You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we're gonna talk about the cybersecurity concept

of a honeypot server through the lens of Mr. Robot episode or season

one, episode seven and eight.

We'll look at what makes one so effective, uh, how it can catch external hackers,

as well as, uh, insider threats.

Why?

The key to success is that nobody knows that it exists.

We also talk about proper log storage and why that's crucial for forensic analysis.

That's gonna be important if the bad guys actually come knocking.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that there were no backups of the production

database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and I have with me a guy who

probably should just be taking me to the hospital instead of talking

to me on a podcast recording.

Prasanna Malaiyandi, how's it going?

Prasanna,

I am good Curtis, and I would love to take you to the hospital, but unfortunately

by the time I get down there, uh, I don't think it would help your cause.

you could probably be, I would be expired.

well, hopefully not, but hopefully you'll just be better about that.

Yeah, so hopefully this is short term, you know, short-lived.

So for this, yeah,

listeners

yeah.

This, this is, this is,

know what?

It's actually been a while since you've had an injury, knock on wood.

But

this count as an injury.

I, I self-inflicted I think does count.

So, all right, so I have this product, uh, you know, called Pure Cleanse.

By the way, for those of you who watch us on YouTube, thank

Yeah.

who are

Uh,

you can watch our

I, I'm,

Faces on

I, yeah.

Uh, same, same name.

Uh, so I'm holding up a, a, a cup that looks like it's full of pea.

It is not full of pea.

So it, it's a product used for like cleansing, like a room,

Yeah.

Especially of smells.

Right.

And, um.

disinfectant, basically.

an industrial.

Yeah.

And, and, um, but, but from an air perspective.

So you drop a tablet, um, let me see here.

Oh, this is, this is a, this is the way it comes.

You get, you get this, you get this tablet, right?

And you put, you fill water up to that, to the red line, and then you

in.

drop the tablet in, and then you leave the room.

And it, it smells kind of like chlorine, but like really strong chlorine.

And, um, and, and then you, and then once, once that's done

and I

and then you,

is, uh, leave the room.

yeah.

Leave the room.

Wow.

Definitely still some.

So I did that.

I did all the stuff right and then.

I went in and I took it out, and then I was showing it to, uh, my cleaning

person and I was showing it to her.

And then I was like, it smells kind of like chlorine.

And I like popped the lid off and took a whiff and my nose was like

literally this close, and I thought I was gonna have to go to the hospital

yeah.

not convinced that I shouldn't be in the hospital.

Uh, my, my lungs, my, my airways closed up.

Yeah.

Yeah.

And, uh, that was, that was not a good move.

like you dummy, you're not supposed to be sniffing that stuff.

Yeah,

you.

yeah, yeah.

You, you're right.

You're probably right.

It was probably a, uh, yeah.

And basically it was like, it was like I sniffed fire into my air pod, you

know, into my air, long air airways.

Yeah.

It burned like a lot and it's still, and then like immediately, you know,

my nose started running and I couldn't breathe and I, I, I thought I was

gonna pass out, but luckily I did not.

And, uh, it's now an hour later and I'm still

Feeling it.

yeah, I'm still feeling it.

Um, yeah.

you do need to take a break during the podcast and go see, seek

medical attention, I think our listeners would totally understand.

Um, I think, you know, just, uh,

Yeah.

good times, good times.

Uh, so don't do that.

Uh, I like the product.

I like the product a lot, but, uh, don't, don't breathe it afterwards.

Not, you know, something that's meant to be an industrial

strength, like cleanse five.

It's, it's supposed to cleanse 500 square feet.

Then I just sniffed it like a maroon.

Oh, Curtis, Curtis.

Curtis, what are we going to do with you?

Nothing, nothing.

There's, it is just hopeless sometimes.

Sometimes I just ask myself, you know?

But, uh,

But it has been a while though, since you've injured

since I've done something really stupid.

Yeah, yeah.

Well, since I've,

well, no, no.

no.

I, it's probably been 2, 3, 4 months.

What was the last thing?

What are you, what are you thinking of?

Uh, remember when you, uh, were disinfecting a different room in your

Oh

uh, you decided to walk in while said

yeah, I was, that was an ozone machine and um, for those of you that aren't

familiar, so ozone is like oh two.

Right.

I think it's like two oxygen molecules and, um, I have a, again, an industrial

strength ozone machine, and you know, when you have an ozone machine, you're

not, you're not supposed to be in there.

And I, I went in because like, I, I was just sorting out

the, like, the timing part.

And, uh, I went in there and, um.

I was only in there maybe 30 seconds.

And same thing like this, like I, I, I had to go, I had to go sit down

for a while 'cause I couldn't breathe like my, again, my airway constricted.

So I think maybe, uh, for future reference,

Yeah.

seems potentially dangerous, don't sniff it.

Don't breathe it.

Well, I, I held my breath when I went in the room.

Right.

I ne I, I was just in, in there to sort out the timer.

I held my breath when I went in, but I was just in just a little bit too long

and so I ended up having to inhale and I inhaled, uh, and it was not good.

I'm just saying.

Yeah.

Yeah.

yeah, so for those listeners, if Curtis sounds a little under the

weather, that is why we wish him all a speedy recovery and hope he

comes back to his normal self soon.

Yeah.

So, uh, this will be an interesting episode.

We're gonna, we're we're gonna, we're gonna take two episodes, one episode

of Mr. Robot in our continued series.

Spoiler alert, we're gonna talk about all kinds of stuff.

And our continued series on stuff that we can pick up from Mr. Robot.

And the first episode, which is episode 1.6,

Yeah.

right?

Uh, and then second episode 1.7, 1.6.

Didn't have a whole lot in it from a cybersecurity perspective.

It did have a whole lot in it from a crime perspective, but, but not from

a cyber crime perspective so much.

You wanna, you wanna summarize, uh, 1.6 or you want me to do it?

Uh, I'll let you go ahead and do it.

Okay.

Right.

So this,

said, it was all like backstory, which

yeah.

the story, but not so much from a tech perspective.

Yeah.

So you may remember from the last episode, uh, it ended with Shayla's death.

So Elliot's neighbor.

Friend, uh, ended with her death.

This episode opens with like a flashback of when, when he first met her.

And, um, the, um, uh, and then we also see that Angela makes a deal with Terry

Colby, the former CTO of evil corp, that she will testify that she broke

the chain of custody with this DAT file.

And why does that matter?

It's because it renders it inadmissible in, uh, in court, right?

And

Uh,

the

yeah,

like their smoking gun to say

yeah, it's, yeah, exactly.

And so he, he's gonna, um, she's gonna say that she broke chain

of custody, which will then essentially let him off the hook.

But in, in, uh, she, he, he's going to in, um, what, what would you call that?

Um, what would you call that in exchange for him saying that he was

there when they decided to poison, you know, her family essentially.

Right.

Um, then we start to see the beginnings of this meetings with this

mysterious individual known as White Rose, the leader of the Dark Army.

Right.

We've, uh.

and I think in.

1.6. We don't actually know who white rose is.

No, no.

they've kind of talked about it before.

It's like the person who leads a dark army, but like we have

no idea who this person is and they just wanna set up a meeting.

And do you wanna talk about why they wanna set up a meeting?

I.

Um, well this is, this is because they want to do, they want to

be able to do attack all of the different, uh, steel mountain.

Um.

Data centers all at one time, and they need the dark army to be able to do that.

Right?

Yep.

Yeah.

Um, and then, um, you know, we get this, um, we get this, uh, this confession

from Elliot to, to his therapist that like, you know, he's act everything

and he's actually quite open with her, but in the process of opening

with her, he scares a crap out of her.

Like

Um,

Yeah,

yeah.

Yeah.

Uh.

says, I hacked you.

I know everything about

Yeah.

don't take your medicines.

I know all those things about you.

Yeah.

I know your, I know your,

Deepest secrets.

yeah.

Your deepest secrets.

Uh, yeah.

And then, and then, uh, Tyrell, uh, does a little thing.

Yeah, so Tyrell, if you remember from the last episode, he and his wife had gone

and had dinner with Scott and Sharon and there's sort of that entire scene in the

Yeah.

of that.

And

Yeah.

now it's actually where Scott gets officially announced as a CTO and

they throw a shin dig at the office.

once again, Tyrell is like, Hey, I'm gonna go meet up with Sharon.

He is like, come up to the rooftop, I know what you want.

And she shows up and uh, yeah.

And then he basically kills her

Yeah, he just strangles her.

Uh, that was a, that was a sort of an unexpected, you think

they're about to, you know,

yeah.

t wow.

And then next thing you know, it's,

Yeah.

and, uh, that was not good.

Yeah.

Um, so if we forward to, uh, the next episode.

Which is 1.7 AKA white rose.

So you see Darlene stealing a gun, right?

Because she's very worried about the fact that they're gonna meet

white rose and she, you know, she's scared of, of whoever white rose is.

Um, and then, um, we, we learned from, um.

Gideon visits Tyrell, and sort of says, Hey, this is all the stuff

that we've been doing on your behalf.

And he mentions that there actually is a honeypot.

We're gonna talk about that.

That's sort of, I think they're gonna be the key thing we're

gonna talk about in this episode.

But, uh, uh, and, and nobody, nobody but nobody, but uh, uh, Gideon seems

to want this honeypot to exist.

Um, and then, um.

The, we find out, uh, obviously there's this whole thing about, uh,

sort of the, the subplot is Tyrell freaking out about the fact that people

are looking into Sharon's murder.

Uh, his wife finds out about Sharon's murder.

Uh, but then we get, um, the whole big reveal about Mr. Robot.

So there's been a lot of, up to this point, there's been a

lot of people theorizing that Mr. Robot was all in his head.

And it's still, I'm still a little confused because Mr. Robot is his

father, and he's not, he's not old enough to be his father, so that

means he's gotta be in his head.

But that doesn't make any sense because we also have the scene of

him meeting with, with, uh, Tyrell.

Tyrell, and also he's talking to Darlene and all sorts of other things

He's not old enough to be his father.

Right.

Well, eh, I think he's old enough to be his father at the point, because Elliot

goes back right in this episode and he, so, because towards the end, right?

Um, he goes and tries to kiss Darlene.

Right.

Oh yeah.

Oh, I forgot about that.

And Darlene is like, Elliot, do you not know who I am?

Yeah.

like, you're Darlene.

And she's

Yeah.

am I?

then he's like, oh, you're my sister.

You're Princess Leia.

yeah.

And then he, and then he freaks out because he's like,

uh, what all am I forgetting?

And so if folks remember, he like would.

Compromise someone then delete all the data.

But before he did, he would burn it on a CD and keep the CD and name it with like

different bands and things like that.

Yeah.

he goes back and looks and he finds a CD that's not labeled and he looks

at it and he realizes it's his.

And

Yeah.

looking at the pictures and he sees like a picture of Mr. Robot, right?

And he sees pictures of his sister, Darlene and all the rest.

And then he starts putting together.

And then he's like, what is going on?

And that's when the episode ends with Mr. Robot pounding on the

door and saying, we need to talk

we need to talk.

It doesn't, I'm, I'm still confused.

And that, that's because like he's basically the same age

as a

as, as the picture, so.

Yeah.

So I'm very, so, you know, because I'm, I'm all confused,

but, uh, remind me who is Krista.

Krista is the psychologist

Oh, right, right, right.

Okay.

Um, okay.

Uh,

all right.

yeah.

And there's also, so one thing we didn't touch upon, and maybe we'll talk about

it uh, maybe in a different episode, maybe in this episode, right, is one of

the scenes is Cisco, who's the person who works for the Dark Army, right?

Yeah.

Ollie the cd.

Right.

Ollie and was like, Hey, I need you to do this for me.

Yeah.

And then there's this entire scene where Ali is basically in the middle of

this attack that happens on All Safe,

Right.

He goes up to Elliot and is like, Hey, I need you to go drop these

hard drives off at this place

Yeah.

And it was all the setup to, yeah.

It was all a setup.

And that is where he meets, uh, white Rose.

Yeah, play.

It's, you know what's funny is I knew BD Wong was in this episode

because it was in the thing.

And if it hadn't been for that, I'm not sure I would've recognized BD Wong.

But, uh, 'cause he is, he's playing, uh, you know, a trans, uh,

woman essentially in the episode.

Uh, and, um.

Uh, I, yeah, I'm not sure I would, I would've recognized him, but, um, so yeah.

So we're, we're gonna come back to that.

We're gonna, I think we're gonna do a separate episode on that aspect.

But today I, I wanted to talk about this idea of a honeypot, which is a really

cool idea that you can use, uh, and is frequently used in cybersecurity.

And I first learned about the concept of a honeypot.

When reading, um, a cuckoo egg,

Yep.

you read a cuckoo egg.

Right.

Um, and you wanna, you want to do a quick summary of a cuckoo

egg for those who haven't read

a Cuckoo's Egg is a nonfiction recount of Cliff Stoller, I think.

Ital?

Yeah.

Right.

who used to be, uh, employed at Berkeley, and he was managing computer

infrastructure and he once noticed that a mainframe, like the timing

would be off on the mainframe.

he was like, who's using the resources?

This is way back in the day when you shared CPUs and

all the other things and you

it was like a, it was like a three second difference between

the two different time, um, yeah.

Accounting system.

he basically was trying to understand where this was, what was going on,

and he unravels this like giant espionage plot of like, I think it was

hackers in Russia using resources and

Yeah.

use resources and

Yeah.

And,

networks in the us.

and it was early days of cyber hacking and so like they, he went to the FBI

and the FBI's like, I don't understand.

Did they steal anything?

And,

He's like, no, but they're in our network, you know?

yeah, and this is before like the normal internet as we think of it today, right?

Right.

Right,

DARPA back in the day, and the connectivity between like research

institutes and the Pentagon and other things, like it wasn't

as widely open as it is today.

right, right, right.

It's a

Uh

but people should go read.

Take a look at it.

uh, where, where did the term, where did the term Ferage Cage come up in there?

Faraday Cage came

I.

he was going into meet White Rose.

Oh, the whole, the whole room's a Faraday cage.

Okay.

And then there's just this one little thing in there.

There's this, uh, a

Steganography software, uh, that Elliot uses to.

Encrypt or to decrypt some, um, uh, information that he had in his wallet.

There's this thing called Deep Sound, which used to, um, uh, to encrypt

stuff inside a, uh, inside a music, which is kind of interesting, uh, way.

Back to.

Cliff stole in the middle of that story, he does set up a honeypot, and

so you, you want to just sort of give the basic concept of what a honeypot is.

Yeah, basically a honeypot is you create something that's so enticing for the

attackers that they will then focus on that instead of everything else.

And then this thing that you've created, you're monitoring, you're making it

obvious, and you're able to detect when someone is attacking, so you

know that someone's in your network.

Yeah, because the, the one really key thing of a honeypot, at least

a proper honeypot, I, I'd say a couple of things in there, right?

One is we don't want to put anything in there that's actually valuable, right?

Uh, because the whole point is to entice the, the hackers, uh, into that thing.

And then the other thing is that it needs to not.

That no one needs to ever log into the honeypot for any valid business reason.

Yeah,

Um, and and why would that be?

because then it might be used for legit traffic, and you want to

I.

basically know when someone's actually hit it and nothing else should have

hit it except a malicious person.

Yeah, exactly.

So you've got this server that looks very interesting, you know,

a server with, with the name.

Like, here's where all our important stuff is, right?

Um, uh, like, like priority one, documents, so we, we name it

like our 11, herbs and spices,

Hm.

corporate financial stuff.

Um, you know, um, I'm, I'm, I'm hearkening back to being in a, I was at a. It

was a vendor actually in, in my area.

So it was up in the Irvine area and it was a vendor that I was working

with and I just asked for a conference room to like make a phone call.

And I went in the conference room and while I'm in this conference room, I

look up at the whiteboard and all the corporate secrets were on the whiteboard.

And it was like, it was like, um.

No one should see this.

Literally, they, they, they, they, no one needs to know this.

It was something, something I was like, I was just like, uh, I don't

think I'm supposed to be in here.

take us picture?

but I did not take a picture.

Uh, for the record, this was before every phone had a camera on it.

Yeah.

Um, but yeah, so you, you, you, you, you, I guess you, you wouldn't want to

make it super obvious, but you want to.

Basically, um, included in the, in whatever naming convention

that you typically have.

And what, how would they find it then?

Right.

this is where they're doing like network discovery and right.

Right.

attacker gets into a network, they're probably gonna look and say, okay, what

other systems can we try to compromise?

And they will scan the network and say, okay, here's a system.

Okay, are there any ports open?

Are there any, what uh, operating system is it?

Can I actually get into it because maybe it'll allow me to escalate privileges.

Maybe that system has access to other resources.

All the

Yeah.

Yeah.

So during the reconnaissance phase, right, they, they identify

this potential resource and then they, um, they get in it.

And, and what you could also do is you could, uh, you could.

Include maybe some common exploits, right?

Do you remember what my favorite exploit is, or my least favorite exploit?

Depending on how you look at it.

No.

The ransomware deployment protocol.

Oh, RTP.

Right.

Uh, so you, you, you leave RDP on, you leave the administrative

share on, uh, in Windows, right?

Uh, you allow some well-known exploit, uh, to, to be there, right?

So you, you, you, you, you, it's like you, you have this, you have this,

uh, this, this building that's like.

It's flashing red sign, really important stuff.

And then you unlock all the doors,

Yeah.

right?

So you leave RDP open, you leave, uh, you don't have to do all these

things, but you could do one or more of these things where you leave RDP

open, you have a common exploit.

There's two times when you might want to have a honeypot.

One is just a honeypot all the time.

That's a server that's just there, just 24 7 that no one should ever access.

And if they do access, it sets off the klaxon on alerts.

Right?

Um, and then, uh, the other would be if you believe you have been infiltrated.

You don't, I mean, it takes a lot of chutzpah to do this second one,

right, where, you know, you believe that someone's in your network, but

you're not going to cut them off.

You want to see what they're up to.

Yeah.

you could actually sort of turn on this honeypot

And.

and, and, oh, the reason why I was bringing that up is

if you know that they've.

They have a compromised, uh, account.

They have access to a particular account.

You would wanna make sure that that account is available in that server.

The one other thing I was gonna mention, a honeypot, which you haven't mentioned

yet, is you might also run a honeypot just to look for insider threats as well.

Really?

Yeah.

It's a really good point, right?

Yeah.

Curtis, you should not have access to the financial data and.

are you going and accessing a random financial share

Right, right.

Yeah.

That'd be a really great way to find, uh, and you know, and I, I'll say this again.

I'm gonna, I'm gonna think about another one of my favorite TV shows.

I am The Danger No, no.

I am the Danger.

I got nothing,

I, I am the one who knocks nothing.

nothing.

Um.

Breaking bad.

Oh,

So the whole thing with, with, with the, the reason why he was so, one of

the reasons why he was so successful is the concept of hiding in plain sight.

Right?

Once that veneer was off, it, it took five minutes to figure out, to, to

prove that he was who he, who he was.

He, what was it?

What was his thing?

What was his name?

the German, the.

Heisenberg it o once the, once the whole, the, the, the,

the book on the toilet thing.

Once that came out, hiding in sight only works.

I if, if no one is looking

Yep.

right.

Um, and so, like, for example, uh, Marty Bird, uh, in, in Ozark, he was.

Not hiding in plain sight.

Everybody knew he was up to the, the, the genius of that was that he,

the FBI's looking directly at him and he manages to not get caught.

Why?

What, what's relevant in this case, a honeypot only works

if nobody knows it's there.

Yeah.

And so when we have this in the episode, uh, Tyrell, uh, finds out that the

honeypot and what, so it's kind of funny.

him.

Gideon tells him that there, that there's a honeypot and it, it's

like, why did you tell, I mean, I guess Gideon, you know Gideon's

didn't wanna

a, you know.

he didn't wanna lose a business.

Right.

Oh, that's right.

He wanted him to know about all of the different stuff that

they were doing to make sure

because he also had to tell him about, uh, Angela and the DAT file and

I.

Kolby,

Right?

Yeah, yeah, yeah.

So good news, bad news, good news, right?

So he's like, I want to, I want you to know about all the things we're doing

to try to find the, the bad guy, right?

Um, and what I don't yet remember is why, what was Tyrell doing with the Honey Pot?

So he wanted to go because he realized that, so here's the thing is I don't

think they quite got Honey pot, correct.

Okay.

well, I think what they were referring to is they knew that,

or they, Gideon suspected that that server was still compromised,

Right.

and so he set up monitoring on that

Uh.

than creating a new instance.

So it's still essentially a honey pot because he's monitoring it.

He's like firewalled it off from everything else so no one

Right.

it

Yeah.

He, he makes a point of saying that he, they think they're on

the network or the on the main network, but they're actually not.

Yeah.

They fired a while it off.

Yeah.

Right.

And so, so then Tyrell wants to go and look and say, okay,

what have they compromised?

Right.

Which is when he starts digging in and that's when you're like,

oh, we don't know what's going on.

And he has to leave because of the murder investigation.

Yeah.

Yeah.

Yeah.

Um,

also interesting though because even though he said yes, I fired it

off from the main network, Tyrell from his desktop PC was able to

SSH into it and connect into it.

LA la show is great.

I don't wanna hear any facts.

Um, yeah.

You know, I was gonna, yeah,

Which,

has his station over there.

it's all like V land off, and it only allows inbound connections

into that honeypot, right?

So,

Sure.

We'll, we'll, yeah.

Um,

being nitpicky as a

yeah, it's okay.

person.

It's, it's suited.

But, um, but in terms of, so I, I would just say that, you know,

if you haven't thought of the idea of having a honeypot server.

Or multiple honeypot servers.

Again, you know, you wanna, you wanna leave it with some common exploits,

you wanna leave it, uh, available.

You wanna make it look like it has some interesting stuff.

Um, and again, I I, there's all these TV references that keep coming up

in my head when I think about this.

And, and a lot of them have to do actually with, uh, with Alias a TV show alias.

There was, there were a lot of.

Systems in there.

There were a lot of episodes there where they would, they would

want to make the, the bad actor

It's almost like

believe that they Yeah, they, well, they want the bad actor to believe

they got something great when in reality they gave them garbage data.

Yeah.

Right.

Um, and, uh, so, um.

But, but, but that is the point.

A again, it only works if, um, it only works if they don't know it's there.

Yeah.

It only works if they're able to get in, right?

And again, if there's anything sniffing at those ports, it's a bad actor, right?

And so then you can do some, some, um, forensic, um, analysis and you

can figure out where that person is coming from and perhaps that will then

allow you to shut off that person.

Or the other thing is maybe it'll help you understand what are they looking for,

Right, right.

Because that's almost as important.

Actually, that's probably more important than just shutting them out, right?

Agreed.

And you know, because you know when I've talked with Mike a lot, right?

Our, you know, my.

Dr. Mike.

Mike?

Yeah.

Mike Sailor, my fellow co-author.

Fellow co-author.

That's redundant.

Yes.

co-author for my upcoming book, learning Ransomware Response and Recovery,

which by the way, I just found out today is actually already on Amazon.

Woohoo.

You can, you can pre-order it on Amazon.

Nice.

I was like, well, I should probably finish the day

we're in.

Um, we're in the fa we finished tech review.

The tech reviewers, uh, gave it overwhelmingly positive reviews.

Uh, you know, if you, you know, change this, change that emphasize

this deemphasize that, um, we, one of the things was that we did was we

reduced, there was a history session, like the history of ransomware,

and they're like, nobody cares.

Nobody cares about the history.

It was just, I think the only point of the history was.

To say, you know, this has actually been going on for a long time, you know,

all the way back since the eighties.

The first,

like it

um,

one page rather than like an entire

yeah, that, yeah, it was like five pages.

Yeah.

Um, and, um, so the one page, or the, the, the first known, the first

malware that's considered to be ransomware was actually called the

aids, um, Trojan back in the eighties.

Um.

But, uh, anyway, so, oh, go back to Mike.

One of the things that Mike talks a lot about is once you've like, stopped

the, you know, the attack, uh, or while it's going on, but, but, but generally,

once you've stopped the attack.

Now's the time to do forensic analysis to figure out how did the attack happen?

How did they get in?

And the honeypot system would be a prime way to do that, right?

Because if, if it's a good enough honeypot, perhaps there's many honeypots,

Yeah.

you're gonna see them logging in and you're gonna say, oh,

they logged in from this system.

Then you can go look at that system and you can see where that system,

and you can follow the trail

It's

where it leads.

Yeah, exactly Right.

And then the other thing, the other key to that is, is that log storage, right?

Uh, as, as much as you can set up log storage systems so that logs

don't get just randomly deleted by the, by the threat actor.

and preferably don't log locally.

Yeah.

Yeah.

That's what, yeah, that's kind of what I'm saying, right?

Se set up a system by which these important logs are stored

remotely, uh, and, and immutably.

Yes, I was gonna say, protect that log system just like you

would protect your backup system.

Yeah, exactly.

Uh, it's a great use for an object storage system with immutability turned on.

Right.

Yeah.

Just as the logs are, you know, created, shipped them off to the, um,

you know, this other storage system, uh, because it is, it is very common.

Um, you know, I was just, uh, you know, I just got to the part of the book where we

were talking about how that, you know, um.

Intrusion detection systems and, and, uh, EDR systems and all these

things, they're really only great at stopping the initial attack.

Once someone has access, one of the first things they do is shut those off.

Right?

And,

there

okay, go.

an article earlier this week, or maybe it was last week, talking about how

a lot of these malware operators now either have custom tools or off the

shelf tools to actually disable EDR.

Yeah.

Yeah.

Uh, and so, and, and another thing they're gonna do is to, is to basically

wipe the logs that will show the, you know, the, their, their trail.

And, um, and so the, the key to that is to store that stuff, uh, externally.

what Elliot did during the hack, right?

Would he?

Yep.

Yeah, he did exactly that.

Um, can you think of any, like, additional thoughts on the idea of a honeypot?

Uh, not so much on the honeypot.

No, I think that was it.

The one thing I did wanna bring up, not around the honeypot, but just

to quickly cover, is, um, also like Darlene was trying to set up this

meeting with White Rose, right?

And so she kept pushing the dark Army and do you remember what she did to Cisco?

No.

So Cisco is a guy, her contact at the Dark Army.

Yeah.

hacked his system, impersonated him their IRC chat channels and

basically is the way that she, uh,

Oh, right, right, right,

to be able to get a meeting on the books with white rose.

right.

was like, don't talk to me.

We're done after this.

I can't believe you hacked me.

So.

Yeah,

No honor amongst ths, I guess.

yeah, yeah.

Um, yeah, that, that, that was, uh, you know, when you're dealing with people

like this that are this, that this good at like, getting into your systems,

uh, kind of all bets are off, I think.

could have benefited from a.

Yeah.

Yeah.

Uh, it's, um.

Just thinking about, um, you, you know, you know, it's funny, um, I

got, I got, what was her name again?

What's her name?

Darlene,

Darlene.

Yeah.

I got, I got, uh, uh, my wife and I got Darlene this week.

Oh really?

Yeah.

So we got this, uh, this text message from my daughter.

That said, Hey, um, when do you guys, do you guys have time on Sunday to

do stuff for Lily's birthday, right?

were mentioning, yeah.

Yeah.

And so, you know, we worked it out and we, we, we were working it out.

You know, I want to make sure my, my other daughter's there and, and um, and so I

called, I called my daughter and I said.

I was like, Hey, so, you know, um, you know, da da da.

We're try to work this out.

And she's like, you know, I, I work on Sunday, like I work Sunday evening.

She works nights.

She's like, I work Sunday evening.

And I'm like, well, you're the one that sent the text.

And she's like, no, I was not.

I was asleep.

Lily took my phone and sent the message, asked me, when do you guys

want to come over for Lily's birthday?

Oh my gosh.

That girl.

So in, in four hours, we'll be having dinner with Lily, um,

as orchestrated by Marissa.

That is hilarious.

My, my granddaughter, the hacker.

Hmm.

Uh, she got access to her cell phone.

She must know her pin too.

Yeah.

Yeah.

All right.

Well, uh, hopefully you found some inform, you know, you found

some useful information here in our discussion on honeypots.

We're gonna continue talking about this episode in our next week.

Uh, and, uh, I, I think that'll be good as well.

Dun, dun.

Wait to hear, to

Done.

us talk about persistent access.

Yes, absolutely.

All right, well, thanks, Prasanna for having another chat.

Uh, I hope your breathing gets better, Curtis, but you do sound a lot

better than when we first started, so

I don't feel any better.

Um, literally I feel like, like I inhaled chlorine.

Like it's just not, it's not good.

do you still have your scuba tanks with oxygen?

Those don't, those aren't oxygen.

They're just air.

Okay.

You don't put oxygen.

Air,

Don't, don't, don't, don't stay in your lane, buddy and with

that, thanks folks for listening.

Uh, that is a wrap.