Cybersecurity: Amplified And Intensified

5. FBI Managed Security IT Services.

April 14, 2021 Shiva Maharaj/Eric Taylor

The FBI, sealed warrants, compromised Microsoft Exchange servers, cloud printing, RDP, less than secure SSO, daily patching and more.

Eric Taylor
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj
Twitter: kontinuummsp
www.kontinuum.com

Bleeping Computer article referenced:
https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/


BARRICADE CYBER
Barricade Cyber provides Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
Because you're entitled to support that's actually supportive.

Otter.ai
Otter.ai provides audio transcription services to help you get your message across.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj  0:00  
This is the cybersecurity amplified and intensified podcast. So what's on the docket for today? 

Eric Taylor  0:06  
Not much on my side. I know you wanted to talk pretty extensively about the FBI situation that has been going on, them going into Exchange servers via a warrant, which you brought up earlier today. 

Shiva Maharaj  0:20  
I think it's a good way to dovetail into patching in general. With all the CVEs that are going around, now's the time to really start patching on a shorter cycle. I know a lot of people say they test their patches for 3, 7, 10 days, whatever that number is, and we know they're not really testing it. They're just waiting for all the rags to tell them what works, what doesn't work. But with the rate of new disclosures, I think you have to do daily patching and almost hope things don't break at this point. 

Eric Taylor  0:20  
It's a real fine line that we got it to them, too. So I guess let's go ahead and dive into the FBI situation. Let's go from there. 

Shiva Maharaj  0:57  
Sounds good. So this morning, I read a link that one of our colleagues posted in our private Slack. And it indicated that in Texas, a magistrate judge signed off on a search warrant to allow FBI agents to go into a list of Exchange servers over the course of 14 days, to not only take forensic copies of the web shells, but to also remove the web shells. Nowhere in that article on Bleeping Computer does it indicate the servers have been patched. So is this a case of the FBI going in, doing whatever it is they did, and the servers are still left vulnerable? And the reasoning behind the FBI warrant was that the in-house IT or the outsourced IT some of these companies were using did not have the skill set to track down the web shells? What are your thoughts? 

Eric Taylor  1:47  
So here we go. Let's just dive into a whole treasure trove. So for clarification, when you look at the warrant information, some of the leaks that are going under Bleeping Computer, they had carte blanche access to Exchange servers for no more than 30 days. So they were allowed to go in and exfiltrate or penetrate into Exchange servers that have the ability to have a web shell exploited on them. They simply said that their argument was to be able to go in and patch these things, kind of like what you said, because the FBI felt that these companies may or may not have the technical ability to update the servers in a meaningful fashion. Which, to everybody's knowledge as of this moment, according to the FBI, what Bleeping Computer or some of these other articles are saying, there's credit saying the FBI has removed this exploit, but it has not been confirmed. And the FBI has not disclosed which companies they have had access to, you know, what did they do when they actually had it, because some of these Exchange Server exploits are really, really, really nasty. So being able to fully exfiltrate any and all data on these Exchange servers and be able to have lateral movement inside of a network because of Exchange Server has been noted in a lot of these exploits. So that's really a massive issue for me. So not only were you able to get a, quote unquote, no-knock warrant, if you will, a non-disclosure warrant, but nobody has freaking disclosed, to what we can tell, to the company that the FBI was in here, they patched this for you, nothing to worry about now. Right? So why are they taking the stance that Exchange servers, according to the FBI, provide such a grave security issue to businesses in America, but they don't do anything about open RDP ports? 

Shiva Maharaj  3:48  
Did you read the last paragraph of this article? And I'm going to read it off here. And for those curious, this is the Bleeping Computer article entitled "FBI nuked web shells from hacked Exchange servers without telling owners." The last paragraph of this article, and I quote: "The FBI is now in the process of notifying victims whose Exchange servers were accessed during the operation. The FBI will send these notifications via email from an official fbi.gov email account, or, if contact information is not available, by using a service provider (ISP) to contact the victim," end quote. Now, here's my question: if they requested the warrant because these companies didn't have the internal personnel with the skill set to deal with the web shells, wouldn't they already know how to get in contact with these companies? 

Eric Taylor  4:38  
Oh, absolutely. And this is where everything throws a massive red flag. There was zero vetting at all, because they just had an open... It's almost like running a Shodan report saying, okay, I want to find anybody with this type of CVE that's been indexed in the last 15 days. All right, I'm gonna submit a warrant on that. It's almost what they did. 

Shiva Maharaj  4:58  
Take it one step further.

Part of the affidavit for the warrant indicated that these companies may not or do not have the expertise required to remediate. Now, if you don't know who these companies are, how do you know these companies don't have the talent? Was it a matter of random selection? Was it a fact that maybe these web shells were left out there far too long for the FBI's comfort? Or were they targeted? And are we ever gonna get a list of who these companies are now that the risk has been mitigated for this report?

Nacho  5:34  
So, yes, there is. It's very interesting that, you know, there is that line in there that, quote, the FBI requested this warrant because they believe the owners of the still-compromised servers did not have the technical ability to remove it on their own and the shell posed significant risks to the victim. The one thing I want to state here is, they believed that the owners didn't have it. There's no proof. You know, I'm going to get a little bolder, apparently a little hot on this one. So anybody listening, forgive me, because here we go. But there's no fucking vetting. You know, they just went in and said, hey, we don't care, all these people are still able to be compromised, we want to close this shit up. And I guarantee you, dollars to doughnuts, while the FBI is in there, they're data-exfiltrating your ass. 

Shiva Maharaj  6:24  
No.

What are you talking about? Come on, 

Nacho  6:29  
To the last point: are we ever going to know now without a FISA warrant, or not without a Freedom of Information Act request, a freedom of information disclosure? And even that probably heavily redacted. 

Shiva Maharaj  6:40  
Is a FOIA request really going to be responsive if it's wrapped up in FISA? 

Eric Taylor  6:45  
This wasn't a FOIA, though. 

Shiva Maharaj  6:46  
No, no. FOIA is a Freedom of Information Act request. If someone made that request, who's to say there's not a second warrant under FISA for the data exfiltration part? I can't imagine they're going to run it through regular DOJ channels. 

Nacho  6:59  
No, because I mean, the warrant is public record. So I would imagine the FOIA would be able to be implemented. Your... the files are... 

Shiva Maharaj  7:08  
It's live on the internet. It was sealed, and it was just unsealed, which is why the story broke.

Nacho  7:15  
So I still want to know why they went after Exchange servers and not all these other exploits.

Shiva Maharaj  7:19  
Is RDP a bad thing to leave open on the internet?

Nacho  7:21  
No, no. VNC, you know, just leave that open on the internet too, please.

Shiva Maharaj  7:26  
I just put printers with a live IP on the internet. Cloud printing at its finest. And for those listening, we are being completely sarcastic here. Please don't put anything live on the internet without protection. Thank you.

Nacho  7:38  
Well, to be fair, we do know a company, and I don't know if they're playing or not, but they're actively like, yeah, just IPv6 it and put everything on the internet, because whatever, we have a firewall that's in place that will protect it. And yes, no. 

Shiva Maharaj  7:56  
That is just the tip of the spear for me, man. I

can't comprehend the complexities needed to pull that off successfully. I see Nacho's here with us. Hey, Nacho, what are your thoughts on the FBI no-knock warrants to remove the web shells?

Nacho  8:10  
Well, the warrant is just like a pen tester's scope. They have to have a scope of what they're looking for, and it has to be detailed. Unless the judge gave them the full freaking go out of town.

Shiva Maharaj  8:22  
I'm looking at the article here, and they have screenshots of the request. And it's basically to delete the web shells themselves: "The following is an example of one of the delete commands that will be sent through the web shell anonymized located at," and they give you a redacted URL. But my concern is that they went into these systems without notifying the owners. It's not like they don't have the manpower to do an in-person consultation with the owners if they want; their excuse was to keep it off the email system so the bad guys wouldn't see it. But there are tremendous privacy risks here, don't you think?

Nacho  8:57  
Don't even get me started with that, dude. I happen to know a whole bunch of these folks, higher up actually, and the stuff that I've seen with warrants and warrantless things that they've been pushing. Just recently, I had a huge argument, because of something similar, and maybe it might be related to what you're referring to. Just by chance, once in a while, they come and ask me, why I do not know. But the query was, what do you think of this? It has to do with child porn. And they were saying, well, we can go in without a warrant, because the way they work the child porn is there's certain code and certain images, right? And those images get floated around, stuff like that, and that's how they get their lead.

Shiva Maharaj  9:41  
Right. But that's an operation where they put out certain images, or they tag certain images, where they can track it. So you technically may not need a warrant in that case.

Nacho  9:49  
Well, I mean, you're going to go into a machine, or you're going to go into someone's home, bust the door open, go get the CPU. Do you need a warrant or not?

Shiva Maharaj  9:58  
Yeah, you need a warrant for that, unless there's imminent danger to a child or something like that. Listen, if there's imminent danger to anyone, by all means, right?

Nacho  10:06  
The argument was that they didn't need a warrant for that, because the ISP is the one that notifies them: hey, boom, we got this. So we already have knowledge that that machine has it, so we can bust the door and get the CPU without a warrant. That was what they were asking. I was like, no, I don't think you can do that.

Shiva Maharaj  10:24  
I'm pretty sure they would bust the door in, slap a warrant on someone, then slap the cuffs on, or vice versa, whatever the case may be. 

Nacho  10:31  
They were

saying, without a warrant, grab the device without a warrant, because we already have knowledge that that system has it, because the ISP verifies it. So we don't need a warrant to get in. Okay.

Shiva Maharaj  10:45  
I mean, I get that, but I don't want to steer off the topic of the Exchange Server, because I think those could potentially be two different scenarios.

Nacho  10:51  
You're right. Sorry. In my example of what I've gotten... 

Shiva Maharaj  10:55  
You know, with the Exchange Server,

what got me about this article: the affidavit for the warrant states there was a need to patch these by the FBI, because they don't know if the company's IT services, internal or not, were capable of doing this. Then at the end of the article, it states they don't even have contact information for some of these companies. So how did they make that determination that there wasn't enough talent in house or under service contract to remediate? And that's my real question here.

Nacho  11:25  
I think that really goes back to what I was mentioning a moment ago. I think they ran something like a Shodan report for certain CVEs that are still exploitable, and that's how they...

Shiva Maharaj  11:35  
You know, could very well be. I'd really like to see how this plays out in the coming weeks. And I hope it doesn't get killed by other news stories in a day or two.

Nacho  11:44  
Palantir is the reason for this?

Shiva Maharaj  11:47  
Of course. Palantir is just... I joke around with some guys I know that Palantir is the real-life version of the AI in Person of Interest.

Nacho  11:55  
Yeah, man, that stuff they do is insane. You know, when

they sell it to the highest bidder? 

Shiva Maharaj  12:00  
That's just the way it is. Right? I mean, it's pay to play, unfortunately. And some of the people that probably have access to these things outside of the US shouldn't. But hey, that's a whole different thing. Nacho, what's your take on patching, updating: Windows updates, third-party software, device firmware and such like that?

Nacho  12:17  
It's a must, especially after SolarWinds, you know what I mean? 

Shiva Maharaj  12:19  
Well, no, no, no,

let me rephrase my question. Yes, it is a must. I think that's the bare minimum anyone should do, amongst other things. However, with the frequency of new vulnerabilities being disclosed, should we be holding back patches for three days, seven days, whatever the case may be, or just start patching as soon as it comes out?

Nacho  12:37  
If you wait three days, or you wait whatever, some individuals or organizations are not aware there's an obligation by the company to go ahead and do it. It's a real tricky situation on that, because I mean, I understand where you're coming from. But you're damned if you do, you're damned if you don't. We need to go ahead and patch. I mean, I'm looking at one that just came out. I don't know if you guys... I know, sorry, going off the rails again. I don't know if you guys heard about the new one that just came out for the Mac and Linux OS. That one just came out, you know, and there's no patch for it, because antiviruses can pick it up.

Shiva Maharaj  13:09  
That's almost a firmware or hardware issue at this point. They probably need to rewrite the core code.

Nacho  13:15  
Yeah, no, I think this one has to do with... I forgot the name of it, I have to go back and look at it. I read it earlier today, and I was looking into it because I was looking for a patch for that. And they're like, no, there's no patch for it. Here's where you find it, run the code, and it's there. So it's not a hardware thing. It's a software vulnerability having to do with a web browser, and how Linux, and obviously Mac, because the underpinnings of Mac are BSD, work with that particular software. And it mimics legit software, just like other ones that you've seen before. But anyway, sorry. 

Eric Taylor  13:48  
To get back to the topic, I think a lot of this really goes back to kind of what Nacho was saying a little bit, but I'll hone in on it a little bit better, or a little bit more, I should say, not saying better. But at what point are you applying patches, whether Microsoft or third party, to mitigate a potential threat in lieu of potential complications or downtime from various integrations or line-of-business apps or processes inside this stuff? You know, that's really what it boils down to. And you know, I think even in the pentesting world, we're not seeing a lot of us, because most of us are mid-level, I'd say, with the exception of some really high-end guys who are just insanely brilliant, but it always takes pentesters and stuff like that at least a couple of days, even after a zero-day's disclosure, to really build out a working proof of concept. So I'm more in line with you, Shiva, on we need to almost get to a zero-day patching policy, you know, as soon as it's implemented and it's released.

Just push it and, you know, mitigate the specific sort of security issue versus the business implications or

Nacho  15:09  
the impact on the business that may, you know, said patch may actually have. And I think that may be where you're going with it.

Shiva Maharaj  15:15  
I'll tell you what my patching looks like for my clients: it's a five- to seven-day hold, depending on the type of patch; however, the patch window is every day. So if there's an out-of-band patch put out by various companies, after its hold period, doesn't matter what day of the week it is, it will get installed. And my clients are fully aware to save everything, because they could potentially be patched every night. Now, the question is, do I just go ahead and remove that hold, or make it one day? Or do I accelerate my testing process?

Nacho  15:47  
Now? I mean, you kind of hinted on this: how many MSPs, security firms, are actually doing a vetting process of the patches, versus, you know, watching everybody else and listservs complain about a potential patch before they whitelist or blacklist a patch?

Shiva Maharaj  16:04  
I don't think there are many providers out there who are actively testing updates for, like, hardware that they have, whether it's Windows, third-party software, firmware, drivers. I actually know IT providers who haven't touched drivers in years, because they're afraid of something breaking. And I just laugh.

Nacho  16:23  
Yeah, I mean, one of the biggest things that we always joke about, though it's always a bane of our existence, is printers pushing out. Now we're actually finding some of the latest HP printer updates that were released, trying to get those frickin' installed, and some of these are applying firmware changes and stuff like that. Those are connected by USB, and it's just a giant pain in the backside. We're at a spot where a lot of MSPs are avoiding driver updates because of situations like this, you know, maybe they're just too small and not equipped enough, or whatever, to be able to take on that type of burden. Like, whatever, it's a printer, there hasn't been one of those HP "we'll smoke your toner" exploits in a couple years. But, you know, I guess it really depends on where you're at in your security lifecycle.

Shiva Maharaj  17:09  
This really goes back to the low-barrier-of-entry complaint I have about our industry. There's no baseline, there's no standard to follow. If you want to be an IT professional, it's get a laptop, hope it works, and go sell your time. And that's it. That's the barrier to entry.

Eric Taylor  17:27  
Yeah, exactly. I mean, we know plenty of vendors that are out there where you literally have no minimums or a $50 minimum, you know, to get in the business and start doing it. So it's crazy. Not to disclose what we've got, you know, I was telling you about this earlier that we just got pulled into a deposition, where we were quoted as the incident response, and they are kind of going back and forth about who is to blame for the breach. And the insurance company wants someone's head on the platter.

Shiva Maharaj  18:00  
Yeah, because they want to subrogate the claim.

Eric Taylor  18:03  
It's kind of the stuff that we've been talking about for the past couple weeks. They want to see who's to blame, and they want me to point the finger at him. I'm like, I don't know if they can, because, one, there was little though no logging; two, the ISP was selling a managed security application to the customer that, under their own admission, had zero policies, because the owner at the time of the order and implementation of the circuit with the firewall did not want any. Evidence was destroyed. Our entire scope, before insurance was even in question, was: we want to get back up in business. We don't want a delay in finding out the forensics, we don't want a delay to find out how they came in, we're just saying come in. I mean, me and my team, we've got a strong suspicion of exactly how they got into their network and the path that they took, but there's no logging. So there's no proof of anything. And we couldn't really spend a whole lot of time, again, because the client wasn't paying for it, and they didn't want that.

Shiva Maharaj  19:05  
Without going into too much detail here, by what you just described, I would venture to guess this client did not have an IRP in place for anything. They did not, you know, in this day and age, you cannot not have IRPs for everything. It's just the nature of the connected world that we're in.

Cristina  19:24  
Yeah, great. So I just did a two-hour training on ransomware, which was very, very insightful and very interesting. If you guys don't mind: so I'm working in the legal field right now. I used to work in cyber, and now I'm back in legal and trying to pivot back to cyber. What are the current trends, and how are you mitigating, you know, the ransomware risks? Could you talk about that a little bit?

Shiva Maharaj  19:50  
Eric loves talking about the onion.

Eric Taylor  19:55  
Yeah, so that's, you know, I'm listening to him: ogre, and many layers of security. So, you don't know us at all: Shiva runs a managed service provider, he is a security-first managed solutions provider and managed security solutions provider. I'm an incident response firm and penetration company. So we're definitely into those. But the ransomware, I would definitely ask you, if you have time, at the same time on Monday to come back, because we did really have another discussion on ransomware all day long. I don't want to shy away from that ransomware conversation by any means. But I do want to kind of keep at least in line somewhat around kind of this whole Exchange thing, if you will.

Shiva Maharaj  20:40  
We could lay into the web shells that could have been used to launch ransomware.

Nacho  20:44  
You know what, that is a good segue, because how many Exchange servers were actually breached with ransomware because of the remote code? Not at all? I want to say I've seen some reports about that before. I don't think Nacho's available.

Encrypted  21:01  
Are you talking about the Verizon data breach report? 

Shiva Maharaj  21:03  
No. Hafnium? 

Encrypted  21:05  
Not familiar with that one. Can somebody drop it in there? I can look it up.

Eric Taylor  21:09  
Yeah, if you're following me on Twitter, I'll drop it over there. 

Encrypted  21:11  
Challenge accepted.

Shiva Maharaj  21:12  
A quick synopsis: Hafnium is basically a remote code execution, web shell vulnerability that was found in Microsoft Exchange, I want to say maybe 2008 on forward, supposedly not affecting Office 365 systems, so only on-prem, and the FBI mitigated the risk on some Exchange servers without notifying the owners prior to.

Nacho  21:36  
So I want to push back on that a little bit and say, I don't know if it really only affected Exchange servers on-prem. You know, if you look at the downtime of Microsoft 365 over the past year, they've had more downtime issues around Exchange and things that interact with Exchange, more than ever. So I'd almost say that 365 was impacted. The level of impact is questionable, but I do think there was some impact possibility there, and they were scrambling to patch things, and that's what may have brought it down. But it's pure speculation. Right. So

Shiva Maharaj  22:12  
How about you, Encrypted? Anything new in your world since we spoke last week?

Encrypted  22:16  
Yes. Every day is a new day, new challenges, keeps me on my toes. I am currently looking at Okta. I find it mind-blowing that, for us to self-serve, it's supposed to be more secure, but it only allows you to set up one security question. So if you're an end user and trying to reset your account, it would send you one push notification, which is something that you have, to your phone, and then second it would ask you to answer the one security question. I'm not sure, A, why it doesn't allow you to set up more than one security question, and B, why does it give you an error message that is very prescriptive of what you did wrong in a self-serve process? Does anybody know? Does anybody have familiarity with Okta?

Nacho  22:58  
So, I'll get at it from a penetration standpoint. I can tell you this: from a lot of the times where we do cloud integration penetration testing, did you know that I could set up, or at least as of two weeks ago,

I could set up a free trial, awesome, I could input anybody's address that I want to, whether they're part of my corporate domain or not, and send them a password reset, put them in the middle there. So when you put in your Okta password reset information, I now capture that. I don't think Okta is the end-all, be-all of security. Yeah, I would highly recommend looking at a different solution, if at all possible. 

Shiva Maharaj  23:35  
My preference for identity management and such like that is going to be some version of Microsoft 365, Azure Active Directory, and/or Duo Security. Everything else out there just does not sit well with me, for various reasons.

Encrypted  23:51  
Yeah, I'm a huge fan of Okta, and so many other things. But yeah, this is just mind-blowing. Why would they allow you only to set up one question, and then set up a free account and then send... like, why would they do that?

Shiva Maharaj  24:03  
It's poor architecture and design.

Eric Taylor  24:05  
I think, and it's what Shiva says a lot of times that we actually joke about, it's the low barrier of entry: trying to make the path of adoption as resistance-free as possible. That's why they do it. 

Encrypted  24:16  
I have a dry erase board, and then we track zero days, and Steven accidentally installed Office 2016.

Keep adding days. We had a guy that would install outdated EOL software, and he had it on a machine. Yeah, it was just one of those, and he's really passionate about security, can't really blame the guy, but we almost call it the self-induced DDoS. It was delightful. So we have this joke in the office where everybody has a dry erase board and writes down how many days it's been since someone installed outdated software.

Eric Taylor  24:50  
Oxymoron, right, where you've got somebody who is security-minded installing out-of-date, end-of-life software.

Encrypted  25:00  
No, no. I

mean, I didn't give you the context, Eric. His role is to basically pretend to be the dumbest user in the organization, somebody that found the free software online, they happen to have local admin rights, let's see how far I can go, that sort of stuff. But yeah, insider threat. Yeah.

Eric Taylor  25:17  
Clever. They should do that as context. That is interesting. That's almost Table Talk worthy, right there.

Shiva Maharaj  25:24  
I'd like to set that up somehow internally.

Encrypted  25:26  
Are you clear with your stakeholders, man? I mean, you can't just post up and start putting stuff in your network and installing.

Eric Taylor  25:33  
What the owner, so stakeholder, approved.

Encrypted  25:38  
Stuff approved. To talk about what toxic combination or incompatible duties were.

Eric Taylor  25:44  
I think you destroyed the rest of my week, trying to set up some Azure stuff and start playing again.

Shiva Maharaj  25:49  
The engagement agreements we have with our clients, we pretty much get carte blanche to do whatever we want, as long as it's in the course of making them better prepared for dealing with incidents. So this is definitely something I am going to look into this week. 

Eric Taylor  26:02  
In your world, Shiva.

Nacho  26:02  
Well, correct me if I'm wrong, and I think maybe I'll work in some of my conversations, too. So we tell the owner of the company that's our client, and say, okay, have your X number of team members inside of the organization click one, and tell them to see what they can do inside the network before we detect something. Yeah, so you really have that almost double-blind stuff. So you're not advising your team they're going to do something; you don't know who in the company is doing it. You know what company, but your team is blind to it. And let the fun begin. Things start hitting the fan, you promise the business owner that you'll step down, calm everybody back down, and let them know this was an exercise and good work all the way around. Whether we learned from this...

Shiva Maharaj  26:52  
I would take that one step further. Have one of my people, in the pre-COVID days, go into that office and get the user to allow them to raise hell with their user's identity. Because I know my guys are very capable of breaking stuff if they wanted to, and really put it through the paces. So now the client knows what's going on. They know it's a type of war game, and it's on my other team members to determine what's going on and mitigate and work the problem.

Eric Taylor  27:21  
Oh, I wonder how much that new software CISA released, that was mimicked after the movie WarGames, how much that plays into this?

Shiva Maharaj  27:32  
I don't know. Let's find out next week. Let's get a project.

Eric Taylor  27:37  
Encrypted has given me some ideas. Thank you, ma'am. 

Nacho  27:41  
What's the fastest you guys have gone in, time-wise? 

Shiva Maharaj  27:44  
What do you mean fastest?

Nacho  27:46  
In other words, into the system you've breached, you're good to go. 

Eric Taylor  27:51  
So I mean, if we swap out just the reconnaissance, the infosec side of things, that could take a day or two, maybe a little bit longer, depending on the size of the organization, right? If we just take that out, typically a day or two, we're... I mean, that's when we're doing a ton of homework on the front end, right? So we've mapped out the entire attack vector, we know how we're going to try to go in before we even go. So you're having something as little as a domain name, and just going through that is kind of what we do. So I'll answer the question, but that's really a loaded question. It's like, how fast can you breach an RDP password?

Shiva Maharaj  28:27  
I think the fastest I've ever seen a pen test be successful is when there has been human compromise. And that can happen in as little as minutes of being on site or on a phone with someone. But as Eric said, that does take time for preparation. You can't just go in cold without doing some homework on the targets.

Eric Taylor  28:48  
Yeah, I mean, that brings up the conversation I had, I think with you, Shiva, earlier this week, where another one of our incident response clients that we were working on wanted to know if we were playing a war game with them, because one of their team members of the company went and bought, come to find out, I originally thought it was $1,300, but it ended up being $2,600 worth of gift cards, scratched them off, and sent them off to the hackers, taking them as the owner of the company. Originally, the assistant thought, oh, well, it's just a, quote unquote, war game, or, you know, a real test, no real money lost. And I'm like, no, we really didn't have anything going on with you guys right now. The owner would know if we were. We just lost $2,600. We will not try to exfiltrate money out of your organization by any means. So it's crazy that people still fall for garbage. Right?

Shiva Maharaj  29:44  
I think part of it is lack of training. And then some providers just don't install the tools and configure the necessary tools to help mitigate these phishing attempts. You know, I don't know if that was by email or if that was over the phone. If it's over the phone, God help you, but via email, there are tools out there to help block some of these things. And the last mile, which is usually the most important, is user training. As long as you're not whitelisting domains.

Nacho  30:12  
Yes, definitely. This wouldn't disclose anything, but it's definitely a Microsoft 365 tenant. So, looking into it, we could definitely see where the existing IT provider is not configuring the 365 tenant properly. So I advised them, there's a bunch of stuff that can be done, you really need to talk to your provider, set this thing up, because it's really not there.

Encrypted  30:34  
So, just verify that was the key message.

Nacho  30:36  
Exactly. Exactly. First conversations are always funny, especially when we are doing subdomain takeovers, and just getting those first introductions. It's like, yeah, love. Yeah, I mean it. You know, we come here with peace and love, as some of my buddies like to say.

Shiva Maharaj  30:52  
Okay, Eric, do you want to take us out?

Eric Taylor  30:55  
Absolutely. So thanks, everybody, again for joining us for another episode of Cybersecurity. We look forward to our next conversation where, as we settled on, we will be talking about ransomware. We hope everybody enjoyed today's conversation around patching and the Exchange vulnerabilities and the potential issues with the FBI. And until next time, we hope everybody enjoys their week, and stay curious, my friends. 

Shiva Maharaj  31:19  
Thank you. Have a great week. 

Thanks again for joining us for the Cybersecurity: Amplified And Intensified podcast.