Is it only about zero days?

Robert Wortmann (00:00.725)
Hello and welcome to the very very first episode of the Breach Report. I'm 99 % sure that this will be the name of the podcast. I think we kind of agreed on this fact. My name is Robert. I will be one of the two hosts of the Breach Report. And maybe some of you already do know me from my German speaking podcast Breach FM.

which I have now running for over two years and we have around 60 episodes of this podcast. But there was an increasing wish for the podcast to be in English. I always pushed back to this because I didn't want to have any more work in my life. But at a certain point, I think I was not strong enough to push back about this idea.

Then I looked into AI tools which could translate the podcast into English or other languages. But in the end, I didn't do it because it sounded like total crap and I didn't want to hear my voice like that anymore. Yeah, I think we are really doing this. The Breach FM format will be now also transported into English. It won't be the...

the same thing, the exact same thing for those of you who are constantly listening to Breach FM. We are doing it a little bit different. We will do...

I wouldn't say every two weeks because then we have to stick to it, but there will be episodes in a certain routine, I would now call it. And what we will do is we will talk about recent news in the space of cybersecurity. We don't want to talk too much about the news itself. We just want to see these news maybe in the bigger picture about is it really like

Robert Wortmann (02:07.425)
some people think, because what we saw in the past few months is that news can be consumed in so many different ways, and there can be so many different arguments around these news, and I don't think we should take these news always for 100 % granted, because there's always a very big room for discussion in it. And that's what we will do, on a very practical level, sometimes a bit technical, sometimes not so technical. We didn't

want to set ourselves too many guardrails on this, it will be more or less an open format. So as I said, my name is Robert for those of you who don't know me. I have a background in SOC, in SOC architectures and SOC planning, but also in sometimes doing the analysis part. And I would say I have a very good broad overview about the whole threat landscape. And that's what I'm doing. I'm working for Trend Micro, but it won't be a Trend Micro.

podcast, we won't talk about products, it's just my employer I would say. And I have a partner in crime, which will absolutely help me to do this because I couldn't do it on my own and I'm very, very happy to introduce Rens.

Rens (03:23.689)
Hey Robert, good to be here on our first English podcast by a Dutch and a German guy. So yeah, so my name is Rens. I'm the incident response lead for Trend Micro globally, as well as the Red Team guy. So my background is in various technical as well as leadership functions. So I've done professional services, engineering.

Robert Wortmann (03:31.98)
Yeah.

Rens (03:53.063)
sales engineering, yeah, obviously with the focus on security. And right now, yeah, the teams that I work with, they deal with a variety of incidents. And that is very interesting work. So I believe today we're gonna discuss some of that.

Robert Wortmann (04:11.235)
Yes, and I think that will be most likely the beauty of it. It will be those day by day insights because whatever any news outlet is saying, my personal experience is that most companies never had a very, very big crisis. More and more they are getting into those crisis, but...

I know too many companies which had never any big crisis and I think it's very good to have insights about what really happens, what were the reasons for it, because I don't know if you're agreeing to this, but in my personal opinion, the representation of those learnings are not that accurate all the time. We are always talking about highly sophisticated stuff, new techniques and in the end, when I look into our incident response cases, it's...

a lot of the same stuff happening over and over again.

Rens (05:05.947)
Yeah, that's definitely true, Robert. yeah, we also see that in some of the Red Team stuff we do, right? So basically hacking our customers. And it's not the most sophisticated stuff that usually gets them, right? It's the very basics that are often forgotten. So although there are a lot of these cowboy stories out there, how sophisticated threat actors are, we just have to see it like this, you know, they are...

also just going for the low-hanging fruit. Why would you spend a lot of time on something if you can just do it the easy way? So that's also what we see. It's often the very easy stuff that will get you into trouble. So everything starts with the basics. And yeah, that's definitely true.

Robert Wortmann (05:56.111)
And I think it's always good to acknowledge that there are very sophisticated things out there. And these things are happening. So it's not that we want to say these are lies. It's just like that's typically not the majority of the things we are seeing. I have a little, I don't know if you know the story. It was about two weeks ago, I had a webinar and I talked about insights from a ransomware attack. And I said like, and that.

That was the point where the threat actor installed AnyDesk to connect a bit easier to this environment. That's where they used Netscan to do a little discovery and whatsoever. And there was someone in the audience who thought like, shit, that's us. Not the story itself, but this person thought back.

about a week ago where they encountered AnyDesk installations, which seemed to be a bit suspicious, but they weren't connecting this to a ransomware attack. And sadly, the next morning, this person wrote me an email and said that they are now in an active incident response case because they were breached. It sounds like a lie, but everything I told about in the podcast, in the webinar,

this person realized it's 100 % like that. And when I now look at the timeline, it's really 100 % like I outlined this. That again proves my point, I think, that most of the things we are encountering is pretty repetitive.

Rens (07:32.817)
Yeah, no, for sure. And the TTPs that some of these groups use, like if we look at these access brokers or ransomware groups, if it works, why would you change it? So it's like you say, it's pretty repetitive. They have their playbooks and as long as it works and you can do that over and over again, then they will just keep doing that. And for sure they adapt over time, right? As we get better in detecting these things or as we...

get better in writing defenses for that, they will adapt. But a lot of it is just used over and over again. They are the same TTPs. And like you correctly mentioned, it doesn't mean that there aren't more sophisticated attacks or there aren't a different set of threat actors that use more advanced TTPs. Certainly, right? Especially if we talk about APTs or you also have, I would say, a pyramid within these.

threat actors, right? That you have the ones that are more advanced and you have the ones that are just executing on a playbook. Yeah, it's just that the overall majority of it is pretty straightforward and they use that over and over again. So I think it's important for companies out there who are listening to this that, yeah, it isn't always the most advanced stuff and it isn't...

like these exceptions that you have to look for. It's the ones that are there and that's what you need to focus on when you're looking at your risk posture. And I think, yeah, that's something that we will probably discuss in this episode, Robert.

Robert Wortmann (09:20.749)
Yes, I think we will have a pretty good topic on this in a few minutes that outlines this whole discussion about sophisticated versus not so sophisticated attacks in a very, good way. I mean, the only big question I typically have, because I don't think there's too much proof of an answer around this question is, are these threat actors which don't seem to be that advanced? Aren't they advanced?

Do they just do the bare minimum? They could do way more, but it's still enough to do the job. And I think some of them couldn't do that much more because I saw some, especially affiliate actors, are acting very, very poorly. And for them, I think some of them just don't have more capabilities, while others just don't have to do more. They could maybe do way more than they do, but as you said, in the end, it's a return on investment.

topic.

Rens (10:21.895)
Yeah, no, for sure. And I think that's a correct assessment, right? That's why you have your, let's say, very good threat actor or very good in execution and the ones that might be a little bit lazy or sloppy. For them, it is also a money game, right? So let's go for the most low-hanging fruit, the one that you don't have to do that much for, but you still get the job done. Hey, it's money in the bank, right? So why go through the lengths of...

of putting a lot of effort into something if you can just take the ones that you don't have to put a lot of effort in. And sadly enough, there are enough targets out there, right? So if they have to put more effort in, then they just move on to the next. And I think in terms of defenses, right? In terms of how we can protect ourselves against these types of attacks is that you also have to start with the obvious.

because if you make sure that you have patched these simple things, if you follow some practical rules, if you've done your, let's say, risk assessment correctly, then you already take away those first obvious attack vectors. And if you take away those first obvious attack vectors, chances are pretty high that they'll just move on to the next and it isn't you that's on the menu, right? So.

Yeah, I think that's really a good learning or a good takeaway.

Robert Wortmann (11:51.331)
I mean, it kind of is a good bridge to our first topic of the day, but one thing I still remember, I think it was three years ago, and I talked to a, I don't think he was officially a CSO, but he was kind of in a CSO role. And he asked me if the product we were talking about, it was more or less a product related discussion we had, how this product leverages AI to detect zero day execution.

And it was a strange discussion all over the place, I would say. So we had a discussion for two hours, I would say, and it was sorry for that, bullshit all the time. And then this question came up and I was a bit frustrated at this stage. And I was like, you don't even have a proper asset management. You don't have anything. And what are we talking about? Are we now talking really about a zero day?

detection system based on AI? You don't have anything properly in place, so let's go a little bit back to the basics. And he then asked me about, yeah, but this is the product you want to sell. I said yes, but I'm still honest, I will still tell you that this is a bit out of reach for your capabilities at the moment. Do the basic stuff. In the end, as you said, it's a funnel.

If you can exclude the not-so-sophisticated affiliates, you maybe exclude a little bit more the ransomware actor side of things which were a bit more sophisticated, then you can start thinking about things like this. But otherwise, please go back to the basics.

Rens (13:37.243)
Yeah, yeah, yeah, that's, those are good anecdotes, right? Like I say, so we do a lot of these red team and purple team engagements. And I think our current statistics is somewhere we always become domain administrator within 36 hours, right? So it takes us 36 hours to basically crack the defenses of these companies that we work with. And that's...

not because they don't have adequate product or no, that's really the basics that they haven't done right. And often when we are in these sessions and explain them like, okay, this is what we did. This is, you know, the route that we took to become domain admin. And they're flabbergasted because they, like you say, they're thinking about the most advanced stuff, but then they forget to think about the basics, right? So that's one of the learnings that we always

Also, when we work with organizations to talk about their incident response planning, right? What are you going to do when something happens? And do you have these things in place? Then it's often the, you know, they start talking about all these advanced stuff and it's like, well, let's start with your password policy, right? And then they look at you, like, really? We're going to talk about the password policy? And it's like, okay, let's have a look. And then it turns out that the password policy isn't all that great, right? So.

Robert Wortmann (15:00.759)
Yeah.

Rens (15:01.179)
It's there where you have to start and that's often forgotten. So it's a good reminder that we look at that.

Robert Wortmann (15:09.679)
I don't think we can count the times we found administrator passwords on the terminal server in a text file whatsoever. I think that's, I mean, that's the stuff they are looking out for because these are people out of the industry, the attackers, they know what flaws are within an organization. And I think none of us wants to point fingers and say, wow, that's bad. I mean, we all did things in the past, which we wouldn't do now. So.

I always tell the story of I don't know how many, for example, NetApp filers are out there in the world with root and NetApp123 as a password, which I personally installed like 10 or 12 years ago because yeah, not everything I did in the past is correct now or was correct back then or maybe it was under another level of awareness for myself and

I think that's what we all need to understand, that times are changing and things like techniques, even though, as you said, they are not really changing in the big picture. Maybe the, for example, type of initial vector is changing a little bit. There are trends out there which can go down and back up again. And that's the first topic I want to talk about today because there was a little bit of a discussion around a

Google, or let's say Mandiant, blog article out there. And first of all, I just want to give credit because I'm a constant reader of the blog and I think it's a very, very good resource, especially when they are talking about certain threats, they are really going in depth, they are providing a lot of data and I think it's very helpful. That's one of the...

most important RSS feeds for me when it comes to threat intel, the Google blog, the Mandiant blog. And they had an article with the name of "How Long, How Long Can You Go: An Analysis of 2023 Time-to-Exploit Trends". And I just want to lay out a few things they are talking about in this article. So they were basically doing an analysis of 138 exploited vulnerabilities.

Robert Wortmann (17:32.079)
that were disclosed in 2023 and I think most of them they were actively working on in their own incident response practice. And a few key takeaways I want to lay out. 70 % of them, so 97 of the vulnerabilities were exploited as a zero day. So before there was a public announcement or something like a patch available, we always have to...

differentiate between a zero day and an n-day. And then a few other things they laid out. We observed an average time to exploit (TTE) of five days in 2023, down notably from the previous observed average TTE of 32 days. So really, the time to exploit really came down. And another thing, exploitation of an n-day, so something which is publicly

public knowledge and where most of the time there's a patch available or some fix. Exploitation of an n-day vulnerability continues being most likely to occur before the end of the first month following the release of the patch. We continue to assess that media attention and exploit availability, and that's very interesting I think, do not guarantee exploitation nor are they primary indicators that a vulnerability will be exploited. And

That's the thing I find pretty compelling because there were some vulnerabilities in the past few years. When the first guidance came out, I was like, wow, that will be a major thing because it's relatively easy to exploit. It's something that's very, very broad in terms of installed base and it could be even most likely

in an external way available. So that's always a mixture of, yeah, this will be big. And then in the end, for some of these vulnerabilities in the past, let's say two or three years, at least in the broader range of companies when it comes to ransomware, something like that, not too much happened.

Rens (19:45.211)
Right, yeah, yeah, that is definitely interesting, right? And the report is very interesting. And obviously Google Mandiant, they're on the forefront as well, like incident response. So they have very interesting data. What caught my eye in the report is really that the speed in which exploits are developed, right? So it's coming down from that.

32 days, I think you mentioned, to five days. And that's something that we see as well. Also, if you look in these underground forums, right? So if we use a little bit of our threat intel, then we see as well that whole marketplace of threat actors that develop these exploits and that seems to be accelerating, right? Because they, again, they make money out of that. So they see a vulnerability.

they will write the exploit, they will sell the exploit. And the groups that will acquire these exploits, it's a return of investment, right? The faster you can use it and the broader your attack vector, the more successful you are in breaching these organizations. So that's certainly interesting. To your point that there are companies out there that are obviously vulnerable for months, if not longer.

Yeah, that remains a mystery. Why do some of them get breached immediately and why do some of them, you know, don't get breached? Again, I think it's opportunism, you know, that threat actors, they go for the low hanging fruit, they stumble upon something, they got a list and they just work through the list. Maybe you're lucky if you're not on there, right? I don't think that has a lot to do with strong defenses. I think that sometimes it's just...

luck and the amount of work and the amount of targets that these threat actors have. And don't forget that they're pretty busy as well, right? So sometimes we think that they got all the time in the world to explore, you know, pretty much every target they have, but they probably have a really big list to work through and they will prioritize. And that is also something, I think, that

Rens (22:00.007)
from their point of view is how they prioritize targets is also based on revenue. So some of these organizations, I think they know pretty well what is the most likely probability of payout. So is a customer or is a company in a certain industry, in a certain country with a certain amount of revenue or profit, then they will prioritize those. Which means that if

that organization is not in that bucket at that moment, they have plenty of other targets to go through, right? And they will prioritize them.

Robert Wortmann (22:37.603)
And I think another thing we need to make sure, because I had this discussion with a customer and I said, just because you didn't get encrypted doesn't mean that no one is within your network, because especially when we have a look at access brokers, it could be still the case that someone executed on the vulnerability, did a persistence on a certain machine and is now actively selling this

this access, and even though someone maybe bought the access doesn't mean he instantly is using this access, because I think they know that most companies, if it's just a single access to a single machine, they don't recognize for months and months and months. And I think for many of our incident response cases, I mean, one of our goals is always to find the patient zero and to find the initial access. But I think, and please correct me if I'm wrong, but

For many cases, we can make thesis on how the threat actor might have come into the network. But for some of them, we just don't know because there's not enough data to really prove our point. And we could maybe say, hey, you have a Fortinet firewall. There was a very big vulnerability a few months ago, just as an example. The timeline shows us that this could lead to this point. But to be honest,

we don't know. And I think that's another issue when it comes not to this article. I really like the article, but what people are making out of this article, because we have to make sure that what we are looking at is a sample size. It's a sample size of 138 vulnerabilities. And we also need to make sure that not every incident response company is always working on the same kind of customers. Mandiant could be working most likely on bigger cases where

zero days could play a bigger role, while other companies are more working on the mid-sized, upper mid-sized market, where if we take another sample size of another 150 executed vulnerabilities or exploited vulnerabilities, we could say maybe 70 or 80 percent were not zero days but more n-days.

Rens (24:55.803)
Yeah, yeah, that's correct. And I think the trend, and that is what we are seeing, right, is that, let's say, exploiting vulnerabilities, that's certainly going up, right? As you know, if you look at some of the well-known attack vectors, so whether that's malware, phishing or it was, you know, breaching, brute forcing RDP, those kinds of things. And especially if you look at RDP, for instance,

that's notably trending down because that is, you know, that has been such a big attack vector and there's been a lot of attention to it that, you know, that is kind of, I wouldn't say disappearing. There's still plenty out there, but it's really a remote exploitation that's gone up. And I think that if we look, you know, the last, certainly the last two years,

And there's been a lot of zero days, right? There's been a lot of remotely exploitable, pretty big attack vectors, pretty wide attack vectors. I think you mentioned FortiOS, right? Or Fortinet firewalls. That was a big one, right? We got some of the VPN providers or VPN software that had a couple of big ones. And so there've been quite notable, quite wide attack vectors that are easy to exploit.

There's a lot of them out there. And yeah, so that is a trend that we're definitely seeing. But as you correctly point out, it's a sample size and it might also depend on region. It might depend on the type of customer or type of organization. There should obviously be a different shader between cybercrime and APTs, right? So those TTPs tend to differ from each other. But I think

you know, what is interesting from this report is vulnerabilities, right? So the amount and the percentage that they have in the total of all first exploited attack vectors, and that's definitely going up. And then, you know, touching on your first point, you know, on can we always find patient zero? That stuff, you know, and one thing that actually works for us, I would say, is that

Rens (27:15.121)
certainly, if you look at cybercrime, the time that it takes to detonate ransomware, you know, after initial infection, that's also trending down, right? So threat actors are much faster now getting into the organization and then deploying ransomware, which means that in a lot of cases, the forensics evidence is still there, right? They're not always good in.

destroying logs or wiping those kinds of things. They're pretty sloppy and why would they care, right? I mean, the job's done, you know, hopefully money in the bank. So why would we go through all of that effort to do a proper cleanup? But because that time is relatively short, it means that there's a lot of forensics evidence, right? That is available to you. Whereas a couple of years ago, the time that it took for, you know, initial breach to ransomware was much longer, which means that by default, some of that evidence might've been destroyed.

But yeah, it's not always possible to prove what is the point of entry. And then you do have to make thesis, right? And especially in large organizations where you might have multiple attack vectors. And sometimes we see multiple threat actors in the network. It's difficult to prove exactly what the entry was, but yeah, we try.

Robert Wortmann (28:34.607)
And I think that's a very good point because when I look at actual numbers of statistics, I'm always a bit careful. Not because I don't trust these statistics. I always tell everyone, take it as a guidance. And yes, we might see trends that the industry is agreeing on. But sometimes if you look at the methods of these statistics, it's a lot of assumptions.

because sometimes we just don't know and we assume things and that's okay. We sometimes have to work with those assumptions or thesis to do our job, but we have to be careful in not taking every headline of a news outlet of a blog article as granted for everyone. And that's sometimes my issue, not that there is a lot of information available, but how we deal with this kind of information. And I think just from a, I always try to take a logical.

standpoint in those discussions. I mean, what we saw a lot is phished credentials in the past few years. And yes, it makes good sense that this is now slowly coming down because many companies now at least have some kind of a multifactor authentication on most of their external services. That doesn't mean, that's going back into our discussion of return on investment, that threat actors

couldn't get over a multi-factor authentication, they can still get it. It's not bulletproof, it's far away from that. But it's still harder than to maybe exploit a publicly available n-day where there is already proven code to exploit it. And I think that's always the discussion we need to have. I think for most of the things, we just have to think.

Logically. And the other thing is it's not all about ransomware. I mean, the amount of business email compromise we, for example, see where no real access within the network is needed. Maybe it's only necessary to get the, maybe, session cookies from an Office 365 session to get into a few, maybe two or three, mailboxes within a company.

Robert Wortmann (30:51.592)
And I saw a text where they stole over 2 million euros and they only got access to two Office 365 mailboxes to not have to spoof email addresses and whatsoever. Yes, it's a lot of ransomware because these are typically the things you see because companies are standing still, but ultimately it's a lot of other things. It's a lot of fraud still happening and

Sometimes these fraud cases are fraud cases because the technology part of it is most of the times very very small.

Rens (31:28.261)
Yeah, definitely. And it's good that you mentioned it. Business email compromise is huge. If you look at some of the data on insurances, we see that most of the claims are done on that particular subject. So BEC is really a problem. And again, some of the other stuff that you mentioned is, again, it's low hanging fruit. What's the easiest way to exploit or

get money from a target. So they will use that. They will go after what's the easiest. And if you have leaked credentials and you have a webmail available to you that you can breach, use, then of course you're going after that, right? I think you mentioned two factor authentication as well. That's certainly true. And I think that's one of the reasons why we also see public exploitation going up.

because some of these other defenses are getting better. And by no means are they ironclad, but certainly, you know, people are starting to employ them more. And we have the disruption of some of the larger, let's say malware strains out there, right? So if you look at the likes of Trickbot or Emotet, which used to be pretty big problems, they got disrupted.

There's still obviously a lot of these loaders and a lot of these dangerous malwares out there that are used as entry vector, credential stealing malware, right? But yeah, if there are more and more, let's say, published exploits that can be misused by threat actors, 2FA defenses are going up, then you resort to some other method. And that is obviously then exploitation or it's using stolen credentials to...

to employ BEC scams for sure.

Robert Wortmann (33:23.852)
And I think that shows how important it is to have a discussion about this topic because there are two things which I always want to make sure. First of all, I don't think we should just take a headline for granted, because if we would just say, hey, it's only about zero days nowadays, hey, that would be a horrible message because...

There's only so much you could do around this if you don't even have the knowledge about the vulnerability. If it would be all about Zero Days, we would be in big trouble because that would mean that, I mean the attackers are always a little bit ahead of us, but that would mean we don't have a chance to be honest. So I think it's really important to widen up this discussion and say, yes, Zero Days do play a big role. Yes, they even play a bigger role.

but it's not only about zero days. And the second thing I want to make sure, I think we always look at these things and say, this is the attack. And that's just not right. It's now in this discussion, we're talking about initial vector. They still have to do so much more within your network. It's not like I heard a discussion a few years ago, there was someone, I think he was more an investor guy in a company, forensics company, and the whole company

seemed to be like a fraud and they are not present anymore. So he talked about having a helicopter and flying to breach customers, like, my god, this guy's full of shit. But the audience was listening to him, because these were non-technical people, and was like, wow, this guy's... Wow, that's great. I was like, no, he's full of shit. And he said like, and you just need to have a USB stick and you just

need to find someone dumb enough to put it in, and seconds later the whole network is encrypted. And I was thinking like, show me that network, because most of the networks of my customers are so crappy that wouldn't be the case, that this would encrypt anything in a few seconds. I think what we still see is, I mean, the whole scripting effort is going up in my personal experience, but it's still a lot of manual work they put in and

Robert Wortmann (35:43.754)
If it's, we can talk about phishing emails, we can talk about exploitations whatsoever, but not any company in this world just got compromised because someone was clicking on a phishing link. That's one part of it. And I think there are so many other things which need to go wrong in terms of processes, in terms of technology, in terms of visibility, in terms of reaction to let a threat actor do his whole thing.

And I think it's the same with Zero Days. I mean, yes, it's not as good because we don't have any knowledge about them, but it's not the only thing that is happening during the attack. They still have a lot of more things to do to get to their goal.

Rens (36:31.565)
Certainly. And if you look at these various stages, where you have initial entry, reconnaissance, lateral, they are all steps in this, let's say, chain of events that can either be successful or you can disrupt them. So for sure, it's not just one topic and it's not just one thing that's going to prevent a breach. And I usually, I'm pretty honest in that.

when we talk to customer organizations or we are on, like you say, these forums or whatever, I'm usually pretty straightforward. Like the chances that you will get breached in the next couple of years are pretty high, right? There's no reason to lie about it, right? So if there are people out there peddling their wares that say, just install this product or click on this button and you'll never be breached, that's not true, right?

The question is just, I think it's become a time to respond and visibility game. How fast can you respond and how fast can you make sure that you disrupt one of these events in this chain? And that means visibility. So you need to be very aware of your infrastructure and you need to have that visibility to react timely. So are you gonna get breached? Yeah, probably. But are you gonna prevent?

you know, whatever the threat actor is after. And that's usually, like you say, BEC, right? Hijacking a communication chain, exfiltrating data or extorting you, right? So if you can prevent that last stage and you can prevent it as early as possible in the kill chain, then job done, right? So yes, it's important to focus on some of these topics.

Let's just be fair as well that there are companies out there that, you know, they use these things as well to attract organizations, right? It might be a marketing thing, might be something that that particular organization is very good at. But yeah, correct. You know, there are a lot of these stages in that chain and all of them deserve their attention, right? So definitely, yeah.

Robert Wortmann (38:51.54)
And yeah, I think that's pretty much on point. I once had a keynote where I think the person ahead of me was talking about security awareness and the bad user which is clicking on things and I totally went off script during my keynote and said, if the only thing you're worried about is a user clicking on a link and you will then get breached, you have a shitty

a very shitty or maybe no concept at all. Because you should have a concept where you, yes, want to make sure that these initial things are not happening in the first place, but you are still prepared for the case that they are happening. I mean, it's still an assumed breach paradigm that we are living in and that we should live in. And the other thing you told me a few minutes ago is that we now luckily have more data on those cases.

because the threat actors are speeding up their operations. And I think that's very important to say because if I look through lessons learned or if I talk to breach customers about why it happened and whatsoever, most of the evidence we have, I would say is by accident. It's because the threat actors sped up their whole thing. It's not because they were designing for this. It's not because they were collecting actively

telemetry data from the Windows clients and maybe analyzing it in whatever they have, if it's a SIEM, XDR, whatsoever. It doesn't matter to me. But it's not that most of them are actively collecting this data; it's more or less by accident. And I think we should live in a world where we have, by design, a lot of this data, because even if you get, worst case, encrypted by a ransomware gang, I think that decides over a lot of facts. Are you able to find

patient zero based on that finding, can you find the right point to restore that you don't go back too much back in time, but still have some actual data, but you find the right data to not getting breached again because you're getting some backdoor back in. And I think this whole term of visibility is yes, it's very important to find things before they are actually happening.

Robert Wortmann (41:16.672)
or before they are actually damaging your company. But otherwise, still if it's the worst case, I think it's a matter of how much visibility you have and how good you are on acting on this.

Rens (41:30.197)
For sure. You know, when we look at incident response itself, it's just, it's not just the technical thing, right? It's a procedural thing as well. So not only for us, right? But certainly for the customer organization, it is, do you have a plan, right? What kind of visibility do you have to start with? Right? So what technology and procedures do you have in place? What kind of backup strategy? And that, I mean, it's shocking, you know, we have, you know,

We see that a lot that even those kinds of things like backup strategy, they're not present, right? So that hampers.

us in responding as well. Or certainly it's a problem to restore or get back into operations for a customer organization. But yeah, it's a procedural nature. It is, do you have the visibility? Do you know what kind of visibility you actually have? What kind of data you store? Where is it? Is it protected? And how do you act on it? And then there's the question of who's going to act on it. So yeah.

Unfortunately, I think again, this is the basics. If you don't have the basics in place, it's not only going to make it harder to defend, but it's also going to make it harder to restore and get back into operation. So I think one of the points that we should get out there and which is important for anybody listening is start with that. Make sure that you have a plan, right? Make sure that not just from a technological point of view, that you have the right telemetry, that you have the right protections in place.

but also that you know, where do you store your information? What is your valuable information? How do you protect it? And if something happens like a breach or let's say a ransomware incident, you know, do you have the procedures in place to restore from it and to recover from that? And sadly enough, that's in a lot of cases that is not there. And I think everybody needs to ask themselves that question. What if something happens? Unfortunately, we still see a lot of behavior out there that is like, hey,

Rens (43:33.191)
This won't happen to me because I have A, B, and C, and usually that's not the case, right?

Robert Wortmann (43:40.342)
Yeah, I mean, the good thing is this whole discussion about "I'm not worth enough, I don't have enough worthy data to be breached", that was reduced a lot in the past few years for me. I don't have these discussions too often anymore. That's a very good thing. I think the overall awareness that something could happen to you went up a lot. And I can empathize with a lot of CISOs, IT administrators, CIOs, what

whatever they are called, because both of us, I think, we can talk out of a very privileged perspective, because yes, we are there when something happens or on the architectural pieces, but we don't have to run this whole environment day by day. And I'm very honest about that. I'm lucky that I don't have to do this, because if I look into those companies about

how limited the resources are from time to time on a human level, but also on a financial level, that's shocking. I, especially with that in mind, I do think we have to prioritize way more. We are working on sometimes, mind my language, useless shit, which could maybe add up another 0.5 % when it comes to maturity. But that's the same picture of

building a very, very nice villa on a muddy place because you know at a certain point this villa will just break down because the base of it is just not stable. And I think that the last thing we need to do right now and today we talked about vulnerabilities and for me I think we should all forget about

remediating all vulnerabilities or all risk we find. I don't think we are in a phase of technology where this is still possible. Especially when it comes to vulnerabilities, we have so many dependencies. Sometimes we need to wait for a patch. Sometimes when the patch is there, we have to test the patch. Sometimes it's not even possible to roll it out. So we need to have a

Robert Wortmann (45:55.671)
strategy to prioritize, and I don't think many companies are ready to prioritize because they are missing context. They don't know how practically executable, for example, or exploitable a vulnerability is. Sometimes they are focusing on vulnerabilities and doing midnight patches with the whole IT crew, and in the end I tell them this has never been exploited in the wild.

It's in a part of your infrastructure where it's pretty unlikely that someone will get into because that would mean you're already breached. I mean, it's still valuable to patch that thing, but not in a midnight action. And some people always tell me like, we are not doing enough when it comes to emergency patching. I take the complete different position. I say we are doing way too much emergency patching.

But most of the time, if I have a look into this, for the totally wrong things, because we are not looking into the context of a vulnerability. And I think that's the first thing we need to get into. We need to get more automated context to a vulnerability. And also, a vulnerability: we are always referring to software vulnerabilities. There are so many other vulnerabilities, as I said, like the text file with credentials of some administrators, users and whatsoever. That's also a

big vulnerability. It's another risk. I think with all that pool of risk, we need to have some kind of a, and I'm not talking about technology. In the end, it will be technology, but we need to find ways to centralize those risks and then to prioritize those risks. But we cannot deal with those individual risks all over the place because it's just too much for every freaking IT organization in this world.

Rens (47:50.217)
Yeah, I agree. I think the industry at large is getting better, you know, with making that risk visible and helping you with prioritizing. But again, there's also a lot of organizational and procedural, let's say backlogs in organizations, right? You have large organizations with, I don't know how many people that are, you know, part of that chain and part of that risk and part of that visibility. You might have IT admins that are, you know,

taking over certain tasks because the previous person left and they have no idea where things are stored or how things are set up. So there's a lot of that technical debt as well. So yeah, I would say that all of that should be part of your incident response plan. All of that should be part of your defenses. And for sure, prioritizing risk is very important. Like you correctly say, if you put a lot of time into something, yeah, you need to do it, but it's not the most,

you know, pressing thing, that means that you took time away from doing the right thing at the right moment. And, but again, I think it's basics, right? If you don't know your risk, if you don't know where your valuable assets are, if you don't know your own environment, which again is what we see a lot, right? And that's not, it's not to blame, you know, the people or the individual there, that's just how organizations grow.

To keep pace with that, to keep pace with technical infrastructure, to keep pace with risk is very, very difficult, right? So I think, you know, if you look at practicals, right? If you, and I'm a bit biased in that, for sure I will be, but I know that it has helped countless organizations. It is, I always take this analogy with backups, right? So if you do a backup and you have a proper backup strategy,

then part of that should be to restore, right? You don't know whether your backup is gonna be successful if you don't test that once in a while. It's the same with security, right? So test your defenses. If you have these procedures in place, if you think you have the right risk prioritized, if you think you have the right visibility, if you think you have the right technology in place, if you think you have the right incident response plan, how are you gonna make sure that all of that is right? You have to test it, right? So.

Rens (50:14.885)
We often help these organizations to test their defenses. It's pretty practical, right? We don't over-engineer it and just, you know, the simplest findings can really help, you know, that can really take that risk posture into the right direction. And if you start with those basics, you can build from there. But I think that's just tremendously important, right? Test your defenses and know where that risk is and...

There are countless organizations out there that can help you with that. So if I want to give one takeaway in this podcast, it's that. We can talk for hours on vulnerabilities, on what kind of attack vectors are there, how does an infrastructure look and where do you prioritize? But in the end, it is: whatever you put in place, you need to test it. And that's important.

Robert Wortmann (51:08.74)
I think what we need to do for one of the next episodes is let's say top 5, top 3 incident response fuck up stories. Because I always like to present them, not to point my finger at a certain victim, that's just not my style, but they on the rune are typically saying in the lessons learned, how on earth can we have overseen that? and it's...

Typically they are reaching out for the worst case and whatsoever and then they are overseeing the easiest thing. Just one story a few years ago when I was not actively doing incident response, but my company back then was doing incident response. They told a company that they have to get offline for the whole network because it was very likely that they were already breached and they just wanted to prevent even worse things.

And after too long of a discussion, this customer acknowledged, yes, we will go offline. Then they saw, our firewalls are not in-house. They are pretty much standing next door at the managed service provider. So they had to call the managed service provider to basically go offline for the whole network. The managed service provider was there and said, yeah, please open a ticket. We cannot do it without opening a ticket.

And this whole process ultimately took so long that they were encrypted before they even went offline. I mean, especially for this situation, you couldn't say that this could have been prevented with a timely response. We don't know, but it was a very good fuck up story in the end, because nobody ever planned to call that managed service provider

to take down the firewall without opening a ticket with the SLA of one hour.

Rens (53:08.453)
Yeah, yeah, I mean, that's a good example. You know, again, that is part of your incident response plan. It's all that procedure. Who are your vendors? You know, what responsibility do they have? Do you have an MSP? Do you have an MSSP? What responsibility do they have? What are their SLAs? All of that should be part of your plan, you know, but yeah, again, that's often not there. And yeah, but a good suggestion. Let's do that in the next episodes. Go through some of these examples and also how we

Robert Wortmann (53:16.377)
Yeah.

Rens (53:38.193)
how we can defend against them and how we can put that plan in place.

Robert Wortmann (53:41.955)
And I can promise you one thing for all of those fuck up stories, the people who were responsible, not for the fuck up itself, but let's say for the IT environment a few years later, and it typically takes a few years, but if you ask them now, they will have a good laugh about this and say, yeah, it was pretty silly back then, but I have learned a lot from that. And I think it could be cool if...

you could learn those things by listening to this podcast and not by experiencing this yourself. I think I would rather listen to that podcast. So that's a little spoiler to get you to the next episode, but I had a lot of fun, Rens.

Rens (54:30.065)
Me too. Yeah, it was great being here and I'm looking forward to our next chat.

Robert Wortmann (54:37.443)
And I think for us it could be a very good way in having constant talks without all that rush that comes to our jobs day by day.

Rens (54:46.715)
Absolutely.

Robert Wortmann (54:47.93)
Great to have you and yeah, I'm already looking forward to the next episode, and for all the listeners, we will be back in some time. Let's see when, I think Rens and I are both... Yeah, there is a, let's say, reality of having a day by day job. So let's see when the next episode will drop, but I'm 100 % certain there will be a next episode. So thank you to all of you and...

See you next time.

Creators and Guests

Rense Buijen
Host & Head Of Global Incident Response
Robert Wortmann
Host & Principal Security Strategist