this episode is a good one.

We've got a cybersecurity expert that has been in the room when people are

responding to various cyber attacks.

He's got some great stories.

I love listening to them and I know you will too.

Hope you enjoy it.

hi, and welcome to backup.

Central's restored all podcast.

I'm your host, w Curtis Preston, a k a, Mr.

Backup.

And I have with me a guy who once again, has astonished me with knowledge

that why does he know this stuff?

He's gonna solve my office chair problem.

Prasanna Malaiyandi how's it going?

Prasanna,

I am good, Curtis.

I'm good.

So yeah, let's talk about you needing a new office chair.

so it, it

show the listeners.

Just, just squeak.

Well, let's, yeah.

So this is, so, you know, in a, in a podcast, my mic is picking

up my squeaky office chair.

And so either I need a new office chair or I need to lose a few pounds.

One or the other, or maybe both.

But uh, so you brought up what was the, it was Crandall.

Yep.

Crandall Furniture.

Yeah.

Crel Furniture, which is, they're, they're apparently repurposing,

uh, you know, all those office chairs that nobody's using anymore.

Yeah.

Yeah, they buy chairs.

They refurbish them with like new foam.

They fix the lift mechanism.

Sometimes they replace the arms and then they resell it at a discount.

Yeah,

it's crazy how expensive office chairs are.

Like some of the high-end ones are like a thousand, $1,800.

Who wants to spend that on a chair?

Like I get it.

You spend a lot of time sitting in a chair just like you do, sleeping in a bed.

But still, it's a good chunk of money to spend when you can go to like

your local office, supply store and pick up a cheap chair for like $99.

Yeah, and I don't think this was 99, but

it wasn't much more than that.

I don't, I don't have, if, if I had to guess, I probably got it from Costco.

'cause I get.

Many other things from Costco.

Right.

Um, but yeah,

I had one of those chairs.

I had one of those chairs as well, right, where I was like, yeah, it worked well.

And then I'll, once the pandemic hit and we were working from home, I ended up

getting some wellness dollars from my employer and use that to get myself a

nice standing desk and an office chair.

Yeah.

Um, so I, I think I got the same wellness money.

And I spent it on a webcam.

That's what I did.

I,

sorry, this is for my current employer

Oh, for your current employer?

Oh, that's right.

We, because we were at the same employer.

But you're saying you got wellness money from your, your new employer,

um, and, uh, which is, you know, just as good as time as any to mention

that this is an independent podcast.

We're not representing, uh, you know, any employers or non employers in my case.

And, um, I.

You know that, uh, the opinions that you hear are ours.

And also, uh, be sure to rate us, uh, uh, uh, you know, by, uh,

going to your favorite podcast.

You're scrolling down and giving us all the stars and comments.

We'd love seeing comments from listeners.

And if you'd like to be a part of the conversation, I could be

reached at w Curtis Preston at gmail or um, WC Preston on Twitter.

And also linkedin.com/in/mr.

Backup.

That is Mr.

Backup on LinkedIn and you can find me.

And, uh, with that we'll turn off to our guest at this moment.

Uh, he's, uh, specialized in cybersecurity for over 20 years and is a member of

F B I InfraGard, which is A group that I didn't even know existed.

But it's a partnership between the F B I and the private sector for the

protection of US critical infrastructure.

He's now the c e O of Black Swan, a company that strives to democratize

enterprise level security services.

Which one of my first questions is gonna be, what does that mean?

Welcome to the pod, Mike Sailor.

Thank you.

Thanks for having me

so what does that mean?

So

Well, uh,

on your website that it says you wanted to democratize

enterprise level security services.

Sure.

Well, I think in, in, you know, simple explanation is that we're trying to

provide, uh, enterprise class services.

The, you know what, what the big boys pay for Fortune 50, fortune 100.

And make it affordable and scalable and flexible enough for smaller organizations,

small, medium sized businesses.

Uh, part of our mission is to provide that enterprise class service to

what we consider underserved markets.

So, uh, education, uh, family offices, uh, credit unions as an example.

Um, but also understanding that in each one of those situations you've

got a variety of, uh, business sizes.

So you've got a five person credit union and you've got a

billion dollar credit union.

Uh, and they both need, uh, help, uh, understanding and applying, um,

cybersecurity controls and, and services.

So what happens today for those small customers, right?

Or like the five person credit union, like how do they even

approach cybersecurity today?

Or what is their solutions look like?

Uh, they usually don't have one.

Um, I.

And they even have to, uh, in, in a lot of cases, have to outsource their just normal

help desk, you know, hardware support.

And they're relying on that, you know, that technology expertise to, uh, assist

them in cyber to the extent possible.

Um, but that's changing.

Um, and it, and it has to, uh, a lot of, uh, services and.

Protections and controls that any organization today rely

on, like, like insurance.

Uh, in order to qualify for cybersecurity insurance policies, you have to

demonstrate these, you know, kind of, uh, good cyber hygiene practices, uh, whether

you do it internally or you outsource it.

Uh, and so in order just to even get insurance, uh, you have to, uh, spend

some money to check some of these boxes.

Um, and they're just, there's, there's not a whole lot of solutions out

there options for them to, to go with.

Interesting.

Um, and let's talk also a little bit about, uh, F B I in regard.

'cause like I said, I, I did, I didn't even know this in, I'm, I'm

really glad to hear that it exists, but I didn't even know it exists.

Uh, what, what, what does that look like?

Sure.

Uh, well, so it started in the late nineties.

Uh, I think the, the first chapter was, uh, um, in the mid nineties.

Um, and the, the idea is, Uh, for every F B I field office, um, there should be

an InfraGuard chapter, and the objective of the chapter is to tie the office into

the community, thereby, uh, expanding its eyes and ears, uh, but also, um,

helping elevate the, uh, intelligence and awareness of the organizations in the

community, uh, for the things that the F B I and that community is working on.

Uh, so some, some bi-directional, uh, intelligence sharing, which

really didn't happen for a long time.

It's probably only been in the last five or six years that that's, that's

really, uh, become more valuable.

Um, prior to that, you, you might get an infra regard notice,

uh, a few hours or a day before something comes out on the news.

So you really weren't ahead of it too much.

Um, but so now there's, there's 45 chapters.

Of InfraGard throughout the country.

Uh, there's an InfraGard National Alliance that kind of manages

all those independent chapters.

Um, and the chapters are made up of people from the community,

uh, across all sectors.

Uh, kind of initially it was all technology people.

Uh, so 90, 90 plus percent, uh, membership and InfraGard were people and, you know,

CIOs and engineers and help desk people.

Uh, but today we have nurses and doctors and farmers and, um, People

that work in infrastructure, water dams, uh, federal government, um,

agriculture, I mentioned, um, nuclear.

Uh, so each critical infrastructure section sector, uh, has an infra regard

sector chief, uh, at each chapter.

Uh, who is responsible for going out and.

Uh, not just recruiting others from that sector, uh, to kind of

strengthen the, the mix and dynamics of the chapters, uh, membership.

Um, but it's also, uh, both a feeder into the F B I, uh, for intelligence

and threats and awareness of what's going on out in the community, uh,

but also the FBI's ability to, to, uh, To share with them so that they

can do their job better, uh, get ahead of threats, um, be more aware.

Uh, so it's been a pretty, pretty effective, um, partnership over the years.

Uh, I helped stand up the North Texas chapter in the late nineties, and

I've, I've been sector, I'm currently a sector chief over healthcare.

I was a sector chief over technology.

Initially I was the president of the chapter.

Um, and we have a, a pretty strong.

Uh, showing, uh, in our company as far as InfraGard goes, our

c f O was a, a past president.

She's also the past, uh, national regional representative over I think

three or four different states.

Our c o o was the president of the Houston chapter.

He was also a national regional rep for a period of time.

Uh, and then everybody in our company pretty much is a member.

Um, and there's similar, there's a similar, uh, organization

for the Secret Service.

They call it.

They used to call it the Electronic Crimes Task Force, of which I'm also a member.

Uh, and then both of those are kind of related to the, in Texas we have the

North Texas Crime Commission and they have subcommittees like cyber crime.

And then, uh, the fusion centers that police departments, uh, fun, uh, operate.

Um, in north Texas, there's the Collin County Sheriff Fusion Center, uh, from

which I'm also a fusion liaison officer.

So tons of intelligence sharing, information sharing.

Uh, both to support the community, but also naturally with what we do, uh, that

feeds really nicely into the value that we can, uh, we can give our clients.

That's awesome.

I actually, like you said, Curtis, I had never heard about this and Mike,

thank you for going into details because that's actually a really cool program.

Like I didn't realize that the F B I connected in like this in

sort of a systematic way, right?

To all these other organizations.

Mm-hmm.

Yeah, we've, we've come a long way since, um,

the days of the cuckoo's egg, which I'm, I'm assuming you've read a

Cuckoo's Egg or the c the cuckoo egg.

I think, you know, because in that story from Cliff Sto back in the

day when he contacts the F B I about a cyber attack that's happening on

his infrastructure, They're like, well, did they steal anything?

Right.

They didn't, they really weren't aware of the concept of a cybersecurity attack.

So I, I'm, I'm glad to hear that.

You know, things have come a long way since that was the

seventies, so, you know, whatever,

And, and on

the,

while since then.

Kind of along those lines.

Uh, the other benefit of that is, uh, similar to the situation where, you know,

there was an event, uh, we always preach.

Uh, as far as incident response goes, you've gotta get ahead of that so that

on game day, you know what players you can call into the, to, uh, onto the field

and uh, you know, who's gonna show up.

And so, um, you know, we're very adamant about.

Establishing those relationships with law enforcement and subject matter experts

and vendors in the community so that when something bad happens, you're not

leaving a voicemail, you're not having to figure out the right person to talk to.

And so in regard, and the, uh, the Secret Service organizations give you

the opportunity to actually go to, they have chapter meetings and a lot of

times they're at the, the FBI's field office, which is also kind of cool.

Um, and so you get to meet people and exchange business cards and go

to coffee and have their cell phone number instead of a mailbox number and.

Um, and find the right person to talk to so that you can put 'em in your

plan and you know who to call and they already know you, they've met you before.

It's not a first date type of situation.

So when, when, when things are going bad and the the house is

on fire, uh, you know who to call and, um, they know who you are.

Yeah, I preached the, the same thing, Mike, and,

and, and so it's, but it sounds like InfraGard is a, is a organization

that I can contact, go to these meetings that you were talking about.

That, that it, that it could be that liaison.

So that I can start to form those relationships.

'cause you're right, it's like, uh, you know, just reaching out to, to the

F B I blindly, um, you know, Hey, I'd like to talk to you about a potential

future event that might happen.

Right.

So it sounds like Ingar can be that liaison then.

I

And, and you're right.

And they do have, uh, they have, uh, speaker, um, what do they call it?

Um, you can, you can sign up to be a speaker, uh, like as a

resource, uh, subject matter expert.

But then the F b I also has, uh, speakers that can come to your event.

And so very often you can pull in that, that law enforcement, uh, perspective

to, to your message and your content.

And they'll bring their own slides and, you know, whatever data they

can, they can share publicly as far as current events and statistics.

And it's, it's usually a pretty good, uh, value add, uh, as far as content.

And, and sometimes it's a, it's a draw.

Uh, you know, people may not want to just come see me talk, but if it's me plus

the supervisory special agent over cyber, then all of a sudden it's interesting.

Uh, so.

Um,

yeah,

for you, Mike.

Come on.

there's a lot of value.

There's a lot of value in membership.

Um, each chapter has their own dues.

Like our, I think our chapter, it's 25 or $50 a year.

Uh, but that also pays for, um, you know, food at an event or you get

discounts to go into some conference.

Uh, so there's a lot of, a lot of kind of cool ecosystem, um, you belong to

once, once you, uh, become a member.

I am surprised this isn't publicized more

It's infraguard.org I N F R A G A R d.org.

Yeah, I'm all over

you can sign up online.

The, uh, the application process is, is can be kind of long, anywhere

from, you know, 45 to 120 days.

Uh, they do a cursory background and then each office has to do kind

of a vetting, uh, to determine if, uh, You know, membership is for you.

Uh, but then, uh, you're invited to kind of a new member session

and you get to meet people, the board, uh, other members, uh, F B I.

And, and one of the things that I'll mention is, so for every InfraGard

chapter there is a full-time F B I agent that is your liaison.

And they, so they kind of manage from the F B I side.

Everything your chapter's doing, even though your chapter has its

own board of directors and event planning and all that stuff, there's

always a full-time F b I person.

Um, at your event, at your board meeting, um, kind of the liaison

for anything you need that the, that the bureau can, can help you with.

That's awesome.

Now,

Go ahead.

just a follow up, I know you talked about sort of

establishing those relationships, right?

With other people who are in the chapter, do they do things like tabletop exercises

or other things or is that kind of, I.

Outside the scope of this group.

So the, the InfraGard membership, well, and, and different

chapters do different things like the Louisiana chapter is there.

They're kind of known for, um, uh, anti, you know, maritime

anti drone capabilities.

So there are people at, in that chapter that are involved in how to

protect businesses along the river, uh, from drones and drone strikes and

surveillance and all that good stuff.

And so they, they do exercises pretty often and they have

some really good events.

And they're, the Houston chapter's, good New York chapter.

Not only do they do, um, Exercises, but they have a podcast, so

they, they broadcast things.

I, I wanna say it was at least weekly, maybe monthly, but I

think it's weekly and they're very well known for their multimedia.

Um, and so there, there are different chapters kind of

specialize and do their own thing.

Um, But then you're also invited to bigger events.

Uh, so, um, I know that there's kind of a, uh, a large scale FEMA

event, uh, every now and then.

And so we're, you know, we're invited to participate in that.

But as a chapter, as a community, we don't.

The North Texas chapter has not gotten together and said, you know, we could

probably add a lot of value if we start to collaborate and, and participate together.

Uh, maybe this time we help, you know, this, this company or this

set of companies, maybe this, this sector like technology or healthcare.

And, you know, next time we focus on something else, I think it's a great idea.

But, uh, I, I haven't seen it done, but it's definitely something

that they're open to doing.

Yeah, this is great.

Yeah, I'm, I, I was just looking at the site and I, I wanna say, so, so, so

Prasanna, two areas of California where there's like a really big city and then

a smaller city next to the big city.

One of these.

Places has its own San Diego chapter, I'm sorry, San Diego Field

office of the F B I and therefore a chapter of this organization.

The other one does not.

Do you understand what I'm trying to say to you?

No.

There is a San Diego.

There is a San Diego field office.

Prasanna Malaiyandi:

There's not a Santa Clara

There is not a, there is not a E, there's

not even a Southern Bay Area.

There is just San Francisco Bay Area field office.

They, they didn't, they didn't

they also have.

Bay, go ahead.

They also have satellite offices and the F B I does.

So for example, um, Frisco, Texas is kind of northwest of downtown Dallas,

but you know, within 30 minute driving.

Uh, so the Dallas F B I headquarters is in downtown Dallas, but they have

a satellite office in Frisco and they have a satellite office in Fort Worth.

Uh, all of that is considered, uh, under the purview of the Dallas

Field Office, and our North Texas chapter goes from Waco to Lubbock and.

Abilene, uh, I'm sorry.

Um, just east of El Paso all the way out to Shreveport.

So technically, like quite literally all of North Texas is part of one chapter.

However, we have some of the, uh, members that are out in like the Abilene area

as an example, that feel disconnected.

Like we can't keep driving to Dallas.

Every time you guys have an event, we wanna start our own chapter, uh, and.

They got enough support for that, where they did a feasibility study and, uh,

and interest and they were going to help them build their own chapter.

I'm not sure the status of that, but, uh, that is an option.

If, if you find enough interest in membership and you know it's feasible,

um, you know, they'll, they're, they're open to starting other chapters.

well, sadly, there's no one in the South Bay area that

knows anything about technology or.

Not at all.

Yeah.

Yeah.

anyway.

So, well let me just ask you one, one final question about this

topic and then I wanna move on.

Um, and that is, there is a debate when, you know, as I've been continuing to

research incident response, having to do with ransomware, there is a debate as to.

When or if to contact the F B I, right?

Or just law enforcement in general, but in the us The F B I W.

What's your opinion on that?

Uh, my opinion is as soon as possible, however, um, You know,

it's not always up to, to us and us by us, I mean, you know, technology,

leadership, you know, whether you're the CISO or the c I o, unless, unless

you're chartered to do so by executive management, uh, I always suggest that

whoever the IT leadership is, you know, we're just, we're just putting out a fire.

Uh, you know what?

Whatever the incident is, we're putting out the fire.

So from a technology perspective, our job is to recover.

Or from a business perspective, you really need to defer that to your

legal counsel or, or your, whoever your executive is or your insurance company.

Uh, but your insurance company is gonna say, involve law

enforcement as soon as possible.

Your legal counsel, whether it's internal or, or, or outside

counsel is gonna want to know more.

Um, But at, at the end of the day, uh, and I, and I've, I've seen this from,

from a lot of different perspectives.

'cause I'm also, I also do expert testimony in court.

So if this ended up in court, you know, one of the things

that that benefits you from.

Contacting law enforcement as soon as possible is, is a

phrase called due diligence.

So when, when we talk about, all right, so you guys screwed up, but how diligent

were you in trying to prevent this?

How diligent were you in responding to this?

And how diligent were you in, in asking for help from everybody that you

could possibly ask from for help from?

And how open were you in?

Um, And understanding and communicating what the problem was.

And so if, if in any of those phases, uh, you're perceived as less than

diligent, uh, and possibly, um, I.

You know, hiding something or, or, or trying to cover something

up when it gets to damages.

If, if this lawsuit goes to damages, that's where it's gonna come back on you.

Uh, 'cause everybody that, that goes through an incident, obviously you're

guilty of having gone through an incident.

You didn't do enough of something, which is almost impossible.

But, you know, when you're in court, it's kind of black and white and you,

at the end of the day, the fact is you had a breach, you had an incident,

and it, it resulted in these things.

Um, all right, so there's.

You, you, you get a judgment for that.

Alright, well then we go to damages.

And some of that's black and white too, California especially, you

know, for every record of California citizen, there's, it's defined.

But, uh, on top of that, uh, so that's statutory.

But then the, the judge can say, you guys were not diligent in

protecting, responding, communicating.

And, and because of that, I'm going to assess these additional fines.

And so, uh, there's a lot to consider.

And back to the tabletop exercise, that's when you need to start talking

through, this is how this should actually go, and someone's gonna

go, when do we call law enforcement?

And we should look at the people in the room that would typically have

that answer, and let's get that in writing ahead of time, uh, and put

that in our plan as, uh, as part of, uh, how we respond to stuff.

You don't want to be the, the, the, the rogue, uh, incident

response cyber security person just randomly deciding to call the F B I.

Uh, this needs to be decided up upfront.

now I've been through some incidents, uh, just real quick

where, uh, the incident was something illegal and management said, you're

not reporting that to anybody.

We'll handle it internally, but there are certain cases where

you are a mandatory reporter.

Having identified certain types of things, um, and it's kind of up to

you on how to handle that, but I would suggest, uh, even if management

said, don't report it, that's your, your life you're dealing with.

If they find out you didn't report it and you knew about it, now you're going to

jail regardless of what your boss said.

Um, so I would suggest there's ways doing anonymous, uh, reporting and

then just capture that activity as evidence that you did report it.

Um, So there's, there's a, there's a lot of things to consider when you're, you're

responsible for responding to stuff.

Uh, and in addition to that, you may have access to things that, that require you as

a mandatory reporter for doing something.

I was interesting you brought that up, Mike.

I was just reading a, I think on Twitter or read or something like that where

people were saying like as a programmer, right, if you're asked to do something,

which doesn't seem right, right, and the company gets caught in the end,

you're sort of the one responsible because you wrote the code, right?

You did something when someone told you to do something illegal, potentially.

Right?

And it's still your neck on the line.

Versus like, no one ever really gets like penalized like that for

saying no to doing something illegal.

Right.

And so it applies in various cases, including responding to being

told to do something illegal.

Uh, the one thing I did want to ask you, Mike, just going back to the

question Curtis asked about sort of reporting, how do you feel that

companies have done in being transparent about cybersecurity incidences?

I.

Well, I think that's a double-edged sword because it could

seem like they're not being very transparent when really they just

don't have a clue of what's going on.

Uh, and, and I think that's the case.

The majority of the time we got ransomware.

How did it happen?

Someone clicked something, I guess, but they really don't know, or that's

what they were told, even though that's not maybe really how it happened.

So I think understanding and understanding comes from, you know, information.

Well, how do we get information?

Well, you've gotta have the right technology stack.

You've gotta have the right visibility and people and all reporting.

And if, if any one of those areas is lacking, Then your ability to

really know what happened, uh, is diminished to some degree.

So I, I think there's two, there's, there's, there's a couple of perspectives.

I'm not just gonna say there's two.

There's, there's the one where they just really didn't know what happened in their.

They're sharing what they, they know in whatever way they know how.

Uh, and a lot of those cases, it's because they tried to address it on their own.

They didn't bring in the law enforcement or outside help or

professional firm or, or what have you.

They just said, we had a problem.

We're gonna accept the, you know, the, the fact that it happened and pay

our dues or, you know, whatever the consequences are and we'll move on.

And, uh, so there's that perspective.

The other one is companies that truly.

Can't or have decided they can't take the reputational

risk of divulging what happened.

Uh, some of that might be privacy or contractual.

Like you will never tell people that our network was, uh, compromised

because that, because we rely on you for these other things.

And so clients could be impacted by, by your incident, you know, their,

their business or service too.

So, uh, depending on how your business functions and how you, how complex it is

with, with providing services or data to.

To clients or third parties.

Uh, you may be limited in what you can say, um, but I think what you're

getting at is, yeah, there are definitely companies out there that will deny

altogether that there was a comp.

I don't, so, you know, some, some bad guys put all of our customer data on

the, on the internet and you can see it.

They'll, they will still deny to the nth degree that they were not compromised,

that they did not get that data from us.

And I was actually in a case like that with a telecom company.

Uh, the Secret Service called us and said, Actually the F b I called

us first and said, we're seeing your client data on the internet.

And um, this was in the, the late nineties.

Um, we're seeing your customer's data on the internet.

And when we started looking into it, they were all of our internet customers.

And so we went back to our internet provider and said, it looks like all

this data's coming from you, and they denied it Well, Secret Service got

involved, uh, due to jurisdiction.

It was different states and different things.

And so we went, we actually went to that company, uh, onsite with the

Secret Service and said, we're here to talk about this, that, and the other.

And well, it wasn't us.

Uh, it, it didn't come from us.

Well, all the data that we were seeing, and it's not just related

to you, it's got metadata in it.

That said it did come from you.

No, it didn't.

Well, we're not leaving until we talk to somebody, so they

put us in this conference room.

And locked us in there.

Didn't let us out to go talk to anybody.

And we had to, like, someone would come in and say, what do

you want to, what do you need?

And we would say it.

And they would go out and, and look, uh, or, or collect that for us.

And, uh, sometime during the day, I asked if I could plug into their, their

wall jack and, uh, so I could have internet access to, to check email.

And they said, sure.

Well, I started running, running a, a network sniffer, uh, capturing network

you did.

And, and back in the day they were using, uh, I C

Q, the, the chat, the chat app.

And I was capturing in plain text everything they were saying.

And it was all about, ha ha, we've got 'em locked in the conference room.

They'll give up talking to us at some point and just go home.

We're not gonna give 'em anything.

Um, Tell Bob that he's safe, you know that his screw up is we're

gonna brush it under the rug and all.

So I remember this, this little secret service lady, uh, and

I say she really was little.

She was like five feet tall.

Um, her name was Kim.

She kicked the conference room door open and it was, it was the door that

opened in, but she kicked it out.

I mean, she.

She knew how to kick a door and she kicked that door and said, I need

the executive team in this office right in front of me in the next five

minutes where people are going to jail.

And she took control.

And, and it was probably, uh, maybe later that year, we actually

caught the hacker that did that.

His name was Matthew Freeze.

He, uh, we caught him in Corpus Christi with the Sheriff's Department.

Uh, he's in, I think he's still in jail.

Um, But I went down to interview Matt Freeze, uh, and uh, thinking

I was gonna have a chance to talk to him about how he did it and get

the, the, the verbal confirmation that it did come from this company.

'cause they're still denying it.

And, uh, I was there for nine hours waiting in line of, uh, more important

people than me to talk to this guy.

He had hacked NASA and Department of Defense and.

Library of Congress, all these other people were there to ask him how he

did what he did and get his confession.

And so I ended up giving my list of questions to a Homeland Security guy.

Back then, it wasn't called Homeland Security, it was, uh, uh, ice.

Um, and so I got, I got his confession that way.

But, uh, I, I'm, I'm not even sure why, how we got, oh, uh, people

saying that they weren't hacked.

Even though you've got all the evidence points,

Right, right.

Well, that's, that's a great story with the, with, with a, with a great climax.

I love the, the agent kicking down the door.

Uh, yeah, that must have been something to be there.

Um, so, so let me, let, let me do a change of tack here.

So, you know, let's say we're a company, we have done.

From a, so we, you know, we have, we have an incident response plan, right?

We, we've, we've decided whether or not we're gonna contact law enforcement.

We, um, we did all of the things that a cybersecurity company asked

us to do in terms of prevention and, and, and all of those things.

Um, what one, one thing I am.

Interested in is obviously we, we spend a lot of our time with

talking about ransomware, right?

And the, and I understand that ransomware really in the end is

just a payload of a, a much bigger cybersecurity problem, right?

Um, what I'm seeing a lot is that I, I, I'm reading that now.

I think it was like more than 90% of what we used to just call ransomware

attacks are really exfiltration attacks accompanied with ransomware.

Right.

Um, and so I, I have a couple of, you know, sort of questions about.

Uh, starting with, you know, given the way, the way a typical

ransomware attack happens, right?

You've got your, the, the initial, um, uh, I forgot what

actually what the world calls it.

The, the initial access broker, right?

You get the initial access broker, then you get somebody that's in there

and they start probing around, right?

They start seeing how they can, you know, how they can get around.

And then my understanding is as soon as they can, they start exfiltrating data.

So my question is, it is sort of two questions.

you know, beyond the usual, you know, there are some things, you

know, there are some things that we know we should all be doing, right?

You know, in terms of password management and M f A and, um, you

know, all, all of those you, you know, and, and, and, uh, patch management.

Um, can you think of some things.

That a company that wants to take that next step, things that,

that, that could either stop, um, lateral movement number one.

And then, and then just as importantly, if not, if not more

importantly, exfiltration of data.

That was a really long question.

Sorry about that.

And, and I had so many things I wanted to chime in with that.

I've, I've lost some of them, but, uh, I'm, I'm glad you, I'm glad When you

said typical ransomware, you didn't go down, they, they clicked on an email.

'cause that's not typical anymore.

That's, that's statistically the.

Probably the higher probability of success, but in a lot of cases

it's just that user that gets compromised, not not the whole company.

So you're right, typically the, the enterprise, uh, scale attack

is, uh, via some either access broker or the ransomware campaign.

Uh, has, you know, their own.

Uh, squad of pen testers that are finding ways into environments, but you're right.

So typically it is access to the environment that then, you know, as

far as the phases of attack goes, then they start, uh, the reconnaissance.

Uh, to answer your question about, um, how do we, how do we

address the exfiltration piece?

Um, my favorite response is it depends, and I say that a lot in a lot of

different scenarios and, and, Uh, and it's for good reason because it

really depends on the organization.

And so each company needs to go through an exercise of figuring out what's important

to them and where is it because maybe your data's already exfiltrated, it's

out in, you know, a cloud somewhere.

So I'm not even have to attack your company anymore.

I just have to go figure out where your data is and attack that company.

Um, and, or maybe it's a partner or whoever, and there's

tons of examples of, of.

F bad guys.

Figuring out where the, where the important stuff is and making best

use of their time and resources.

So, so it really does depend on the organization, uh, understanding

your technology stack, your architecture, your culture.

I.

Uh, and then obviously where is your stuff?

Is it data?

Is it a system, is it a service?

Uh, because that's what bad guys are gonna figure out when

they're doing the reconnaissance.

They're looking for, you know, who is this company?

'cause in a lot of cases, they don't, they didn't specifically attack you.

Uh, they just, they were running some tools and found a vulnerability and

they picked at it, and now they've got access to some company's network.

So they've gotta figure that out first.

Once they figure out who you are, they wanna figure out what you do.

Uh, where, where is your important stuff?

Including your backups.

Uh, and then to some degree, they're also looking for your financials and if they

can find a copy of your insurance, uh, policy, all these things, well, all right.

So depending on the company, uh, and, and your organization's particular situation,

um, there are ways of addressing.

Uh, the data exfiltration problem, one of those is, well, let's put our ti

put tighter controls around our data.

And that includes like data integrity, monitor file integrity monitoring, um,

restricted access, network segmentation, firewall rules that throttle, you know,

data uploads or alerts of, of doing so.

Um, but I did wanna address one, um, one comment you made.

How do we prevent this from happening?

And I really think.

People need to stop thinking about preventing it and start looking at

ways of identifying it as soon as possible with either automated or

human response as soon as possible.

Uh, and then how do we collect all the information we need to make sure

that we understand how it happened, what they did, and, and capture

what we did to respond to that.

And so that's very important, uh, for a lot of different reasons.

One, if you put too much, uh, emphasis on prevention, then.

A couple of things are gonna happen.

One, you've, you've invested a lot of money that could be more appropriately

used in identification and response.

Uh, two, you're very likely going to become complacent thinking that you've

got everything in place you need, and that's not gonna happen to us.

And then lastly, a lot of those preventative controls don't do

the data collection necessary to figure out how things happened.

Um, and, and we get asked a lot.

We had this incident and all we need to know is, is there

evidence of data exfiltration?

Because that's all we have to report.

So what we had ransomware, so what we had a breach.

If there was no data taken, then we don't have to report it.

Okay, great.

Well, let's look at your technology stack and, and the things that you have

that would've collected that information and they didn't have anything or what

they have wasn't configured well.

And so we didn't have the information to, to determine whether or not

data was exfiltrated to any degree.

Uh, so we could see the, the network connections and the sessions, uh,

but we couldn't see, uh, the data throughput or, or even what the data was.

so.

In that case though, Mike, is it you have to assume worst case, that there

was personal data or other things that was exfiltrated or is it, I don't

know what was happened, so I'll just say I don't know or nothing happened.

There's a couple of things there too.

Uh, so I mean, fundamentally, all of your data should be encrypted as often as it

as it can be, uh, at rest in transit.

Um, so that if it is exfiltrated, you, you, you were diligent protecting your

data so that if it was stolen, there's a small likelihood that it's even usable.

Well, not usable within, you know, relatively, you

know, 10 years or whatever.

Right.

Um, so encryption is very important from a diligence perspective.

Well then in the absence of evidence that data was exfiltrated, um,

and this is something you have to work with your legal counsel on.

How do we then word our communication, uh, to employees or clients or even the state

or regulatory agency about what happened?

And very often it is, uh, stated similar to, uh, no evidence was found to support.

Right.

So it's not yes or no, it's, we didn't find anything that said it did happen.

Yeah.

We've talked about a number of those incidents.

Yeah.

We, we have no evidence that that data was stolen.

That because we had really bad tracking mechanisms that would

give, that would tell us that data.

and it, and it also depends on the threat actors.

There are some threat actors that have a, uh, You know, a good

reputation if you can have one.

Uh, as a, as a threat actor that says, you know, they, they live by their code,

and their code is, you know, if we steal your data, uh, you have, let's just say

three days to acknowledge that you were breached and then you have, uh, and then

we'll, we'll submit to you an offer.

Uh, so you ransom note, and if so, first, if you, if you acknowledge that you are,

were attacked and you contact us within three days, then we won't put your company

on the wall of shame, which is a public indication that you were compromised.

And, and people that know us know that we have some or all of your data.

So we won't do that, and then we'll give you the ransom note.

And if you pay that ransom note, or if we start these negotiations and we get,

we go through this process and you pay us, then we promise to, to destroy all

your data and, and keep it confidential and we'll even give you good tech

support while you're trying to recover.

Um, and so I've been through a variety of, of, of those types of incidents, seeing

the, the gamut of, uh, bad actors that.

Aren't very well organized and don't care, uh, all the way up through

the very organized ones that, that operate like a, like a business and

they've got good customer support or, you know, as good as it can be.

Um, but, um, I will say that, you know, there is a trend towards

data exfiltration with ransomware.

Uh, there's, there's a still a large um, A large occurrence of ransomware where

they don't care about your data, they just wanna make sure you're all locked up.

And that's what they're gonna use for leverage to get you to pay.

Because there's also the, the on the backside of that, even though threat

actors are very risk averse, there's less risk from a, a consequence

perspective, a prosecution perspective of just compromising your network

and, and encrypting your stuff.

Sure, I'll get in trouble.

Sure.

I'll get jail time and all this stuff, but if I also steal your data,

Especially if it's regulatory data, healthcare, p i i, whatever, that's

additional charges if I get caught.

And so in a lot of cases, similar to the data access brokers, you

also have, um, uh, network access brokers in addition to them.

You also have the data brokers.

So you've got the, and so it's this whole ecosystem.

All right, so who do I know?

Who, who can I pay to compromise your network?

Alright, got that.

I have the access.

Who can I pay to develop the payload?

Alright, got that.

So payload's in there, ransomware's running, and now we've got

their environment locked up and we've got this data set.

I don't want the data set 'cause I don't want to get caught with it.

So now I gotta find a data broker that will buy it from me, who knows how

then to kinda like diamonds, right?

I bought the rod diamonds, I gotta find a diamond cutter and then I

gotta find a diamond distributor.

And, you know, everybody makes their own cut.

Um, so there isn't, there are uh, uh, there's still a large volume of, of

attacks where this eco, this whole ecosystem comes into play and, and you're

just, Depending on where you, where you catch the attack, you're dealing

with different, um, threat actors.

Yeah, that, that's interesting.

I wasn't aware.

Um, you know, it sounds like it's kind of like felony murder, right?

Where, you know, like, um, it, it makes it worse, right?

You killed somebody, but you killed somebody in the

commission of another felony.

It makes it, it makes it worse.

Um, the, um, Um, and so like, even if you didn't mean to kill them, right.

That's my understanding.

Like even if it, if it would otherwise be considered like accidental homicide

or whatever, that because you, it happened in the commission of a

felony, it makes it felony murder.

Um, that, that is an interesting concept.

Um, I, I, I, by the way, Mike, even though it sounds like maybe I was saying

differently, I completely agree with you with sort of the, the assumed breach.

Concept, right?

That you need to spend, you need to be just as good if not better, with

detection and response, uh, and recovery than the prevention aspect, right?

Um, you know, having said that, there's nothing wrong with, with

an ounce of prevention, right?

Um, and that's why, um, I, I just, it, it bothers me.

Like, on, on one hand we talk about some of the advanced things that you

could do to, to help, but most people I.

Um, you know, such as preventing, preventing lateral movement

between systems that don't need to have lateral movement, right.

Um, the, there's nothing wrong with that, but you're right, there's a cost and of

doing it initially, there's a cost of maintaining that and there's a cost of.

Of, you know, well, cybersecurity is always a pain, right?

The be the more security you have, the harder it's to do your job.

Right?

Unless you're the si the sc the cybersecurity guy.

Um, the, um, uh, I had a point, I was on my, I was on my way to

a point and it seems to have,

that's why secure, that's why convenience stores are

robbed more than security stores.

I see, I see what you did there.

Um, the, um, The, uh, let's talk about response and recovery.

Um, the, which is generally what we end up talking most of our time about here.

What do you think is, you know, we talked about the things that you

need to do in advance, establishing a communication with the F B I or other law

enforcement, um, you know, establishing a relationship with somebody like yourself.

Um, you know, so, so that you're not, you're not making that conversation the

first time in the middle of an incident.

What else do you think people need to do to be ready to respond,

uh, in, in a cyber attack?

Well, I think, uh, ex tabletop exercises are a great way to kind

of ferret that out for your organization.

Sit down with as many people in your company as you can.

I mean, a lot of it departments are like, let's just do it with us first so we don't

look stupid in front of everybody else.

And that's fine.

You know, you know, have a, have your, have your, you

know, red, blue or red white.

You know, scrimmage game, um, but then involve as many people as possible.

And I've seen this be so successful.

Um, and, and even involve your insurance broker and your outside counsel and invite

the F b I invite the Secret Service, um, have this exercise and, and pick a topic.

Um, and whether you do it yourself or, or, you know, look for a moderator.

Uh, and there's a lot of good moderators out there.

I'm, I, I do these all the time.

I'm considered a breach coach.

But then there's, there's even cybersecurity law firms that will, uh,

will facilitate, uh, a good tabletop.

And the idea is, let's pick a topic.

Ransomware or intellectual property theft or.

Um, our data center gets hit by a plane 'cause we're close to an airport.

Whatever it is, pick a topic, invite as many people as you can

and walk through the scenario.

Um, you know, somebody clicked the link and, and you know, they came to

work and their desktop icons are all changed and they can't use anything.

Well, and then we got another call and then, alright, well

let's start with who do they call?

Who does an employee talk?

Who is their phone number?

Is there an what if email doesn't work?

Uh, so who do they call?

And then what does that person do?

How do we, how do we assess the situation?

And which is, you know, kind of phase one of incident response is how do we

categorize this event into an incident?

Is it a non-event?

Is it critical?

Uh, and then that then based on your plan, would indicate

who else needs to be involved.

Once we categorize, once we categorize the, uh, the incident, well then I.

Having as many people there as possible is, is valuable two ways.

One, maybe you don't know who needs to be in involved.

And you can start asking all the attendees, uh, who are the right

people, uh, because you know, I sent this email out five months ago and

nobody's responded who the right person is, but we're all in the same room.

Let's working out.

But at the same time, uh, you're gonna get some people going.

I.

Would've had no idea that's what's involved with doing X, Y,

or Z unless I was in this room.

And I'll tell you a funny story.

We were doing a, a tabletop for a, a company, uh, I think they're in

healthcare and part of the scenario was, uh, threat actor used the contact us.

Button on their website to say, that's how they said, you

know, we have all your data.

Call us in three days.

Um, and here's the information to do so.

And so that was part of the scenario.

So I, uh, I asked, well, who's in charge of the website?

And there were two people in the audience and they said, we are.

And I said, well, what would you do if you got that email?

And they said, we'd probably delete it.

'cause we wouldn't believe it was true.

Well, okay, well maybe you shouldn't delete it anymore.

You should, you know, forward that to the security team

and let them figure that out.

And they said, good.

Good call, uh, good policy.

So, but there were, there were a lot of people in the audience that said, I'm

glad I was here because I would've had no idea that all these moving parts,

and this is this level of effort and this stuff would, is necessary for

responding to whatever the incident was.

Well then, well now it's a good time to ask the insurance broker who's on the call

or in the meeting, when do we contact you?

And they're gonna say, well, as soon as possible.

And, and from, from an employee, uh, company perspective, I think there

was a misconception that calling the insurance like as soon as possible

is somehow gonna affect your premium.

Like, we're gonna pay more because we called you.

Um, and that's not the case.

They want to be involved as soon as possible to help you make the right

decisions because you may be using third parties and buying, you know,

going through this, this expense that, uh, may not be reimbursable.

You know, you might not be able to get paid back for that

if, even if your claim is.

Is accepted, but at the same time, the insurance company wants to know

about how diligent you're being and they wanna be involved in the process.

And that's gonna help you determine or, or hopefully help you, uh,

towards getting your claim approved.

Um, and then they're gonna be the ones, uh, along with your legal counsel, helping

you make the right decisions about how to communicate, uh, situations to third

parties and outside, you know, clients and what have you, but also internally.

And we walked through this, just adding this real quick.

Alright, so you've got this incident.

And, and we did this, uh, we did a tabletop with an engineering company and

they didn't do anything we suggested.

And then like six weeks later, they got hit with ransomware and they

were down for two and a half months.

But, uh, that's the other important thing about tabletops or, or any type of

assessment, you really need to take the remediation seriously, uh, and take action

on those things as soon as possible.

'cause if, if we found them, bad guys have probably found them too.

But one of the things that we found out in a tabletop, or that

came to mind was communication.

Specifically internally.

So this engineering company got hit with ransomware.

They were down, nobody could do any work and they couldn't even email people.

Alright, so, Do you have a system, uh, that collects

personal emails and phone numbers?

Do you have a system where people can call in to get status?

Like, is it a snow day?

Uh, are we off for the day?

Uh, is there an incident?

When are we gonna hear an update?

That kind of stuff.

But then do you also have a policy that says, in the event of an

incident, you are prohibited from discussing this stuff on social media?

Don't put on LinkedIn.

Oh, we had an incident today.

I got, I guess I got the next two months off.

Um, that you're, you've gotta contain that and or at least, uh, uh,

define the messaging for that stuff.

Get ahead of it.

Uh, go ahead and make your templates for internal and external communications.

Like, what are we gonna say?

Well, you should, uh, plan for that now, uh, instead of wasting time during an

incident, you know, trying to figure it out while the house is on fire.

Um, so having said all of that, um, you know, incident response

exercises are very valuable.

Um, And even though you may want to have your own little huddle to figure

out, you know, how well are we before we invite the rest of the, the crew,

um, you should invite as many people, internal, external, subject matter

experts, partners, um, um, as you can, uh, to get everybody, um, playing on

the same team, on the same field they show up for at the, at the right time.

Um, and they have an idea of what the playbook is.

Wow.

Wow, that's, yeah, very detailed.

And like you mentioned, it's sort of plan ahead of time, right?

I'm sure there are so many companies where it's like, Hey, ransomware

hits, or We have an incident.

It's just IT and the security org that's dealing with this, right?

But like you mentioned, there's so many other folks involved.

And just knowing who those people are, especially if you're a large company, you

don't know, like one department doesn't know who the other department is even.

Right.

And having that.

We had a situation where for, for four days, we were operating under

the un, uh, assumption that they only had a, uh, $3 million cyber insurance policy.

So we were restricting, uh, who was involved to restrict

the expense and the overhead.

Uh, and it wasn't until we were on a, uh, I think it was like 11

o'clock at night on a Sunday, we were on a, an update call and we were

talking about this $3 million policy.

When someone walks, I could see them walk behind the person talking on the

camera, and they go, we have 6 million.

Like, what?

What do you mean?

We have two, $3 million policies?

And nobody knew that.

Nobody else, but this person knew that.

And that completely changed.

We're like, well, look, we need to start getting more resources in here.

You know, call, call the big brand response teams and all.

So that really changed the game because that just happened to come out in a

meeting without, you know, everybody else being really aware of, uh, Yeah.

And the other bad part of that situation, uh, unfortunately, was that,

uh, they had $6 million in coverage.

But what they didn't also know is that it was a self-funded insurance policy.

Uh,

So they were paying into that over, over time and the

insurance company said, we'll cover you, uh, if the day comes, but then

you've gotta pay it back pretty much.

And so, um, they didn't know that either.

So a lot of things

Raid your

policy.

Yeah.

they found that out.

Um, well, listen, um, wait, I'm, did I mute myself?

No.

There.

I muted.

Okay.

Sorry.

Um, listen, Mike, we could talk all day.

I, I, I love the stories by the way.

I,

eh.

you know, you, you know me, Prasanna, I'm, I'm a

storyteller myself, and I, I think nothing, nothing tells the story

like a good story, you know, nothing, nothing drills that point home, uh,

better than a good story, for sure.

Um, and I, I love hearing.

From these real incidents, uh, what, you know, what, what I'm hearing?

So I, I like, you know, the things that I picked up here.

First off, I like the amount of time we spent on the F B

I, uh, and for guard program.

Uh, I definitely wanna look more into that and I think the listeners

should look more into that.

And I like this idea, uh, and of, of using them as a way to establish those

communication channels before an event.

Um, and I like the idea of, well, you know, we, we, we always promote

the idea of, of tabletop exercises and, um, you know, in, in my

world, you know, we call them Dr.

Dr exercises right back before the, the cyber world was also

attacking backup systems.

Um, so I, you know, I think this has been a great conversation, Mike.

So I want to thank you for coming on.

Certainly.

And, uh, Prasanna once again, as always,

you with your, with your wisdom.

Yeah, anytime Curtis, and I hope you'll be ordering a chair

or at least, or uh, browsing chair soon.

And Mike, thank you for the info.

I.

Yeah.

It's always fascinating hearing these real life stories because that's something

that you don't hear about, right?

What did people experience and what was it like going through?

It's just like what you read, like reading the Cuckoo's Nest or Cuckoo's Egg, right?

It's like those are the types of stories that are interesting that

you learn from, especially new people in this space, like myself, right?

Where it's like, hey, what really goes on behind the scenes and

what does it take to recover?

So thank you for sharing.

Certainly.

Yeah.

I've got stories all day.

Sounds like

Prasanna Malaiyandi:

we'll have you back on.

Yeah, you and me over beers, Mike, nobody would

ever get the word in edgewise.

And once again, I want to thank our listeners, uh, and remember to subscribe