In this eye-opening episode of The Backup Wrap-up, we delve into the critical concept of minimizing the cyberattack blast radius. Joined by cybersecurity expert Dr. Mike Saylor, we explore practical strategies to significantly reduce the impact of a breach on your organization.
We start by discussing the principle of least privilege access and its role in containing a cyberattack's blast radius. Next, we examine the importance of network segmentation in limiting the spread of an attack. The conversation then shifts to the often-overlooked aspect of controlling outbound traffic to prevent data exfiltration.
Throughout the episode, we provide actionable insights and best practices that IT professionals and business owners can implement to enhance their cybersecurity posture. By focusing on minimizing the cyberattack blast radius, organizations can better protect their digital assets and mitigate potential damages in the event of a breach.
Speaker:
You found The Backup Wrap-up, your go-to podcast for all things backup, recovery, and cyber recovery. In this episode, we'll explore the critical concept of minimizing the blast radius of a cyber attack. Once again, we're joined by cybersecurity expert Dr. Mike Saylor. We'll talk about implementing least privilege access, network segmentation, controlling outbound traffic, and other ideas on how to reduce the impact of your next cyber attack. By the way, if you don't know who I am, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about backup and recovery for over 30 years, ever since I had to tell my boss that there were no backups of the really important database we just lost. I don't want that to happen to you, and that's why I do this. On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes. This is The Backup Wrap-up.
Speaker:
Welcome to the show. Before I continue, if I could ask you to press that subscribe, like, or follow button so that you will always get our amazing content. And I am W. Curtis Preston, AKA Mr. Backup. And with me, I have my very expensive chair disassembly consultant, Prasanna Malaiyandi. How... Are you upset that I am returning my very expensive chair? Are you saddened?
Speaker:
I am not, because chairs are one of those things that are very subjective, and what works for one person may not work for another person. So I get it.
Speaker:
Those that listen to the podcast regularly know that I recently purchased a pretty, for me, pretty expensive office chair from Crandall Office Furniture, not a sponsor. And that was a very nice chair, it was actually a Steelcase chair. And I think I spent like 800 bucks on it, which was, you know, a lot of money for me for a chair. And I did it all...
Speaker:
Not, not... but if you think about...
Speaker:
What?
Speaker:
Yeah.
Speaker:
Well, two things. Yeah. Your existing chair would constantly squeak, especially if you go left, right, left, right.
Speaker:
Like this.
Speaker:
Oh, I can't hear it anymore.
Speaker:
Yeah, well, maybe better mic placement. I don't know. The first is, yeah, the squeak. And then what was the second one?
Speaker:
Oh, if you think about the cost per hour of buying that $800 chair and how much time you sit in that chair...
Speaker:
Yeah. Yeah. And... a penny a...
Speaker:
It was a $1,200 chair that I got for 800 bucks. But anyway, Crandall was great in terms of, I'm like, listen, I just really don't like the chair. They were great with the return policy, so I'm very happy. But disassembling it was quite the chore. So, on a completely different note, non sequitur, my favorite Latin term, we're gonna be talking this week about minimizing the blast radius of a cyber attack. And once again, fans of the show will recognize our guest today, Mike Saylor. How's it going, Mike?
Speaker:
It is going well. How are you guys?
Speaker:
Doing well, doing well.
Speaker:
Doing all right. I'm back.
Speaker:
Would get a new chair though.
Speaker:
I'm back. I'm back to my old chair, which for me is fine for now. But what do we mean, Mike, when we talk about minimizing the blast radius of an attack?
Speaker:
Sure. Also, today the new term is called exposure management.
Speaker:
Ooh. Exposure. I like it.
Speaker:
You know, it's not a new term, it just means something different today than it used to. For me, it just meant knowing who my daughter was going out with before they left the house. But today...
Speaker:
Also a... exposure.
Speaker:
Yeah. Today...
Speaker:
Exposure management really encompasses kind of the, you know, IT governance, like good controls and policy, and knowing where your stuff is. It involves good operations, sound operations, good quality, consistency. It involves incident response. It involves insurance and risk mitigation, and it's very broad. But specific to attack surface stuff, a lot of organizations, and I've been in IT for 30 years, I can count probably on one hand the number of organizations that have a good handle on their environment. Like when I ask, how many assets do you have? Oh, well, maybe go check the spreadsheet, or let me run my scan real quick. They don't know. And that's a problem in certain industries, especially like oil and gas, where you've got all that stuff out in the field and you don't... I have no idea. Well, then how can you protect what you don't know? And then there's other implications like licensing and patching and all. If you don't know what you're in charge of, then how can you be effective at it? So there's that. But then the exposure management, or the blast radius, is also all those controls that would be designed or implemented to minimize the impact of a given situation. Like, this laptop gets ransomware. How do I make sure it doesn't go other places? Or at least not to the critical stuff. You know, if users get infected, then they get the day off or whatever, but at least it's not taking down my server. But then other considerations too, based on how your business operates and the people you work with: are there ways to limit risk to that scope of, you know, your little ecosystem? You know, if you're a company that just does business in Texas, then why are you accepting internet traffic from China?
Speaker:
Yeah, good...
Speaker:
Kind of a simple example.
Speaker:
And one thing, Mike, as you were talking about sort of understanding what's in your environment. I know sometimes we don't think about companies who are developing software, or even just using third-party software. Sometimes those have vulnerabilities that get flagged. And if you don't know what software is running in your environment, how can you make sure that you don't have any issues, or realize, hey, I should really be patching this, or I need to take some mitigation steps to prevent myself from being attacked and being exploited by a certain exploit?
Speaker:
Absolutely. And that seems like a very straightforward conversation to have. But the moment that we start sitting back and talking about changing our patch management policy, and what systems get antivirus and what don't, and for whatever reason, it's not just us having this conversation anymore. We've gotta involve the business, and how what we're doing is gonna impact people's ability to do their job, or watch Netflix on their lunch break. But then also, is there a cost associated with that? Now we're gonna be paying more, or differently. And then at the end of the day, if our policy is what drives an incident, then you're on the hook. And so I think a lot of IT environments kind of take the risk-averse approach. Let's implement as much coverage as we can without hindering the... responsible. Especially when the business doesn't give us the feedback or the direction we need to be more effective, we become the default scapegoat. I mean, think of the CrowdStrike situation, where this update went out, I believe it was an involuntary update, so it doesn't really apply to patch management, but if we knew about the criticality, or the value or the function, of a server or machine that had CrowdStrike on it, the moment that problem arose, we would know the impact it was gonna have over the next day or week. And we would be...
Speaker:
I was reading a blog this morning. I was reading a blog about the over-reliance on individual vendors, right? And the funny thing is, the blog was on CrowdStrike's blog. It was a blog that they wrote a little while ago about the over-reliance on a single vendor. It's just, when you think about what happened with CrowdStrike, it's just rather ironic. Yeah, so when we talk about, you know, there are things... let's first talk about the concept when we're trying to minimize that blast radius. One of the first things that comes to my mind is the concept of least privilege. You want to talk about that a little bit?
Speaker:
Sure. That lends itself to some comments I've already made. And so let's just take you gentlemen, for example. Curtis, if you're just a normal user, I'm just gonna give you the ability to do your job. And so that's internet access, the ability to print, maybe access your email, and maybe access some role-specific server or application within the environment. Well, that takes time on the operations side for me to develop who has access to what, based on job role.
Speaker:
Which is called what? Role...
Speaker:
Role-based access control, right? Or RBAC.
Speaker:
Yeah.
Speaker:
So that's a mature version of just having the questions asked when new user access is requested. And so in a small shop that's not so much of a problem, but even in a small shop that has a lot of turnover, or where you've got these large enterprises, you know, small, medium, large, and then enterprise, the different sizes of organization may dictate the need for better, more mature approaches to allocating or provisioning access. So if we can reduce what a user has access to, we're reducing the exposure of that asset and that user. If they're compromised, their credentials are compromised, their asset's compromised, whatever it is, the limit of that user's profile, the access to do other stuff, should mitigate the risk. And a good example of that is, in some environments, when IT resources are limited and we don't have the ability to go fix all these problems at people's desks, we're giving normal users local administrator access to their machine. And if we're not looking at stuff on the network, like network shares and who has the ability to do whatever, the exposure there, the risk, is much greater because you've given those users, those profiles, those assets more access than they need.
Speaker:
Well, I think when we start talking about least privilege and RBAC, where this really comes into play is the more privileges that you have as part of your job, the more RBAC and the concept of least privilege apply, right? So if you are, you know, back in the day, again, you and I have been around a minute, and back in the day if you were part of the IT team, you got root. Right. You got root on all the systems and you could do all the things. And if you wanted to blow up Oracle, you logged in as root. You su'd to oracle. You did stuff in Oracle, right? You basically were all-powerful in the data center. And I guess what I'd like to recommend here is that the more power that you're giving to someone, and the more powerful that their role is, the more you should think about this concept of limiting the privilege that they have. Right? So you don't give root to everybody. You don't give the Oracle... like, again, back in the day, you just gave the Oracle password to the person that was going to be in charge of Oracle, rather than forcing them to become themselves and then su to... and again, I'm using very Unix terms, but, you know, I'm old and that's what we did. Although that still applies.
Speaker:
Great responsibility, right?
Speaker:
Yeah, exactly. Prasanna, I mean, you've dealt with this as well, right?
Speaker:
Oh yeah, yeah. No, and that's always the case, is how do you make sure? Well, I think it's the trade-off, right? Because people want easy, seamless access to do things they have to get done, and they don't always do those operations over and over. So if you introduce some of these hurdles, it becomes difficult for them to do things. At the same time, I totally agree a hundred percent that, hey, I can't do this anymore. Like, I wanna restrict access because it's just too much exposure. And so really only what you need access to, you should have. So an example is in the CrowdStrike case, right? If you look at what the recovery step was, right? You had to sort of go to each individual machine, enter their recovery key before the user could even get to safe mode, in order to be able to try to recover their machine. And you had to go to every single endpoint and do that, right? If you said least privilege, and you said, look, as an end user, you should never have access to this key, right? Because you never need access to it. Now you're kind of stuck having an IT person manually go to every single desk, and there's no sort of self-help mitigation, right? So I think that's why there needs to be a balance, right? It can't just be one or the other. It's just like everything else in IT. Right? It's easier to do it, you know, like you said, it's easier to give everybody administrator on their laptop, right? It's easier to give everybody the recovery key. It's also riskier to do all of that.
Speaker:
What were you gonna say, Mike?
Speaker:
I'll add a couple things. You're right, it is a balance. The more security you have, the less usable things are. And that's just a balancing act between operations, or usability, and security. But a couple things I'll add, and this kind of continues the threads that both of you mentioned. Even administrators should have a normal, non-administrator account for doing normal, non-administrative things like checking my email and writing reports or whatever. I don't need to be logged in as admin for that. And it could still be Mike admin, but also have a Mike normal user account. We want that accountability, that I can attribute network activity to a user.
Speaker:
Yeah.
Speaker:
Can I add on that? Can I add on that, Mike? And you should, as a matter of policy and a matter of logging and monitoring and enforcement, enforce the idea that you do not ever log in as administrator or log in as root. You log in as you, and you become the role that you need. That creates logs, that creates all of these things. And that way, if anyone ever does log in as administrator directly, that should be setting off the klaxons and alerts everywhere, right? So that goes back to the logging and alerting part.
Speaker:
And you're right, that's policy. So you need to have a policy that dictates that privileged users have normal user accounts, and that they use those accounts to then gain administrator, whether it's their own administrator account, or it's sudo or su to a root or admin account. The other thing I'll contribute is privileged access is often applied to more than just users. There are service accounts that get privilege. And so you've really gotta assess whether service accounts really need that privilege. And I know a lot of vendors and IT shops will give it that privilege for the ease of deployment and troubleshooting. Like, it's not gonna be a problem if it's an admin. Unfortunately, even security tools. And I think we may have mentioned red teaming at some point. When we red team an organization, we look at service accounts, and in a lot of cases those security tools that are supposed to protect you are also running as a privileged service account. And in a lot of cases, we're able to actually compromise those security service accounts in order to compromise the network.
Speaker:
Yeah, we talked about that. We talked about those service accounts quite a bit a couple episodes ago.
Speaker:
But that's policy. Policy needs to dictate that least privilege is something that needs to be applied to everything.
Speaker:
Yeah, absolutely. Let's move on to another topic. Least privilege: really important. You know, implement it wherever you can, as much as you can. There is a balance that you have to have, right? And I do think that idea of, like, administrators need to have administrator, but they should not be logging in as administrator. They should have to become administrator. And I do very much prefer sudo to su, because you use your password, right, rather than the root password. Anyway. Let's talk a little bit about network segmentation. You talked a little bit about laptops. One of the things, you know, a laptop, we can limit to a certain degree what servers a laptop has access to. But I think that in almost every case, we can put laptops on a separate network, that should never be able to talk to each other. Does a laptop ever need to talk to another laptop directly?
Speaker:
Well, it's, because it's running Windows, first of all. But Windows is so chatty when you look at network analyzers, it's crazy. But absolutely, you should have a, like, your core network should be on its own segment. If you have a voice over IP network, that needs to be on its own segment. Your backup network, your administration... there are so many different ways to architect your network that can reduce exposure when there is a problem, because deploying access control, creating rules around segments, all that stuff is one console today with the virtual, you know, the interface on a lot of these switches. It's so intuitive, creating VLANs and all that stuff. That is one of the best and most timely ways of mitigating network-layer intrusions and incidents, is being able to... you've already got it. You've already got it set up. If there's a problem with the user environment, just go to your switch and tell it they can't talk to anything else for a while until you figure this out. So there's a lot of very effective and timely things you can do once you've implemented, once you've architected, segmentation. The tools are out there.
Speaker:
And Mike, I think, and I wanna get your take on this, I guess so. Segmentation is great, and firewall rules are great, only if you use 'em correctly, right? Because there are a lot of times where people might, say, have a trunk port passing all the VLAN tags across it, which basically defeats the purpose of having segmentation, especially for end users, because you can automatically switch between different VLANs and now you have access to networks which you should not. So just making sure you are using the switches and the network configuration, and also your firewall rules, correctly is also a big thing as well.
Speaker:
Yeah, you've gotta have a strategy for your architecture. Implementing parts of this is better than not, in most cases, but implementing segmentation can actually create more overhead if you don't do... And then, I mean, I listed a couple. You could also create a segment for your remote access users that are calling in over, you know, VPN or what have you. But the idea, though, and even other locations, if you've got different buildings, is that those buildings should be on their own segment, if you're running like an MPLS or internal networking scheme for that. But the idea then is making sure you have a good understanding of how your network operates and how it supports the business, so that you can configure that right.
Speaker:
On a previous episode, actually, I think it's the one that went live just this week, in recording world... it's different in the episode world. But, you know, one of the things that I harp against a lot is RDP, right? Which I call the Ransomware Deployment Protocol. And if you are going to enable RDP, I think RDP should be on its own segment, that in order to use RDP, you must be either physically present in a particular place, or you need to be VPNing in to that. That you should not have RDP on every server and have those RDP ports accessible everywhere. Right. That's another... can you think of anything else like that, that we would really wanna segment off?
Speaker:
Man, I can probably spend the rest of the day talking scenarios. But the important thing to do is assess the way your environment operates, the things that you use to support your environment, your users, and the company. And then, what I'm gonna say is, what risks are associated with that? Like RDP, if you don't have it configured well, all that traffic is unencrypted. So are there other tools you're using? And how are those configured? Like Service Desk, or NinjaRMM, or some of these others. Those are great tools, but if the endpoints are configured to auto-answer without user interaction and putting in a token and all that stuff, that's a risk. So that's an example of: look at the tools you're using, and can we use them securely? And if not, is there an alternative? And like, there are alternatives to RDP that are low or no cost, that are more secure and effective. They're just not as... they're not easy. They don't come with the operating system. So there's a list there of deployment and configuration to use it that, you know, maybe some organizations don't have the time or resources to...
Speaker:
Yeah. Or, once again, money. It's like everything else, that, you know, the good tools cost money, right?
Speaker:
One other thing I was gonna add to what you were saying, Mike, is for some of these vendors, maybe it's worthwhile to see, do they have, like, white papers or knowledge base articles on how to actually set these up securely?
Speaker:
Mm-hmm. Right.
Speaker:
Or best practices to...
Speaker:
And I know, and you're right, there usually is, because that's just gonna help them distribute and market their product. I know a lot of organizations that are using AI to ask those questions, like, what's a good alternative to RDP, or what have you? And I'm gonna suggest that people be conscious that when you ask the questions in a public domain, they become public knowledge. And if I can trace that back to who asked the question, now I know the technologies you might be using. But also, not to trust AI on face value. Still do your own research, fact-finding, all that good stuff.
Speaker:
Are you saying AI's not perfect, Mike?
Speaker:
It is not perfect. It's almo... AI is almost intelligent.
Speaker:
Almost intelligent. I like that.
Speaker:
The key, the key is the word "artificial". I saw a meme yesterday, and it was a picture of... what's the guy, the young man that comes back in time to stop the Terminator? What's his name? What's the character's name? No, the guy that comes back. The son, the guy that battles all the Terminators. Why can't I think of him?
Speaker:
Yeah, we know who you're talking about, though.
Speaker:
Mike Connors. Mike Connors, that's his name, Mike Connors. Anyway, and it's a picture of him, like, giving side-eye, and it's like, Mike Connors watching all of you people befriend AI.
Speaker:
Nice.
Speaker:
All right, so let's talk about a third topic, and again, this is all under the concept of minimizing blast radius. One of the things, so, you know, we talk on this podcast a lot about backup and recovery and DR, and making sure that you have a copy of your data and having it in a place that is blocked from, you know, access. You know, so that if you do get attacked, or when you get attacked, the hackers won't be able to also delete your backups. Having said that, none of that will help you if your data is stolen, right, if your data is exfiltrated. So the thing that I think people are not spending enough time on is doing what they can to stop the uploading of their data, you know, to the world. And there's a really good episode of ours back when we had Dwayne from the red teaming group, where he talked a lot about how, actually, generally people aren't... the hackers aren't using, like, the web. They're just going directly. They're just copying the data directly to where they want to store it, because, and this is the crazy thing, no one is stopping them, right? They know that the web traffic is being monitored, and so they don't use that. And he had this analogy. He goes, it's like we're in this wide-open field, and the web is like a door in the middle of this field, and that door is locked. So it's like, oh, darn, there's a door here. We can't use it. Oh, maybe we'll just go around the door. Right? We'll... all these other ways. So it came as a surprise to me, and I guess it shouldn't, because historically we didn't limit outgoing traffic. And so, you know, what do you think about this idea of basically blocking everything that's going out and only limiting what should be going out, which is the complete opposite of the way most networks currently are configured? What do you think about that idea?
Speaker:
I think it's a beautiful idea, but it would take a lot of analysis that most organizations don't go through. So what is normal? What is allowed? Where's it coming from? Where's it going to? How much volume should I be considering as normal? What ports does that data go out? What protocol? All those things...
Speaker:
Talked...
Speaker:
...can be done.
Speaker:
on your firewalls on observe mode.
Speaker:
Um, first for like a month just to see what actual outgoing traffic.
Speaker:
Uh, and he did tell the story that when they were advising a customer of
Speaker:
this and they turned on their firewall and observe mode, they found out
Speaker:
they were in the middle of an actual attack, um, during the observe mode.
Speaker:
Um, but yeah, that you definitely have to.
Speaker:
You can do a lot of damage.
Speaker:
And I, you know, and I have a story that I've told a lot of times on the
Speaker:
podcast of me working in an environment where they, they blocked everything
Speaker:
and the, the amount of hassle that was to me as a, so here I was, I was the
Speaker:
o they had a very segmented network that server A could not talk to server
Speaker:
B it was, it's, it was properly done.
Speaker:
And this is 25 years ago, so this is really impressive, but.
Speaker:
When me, the crazy man came in and I wanted to do this thing
Speaker:
called backups, and I needed a server to be able to talk to every
Speaker:
other server that blew their mind.
Speaker:
And, and they hated me from day one, and they did a lot of damage to my
Speaker:
ability to do my job, uh, in the process.
Speaker:
So, you know, it has to get their job done, but I, I do think this is
Speaker:
something that you should entertain.
Speaker:
Uh, and I do like this idea of turning on the, the firewall and, and observe mode.
Speaker:
What do you think, Prasanna?
Speaker:
I think that's worthwhile.
Speaker:
I think also with sort of some of the, uh, blacklists that are out there,
Speaker:
for instance, you could also be using DNS blacklists and other things like
Speaker:
that to also help filter out some of the common websites or IP addresses,
Speaker:
which have a bad reputation, right?
Speaker:
There's also the reputation score out there, right?
Speaker:
So you can look at some of these and apply them and.
Speaker:
Not necessarily gonna prevent every anyone from trying to get to legitimate
Speaker:
websites, because even in those 30 days when you're running firewall and observe
Speaker:
mode, maybe it's seasonality and I don't go look at certain websites or do certain
Speaker:
things until like the quarter end.
Speaker:
So you're not impacting the business, but at least you're trying to prevent
Speaker:
a lot of the malicious traffic.
Speaker:
He, he did also talk about blocking, uh, things like SSH, SCP.
Speaker:
Um, he's like, ask yourself, when would we ever, is there a scenario in which
Speaker:
we as admins would ever need to SSH to the outside, outside of our network?
Speaker:
And if the answer is, we can't think of one, then turn SSH off
Speaker:
Or FTP.
Speaker:
or ftp, similar protocols, right.
Speaker:
Um, outgoing, specifically outgoing, FTP.
Speaker:
Right.
Speaker:
Um, can you think of other things like that, Mike, that, that we
Speaker:
might wanna block going out?
Speaker:
Uh, encrypted traffic over your DNS port.
Speaker:
That did come up, I think.
Speaker:
Yep.
Speaker:
Yeah.
Speaker:
that's a good exfil, that's a good exfil port and tactic.
Speaker:
Um,
Speaker:
but then
Speaker:
wanna, explain that?
Speaker:
I know what you mean, uh, Mike, but do you wanna explain that
Speaker:
So it's a port that's usually not monitored.
Speaker:
Uh, it's never, it's never blocked.
Speaker:
You, you, you, you have to have it.
Speaker:
Um, so we don't monitor the DNS port on the firewall.
Speaker:
Um, and bad guys know this, so we're, to your point about web traffic and encrypted
Speaker:
traffic and these other services like SSH and FTP, those run on specific ports.
Speaker:
And so if, if I'm concerned about someone.
Speaker:
Uh, creating a connection outbound that can upload files.
Speaker:
I'm looking at Port 21 and the SSH port SSH port.
Speaker:
But very rarely do we monitor the DNS port and so back and, and
Speaker:
there's a couple things there.
Speaker:
One, uh, very low traffic on that port.
Speaker:
And so we could simply look for any increase, you know, abnormal
Speaker:
traffic volume on that port.
Speaker:
That should be clue number one.
Speaker:
And then clue number two, uh, bad guys.
Speaker:
You know, when we, when we expel data off, uh, through that
Speaker:
port, we typically encrypt it.
Speaker:
So you don't know what we're, what we're stealing.
Speaker:
And so encrypted traffic over that port at, at, at any level should be suspicious.
Speaker:
Um, so yeah.
Speaker:
And this goes back to understanding your business, what, and
Speaker:
whether it's the, the firewall.
Speaker:
Uh, you know, observe mode, uh, or just simple understanding of the different
Speaker:
applications and ways that users interact and data flow and all that
Speaker:
stuff that'll help you determine what can be turned off, blocked, uninstalled,
Speaker:
monitored, uh, that kind of thing.
Speaker:
Uh, and along those lines, and, and, and Prasanna touched on this
Speaker:
with the, the known bad IP lists.
Speaker:
Um, so those are good, but you know, you might have a handful of bad IPs
Speaker:
in a geographic area of the world.
Speaker:
Well, if your, again, if your business doesn't do, if, if your
Speaker:
business doesn't care about traffic from that part of the world, just
Speaker:
block that entire geo IP subnet.
Speaker:
Uh, and that'll do two things.
Speaker:
One, uh, or several things.
Speaker:
One, uh, you're not gonna get direct traffic from that part of the world.
Speaker:
You don't care about whether it's malicious or unintentional,
Speaker:
and that should reduce.
Speaker:
Overhead on your firewall, but it'll also limit, um, at least
Speaker:
the direct attack exposure, uh, from, from that part of the world.
Speaker:
Yeah.
Speaker:
I remember a long time ago me deciding that I didn't need any web browsers
Speaker:
from, uh, customers from uh, Russia.
Speaker:
I remember deciding that.
Speaker:
A long time ago.
Speaker:
Um, yeah, this, this reminds me, you know, I'm gonna draw an
Speaker:
analogy to pre-9/11, right?
Speaker:
Um, the idea of the idea that the attackers used the planes.
Speaker:
As the weapons themselves was a new idea at the time.
Speaker:
This is a new idea that we never really had to think about exfiltration
Speaker:
really as the problem itself.
Speaker:
And so I'm just saying to me it's the one problem that you can't.
Speaker:
Stop.
Speaker:
Right?
Speaker:
I'm not, let me rephrase that.
Speaker:
If you, if you experience it, if they download your data,
Speaker:
there's nothing you can do.
Speaker:
You're going to either pay the ransom or take the hit, the PR hit of whatever it
Speaker:
is that's gonna happen to your company.
Speaker:
And which is why I remember asking you, um, you know, the, the degree
Speaker:
of people that, or the percentage of people that pay the ransom.
Speaker:
And one of the first things you said was if they did exfiltration.
Speaker:
Generally speaking, they're gonna end up paying the ransom.
Speaker:
And so I guess all I'm saying is it's time to have that conversation.
Speaker:
Maybe you do some of these things, maybe you block known bad IP addresses.
Speaker:
Maybe you, maybe you start blocking, um, you know, uh, outgoing, uh,
Speaker:
SSH and SCP and FTP, uh, any of the file transfer type protocols.
Speaker:
Um, and maybe you consider, at least consider, run your firewall and observe
Speaker:
mode to see what kind of outgoing traffic that you normally have, and
Speaker:
then maybe if you want to take it to the next level, do the, the best thing
Speaker:
again, good, better, best, right?
Speaker:
The best thing would be to block all outgoing traffic, except for
Speaker:
the, you know, the stuff, but yes.
Speaker:
You know, your initial response to that is a hundred percent true.
Speaker:
It's gonna take you a minute to accomplish that,
Speaker:
right?
Speaker:
Well, and just imagine
Speaker:
piss off some people in the process.
Speaker:
What's that?
Speaker:
And just imagine the end users like Curtis.
Speaker:
Imagine if at home you blocked all outgoing traffic,
Speaker:
Yeah,
Speaker:
right?
Speaker:
Imagine what?
Speaker:
Help desk.
Speaker:
Yes.
Speaker:
I.
Speaker:
exactly.
Speaker:
Uh, the um.
Speaker:
Uh, I can imagine that very much.
Speaker:
Um, well, it's been another great conversation.
Speaker:
Um, I, I hope that folks got some ideas about ways that they
Speaker:
can minimize the blast radius.
Speaker:
And, um, this is our part of our continuing, uh, series here
Speaker:
about, uh, defeating ransomware.
Speaker:
Thanks again, Mike.
Speaker:
You are welcome.
Speaker:
And, uh, thanks again, Prasanna.
Speaker:
No, this was fun.
Speaker:
And Mike, I'm glad that there's someone who understands networking because
Speaker:
whenever I talk about networking with Curtis, it sort of just like
Speaker:
goes over his head.
Speaker:
stop.
Speaker:
you're
Speaker:
But I love you, Curtis.
Speaker:
sometimes.
Speaker:
You're mean, Prasanna.
Speaker:
Thank goodness for me.
Speaker:
I have our lovely listeners.
Speaker:
We love you guys.
Speaker:
Thanks.
Speaker:
Uh, thanks.
Speaker:
Uh.
Speaker:
For, uh, being there at least I think you're there.
Speaker:
The numbers say you're there.
Speaker:
So, uh, thanks for being there.
Speaker:
That is a wrap.