Autonomous IT, Live! Inside the Breach — Identity Hijack Response Exercise, E04

Landon Miles (00:00)
All right. Hello everyone. And welcome back to Autonomous IT Live brought to you by Automox. We've got a really exciting show planned for you today and we'll be doing an incident response drill. So why are we doing an incident response drill? Well, there's a reason pro athletes, musicians, firefighters, and many other occupations still practice. Repetition builds instinct. The same applies to incident response. So when something goes wrong, your team won't have time to stop and think about every move. Drills build muscle memory, clarify responsibilities, and help you spot breakdowns in processes, communication, or tooling. And in a lot of industries, they're required for your insurance or for compliance reasons. And running realistic exercises strengthens your incident response plan under pressure. And you'll learn where things fall, where people hesitate, and how to fix them, and all without real world consequences.

That's what we'll be doing today. So with me today, I have Tom Bowyer and Ryan Braunstein. Would you guys like to go ahead and introduce yourselves real quick?

Ryan Braunstein (01:03)
you

Tom B (01:07)
Sure. Hey everyone. And thanks for joining and continuing to support our journey here at Automox. I'm Tom Bowyer and I run my title as Senior Director of Security and Technical Operations and I run security and IT and SRE at Automox.

Landon Miles (01:26)
Well, in anyways, I am Landon Miles. I am the technical content manager here at Automox and we're going to run through this live show. So we'll give Ryan a second to hop back in and then we will get started. But.

Tom, do you have anything you want to add kind of about incident response drills and kind of why they're important?

Tom B (01:48)
You know, it's really about getting your reps in, right? As security practitioners, as IT practitioners, the worst possible time to understand who to call, when to call, who you should be talking to both inside your company and outside your company is when there's an actual incident going on when stress is at, you know, level 1000. So it's really important to just have some semblance of an incident response process at your organization, whether it's, you know, whether you're a Fortune 500 or even just a small mom and pop business, knowing who to call at your cyber insurance provider, knowing who to contact at the FBI, knowing who to contact. Um, you know, if you have breach counsel or any outside counsel supporting you in your day to day is really, really important and really important to exercise on a few times a year.

So when those times come, you're not as unprepared as you would otherwise be in the event that you don't exercise on it. Just having those things even typed up and having a playbook, having checklists, having all those things that are so important, prepped and ready to go will make you better off in the long run. So yeah, that's, I'll say that's kind of my, the best advice I could give in the very beginning, right? Just know who to call is really important.

Landon Miles (03:07)
Sounds good.

Absolutely. Hey, we got Ryan back now, so...

Ryan Braunstein (03:16)
That was very

weird, my mic was completely grayed out, but...

Landon Miles (03:20)
All right. Well,

Tom was just talking about kind of the importance of incident response drills, but we'll have you go ahead and introduce yourself real quick also. And then we'll go ahead and get started with the incident response drill.

Ryan Braunstein (03:32)
Awesome. Yeah, I'm Ryan Braunstein. I am the manager of security over here at Automox. I've been in every random bit of field of tech at this point from IT to security to infrastructure. So that's pretty much what I do here.

Landon Miles (03:49)
Yeah, and most importantly, as Ryan pointed out, the reason we asked him on is because Tom and I are both bald and Ryan has hair. So, you know, that works too. His hair looks magnificent.

Tom B (03:56)
That is the key reason. Yeah.

Ryan Braunstein (03:58)
Yeah. For now, for now, I assume

a few more years in security will really thin this bad boy out.

Tom B (04:02)
You

Landon Miles (04:04)
Hey, it'll get you.

Tom B (04:06)
Yeah, eventually it runs this way and then it runs this way, you know,

then you'll just have to grow a beard to compensate, right? That's the trick.

Ryan Braunstein (04:14)
I'll do my best. It doesn't really come in as well as yours.

Landon Miles (04:14)
thing.

Tom B (04:17)
Hahaha

Landon Miles (04:19)
All right, so I'm

going to give a quick overview of the incident response drill. So with these, you want to make sure that they're fairly tailored towards what you're actually going to be facing. So for this one, an attacker, well, an employee had some reused credentials in SSO. An attacker was able to access some internal tools, impersonate IT, send out some Slack messages to have people install other software, email, kind of push stuff around that way. And our objective is to contain the breach, remove the attacker, harden the environment with any of these breaches. I mean, it's kind of contain, fix, understand, and improve so it doesn't happen again. So with that, I'm going to hit pause and then we're going to go and pretend like we're in an anomaly. So kind of, so we've got problems. All right, so here we go.

Ryan Braunstein (05:13)
You

Landon Miles (05:16)
All right, Ryan, you just got a SIEM alert of an unusual geographic or IP based login. Automated triage confirms SSO access from a strange location. And we've got a few user reports saying that, hey, they got some weird Slack messages from IT asking them to install software. There's been a few emails going around. There has been some calendar invites for fake remote support sessions.

So one of the Slack messages we have right here is from a made-up employee named Jim Reynolds and says, hope you're doing well and crushing it this week. Arm emoji. Just a heads up, I recently moved to the IT team. Crazy, right? And we're rolling out some internal updates to help with endpoint support and diagnostics. Could you do me a favor and install this tool on your laptop? It's called remote help setup.exe. It's nothing fancy, just a part of our new support stack. And then it has a link and "click here to download it."

So the interesting thing, and I'll let you both weigh in on this, and we'll pause to discuss this a little bit, is that with the advent of LLMs and ChatGPTs and AI, you can create really specific sounding things that aren't full of typos like they used to be or misspelled words. You can kind of craft something that sounds realistic for phishing or for any of these.

Ryan Braunstein (06:38)
Yeah.

Landon Miles (06:44)
that takes just a few seconds now, and it doesn't have to be someone that is very familiar with your industry, with your tech stack, with anything, or even speaking necessarily your language, they can just kind of put that in there, pull it out, and have it going, and have them pointing to the software that they want you to install. So Tom, Ryan, what are your thoughts on this attack surface so far?

Ryan Braunstein (07:09)
You want me to start first, Tom, or do you want to go first? All right. And I'll probably talk about this a little later, but we are very close with our IT team over here at Automox. And I encourage most organizations to develop that relationship very well. So that would immediately stand out to me as not something that was ever communicated to us by IT. So I would immediately spin up an incident on that and get as many hands on deck as possible.

Tom B (07:12)
No, you can go.

Ryan Braunstein (07:39)
to pull as much information and start containing the breach as a whole without destroying too much and logging. Yeah, what about you, Tom?

Tom B (07:53)
Yeah. I mean, there's a lot here to unpack on this incident specifically. You know, the first thing right is we have a, an alert from our SSO provider that says, you know, new Geo-IP detected. And to me that's like, okay, let's fire up our, let's fire up our incident insecurity. Let's begin triage. Let's pull in logs. Let's look, you know, let's take a Slack backup. You know, those Slack logs are going to be so important both from

Ryan Braunstein (07:56)
Yeah.

Tom B (08:21)
where they logged in from, who they were impersonating, and also the messages that they sent. And, you know, we're a big Slack shop here internally, but, you know, whether you use Slack or not, it's important to understand if you're, everything is retained because sometimes they'll delete the messages after. So they'll send a message like this. They'll have the user download it and they'll delete the messages after.

And if you don't have that kind of retention period or those retention capabilities set up in your messaging platform, then you're going to miss a lot of context. You know, sometimes your employees will take screenshots like the, I got this suspicious message is this it, but it's good to have kind of, you know, the backup data to prove whether it was or wasn't some kind of suspicious activity. So make sure that kind of stuff is, kind of, you know, practice and rehearse and you're, pulling that stuff into your.

your SIEM if you have it, or you're working with your IT team and say, Hey, how do I get a copy of the last 30 days of all of our Slack transactions? And how do I browse through these things in an event of an incident? 'Cause just having a basic understanding of how those systems work on the backend can save you so much time. And really when these incidents kick off and you're in the weeds fighting the fire, just having some capabilities built out.

Landon Miles (09:35)
Yeah.

Tom B (09:44)
internally is really important.

Landon Miles (09:44)
Yeah, and I think that's a, I do think that's a good note also that most of the corporate messaging platforms, whether it's Microsoft Teams or Slack or whichever other one you're using, that is most of them will have that retention policy active. And that's kind of the sign of a good solution also is that if, Hey, like we, if we need to audit this, we can internally.

Tom B (10:07)
Yeah,

Ryan Braunstein (10:08)
Yeah,

Tom B (10:08)
absolutely.

Ryan Braunstein (10:09)
He also highlighted something that I think is also really important. Our security team is very transparent internally with our employee base. So the screenshots of the messages and stuff like that, getting communication out to your other end users is a great non-destructive way to contain a breach. Because it's also sometimes concerning. There are some platforms where you'll shut down a user and killing that access sometimes destroys logs.

Tom B (10:44)
Yeah.

Be a familiar face is really what I try to, you know, exactly. The last thing you want is the security team only communicating when things are bad or never at all. So they're like, is this, what is this, right? Who are these people talking to me right now?

Landon Miles (10:48)
Yeah, yeah, make friends.

Ryan Braunstein (10:52)
Yeah.

Tom B (11:07)
Instead of, you know, we're very, very transparent on the team here. We post stuff in Slack when we see new phishing trends against our employees or new, you know, SMS phishing campaigns hitting our employees. We're immediately posting in our announcement channel, like, Hey, the CEO phishing is back. You know, he's never going to ask you to buy gift cards. So please don't do that.

Landon Miles (11:26)
Yeah, good rule of thumb.

Ryan Braunstein (11:27)
Yeah.

Landon Miles (11:28)
Your CEO will never ask you to buy a gift card via text message.

Tom B (11:31)
You

Ryan Braunstein (11:32)
I think we even put that in our security training.

Landon Miles (11:34)
Yeah.

Tom B (11:35)
Yes, yes.

Exactly.

You know, something, something I always keep in mind and, you know, there are plenty of playbooks around incident response and containment and, you know, NIST has a great one, but something that helps me and has helped me throughout my career is just always having a theory in mind of what's going on, you know, as an incident commander, responding to an incident or even just being a participant, understanding kind of like what the working theory is between everyone involved is really important. So you can, you know, try to prove or disprove what's going on in, you know, Landon showed this one specifically for this, you know, the IT one, right? Like what's going on? We have an IT actor in our system. You know, he possibly came via the IDP. So he's in the SSO. He got, he or they got into Slack through the SSO provider.

Right? Like that's the running theory. How do they get in? What other systems did they access? What other adversaries in the industry work like this? Is this like a Scattered Spider attack? You know, they're very prevalent right now against airlines as we saw and other types of industries like that. Right? So if you're in those industries, just understanding the capabilities of your adversary and having that, you know, front and center as you're working these incidents of like, okay, here's their capabilities.

Here's where they like to pivot. Here are the systems they like to target because it's often not random. They're not just randomly poking around at things. They're very targeted. They have a plan in mind of how they want to execute. Running that theory in your head as you're going through these responses is incredibly important.

Ryan Braunstein (13:19)
Yeah, and as important as that, I would say as much as knowing their strategies, understand how your environment works. What direction would you take if you were trying to get to the crown jewels? You know where they are. So understanding how someone could move through your environment. It's something that you should really be working on daily, but especially as you go through incidents, work that muscle of understanding where someone would go next or where someone could go next.

Landon Miles (13:47)
Yeah, it's the old, if I was a bad guy, what would I do question. Yeah. Yeah. So, but yeah, so kind of we've identified that this is a problem. We've kind of gone through a little bit. So to contain the breach, what are, what are our next steps? So we disable this, the Slack profile, we disable the SSO account temporarily, and we start trying to revoke.

Tom B (13:50)
You

Ryan Braunstein (13:50)
Yeah,

attacker mindset, yeah.

Tom B (13:55)
Absolutely.

Landon Miles (14:15)
active sessions here. Can you guys go into that a little bit? What would you do to start to contain this breach?

Ryan Braunstein (14:23)
Yeah, so I mean, you really kind of covered it, especially if you have a central identity provider, disabling those accounts will be key. I know we have a lot of things set up that like, most of the time, if SCIM is shutting down a user or freezing a user, it will kill the sessions. But we actually have some automations and workflows in our SOAR and some of our other products here that end up going through and resetting sessions, like directly with like one of our security

Landon Miles (14:40)
Yeah.

Ryan Braunstein (14:52)
tokens into one of our SaaS platforms. And we usually focus on the most important ones first. Obviously, we're going to immediately reset sessions for AWS, our IDP, places where people could just dump information from, like your Confluences, your SharePoints, stuff like that.

Landon Miles (15:18)
Yeah.

So anywhere where there's important confidential data stored, that's like, yeah, get exactly. So where you don't, you don't, where you don't want, if there's anything that you don't want going out to the world, that's where you kind of go to make sure is locked down first.

Ryan Braunstein (15:23)
Yeah, GitHub, yeah. Nah.

Tom B (15:26)
Nothing sensitive there.

Ryan Braunstein (15:32)
Yeah.

Yeah,

and I would even say, especially if you can find not only that user, but users that received that message, going in and immediately burning their PAT tokens or any kind of API token, getting in there and just blowing those out immediately.

Landon Miles (15:47)
Yeah.

Okay. Yeah.

And then, so we talked about this a little bit earlier, but kind of sending out an internal alert at this point is good, whether it's just, a heads up, IT is never going to ask you to install software via a link in a Slack message or an email. Like just getting kind of ahead of that. I mean, a lot of times people are more attuned to watching for phishing emails, but with a Slack message, people are kind of assuming that this person is actually who they say they are, which kind of goes to this modern kind of the theory behind this is that attackers don't necessarily break in anymore. They just, it's a lot easier for them to log in. It's easier to steal a credential than to find a back door into somewhere.

Tom B (16:23)
Great.

Great. Yeah,

Ryan Braunstein (16:36)
Yeah,

Tom B (16:36)
exactly.

Ryan Braunstein (16:37)
I would even say, yeah, there's not only that, yeah, having great like tooling that you can like quarantine a device while still having access to it, especially in a remote workspace is huge. Like we have secure network solutions where we have the SCIM group that will immediately move someone to restrict all network access except to, you know, our remote agents to get into it. And then our EDR also does the same.

Landon Miles (16:48)
Yeah.

Ryan Braunstein (17:05)
So knowing those ways of cutting off movement as well is a good idea.

Landon Miles (17:10)
Okay. And then what about kind of if scanning your environment for that software, removing the software that was installed maliciously. So, I mean, obviously we're Automox, but I mean, so one of the ways that we would do this is through a worklet, which is just a way to scale an automation script. So it can scan that endpoint, see if it's installed, see if a registry key has been changed or something. And if it has, it can flag it and say, Hey, this is an issue and you can go ahead and do that.

Tom B (17:11)
Thank you.

Landon Miles (17:40)
Remove the malicious tool, block any C2 domains at that endpoint level, and then tag any of those devices like you were talking about for forensic review. Is there anything else we're kind of missing in those steps?

Ryan Braunstein (17:57)
Yeah, I mean, like you covered like the worklet, like we use a worklet here and like any kind of solution like in Automox can do this, but like during the XZ vuln situation, it wasn't even as like critical as like an immediate somebody's in our stack incident, but we still used a script to search for that vulnerable version within our stack and output a report of users that are affected and then deploy another one to patch it and then compare that list again. And so...

Landon Miles (18:21)
Yeah.

Ryan Braunstein (18:26)
Yeah, just knowing your endpoints, knowing your stack, I think, it's just, it's always going to come back to that.

Landon Miles (18:33)
Yeah, just being able

to see into those endpoints also is it like, because if you didn't have visibility into your endpoints, you'd be blind at this point. So like, it's like, Hey, there's a big problem going on, but I can't, I can't do anything. I can't see anything. But having a tool that says, okay, this is what's running on these endpoints. This is how it operates being your, with your EDR, with your endpoint management solution that like without those solutions, you're blind.

Tom B (18:46)
Right.

Ryan Braunstein (18:50)
Yeah.

Landon Miles (19:03)
So.

Ryan Braunstein (19:04)
Yeah, we're kind of spoiled here where we have a lot of visibility into our infrastructure and in our endpoints. So if any threat actors are watching, we have a lot of visibility. We're very spoiled here.

Tom B (19:04)
Yeah.

Landon Miles (19:09)
Yeah.

Don't even try it.

Tom B (19:16)
Yeah. And I think,

I think outside of the endpoint kind of quarantining and similar actions, it's also important to, you know, have the security team download this malware. You don't have to be an expert in, you know, reversing or, or similar, right. Just having, having some sort of detonation capability, even through a lot of these, you know, online providers, a place you can upload an EXE and see kind of what it's doing, what network calls it's making, how it's operating is really important as well to understand kind of exactly like what's, what's the blast radius here. And then building some detection rules around, you know, that, that, that feature set and uploading that to your, your EDR, your SOAR or your SIEM or whatever, whatever you're using it to build detections in is kind of the next step because not only that, not only that the first piece.

Landon Miles (19:48)
Yeah. So what's it going to do if someone actually runs this thing?

Ryan Braunstein (19:53)
Yeah.

Tom B (20:13)
The blocking, the containment, the eradication is really important, but there's an expectation now in the industry where if a breach, you know, say this blows up into a large breach, you know, the industry expects you to provide some kind of after actions report and having like hashes and IP addresses and malware samples and how those things are executed. It's really important to show, you know, you know, Hey, we're not just some mom and pop. This is, you know, how we responded. This is how we contained it.

Here's what we saw, here's what you should be looking for in your environment. You know, attackers often reuse techniques and playbooks and infrastructure sometimes and capabilities. Just providing that back to the industry is so very important to keep not just us safe, but the industry as a whole safe. So make sure you're documenting, you know, those hashes, IP addresses, all those good things to provide a good after actions report to, you know, your board, the industry, your team, those kind of things. Keep that in mind.

Ryan Braunstein (21:16)
Yeah.

Landon Miles (21:17)
Yeah. So now that it's kind of we've contained it, we're starting to try to figure out why this happened, how this happened. So at this point, like, do we, how do we figure out if it's a targeted attack, if it's an inside job, if it's an attack of convenience, like was it, was it really Jim Reynolds or whoever sending out this from his own work laptop saying, Hey, I'm going to Jim's rogue. Jim's gone rogue. Yeah. So like,

Tom B (21:36)
Jim's gone rogue everybody.

Ryan Braunstein (21:40)
Yeah,

why would Jim do this to us?

Tom B (21:43)
How dare him.

Landon Miles (21:47)
How do you figure out, I mean, do you just call the guy and say, hey, like, I saw this weird login, or inside job, attack of convenience, whether it's Shodan or something, somebody just found those credentials, logged in and said, hey, this works, I can get in now. So like, at what point do you start trying to figure out how this happened?

Tom B (22:06)
Yeah. And I think we're moving now from like, I call it from like the easy part, even though it's not necessarily easy, like the containment, the initial response, everyone's on a hundred and we're all responding quickly, solving the problem and getting it done to like the long tail remediation piece. And right. Like what happened? How did they get in?

Ryan Braunstein (22:07)
to.

Landon Miles (22:25)
Like how do I make this not happen again? Yeah.

Ryan Braunstein (22:27)
Yeah.

Tom B (22:31)
And how do I make this not happen again? And, sometimes this involves engaging, you know, an incident response provider outside of your business, through your cyber insurance. Sometimes you're already doing it internally as a team. And this is like the week's work, right? The first, the first, when they're first in, that's like the hours work containing it quickly. Now we're moving into like weeks worth of work. Eyes on glass, reviewing logs, like line by line, by line, by line.

And, you know, maybe with new agentic AI, it'll be a little bit easier for this phase, but, you know, we're reviewing line by line by line, understanding the timeline of the incident. He got in, they got in here through this user, through this IP address, using this credential set. Well, you know, it wasn't the user because we asked them, and then it's like, was it bad credentials? Potentially they reused some credentials in some other system and

Ryan Braunstein (23:11)
Yeah.

Tom B (23:30)
that system was breached and then, you know, they were able to capture it. Is there some form of, you know, credential stealing software on our endpoint that our EDR is not detecting? That's always a possibility, you know, and there's the other scarier situations of like, you know, were they paid to give their credentials up, which is not out of the ordinary these days. Sometimes people are paid off and they give direct access to systems. So that's the, you know, that's the hard part is really finding that almost needle in a haystack of like, this is how they got in. Let me look at all my logs. And I literally have to look at all my logs and see, you know, I have to prove, you know, you have to prove your theory, right? We kind of like, like, and I'll go back to that theory idea over and over again, right? Like we have this theory, now we have to prove it. Well, how do we prove it? Well, we prove it with data. We prove it with logs. We prove it.

Ryan Braunstein (24:15)
Yeah.

Tom B (24:27)
with discussions with the individual. Obviously they're in sales and they're not trying to phish the organization. So they probably were compromised. Well, how did they do it? Maybe LinkedIn is compromised and that's a whole nother mess. Or maybe they used their email, their work email on some personal sites and that thing got compromised, right? Like that's kind of the, how do we get from compromise and work our way back to how this actually happened? And then, you know, making things more secure from there.

Ryan Braunstein (24:39)
Yeah.

Landon Miles (24:56)
Yeah, absolutely.

Tom B (24:56)
And you know, you can jump

Ryan Braunstein (24:56)
Yeah.

Tom B (24:57)
in, Ryan. I don't mean to hog, though. Hog everything.

Ryan Braunstein (24:59)
No, no, mean, look,

I've been, I've been bebopping in and out, like interrupting when I, when I feel the need, but that, that's all very true. Like, I still remember one of my first incidents here, like four or five years ago, and I was just here pulling IT logs for, I think, you on a security incident. And I was just like, I assume they got in like this, and you were like, well, don't assume. Bring, show me, like.

Landon Miles (25:22)
You

it.

Ryan Braunstein (25:26)
And that's

Tom B (25:27)
Okay.

Ryan Braunstein (25:27)
always

stuck with me through my whole career in general at this point. Yeah, and I think that's just a really good talking point there is engaging with the individual. Because sometimes that even happens in the hours section, like the investigation section. You'll bring them into it. But in this case, it's a compromised Slack account, so you don't know if you're bringing in the threat actor or that person. So a lot of times it's good to have protocols in place as well for external communications with users to just kind of like...

Landon Miles (26:04)
Yeah, and so like reaching

out to your HR department saying, hey, like you call this person on their cell phone instead of like any internal means.

Ryan Braunstein (26:07)
Yeah

Yeah, yeah, because like data will provide a lot too. And then there's a lot of enrichment around that data by talking to the affected individual and other individuals that engage with them. That's the week's work, probably, that Tom is talking about as well. We've, you know, when we've ever had an investigation like that, we pull people in and like we start talking to them. And that's when it's good to have a good incident commander. Because like when you first spin up an incident, you're probably hands on the keyboard going hard, just trying to lock this down and triage it on your own until your team can swarm, and then you have to kind of stand up above that and go, okay, I need you to do this, I need you to do this, grab these people and talk to these people. It's another reason why you do these reps, you know, so that you can have that practice. In terms of, I mean, are we in full remediation talks here now or are we talking about still just kind of gathering the data?

Landon Miles (27:13)
Yeah, I think we can, I think we can, whichever point you want to go to next. You had a beat on something, I'll let you go for it.

Ryan Braunstein (27:19)
Yeah,

Yeah. I mean, then it just kind of turns into this situation where you're trying to keep your security controls in place, understanding how those affect the users, understanding how they got around your current controls in general. And as you find that, you can talk with your team and go, hey, how can we stop this one from happening again? And I'm talking about like...

You know, I think something we've experienced here is MFA fatigue. Like when you get that push notification, and a lot of like big providers use that and it's very good. Like as long as your users are like not getting that fatigue, it's a very, very like good system. But one thing that we've, you know, moved to here is like hardware tokens because like it's a very deliberate action of logging into something. And we've been...

Landon Miles (28:11)
Yeah, kind of like a

phishing resistant MFA where you're not getting the spam for, hey, like 20 different notifications, log in, log in, log in, log in, or no.

Ryan Braunstein (28:16)
Yeah.

Yeah, like you can sleep at night, you won't get a ping in the middle of the night from someone trying to log into your account, you know, on your verification app. You know, again, making it very deliberate for your users to log in while still kind of keeping it ease of use. It's kind of like the park ranger thing where you've got a trash can that you don't want a bear to get into. And like there's a very, you know...

Landon Miles (28:46)
You

Ryan Braunstein (28:49)
thin line between the smartest of bears and, you know, the, yeah. So you have to kind of think around that as you're thinking about these remediation steps.

Landon Miles (28:52)
the dumbest of humans.

Yeah. We did have an interrupt real quick. We had a question come through on LinkedIn. So kind of asking about, so we had talked about downloading the malware, extracting the malware, kind of running through that. Can you go into kind of how, how you would do that? How, how you would see what the malware, malware is doing.

Tom B (29:20)
Yeah. And to answer the question in the chat, right? Like VX Underground, it's really great, especially if you download it on your work computer and you're not in security, right? Like, absolutely. So it's really about, you know, having some place to detonate malware, having some kind of capability internally on your team to, you know, whether you're using a virtual machine or whether you're hosting kind of like a malware zoo internally within your security team, just having a place where you can

Ryan Braunstein (29:20)
Here we go.

Hahaha!

Tom B (29:49)
download malware safely and then detonating it, whether that's, like I said, internally, you're doing it yourself, you know, you're clicking the executable and just watching it, you know, recording that network traffic with Wireshark or something, or you're uploading it to Joe Sandbox or something where you can just upload the executable and then it, you know, it detonates it for you and provides you kind of like a summary report around, you know, what capabilities it has, or what's it contacting, what registry keys it's using, those kinds of things. So, you know, there are lots of places, but you know, having that workflow down is also really important. But yeah, shout out to VX Underground. It's a great place.

Landon Miles (30:31)
You

Ryan Braunstein (30:31)
Yeah, I would

also, within a cloud environment, I feel like I should also bring up like, you know, sometimes like full pods or instances are going to get infected and you need to run, you know, some kind of scans on them or not. One thing that we do internally is we have a sandbox cloud account that's separate from the rest of all of our environments. And we have a bit of a workflow that can then send

like that, you know, just isolate and like clone that, like that EC2 instance and move over there and run through processes of scanning it and whatnot. And I think that's something that as you move more into the cloud space, you should be aware of like the, this case, it's an endpoint, but that endpoint could quickly spread into the cloud if they have network access. So having a plan for that as well is a huge deal.

Landon Miles (31:27)
Yeah, absolutely. Absolutely. Well, I think that's coming kind of to the end. We're coming close to the end of our time here. But so kind of about to start playing the music. Yeah, so kind of wanted to go through some lessons learned here a little bit. So, I mean, real credentials plus real tools is kind of the stealthy way to get in. I mean, you don't have to spend a lot of money on a zero day or back door.

Tom B (31:36)
He's playing the music. He's playing the music. You're talking too much.

Ryan Braunstein (31:38)
Play me off, Johnny!

Landon Miles (31:56)
It's like, it's easier just to, I can log in instead of, I can pretend that I'm the right person instead of having to go through a back door. These things can be weaponized pretty quickly and identity is not always equal to trust. So Tom, Ryan will go through this one and then we'll wrap up, but I just kind of wanted to the identity trust. There's been a lot of talk about that recently also. So.

Zero trust, all that stuff, kind of zero, what are you guys's, can you guys talk about that a little bit?

Tom B (32:30)
Yeah, I say, you know, understanding your environment like Ryan alluded to earlier and alerting on deviations, you know, where we use one certain tool for our IT team to remotely access systems and any deviation outside of that should be an alert. You know, that's just a really, really common way attackers get in. And sometimes they'll disguise things as like other legitimate software. You know, sometimes they'll impersonate Zoom or

Slack or whatever, right? But having digitally signed software and learning on those deviations is another great example of like, you know, kind of trust, but also verify what we're running, alert on deviations and working closely with your IT team and understanding what tools are deploying and, you know, having just having that repertoire down around.

When they deploy, how do they deploy? What does that look like? You know, cause most teams deploy through, they deploy applications through a certain workflow, whether it's an RMM tool or a tool like Automox or, sometimes they're manually running PowerShell scripts on the endpoints, but just understanding that workflow and how are you protecting that workflow for them? And it is really, really important. And you know, make sure you're setting yourself up for success from

remote communication standpoint, you know, tools like Slack have the ability to lock down changing your name. And, you know, you can only change your name if it gets changed in like the HR payroll system, you know, having that integration set up because in Slack today, or for a long time, even here internally, you could impersonate other people where you would just change your display name. And, you know, you could have two Tom Bowyers running around.

And we will do it to each other in the security team. You know, we finally, we...

Ryan Braunstein (34:21)
Yeah, that was extreme. That

Landon Miles (34:21)
So that's why that didn't work the other day.

Ryan Braunstein (34:25)
was a very confusing day for me.

Tom B (34:28)
Yeah, exactly. And it wasn't

Landon Miles (34:28)
No.

Tom B (34:31)
like a top down thing either, right? Like a lot of the stuff bubbles up from, from internally within the teams of like, Hey, I can impersonate people. We should get this taken care of. And yeah, you want people to be able to set their display name and stuff, but you don't just make it done in the HR system and not in Slack because you could easily impersonate people on Slack. And then it causes a big mess.

Ryan Braunstein (34:38)
Yeah.

Landon Miles (34:39)
Yeah

Ryan Braunstein (34:56)
And I would say, speaking with the policies and procedures aspect of things, like having good procedures, like Tom said, it creates a lack of deviation. So, if you're lucky enough to have a solid compliance team, legal team, lean on them to get a lot of these policies in place to kind of support that standardization of workflows within an organization, because that only helps.

to kind of embolden your control making within like your SIEMs and stuff like that. So, you know, we're very lucky and we have a great legal team and compliance team that kind of helps us, you know, bottleneck it a bit. Yeah.

Landon Miles (35:38)
Yeah, absolutely. Yeah. And so to expand on Ryan's point too, is that like, yeah, as much

Tom B (35:41)
Yeah, add a little resistance, you know.

Landon Miles (35:45)
as we always talk about the importance of IT and security working together, it's just as important for those to work with other people within the other departments within the organization. Talk with your HR, talk with your accounting, like work with everybody to be able to understand what their workflow is, what their pain points are, and be able to kind of understand your systems.

So being able to understand everything, being able to understand your network, how everything works sounds trivial, but it's critically important too. So the people are important.

Ryan Braunstein (36:16)
Yeah,

I would say security, like the mindset should be security is everyone's responsibility within an organization. And so you should not be a stranger to any org within your organization.

Landon Miles (36:28)
Yeah.

Yeah, absolutely. Well, thanks so much, both of you for joining. Thanks everyone for watching. We do have, I'll put this in the comments here shortly and in the description for anybody watching this later, but we do have kind of a, if you've never done an incident response drill before, we put together a little document, I'll share my screen right here, that is just kind of an incident response checklist. We'll put, again, we'll put this in the...

in the comments in the descriptions of these live shows also. It just kind of walks you through choosing a scenario, running the drill, post-drill, of what we did here, tabletop walking through. So that is, so be looking for that. It'll be in the description, like I said. But yeah, so that is the live show. Thank you so much, Tom, Ryan, for joining. If you guys enjoyed this, be sure to tune into their Patch Tuesday podcast.

very similar to this one. But yeah, are there any parting words of wisdom that you guys would like to share?

Tom B (37:33)
Take care of your people.

Landon Miles (37:35)
Yep.

Ryan Braunstein (37:36)
Yeah,

and then-

Tom B (37:37)
Always have a

running theory. Those are my two.

Landon Miles (37:39)
Ha

Ryan Braunstein (37:40)
Man, those are hard. I mean, again, I would just say know your environment and lean on your team. So, yeah.

Landon Miles (37:50)
All right, sounds good. Well, thank you guys so much and we will see everyone soon.

Ryan Braunstein (37:58)
See you everyone.

Creators and Guests

Landon Miles (Host)
Landon Miles is the host of the Hands-On IT podcast. Landon's profound passion for technology isn't just evident in his voice, it's apparent in how he breaks down cutting-edge tech trends, formats user-friendly tutorials, and gets into the weeds of the complexities of IT technologies. His approach makes the Hands-On IT podcast an essential resource for both seasoned IT pros and those new to the field, looking to enrich their tech experience. With a background that spans various facets of technology, Landon brings a wealth of knowledge and practical insights to each episode.

Ryan Braunstein (Host)
Ryan Braunstein is the host of Patch [FIX] Tuesday and the Security Manager at Automox, boasting over a decade of experience in cybersecurity. With a strong technical background and a people-first attitude, Ryan excels at demystifying complex security challenges, from automating AWS environments to developing and implementing security tools. His collaborative approach and proactive mindset make him a trusted resource for IT professionals navigating the complexities of cybersecurity.

Tom Bowyer (Host)
Tom Bowyer is a cybersecurity sentinel, guiding listeners through the digital wilderness with wisdom gleaned from the frontlines of security program development. As the Director of Security at Automox, his expertise spans secure software development, vulnerability management, and more, making him a lighthouse for those navigating the stormy seas of cybersecurity threats. On the Patch [Fix] Tuesday podcast, Tom shares invaluable insights, mitigation strategies, and the latest in custom automations for CVE remediations. His dedication to modern, effective security solutions makes him a pillar of trust and knowledge in the cybersecurity community.