Webinars – Cybersecurity


    Speaker (00:00)
    Welcome everyone. Thank you all for joining us today. My name is Gershon Morgulis. I am the founder of Imperial Advisory. We are a fractional CFO firm. So we’ve got a team of CFOs and we go into businesses that need help. Some businesses we work for the CFO, if there is one. We help them with things like audit readiness, financial planning and analysis, mergers and acquisition support.

    And for businesses that don’t have a CFO, we go in as the CFO and we give them access to a top notch CFO on a part time basis. And we work on everything with the smaller businesses from strategy straight through to execution. So we work with your team or we take care of things that your team can’t take care of as well as obviously leading and working with the CEO on planning and charting the path of where the business needs to be.

    I’m going to take a moment to welcome the people from our team. I see we have a few people. I don’t see that many faces. So welcome to all the people who do not have faces and also welcome to Dean. Welcome to Stephanie and welcome to Brittany who gets these things all set up. Thank you very much for all of your help. And again, welcome to everyone who’s all our guests and people on our team who I don’t see.

    So back to finance. One of the things that we view as the role, as a piece of the role of the CFO is protecting the assets of the organization. I don’t know if reputation counts as an asset, but we can just say protecting the reputation as well, right? So a company needs to make money. They have to sell, they have to sell profitably. But in order to do that, you need to have the right systems and processes in place. And that applies to all sorts of things. You got to have the right marketing in place. You got to have the right people in place and you have to have the right IT in place.

    If you end up in trouble that can cost you money, could ruin your reputation, can hurt your clients, which is obviously the worst thing. So thinking about IT, while we’re not experts, thinking about IT and making sure that that is something that clients are thinking about is something that’s very important to us as well. So therefore it’s appropriate to have IT and cybersecurity related things as part of our webinar series.

    We are appreciative to Dean for inviting Steve to join us on this webinar. And we look forward to Steve’s insights on cybersecurity and everything else he’s gonna tell us about.

    So I’m ready to go. You guys ready? And I’ll kick things off if that’s okay. Yeah, introduce yourself and. All right, well, yes. Steve Stasiukonis, Secure Network Technologies. I was the managing partner, I’m a founder of the company. Started it back in 1997. We’re essentially professional white hat hackers. We test network security from all aspects of it too. Like we’ve got a full blown red team.

    I mean, we do everything from the aspect of being a threat actor. We just go in there as a, almost like the adversary to show the weaknesses of a company’s network. We do things very much like the bad guys do. And doing this over the course of several years, we’ve learned a lot, but the real learning part came from becoming an incident response business. And this is where we come in when somebody was compromised and they were taken over or there’s a ransomware activity, some redirection of payment, business email compromise. And that actually makes us better pen testers. When you learn from the adversary, you’re seeing what’s happening from how the threat actor does what he’s doing. And it gives you a better understanding of what you need to do to protect your environment. And we share all that information with our client base and so on, so they can go out there and harden things properly. Last thing you want to have happen is getting compromised. This presentation is all derived from stuff that we’ve seen that’s actually happened.

    So, hopefully you’re going to learn a lot about what you’re up against. And really the problem we’re seeing now is hacking versus protecting. And I’ve got one slide here that I’m going to show you that’s rather interesting. It was done by a group out of Boston, Boston Consulting Group. And they did it around 2020 and what they showed was something really interesting. The cost to hack a network is getting cheaper. If you’re a bad guy and you want to get into the world of crime and make bank, all you got to do is figure a couple of things out, leverage some skills from some other people, and you’re going to be off to the races to make some serious money. The problem in today’s world, because of that, is it’s getting harder and more expensive to then protect your network and protect your business as well. So this is unfortunate, but the data that we have to show you really kind of backs things up. And ultimately, the threat actor today is getting really smart. So…

    Everybody always asks the question, who are the bad guys? The first thing that happens when somebody gets compromised, they don’t understand it. Like, well, who are these hackers? And we call them threat actors now. We don’t call them hackers, but threat actors are essentially the group that we’re after. And what we try to show them is that it’s now known as the advanced persistent threat. And this was the term that was coined by the US government and the Air Force on really labeling the threat actors or the slash hackers on who they are.

    And they’re broken down into three groups. And these three groups are foreign national nation state bad guys. And how does this work? So you’re living in Russia, China, the Middle East or some other country where, you know, they state sponsor bad guys. What you do is you tap a young individual early on, you find out that they have promise and you bring them into the world of offensive security. You train them to be hackers. And the countries like Russia and China, they’ve got campuses of individuals that they bring into the fold and they give them the tools and the capabilities to become cyber warfare machines. And that’s our first group that’s out there. The other groups are hacktivists and anarchists. And those are individuals that band together much like LulzSec, or if you’ve heard of Anonymous, Cult of the Dead Cow, Lizard Squad, Wolf. These are groups that are out there that essentially band together and if they have an ax to grind with somebody, they go after them. Or they got some political views they don’t like, they go after individuals or organizations. But that’s our second APT.

    But the third one is the one that’s raising really the problems that we’re seeing across the globe. And that’s the organized cyber criminals. And these are the ones that band together. They actually, I’ve had a theory that’s out there that I actually had vetted from an individual that was one of the ex-directors of the CIA. I had said, you think some of these nation state guys are getting old and retire and becoming the organized cyber criminals? And he said, without question. And he goes, that’s what’s feeding the machine. And they bring other people into it. They train them, they show them.

    They have the relationships with the countries and there’s big money in it. And with the invention of cryptocurrencies that are out there and you’re pseudo anonymous, in some case anonymous, well like Monero, you’re able to then have that payment made to you, launder that money into a fiat currency and it’s incredibly lucrative. And that’s why this has gained so much momentum. Now, the thing about the countries that are actually sponsoring it, like China, this is Xi Jinping, we all know that.

    And ultimately these guys have more hacker groups that are out there that are hacktivists, anarchists, as well as their organized cyber criminals. But there’s groups like Hafnium, there’s Deep Panda, there’s going to be TA428. There’s a group called Bronze Starlight. There’s another one called Volt Typhoon, Salt Typhoon. There is a boatload of them. And the groups get larger and larger and larger. And the cyber machine of the country is really cranking out these individuals and these groups that are out there hacking.

    So there’s no shortage of them. And in fact, these guys are out there once again hacking on behalf of their country. They’re bringing currency into their country and, you know, Xi’s got no beef with it. So it continues to happen. Frightening thing about these groups like Bronze Starlight is they’re using hacking tools that my pen test team uses. They’re using, you know, Metasploit, they’re using Cobalt Strike, they’re using Mimikatz, they’re using all these other crazy tools that my guys use and they’re using those against us.

    So they’re well trained and they’re well versed and they understand our environments very well. The other group that’s out there is this guy. And if you don’t know who this is, this is the leader of North Korea, this is Kim Jong Un. So Kim Jong Un has been sanctioned by who knows how many countries, his father, his grandfather, same boat. They’re always making money based on some sort of illicit trade. Ultimately, they’ve got groups like Lazarus. They’ll hack anybody, infrastructure, financial services, anyone for anything if there’s money to be made.

    There’s groups like Kimsuky, there’s Temp, there’s Kermit. Anybody that’s a company now, say, you know, predominantly financial services, these guys actually broke into an organization. I forgot the bank that was in the Middle East someplace, but they almost swindled about a billion dollars. There was a transaction that did go through. They did capture some of that money, North Korea did, but they didn’t get the whole, you know, whole billion. But ultimately this is how Kim finances his missile program. According to the FBI, 50% of the money that North Korea brings in from ransoms actually goes into their missile program. So that’s a lot of money. The other group, this is kind of the 800 pound gorilla right here, it’s Russia. And since the war with Ukraine has been happening, we’ve just seen a lot of new organized cyber criminals coming out there. There’s Fancy Bear, Cozy Bear, Berserk, Conti, Clop. I mean, the list goes on and on and on. These guys will hack

    anyone for money. They don’t care. And why not? They’re successful at it. They’re bringing crypto into Russia. They convert it from a cryptocurrency into a fiat currency. And ultimately Russia wins. It’s very difficult to stop this type of activity where they’re sheltered in a country where there’s no extradition. And you know what? Putin’s got a lot to smile about because once again, I think when we see what’s happening right now, they tend to be winning. So with that, we’re seeing the threat actors that are expanding. And this is kind of an interesting thing that’s out there. So as I’ve been in this industry for almost 30 years now, I’ve seen the trends and activities of bad guys, but the popularity that’s gaining right now is almost frightening. And we’re seeing things where hackers are franchising their brand. And what happens is, this is kind of interesting. If you have a group that’s ransomed a few organizations, you’re deemed successful,

    and you want to make the next step, you join an affiliate program. And this is an example of an affiliate. So LockBit 3.0 is a gentleman named Dimitri. Dimitri out there goes, okay, join my program and I’m going to take 10 to 30% of the ransom. But in the meantime, I’ll teach you how to do some certain things. And then that’s what’s been happening. He’s actually gaining or giving them the tools to be successful to then branch out and then, once again, ransom more companies, more businesses, because he’s just making the money on the backs of other threat actors that are out there. He’s doing things like this. He’s teaching them how to negotiate. And this is a great example. So with LockBit, if you join his LockBit environment, now called Dark Vault as well, they’ll teach you how to negotiate. They’ll say, listen, break into the organization, get the certificate of insurance, understand the limits that they have.

    You know, when you’re dealing with the incident response people, it’s almost like a course. It’s a training session on how to make sure you get the most out of a ransom. So once again, he’s giving them everything they need to be successful, because he’s making more money if they’re successful as well. Frightening thing, the guys at Darkside, these guys had hacked into a lot of places. I believe they hit Colonial Pipeline, way back when. But when you went to their wall of shame, when they were still posting their stuff, they had said this, they were like, dear victims, we don’t cooperate with any of the following recovery companies, which are incident response companies like Coveware. They said, you can contact any other recovery company or write to the guys at Darkside and they’ll refer you to an incident response company. So they know who they want to negotiate with, who they don’t want to negotiate with, and clearly this is how they do their deed and how they do their business. If you want to go back and look at this wall of shame here, this is typical of everything that’s out there. It gives you the ransom. They’ll say, okay, this is a million five. It’s going to be based on this many Bitcoin. But if you pay now or if you wait, it’s going to be doubled. And then it shows you the time left. And then there’s a leak site that’s going to show you the data they exfiltrated. This is everything to do to create as much fear and panic in a victim to then have them pay as soon as possible. And this is kind of the MO for all the bad guys that are out there.

    The site may appear to look different, but usually the content is always the same. Threat actors are now looking to fix their problem in the job market. And the reason is that they’re looking to obviously get talent, just like in the IT world, in our world, there are sites that do job placement. And this is a group out there that says they want to become a freelancing site. So this is how this works. Let’s say you want to join a crew of bad guys and you want to be able to say, I add value because I understand Active Directory really well. So you would go to this site, you give them your handle, you probably have to give them a few examples of some of the things you’ve done. They may test you and then they’re going to place you within a ransom group or you might join their particular group that they’re a part of. But essentially it’s a job board. And it’s kind of frightening because this is what’s happening on not just this site. You go to the dark web, you see a bunch of amounts out there, looking for this, looking for that, if you have a certain skill set. Very interesting times. Once again, they have a labor issue as well. The crimeware kits and the hacking tools are really interesting and I’ve always had an interest in them, but now we’re seeing some momentum. And the momentum is this, it’s like the dark markets are getting better and better. So if anybody’s been to the dark web,

    there’s markets, some are scam markets, some are legit, but for the most part, like this is a site that I consider legit. We’ve bought things and we’ve bought, you know, crimeware kits, we’ve bought malware kits, we’ve bought all sorts of data that’s on there. The experience of buying on a dark market is very Amazon-esque. And in fact, you can get whatever you want. It’s not just hacking tools. You want to get drugs, you want to buy a machine gun, you can buy anything you want. And the experience is rather professional. I mean, you look at what’s out here, for example, you could buy a hacking toolkit to become a millionaire. It’s $312 in Bitcoin. How these transactions typically work is you have a shopping cart, you put it in your cart. Oh, but before that, you have to escrow money within the market. So you have to load it up with some crypto, whether it’s Bitcoin or Monero or Ethereum. And at that point, what’ll happen is, you know, you shop, you buy stuff, and then at some point when you check out, the market then clears the money and you’re supposed to then get, for example, here a link to download your crimeware kit. I’ll tell you, I bought kits on here before and one time I got burned by a vendor and I went right back to the administrator and I complained and within less than five minutes they refunded my crypto. So really interesting customer service, fabulous, almost better than Amazon. So these guys are once again creating their own little industry, basically on the backs of hackers and threat actors that are out there.

    And there’s tons of markets out there. Interesting thing too that’s happening is if you’re not that skilled at being a bad guy, there’s services now that allow you to do things that are essentially automated. And this is a really interesting service that’s automated. So you go online on the dark web, this is fully indetectable ransomware, they got a typo there. But ultimately what you do is you give them crypto, you pay for it, and then you fill out. It’s like software as a service, it’s ransom as a service.

    And essentially this form comes up, you put in, now you wouldn’t put your real email in, just to let you know you put an alias in there. And then at this point, you’ve got your ransom note, you got your victim details about what you’ve just done to their network. And at this point, the ransom amount, the payment details that you want, probably your crypto key of where they’re gonna pay the crypto ransom that’s there.

    And then you could then create the malware of your choice, whether it’s Windows, whether it’s for an Apple or for Linux platform. And then the file type, it essentially creates whatever you want. You order it, they deliver it. And at that point, you have what you need. So you don’t have to be a developer. You don’t have to be a skilled programmer anymore. You just have to be able to handle a few simple steps here, be able to then move your crypto from one place to the other. And at that point, you’re off and running.

    So this is an example of some of the ransom services that are out there. The other services that are out there, so let’s say you just bought your malware and you now want to do some sort of phishing excavate to break into an organization or to launch that piece of malware, this is a site called Robin Banks. So you actually go to Robin Banks and you can create a phish of whatever you want. If you want to create a transaction to a user that says that they have an issue with, let’s say, the bank of your choice here, you drop and drag whatever logo you want. If you don’t have a logo or send a bank, you could just dump the logo in there. And then the language is built for you. It’s incredibly articulate. It’s really well written. There’s not a lot of typos inside there. And then you once again, just create the list of the individuals that you want to send this to. And you put out a rather sophisticated phish. This isn’t even AI. It’s a bit AI right now, I think, but when this first came out, it was mostly just a lot of decision-based stuff that was in there. The new tools are a little bit more frightening that are out there. But this is what you’re going to see. You’re going to see things like this become, they’re expanding on becoming a lot more clever in terms of how to get that phish into an organization. And I’ll tell you right now, you can go to a boatload of forums that are on the dark web and they know all about the training services like KnowBe4 and they know about Hook and, you know, all these other types of security services that train the users and they’re doing everything to, like, once again, bypass those. They’ll even use a KnowBe4 phish. Heck, my guys have done KnowBe4 phishes, not being KnowBe4, and then they trick the user thinking that they’re going through a training course. So the bad guys understand what we’re doing and every step of the way they’re trying to bypass us. So you’re a bad guy. You just bought your malware, the fully undetectable ransomware.

    You built yourself a phish, but perhaps you want to have faster access to the inside of a network, you go to an access broker. And an access broker is almost like a cottage industry for the bad guys. So what these guys will do, the access brokers pre-break into places and then they sell the connection to the threat actor that wants to gain access to it. So this is an access broker, or this is one of my RDP ones.

    And these guys out there sell connections that have already been broken into. So you’re looking at a bunch of Comcast, Roadrunner. I mean, these are AT&T, who knows where, they’re all over the globe, but essentially these are pre-broken in places. You add it to your basket, you pay in crypto, and then they give you, let’s say the RDP connection, remote desktop, and now you’re off to the races. You have a connection that’s already been made into the business, and now you do whatever you got to do. Hunt around, move around, find any data stores, and then at some point leverage whatever malware you wrote and then encrypt that data, or exfiltrate the data by the way, cause you want to take a copy of it, you know, make things especially painful. And at that point you leave a ransom note, you know, for the individual to then go off to the wall of shame. So ultimately it’s interesting too. It’s like the threat actors that are out there are creating these small little industries for other bad guys to once again feed the machine.

    Now, artificial intelligence. Believe it or not, if you use ChatGPT or Copilot or Grok or Granite or whatever else you’ve seen that’s on the regular internet, yes, the bad guys have dark AI. And dark AI is a pretty frightening thing because it’s essentially jailbroken artificial intelligence off of a large language model. So good example, there’s FraudGPT, there’s shatbot are evil, there’s DemonGPT. There’s another one called, I think OnionGPT that’s on the dark web right now. But for the most part, I believe that these are just jailbroken versions of, let’s say, DeepSeek or some other artificial or large language model that’s been made available to them. And ultimately with tools like this, once you gain access to it, it does everything that you could do in a world of crime without having to, like, try to jailbreak ChatGPT. So for example, you could then gain access to, let’s say, Darkest GPT, you could build malware. There’s like no tricking it. You just say, hey, I want to build a piece of malware that’s going to bypass SentinelOne or CrowdStrike and it does it. Remote access Trojan development. Once you gain access to a network, give me a piece of code that allows me to gain access to the inside of a network. It gives you criminal ideas and, you know, once again, ways of thinking outside the box. Exploit analysis and suggestions. I mean, ultimately these guys are thinking of every way to hide your identity to essentially move through a network that’s stealthy and not get detected and to bypass the controls. And then once again, any sort of script or custom tools, there’s just ask it and it does it. And essentially, even if you wanted to do something like this in some of the available tools that we have today, like the large language models, like chat and so on, you can still jailbreak them. But for the most part, you might as well go to DeepSeek in China and you know what, they’ll let you do most of this stuff without any sort of questioning what you’re doing.

    And if you want to get around it, you just ask it politely and usually the engine will coincide. It’ll say, yeah, no problem. Just go ahead and we’ll do this for you. Very interesting world right now. Hard to put guardrails on a lot of this stuff, especially, once again, with these engines continuously learning. So the bad guys have this. They’re leveraging it to their best capability. So once again, we’re fighting the fight. This is an interesting problem as well.

    So if you’re familiar with what happened with the MGM Grand, you know, the threat actors actually called the help desk for a password reset. In that particular group, I think their English is rather good. Perhaps they can hide their dialect, but for threat actors to use artificial intelligence to speak and to then do some sort of voice phishing, it’s rather interesting. So it’s really simple. The key behind this is that you can generate content based upon somebody’s current voice. And what you would do is you would do a snippet of somebody’s voice, you dump it into this thing, you would then enter your text of what you want that person to say, and then you can add the tone of whatever you need the person to sound like. So they can actually speak slower, they can speak faster, you can create a sense of fear or anger or concern, and then the engine actually generates it and sounds just like that.

    You know, it’s an interesting little test I did. My mother’s from Germany. She’s 89 years old, very heavy, but very in accent. With a 10 second snippet of her voice I dumped into this, I can have her say whatever I want. And that’s what happens in today’s world where, you know, individuals, especially the elderly, are called up and they’re like, yeah, my grandson just called me. He’s in a wreck and he needs 2000 bucks to get out of jail. Cause he’s got a pending, you know, driving, you know, while intoxicated charge. And at that point, the person is tricked. This stuff works. I mean, if you want to sound like a little boy, an old woman or Joe Biden, it works. And I’m frightened by it because here’s the problem that we’re all experiencing with a tool like this is that when you get a mobile phone call and you hear that pause, and then all of a sudden you say hello and there’s a hang up.

    You got to wonder if they’ve recorded your voice, they’ve matched it up to your phone number into some database where they know it’s you. And that’s going to be used or sold on the dark web for some other nefarious task. And that’s why I think when you get a phone call now on your cell phone and it’s either anonymous or a number you don’t know, I think your best bet is just to wait for somebody else to speak first. Because right now, to me, it’s a big concern.

    This thing works. There’s a bunch of them out there on the open internet, not just on the dark web. So once again, I don’t think there’s any guardrails put around this stuff yet. So just word of caution, when you answer that phone, I would just wait for somebody else to speak. And if you hear that half a hello, it’s a boiler room someplace, I’d just hang up. It’s probably not important. So we’ve talked about the malware that these guys are making. We talked about their job boards. We talked about how they have cottage industry brokers of services like, you know, pre-broken in places and so on. But there’s a market for everything. And if you ransom a company and you happen to take their data and they don’t, I guess, pay the ransom for the destruction of it, where you don’t pay them at all, your data will get sold. And here’s a great example of this. So your data gets brokered. Nothing is for free on the dark web. In fact, everything is pretty much sold. And this is Dark Leak Market, for example.

    So everything that’s out there that was ever compromised as a result of, let’s say, a breach or a ransom or whatever, it gets then taken and it gets put into a bucket and then it’s brokered. And cell phone data is a perfect example of it. So T-Mobile’s taking their lumps, US Cellular, AT&T took a big hit last year, I think twice as a matter of fact. So all those mobile phone numbers and that data that’s tied to the individual, that’s perhaps why you’re seeing the uptick in all the reasons you’re getting phone calls on your cell phone.

    It gets in the hands of threat actors. They put a boiler room together. They start calling people for whatever nefarious purpose. It could be for tricking you into some bill that’s from the utility company. It could be getting a snippet of your voice to do something different. It could be for another reason, to validate the database so they could sell it to some other threat actor saying that they were finding into this. So everything is for sale. And whether it’s the data that ties back to an individual, to corporate information, everything has value. So once again, when your data gets leaked, it ends up someplace. Even when the people pay the ransom, my gut says that they’re criminals and that they’ll probably use it someplace else and they’re gonna sell it. So this is unfortunate. You’re gonna see more and more of this stuff pop up.

    So this is a really big frightening part about today’s world. We told you about the affiliate programs that these guys have, but as they become more advanced and more sophisticated, the managed service provider model is really something that these guys look like they’re striving for. And if you don’t believe me, I just have to tell you that I saw it happen firsthand in an incident and the threat actors began to behave just like an MSP to the point where I thought at some point, they’re going to ask for, like, you know, an annual agreement with the statement of work and service level agreement as well. So DragonForce was the group that hit this organization. And when we started looking at what they were doing, we realized, you know, they talk about added security features to their site. They’re advertising what they can do in terms of being the better affiliate program. Really an interesting thing that I saw here. They’re taking what was out there with, like, LockBit to the next level.

    And the other thing that they started to talk about was how they actually helped a threat actor group they were in competition with. So there was a group that was out there that got hit. They got taken down by law enforcement. RansomHub was the group. And so while RansomHub was trying to get back on their feet because the law enforcement guys took their site down, that doesn’t mean they’re going to stop them. They just took their site down. DragonForce came to the rescue, partnered with them to help them so that they can continue to negotiate with their victims and bring money in. And at that point, I think the light bulb went on for DragonForce and then this happened. It came all out into, like, here’s what we’re gonna do for anybody else that’s in the same boat or wants to partner with us. They invite them to partner with them. They’re gonna take a certain percentage fee of only 20% and they’re gonna provide 24 by seven support monitoring. So if you, for example, ransom a company, you can then, once again, partner with DragonForce, you lead your victim off to their site, you do all the negotiation there, you share the victim’s data that you just stole, all the back and forth goes into the protected chat session there. And then when it’s all done and the victim pays, these guys at DragonForce pay 20%, the ransom group takes on the balance of the money, and they move on to their next victim.

    They talk about their enhanced capability in encryption modes. What does that mean? The malware they hit you with or they encrypted your data, they’re constantly changing it, they’re manipulating it in a way so it’s harder, stronger and tougher for the incident response people to get past if there was any chance of saving that data. Multi-platform support, what does that mean? That means that they’re going to go after anything that has any sort of like Linux based solution, Windows based, it could be a VMware solution.

    anything that’s out there that they can go after, these guys are going to once again leverage the capability of what DragonForce has already put an investment into. And then finally, they were talking about marketing and apparently there was a Russian site that was out there talking about how DragonForce is doing that. And they gave them kudos and thanks to say, listen, we appreciate your help. And once again, spread the word. Guys at DragonForce are really interesting. They said that they can also

    let you have your own identity within their site. So they’re ransom groups and saying they’re eliminating the white label. You know, if you’re a ransom group and you’re happy that you’ve got a cool logo and you just took down 20 companies, by all means, keep your cool logo. Just use the DragonForce site. And they talk about it. So once again, it allows you to keep your identity and then continue to make money. DragonForce makes money.

    And once again, they’re creating this model that’s becoming attractive to other threat actors or the threat actors that want to get into the biz. So the threat actors out there have learned a lot. And the interesting thing that they’ve learned from is they’ve learned from how law enforcement goes after them. And every time they get taken down, it’s interesting how quickly they bounce back. And I look at it from the perspective of every time they get hit or they see one of their colleagues get hit,

    they harden their environment to make it that much tougher for law enforcement. And there is a perfect example of this. So LockBit 3.0 is the guy named Dimitri that I talked about. And at one point, this was the wall of shame that you would go to. And his site, it’s interesting. He’s quite active that’s out there and he’s still up there right now. So one day I’m looking at his site, seeing the victims that are out there. What you’re seeing in red are the victims that have time to negotiate.

    When it goes to green, that means that things didn’t go so well, they published your content. So I went back one day and I’m looking at the LockBit site and lo and behold, LockBit site’s gone. It turns into this. This means that the law enforcement or agencies across the globe banded together, took them down. And then what they did is they throw this up to say, hey, LockBit, guess what? You’re not working today, we took you down. And then in an effort to kind of like really kind of expose the LockBit guy and to kind of

    you know, make fun of them. But law enforcement agencies did this. They actually took the LockBit site and they modified it and they changed all the victims into things they did to them. So for example, they published decryption keys, they put rewards for reporting the victim or the people tied to them. They supposedly had indictments. They’ve got some activity in Ukraine they found out. They made some arrests in Poland. They’ve got some other things happening. Well, you look at this and you say, this guy’s done. He’s out of business for sure.

    No, in fact, the LockBit guy was back up and running in like one day. He put his site back up there. He published some stuff about the FBI. And then he made a point. He made a point to say this. He said, you know what? I’m going to publish a white paper. And in his white paper, he talks about everything that happened. And on February 19th, 2024, you know, his servers were compromised. He said, you know what?

    My bad, it was my mistake. And ultimately he explains that he will remediate, make sure this never, never happens again. He said he became complacent and that he realized that his mistakes cost him time and money and his business, as well as some of the other ransom groups that were tied to him. This is an interesting white paper. If you guys reach out to me, I can dig this thing up and let you read it because it’s incredibly articulate. He’s very intelligent. He talks about what he does and how he does it.

    and he’s making hundreds of millions of dollars and he discusses it. So there’s too much money at risk to go away. And this is the one thing that I’ve learned from this guy. So clearly the bad guys practice strict cybersecurity. And that’s the interesting thing. And that’s the point of my presentation here or my webinar is that they’re doing it. Everything that they see that happens to our victims across the globe, they learn from.

    and then they start hardening their environments to make sure that they can’t get taken down. Unfortunately, most organizations don’t follow the same thing. And that’s the sad part because organizations out there and they do things where they’ll say, well, I bought all this stuff and I did this and they did that. And they throw money at a problem, but they’re not fixing the problem. And that’s the difference. And I think what they need to do is they need to pen test and they don’t.

    just waste time scanning a network and getting back a bunch of documents with highs and lows. You need to test it, you need to punch that network in the throat as hard as you can to understand your vulnerabilities on what a threat actor is going to do. I’ll tell you something else. No threat actor is going to go to your network and start running tools like Nessus and Nmap and anything that’s loud and proud. That’s the last thing they want to do. They’re going to touch a box, they’re going to go away, and they’re going to do it ever so softly and gently without

    raising any sort of like, you know, attention to themselves. Why would you want a tool like that when you’re going to give yourself up? That’s the first thing. Test it like a bad guy. The other thing is remediate the problem. I see so many companies out there just drag their heels, have a report on their desk, wait to get somebody in there, talk to their boss about, you know, we need to fund this or do, no, you need to do something now because if you get hit, you’re going to be down, count on two to three months.

    And if you’re lucky to be back up and running at that point, talk to your customers because they’re all going to hate you. They’re not going to trust you. For the most part now that’s happening too is people are starting to become complacent, but nobody wants to go through the hell. And the other problem that you’re going to see when you get hit is every lawyer jumps on the bandwagon now to create a class action lawsuit saying that there’s some sort of personal identifiable information that was exfiltrated. So now cough up more money. So that’s an interesting thing.

    Other companies need to do this. Do a purple team. Do some sort of exercise where you’re looking at your network from the aspect of if you have somebody in there, how do you stop them? Good example on purple team. The best analogy I have is that game Battleship. It’s you against somebody else. And if your team is able to stop the threat actor while they’re in your network, that simulation will give you a good understanding of how good things are or how bad things are. I think more organizations need to do that, cost a little bit of money.

    but it’s worth a lot. Tabletop’s pretty good too, but it’s mostly a simulation that’s occurring in a dialogue. And frankly, the rubber meets the road when you actually do things on your network. Cyber insurance. Frankly, I think it’s something that you have to have now. If you’re in business and you’re connected to the internet, you got to do it. If there’s anything worth protecting inside your network, you definitely have to have it.

    Organizations now have figured out that, okay, this is going to be expensive. But if you fix your network, if you start testing it and doing the right things and you don’t lie on the form, it’s not as bad. That premium can be somewhat absorbed into the business. And once again, the worst thing that can happen is actually having to use it. So once again, it’s really important. Last thing I think most people have to do in organizations is train the users and educate them on security so that they understand that it’s not just protecting the business, you’re protecting them. Make it relevant.

    You know, when the company’s down, I see it happen. Company’s down for two months, nobody’s getting a paycheck and they’re all freaking out. You know, people got to pay their bills. They got to make their mortgage payments or rent payments. And frankly, you know, complacency sets in because you think it’s just the company that’s taking the hit. No, the individuals take the hit as well. Trust me, I’ve seen it. So once again, educating the users, making them understand the consequences as well as what they need to do and make it relevant to them in terms of human beings too, when they go home. Yeah, because they don’t have an IT department at home.

    they might want to pay attention. So it’s an important thing that they do. So the outlook for 2025 is that I think you got to be on your game and you got to know what you’re doing because right now the threat actors are definitely on their game and they’ve got a really well organized plan and they’re executing it right now. So it’s unfortunate. With that, Hirsham, I think we got some time for Q&A if that’s okay with you. Dean, if you guys have any questions.

    So Steve, from my perspective, that was amazing. It’s a lot to digest there and certainly hits home and gives a slice of reality to all of this. I appreciate that. I’m assuming everybody else is feeling the same. And Gershon, we should definitely find a way to maybe get this out to some clients and prospects because I think it’s quite critical. Yeah. Can we ask a question?

    Yeah, Steve, I understand the thrust to organizations. How about high net worth individuals and their protection? Same deal. It’s the same thing. And in fact, you know, it’s not just ransomware to organizations. Threat actors are there once again, leveraging the high net worth individuals, not from a perspective of ransoming it, but from a perspective of taking advantage of any sort of

    Let’s say a transaction, a good example is a transaction with a wire. So, you know, somebody’s buying a property, they think they’re communicating with, let’s say the person who’s gonna be, you know, sending that wire and that threat actor will intercept that communication, change the account details, the bank account number, you know, the routing number, and that’s how money gets moved. Trust me, nobody’s exempt, nobody’s exempt, but you know, if I was a…

    if I was a high net worth individual, I can assure you, you better take some precautions. Definitely. Hope that answered your question. Yeah. Definitely. Do you know if cyber insurance is offered to the high net worth individual? That’s a great question. I’m sure there’s an insurance company out there that will insure anything, but will they insure that individual personally for cyber attack like that?

    I will definitely find out and get back to you on that.

    And Steve, further to the individual, obviously there’s a lot of things that companies can do to mitigate, right? Probably not going to eliminate, but to mitigate. What can individuals do to mitigate? Is there a lot there? I’m going to tell you right now with individuals, you got to get a password locker and create the most convoluted password, pass-free schemes that you can, and then let the password locker do its business.

    If there’s something you need to know at that point, all you need to know is one long passphrase to get into that locker. But right now, I don’t think anybody has any business trying to think they can store every password in their head. There’s no way. I don’t do it. I don’t want to do it. And frankly, that’s where I look at what’s happening in today’s world. My team of guys, they grab hashes all the time. I got a bunch of gear back there that cracks passwords day and night.

    And the capability is getting better and better to do it. I think it starts with credentials and managing them better. Don’t put them in smarty password locker. Got it. Steve, I heard somebody, I don’t remember who, someone told me a while ago that if you had good two-factor, and we actually have this, I think on all of our networks, both our Microsoft and our Google. But somebody told me a while back that if you had

    two factor authentication that you would save yourself from like 99% of these kind of issues. Is that true? A little true or just? No, it’s true. It’s true. It’s the big deterrent for the bad guy. I mean, there’s ways around it, but it’s work. But for the most part, you know, two factor’s pretty darn good. And it’s been around for years and I think it’s gotten much more mature.

    better. I mean, starting out, remember years ago, SecurID from RSA, you know, it’s come a long way since that. And frankly, I think it’s good. And I try to put two factor on everything we have here. I’m so paranoid about getting hit. Trust me. I mean, any place that it’s offered, it’s usually free. Why would you take advantage of it? You know, So yeah, definitely.

    Has our government and the FBI, et cetera, become more adept at putting these people out of business? I mean, is this a priority?

    I don’t know. That’s a great question. You know, it’s interesting because, you know, my colleagues will tell you the same thing. When somebody gets hit, we just had a company and Megan, who’s on this call can back me up on this. The customer was like, well, you know, before we send in some more resources, we’re going to talk to the FBI to see who they send in. And I was like, do you want to break the news to them? Because I’m telling you, they’re not going to roll in and roll their shirt sleeves up. It just doesn’t work that way.

    You know, if you’re a business and you think that there’s going to be a bunch of G-men with like dark sunglasses and black suits helping out, it doesn’t work that way. They’re going to ask you for some IP addresses. They’re going to write a bunch of notes down and they’re going to walk. And that’s what happens. And the resources that we have at CISA, I think that organization has been gutted. I mean, it doesn’t, right now you’re on your own. You got to take matters into your own hands, put a plan together for your own hand. You can’t rely on anybody.

    That’s the truth. Maggie, you got something to add? Yeah. So I work alongside Steve. I’m sales manager at secure network. And I think one of the biggest takeaways that organizations need to do, it’s a work in progress when it comes to cybersecurity. So I think a lot of companies assume, hey, if you do a pen test, you’re good. You have an incident. You’ve gotten back on your feet. You’re good. You need to keep your network up to date. You need to focus on defense in depth. You need to pen test your network.

    You need cyber insurance. You need legal counsel that’s aware of cyber policies. So to actively put in that effort day in and day out, that’s the key to all of this.

    And Catherine in Gargolia, she’s on the call as well. She’s with iPower Technologies. It’s the reason we work through the channel and we work hand in hand. The last thing we want to do is provide a pen test. You have all these gaps and now it becomes liability. We want to make sure you have the resources to go day in, day out and feel like you can be productive at work, you can be productive at home, and you’re not going to be stopped by a threat actor.

    There’s always a risk of them stepping inside your network, but if you can put that active effort, that’s what’s going to put you in a better position.

    Thank

    I’m sure there’s teams from the government agencies that are going to step in, but it’s always going to be infrastructure. I think it’s always going to be stuff that’s like mission critical to keeping a city, a town, a village of, you know, something that keeps the people working and running. You know, we saw them at a breach at an airport and you know, they came in and they also left while we still were in the middle of something. So, you know, they only have so many people to go around and that’s the other issue we’re dealing with.

    Several years ago, I was on the board of a large hospital network that got active and they brought down their real time surgical services, paid a big ransom, had the FBI and everything else. We learned that there were a number of the same things that were happening simultaneously by Eastern European actors. They also went after universities during the

    When students came back to school and took down the services that enrolled students, they also went after cities. I mean, a number at the same time. We don’t necessarily hear about it in the news.

    No, a lot of it never makes the news. I mean, it’s just very interesting. Unless it’s big enough that, you know, once again, it impacts the country, you rarely hear about it, you know? But, you know, I will tell you, it’s interesting too, like nobody is exempt. You know, Megan and I were involved in a redirection of funds where a retirement fund for a group of nuns was hit and they lost $5 million.

    If you don’t care about stealing from a nun, then you’re a pretty bad person. So I mean, those guys are going to hell for sure. But I mean, that’s what you’re dealing with. So most sophisticated, sinister criminal I think I’ve ever had to deal with. So.

    Any other thoughts or questions or anything else we should discuss? Well, I’m kind of curious. I don’t know if this is the forum, but what do you charge to do pen testing? That’s a Megan question. I’ll let her respond. Steve, you can always answer, but I’m happy to. it really depends on the size of the network. I would say an average pen test cost can be anywhere from $10,000 to $20,000.

    But again, there’s a number of services. You can test your web apps. You can test your perimeter and insider network. You can train your employees. You can do a physical break in. There’s a lot of different things and avenues you can go for. There’s two important things. It needs to one, align with your business objectives. And two, as we all know, budget. I’d love to say that every company has an unlimited budget, but we know that’s not true.

    I think the point is, you know, having these initial conversations, knowing all the services are a la carte, it’s a stepping stone, right? You can budget for 2026. If you can’t do things now, maybe you can do one of those services. It’s a lot more cost effective. But really having the conversation, seeing your options, seeing the posture of your network, that’s the most important part and then building it up from there.

    Got it. I know that when we talk about how to come up with our pricing and our approach, sometimes the assessment is just a fraction of what it costs to fix it. But the assessment is the first step where you kind of get people in the door. You know, it’s a good starting point because you want to know where your gaps are. You want to know what threat actors could take advantage of, the tactics, techniques, and procedures they’re doing to date.

    But yes, it does. It’s important to pentest. It’s just as important to remediate. What I can tell you is this is going to be a whole lot cheaper than getting hit with ransomware or having redirection of funds. So, and you know, especially with compliance regulations and cyber insurance, this is already a push today. You’d rather stay ahead of the curve along those lines with these engagements and do the proactive.

    Steve, have you identified the characteristics of a profile that various groups go after? In other words, the type of business, the collection of individuals, is there a profile that helps target activities? That’s a great question, because I think there is a profile that they go after. And there’s a couple of forums that I participate in, obviously through an alias.

    but you’ll see they discuss things like tax season came around. Interesting. And one of them was a Russian guy that was going, so we’re gearing up to go after CPA firms. Typically lots of communication with all the individuals back and forth for companies that are doing their taxes to close out. And they said, you know, a lot of things can be then slipped in saying that they can get a phish to go through to get a foothold into a business.

    Then they’ll discuss schools. They’ll say, yeah, schools are good. They’re good targets. They have good cyber insurance. They’re always covered. And they have horrible IT networks in terms of security. They say that all the time. They’re still saying that right now. And if you go to some of the sites on the threat actors, you’ll see a boatload of schools that are in there. Then for a while it was trucking companies. Megan will tell you this. We saw trucking logistics companies getting hit. Why? Because the trucking companies will put more money in a vehicle.

    than they would ever consider putting into their network. And when they get hit, they’re complaining that, geez, I can’t believe this happened. We can’t move a truck because they don’t know where to send it. And they’ve realized that trucking companies also have good cyber insurance because they pay so much for insurance already on the aspect of all the vehicles that they have to cover. And gosh, who knows what that costs as a result of, you know, if you have one fatality under your belt or something. So they’ve profiled and figured out places they want to go.

    And when they learn about places to hit, they share the information and then you’ll see spikes and trends, you know, of where they go after. Manufacturing as well, believe it or not. So really interesting, you know, as things develop over time, you’ll see a pattern and they figured it out.

    If you ever want to see the stuff on the open internet, go to a site called Ransom Watch or Ransom Look. Ransomwatch.telemetry.com. Ransomlook.io. And go to the recent posts. Just look on there and you’ll see every recent post. It’ll show you the threat actor, show you the name of the company, who’s locked up, who’s living the pain right now. And that’s going to be the eye-opener for you. And the variety of businesses, it’s interesting, you know?

    Could be a trucking company, but they could be in Germany or one in like, you know, Italy or someplace. They’re not just in the U.S., they’re all over. So they learn quickly, they adapt quickly and they’re really smart and they should be respected because frankly, I think they, like I said, they’re incredibly, incredibly intelligent. Well, if national operators are using them offensively,

    Why wouldn’t it be appropriate for our defense system to be offensively going after them?

    I don’t know about my pay grade. You know, I can’t answer that. I have no idea. But, you know, I would hope that there’s somebody out there. Frankly, I’ll be honest with you. You know, this is a problem. But the stuff that I worry about are the threat actors that are going after the infrastructure like Typhoon or Salt Typhoon. I mean, those things you take away electricity and power from somebody, you know, things go to, you know, hell in a handbag real quick.

    I think they’re learning a lot by what goes on in Ukraine.

    yeah, those people are fighting the fight every day, physically as well as on the digital side. So yeah, it’s gotta be miserable. But I think you’re gonna see threat actors up in their game. And my big fear is the ransomware attack that comes across an electrical grid that takes an entire grid down and then they hold that utility and that city or that agency hostage to restore it.

    That could be detrimental. That could be a big, big, big issue. They’re trying it with the cell phone companies, but I don’t think they’ve really had the success that they wanted yet. All right. This is going to end up on our YouTube. If anyone is listening who’s not here live or anyone on the LinkedIn live who wants a copy of the presentation, do we have a copy of it, Steve?

    No, I’ll get you a copy. You’re good. Please send Brittany a copy in case anyone needs it. And like Dean said, we probably have a bunch of clients who should see this. We got it, for sure, get it over to them. By the way, even former clients, you know, like this is, yeah, there’s this, great, clients, clients and prospects. Yeah, let’s definitely put it out there. So Steve, thank you very much. It was

    Great having you. Yes, thank you. It was great. Thank you again to Brittany for setting it up and Dean for making the introduction. Thank you. Thank you, Catherine as well. Thanks, guys. Take care. Bye bye.