CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

Modern ransomware: How hackers are targeting your organization

In this episode we sit down with legendary penetration tester Adriel Desautels and Noah Tongate to discuss how modern cybercriminals operate when deploying ransomware. The conversation is full of real-life hacking stories and to-the-point advice on how you can protect yourself against modern threats.

Video Transcript

And this kills me: one of the most basic defenses is the most effective, and that's honeypots. I mean, think in terms of the networks that have been breached that have been famous. I don't want to pick on the one that they pick on all the time, but there are a few out there that have been really famous, and if they'd had just a simple honeypot, even HoneyPy, deployed right behind the point of entry, when those attackers began to make their way through the network they could have triggered that, and the IT staff...

That was part of a conversation that we had with Adriel Desautels and Noah Tongate. Now, I know I get excited about guests on this podcast a lot, but I'm really serious when I say that this is a very special episode. Adriel and Noah are top-of-their-game penetration testers, and they come with so many stories and so much knowledge about hacking and how to break into systems that I really feel like this episode should probably have some kind of disclaimer. So here it is: don't do anything nefarious or dumb with the information that you hear on this podcast. With that out of the way, I want to introduce who's going to be our guest on the podcast today.

Adriel Desautels may be a name that you're familiar with. That's because he's been in many documentaries, contributed to many articles and appeared in many news publications. Adriel is the founder and CTO of Netragard, which is a top-tier penetration testing firm founded on the promise of delivering realistic and high-quality penetration testing. Now, Adriel has so many qualifications that I could really spend a long time rattling them off, but a few of the highlights: Adriel's been in the industry for over 20 years. In fact, in 1998, when I was still playing with Tonka trucks, he founded Secure Network Operations, Inc., which was home to the SNOsoft research team. This group gained worldwide recognition for its vulnerability research. While running SNOsoft, Adriel founded the zero-day Exploit Acquisition Program, the EAP,
and has also provided expert witness testimony in U.S. federal courts. And of course, if you're a reader of Forbes, The Economist or Bloomberg, or have watched the recent Viceland documentary on cyber war, then you may recognize him from there. But Adriel isn't alone in this episode; he's joined by Noah Tongate. Noah is a senior offensive security engineer for Netragard, which is basically a fancy way of saying Noah is a very good hacker. For Netragard, Noah conducts a variety of different penetration tests, for instance on web applications, on networks, and even diving into social engineering, which we'll touch on in the coming episode. Noah isn't just a hacker for his day job; he's also a hacker in his free time, participating in many different hacking events such as capture-the-flags and gaining many accolades in these competitions. He also volunteers as a red team member in the Collegiate Cyber Defense Competition, the CCDC, for multiple different regions around the US. With the introduction out of the way, I can't wait to dive into this week's conversation. That's all coming up, but right now we're going to take a very quick look at our breach of the week.

This week is interesting because we're looking at Twitter. Twitter's source code was leaked publicly through one of their employees, potentially an ex-employee, but there's also some evidence to say that it was a current employee. And this is interesting not because it posed a massive security risk to Twitter, but because it reminds us of the security risk that our source code needs to be considered. Source code very frequently contains secrets. When Twitch's source code was leaked, it had over 6,000 credentials inside it. We saw a similar story when Samsung's source code got leaked, and that's just the tip of the iceberg: Nvidia, Microsoft and Rockstar Games were just a few of the companies that last year had their source code accessed by malicious actors. So what makes the Twitter source code story a little bit different? Well, this time it wasn't
threat actors that attacked Twitter to leak their source code; this time the leak came from within. A new GitHub user created an account on January 3rd called FreeSpeechEnthusiast, clearly a reference to Elon Musk. FreeSpeechEnthusiast created an account on GitHub, and from January 4th to March 10th they were leaking huge amounts of internal source code belonging to Twitter. The prolonged period suggests that perhaps they were still employed or still had access to the source code. Now, Twitter recently open-sourced a lot of their code concerning their algorithm, so why is this a concern? Well, it goes to show that we need to stop considering source code as a locked asset. Attackers know that this is very easy to gain access to, and hacking groups like Lapsus$ just pay employees to grant them access to networks and code repositories. Why? Because they know that these contain lots of sensitive information. Twitter made a request to GitHub to take their source code down through the proper means, and they are also pursuing legal action to force GitHub to reveal who this person was. Now, personally, I hope that doesn't happen, but it does illustrate a point. As organizations, we need to make sure that we consider our source code an open asset. Even if we put it behind internal systems and behind authentication, we need to understand that there's a risk that it will be exposed, and the best way to address that risk is to make sure that no sensitive information is hiding in there for attackers, because developers have become a predominant target for attackers. Speaking of those attackers, we're now going to dive into our main conversation with Adriel and Noah and exactly how attackers operate to gain access to your infrastructure.

So today's topic: we're going to be talking about ransomware, but we're going to be talking about ransomware and how it's changed over the last decade. This is something that both our guests have experience in, so with that said, let's get straight into it. I want
to start by getting everyone onto the same page here. I guess most people are probably familiar with ransomware, but what's a quick, high-level overview of it? Adriel, I'll direct this to you first. What's a high-level overview of what ransomware is and what we're talking about today?

Ransomware is a unique piece of software that's used to encrypt data on select systems after those systems have been identified by the attacker. So an attacker will first find their way, or make their way, into the infrastructure using different methods, using different technology, identify the endpoints, and then upload, download, whatever it might be, the ransomware to encrypt. And the idea is attackers will say, hey, we have your data, it's encrypted, if you want access to it... yes, so it's extortion, and we will decrypt it. Of course, there's no guarantee that if you pay it's going to be decrypted, and chances are they've already exfiltrated all of your data. I think Noah can probably give a bit of a deeper review of that.

Yeah, absolutely. I think Adriel provided a good overview. I think that ransomware essentially is just a type of malware that encrypts the user's data on the system, and usually they'll ask for a ransom or some kind of payment via cryptocurrencies. More so nowadays we're seeing a lot of ransomware going into just siphoning the data off the system, so there might be a part two to the ransomware, where maybe an operator has to hop onto the computer and then leverage that data on the system, or maybe even pivot within the network and then gather more data from that and use it as blackmail or anything like that. So it's evolved a little bit there.

So ransomware today... I guess when I first started learning about ransomware it was kind of like these, I'm going to say, self-propelling viruses, which would get on and automatically lock something and move on.
Well, that's not really the current state of ransomware right now, is it?

Right, right. And unfortunately, the way that I perceive it anyway, it seems that we're still marketing proverbial solutions as things that will stop this self-propagating malware. I don't feel like there's enough discussion around, or maybe even understanding around, exactly what you said: if you have ransomware that's been deployed in your infrastructure, it's most likely because the threat actor has already breached your infrastructure, maintained a foothold, been in there for a while, and probably already exfiltrated your data. So by the time you end up getting that ransomware notice, your infrastructure is already in a pretty deep state of compromise. Historically, way back when, in my idea of time anyway, ransomware was the kind of thing where you might receive an email, automatically have your system encrypted, and then you could pay it and you may or may not get your desktop files or whatever else might be attached. And I think that there is sort of an interesting thing that began to happen when ransomware began to encrypt not only the desktops but also the attached file systems, because then the business impact became more and more prevalent, and of course that's how things sort of evolved into today. I think Noah can probably give a pretty good rundown on the methods of breach on this stuff, since that's one of your fortes.

Yeah, so I think you hit the nail on the head. Essentially, feeding off what I said before, like we're saying, malware operators are pretty much conducting what we like to call nowadays a penetration test, or maybe even a red team engagement. So not only are they trying to do the external testing of the network, but they're also looking for weak points inside the network to be able to breach, get a hold, and persist
on the network or on that system, and then maybe sit dormant or sit quietly on the network, and then laterally move to other systems where there's more valuable data, and then essentially lock up the computer and hold that for ransom, and possibly even use that data for other means such as blackmail, or even targeting what the companies fear the most.

Interesting, what they fear the most. It seems like it used to be individual machines, individual specific targets, or, like, we're going to go after this one server with this one bit of data. But more and more I'm hearing about entire universities where everything gets locked out, not just the student database but literally payroll, faculty, staff, everything; manufacturing, where they're not going after just one piece of it but they're going after everything. Can you talk a little bit about that evolution we've seen and really what's driving it? Is it just a bigger money pot that they're going after, or technical sophistication? What's the driver here?

I think, at least from my perspective, I believe CryptoLocker was the very start of the ransomware boom and industry, and that was around 2013.
But I think that it was not only just the money portion of it, of collecting, going after these larger organizations, but also the success rate that CryptoLocker had back in 2013, and really due to that, it's made other threat actors want to hop on the same boat as them and go after these larger targets in general. I think another interesting point that's not really covered in a lot of blogs and things like that is that now we're seeing a lot of these ransomware groups feeding off the fear of these companies, because they'll have their fear of the data being publicly posted and public opinion hindering the company, maybe hindering their market value. In addition to that, you also have regulators; companies are trying to be compliant, PCI compliant or GDPR or things like that, and they're trying to stay within those regulations, so usually you'll have companies that will try to cover up these big ransomware operations. And with the data that they're able to siphon off, it's a good way for operators to not only lock the system and encrypt the actual physical device but also leverage it outside of the network too, by blackmailing, like what I was saying before, just blackmailing the organization, saying, if you don't give us what we want, we're going to publicly pretty much bring down the public opinion, the stock market value of your company, and maybe even possibly have your company shut down due to auditors or regulators coming after you.

Yeah, absolutely. An important artifact too, that I don't think we hear talked about a lot, with the data that gets stolen is that, whether or not you pay, the chance of the data being monetized is fairly high. One of the ways they monetize that data is by selling access to the infrastructure, so you'll find that businesses that have been ransomed and paid are sort of put on a hot list for other
threat actors, or even the same threat actors, that might come back again later. They'll maintain access using all kinds of interesting things, the Trojans, malware, bots that they deploy as they're making their way into deploying the ransomware software. And then of course, if they do happen to exfiltrate anything along the lines of really sensitive trade secrets or something along those lines, they'll monetize that too. So you might say, hey, I'm going to pay the ransom and maybe or maybe not get access to your data back, but if your data's already been stolen, I think that the payment of the ransom should be the least of the concerns. But it still seems to be taking priority: do we pay, do we not pay? I say don't pay, because your data's already been had, and you're going to be contending with that and the damages realized by that for quite a while.

Yeah, okay, let's get into the what-to-do section now. If you're an organization, your own team: don't pay, which I totally understand, but what can you do? Can you do anything once someone's come into your systems, you've had a deep compromise, they've ransomed you, they're blackmailing you, all of the fun stuff we've just been talking about? What can you do as a business? Do you have any options?

I was going to add a portion to what Adriel's saying a little bit. I think, when it comes to really paying, I know that there's a lot of agencies like the CIA and FBI that have publicly come out and said don't ever pay the ransom, and there are cases, and it's sad to say, there are times when you might have to pay the ransom. You might have smaller companies that are targeted, and in order to keep the company afloat they're going to have to get their data back, whether they'd like to pay the ransom or not. It really just varies with the company itself. In my opinion, if you have a large organization, it's kind of
expected that they have backup solutions or other prevention methods in place, like EDR and things like that. But really what it comes down to is knowing the context of the company and deciding, does it really fit to pay the ransom or not?

Yeah, and you ask what can you do, and this is going to sound a bit self-serving, but it's what you can do. Because ransomware actors, these different groups, are breaching infrastructures by hacking them, which is technically what a good pen testing firm should do, the number one thing that you can do, and this is true for most offenses, is you can expose yourself to a threat, right? A penetration test that operates at levels that are the same, using the same TTPs or similar as what you're going to encounter in the real world. And if you're testing at a realistic level of threat, against the right threat model and so on, in theory you're going to identify the same types of vulnerabilities that these threat actors will be looking for. In theory they're going to go after a guy that's similar to you but that's not running quite as fast. So that's what we call realistic threat penetration testing, and there's actually a ransomware attack simulation service that does exactly this. So the idea is you go and you have your test, the test produces results, and what those results really are is intelligence about how that actor is going to align with your risks and, more importantly perhaps, how that attacker will move through your infrastructure without detection, exfiltrate your data, then deploy their technology while evading everything. If you have that kind of insight, you can build effective defenses. And can I tell you, and this kills me, one of the most basic defenses is the most effective, and that's honeypots. I mean, think in terms of the networks that have been breached that have been famous. I don't want to pick on the one that they pick on all the time, but there are a few out there that have been
really famous, and if they'd had just a simple honeypot, even HoneyPy, deployed right behind the point of entry, when those attackers began to make their way through the network they could have triggered that, and the IT staff even would have said, hey, our web server running Apache Struts shouldn't be running scans across the infrastructure, we should go shut it down before something significant happens.

Yeah, for the listeners that may not understand, what is HoneyPy? How would that have stopped, or how would that have alerted you to, an attacker in your infrastructure?

All right, so imagine you have a computer system. This is what HoneyPy is, in theory. Imagine you have a computer system that sits on an infrastructure and it does nothing. It serves no business purpose. Under no circumstance should anybody ever try to connect to it. But if you were breaching the infrastructure and you saw the system, perhaps it might look interesting to you: oh, it's an old version of Windows, an old version of Linux, whatever it might be. Now, what HoneyPy will do, and what most if not, I think, all honeypots will do, usually based on configuration, is that the moment a connection is initiated to these systems, they'll say, hey, somebody is connecting to me. And because they serve no purpose, because nobody should ever connect to them, it's never a false positive. It could be because you have a piece of malware trying to propagate in the infrastructure, it could be because you have an employee doing something rogue, it could be because you have an IT admin running a process who forgot about a specific system, but in all cases, when you get a connection to a honeypot, it's a positive. We were actually running, just for tests a while back, honeypots on several different infrastructures, just to see the rates of false positives and so on and so forth, and we found that they had an incredibly low volume of noise. So it was very rare that
we would get an alert, and we found that when they did get touched it was always something interesting. Might not necessarily be a breach, could be a misconfiguration, could be something else, but it was always interesting. So if you understand how attackers, i.e. through realistic testing, if you understand how attackers are going to move through an infrastructure, you can deploy honeypots in a strategic manner along what I call, or we call, the path to compromise, and then as the attacker moves along that path you're going to light up like a Christmas tree, and all you have to do is respond to the first instance, dig into it, and say, hey, this isn't normal, and you can prevent substantial damage. And HoneyPy is free, so the ROI on that is pretty significant.

Excellent. So yeah, you described a couple of things there. It sounds like if you are at the top of your game, if you have a security team and the resources, HoneyPy is definitely something to look into, especially since the free tier there sounds pretty good. And then, yeah, full-on pen testing, obviously that's what we should be doing, making sure the infrastructure is secure. But do you have any other general advice for maybe companies that don't have that level of maturity? Like, how do you prevent malware, or how do you prevent ransomware from getting in the system in the first place? Just general advice, tips?

I think on this one, just to add to what Adriel's saying, when it comes to honeypots it's a good solution, but in this case you may have companies that are a bit smaller and they can't really afford those, or maybe don't have an IT team with the know-how to set those things up. I think it's really a multi-layered solution, in my opinion. So you can see how you want to fit it; Adriel, I think, explained it best: maybe starting with a penetration test, or something even small, just to get the attack surface and see those weak points, and
then build off of those points. So if we conduct a smaller penetration test, we're able to say, hey, you don't have antivirus, maybe we suggest that you start installing antivirus or endpoint detection solutions; or, hey, I noticed that the antivirus is able to detect me but you didn't respond fast enough, maybe we should look into having some kind of central management system where we can aggregate logs and then figure out how to respond to those things. And really the most simple solution is even just providing that security training for your employees, and having those employees tested, and constantly tested, maybe not during a specific time but just randomly throughout the year, to make sure that they are up to date and they are aware, making sure that they're not clicking on those illegitimate websites or downloading or running illegitimate software. So it's not only just putting the trust in the employees; it's also a multi-part solution. The employees have to be aware and know that this is not a good thing to go to or click on these sites, but also the security is in the hands of the company to enable those kinds of AV solutions or EDR solutions. I only say that because I think that with a lot of companies there's a misconception: companies will try to point the blame at their own employees, when really it should be both the company doing the action of securing the network and also training the employees too.

Yeah, I think one of the things that you hit on, Noah, that's critically important, that just doesn't seem to get played up all that much in the industry as a whole, is the importance of continued testing, the importance of keeping people under threat, and within that, most importantly, knowledge transfer. One of the things that we have noticed, just in our, what, since 2006 doing this, is that the customers that we have that benefit the
best are the ones that interact with us the most. So if we can transfer knowledge, and by that I mean teach them to think in a similar way to Noah, myself, or any other people on the team, they almost naturally begin making decisions that will thwart the inbound threat. And that's not done by just having one test and then thinking the one test is going to give you a foothold; every time you test, as the tests repeat, there are a couple of things that happen: they'll build more knowledge, so we can operate at a higher degree of threat, and we'll also understand where certain things are that need to be fixed. And every year, or six months, or whatever it might be, come back in and reassess and see where the customer is at, and actually help them drive that footprint forward. We have had cases, which have been good and bad, where we've effectively almost worked ourselves out of positions, because we went from customers that on year one we were able to breach, all the way up to about year seven, and then year eight, nine and ten, all of a sudden it was like going up against a brick wall, because they'd learned so much that their infrastructures were just reactive and they were sharp and they knew what to look for. We still work with them, but it's at a different level now because of how far they've gone. So that continual effort, that knowledge transfer, is so much more valuable than saying, hey, you have a vulnerability here. It's, well, why do I have a vulnerability? How do I deal with it? How could I have found it? How do I respond to this? What wasn't I thinking about? The moment you get that thought process in mind, not only can they do that, but they can also say, well, what is a real risk, and how do I address that in an effective manner? There's a lot that goes into it.

Yeah, I definitely appreciate that perspective: we can't just blame everyone else in the org and say, hey, this is your
problem, you're causing this, without providing some kind of training, some kind of ramp to say, okay, this is how we fix that as well. It's very easy to throw that number around, like 87% of all security issues are human-based, but then just end the conversation there, and it's like, oh well, now it's on you to fix that. So definitely continued education is something we believe in as well, and we think that's very important, not just for ransomware but for all malware, all security.

I want to switch up just a little bit, going from talking about the human side of things to the AI side of things and the emergence of AI. Here recently we've seen a lot about, or heard a lot about, ChatGPT. How are these things factoring in, if they are at all? Have we seen anything on the horizon of how this is affecting the ransomware game?

Yeah, honestly, I think it's an interesting question, because there has been a lot of hype around these AI platforms in general, like ChatGPT, but in my opinion, I've played around a little bit with them, and I've asked them, hey, can you write malware that can encrypt a file or encrypt an entire directory, or maybe even just snippets to piece things together, and it does a half-decent job, but it's nowhere near the level of sophistication of what we'll see in these advanced adversaries. So I don't think, really, at least from the AI perspective, it's something that we really have to worry about, at least right now. Maybe in a few years, when it gets a little bit more perfected and more, I guess, down to a T, then it might be a little bit more of a concern, but for now I think that we're not really too concerned with AI.

Yeah, I have to agree. I think it doesn't have enough really high-quality sample sets to learn from to be able to do anything mind-blowing, but I agree, I think in a few years the landscape might be very different.

Yeah, it's really interesting, because it does run on the
sample set, so it would need to be able to have access to a lot of high-quality malware to be able to reproduce it, I think. But what I think it might do is lower the barrier to entry for someone wanting to do something malicious, something simply malicious, right? So, okay, ChatGPT isn't going to be able to hack Google when you write a command into it, but it may produce some malware, something that you can send in an email to do something minor, which is interesting. I don't know, the whole AI side of things is scaring me. I spent an hour running code the other day and kept getting an error, and I plugged it into ChatGPT and it gave me a solution, and I said, oh God, we're done for.

I have a close friend that focuses on AI safety, not security but safety, and a lot of the concerns that he's had are coming to fruition, which is really unfortunate. Writing code, and developing malware or analyzing things, or any of that, I mean, it's powerful, and it really runs the risk of displacing a lot of things or creating a lot of new things of a nefarious nature.

Continuing on from this theme, we said that it could maybe make the targets a bit different. One of the things that you were talking about in there, when you were talking about solutions, that I think some people might be surprised at, is that when you're talking about penetration testing, when you're talking about conducting these, you're not only talking about large organizations. You kind of alluded to lots of organizations. So how big of an organization, or how small of an organization, what's the size of an organization that should start considering pen testing? How big should they be, and what can they expect if they go down this path?
yeah I mean I so when I founded natural guard I one of the I guess philosophies was that you know everybody should be able to afford good security and by product I guess we service a small bar in New York City that was worried about their cash registers all the way up to uh you know some of the largest multinational companies Las Vegas casinos I mean you name it um what companies really need to do is they need to have an understanding of what the threat is looking for and what types of threats will align with them we're going to be most interested in them and they have to keep that sort of refreshed and then as they move forward and building up their infrastructure or doing whatever it is they're going to do they have to deploy uh the right security measures or Technologies or mindsets to kind of help them get along that path and they should not I mean we have best practices everywhere and we have recommendations everywhere they should not read those and believe that those apply to them exclusively because you have one organization that does things in a unique way hiring and you know Jimmy Joe Bob Bill whoever it might be that has a strange philosophy about doing God knows what and maybe these standards do not apply to what this person has created and what this person's done so from day one they have to understand what it is that they've done how it's Unique and really kind of keep that security up front if they if they work that way if they kind of grow their infrastructure that way it was secured at the front of their mind um they'll be able to do what I believe anyways if it's not right in an efficient and an effective way it doesn't have to cost an arm and a leg right not if it's done right um I hope that kind of answered the question it sounded kind of convoluted but I hope that's right I've answered the question um and uh larger companies you know when they're looking at uh I guess building a security posture they might have to take some steps back because 
they might have made uh or I guess implemented certain Technologies or or begin to believe in certain philosophies and then just their test and they realize these things aren't effective and we've seen that and ironically going back to I guess something I kind of said a related to before a lot of times when they step back the solutions they step into follow that keep a simple stupid mindset right they're able to deploy solutions that are are are just almost surprisingly simple and extremely effective um so it goes back to know your enemy from day one uh don't make assumptions um and uh you know work with a firm that will uh charge you based on what the work is that they have to do not based on something else right so if you're small you'll be charged one thing it's affordable if your large you charge something else but it's still affordable and what about and what about so this will this will make sense and I think a lot of the audience will be coming from Tech organizations your startups maybe Logitech companies now this will make sense but is it just tech companies let me rephrase tech company is it just kind of software houses they should be doing penetration testing you mentioned a bar that you did some pen testing for so you know if there's someone if there's someone that's kind of not in this world they're saying hey this is interesting but it's not for me um I used to be a building architect I have stories about uh when when certain people had you know their their weeks worth of work ransomed well who are we talking about what organization should be getting pen tests done I think I I was sickly everybody but it should be at a level of threat that's consistent with reality right um and that's going to change I mean look at what's going on with Healthcare and Healthcare and hospitals and high schools I mean education right versus what was happening 10 years ago um as the Bad actors recognize new opportunity they're going to shift whatever that industry is so 
you don't know when they're going to shift to you. They can shift to the security companies, right? You don't know when they're going to shift to you, and you don't know when they're going to shift away from you. When you go into this type of thing, any kind of business is what I mean, it doesn't matter what kind of infrastructure or organization you're running; when you have one and you have people behind it, you really should be doing penetration testing that is consistent with reality. And what I mean by that is most pen tests, even today, I mean, they're like they were in 2004 when PCI came out, right? It's a vulnerability scan that gets vetted by a person. And that's one of my old analogies that, I guess, some people hate, some love, but it's like testing a bulletproof vest with a squirt gun, right? You need to make sure that you don't do that. You need to make sure that you keep it consistent with what's going to happen in reality and drive that forward. But like you said, you were doing architect work, or somebody encrypts all your files or steals your files, it's a hard time. It's the same thing across the board, I mean, education, healthcare, it doesn't matter, manufacturing, construction, you know.

So yeah, definitely. I think it's so important to keep spreading the message of cyber security awareness and training for everyone, so thanks for coming on the show today. Just so we can have one big takeaway for people that might have skimmed through the episode and are looking for those big takeaways here at the end, could you maybe give us, like, the top five things that an organization can do to protect themselves today?

Sure. I think really just doing a security penetration test or red team engagement would be number one for us. Number two really would be for you to kind of implement or figure out those kinds of solutions, whether that be antivirus or endpoint detection solutions, to make sure that
they're installed on the network, that's really kind of preventing those attacks. I think the next big bullet point, number three, would be essentially detecting those, so that would be going along with honeypots or intrusion detection systems and things like that, to make sure those are also implemented. And I think the fourth one would be essentially just taking all that data, because once you have all those systems installed you're going to have to kind of aggregate that data and be able to parse through it, or be able to have a platform where you can kind of narrow down those targets and figure out what the security issues are and what those attackers might be looking to kind of breach. And lastly, but not least, and most important in my opinion, would be doing the security training, because really at the front lines it's going to be those employees. They're going to be the ones usually either being phished, or the ones that are going to be picking up the USB sticks outside of their company and trying to plug them in, or they'll be, you know, the weakest link, essentially, where somebody is able to get on a phone call and talk to them to try to convince them to install some kind of malware and then further breach within the network. So security training is a huge thing.

Yeah, and I would add to the security training continued knowledge transfer. I find, when you mentioned the USB sticks, the one thing that always blows my mind is that no matter what cyber security conference you go to, there's at least one vendor that's giving away USB sticks as, like, swag, and it's kind of like, what are we doing? A QR code on the back, "scan this", on a USB stick.

We do it because we think it's hilarious that people will still take them, and I've actually not been allowed to, but I've actually wanted to put something in the USB stick to say you shouldn't have taken this.

A little rubber ducky in there that says you have been pwned.

Exactly. I have one sitting right here,
actually. So yeah. Yeah, that's right. So moving into the next one, I wanted to ask you guys, do you have a story, a funny story, that you can share about a pen test that happened? You can remove names if needed, but is there a funny story that we can share here?

Yeah, sure. I think the number one that comes to mind is this one client, a client of ours that was in the manufacturing industry. And essentially, during this portion of the penetration test, I was focusing more on the external portion and the social engineering, so I was trying to come up with the ploy to try to get them to either click on a phishing link... And I figured, you know, why continue with just doing a phishing email, with the regular kind of sending an official email, hoping they go to the link and type credentials? Why not try to give them a phone call? So I started off by essentially doing some password spraying. So I used database breaches, things like that, to kind of collect a big password list, and then used LinkedIn to essentially get a list of all the employees, and tried to authenticate to any kind of their external network infrastructure. From there I did identify several accounts, and once I identified those accounts I noticed that they had multi-factor authentication. And I think there's a big misconception that once the attacker hits that multi-factor authentication, that's the end of it. In reality it's not, kind of like the USB sticks. I was able to kind of gather more data, so I knew at this point that they were running Duo, so they were running Duo as their multi-factor authenticator. So, doing some research, or just from previous experience with Duo, I knew that they have a bypass code. So I was trying to figure out a way, what can I do to kind of get that bypass code from either the help desk or whoever the admin is at that time? So I did some Googling, I was able to call up the company and get a hold of their help desk and ask them some questions over
several days, to make it not as noticeable, and figured out that they require two pieces of information for getting this bypass code. One of them is your birth date and the second one is the last four of your Social Security number. So as soon as I hopped off that call, I immediately started to go research some of those people that were already identified as password spraying victims, or using common passwords, and was able to essentially figure out their birth dates, or several of them, pretty easily through social media posts, or posts that were on LinkedIn saying it's my birthday, celebrate with me. So I was able to leverage that. I took note of all this, and I took note of other kinds of information, like new employees and things like that, just in case I had to kind of go a little bit deeper and explain what I did when I decided to make that phone call to the company. So the next portion was to try to figure out how to get that Social Security number. There's been a lot of breaches, for example like the Equifax breach, where Social Security and information has been leaked, so usually it's pretty obtainable, but for this client I couldn't find anything, or at least for these victims I couldn't find anything. So my next step essentially was to take all the data that I'd gathered and make a phone call directly to these people that I'd already identified with weak passwords and that I'd already identified with their birth date. So I went ahead and called one of the victims. They had a phone right there on their desk, so it was a direct line directly at their desk. I called them and impersonated IT and asked them... I wanted to first build some rapport with the client, so I said, hey, and I provided a real IT help desk person's name, after getting that from LinkedIn, and then was able to essentially build some rapport by saying, this is your... your boss is John Smith, correct? And they said, yes it is. Your title is this, is this correct? And then tried to kind of
build that rapport with the client, or the victim, so they can kind of trust me. And then once they trusted me, I asked them for the data that was the most important, which was the Social Security number. So at the very end of the call, when I was trying to finish with this client, I said, well, I just need to confirm some last bit of data, can you please confirm the last four of your Social Security number? And they happily provided it to me. So I was able to essentially gather all the data that I needed without even sending a phishing email, so there was no hard evidence for the organization to essentially attribute to me, other than one phone call to one employee. So once I got that, what was really interesting was they had a Citrix Gateway that was running externally, and that also had multi-factor. So I used that to essentially log into their Citrix Gateway, and in the Citrix Gateway you could spin up virtual computers, or virtual machines, and I was able to pretty much pivot from an external attacker's perspective internally, and then kind of laterally move all the way, ultimately, until gaining administrative access to the entire network. So complete compromise from an external perspective. Pretty fun engagement.

That's very impressive. All your base are belong to us, right? My takeaway there is don't answer the phone.

That's some good advice, but you might not be able to, you know, operate.

That's such a good point to end on, that MFA isn't... there'll be an angle. You should have it, but don't think that it's impenetrable. You know, Uber had a recent case where an attacker bypassed it and was able to access the PAM system, so, you know, a similar complete takeover. Well, we've come to the end of the episode. I want to thank both of you so much for coming on. It's been an awesome episode.

Oh, go for it, Dwayne, go for it.

One last thing, something I heard at a conference recently, I want to know if you guys had heard this as well. How did the hacker get away from the
FBI? They ran somewhere. [Laughter]

I'm stealing that. That's like a dad joke. I'm totally stealing that.

and the software our secure WV all that joke and get somewhere talking

That's awesome. Well, I want to thank you both for coming on the podcast. It's been an awesome episode. There's lots of takeaways, and I do hope that one day you will join us again and share some more stories. So thank you both for coming on, we appreciate it.

Thank you for having us.

Yeah, thanks for having us, and the beer. Pleasure to come back anytime. Thank you.