Episode 30

Pen Testing and Incident Response with Pathfynder

EPISODE SUMMARY

Pen testing and vulnerability scans used to be a once-per-year project, but more and more, companies are turning to a continuous model of defense throughout the year. How do you determine the appropriate strategy to defend your organization? What should you think about when setting your offensive budget? And what the heck do some of these cybersecurity terms even mean? The CEO of Pathfynder, DJ Fuller, joins us to break through a lot of common pen testing myths and break down best practices, especially when using a third-party service.


Mike Gruen

Mike is the Cybrary VP of Engineering / CISO. He manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture.


Joseph Carson:
Hello everyone, welcome back to the next episode of 401 Access Denied. Really excited to be here for another educational fun topic to bring as much education and knowledge and value to you so you can really get your security, best practices, and strategies, and incident response and everything going and planned and in practice. Hopefully this will be a very valuable session for you today. My name is Joseph Carson. I'm one of your co-hosts of the show, chief security scientist at Thycotic and based in Tallinn, Estonia. I'm really excited to be here for this next episode. Passing it over to Mike to give us an update on what we're in for today, and who's our special guest.

Mike Gruen:
Yup. Mike Gruen, VP of Engineering and CISO here at Cybrary. Really excited to talk to DJ Fuller from Pathfynder about what it's like to work with a security service provider and what all the different services are, incident response. And I'll throw it over to DJ to introduce himself. Welcome to the show.

DJ Fuller:
Thanks. Thanks for having me, excited to be here. DJ Fuller, CEO of Pathfynder. We're a Bozeman, Montana-based cybersecurity company. Really focused heavily on technical cyber services. We have ops in Washington, DC as well. We help companies in a variety of ways, which we can go into. Really, more than anything, it's the incredible team that we have, a lot of former DoD and intelligence community cyber practitioners. Those are the ones that do the real work every day and really bring that knowledge to our clients. Happy to be here.

Joseph Carson:
Thanks for joining us.

Mike Gruen:
Thanks for joining us.

Joseph Carson:
Yeah. It's a pleasure to have you on the show. One question I've got for you, it's something that, for a long time, organizations have struggled with: getting the in-house expertise. And they don't necessarily need to have the expertise. It's really important for them to go out and actually get retainers and get services from those, because as an organization, you're not dealing with incidents, you're not dealing with security events every single day. So if you're not doing it every single day, what happens is your skill sets can become a bit, let's say, not up to speed and maybe not on par with those who are dealing with it every day.

Joseph Carson:
How important is it for organizations to actually sign up and make sure they actually get services from experts, whether it be penetration testing, or red teaming, or incident response? How important is it for them to just sign up and gain access to the services, especially when they need them?

DJ Fuller:
Based on the landscape that we're seeing right now, obviously it's extremely important. I think one of the things that we hear from some folks and some clients sometimes who end up becoming clients as well, "My business isn't that important, it's not that sexy, we're not doing anything that someone would want to attack us." And really, no one's safe today. If you look at what I would call the cyber powder keg forming, in the cyber environment, the attack surfaces are just growing larger and larger as companies are scaling. Cyber adversaries are getting more innovative, and I think that's creating this unique scenario where attackers are increasingly motivated. And really, they just have this lush landscape to go and attack.

DJ Fuller:
And so I think what companies have to understand right now is that being on the defensive really means that the adversary is going to set the tempo time and place of the attack. So if you really have no control, or very little control on when the attack is going to happen, and to your point, you need to have thought about some of these services well prior to needing them.

DJ Fuller:
And I think what we're seeing as far as how clients are treating it, a few years ago would have been someone would do a pen test and a vulnerability scan because their legal agreement set it, there was a check in the box for some compliance, maybe it was SOC 2, PCI, but now we're actually seeing clients start to get ahead of it in their budgets, engage, and say, "How do we have a continuous program throughout the year that is right sized for our organization?"

DJ Fuller:
So it could be a pen test, it could be a red team, it could be multiple of those things. But it could be also a lot of just basics that they need to train their employees on. So we're starting to see the shift from people saying, "Well, I'll just buy more insurance. And we'll have to do one thing a year to check a box," to, "How do I really start to defend myself? And how do I create the right budget to do that?"

Mike Gruen:
Can we just take a step back? Because I think, and DJ, you and I have talked about this in the past, that just organizations, I think, come to you and don't even necessarily know what's the difference between a pen test and a red team? What are these different things? I think just defining some of that stuff for the audience would be super helpful.

DJ Fuller:
Absolutely. One of the areas we focus on is the offensive side, which includes some of the services that you mentioned, oftentimes called the red side of cyber. A couple different things to lay out. Usually, what people are getting when they think they're getting a pen test is a vulnerability scan. And there are multiple of these, and these are automated tools. There's different scanners, there's some that are more prevalent in the industry. But a lot of times what will happen is, someone will call that a pen test, they'll run an automated scan, which kicks out the results, they'll put some executive summary on it, and they'll present it to the client for something like $5,000, and say they did their pen test. And that's pretty far from a pen test.

DJ Fuller:
When you actually talk about penetration testing, whether it be a web app, or physical infrastructure, or any other applications that you have, you're actually talking about someone with an ethical hacking background that maybe uses multiple scanners to just understand where the gaps are in the network, but then is actually going in and doing manual testing to figure out how they would simulate an attacker getting in into the environment and really spending tens of hours. If you're buying a pen test, and someone is spending less than 40 hours actually trying to find all the attack vectors in, you're probably, I'm not going to say you're wasting your money because every sized company has different needs, but that's what a real pen test is.

DJ Fuller:
Sometimes we hear clients say, "Well, we were quoted this for a pen test." And we're like, "Well, you're not getting a pen test." So it's important. And then a red team can mean a lot of things depending on if you want to bring physical into it. But the way that we oftentimes approach a red team, think of a normal penetration test as, from the outside, like there's a wall on the company. And it's really looking at it from an external lens. When you talk about red teaming, it goes to what would be called an internal pen test. And so the idea is that an attacker is in your environment.

DJ Fuller:
There's a couple ways to do that. There's different models to gain access. We prefer the assumed breach model. So you'll hear different things. Some people say, "Here's a contractor laptop, we want you to get into our environment, starting with just a basic user." But we use an assumed breach model, which usually means someone was phished to the point where they clicked on an executable, which we all know, given enough time, we can do that. So you save the client money by not spending hours phishing folks.

DJ Fuller:
And then the goal is to interact with the lowest level access possible in a red team and prove that you can move laterally and then vertically through their system to eventually get to their crown jewels. And why is this important? Because that's what we hear in the world of ransom these days. So what are attackers ransoming? Well, they're usually ransoming the crown jewels to be able to say, "Pay me or your business is over." That's essentially a red team, it's an internal pen test.

DJ Fuller:
We're seeing a lot more companies do that. We're seeing automation start to play into the red team side of the house. Some different opinions on that in the industry. I still think the manual touch is extremely important. The AI doesn't exist that'll move and find all the holes laterally. So that's what folks and clients should think about when they're setting their offensive budget.

Mike Gruen:
I would think on the automation side, it's like anything automated, right? If you can use some automated tools to save some money and save some steps that-

DJ Fuller:
Right.

Mike Gruen:
... Right. You still need the manual, but like, "Hey, now we can just do that much more on the same sized budget because we do these scans." It's the same reason why the scans and other things exist.

DJ Fuller:
Right.

Mike Gruen:
In talking to other companies, I know one of the big questions or the conversation points with prospects or clients, or whatever, and the service provider is how much information to give to this company you are hiring, right? And I know my friends that work at them. They're like, "The more information you give us, the better off, because we can spend hours and hours and hours spending your money, digging up this information, or you can just give it to us because an attacker has unlimited time, they'll eventually get the same information. So you might as well just give it to us upfront rather than trying to simulate a total outside person."

Joseph Carson:
Yeah. Focus on what your goals are.

Mike Gruen:
Right.

DJ Fuller:
Right.

Joseph Carson:
What is the success that you measure? And try to minimize the waste where possible; it's ultimately what you want to achieve.

Mike Gruen:
Right.

DJ Fuller:
Without a doubt. It's different client by client. Some just don't have the budget. And so in that case it's, what are the goals? What are the crown jewels? What's the information that we need to show you where your weaknesses are so you can defend against them as quick as possible? However, there's some folks, like some of the very large institutions that are worried about a lot of different things, that will say, "Here's a thousand hours. Go and tell us what we don't know." We tend to like to start with very little knowledge. We just say, "Give us an internal user, give us remote access via VPN. And then we'll tell you when it's better for you to give us something where you're going to spend too much money."

DJ Fuller:
For example, we had a client recently where we got to a point where we proved that we could download a pretty large file that would then give us access to more users to then get to their crown jewels. And we said, "Instead of us spending five hours downloading this file, we can do it, just go ahead and give us the next level of access because you're saving money now and saving time."

Joseph Carson:
Yeah, saving time.

DJ Fuller:
So I think it depends, and you're exactly right on the tools, we use some of the tools. Anything that can help us save time so that we can do more manual work for the client is really the goal. And I think that's how it has to be looked at.

Joseph Carson:
A question. I've done quite a few penetration tests in the past and participated in red teaming as well. And one of my main goals is always to stay as stealthy as possible; raise no alarms, create no flags, which means introducing as few tools as possible. So what I tend to do is living off the land. I look at what tools are available already to me, whether they're using something like a SIEM that you can gain access to, or are you looking at maybe a system center or some type of automation? Are they using PowerShell automation? Are they using things like PsExec that you can just hide within the shadows and darkness there, that you can make it look like it's normal IT operations? Where do you sit in between introducing new automation tools? What I tend to do is I try to take things out and do the automation in my own place versus bringing the tools into their environment where it can create much more noise. What's your thoughts on that?

DJ Fuller:
Yeah. We approach it the exact same way that you just said, we'd rather bring it out of the environment. And I think one of the things that we're starting to pivot of it, you made me think of something, one of the things that we're actually seeing is that companies are increasingly buying more purple teams these days.

Joseph Carson:
I actually noticed as well.

DJ Fuller:
And I think it's because they recognize that you could pay for a red team. In two weeks, someone's going to come back and tell you where you need to increase your visibility, defend, but what better opportunity to sit side by side with the blue team and say, "We just did this. Did you see this? Do you have visibility that let you know that we just downloaded a seven..." "Okay. You don't. Why is that important?" Because the constant struggle in the industry is blue and red trying to work happily together.

Joseph Carson:
I think that is the most critical thing; we need them to work together. That's why purple-teaming is so important because we need to, one is make... Otherwise, we're just going to basically do retrospect; is we're going to do lessons learned, but we're actually not going to do anything to stop it.

Mike Gruen:
Right.

Joseph Carson:
And that's the whole purpose of purple-teaming, is to make sure that the defenders know the techniques that are used so they can put the right... My goal, I always have a methodology that I take, which is the more noise I can force the attacker to make, the more risks. The more noise that they make throughout the environment, the better chance I have at detecting them. And that's what you want to force them to do. You want to force them to be noisy. Because my goal, when I look at my methodology, it's be as stealthy as possible, is to introduce very little... use resources efficiently, doing it in the quickest time I possibly can with the least amount of money. So stealthy is the most important. If I can't be stealthy, then that's where I start to increase everything else.

Joseph Carson:
So the more risk we force them to take, the more noise they'll create. And ultimately, if they start creating noise and you force them to take that risk, you have a better chance to detect them much earlier. And that's where my thoughts are around purple-teaming, is that that's their goal; is to force more noise in the environment so they can actually detect them much quicker and put the right controls in place that will actually make it more challenging, more difficult. So that's my methodology and approach I've always taken.

Mike Gruen:
Yeah. I think it's very similar to how I got into cybersecurity in the first place. As an application developer, I think I've told this story before. I was responsible for being the liaison with the team that we'd hired to do an actual pen test and watching them use their tools and their techniques. And they were happy to share it with me because they're like, "The more you understand, the next time we come through, this stuff will all be buttoned up and we can focus on the next level, the next higher thing."

Mike Gruen:
So I think that's also an important part is, that budget, the money spent, like, "Right, you got this report back, but what good does that get into you if the next time you go through this process you're just going to get basically the same findings?" You need the educational piece, you need the blue team, you need the application developers. You need everybody to understand the abstract concepts that these attackers are using so that they can use their brains to better defend as well.

DJ Fuller:
We evolved a bit this year with our red teaming and purple-teaming because... And we could talk about what we're seeing in the different sized clients, just in general, but we have a lot of clients that probably could pay for a full red team, but it's not worth their money yet. You're like, "Within two hours, we'll have your box. It'll be over. And then you've spent a lot of money and it's not worth it."

DJ Fuller:
So we were challenged to come up with a new product, if you will, where we're trying to use it more as a training tool. And so we're going in and we're spending... We do it every other month, and we go in and we build a different, wouldn't call it completely automated, but we do almost this unit level red teaming or purple-teaming where we have a specific goal of training at the end of it.

DJ Fuller:
So we'll start out and typically an attacker will go in, as you know, and they'll execute a TTP. They'll level exec TTP to find something to move laterally. So what we're trying to do inside of some of these companies that are trying to become more sophisticated is we don't move laterally. We'll execute the TTP, we'll prove out that case. We just prove why it's important to have segmentation. We'll stop there. We'll have a conversation with the client, "Go build segmentation." And then two months later, we'll execute another TTP.

DJ Fuller:
And the idea is that at the end of 12 months, you've essentially helped them mature to a point where in the next year they may have the capability to really test that and do a full red or purple team. So it's a little bit of unit level testing combined with training and helping them become better because a lot of clients are just figuring out where to start right now.

Joseph Carson:
Absolutely. Get the basics done because ultimately if you don't have the basics done, you're going to be wide open to attacks. And I think that's great. I really like that approach that you're really going through and focusing on specific details and making sure that we find this one, let's make sure we actually close it immediately. And then basically then go to the next one. So really much more of a maturity type model than just a quick check box, spray and pray type of approach where we hope you find everything, close everything up. This is much more pragmatic, much more, let's say, strategic into making sure that...

Joseph Carson:
There's something, I guess, organizations this year, with the volt and the RDP, let's just take RDP as a specific type of attack. And make sure that basically, we detect all the weaknesses and all the risks that the organization has taken and let's close that, let's just focus on the one specific attack vector. And then we move to the next one and the next one. I think it's much more, let's say, it lures more maturity and quicker educational learning. So taking the most critical assets, I would tend to do first and can layer down following that. I like that approach. It's good.

DJ Fuller:
There's probably a lot of people listening thinking, "Well, I don't really know if I have anything to penetration test," or, "if I have anything to red team, so it's probably not applicable." But on the maturity curve and sophistication curve, I don't know what you're seeing, but we find that it's hard in this industry to segment necessarily by revenue or employee size. It's usually by the amount of effort that they've put into cybersecurity, the sophistication level.

DJ Fuller:
And so for some of our clients, I would say, on the, I wouldn't call them the lower end of the sophistication, but maybe they are a professional services company that, they're like, "Well, we have O 365, we use SharePoint, we talk to our customers on Teams and we send a couple emails." And in those cases, I think folks really these days, if you want to talk about incident response, you have to start looking at BEC, business email compromise. And it's not even what it was a year ago. It used to be phishing, buy one, get one free from this store, click on it. It's becoming extremely targeted. Attackers are getting into these O 365 or Google Workspace environments and they're hanging out there. And they're usually hanging out somewhere where invoices fly back and forth. And they're winning.

DJ Fuller:
So for those types of people, we oftentimes say, "Very basically, you need to worry about your cloud applications like Google Workspace, O 365. There's very basic security audits that you can do because a lot of times those products come out of the box built for productivity, but not for security." Doesn't mean that security isn't available, it just means it's not automatically enabled the right way coming out of the box.

DJ Fuller:
So, a lot of times we go in, we'll do a 12-point audit of both of those systems depending on the one that they have. We'll come back with recommendations on security controls that they should enable, and then we can do those for them so that they have the right multi-factor authentication rules set up, they have the right logging set up. You can't do a whole lot from a threat hunting or an IR perspective if you don't have logs in them.

Joseph Carson:
Oh, that's my worst nightmare. Every time I get in... I have a system back there, I've been doing forensics on a ransomware case. And the attackers basically command deleted applications, just system security logs, VPN logs, PowerShell logs and ongoing. And there's no archives, there's no backups, there's no nothing. So what you're just trying to do is just recover from everything else around it that may have touched... that might give you some visibility using things like TASO or other types of correlation tools that will give you some type of timeline, and then you're trying to fill in the gaps.

Joseph Carson:
It's getting to a point where if you don't have logs, or if you have logs only at certain areas, it only gives you this tiny little view. And it means that you have the user experience. You have the user knowledge into, "Here's what I've seen in a similar environment that I can make assumptions and fill in the gaps," but that's my worst case, is when I go into an organization and I'm dealing with an incident response, I'll have no logs to deal with. What you're doing...

Mike Gruen:
Right. And I think that brings up... there's having logs, but then also having backups of the logs and offsite... all the rest of it. And I think that leads into another thing that we were talking about, which is, what are some of the common mistakes? There's going to be an incident, there's going to be something. So when that happens, what are you seeing, DJ, is... What do you think are some pretty common mistakes people make? What should you do? What should you not do?

DJ Fuller:
I'd love your opinion as well, Joe, but I think some of the common mistakes that we see, and this a lot of times applies to folks that haven't invested in an incident response retainer, planning, tabletops, they're just not prepared. First off, number one, the communications plan completely breaks down from the start, the wrong information gets out, information gets out that shouldn't, communication isn't right to the board, whatever it may be. I think that's number one. I think you just hit on it, Joe, you did as well, mishandling of evidence. I think a lot of folks say, "We're doing the right thing by shutting this down or making a quick backup," but they're oftentimes inadvertently destroying volatile data. So the important point is that you have someone who knows how to come in and preserve the data right away.

DJ Fuller:
I think number three, and we touched on it with the O 365 and Google Workspace security settings is misconfigured applications for security. The big challenge that we're facing, everything's moving to the cloud. So how do you do incident response in the cloud? And I think logs is a big one, but if you're using all these systems, the important pieces that you have set up the right user level access and enabled that user, whether it be an admin or someone else, with all of the right security settings, because the time to say, "How do we go in and create an admin user and see if we even have logs for the system? Is it when the attacks happen?"

DJ Fuller:
And another thing for folks to know is that when it comes to some of those cloud environments, time is important. Because they'll say, "Okay, well, I'll try to get the access, I'll talk to this, we're triaging all these things." Some systems are set up so that it only keeps seven days. So it's going to overwrite itself and, to Joe's point, now you have no information on the attacker that you would have had had you had that incident response plan in place. And I think that you mentioned it earlier.

DJ Fuller:
And I'd say the fourth thing from a mistake standpoint is not giving a previous red flag maybe the due diligence it deserves; underestimating. Something weird happened, you thought one account was compromised and you said, "Well, we just had them change the password. They should be good." It's unfortunate that we live in this world, but you really have to follow those types of things up with a threat hunt or something else to ensure that that wasn't the breach. And now someone's hanging out for a month. There's been countless cases of very large reportable incidents where it's been traced back that it happened a year prior and they've just been... So I think focusing on those types of things, but more than anything, having an incident response plan and practicing it, and a lot of those things are mitigated.

Mike Gruen:
We talked to a cyber insurance company not that long ago. Their recommendation was, "The first thing you should do is call us." And then we're like, "Maybe, maybe not. Is that the first call, or should I call my service..." I think it's important to make sure that my insurance provider and the company that's actually going to be providing the service, have a relationship so that I'm not bringing in the... so that my cyber insurance company isn't like, "Oh, you brought in somebody we didn't work with."

DJ Fuller:
Right. I have an opinion on that, but Joe, go ahead.

Joseph Carson:
Yeah, no, I agree. It's one of the ones that you have. It's one of those contacts that you have to inform. If you might be a small business, you might not have a retainer ready with an incident response team or somebody who has done... Was it digital forensics? Your insurance company might have those resources. They're providing a full 360 service, they might come in with a legal counsel, they might come in with PR readiness, they might come in with specific expertise that you can leverage. So it really comes down to what relationship you have and what type of insurance that you have. That might be the first if they're providing a full 360 service.

Joseph Carson:
If there's just insurance, you probably want to have other services available ready. You want to have a PR, you want to have legal, you want to have a financial person who can give you understanding about impact analysis, you want to have incident responders incoming to do the evidence gathering. So it really comes down, but you should have something, you should not be doing this looking in the yellow pages of the book to try and find it.

Mike Gruen:
You're saying my first move shouldn't be to DuckDuckGo...

Joseph Carson:
Yeah. Incident response for your first service.

DJ Fuller:
Yeah. The interesting thing is, you're right, the full 360 services, they have it all for you right there. But the majority of the time, this is what we see happening is because someone hasn't bought a huge incident response retainer with a company, they're not going to get priority handling. So something weird is going to happen. And let's say that they... We'll give a couple of scenarios. Let's say they do have an incident response provider, and they don't. They're like, "Wait a second. We have incident response insurance and cyber insurance. Go dig that policy out." You dig the policy out, there's a 1-800 number. "Okay. Call that number."

DJ Fuller:
And it's patching through to the law firm that has been outsourced to determine if there's been an incident. Someone's going to answer the phone, you're going to tell them what you think happened, they're going to say... They're going to collect a bunch of info. The clock starts. The billable hour starts. And in some amount of time, they get back to you to let you know if you have a payable incident. In the meantime, you're like, "We're losing business. Everyone's here. We don't know what's happening."

Joseph Carson:
Clock is ticking, yes.

DJ Fuller:
So then they're going to come back, call it 48 hours or later, and say, "Okay, this is something that we're going to pay for. Here's a list of firms that we work with. Pick one of them." You're going to call... You're going to start down the list, and they're going to say, "We can get to you in a couple of weeks. We're super busy right now. No, by the way, it's going to be very expensive." And now you're dead in the water for a period of time. So that's what we're seeing from the folks who maybe don't have a plan. For the folks that do, the way that we pitch our retainer is we do not go into it with a ton of hours because we understand this isn't a huge focus for the medium-sized businesses.

DJ Fuller:
But typically we go in and we say, "Okay, for this incident response retainer, half of the hours are going to be used by us to help you get to a point administratively where you should be." IR planning is an example. "We'll build your IR plan for you. We'll rehearse your IR plan with you, i.e. tabletop exercise, we'll train your employees. We'll do all the stuff so that when it happens, as it will happen, you've at least gone through it once, and that will make you 80% better."

DJ Fuller:
And then the other half of the incident response retainer has to be kept in reserve for when the phone call comes. And so take the same example. Call the 1-800 number. They're putting you in the holding pattern, and you're waiting. In the meantime, we are on site, virtually, within six hours and we're spending, let's say 40 hours in your environment to at least do a couple of things: one, we're helping you understand what happened. We're preserving the data, we're starting to do the forensics. So then at this point, the law firm comes back and they say, "You have an incident. It'll be paid for. Use one of these 20 firms." You say, "Well, I'm using this firm."

DJ Fuller:
And oftentimes, if they look at a firm like ours or someone, they'll say, "Okay, they know what they're doing. You can use them." Even if they say you can't, we've spent, let's say, 40 hours in your environment. And we're handing over a ton of information to the firm that you're forced to use where you haven't lost time, money, saving you money. It just prevents-

Joseph Carson:
You've prevented it from escalating as well, from getting worse. Yeah, prevented. I completely agree because it reminds me, I remember going back a couple of years to ... situation and here in Europe, of course she's one of the large companies, Merck, who became a significant victim of that. And they hired all the consultants to do recovery. So literally, any other company who became victim, there was no one available. There was no consultants, no services. And if you were lucky to get, you're going to pay probably double what you would have paid if it was basically a single incident. So those are the situations.

Joseph Carson:
And to your point as well, I think it's really important to have a relationship and have some understanding because coming in blind to an environment and not having an understanding of what the business is, where the assets are, what the naming conventions are, what process they have in place, makes your job much more difficult. And you'll probably waste several hours just trying to get some knowledge about, what is the landscape? What am I dealing with here? Whereas if you've had previous relationships you've been in, you understand the business, you understand who the people are, the contacts, the skill sets they have, it makes things go much smoother. The communication's more fluid, you can respond quicker and you don't waste that time trying to just get an idea of the environment. You have some understanding because you've been basically partnering with them along that experience.

Joseph Carson:
So it means you're up to the point where you can really respond much faster, much more efficiently, and quickly move through the steps to where you're already getting past the eradication phase, you've done the containment phase and hopefully within 24 hours, you're already building a recovery plan. If you're not in a recovery plan in 24 hours, you're starting to really impact revenue, business and everything else that comes up the longer that you're down.

Joseph Carson:
So I think that's really important for organizations to consider. And that's why having a retainer, having an organization on hand with the number that you're paying for that basically when you call that you'll have somebody respond within the hour, that you'll have basically somebody available as quickly as possible, rather than waiting... that you get to an organization that is busy because the insurance company might be actually dealing with multiple incidents at the same time. Just because maybe they're a national or state level or global provider, that makes for much more limited resources. So, I think it's really important.

Joseph Carson:
I think organizations do definitely need to have expertise available, especially when they need them. Because for things like ransomware cases, time is the most critical thing that you have. If you don't respond as quickly as possible, then you're going to start actually having more systems getting infected, more data becoming unavailable, then the ransom demand will just get bigger because ransom demands are related to how many systems are actually... What size is your database? How many systems are impacted? Those are the questions they'll have, and that's where they'll go to the little calculator and determine how much Bitcoin you need to pay. And the more that you can prevent that, the quicker you can sever that active attack, the more you're saving the company. And I think that's what's important.

DJ Fuller:
It's not that expensive to have a very... The retainer that we sell, obviously if someone wants to buy a ton of hours, we'll sell it to them, but the retainer we sell is not that expensive for what you're getting for it, actually building your plan and testing it. If you read various reports out there from some of the industry juggernauts, you'll typically find that the two or three biggest mitigating factors to reducing costs in a cyber attack are related to having an incident response plan and testing it. And for a lot of companies, that can translate into a million to a million and a half dollars easily. To your point, just time is important. So, it's so important these days to have it. And most folks within their organizations, especially small-sized and medium-sized, they absolutely don't have the forensics capability in house.

Mike Gruen:
Well, that's what I'm going to say. I think that's another... Even the bigger organizations, I feel like there's no way you can have the staff on... Unless you're dealing with an attack every day, you can't justify the cost of having these people, and if you do, if they do have that expertise but they're not exercising it every day because they have some other job, which is their main job, then when something happens, they're going to be behind, they're going to be knocking off the rust and getting up to speed. And I think it's similar to any number of other things where sometimes you just need that ability to flex up because something has happened, and I just need to reach out and get the right people with the right expertise. I think I would equate it to fighting fire.

Joseph Carson:
Doctors sitting in your house right when you need them.

Mike Gruen:
Right. Exactly. Right. But you always have a plan. I don't know, take a school, for example. They have a plan in the event of a fire. They have fire systems in place, they know what to do, they practice it all the time, and the fire department also shows up. They don't just depend on their internal resources to fight that fire or having gone through this plan or having a fire marshal or whatever, there's all of these things that go into that. And so making sure that you know who to call in the event of an emergency is the important part.

DJ Fuller:
The funny part is, the important part is, that same school probably has a higher probability of getting hit with a cyber attack than a fire.

Mike Gruen:
Oh, absolutely.

Joseph Carson:
Yeah. These days it's probably higher. The likeliness has changed significantly. Absolutely. But I think, Mike, to your point, I agree that what they need to have internally is a coordinator; somebody who is familiar with the process, somebody who can manage and project and plan and make sure that things are running smoothly according to what they've already pre-tested. So they do need to have some type of coordinator internally. But I think their job is just more for the relationship to make sure that the right people are informed. So they might be informing the executive team to what's happening.

Joseph Carson:
I don't believe they need to have permanent incident response in-house, but they need somebody who's familiar. Like in schools or offices, they will have some type of safety officer who is familiar with where things are, where that red button is, or how to make the alarm or when to contact the incident response team. I think they need to have somebody who's ready for that, but-

Mike Gruen:
A school nurse.

Joseph Carson:
... Yeah. Somebody who's going to be honest. Someone who, they can look at something and say, "This is something bad. We should deal with it. We should hit the emergency button and..."

Mike Gruen:
Well, yeah. I think that's another... And I think DJ touched on it earlier, it's that notion of being able to recognize like, "Oh, wait a second. This is just the tip of an iceberg. This is a flag. This isn't like, 'Oh, somebody's password, whatever, we'll change it and move on.'" Someone who can recognize and throw a flag on the play, but like, "No, no, no, no. This is potentially an indicator of a much larger problem. Let's go ahead and look into that."

Joseph Carson:
So these are questions that you would... When you get called in and you respond to an incident and you're dealing with it and you start gathering... you have logs and you're getting visibility, for me, what gets really frustrating is that in many cases, the attackers were not silent. There's so much noise in the logs, servers rebooting, and all of a sudden you're like, "Well, has anyone looked at the logs of why that server was rebooting?" And it was because basically they were actually running scans and downloading as a staging machine, or it was patient zero, but there was so much noise in the logs that they were overlooked. They just thought, "It's nothing. It happens."

Mike Gruen:
It's a self-healing system. Obviously, it detected a problem and just rebooted itself.

DJ Fuller:
...technology. We see it even a little bit more... A lot of times we'll get a phone call for just basic business email compromise, and it could be, "I almost wired the money, I did wire the money," because the attackers are getting good. The ones that we're seeing lately are they're sitting there, they're intercepting invoices. They're doing PDF editing with software these days, they're changing an account number, and people are doing it.

DJ Fuller:
So a lot of times when we first come in and it's like, "Well, have you seen an increase in weird phishing emails or people asking you... weird emails from internal?" And they'll say, "Yeah, we have." That's not even in the logs, that's just right in front of your face every day. So it's so important to... We tell our clients that they can use their incident response retainer for threat hunting after maybe a BEC attack. We don't really care. We just want them to be safe.

Joseph Carson:
Because to your point, that could be so many. Because I always think it's important to make sure you... even the smallest things could be the indicator of massive attacks forthcoming. And sometimes it's also misdirection as well. You'll find that if you're getting somebody poking a hole or doing some type of phishing or information gathering in order to get details, it might be because they're actually planning something bigger to go through another door that you're not physically observing. So I think it's really important that we do have... And I will say, one of my priorities is to try and be unpredictable as well. The more unpredictable you are and the more random things you can do from a security perspective, the more you can bring that noise and bring that visibility to the surface.

Joseph Carson:
Threat hunting is something that shouldn't be planned, it should be basically done ad hoc when you need to. You've got a gut feeling sometimes that we need to just go and take a look, let's do it now. Let's not spend six months talking about it. Let's just do it, and let's see what we find. That randomization and misdirection can sometimes really bring a lot of things to the surface that you wouldn't typically get just from normal day-to-day operations.

DJ Fuller:
My biggest piece of advice I can give is multi-factor authentication. We tell some folks, "You could tell when you're talking on the phone with some of the clients," and I'm like, "Here's a free one, MFA. We won't even charge you for that." It's like you tell them, "If you don't have..." And I know it's hard for some folks that don't want to accept that, it's not fun that every time your IP address changes or you're on a new Wi-Fi network, you're going to get MFA'd from your phone, four places on your Mac, but it's like driving down the street in your car without a seatbelt on. It's...

Mike Gruen:
For me, the more frustrating thing is all of the services that we use that either don't support MFA or don't support SSO so that we can have it go back to the system that we use MFA with. We have MFA set up and yet there's these systems that we were forced to use because for business reasons we've chosen, "This is the best provider of the service. Their security is subpar in some way." And that's, for me, one of the more frustrating parts is, "That's great. We've configured this and it's going to use SSO and it's going to enforce MFA because what we're using for SSO uses MFA and this could be great." And then it turns out there's no way to turn off the username and password authentication. Our end users still can use username and password rather than using the SSO. There's no way to just restrict it to SSO. Things like that are frustrating.

Joseph Carson:
Yeah, absolutely. In that case, one of the things is that you have two decisions: you either go with a privileged access solution and actually filter everything through that way. So then before you even get into the system, you're managing the security controls beforehand. Or the second point is that, "Sorry, then that has to be on a segregated part of the system. You can't integrate it because that ends up being basically a pivot or lateral move if you use the same credentials." So you have to make a choice, you have to decide that you're going to accept the risk that you're exposing or you'll take additional security controls to make sure that you're actually minimizing that risk.

Joseph Carson:
And that's all, it's a business decision, but they have to understand, we have to be the translators for the business to help them say, "If you do this and you continue having a system that is basically using weak credentials, no additional security controls, and we're using our same Active Directory to access the system as other systems, then we're going to have basically... we are a security incident waiting to happen. So we better go and have our incident response team on hand and we better have it in place because we're going to need to use it." So you have to create that balance and you have to create that expectation. So I think that's really important, especially when you're looking at those legacy systems.

Mike Gruen:
Yeah. It's not even legacy systems, it's these new SaaS systems they're... Right. We're taking actually a lot of active steps to change things around on how some of those work. And then also access, just the bubble of access. They just don't have the roles with fine-grained enough controls. It's like, "Well, I need this person to be able to do X," but it turns out, "Well, only admins can do that." It's like, "I don't want to give this person access." That's another...

Joseph Carson:
That's what privileged access allows you to do, is say, "This button here, I don't need to give them admin access, but this button, when they push it, I'll actually elevate it on demand in the background." They don't have that full bonus scope. You'll deal with those elevations when they need to. So that's what you're able to achieve. So you can still have centered account-based in a much more granular way. But DJ, it's been fantastic talking to you. It's really given me a lot of insights and understanding.

Joseph Carson:
And I agree with the purple teaming, I think that's for organizations, I think it really thinks about, not just about penetration testing and red teaming, but also by getting into defense, making sure you take steps to actually put the right controls in place to really mitigate and to help organizations progress to maturity, to make it more difficult for attackers to be successful. So it's been fantastic having you on the show. Are there any final thoughts you would like to share with the audience? I think definitely multifactor authentication, we're giving some free consulting here on the podcast these days. Is that what we're doing?

DJ Fuller:
No, it's been great having this conversation. I just want to let people know no one's safe. I don't say that as a scare tactic, but a lot of companies just think that they're not sexy enough to get hit. And there's just so many things that can be done from a, not a huge budget, a huge cost standpoint, that can just exponentially increase what we oftentimes tell clients is their low hanging fruit.

DJ Fuller:
Our goal right now in this defensive nature of what we're trying to mature clients to is just pull your fruit higher than your peers and the passer-by/attacker is going to look at you and say, "Why would I spend two hours trying to get into your network when I can spend 10 minutes on the 10 beside you?" So I think that's the biggest thing, is even if you don't have a big budget, do something to make yourself a little bit more secure to give that attacker a brief hesitation on how long it's going to take them to look at you.

Mike Gruen:
The bike lock approach, right?

Joseph Carson:
Oh, yeah.

Mike Gruen:
Which bike is going to get stolen?

Joseph Carson:
Yeah. I've used the same. Back when I lived in Belfast and you went to park your car, you'd always park your car next to a nicer car that had less security because you knew the thieves were going to go after that one first. And that was my methodology, always make sure that when you were choosing your parking, you chose it wisely.

Mike Gruen:
I always parked next to the Honda Accord.

DJ Fuller:
Yeah. We say in Montana, you don't have to outrun the bear, right?

Joseph Carson:
Exactly. You just need to be faster than your friends.

DJ Fuller:
Yeah. But no, happy to have any conversations that ever come up. And it was a lot of fun.

Joseph Carson:
How can people contact you or get further information? I guess we'll also provide your contact details in the show notes, but-

DJ Fuller:
Yeah. It's pathfynder.io. Pathfynder with a Y instead of an I. We have an info@, or you can reach out directly to me, it's just dj@pathfynder.io. Conversations are free. We're happy to have them all day. We're a like-minded group of former folks that served in the government. So we just want our companies and our country to be safe and be doing something, even if it has no economic value to our company.

Joseph Carson:
Yeah. We're all defenders at heart. We want to make sure resiliency in defending. We'll even, for me, it's a passion to make sure that... Basically, we make the internet a safer place.

DJ Fuller:
Right.

Joseph Carson:
That was fantastic, DJ, having you on the show. Mike, always great having your intellectual conversation with you all the time. It's fantastic. And hopefully the audience has really found this interesting and really enlightening. And definitely, don't wait. Make sure that if you don't have an incident response plan or you don't have a service provider that is able to provide those, make sure you get up and start looking because everyone's a target, everyone at some point is going to become a victim, and it really determines how you can respond and how you're going to recover and how resilient you are to attacks really determines how well your business survives and how quickly you can get back to serving your customers and your employees and everyone else. So make sure that you have something planned, in place, tested and ready, because that really makes sure that you can be more resilient to attacks. So it's a pleasure, stay safe and tune in every two weeks for 401 Access Denied and look forward to future podcasts and talking with you further. Thank you.