By Insight Editor / 9 Oct 2025 / Topics: Artificial Intelligence (AI), Mobility, Generative AI, Cybersecurity
Jeremy Nelson, CISO at Insight, breaks down how ransomware attacks have shifted from brute-force encryption to sophisticated impersonation tactics. Using real-world examples — including a $25M deepfake scam — Jeremy explains how attackers scrape social media, interviews, and even dating apps to mimic executive personas and infiltrate organizations.
He outlines how AI is used on both sides of the battlefield: attackers use it to replicate tone and style, while defenders use threat intelligence platforms to flag anomalies. The conversation dives into oversharing risks, password reuse, and why internal verification protocols are the most effective defense.
A key insight: attackers follow the path of least resistance — and most companies make it easy. Jeremy shares practical steps for IT and security leaders to tighten identity verification and reduce exposure.
If you liked this episode, share it with a colleague.
Have a topic you’d like us to discuss or question you want answered? Drop us a line at jillian.viner@insight.com
— Jeremy Nelson, CISO, NA, Insight
Audio transcript:
Jillian Viner:
We are gonna play a little game, and I'm gonna make you a role that I know you're not comfortable with, but I'm gonna have you be my bad guy. And we're gonna walk through the, the common steps that the bad guys might walk through to actually infiltrate an organization.
Jeremy Nelson:
Oh my goodness. I'm nervous. I'm literally sweating <laugh>. I'm getting chills already. I spent my entire career trying to be the good guy. And you're gonna make me the bad guy.
Jillian
Yeah. It's gonna be a stretch for you, but I know you can do it 'cause you have the knowledge of what those bad guys are.
Jeremy
For the good of our community, I'm gonna take one for the team.
Jillian
If you're making technology decisions that impact people, budgets and outcomes, you're in the right place. Welcome to Insight On, the podcast for leaders who need technology to deliver real results. No fluff, no filler, just the insight you need before your next big decision. Hi, I am your host, Jillian Viner, and today we're talking to Insight CISO Jeremy Nelson on the frightening and easy ways that threat actors are infiltrating your business. Let's get to it. Well, Jeremy, it's October, finally, getting some cooler weather here in Phoenix.
Jeremy
Needed desperately.
Jillian
Are you a big Halloween fan? Do you watch horror movies? You go trick or treat with the kids? Well, your kids are grown now.
Jeremy
Horror movies, down on those, but um, actually Halloween is huge in our neighborhood. Yeah. In fact, uh, so we've got this little rectangle, uh, where our house is. We kinda sit on the corner of this really cool, rectangular collection of houses. And I don't know how it happened, but just over time as we've moved in, so we've been in this house for 20 years now. Mm-hmm <affirmative>. And this neighborhood has embraced Halloween to the point where we got people who do cotton candy. We got, uh, boiled dogs, we've got pulled pork sandwiches. We do like a big movie screen and we'll play Nightmare Before Christmas. And we get thousands of people who will come through our neighborhood on Halloween. So
Jillian
That's so charming. I feel like that's, it's awesome. Like, dying in America.
Jeremy
It really is. It's so nice to, but it's not in our neighborhood. That's awesome. Not in our neighborhood.
Jillian
That's awesome. Okay. So trick or treating with the kids Halloween block party. Uh, okay. So you don't do horror movies. What about like, thriller movies? You like thrillers?
Jeremy
I don't like thrillers. I don't, I like, uh, I do a drama here and there, but when you think about the work that I do, yeah, I tend to lean on the lighter side of media that I consume. So I'm a big stupid comedy guy.
Jillian
You don't need any more reasons.
Jeremy
That's my, no.
Jillian
To not sleep at all at night.
Jeremy
I, I got plenty of other stuff <laugh> to keep me anxious and up at night. Yeah.
Jillian
Well, we're gonna try to go through some things today to prevent some CISO nightmares. Yep. Um, and help y'all sleep a little bit easier. Last time you were here, you dropped this really, um, I won't call it a bombshell because we talked about this as being like, of course this is happening. But, um, you mentioned that when an attack happens and you go into that war room, where that's where the mitigation starts, that's where your resources, everybody kind of takes a breath and goes, okay, what do we have to do? And that's when you realize that, oh, we're not safe here. There is an infiltration happening in the war room. The war room has been compromised.
Jeremy
The call is coming from inside the house.
Jillian
There you go.
Jeremy
So there you go, back to your horror.
Jillian
Well, you can't say that and then not revisit that topic. Yeah. And help us understand how did we get there and how do we keep that from happening? So Jeremy, I'm really excited for our conversation today. Uh, we are going to play a little game and I'm gonna make you a role that I know you're not comfortable with, but I'm gonna have you be my bad guy. And we're gonna walk through the common steps that the bad guys might walk through to actually infiltrate an organization. Um, so we're gonna take this from the very beginning steps all the way up to the moment of, oh no, there's a problem. And then we're gonna have to come back for another conversation to figure out how to get out of that scenario.
Jeremy
Oh my goodness. I'm nervous. I'm literally sweating <laugh>. I've spent my entire career trying to be the good guy. And you're gonna make me the bad guy.
Jillian
Yeah. It's gonna be a stretch for you, but I know you can do it 'cause you have the knowledge of what those bad guys are.
Jeremy
For the good of our community, I'm gonna take one for the team.
Jillian
Thank you <laugh>. Let's do it. You're gonna be the bad guy.
Jeremy
Alright.
Jillian
Do you have a name for your black hat? <laugh>
Jeremy
Uh, I don't. And maybe that's a good sign <laugh>. Um, let's go with, uh, the Black Serpents.
Jillian
Oh, okay. We're going there. All right. Black Serpents. Um, I'm going to be the CEO of Bear Solutions. Sounds tough, right? No. Very tough. You're not gonna get through my
Jeremy
No, no way.
Jillian
No, it's not gonna happen. So, alright, first move. This is like the chess boards on the table, right? Pawns are out. What do you do?
Jeremy
So coming back to, you asked about horror movies mm-hmm <affirmative>. Now, one thing I am a big fan of is I love heist movies. Same. So there was, I think, one of the greatest genres ever invented, in my opinion <laugh>. Um, it was funny, we were, you know, just kind of thinking about good guy, bad guy. We'll kind of toss that aside in the spirit of the heist movie because I think that gets a little bit murky. Um, but really if you go back, they serve as kinda like a blueprint for this exercise that we're gonna be going through today. And so I think if you look at a lot of those movies, Ocean's 11, by the way, happens to be my favorite. And, uh, it always starts off with reconnaissance. Yeah. Just understanding who is this? Like who is it that we're potentially targeting? And there's a lot of different components to that.
Jeremy
So everything from, is this a target that's going to have a propensity to pay? Do they have the financials to give me something that is material and worth that time and investment that I'll be putting into them? Um, and then understanding who are the players, who are the major players that I'm working with, and what are the ways that they might have weaknesses or exposures that I can use as a means to be able to kind of execute my infiltration activities. So that's the first thing. And let's just face it, in the post-2005 era, right. Everyone knows what happened in 2005. Do you know what happened in 2005?
Jillian
I, I mean, I was there, but what was the big thing?
Jeremy
Facebook came out. Facebook became a publicly accessible social media. So social media. So we had MySpace. Mm-hmm <affirmative>. We had Facebook, and you know, MySpace was a thing, but we really didn't see the expanse of social media until really Facebook kind of took over. Twitter was there in the background, but now part of just everyday life is social media. Yeah. And so there's,
Jillian
You didn't even mention LinkedIn. That's where we all are.
Jeremy
We're all on it. Yeah. Like if you go through, there are very few people, um, that aren't on any type of a social media platform. Um, but there is some digital footprint that everyone leaves behind through social media. So the first thing you do is when you talk about social media, you're looking to investigate an organization specifically. Where would you think about starting?
Jillian
I mean, if you're looking for the players, you're probably perusing those social platforms and you're Yep. You're gonna what? Come on my page and see my title, LinkedIn, who I engage with, who am I with?
Jeremy
LinkedIn's a great place to start. Yeah. You literally, like the company will usually have a page, and that page will usually have connections to the officers of the company. Mm-hmm <affirmative>. It'll tell their title, it'll tell a little bit about their mission statements. So you actually learn a little bit about, like, what are the underpinnings, what, you know, maybe what does the lexicon and communication language of that organization look like based off of the vertical and some of the things that they share on social media. So you can kind of get like a feel for the tone. AI actually even makes this easier. Now you can go out, type it into AI and be like, Hey, can you do a little bit of research on this company? I'm trying to craft a communication. Can you gimme something that would mirror their tone, the way they communicate, what are their values and things like that.
Jillian
It's a very innocent prompt. So it has no idea.
Jeremy
Because you could be, you could just be somebody who's looking to engage with them to create a partnership to either help them or to help potentially position a product that you've developed mm-hmm <affirmative>. And so it's a very innocent prompt, but under the covers, really, what are you trying to do? You're trying to immediately start to impersonate a persona that exists within that organization.
Jillian
You could, in theory, scrape all of my LinkedIn posts. Maybe you find a Facebook page, whatever. And you're aggregating all that to understand my voice and tone.
Jeremy
A hundred percent.
Jillian
And now you have my writing style.
Jeremy
Well, I'll even take it one step further for you specifically. Okay. As the host of Insight On,
Jillian
Oh, my voice is out there.
Jeremy
Your voice, your face. Like, you're not just a voice and tone as far as like communication style, but like literally you have enough content out there to directly replicate you.
Jillian
But most CEOs do. Like, what CEO isn't doing interviews, videos? Yeah.
Jeremy
That's the role. Yeah. That's literally the role. You are the face of the company. Okay. At the end of the day.
Jillian
So already exposed. Yep. Last time we talked, you also talked about oversharing.
Jeremy
Oversharing. Yep.
Jillian
How much of that plays into that reconnaissance?
Jeremy
Oh, a ton of it. Now, so if you go back, oversharing can take a number of different forms and fashions. Yeah.
Jillian
Right. We were talking AI, but yeah.
Jeremy
So we talked about AI, and AI has the ability to go in and look and decipher and be able to kind of create themes out of an aggregate mm-hmm <affirmative>. Right. Whereas there are a lot of things as human beings, we'll go out and we'll share and sometimes we'll share accidentally. So, uh, everything from typing, you know, like you think you're sending a message to one particular email and you send it to another one. And, you know, you can't necessarily recall that unless they're within your organization. Even then it's semi limited. Um, but the same thing happens with social media. DMs end up going public, um, a variety of different things where just an accidental mistype and something that was intended to be private goes public. Mm-hmm <affirmative>. And I think one thing we've all learned is that, uh, once something goes public, especially if you are a public facing person mm-hmm <affirmative>. Uh, it's never gone. It's forever. It's captured instantly. Yeah. It's archived. Yeah. And it will come back to haunt you. Yeah.
Jillian
There's no world today in which any C-level leader can be invisible from social platforms. No.
Jeremy
No.
Jillian
So is there any defense I can do there?
Jeremy
So here's really where that comes into play, right? So I'll actually throw out an example. This happened, uh, just over a year ago. Um, deepfakes were really kind of coming along. Generative AI was, I wouldn't say in its infancy, but it was relatively established, but I think people were still trying to figure out like, what were the true implications? How could this impact me individually mm-hmm <affirmative>. And, um, there was just an individual, like not even a high ranking person working in a finance department for a multinational company. And they get a meeting invite asking them to join with what they thought was their CFO and a series of other executives. And they jump on this video conference call, video, audio, having a conversation with this group of people. Um, and they were basically talking about some type of acquisition or other activity that they're looking to engage in. And this CFO basically, you know, provides direction to this financial operations person to wire $25 million to an external entity. They're on a full on video conference. They feel like they're looking dead in the eyes of their CFO, their CEO, a series of other executives, potentially board members mm-hmm <affirmative>. And so they carry out the order, unintentionally sent $25 million to a threat actor group. And it turns out that a single person on that call with him was real. Wow.
Jeremy
All deepfake. So when it comes back to that question, yeah, is how do you protect yourself? It's less about protecting yourself. There's only so much that you can do by putting that information out there. Like it's going to be out there. Now, there's a lot of different things that can go out. So there's threat intelligence platforms that will go out and be able to look for various and ingest. Um, so it's AI versus AI. Mm-hmm. Right? So you got AI that's able to create these deepfakes based off of the data that's put out there, but in similar fashion, you can combat that with threat intelligence that's able to go out and identify various different, um, content that's being produced by some of these high profile personas within an organization and identify if messaging is off or if it's not necessarily something that was scheduled as part of a pre-planned type of a production or release or something like that.
Jeremy
And being able to flag and kind of take proactive measures to try and remove that or curtail it as best as possible. The more important one is better internal verification processes. So everything from, if you get a sensitive request, what are some ways for you to kind of follow up on that? There should be specific processes, policies, and procedures mm-hmm <affirmative>. On how to respond to something like that. And we're getting even into the case of like even a password reset. So we're talking about a request to wire $25 million. Like that's a pretty extreme case, right? Um, even just something as simple as resetting a password. Like are you going to like a support desk technician? That call comes in, that should trigger some type of heightened verification protocols where you go through and do some type of real time validation that the person on the other end of that call is actually the identity that's calling in and asking for the password reset.
Jeremy
So it's less. So there are some things you can do to try and monitor and manage mm-hmm <affirmative>. For, we'll call it identity hijacking that's happening out there in just the general digital space. Uh, but really what it comes back to is good solid identity verification procedures internally. So being suspicious of joining video conferencing communications or video conferencing bridges and meetings that are outside your company's normal platform of choice. Mm-hmm <affirmative>. Right. Looking at email addresses, making sure that they match up, all that kind of stuff. So just little checks and balances for like, if you see something, say something, this feels a little bit off. Yeah. I know that it involves me. That little feeling in your belly. Yeah. And even in that, uh, use case that I shared with you, the individual kind of called out that, oh, they started feeling a little uncomfortable Yeah.
Jeremy
During some of this, but they used the right language. Like, that's the other thing. A lot of these threat actors, they like to use, you know, intensity, pressure and kind of fear tactics mm-hmm <affirmative>. In order to get people to respond, nobody wants to be in trouble. Especially when you're talking to what you think is a senior executive or could be a senior executive. Um, and so people respond differently to that. And so they use those types of tactics. So even if you feel uncomfortable, that gets outweighed by potential risk of employment and things like that. Yeah. So,
Jillian
Yep. We're gonna come back to that when we're playing the recovery game. But before we move on to the next move, you've already mentioned that you're scanning social platforms, the obvious places, maybe video interviews, podcasts, et cetera. Before we move on, is there any other maybe less obvious place where some of that sensitive or overshared information can be found and scraped?
Jeremy
All right, this is gonna seem a little weird. Okay. So, go with me on the ride.
Jillian
Lay it on me.
Jeremy
Dating apps.
Jillian
I'm sorry, what?
Jeremy
Dating apps. So think about that. The whole intent is to go on to connect with other people, to share information, to probably try and impress them to a certain extent. Mm-hmm <affirmative>. And so when you think about deepfakes and phishing, catfishing has been around for ages. Yeah. It's had different purposes <laugh>, but think about you go out, do a little bit of searching, um, you find some executives, you go out, you look at specific dating apps, you kind of pull that up. You go through, just do some searches, see if they're out there. In fact, there's like AI apps that will go out and search for specific personas on the dating apps. And then you go out, you create a good profile and you just start doing a little phishing.
Jillian
Interesting. We're gonna protect the innocent. But have you actually seen that play out?
Jeremy
I have not. Okay.
Jillian
I have not. But you know, it's
Jeremy
After I've not seen it personally. There have been records of it. Yeah. But I have not. Wow.
Jillian
Okay. All right. You've got my name, you've got my personality, essentially the way that I speak, the people that I engage with, you know, about my company. So you've got your recon. Now what?
Jeremy
So once you've identified your targets, the next place to go, to be just very honest, mm-hmm <affirmative>, is the simplest path. Right. We always wanna go, just like everybody, people looking to do these types of nefarious things wanna follow the shortest and easiest path. Yeah. Make it easy. Right. Path of least resistance.
Jillian
We don't make it that hard.
Jeremy
So if you think about it, you go out and if you're managing passwords, okay? Mm-hmm <affirmative>. So you live in this digital world and you have a password. Right?
Jillian
For everything.
Jeremy
And you log into about like 9 million different websites every single day. Yep. Most of them. What's your user ID now by default?
Jillian
Oh, usually my email.
Jeremy
Your email address, right? Mm-hmm <affirmative>. Guess what? It's pretty uniform. Yep. How often do people reuse passwords?
Jillian
Uh, probably a lot, or a variation of the same password.
Jeremy
Almost exclusively, I would say. People tend to reuse passwords. So one of the things that you do is you go out and you find this persona. Uh, credentials are super cheap on the dark web. So you go out and you just do a little bit of searching to see if you can find email, password combinations, and then you start using that as a way to potentially insert yourself into email communications. Mm-hmm <affirmative>. By far, one of the most frequent entry points for threat actors because it's asynchronous. There's a massive, like, we all get buried under mountains of emails. So it's easy for things to potentially go unnoticed. Yep. Um, it's also pretty easy to clean up after yourselves if you don't necessarily want traces of those emails being left around. Um, and so going out, looking to see what can you get off the dark web to help you kind of advance, like what's for sale? Mm. And so you use that as kinda like that next kind of, we'll call it phase one and a half of reconnaissance. Right? Okay. So once you've kind of built your picture, you understand who your target is, you understand who you're going to leverage to get yourself in, then you go on and you just see what's available to me. So there's a couple of different styles of trying to come in.
Jillian
I've got my iPhone. Kudos to iPhone. Okay. It's got my passwords. Yep. It's got my notification that like, Hey, your password showed up in a leak. I'm like, yeah, sure. Whatever. Yeah. Right. So I've missed that. Right. So now you've got my password. Yep. You bought it off the dark web, now you've got access to my email. You're probably logging into stuff and changing passwords without me even realizing it because you're deleting the emails that come through with a password reset.
Jeremy
So chances are you're not doing that yet. No. Okay. You're not, you don't wanna do that yet. Okay. Because that exposes you. Oh, the whole intent is you wanna operate as long as possible undetected. Okay. You know, you don't wanna expose your hand until it's go time. Okay. So it's just like the heist movies, right? Mm-hmm <affirmative>. You always wanna play it cool. Like, you know, maybe there's a few little signs here and there. They get dismissed, but at the end of the day, you wanna go undetected as long as humanly possible. Yeah.
Jillian
Are there any red flags that I might catch at this point?
Jeremy
So there's a lot of different tools. There's a lot of different things that can kind of be used. Now, you as an end user, you may not, to be honest with you. I mean,
Jillian
It did tell me that my password had been leaked.
Jeremy
Now that would actually be a phenomenal sign and probably a reason for response and for you to take some remediative action mm-hmm <affirmative>. Um, but as far as like just general detection, like, it's very, very challenging. Okay. Um, and so typically what we do is we have to come back to, again, looking at things in the aggregate. And so when we talk about like, various different technologies that are out there, collecting log data, analyzing various different activities, and then correlating it across different aspects of your IT environment mm-hmm <affirmative>. And then mapping it to behavioral analytics. So looking at, Hey, is it normal for Jillian to be logging into her email at two o'clock in the morning from China? Maybe. That's probably, but we also call it the impossible travel situation, right? Yeah. So if you are in China at two o'clock in the morning, and then at six o'clock in the morning, you log in from Phoenix mm-hmm <affirmative>. Right? Like, there's no flight on earth that's going to get you from China to Phoenix in four hours. And we have systems
Jillian
That can detect this?
Jeremy
A hundred percent. So that's where the behavioral analytics come in. Sure. So, again, for you as an individual, again, especially using some of these more traditional communication platforms, it's really easy for these threat actors to cover their tracks. Okay. And so it's pretty challenging. Now, what could happen is, you know, they'll probably start off just monitoring and again, consuming, looking, identifying other people that they might wanna communicate with, who are other folks that might, uh, allow them to pivot and go into other places within the organization. Or maybe it's just a quick smash and grab. Hmm. Like, I've seen that before too, where they'll come in. I've seen a situation where they were able to compromise the CEO's credentials, logged into his email box, literally sent an email to his EA asking for, um, $6,000 in gift cards, and had them just do it, transmitted. Yeah. Right.
Jillian
That's all
Jeremy
They were after. So, and it was $6,000. Smash, grab, out they go. Huh. And that was it. And so they obviously, unfortunately, this executive assistant carried it out. Yeah. It came from the CEO's inbox. Yeah. Had no reason to believe this wasn't an authentic request. So made the purchases, sent 'em where they were asked to be sent. Um, by the way, it wasn't like she shipped them to China, it was just right down the road to a warehouse that grabbed them, distributed 'em, and did what they do with those types of, so it
Jillian
Might have been weird for the amount and the urgency, but everything else looked
Jeremy
Exactly. Had urgency, but everything else looked good. Yeah. Um, and then obviously they detected something was wrong. They went in, did the password resets. Um, this was a catalyst for implementing multi-factor authentication, as you can imagine. But you still have to go through and do forensics to see if anything else was done, right? Was any other data exfiltrated and things of that nature. So, um, but
Jillian
$6,000 is a fair price to pay
Jeremy
It's a decent amount
Jillian
To recognize this.
Jeremy
In fact, they got off pretty easy. Yeah. I mean, had this particular, whether individual or group, you know, not exactly sure what it was, but, uh, had they recognized what they had access to, if they would've been a little bit more patient, they probably could've gotten away with a lot more.
Jillian
The lurking is the piece that's giving me a little bit of the heebie-jeebies right now.
Jeremy
Yeah. Yeah. It should. Yeah. It's giving you the heebie-jeebies for the right reason. Yeah. 'Cause we don't like to be spied on. Nobody likes to be spied on, especially, we don't like to be spied on with the intent of they're going to carry out some type of malicious act against you. Mm-hmm <affirmative>. Like, that's terrible. That's a terrible feeling.
Jillian
I mean, I can't think of a positive reason why I'd wanna be spied on. No, but yeah, no. All right. So you've got my information, you've got some passwords. Step three is what?
Jeremy
So it depends on, obviously there's a number of different attacks that we talked about, right? Yeah. So, um, it really comes down to what's the best way, what's your path to the biggest payout? Okay. That's really what it comes down to is path of least resistance. Mm-hmm <affirmative>. Biggest payout. Um,
Jillian
Unless of course you just want $6,000 in gift cards.
Jeremy
$6,000 in gift cards. Yeah. I mean, for some of these, that's a win, you know, for some of these scammers. Yeah. Like, that's a relatively good payout maybe. Right?
Jillian
And they're just testing the waters.
Jeremy
Nothing near a $25 million payout for a deepfake phone call with some executives, but, um, you know, 6,000. Um, so it really comes down to what is it they're trying to carry out mm-hmm <affirmative>. So the big one these days is ransomware. So one thing we didn't necessarily touch on, we've talked a lot about the social aspects of this, and I think that's one of the biggest areas, right? It really is social.
Jillian
Yeah.
Jeremy
Let's just be honest, we'll call a spade a spade. So we know that there's vulnerabilities in all the different technology that we use. Um, but at the end of the day, it's a well-known fact that the human beings that use those systems are the weakest link in the chain.
Jillian
We are quite flawed.
Jeremy
The weakest link. Yeah. Every single time. And there's a lot of different reasons. So I'll throw out one other negative use case. Okay. Um, and it really comes down to insider threat. When you look at just general employee sentiment and where we're at right now, both economically and geopolitically, there's a lot of just unrest. There's a lot of, you know, uh, employees who aren't necessarily particularly thrilled with some of the directions and things that are happening within, I'll speak predominantly around like the corporate America space mm-hmm <affirmative>. And so for a lot of them, that loyalty, that allegiance is relatively low. And so another thing that we're seeing a fairly significant rise in is that these threat actors are basically either straight up intimidating or even bribing employees to basically hand over their credentials and to kind of just open the door and step aside.
Jeremy
Right. So I think about, uh, any, so you talked about thrillers. Again, I, I'm a big comedy guy, um, but I do like action movies and in fact, like John Wick is one of my favorites. Okay. <laugh>. Um, and I always think about that scene where he is going into the, the nightclub mm-hmm <affirmative>. And he walks up to the big bodyguard and he obviously threatens him there. And, you know, basically makes it known that he's going in whether he wants him to or not. So he can either, you know, suffer the consequences of trying to block him, or he could just let him pass. Yeah. What does he choose?
Jillian
Most employees are just gonna let him in.
Jeremy
Just let him in. Do it. Yeah. Just let him in. Um, and by the way, a lot of these tactics these threat actors use, it's not just simple. Like, they literally threaten family members, and so it's pretty scary. Yeah. Right. The tactics they'll use. Yeah. So you can't necessarily blame somebody. Like if they're coming in, they're threatening your family, your livelihood, all they want is your credentials.
Jillian
Well, I mean, it's kind of the same philosophy of a police officer would tell you, if you ever get mugged on the street, like all you did, throw your bag, give, put your hands down, whatever it is that you had, can be recovered.
Jeremy
Walk away, walk away, walk away.
Jillian
Your life's not worth it. Yep.
Jeremy
Yeah. So that's a real threat as well. So when you think about those various different entry points, so again, coming back to, we've talked a lot about the people aspect, and that's going to be the most primary entry point that you'll see from the various different, uh, bad actors that are out there. The other piece is, we haven't talked about, like, the brute-force entry through gaps in our overall technology that are intended to protect us or, um, what else, or even help us conduct business, where we have to permit some level of data exchange to happen. But it inevitably allows, uh, you know, we create holes in our security perimeter specifically to allow these things through. And so those technologies will have flaws. Those flaws can be exploited, and then that can be used as another means to be able to infiltrate an organization.
Jeremy
And we, we've seen that happen as well. And so, uh, the other piece is, is the vulnerability management, continuous detection, good security, perimeter identity, best practices, things of that nature. So coming back to what's next, right? So we're gonna go down the path of, um, we'll go ransomware. Okay. Right. Ransomware is a pretty common thing these days. Mm-hmm <affirmative>. Um, we're gonna stay on the path of, 'cause we could go in lots of different directions. We'll stay on the path of the user. So, uh, we, we basically get access, we profile an individual user, and really what the intent is there is that they use those credentials to either, um, drop something into like a shared storage space or to send them an email or, you know, create some type of way of delivering a malicious package of software to them like that. That's really what the, the aim is. Mm-hmm <affirmative>. Uh, once they actually have that, that endpoint, that desktop is the number one. It's, it's basically patient zero. Um, if you were to think about like, some type of a, of a viral outbreak or something like that. So
Jillian
If you're sending me something Yep. You are going to, you're not gonna send something to me from me. So how would you get that packet to my
Jeremy
Computer? So the whole intent would be not necessarily to send it as you, to you, it would be to use, you know, to profile you as an individual to craft, craft a message that you would then send to that mailbox that would, in, that would incite you to actually opening it up. Okay. Like sending it from another trusted entity. 'cause usually you're not just gonna take one mailbox, you're gonna have multiple mailboxes. And so you'll start off, you'll kind of figure out like what your attack approach is going to be. And then you'll log in as one account. You'll craft a message that you know will be received by the other person that will incite them to open whatever attachment that you send them. You put the, or maybe it's even a link. It may not even be an attachment, it could just be a link of, Hey, we're gonna be transitioning to this new financial form. Here's the new link. Go out, download it from, from this website. Um, I, I need a copy of this like as soon as possible. If you could get this onto my desk by the end of the day, that'd be awesome. Mm-hmm <affirmative>. Send it to that person. They get it, they click the link, they download what they think is just a financial processing form. They open it and it ends up being an actual malware package.
Jillian
What I'm picking up on are a couple of, like, psychological ways that we could, we ourselves are vulnerable, you kind of hit on earlier with like the dating profile, phishing or mm-hmm <affirmative>. So it's definitely our vanity Oh yeah. Creating that weakness.
Jeremy
I think fear is a bigger one, though. Fear's a bigger one. I can be honest. Yeah.
Jillian
But the, the one that you just said is, is really targeting more of like the rule follower. Mm-hmm <affirmative>. I, there's a sense of urgency here. Yep. We know urgency is a big one.
Jeremy
Urgency is always at play.
Jillian
Is there another psychological approach that maybe we don't think of that we should be aware of?
Jeremy
I, I love that you put it is it is psychological. 'cause it really just comes down to the human nature, right? So emotional finger things that, things that trigger mm-hmm <affirmative>. High emotions that allow us to act without necessarily a lot of cognitive processing to think is this right? Mm-hmm <affirmative>. Right? Like, you either are afraid of the outcome or you're excited about the outcome. And so you're going to make a choice, instinctive choice to do something, to get to whatever that outcome is, either to avert it as a risk or a threat, or to get you there faster because it's something that's going to bring you joy. Yeah. So it it is very psychological.
Jillian
Yeah. And I think that's important to point out. 'cause I feel like when we hear these stories in the news about the CEO, the financial officer, whoever it was that fell for a scheme, it's really easy to watch that story unfold and be like, how did they not know that that was a phishing attempt? But it's so different when you're in the moment.
Jeremy
It really is. It really is. And there's just, especially when you work in a role like I do, and a lot of the other people that I tend to connect with, is that we just, we're not very trusting people. I know. It seems weird, especially like, I come off as a very, you know, trusting and open person deep down, like trust
Jillian
New
Jeremy
One, you, you're just constantly questioning everything. Yeah. Right. And so, so there's, for us in the security industry, like that's just kind of part of the game. Yeah. Right. Like this, just who we are as people. Um, and, but, but there's other people that, that aren't like that. Right. And so they, they tend to trust first and learn, learn from the mistakes after. Right.
Jillian
Well, I appreciate that's why our team does a really good job of doing like the, the fake phishing attempt emails. Mm-hmm <affirmative>. Because it will catch you when you're just in your normal workflow. You've got a hundred other things you're trying to get done, you're task switching, so you're not paying fully attention. Then that email comes in with something you urgently have to do, or here's a gift card and it's like, you know, I appreciate that our emails have a little flag at the top.
Jeremy
I love that. External email's,
Jillian
External email. I love it.
Jeremy
Yeah. Because I'm a fan.
Jillian
There's been a couple times where it's supposedly from someone at Insight. Yep.
Jeremy
Like, nope. Nope. So I, uh, I will, I will be vulnerable here with our Insight On friends. Ooh. Um, I got nabbed once <laugh>, they've gotten me one time over the 12 years that I've been here with Insight. They got me one time and they did exactly what a threat actor would do. They learned my behaviors mm-hmm <affirmative>. And they understand like, where do I see urgency and what will, what will drive me to maybe click or do something that I ordinarily wouldn't do mm-hmm <affirmative>. And so, you know, working for an organization like ours, uh, you recognize that there are ebbs and flows to the business and usually, you know, this isn't a big surprise to anybody, month end, quarter end are high intensity moments. Yep. Right. And one of the things that I do a lot in my role is I process contracts. And so, you know, we, we use a digital signing platform for that.
Jeremy
And, uh, it was at the end of the month, end of a quarter, and I get one of our, you know, fake phishing, you know, uh, educational <laugh> phishing emails, and it looked like a document signing request. And because of the date, the time, you know, I was over, you know, really trying to make sure that we stayed on top of these things because timing is extremely sensitive and important. Yeah. I went to, and as I was hovering over and going to click it, I literally was clicking it as I saw the little thing pop up with the URL that it was taking me to. And I saw that it wasn't our document signing platform, and I knew within that
Jillian
Slow motion
Jeremy
A hundred percent, like, we're literally talking like microseconds, milliseconds, whatever it was, I knew I'd been nabbed. Mm. And as soon as it popped up the screen, I get another email letting me know that I had been generously enrolled in our cybersecurity training program. Oh. It was so embarrassing. But I have vowed ever since that moment, I will never get caught again. Yeah.
Jillian
What did, what did you learn? How did, how do you prevent that from happening again?
Jeremy
So I, and now every single time I get any, so I would never click a, a link without just double checking that URL first to make sure that it's taking me exactly where I expect to go.
Jillian
The mouse hover. Yep.
Jeremy
And, and even then, it's an external, so I can't necessarily use the banner to say, oh, this is coming from an external source, but I slow myself down. And so that was my big lesson learned was I allowed myself to get anxious. I allowed myself to get pulled into the emotion, and I stopped doing best practices because I felt like the immediacy of a response was more important than me being safe mm-hmm <affirmative>. And so now I don't, I really force myself not to let that that happen anymore. Yeah.
Jillian
You're like, Joyce, sorry, those contracts are late, but I was being vigilant.
Jeremy
There you go. Yeah.
Jillian
All right. We're getting close to the end. Yep. In the sense that you're getting closer and closer to the crown jewels here. Yep. Um, we talked about the
Jeremy
Safe, the, in
Jillian
The,
Jeremy
That's right. In Oceans 11, if you'll
Jillian
<laugh>, you are in the facilities, you're doing your social engineering, you've dropped the packet mm-hmm <affirmative>. With a horrible ransomware. Yep. Uh, but you're still undetected. So what's happening now?
Jeremy
So the big thing is, is that once you land on that one end point, your job is to spread. Now you have to be very careful. You don't necessarily wanna spread everywhere depending on the actual attack that you're trying to carry out. You wanna be very targeted in what you're going after. Mm-hmm <affirmative>. So what you do is you usually land and you do a series of scans, um, to try and either collect more account information, uh, to do a scan of what their infrastructure looks like, understanding what the various different systems' patch levels are, basically going through. And the same thing that we do on the, on the good guy side of this, we're going through, we're scanning, we're looking for patches, we're making sure that vulnerabilities are managed, we're making sure that firewalls are on, that they've got endpoint protection enabled, all these good things. Right. How
Jillian
Long does that take?
Jeremy
Not as long as you would expect.
Jillian
That's what I thought you were gonna
Jeremy
Say that. So, I mean, we've seen some that go from literally point of entry to full encryption of an IT environment in less than 28 days.
Jeremy
Pretty scary. Yeah. So, but that's 28 days of being undetected. So there's a lot of other challenges there. So when we talk about like, some of the things we can do to mitigate and protect, there's a lot of, you know, everything from endpoint detection to, uh, SIEMs, data collection, log analytics, all that. You know, having a good, uh, vigilant SOC team that's 24 by seven. There's a lot of things we could do to predict that mm-hmm <affirmative>. But in these instances, they've kind of gone past those defenses, or those defenses don't exist. And so what they do is they scan, they look for other vulnerable areas, but then they look for vulnerable areas that are high value. And so what they do is once they find those, then they use the access that they do have to then drop another package further and deeper into the environment with the intent of getting to data.
Jeremy
At the end of the day, data is what it's all about. If you can take the data away, the data's what makes the company run, it's what makes applications function. And so if you rip that out from underneath everything, the whole house of cards falls down and that creates another level of desperation and panic and financial impact. And that's what gets people to pay. And so that's really what you're looking to do at that point, is you're trying to look for those soft areas that have high impact mm-hmm <affirmative>. And have access to highly sensitive data. And you get your way deeper and deeper until you have either the entire IT environment or some of their most critical systems and data sets identified. And then you use that exact, and then you basically load that ransomware package, you detonate it, you initiate an encryption, uh, event, and you lock them out.
Jillian
Checkmate,
Jeremy
Hopefully not. So one of the other things to always consider is, is that one of the most important things that these threat, threat actors will look for isn't necessarily just the live data. The live data is extremely important, but that's usually the second attack. You wanna make sure that you're identifying what their data protection strategy is. Because if it's too easy to recover, they're not gonna pay. Right? So there's still the activity of identifying them and expelling them from the environment, but being able to recover their data too efficiently and too effectively is bad for them. So what you wanna do is you also wanna make sure that you're there, that you're identifying the, the data protection platforms, seeing what you have access to, how far back does it go? That way you understand your data gap and that data gap. Like what is the value of that data gap to an organization? So you usually wanna target data protection first, then you go to live data and you leave them in a situation where they can't easily recover. And the only option that they have is to negotiate with you.
Jillian
I have so many questions about that. We're gonna get that in the, once we get into the war room, I think. Okay. But, um, are, are we there yet? Are we at the, the point
Jeremy
We are now at, how
Jillian
Do I know
Jeremy
We're, we're now in the blast zone, so it's, we are now fully encrypted. Operations are down, people aren't doing their jobs.
Jillian
So I as A CEO know that there's something bad going on because I'm not getting, something bad is happening, my email data is down something. So Correct. You Okay. Terrified. Yep.
Jeremy
Appropriately. So
Jillian
I'm panicking my <laugh>, I don't wanna be the next headline, Jeremy, so No.
Jeremy
Well, you are now based off of our scenario. You're, you're on the brink of a headline. Alright.
Jillian
So Jeremy, we're, we're pretty far into this thing. It's, it's been a journey. Just briefly walk us back through again, what were those key steps that are happening before we even realize anything's going on right down. Okay. So
Jeremy
Let's walk it through the various different phases. Step one is reconnaissance. Mm-hmm <affirmative>. Identifying, understanding your target, um, going out, collecting information. Step two is understanding where you have vulnerabilities, whether that's people, whether that's technology, you're gonna do that, various different levels of scans and understanding. Um, it's just that next evolution of reconnaissance. The next step that you wanna take is that initial entry point, that initial, um, basically penetration into their environment, whatever that attack bean might look like. Um, but with the express intent, and again, we're talking about this through the lens of ransomware, once we've actually been able to land inside their environment, it's all about lateral movement. You wanna scan, you wanna identify the most valuable targets within their environment with the intent of getting as close to the data as possible. Recognizing that number one target is data protection. Number two is live data. Once we know that we've got that, we understand their ability to respond, then it's time to detonate. And that's when we go offline.
Jillian
I'm picturing Ocean's 11. Brad Pitt just finished his hotdog is, that's right. He's zone it in. The team is getting ready, they're doing their thing. It's, it's, it's game on. That's
Jeremy
Right. Now we're standing inside the room. Mm-hmm. We're looking at the monitors of the vault. Mm-hmm <affirmative>. We're picking up the phone and we're calling the SWAT team.
Jillian
And with that to be continued, we're gonna have to come back together and meet up in the war room. That'll be our next episode. Jeremy, I am excited to have you back because I'm terrified. This is getting scary.
Jeremy
That's where, that's where the bad can turn into. Good. That's, I, I think that's the best part about the next time that we get together is that we talked about all the scary parts. Mm-hmm <affirmative>. Now we get to talk about like ways to prepare. And it's all about recovery. So it's hard, it's dark, it's scary, but at the same time, there's that pin prick of light at the end of the tunnel. And I think that's what's exciting to talk about.
Jillian
All right. You're gonna hold my hand outta this haunted house. We're gonna make it through. We're
Jeremy
Gonna get out together.
Speaker 3:
Thanks for listening to this episode of Insight On. If today's conversation sparked an idea or raised a challenge you're facing, head to insight.com. You'll find the resources, case studies, and real world solutions to help you lead with clarity. If you found this episode to be helpful, be sure to follow Insight On, leave a review and share it with a colleague. It's how we grow the conversation and help more leaders make better tech decisions. Discover more at insight.com. The views and opinions expressed in this podcast are those of the hosts and the guests, and do not necessarily reflect the official policy or position of Insight or its affiliates. This content is for informational purposes only and should not be considered professional or legal advice.