Have you ever watched the movie sneakers and wondered if

companies like that really exist?

Well, they do.

And we've got the head of one of those companies here as our guests this week.

I'm super excited, man.

His stories are amazing and we learn what it's like.

To attack companies.

Essentially on their behalf.

Right.

Basically, he's the head of a red team and, uh, boy, was this a fun episode?

I hope you like it too.

hi, and welcome to backup Central's Restore it all podcast.

I'm your host, w Curtis Preston, a k a, Mr.

Backup.

And I have with me my Google Sheet consultant Prasanna Malaiyandi.

How's it going?

Prasanna?

I am good, Curtis.

I have years and years of experience with Google Sheets,

Yeah.

So, so we've been, we've been going through this, uh, you know, as of

my recent purchase, two weeks now, as of as of yesterday, I now have my

proud owner of a Tesla model three.

Base model, 270 miles of range.

And I've been trying to figure out whether or not it makes sense for those

that don't live here, electricity, that here being San Diego, electricity is

very expensive and you have to choose, you, you have all these plans to choose

from that offer different costs for different times of the day, right?

It's a time of use plans and especially for those of us that have solar and uh,

there is an EV plan that offers super cheap rates, you know, way late at

night, but it pumps up the rates, the other rates, one of them ridiculously.

So it goes from 50 cents a kilowatt hour to 81 cents a kilowatt hour for

the, for the peak time, which is four to 9:00 PM So I was like, Uh, I'm not

sure if this will work out for us.

Right.

I could, I could potentially save a lot of money.

I could potentially cost myself a lot of money, so I created this

gigantic spreadsheet and Prasanna's been helping me through it.

What do you think, how, how do you think we are on the how

Yeah.

No, I think, I think your spreadsheet makes sense.

Um, I think it's not too, I'm actually surprised that no one has built

an online calculator to do this,

I should have just given this to chat G P T.

Here's my usage chat, G P T.

Here's my usage for the year.

'cause that's what I have is I have my usage for the peak off, peak and super

off peak periods for the last year.

And then plug in the rates for all of those and then the

new rates for all of those.

And it turns out, in my case, the break even point was if I'm going

to charge at least 80 kilowatt hours per week in my Tesla, then it

makes sense to switch over, which

250, or it's like 350 miles, right?

Yeah, which is not gonna be a problem

based on my driving patterns.

There's a $16 a month thing to be on that plan.

Um, and I,

but why do they charge you $16 a month?

That's just highway robbery.

You know

it, it's not like anything really changes.

You're still paying the transmission fees.

it's called a utility.

It's called a monopoly.

You can't just go get electricity somewhere else, right?

can live in a city that provides its own electricity like me.

Oh, shut up Prasanna.

Prasanna pay, what is it, 15 cents a kilowatt hour.

So we pay 12 cents a kilowatt hour for the first 300 kilowatt

hours, and then it goes up and get this, it goes up, it's astonishingly,

astonishingly high to 14 cents.

And this is no time of use.

You just use it whenever you want.

Yeah.

So in order to do that, I just have to move from San Diego where the

average home price is a million, up to Santa Clara, where the

average home price is twice that.

That's what I have to do to.

Santa Clara is not as expensive as the rest of the Bay

So it's only like 1.8 million.

uh, you can get like one and a half, maybe something

we'll see.

We'll see that.

Yeah.

that's a lot of miles driving in your car to make up

that half a million dollar difference.

it is.

I would be driving probably back and forth from here to there.

Stopping.

Stopping at a supercharger along the way.

Uh, anyway, our guest, uh, I'm sure has gotta be antsy at this point.

He, uh, let's bring him on.

guest today has specialized in offensive cybersecurity for over 20 years.

He's the C T O and red team leader at Pulsar Security, which offers a

comprehensive package of services designed to bring maximum security benefits at

minimal cost without sacrificing quality.

He's also a host of the Security this week podcast.

Welcome to the pod, Dwayne Laflotte.

Yeah, great.

Great to be here.

Thank you so much for, uh, for the invite.

Um, and I was, I was itching at that electricity talk.

Do you use any solar or No solar?

Yeah, I have solar, but the solar system was

designed for when I didn't have an ev.

All I'm saying is how did they read how much electricity you use?

They use that smart meter outside,

yeah.

The smart

And they drive by and they pick up a 900 megahertz

signal or a 2.4 gigahertz

signal from

that

the, I like the way you're, I.

if you were to, if you were to saturate that band, uh, you

probably would be using no electricity.

Just throwing that out there and this is what my job is.

How do we break, how do we break these things where they

so unfortunately Dwayne for me, so we have a smart

meter too, but what our city has done is they've put basically wifi

access points all throughout the city.

And so you get free wifi anywhere in Santa Clara, which is great, but at

the same time, they don't have to drive by anymore, and it just automatically

connects to those and downloads the data.

the other thing that's interesting is your smart meter,

it probably has a Mac address to connect into that particular thing.

So if you d off your own smart meter, it will never connect to the wifi.

Which means,

You would of course not

suggest doing such things, but

No, of course

you're saying theoretically speaking,

Theoretically, from a networking red team standpoint,

it might be what I would do.

Um,

if per chance you were doing a, a pen test for SDG and e or um,

Yes.

Is this where you guys put the legal disclaimer in the,

yeah.

Oh, actually, you know what I

Dwayne says,

Yeah, yeah.

No.

What I, well, what I will share out is our, our usual disclaimer that

this is an independent podcast, and the opinions that you hear are ours,

not our employers, if we have one.

And, uh, also, if you wanna be a part of the conversation, please

reach out to me at w Curtis Preston at gmail, or, uh, WC Preston on

Twitter or linkedin.com/in/mrbackup.

That's Mr.

Backup on LinkedIn.

And, uh, we'll get you on here and talk about what you like to talk about, uh, as

long as it's stuff we like to talk about.

Um, anyway, so, so, Dwayne, for those that I, I think most people probably

know about Red team and Blue Team, but why don't you tell us what a red team

Prasanna Malaiyandi:

Isn't there a purple team?

There is, yeah.

Purple's, purple's kind of the new thing.

Um, it used to be they would just pit the teams against each other.

So Blue team is defense, right?

It's the guys who really like reading through logs and looking for bad guys.

Um, the, the red team, we are, uh, we are the offensive team, so we

like pretending to be the bad guys.

Um, and thinking all of the, well, how could I get my smart meter

off of the electric grid thoughts?

Um, and then putting those in action, um, and, and, and attacking an organization.

And that involves everything from, um, you know, 'cause a lot of people

throw around terms like pen testing or vulnerability scanning or red teaming.

And those are three very different things.

From the red teaming side.

It's holistically looking at the company.

So it's everything from the employees, um, to what sites they view, uh, you

know, from the company to, uh, who are your partners as a company that we could

use to maybe leverage to get into the organization, um, to, uh, we've had teams.

Uh, the reason I talk about jamming sensors and whatnot, we

actually do have teams that will physically break into organizations.

Um, and I can tell you that all the motion sensors on most alarms are 900 megahertz.

And I can saturate that, walk through a building with that

emotion sensor going off.

So there's like all sorts of really cool things that we as a

red team will be trained to do.

It looks very much like thievery.

Um, but we're the good guys, I promise.

So that's, that's our job.

And purple is the mix, right?

It's people who know a little bit of that offensive and a little bit of defensive,

um, just to be better on both sides.

So would another term for that be ethical hacking?

Yes.

Yeah.

Ethical hacking, um, is definitely another term people use for that.

They, people have moved away from ethical hacking.

Um, a little bit more to more focused terms.

'cause cybersecurity's so big at this point.

Um, it used to be like if you were in cyber, you kind of did the same thing.

You looked a little bit at, you know, offensive, you did a little bit of

coding, you did a little bit of whatever.

Um, and, and that ethical hacker is really that generalist.

Um, then you move into like, the really focused sides of

even offensive cybersecurity.

Like if we just talk about offensive, um, I have people on

my team who are reverse engineers.

So what they will do is tear apart a system, take, um, there's one company

we broke into the company through a tv, um, that, that was sitting in their

lobby that was connected, the wifi.

So how did we do that?

We literally bought one of the TVs, tore it apart.

Um, attached a, a bus pirate and a J tabulator to the, the, the system

ripped the firmware off the chips and read through the firmware and

found an exploit and then used that to, to break into the tv.

Um, that's a specialty in and of itself.

Then you have, you know, your, your web developers who are really good offensive,

you know, web certified experts who know how to tear apart things like angular

and.net and understand how all that works, but wouldn't necessarily be your reverse

engineers and wouldn't necessarily be your network guys who are offensive network

who understand, you know, spanning trees and how I can manipulate a network and

how M D N S works and like how to break all that, who are entirely different

from the guys who are cloud, like how to manipulate, pulling universal keys from

the cloud and how to get the cloud to, how to get two clouds to attack each other.

'cause they're never gonna block each other.

Like, that's all tactics as well.

So it's definitely like been been specialized since the

ethical hacking term came out.

That is like my, sorry, my mind is just like blown just

hearing what you just talked about.

'cause that covers such a broad spectrum.

Right?

And I.

I wonder when people think about defending themselves from hackers, right?

Are they sort of pigeonholing themselves?

Because I know Curtis, we've always talked about, okay, make sure you prevent

lateral movement, make sure that you have multi-factor authentication, right?

All the rest of these things.

But there's, like you were saying, Dwayne, there's other ways, like through

partners, through like that tv, right?

You didn't even think about that as an IT person maybe, and you're

like, ah, it's just a tv, whatever.

Of course, I, I would tell, tell me, Dwayne, tell me, tell me,

tell me I'm wrong and it is totally okay.

'cause this is not my bag.

The, the, the problem, the, the, the, uh, mistake that that company

made was that this smart tv, this network-based TV was on the same

network that the rest of every, that the rest of their corporation was on.

Yes.

Yeah.

So part of it, absolutely, this particular customer, it was on the same network.

Um, but what we have seen before is a guest network, right?

Um, isolated no devices.

And then we'll see people connected to the guest network who are also connected to

the executive or to the internal network.

And the reason they do that is because in the lobby, they

don't get the corporate network.

So they're like, oh, well the guest network's here, so I'll connect to it.

So what's really nice is once they connect to it, like when they leave the building,

we can emulate the guest network.

They'll connect to us.

We'll drop a piece of, uh, malware or, or a captor portal or

whatnot on their, on their device.

When they walk it back into the building, that portal will then

beacon out to us, and now we have access to the corporate network.

So, you know, we, we definitely see, even though you isolate it, you can't

pull the humans out of the system unfortunately, for the most part.

If we could just get rid of all those

damn users, the, our computer

right.

would be a lot.

Yeah.

A lot safer.

Absolutely.

Um, yeah.

Goodness gracious.

Yeah.

I, when I talk to somebody like you, I've, I've had, I've had a handful

of conversations with, you know, folks on the offensive side, uh,

throughout my career, and I always walk away just super depressed.

I'm just like, like, why even try, you know, um,

you

did you have that story, Curtis, about the guy

who, with the various uniforms who would break into buildings?

oh yeah.

I mean, yeah.

So I, I, I know a guy that does physical, uh, pen testing, right?

Um, and his job is, is to physically get into a place that he's not

allowed to be, take a selfie and, you know, G T F O, right?

And, um, and he just, uh, and uh, he just told me, he's like, I have

never, never not been able to get into where I was supposed to get into.

Right.

It, it's all about social engineering and, and sometimes it's about,

uh, But, uh, card scanning, right?

Um, you know, scanning somebody's, uh, uh, what are those called?

The what?

No, I know what it's called, the badge.

But

yeah, yeah, yeah.

The R F I D,

that, that's what I was thinking, the R F I D badges, right?

Um, I heard, I heard a talk, um, you know, it was, uh, Kevin Mitnick once

talking about, you know, the scanning badges in a bathroom, which just, it

was just wrong, but it was, it was just like, it's just so easy, right?

Because you're just a little weird, a little weird.

Um, but, um, yeah.

Well, well, let me ask you, so here, so here's what's funny.

So it, when I think back, I, I'm a, I'm a big movie buff, right?

When I think back, the only like red team type stuff that I've seen

depicted, uh, a lot or like an entire movie based around it was sneakers.

Um, do you remember that movie?

Oh, like a fantastic movie.

Sneakers.

Yeah,

pretty good, right?

I mean, it's, it's funny, I immediately thought of sneakers when you were

talking about the motion sensors, because you remember what they did.

They raised the, they raised the temperature of the entire room to 98.6,

And what's what's funny about that is that's not far off.

So, you know, looking from my red team's ex, like as the red team leader, I'm

playing Robert Redford's job, right?

So I'm going through an understanding like, okay, cool, we got this

target, how do we attack it?

And, and I have my specialists, I have my mother who, who understands, you

know, sensors and, and understands, you know, uh, different wavelengths

and signals and that sort of stuff.

And I, you know, I have my, uh, you know, my, my face guy who's good at

talking to people and that sort of thing.

So I'm planning this out.

I'm like, okay, here's how we're gonna attack, here's how

we're gonna do whatever we do.

But looking at sneakers from, from my perspective, my job, you go, okay, cool.

Well, they got access to the temperature control system.

Is that even possible?

Um, and, and sure enough about, uh, about a month ago we were pen testing a bank.

Um, I, I like to call it the bank job.

We were doing the bank job.

Um, and, and as we were, as you were doing the bank job, this is, uh,

it's about a month ago, so it was.

In May, early May cold up here, cold-ish at night.

Um, we did sure enough, get access to the HVAC system.

Um, and, and what could we have done with it?

We were like, okay, we could shut it off.

Um, and it gets cold enough at night where maybe pipes freeze

and burst and that sort of stuff.

We could crank it up, I guess, but then, you know, I started

thinking about sneakers.

I was like, oh my gosh.

So if they're using infrared and we could crank it up, we could get in the bill.

But yeah, so it's, you know, it's entirely as you go back and look at

that movie, um, it was impressive how much stuff they got Right.

From a, you know, what you might do as a red teamer is very cool.

Yeah,

Have you Prasanna, have you seen this movie?

I'm trying.

I don't think I have.

It is, uh, it's a, I mean, I don't know.

Yeah, I don't know.

I mean,

list.

Yeah.

I don't know how much of it is just complete bss, but

it is a fun movie to watch.

They get, I think they get a lot of stuff, interestingly.

Right.

Um, I mean, just the, just the whole thing of like the scene where Robert

Redford's got a bunch of packages, he's got balloons and he's like, can you,

can you just buzz me through, you know?

Um, and, uh, so what you're telling me, Dwayne, is you, you

play the role of the devastatingly handsome disarming guy who disarms

that's what I like to, yeah, that's, I mean, I wouldn't, I wasn't

gonna put that label on it, but thank you.

Yes.

Um, but you know, honestly, it's a great movie to watch.

I mean, you've got really good actors in there.

You've got Robert Redford, Sidney Poitier, um, Dan Royd.

Ben Kingsley.

Right.

Um, yeah, there's, uh, river Phoenix is, there's like a ton of really

good actors in That's fantastic.

So speaking of movies or entertainment, I know

Curtis, you had put me on to a TV show called The Undeclared War, Dwayne.

Have you seen that?

I haven't, I have not

It was on Peacock.

Yeah, it's on Peacock, and it's basically a fictional story about a

cyber attack by Russia against the uk.

Ooh, okay.

I'm adding it to my list.

I've, I've looked it up.

I've added it's my list.

I'm excited about

yeah, it's a series.

Go ahead Prasanna.

Well, and so, sorry, go ahead.

No, no, no.

Go ahead.

I was gonna say, it's, it's interesting when we bring

up movies and whatnot because you, you find polarizing, um, people in

the cybersecurity space where some people in cybersecurity are like, oh

my God, I can't watch those movies.

'cause it's, it's, it's like being a doctor and watching, you

know, uh, er and you're like, they would never do any of that crap.

Um, and I'm on the other side of it where I'm like, I love watching these movies

'cause they like, they're part of the, it's the passion of cybersecurity and

hacking that I got in the nineties, right?

And I watched Hackers and I watched sneakers and I watched war games

and, and it was that, that awe of how could you tear a system apart?

How could you make it do things that it was never even designed to do?

Um, and, and bend it to your will as a red teamer.

And, and that's what these movies and these shows do for me, is they

bring that, that awe back, right?

Um, even though some of it might not technically be true, it doesn't matter.

Um, so yeah, it's on my, definitely on my list.

So given that you do offensive security, right, red teaming,

and I know we'll talk more about that.

I guess the question is, in your personal life, doesn't it freak you out a bit?

Like what do you do to protect yourself against some of those things?

You know, like the fact that you're surrounded by this all

the time, trying to break things.

Does that sort of translate into your personal life where you're like,

okay, RFIDs can be hacked, so I'm gonna get one of those wallets that

block RFIDs all the time, right?

Wifi network.

I'm just gonna keep everything unplugged all the time.

Like nothing comes on my network.

Yeah, it's a great question.

And I also have, um, I have probably three of the, uh, um, I.

Worst end users from a cybersecurity standpoint.

You could imagine.

I have three children and they're they'll, they, like, you can never

tell them what to visit or not visit or click on or not click on.

It's just, it is what it is.

So, um, so it's interesting, it's twofold.

One, yes, there are certain things I take into account in my daily life that

I notice a lot of people don't like.

I use a password manager all the time for all my passwords because, you know, using

the spreadsheet, if the spreadsheet gets compromised in some ways somebody gets it.

I'd rather have a company who focuses on managing passwords and

sometimes they do it wrong, right?

Like KeyPass, but more often than not they're gonna get it right.

So there are little things like that where I get paranoid and

I go, yes, I wanna do that.

I turn on two f a for everything.

I have all of my accountant credit locked through the three different, uh, you know,

providers, your credit, Equifax and all those guys, uh, Experian and whoever else.

So there are certain things I do because I'm a cybersecurity professional

and I can see, you know, we have access to all the deep dark web.

Information on all the people, and I'm like, oh my God, I can see all this info.

But from another standpoint, I worry less because I know how hard

it is to break into a smart device.

Like I know how hard it is to reverse engineer a chip and

figure out a way to break into it.

So from that standpoint, if I just, yeah, you know what?

I'm gonna set a strong password on my wifi.

Like I, we have a crack cluster at the office, um, that has, at

this point, I think it has 40 or 50, um, 30, 90 GPUs in it.

So, and talk about electricity.

Woo.

Um,

you might consider moving that to Prasanna's neighborhood.

I might have to think.

I'm gonna have to, um, so we can guess about we, if we grab a, a

crack, a hash from a password.

So just a little bit.

If your users aren't breaking into wireless networks all the time, um, I.

Uh, if, if I go up to a wireless network, I can see all of the clients

that are connected 'cause it's all over 2.4 gigahertz wireless.

Everybody can see those signals.

They're open, um, but they're encrypted between the client and the access point.

But I can tell the client to get off the access point.

I can d off it, I can say, Hey, I'm the access point.

Get off the, get off the, the access point just for a couple minutes

and it'll de off that client.

And then the client, when they reconnect, we'll see a handshake, right?

And that handshake's an encrypted password.

But we can take that and then we can try and crack it.

So I can then take that handshake, take seconds to get, I can pull

it on my offline cracker and, and our offline cracking device.

Can guess 3 billion passwords a second.

Wow.

Wow.

So you say, you say to yourself, well, okay, shoot, my

wireless is probably not secure.

Um, but if you start looking at the math of it, you say, listen, if it's,

if your password for your wireless is in any list of passwords ever, Right.

Um, so if you go to have I been p.com right?

And you type in your wireless password and click check and it's in the list.

Yeah, they can get it in seconds, but let's say it doesn't show up on that,

that in any list now it's a mathematics, uh, problem to, to brute forcing.

So let's say minimum password's, eight characters.

And I can do that in, uh, let's say a day.

And that's actually quicker than that.

It's about an hour for me to do an eight character.

All uppers, lowers, numbers, whatever.

If you put nine characters on that, and, and let's say we don't do, um, all uppers,

we don't do all special characters.

We don't do all numbers.

That's still 26 times an hour.

So we're looking at a day now.

We do an, we do a 10 character password.

It's 26 days.

We do an 11 character password.

Right now we're ending up at 26 months.

We're at two years for us to break that, and that was just

all lowercase characters.

So the longer that password is, as long as it's not in a list, I personally

know how hard it would be to crack.

So I'm like, ah, we gotta have 15 character password.

It's reasonably good.

Some uppers and lowers.

Nobody's gonna crack it.

It's just not gonna happen.

Um, so it's a great question because a lot of people are like, you know, oh my gosh.

And for me, I calm down on certain things, but other things I do reasonable stuff.

My family, however, like my wife, like, she will give valid

emails from family members.

She's like, I'm not clicking on that.

No, I know, I hear all the dark stories.

I'm not, I'm not clicking on anything.

Like, if she gets a phone call from someone, she's like, Nope.

And I'm like, I, I think that was our bank.

She's like, Uhuh, I'm not.

I'm so, yeah.

I think my family takes the brunt

You know, my

f my favorite thing, and it used to, it was a different bank that I'm at right

now, but they, they would call for, basically it was a fraud alert, right?

That, that I would have a, I would have a potentially fraudulent

charge and then they would call me, they call me from Rando number.

Right.

Um, and even if it said different number, I wouldn't believe it.

But they call me and they're like, this is a b, C bank.

Um, we'd like to talk to you about a potentially fraudulent charge.

Please authenticate yourself.

And they want me to like, they want me like, you called me, right?

You want, and they're like, this is the process.

Like, you want me to give you, like, they wanted like, like my social or

something for me to authenticate my, like, you called me like you don't, like,

you don't understand how stupid this is.

Like, I was so angry.

I was like, I like, I'm glad you called me for a fraud alert.

But I'll tell you what, I'll call you, right?

I will call the, the known number for the bank, and then I will authenticate myself.

I'm not giving my social to some rando who just showed up on a phone number.

Like, what, what are you thinking?

And I think what the, the worst part of that.

Um, you, like, you are savvy in the security world, so you're like,

okay, this, this doesn't feel right.

But I think the worst part is the bank is training their normal, you know,

right,

that this is the normal process, right?

We're gonna call you.

So when they get a call from a spammer, they're like, oh, well this is the normal

Yeah, exactly.

Just like they used to train if you click

on links and emails, right?

Just like, uh, years ago when I worked at, uh, at a bank, we

would, uh, train, they all, everybody got regular cybersecurity training and it, and

one of the things that we told 'em was, no one in it will ever, ever, ever call

you and ask you for your password, ever.

Right.

And then the next day after training, someone from IT would call them

and ask them for their password.

And it worked like 20% of the

yeah.

And they'd always give it, they're like, oh, they're from it.

Of course.

Yeah.

from it.

We're like, oh, you're

what could you do though to train users, though?

I think that's like the hardest challenge, right?

Or one of the biggest challenges,

So I, I think it is, and I think it's not, I think we, I

think in some ways we've been trained as people to stop listening to that voice

in your head that says, this is weird.

Um, so I like to think of humans as almost like networks.

'cause I understand networks, uh, and they kind of make sense.

So imagine you are a, you're a network and you have this, this

intrusion detection in your head.

And there are certain times we've gone through, we've all gone through this

where we're on the phone, somebody asks us a question, we, we answer

it, then they ask another question.

We go, wait, this is weird.

Like, I've never been asked this question over the phone before.

Nobody's ever asked me for my social.

Nobody's asked me what the last four digits on my credit card like, No, no,

but then we go, oh, well this, you know, I wanna be nice, I wanna be polite.

I'm not gonna, right.

So we get to that, that where we just disregard all the alarms we,

we have in our head because we're like, well, I'm on with this person

and they must be well-meaning.

Um, and I think we need to get back to you listening to those voices in your head.

There's, you know what?

This doesn't feel right then.

It probably isn't.

Um, if it's not something you normally do, if it calls you up every day and

asks for your password, you know, great.

I, I get it.

Yeah.

You give them the password and no harm, no, no, uh, fault on yours.

But if they've never called you up and then they call you up, like, that's weird.

Even if really is it?

So, you know, I wouldn't, yeah.

I think you need to, I need, that's how I like to train users is like, really

listen to that voice in your head.

If it's something you've never done before, um, don't start now.

Right.

Find other ways to verify.

But then how do you train them?

Taking that and the flip side of that, right.

How do you train them to start doing things then?

Because if they've never done it before, then how do you start to

build that voice in their head?

Yeah, so that's a good question too.

Um, what I typically do then is say, listen, when that voice goes off in

your head, um, and, and you're like, this is odd, this isn't the right thing.

What you need to do is start thinking about alternate paths,

alternate uh, communication paths.

So, like Curtis had said, when the bank called him, he said, this is weird.

I'm out.

What I'm gonna do though is I'm gonna look on the back of my credit card.

I'm gonna find that number that's on the back of my credit card

and I'm gonna call you back.

Now would that be fail safe a hundred percent of the time?

Uh, listen, if you're getting attacked by a nation state, they

would've tapped into the phones and it wouldn't have mattered, right?

So we gotta assume a nation state's not coming after each of us.

'cause at that point, we're kind of in trouble anyways.

Um, but if it was a random spammer yeah, you verified via an alter channel.

So that's typically what I'll do is say, listen, if something's weird,

get outta that particular thing.

Whether it's an email, whether it's text messages, um, whether

it's, you know, a phone call.

Just get outta that and find an alternate way to communicate.

Hmm.

Now I say alternate way and I stress that because

we, we had a customer, um, that unfortunately lost, uh, hundreds of

thousands of dollars in a a scam.

And, um, their boss sent them an email saying, Hey, we need to change our a C H.

That should have been red flag.

How often do you change your a c h for bank to bank transfers

for a particular vendor?

Um, and we said, and they, and that person then said, listen, I verified,

I did what you told me to do.

I verified to make sure that this was right.

And we said, okay, cool.

What alternate channel did you use?

And, and we said, they said, well, I sent an email to my boss asking, you

know, if this was a real transaction.

We're like, but didn't your boss communicate over email?

And they were like, yeah.

And we're like, that's not an alternate path that you used the same path.

So what had happened is the hacker actually, and 'cause a lot of us would

notice that like fake Gmail account saying, it's your boss, this particular

boss, their email got compromised.

So they were in their inbox.

So it's like, no, there's nothing you, you like different path.

Call them, talk to them face to face, especially when we're

starting to talk with big money.

Right.

Yeah,

would be my suggestion.

yeah.

I've seen the, I've seen and heard of that, um, and I've seen it and heard of

it where, where basically they have hacked the entire email system and the, and then

customers are using email as their M f A.

Right?

And so they, they, they, you know, basically, and they use that to basically

at that point, they've taken over, right?

They can do whatever they want.

They can reset passwords, they can then authenticate that with

the m ffa, uh, which is why email and, and SMSs suck as MFAs.

Um, and you know, and speaking of, speaking of which, you know, uh, we, you

know, recently in the last few years, right, you know, I've been pushing

more of m f A on, on myself as well, which includes pushing it on my wife.

And there's a lot of things that she doesn't do very often.

And then she'll, I, I remember a couple of weeks ago where she went to go

log onto something and she got angry.

She says, oh crap.

Like, that's right.

I gotta go get that thing right.

I gotta go get the M FFA thing to get the thing to put in the thing.

And I remember getting angry at that moment going, yeah, who cares

about having So having security, like, I'm sorry that you gotta spend

an extra 30 seconds to protect all the money we have in that account.

Uh, anyway,

I

I remember that.

I actually remember that conversation,

Curtis.

Um, so let me, let me ask you this, Dwayne.

So, you know, I, so I like the password manager.

We're, we're a big fan of those here.

Um, and we've covered, we've also covered the, you know, the major, I believe,

just pause, it was LastPass, right?

That was the major hack

Uh, last pass.

Yeah.

What's last pass Was last pass?

Yeah.

Um, and I, yeah, so yeah, we've also covered like the big LastPass hack and it

just, like, it sounded bad, it got worse and it just, it just never got better.

Um, and so it's, so no, no one password manager is, is perfect.

Uh, and if, if something becomes compromise, it's time to move.

But that doesn't mean the concept of password managers is wrong and

tell me something that's better.

That's what I want to know.

Right.

Um, because, you know, you talk about password length, I've just been over

it because I have a ridiculous number of passwords in my password manager.

Um, the, um, I, I just, I keep setting 'em to like 20, like 20

has been my, has been my number.

Right.

And, um, by the way, while you were talking about it earlier,

I counted the number of.

Characters of my wifi password.

It's is 18, so I felt I

I'll see.

You're good.

You're good?

Yeah.

Um, and it, and it, and it's not, it's not, and I've been

pod um, I am definitely, I've definitely had some accounts that got, um, that

got hacked or whatever, but who hasn't?

Um, so besides password manager and M f A, uh, and, uh, and, um, pa um, sorry, patch

management, what would you think are, are the next sort of best bang for the buck?

That, and, and, and again, let's just, let's just do context.

What are audience is typically really worried about is the ransomware

hacks and Exfil and exfiltration, um, of, of that data, which what we're

hearing is that exfiltration is now step one of a coordinated attack.

Right.

Um, so that's why we talk a lot about lateral movement, right?

Trying to limit, limit lateral movement.

Uh, what would you say are the next.

Few things that would stop a guy like you,

Yeah, that's a great question.

So here I'm gonna, I'll, I'll spill some of the secrets, um, from

our, from our red team tactics.

Um, and, and sadly I'd say all of these are going to deal distill down to policy.

That's it.

It's gonna be, here are the policies you should be following

to make yourself more secure.

Um, so xFi is always one of the big things, um, that, that a lot of

our customers are concerned with as well, especially when we're doing

banks, um, financial organizations, embassies, that sort of stuff.

Anything we can ex fill is important and, and that's why there's this

massive d l P market out there.

Right looking for exfiltration of data.

Did it go over email?

Is somebody trying to upload a file to a website?

Something along those lines.

Um, I can tell you, uh, the red teamers as well as the, the hackers out there

are not uploading data over Port 80.

They're not uploading data over port 4, 4, 3.

Um, they're not, you know, they're not using the standard channels because

there are so many other ways for us to exfil data out of an organization.

Um, so for example, um, the first thing we do when we break

into a company, um, and we

can I, can I, sorry to interrupt you,

but can I ask you a question

sure,

Why not?

Because if they were uploading over that port, it would seem like

it would be a lot easier to do.

it's absolutely a lot easier to do, but it's,

it's a, it's too watched.

Um, so everybody knows to watch all the web traffic.

Um, so even, even if I were to break up what I'm exfil into small parts and

then like turn it into hex and then try and post it to a website, A lot of

your D L P solutions are looking at the reputation of the website I'm posting to.

Right.

And they're, they start doing that analytics of that communications chain.

Um, and, and H T M L communications, h t p communications are very well understood.

So it's easy for a corporate organization to go, well, we're

not gonna allow anything out other than through this proxy.

And we, we are going to then mount in the middle with a certificate

so we can see all that traffic.

So it's, it's risky for somebody who wants to break into a company and, and steal

data, um, to, to go over those ports.

They just won't anymore.

It just doesn't make sense.

And that is, it's super, it's, it's like, it's like we're, we're

sitting out in a field, right?

And, and port 80 is this steel door in the middle of the field.

And, and we go, well, we could go through that steel door, um, or we

could walk around the side of it.

not use the steel door, right?

So for us, we're like, it's just easier not to use the steel door, for example.

I'm guessing at least your home networks, but probably your corporate

networks, you don't block traffic out.

Most people don't.

They block traffic in, right?

And then for d l P solutions, they look at web traffic, they look at, you

know, um, maybe even, uh, they look at, you know, other ancillary traffic,

but most of the time not, um, like web sockets and that sort of stuff.

But most of the time they don't.

So when we get into an organization, I mean, one of the first things

we do, ha have you guys ever, um, you take a file, uh, I assume

you've used Windows in the past.

Um, we use Linux a lot, but take a file, right?

Click on it, drag it to your desktop, and create a shortcut, right?

Pretty simple.

And then you double click on it and it opens up the shortcut.

Well, what if that shortcut reached out to a file server, right?

Well, you could do that.

You could grab a file off a file server and create a shortcut.

When you double click on it opens up the file on the file server.

Well, what if that file server was on the internet?

Can you do that?

Well, you can.

Yeah.

4, 4, 5, which is Ss and B.

Traffic does travel out over the internet.

Oh,

Most people don't ever do it.

So it's easy for us to, what we do is we'll go to a w s, spin up a server turn

on 4, 4, 5, and responder and a listener.

Um, and then we drop this shortcut at the customer site.

Um, and then we just wait.

And what happens is everybody who browses that share doesn't even touch the file,

but browses the share your file Explorer wants to put an icon on every file.

So when it does, it touches that file and it goes to figure

out what type of file it is.

So it reaches out to us and gives us your hash, your handshake.

For the network because it assumes it's connecting to.

And, but who would stop SS m b traffic going out over the internet?

Right?

So this is one of the tactics we'll use.

So then, you know, we were working with certain organizations where they're like,

we have D L P, we have blah, blah blah.

We have all this other good stuff.

And, and literally all we had to do to x fill the data was map a windows,

drive out to the internet and copy the data from one server to another

and it just copied with Windows copy.

And they're like, yeah, we didn't see 10 gig worth of data, customer

data just go out over s and b 'cause nobody's watching it.

Um, so the, so this is where I say a lot of it comes down to process.

It's, you know, uh, least privileged process on traffic

going out of the organization.

If it's a not a port that you need, shut it down.

Uh, 4, 4, 5 should never go out to the internet ever.

There, there's no reason for it.

Um, I.

A lot of your home routers will actually block it by default.

But corporate now, they're okay with it, which is just weird.

Um, so I'd say part of that, part of that is process lease

privileges on the way out.

If you don't need a port, lock it down.

That's gonna shut down a lot of the xFi tactics that we would use.

Um, there are still some xFi tactics, tactics that we will use that

would be hard for you to shut down.

Um, there was one, I can't remember.

Uh, there was one system, we had an administrator, we got access to this

box and, um, he said, listen, I'll give you a jump station 'cause most, most of

our engineers work on a jump station.

And, and he gave us this jump station.

And, you know, God bless him, he was, he, he really wanted to get the gold,

the gold star on the, the, the pen test.

And the drum station had access to nothing.

Like, it didn't even have access to the internet.

Like when we connected to it over remote desktop, this thing couldn't

open files, couldn't, like, couldn't go anywhere, couldn't do anything.

Um, And we're like, okay, what do people use this for, honestly?

And he's like, ah, you know, they, we may have applications on there at some point.

It's like, okay.

So it was completely locked down and the way we were able to get our tools

in and on that box was through d n s.

I was gonna ask about d n s.

Yeah.

Yeah.

Um, and listen, this thing couldn't communicate with the internet,

but it's on a Windows domain.

So we would then request through the domain controller to go out

to our hacker.com website, and it couldn't pull down files.

This is D N Ss, but you can request text records, which is the associated

data with the d n s records.

So we would encode like the first 64 bytes of a file in hex, pull that down.

And once we had all the hex bits, we reassembled it into an executable.

Um, at the local station.

So, and, and it works both ways.

You've got xFi and infill that way.

So, uh, there are some that are really hard to block.

You'd have to have very specialized tools watching, um,

for those types of infill xFi.

But I'd say just start with the basics.

Shut down the ports that are going out that you don't absolutely need.

And it gives you a lot less to look at.

Like, did we have a hundred thousand d n s requests yesterday and now

we have two and a half million?

That's probably weird.

We probably should look at that.

Right.

Um, it'll give you less of a, a surface of attack.

Hmm.

It is, it is.

It was interesting because I, I had a conversation with a cyber person.

Um, and he was crapping all over the idea of using D N Ss as an attack surface.

Um, just like, it's like, it's just not, it's just nobody does that.

And I'm like, okay.

Um,

In a totally lockdown environment.

I, I'll tell you, it's a pain in the butt.

Um, because it's slow think, um, like if you guys ever used a, a 14 four modem back

in the 1990, it's, it's like that where you're like, okay, d i r from our side.

And it's like,

This

so from nostalgia standpoint it's pretty cool.

But, um, so yeah, I get that it's not, it's not the best channel,

but if it's the only one available, yeah, we'll absolutely use it.

Right.

Interesting.

Um, man, I could talk, I could talk to you all day.

It's

both, it's both, very interesting and exciting and super depressing.

Um, yeah, the, um, because you know, we, we had, we talked to somebody

yesterday and basically their.

Point.

And, and it's a point that I agree with, but, um, you know, and that is, you

know, I I would summarize it as this.

Don't spend all your time trying to stop this stuff.

Learn how to detect it when it's happening, and learn how to respond

when it, when it has happened.

Right.

Learn how to watch for xFi.

But in your case, you're, you're saying that some of this stuff is

gonna be nearly impossible to detect.

Look, you know, stop.

I think what you're saying is stop the really obvious stuff, right?

Uh, you can, you can do the, you can watch the port 80.

Right?

But you're saying that nobody's gonna, so, because I, I had heard that they're still

using like these, um, and their names are escaping me, but like, these file sharing

sites, um, like, like mega mega file

mega uploads and mega

download and Yeah.

Mega file.

And wouldn't those go over port 80?

Yeah.

And they do, and that's why most, most people aren't using those anymore.

Like it used to be, um, what was it?

Uh, pay bin and that sort of stuff.

Like people were finding these sites where you could paste up a lot of data.

And, and the problem is d l P solutions really have caught onto those.

Uh, and I can tell you as a, so as a developer, uh, and as a, um, a guy

who's trained in writing viruses that bypass any antivirus on the planet,

it's really not that hard to open up any other port and start transferring data.

'cause nobody's looking for it at that point.

Right.

Um, silly things like, um, say, okay, uh, S S H.

Okay.

So if every, if every you've ever, uh, you know, gone on a Linux box or whatever and

you wanna connect to it remotely, use ss s h, which is a secure tunnel, um, well it's

a secure tunnel 'cause it's encrypted.

So if I just s ss h and s c p copy of file to a remote Linux box,

that's an entirely encrypted channel.

Nobody's gonna see what's in that.

So why are you not blocking like port 22 out?

Right?

Oh, well, you know, one of our developers said they need to connect

to some remote, uh, you know, Linux box in a w s like, okay, well there's

better ways to do that, right?

Um, so yeah, I you'll start to see a lot of, and, and you'll start to see a

lot of these people using things like, um, you know, even like, so a lot of

the Cobalt beacons, uh, cobalt Strike Beacons and that sort of stuff are,

are starting to use different ports just so that they're not detectable.

'cause everybody's looking for 80 and 4, 4 3, right?

Mm-hmm.

Mm-hmm.

and it's just easy to use something else.

So my summary of what I heard all over that is

blocking outgoing ports that, that you don't need right di disallow all.

And allow the ones that you know you need, you'll break a couple

of things, I'm guessing, right?

You'll break a couple of things in the beginning, you'll fix those

things and then you'll be better.

but but isn't that sort of supposed to be the way

you approach network firewalls, right?

It's always a deny all, and you add access for what you need.

But I think,

but I think Dwayne's making the very valid point that people haven't

historically done that going out.

Yes.

Yeah.

And it's weird because like, um, and, and it's the same thing with windows, right?

Windows in initially started with everything's open and

you need to lock it down.

And that's why they got the, the bad rep of being the unsecured operating system.

And, and Linux started the entire opposite.

There's nothing running on it unless you open it up.

Um, networking has always been trust the inside and not the outside.

Right.

So we, we've been trained to, if they're on the inside, oh, they already have

access to the juul, so to who cares?

We don't need to worry about them going out.

But, but the problem is, especially with ransomware and whatnot, the going out

part is the important part at this point.

Um, so yeah, you absolutely want it.

And, and I like to think of it as a least privilege, uh, network stack, right?

So exactly what you're talking about is what privileges do you

need going out and let's say we manage a $22 billion organization.

Yeah.

You're not gonna set everything to deny out and then open it up.

But what you could do is you probably have pretty sophisticated firewalls.

You set them in monitoring mode, uh, and at the end of a month

you see what ports are in use.

Maybe you allow those and everything else gets blocked, right?

So there are ways to do this without sort of breaking the organization.

But I'll tell you the same thing applies to win like, um, corporate resources.

We see far too often where we we're in an organization and it's like, oh, here's a

public share that everybody has access to.

And oh, by the way, it's got, uh, you know, we've seen things like, um, social

security numbers, we've seen applications for mortgages, we've seen, uh, HR

files, and we're like, why do we with no account have access to these things?

And they're like, I don't know, people just put 'em in the public share.

It's easy for anybody to access it.

Um, so lease privilege needs to be used everywhere, but,

um, including

That's your policy thing that you were talking about,

Yes, exactly.

Yeah.

concept of least privilege.

Yeah.

Um, that is a really good concept and policy that people should have everywhere.

Let me, let me ask you this.

So what, so a company comes to you and, and, you know, and

they're like, hack us or whatever.

I don't know exactly exactly what they say, but they, so what, what

do they say and what do they get out of it right when they walk away

from having, having been summarily beaten, um, and, and, and shamed.

Um, what, what, what did they get out of it at that point?

Uh, that's a, that's another good question.

So we do, um, the way we do red team engagement is a little bit different

than most cybersecurity companies.

Um, so the heart of our organization is very much a training company.

Um, you know, I was a Microsoft certified trainer for decades.

Um, my c e O was also a certified trainer for decades.

We're all about teaching as much as we possibly can.

So we bring that into our red team engagement.

So the way it starts is t typically people do come to us and say, Hey

listen, we're not really sure what our SEC cybersecurity posture is.

Can you test it?

Right?

Can you hack us?

Um, and we'll get some information from them.

We'll obviously get the TS and CS sign that says you can't throw us in

jail, and all that other good stuff.

Um, 'cause we have had people come up to us.

We had one guy come up to us, say, I'd like to engage you

to, to, to hack into this bank.

You know, I'm, I'm their IT manager.

And we're like, okay, cool.

But we don't see that you're their IT manager on LinkedIn.

Um, or anything along those lines, you No, no, no, it's okay.

It's fine.

Um, but all things will go through me.

So, and I was like, okay, so we can't talk to the bank and you want

us to, no, we're not doing that.

Um, so we talk to somebody at the bank, but for the most part they come to us,

say, hack us, here's the resources.

Um, you know, ideally they say, here's our IP addresses

that are valid to hit go nuts.

Um, sometimes they, they kind of tunnel us into, I only want you to

focus on these systems, but they get kind of a better risk assessment

if it's let us look at everything.

And then what we typically do is, uh, we'll literally open up a, a zoom

meeting, um, from nine in the morning till usually two in the morning, um,

where their blue team can join and watch what we do and we'll talk 'em through it.

But like, I know, and it's, it feels weird.

It's like, Hey, I'm, I'm beating up your child, but let

me explain how I'm doing it.

Um, and they have to sit there and watch.

I guess that makes it

let me explain why your child is ugly.

right.

Exactly.

And we'll show you empirical proof.

So, um, what's nice about that is far, you know, a, it

gives, it's more collaborative.

It's not like I'm delivering a report at the end, and the blue teamers are like,

well, those red team guys suck, right?

It's, it's, Hey, we wanna work with you, we want you to know these tactics and

watch how we're moving around in network.

Um, and, and b what we typically see from the blue team is they'll go, Hey guys,

guys, you know that system over there?

You haven't looked at it yet.

Yeah, it's been causing us troubles.

We wouldn't mind if you, you know, kind of tried to push

that over a little bit, right?

So we're like, all right, cool.

We'll take a look at that system.

So, um, so we, we use it as a training engagement, usually for like a week with

their blue team and or red team if they have one, giving them other ways to think

about the network and lock things down.

And if we find something mission critical, we stop and we work with them to fix

whatever it's, we find another hacking team in there, um, which we have, um,

or we'll find, uh, yeah, we've, we've definitely found indicators of Compromise

IOCs, um, for, for other teams in there.

And that's an, that's an all engagement stop.

And we call in

And, and, and when you say other teams, you mean,

you mean bad guys at that point?

Yeah.

Yeah.

And we'll, um, my team will go into forensics mode.

We'll track 'em down and we'll be like, all right here, here's where they came in.

Here's who they are.

Here's right.

If the, especially if the customer doesn't have a threat hunting team.

Um, so that's typically what we do.

And then, and then the report we deliver to them.

Is very actionable.

It's here was the issue we found, here's the risk, here's what could happen.

Here's how you fix it, and here's how you run the commands yourself

that we ran to exploit it.

So until these come back clean, there's no need to, you know, check

back in or anything like that.

Just go through.

So we want them to have all the tools, um, and, and we even tell customers

after being with us for a year or two, like, go find another security vendor.

Like, no, it behooves you.

Like we look at it one way and we, and we start to get tunnel vision when we

hit this network over and over again.

Go find somebody else who's gonna look at it in a different way, right?

Um, so that's, that's how we approach it.

So what they get from us is, you know, training a report that gives

them some actionable intel and how they can test their own network.

Um, and then advice that they can hopefully learn, uh, and we'll,

we'll adopt more customers.

Oh,

I like

awesome.

Yeah.

W. Curtis Preston:

Yeah, I like that a lot.

W. Curtis Preston:

I, I'm curious to know if you've ever had a situation where like

W. Curtis Preston:

you've got the blue team there and they get like angry because,

Oh

you know, it's

Yeah.

Oh yeah, yeah.

Okay.

Yeah, we've, we've, okay, so we've had situations where we've had, uh,

developers of applications on the line where we just tear the application apart

and, and they're, they're very much like, oh, man, like, and we tell them

that, like, they're like, what the f And I should have been better at this.

And I'm like, listen, like if you're not a, if I've been a developer, uh,

act since the early nineties, mid nineties and, and, and a cybersecurity

focus since, you know, 2000 so.

And, and there are a lot of these things I miss and I'm solely focused on cyber.

So don't beat yourself up.

This is what we do, right?

We specialize in these things.

Um, and I like that type of mentality 'cause that person wants to be better.

Um, I have had, we did have one blue teamer on a, uh, it was a

massive, uh, fortune 500 company.

Um, and he was the network security guy and he was on the call and, and every

time we run into a finding, we'd be like, oh, all of your, your switches actually

are doing, uh, T F T P automatically from an IP address that doesn't exist.

We just switched over to that IP address and that we can feed configurations to all

of your switches and that sort of stuff.

Anyway.

Go.

Well, you know, that's, uh, that always by design, um, that's the whole way.

Like, and we're like, oh, okay, that's cool.

We're just, you know, we're just saying this is, and, and every single time.

We would get this.

And, and we finally, we finally at one point went through and exploited it, um,

a particular switch config, and was able to pull down all the information on switch

config and decode this guy's password.

And we're like, oh, well, the way that we broke the entire network and became

domain admin is because this administrator here, here's his password on the switch.

And by the way, it's the same password on the domain.

And he's just like, I was like, yeah, yeah.

We try not to be adversarial, but occasionally we will get someone who,

uh, will, will invoke the ire of the red

Yeah, your, your goal is to bring them along with you,

like you said, for them to be educated.

But, uh, you know, a as a person who's been on the receiving end of that kind

of stuff, sometimes it's hard to, to

Oh, absolutely.

it personal.

Right.

Um, yeah.

So, all right.

I, I, I, um, I have one final area and we've gone a little

longer than we typically go.

But I have one final area that I want to ask you about, and that is, so, you know,

at its heart our podcast is about backups.

Mm-hmm.

What, what do you know about backup and recovery

systems as an, as a, as an, uh, a, um, what's the term that you use?

Uh, an attack surface.

Ah,

about backup systems as an attack surface?

so I have a very poignant example.

Um, we just recently, um, we're doing a pen test two weeks ago,

uh, in an organization where we breached it over the backup system.

Um, and I.

So they were all virtualized, of course.

Um, and they were backing up all of their VMs and we got access to the

backup manager because the password for the backup manager was weak.

Um, it was actually default passwords.

'cause people think to themselves, it's a backup manager, what do I care?

Right?

What are they gonna restore it?

Yeah.

And that's what we did.

We actually took the backup of the domain controller and pulled it over the internet

to us and restored it in my own lab.

And then we're able to tear it apart, pull every single username and password.

Not like, except.

And they, and at that point, so, so I would be careful that repository is just

as sensitive as your primary network.

It's not only your path to recovering from disaster, but from an attacker.

I'm always looking for backup systems, um, and what I can pull out of

filtration, right?

right?

Yeah, exactly.

So it's like pulling that data off.

Um, you know, uh, backup accounts should have strong

passwords and should be audited.

Backup systems should be audited for who's trying to log in, et cetera.

Um, backup service accounts that are running on boxes, we've seen far

too often just have weak passwords.

Um, and it's super easy for us to then compromise.

And the thing about backup, backup is awesome, actually.

Um, the, the backup service right on Windows gives you the ability to

read any file without being audited.

So, so you have all these auditing tools looking for users like reading files

and opening secure files and whatever.

But if you can request the se backup, right?

You can touch anything and nobody ever sees it.

So from a, from a, from a surface of a tax standpoint, like backups

are like a win button for us.

We're always looking for like, Hey, do they have a backup system?

Is there an account we can compromise that has se backup rights?

'cause if so, you know, money, we can go open any file we want and

nobody will know we were there.

So yeah, I, I would absolutely say, uh, surface of attack is large there.

Um, and you really need to go back to basics.

Make sure good passwords, strong auditing on backup systems and, and don't just

think it's your path for recovery.

It could also be an attack target.

that's crazy.

I did not know that about the Windows roll.

It's so cool.

So many cool things you could do.

Privilege escalation from ransomware can be done through backups.

I mean, there's so many cool things.

Uh, okay.

I was, I was, I was,

is,

I was, I was excited and then I, and then I just, I just got

really depressed right at the end there.

I was like, God, it could be used for, yeah.

You know, the thing that we try to tell, like I've been trying to, I

I what this, this is gonna sound really weird, uh, especially given

that you joined that, you know, you crossover into cybersecurity in 2000.

What I think we're having at this point is a nine 11 moment.

And, and here's what I mean by that.

Up until nine 11, The thinking was, oh, well, just like, don't do anything crazy

with the guys that are control, you know, that are the, the, the hijackers.

Uh, okay, they can have access to the, the thing, but what are they gonna do?

Right?

They're gonna, they're gonna wanna land the plane, they're gonna wanna

hold everybody hostage so that they can release some prisoners.

And a pri, you know, no one had ever said, Hey, let's go train, you know, train

the hijackers on how to, how to land a, you know, a 7 47 so that they're gonna

use the, the plane as a bomb, right?

Um, as the weapon itself.

And, and what, that's what's happened with backup in the last, let's say five years.

Is that the ransomware folks are definitely, um, they're, they have

started seeing that two things.

One is that if they can take out the backup system, you're

more likely to pay the ransom.

And two, the backup system is, like you said, this massive attack service that

that could be used for exfiltration.

I did

pot of gold.

until you, until you mentioned I didn't think about it

being used for privilege escalation, uh, which makes it even more depressing.

Uh, and, and the, the thing is that so many times the backup system

is administered by the new guy.

Right.

It's,

That was my first

the

first job I ever got.

Oh, it was your first job

Yeah.

Mine too.

And, uh, and I'll date myself.

It was, it was these d l t tapes I was pulling out every day and then

putting in these new, these yeah.

Yeah.

Yeah, yeah.

Good times.

Good times.

Uh, well, well, dway, I, this has been fascinating.

Um, I don't know if I'm gonna be able to trim any of this

down to our usual show size.

So I hope that folks have enjoyed staying, uh, staying with us this amount of time.

I want to thank you so much for coming on

It was my pleasure, honestly.

And this is, this was super easy, super comfortable.

Honestly, any guy, anytime you guys wanna talk cyber or

latest attacks, just hit me up.

I'd love to chat.

the time, right, Pana all the

Yes.

Oh, that's exactly what I was thinking.

Yeah.

I was like, just hearing the stories you talk about Dwayne, it's like fascinating.

It's like a world that like I've never really been exposed to and

just hearing the stories firsthand.

Like Curtis always talks about backup stories, which is great 'cause

I've never cut my teeth on backup.

But like hearing like the stories you or the experiences you have.

I think it's eye-opening.

And horrifying.

And, and you notice me, I get giddy when things break.

Like the internet's on fire.

I'm the guy going, woo-hoo.

Like, let's see where this goes.

Which I know is a little sadistic.

I get it.

But,

Yeah.

Well, um, yeah, so thanks, uh, thanks again also to our listeners.

Uh, you know, we'd be nothing without you.

And remember, remember to subscribe so that you can restore it all