stories. But look, when you're operating at that level and you have access to that... and one of the things that I always remember was watching a TV show that was on Vice, a cybersecurity show. I go, if you want to really learn how to attack, the only game in town is the government. So if you want to be, I mean, NSA is not even really sanctioned to attack, it's really military, right? But if you want to learn to attack, you've got to be part of a nation-state, you know, military. Well, those are the...

Joe Patti42:11

The high level, you know, the A player is the most sophisticated ones. But, you know, as a security manager, as an InfoSec professional, you know, I mean, I got to echo what, you know, Ryan has said. It's very true that the truth is most of the ways people, you know, organizations get compromised is not anything exotic. It's attacks that are known things: known vulnerabilities that didn't get patched, a misconfiguration, which means someone made a mistake or something got missed, a decision that was made that this is too hard or too expensive, it takes too much time, or it'll be too hard for people to use. It's, you know, 90, 95 percent of security, frankly, is, you know, just basic blocking and tackling. Blocking and tackling. I mean, Ryan, you got real football up there in Canada, so you know what I'm talking about, right? Not that other stuff.

Adam Roth43:01

Well, I saw real football with soccer. My son plays soccer. But, you know what, even Ryan, we saw this red team take one of our whitelisted URLs in a proxy, and then because it was whitelisted so broad, they created their own website and used it as command and control. Those are the things I'd love to see.

Ryan Westman43:20

Yeah, but I mean, you know, they're exotic. Yeah, they're exotic. It's not that it doesn't happen. It definitely happens. But the vast majority of people are going to... the way that they're going to experience cybersecurity is some mass email from some guy in Africa who's trying to get you to send them $5,000 or something, right?

Adam Roth43:44

Whoa, whoa, whoa, whoa. Are you telling me she wasn't a real princess? I sent her money and a picture of me.

Joe Patti43:52

No, but it's very true, you know, the exotic stuff, the high-level stuff, it's fun, it's interesting, it's scary, no one likes to get, you know, beaten, but again, when you're running a security group, your resources are limited and you need to find that balance. Are you spending too much time and too much money, too much resource on the exotic stuff and you're not covering the things that frankly you're much more likely to get hit with? That's a real important thing to consider.

Ryan Westman44:25

Yeah, and Joe, it can often come across as a bit of a soft plug, but it's true. If you are doing the very basics, so like I said, running a vulnerability program to minimize the vulnerabilities that you have inside of your environment, you have actually... I got the new Mac. I have the new Mac OS, so I can do all the interactions. I haven't seen that before.

Adam Roth44:58

Wait, does mine do that? Let me try the Windows. Hold on, wait.

Ryan Westman45:01

Are you on Sonoma? Yeah, there you go. Yeah, I had no idea.

Adam Roth45:05

Wait, wait, my machine's not doing it. Oh, it's Windows. That's because you got Windows. Sorry, so sorry.

Ryan Westman45:14

Just as an aside with the reactions, I was in a meeting earlier today speaking with a senior person in the firm and I did that, but I just was gesturing and it did the thumbs up and he had this moment of like, what are you doing? And I was like, it's part of the new OS, I'm sorry.

Adam Roth45:32

What about the other gesture?

Ryan Westman45:35

Finger in... no, no, not that one. Oh no, there's no... it's pretty tame. No, come on, it's Mac, it's Apple, right? I don't know if there are any, uh... that's... I'm guessing it doesn't do rude Italian gestures. I know what you mean. As I was saying, if you're doing the basics correctly, if you're running a vulnerability program, if you're actively testing your users and you have protections on your endpoints, then you're in a good space when it comes to risk management, and really at the end of the day, Joe, you can speak to this better than anyone, I'm sure, at least on this call. It's that, you know, as a CISO, what you care about is reducing risk. There is acceptable risk and, you know, there's unacceptable risk. And if you're doing those three things, I think you're probably running a program that has a level of acceptable risk, right?

Joe Patti46:40

And also, you got to remember that, you know, it's like, while if you get, God, it doesn't matter how you get beat. You still got beat, you know? I mean, it's like, you know, it's like, it may sound cool to focus on the exotic stuff and say, oh, we fought this great attacker, but it's like, yeah, you know, it's like, it's like diversion. It's like, yeah, okay, you fought off, you know, this sophisticated attack, but then, you know, some, you know, some kiddie or someone fell for the Nigerian prince thing, you know, or some totally out-of-date stuff.

Adam Roth47:19

Or Nigerian princess, but I never fell for that. Princess, yeah. I told you.

Joe Patti47:23

But you still got beat at the end of the day and you had a really bad day or now, these days, you had a bad couple of weeks over it, you know.

Adam Roth47:32

So, Ryan, I got a question for you. I want to stop for one second because I want to see Joe's face. What do you think about doing Gator, packet analyzing, as part of the program to look east, west, north, south to see whether or not there might be threat actors going to, you know, your treasures or something like that?

Ryan Westman47:57

So we do do network, like we do network detections, and, you know, to a degree you can get that level of granularity. There's more to the question, I'm sure, here.

Joe Patti48:13

Adam wants you to say that to have a real detection program you need full packet capture. I thought he was going to bring up PISM, the physical and information security. We'll save that for another one. But Adam has been trying to get me to buy full packet capture, probably for six or seven years. We're not even working together anymore and he's still trying to get me to buy it. It's crazy.

Ryan Westman48:35

Well, I mean, I think if it, I mean, I could be wrong here, but my understanding for the most part is network, network detections are mostly inbound outbound. Like you're not really looking, I mean, generally I don't think people are looking east west all that often.

Adam Roth48:54

Yeah, I was kind of doing that a little bit, but I found a certain SIEM that allows you to install packet capture on each of the nodes, and we did it on the VIPs. It's almost like doing Sysmon or something like that, but what you're doing is you're looking to see, wait, wait, wait! Why do I have an inbound connection from my, you know, from my IoT device to this machine? And when you see these rare connections, it's almost like doing the opposite, but similar to micro-segmentation. Instead of you blocking inbound, outbound ports and destinations, and source, you're actually looking for the detection of an anomaly that wouldn't normally connect and stuff like that.

Ryan Westman49:38

So what I would say, Adam, is that, you know, MDR or XDR really means endpoint monitoring, network monitoring, and log monitoring. And if you want to do a good investigation, you need all three. But if you have to pick, you probably want it on the endpoint. Because yeah, the network traffic is important, but you're going to actually need to respond to it on the endpoint, right? Of course.

Adam Roth50:02

I was just looking to see if I could agitate Joe.

Joe Patti50:07

You're taking that so calmly.

Adam Roth50:08

When I say that, you're like, Joe, come on, whatever. I showed Joe the cost. He's like, $2.5 million? That's coming out of your bonus. I'm like, that's only half my bonus. It's fine.

Ryan Westman50:24

Joe sounds like a great boss, Adam. I just gotta say.

Adam Roth50:28

You noticed I left.

Joe Patti50:30

Yeah, you left, exactly. But no, you know, it is true. It is very old school. And it is true that the network always tells the story. There is stuff there. These things are not magic. All the bad guys have to get there somewhere. But it's very expensive and it's very difficult to analyze. I mean, Ryan, to your point, that's why a lot of the detection has moved to the end point, to the individual computers, because it's more, in my opinion, it's more realistic, but also you can see what they're up to. That's where they're popping the machines. That's where they're getting involved.

Adam Roth51:04

Except for the SSL and all the other encompassing, and that's why proxies are good too, right? You know, you need to set the certificate, you give a new certificate, it turns pink, and then you wonder why somebody's looking at your HIPAA or your PII, PHI, you know, whatever.

Joe Patti51:22

All right, with that, as Adam starts spitting out the acronyms, as fast as he can. We've got to do an acronym counter, so we've got to get a little counter in the corner. Is this another gesture? No, that doesn't do anything. All right. With that, I think we're headed for last call here. So...

Adam Roth51:40

I'm going to take my second first drink. That's it.

Joe Patti51:45

Well done. So Ryan, any... Parting thoughts, anything else you wanted to talk about while we're here? This has been a good discussion. This is a topic you can talk about for days.

Ryan Westman51:58

Oh yeah, I mean, like I said at the beginning, threat intelligence is a lot of things to a lot of people, and it really depends on who you're talking to, the use case you have for it, but I think the only other thing I would say is thanks guys for having me on. I've enjoyed having the conversation and yeah, appreciate the drink.

Joe Patti52:23

Thank you for joining. This is also the part where we normally do the plugs, but I think you got yours in, but you can do another one if you want.

Ryan Westman52:29

I mean, yeah. So I'll go ahead and just say again that eSentire is a managed detection and response firm. We have 2,000 customers in 85 countries. We provide EDR services, network services, managed vulnerability services, log services, and professional services. If you are interested, please do reach out and continue the conversation at that point.

Adam Roth52:59

Does that mean that our podcast is going to be in 85 different countries for everybody? Is that a guarantee?

Ryan Westman53:08

I don't know. I don't know. You'll have to talk to our marketing team about that.

Joe Patti53:12

Yeah, I don't know if there are any guarantees in life, especially on that one, put it that way.

Adam Roth53:18

Oh, there's a guarantee you'll die.

Joe Patti53:20

And taxes.

Adam Roth53:22

Well, that's true too, but some people just don't pay. But you're guaranteed to die. You can't beat that.

Joe Patti53:28

If we've gotten to death and taxes, we either got to cut it off or start drinking more.

Adam Roth53:33

Or have another drink. That's right. Thank you, Ryan. It's been a great talk. Thanks a lot.

Joe Patti53:38

This has been a great talk. We really appreciate it. It's been great having you on. Take care, everyone. Thanks for listening. Thank you.