Skip to content
 
Episode 28

Digital Forensics and Incident Response with Ondrej Krehel of LIFARS

EPISODE SUMMARY

CEO and Founder of LIFARS, Ondrej Krehel, joins us to discuss Ransomware Mitigation, Cyber Resiliency, Incident Response, and Digital Forensics. How can individuals, organizations, and nations be resilient against cyber threats? We hear from the experts in today's episode.

Subscribe or listen now:  Apple Podcasts   Spotify   iHeartRadio

mike-gruen-150x150
Mike Gruen

Mike is the Cybrary VP of Engineering / CISO. He manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture.


Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. We're really excited to be here again and we've got another fantastic guest and fun topic for you to enjoy today, and hopefully get... We always want to entertain you, but also to educate you, and that's really the goal of the podcast itself. So my name is Joseph Carson, Chief Security Scientist at Thycotic, and I am really excited to again be with my co-host here, Mike. You want to kick it off and give us a little bit of an update and what we're going to be talking about.

Mike Gruen:
Yeah. Mike Gruen, VP of engineering and CISO here at Cybrary. And yeah, we're going to be talking about cyber offensive with Ondrej. Why don't you go ahead and introduce yourself and tell us a little bit about you?

Ondrej Krehel:
Joe and Mike, it's a pleasure to have me here on the call. And Joe, the relationship with us for years, so... To be here. I run the Digital Forensics Unit at LIFARS. I'm also one of the founders of the company, and we focus primarily on digital forensics and incident response, forensic investigations. We have a unit that performs offensive tactical services of the right team and more human-skilled penetration tasks. We have advisory unit. We also conduct, managed services more in almost like a cyber 911 ambulance type of ... level three and up. And we also have R&D. So we develop our own tools. For example, look us on GitHub, we have tools or welfare and the best ... stay in the memory of the computer.

Joseph Carson:
Fantastic. And just Krehel, you're based in New York, but where would you... Your operations and activities, who would you provide services to? Is it in the US specifically or is it globally? Or where would you-

Ondrej Krehel:
It's globally but most of our clients, because we are in New York are in North America. We have some clients in Europe. Some of our clients are of course international. We got offices in Europe and India, because they have the support 24 seven on Cyber 911 is 24, 7.

Joseph Carson:
Fantastic. So one is there's two responses, one thing it's but responding quickly, and gathering evidence and really making sure to understand about how the attackers got in. What would you recommend, when somebody hits a button and they have an incident? What would you recommend? Where would you start? What's the first things? What's the most important things for a victim in order to to prepare, and start thinking about, what do they deal with when they're in the middle of an incident?

Ondrej Krehel:
Joe, I always recommend a step zero. Step zero is you call your recruiter last them got the job, right? ...And you also do the teaching and get a glass of water. Look most of us have been this for 10, 20 years, right? And you see what happens? Reality is today, a cyber attack can be as bad as a cyber forensic. You can't ...and predict how you're going to get sick tomorrow. Of course, all of us believe that you will get sick ...you need a doctor at some point. So became one of my students. Life is a breach. That's the ecosystem you live. You like it or don't like it, cyber warfare applies to you at everywhere.

Ondrej Krehel:
If you join... don't have a $500,000 data, we'll be happy to send you a check. But if you do, great news for you, you are a target. If you look at three common targets are nation state, cyber extortion, and business no compromise applies today to everyone. So wherever you really start I mean, you really truly have to start with understanding, "Why am I a target?"

Joseph Carson:
Yeah, understanding about what your risks are? What is your exposure? What's the value that you have? I think that's really, I was, say the organizations. Sometimes look at yourself from the mindset of a hacker, and really look at it from the outside in, because that will really identify the risks and exposures you might have. So it's really critical to make sure that you understand about that it's absolutely, everyone is a target, everyone can be a victim. In most cases, we always have to assume that we're already breached. And it's really important to be looking for it. This is really critical to make sure that you're always looking, you're always... It always reminds me. I remember it was a quite a few years ago, it was one thing that always reminded me, and it's one thing you just mentioned about being unpredictable.

Joseph Carson:
I remember we were doing a major OS upgrade, thousands of operating systems are going to be... I think it was XP to... I mean Windows 8 to Windows 10 as a major upgrade. And ultimately what happened was that we had planned everything with the ... all of the images, all the tasks deployment, the system are all ready. And then all of a sudden we've done the testing, we've done the preparation, and we're now about to deploy the updates. And all of a sudden we're thinking about, "Oh, let's just go and take a look, let's we hit the go deploy button." And then we'd say, "Let's take a step back, let's do something, let's go and double check everything, we just didn't."

Joseph Carson:
Something in our gut said, "Don't hit the button yet." And we went and we checked. And what actually happened was, it was actually already compromised. An attacker gained access, and we are actually about to deploy a basically piece of malicious software through our update. And ultimately, they've been watching, they've been understanding about what our projects were, what the plans were. And they've been hiding themselves. And it was basically our unpredictable moment where they didn't realize that we were going to go and do that final check, which wasn't in the schedule, it wasn't planned.

Joseph Carson:
And it was really for me, it was like, that being unpredictable sometimes is one of your best capabilities, is that it always if you can catch attackers by surprise, then is the best way at some point in times to detect them, to find them on the networks. So unpredictable for me is definitely one of the things that all organizations should put into practice. It should be something we should do, is be unpredictable, because it makes it harder for attackers to stay hidden.

Joseph Carson:
It will force them sometimes to make mistakes and be uncovered. So Ondrej, how would you recommend organizations to go on? What should they be looking for networks to try and find or to be unpredictable, or to find attackers? Looking at the networks, what indicators or what things should you be trying to check for?

Ondrej Krehel:
Joe, a real life how you put the unpredictable into some systematic approach, because looking back to my life, I was just unpredictable, I've made a lot of...

Joseph Carson:
Sometimes.

Ondrej Krehel:
But it's truly doing something outside of the norm, and outside of normal implementation. I had a very similar scenario where a company deploying very expensive seven digits area solution from a provider, and I'm not ... provider because it's not important. And that solution was breached. The main reason why it was breached is because they put predictable implementation solution and a trade after literally just followed the manual, how the air gutter is going to be connected and disconnected, and what they need to do. And they asked us, "What would make a difference?" And we said, exactly.

Ondrej Krehel:
If you've done something outside of the box that you could not read from manuals, could not find in your documentation, could not do, not deal with and only you know all, and it's basically let's say, a third party system that you integrate to API is documented on the identity management side, but not in a backup solution. It's only reference and the identity group, actually calls all the documentation ... group and your large organization that's read after that significant challenge to do that.

Ondrej Krehel:
So I would say the same page, you have to have a corporate disability, you have to create a corporate in disability, almost you can appear at any point at any point of time. And yes, we pull the thread ... we call whatever regular form of audit, but create a snapshot. If you look at the plane industry, plane industry or airline industry created really good ... complaints. Why? Because they do research. And we just don't do that in the cyber security. We don't throw, we don't question. Everyone is busy. Whenever we come to organization, we ask them, "What do you do on a daily basis?"

Ondrej Krehel:
So you understand, I have four products and I became IT help desk. IT information security help desk for this product, because all what my executive management is doing is convincing me that all these tools are going save me, right? And it's in a specialized in the military, we don't believe the gun is going to save me. We believe they're using the gun with the ability to use a sniper gun is the path, because everyone can buy a sniper gun but not anyone can shoot two miles until the target. It's a skill set. I'm not saying to that extreme, but also don't be naive that having the dynamics of a sniper, no it doesn't, right?

Ondrej Krehel:
And it will be seen as almost like a ninja warrior approach that when you walk into organization that you don't understand. We've got everything on the planet, look at my budget. Two years later, we've got some small problems here. We're going to need ... what happened, right? So dealing with something that you can't expect, and yes the hacking has maybe low probability, interesting, 46%. Very low, sure. But instead, when it happens, right? You either going to be digitally naked, with all executives on the internet, or you're going be digitally dead. And as one of the generals corporals from the Russian security unit, which is Cyber Intelligence Unit that expose the most.

Ondrej Krehel:
Basically it says, "Look, our number goal is make look Americans stupid, and digital die." And you know what is the beauty? When you kill person by blood, they are in the graveyard, digitally, I can make that four times a year to be very painful. And I can repeat that every year.

Joseph Carson:
Yeah. And that's what's happening. It's literally is that, basically with the different cyber attacks and it's been going on for a long time. It's becoming, I guess, the media is picking it up more, you're getting more visibility into it, they're becoming more catastrophic, more impactful. So it's clear that you're absolutely right, is that basically those attacks, it's exposing multiple times, it's repeating. I've seen companies that not just become the victim of ransomware, one time, but multiple times.

Joseph Carson:
And it's continuous. And if they don't learn from the lessons and the mistakes, and what's been done in the past, and they don't make fundamental changes, they're not going to stop it in the future. So I think this is something that we had to really address and it really gets into really around, one is the resiliency side of things, how to become more resilient. So for me, your perspective into what can we do to deter? What's the deterrent for those types of scenarios? What would be the resiliency, what would you recommend?

Ondrej Krehel:
I would say it's a very systematic approach in science if you need to check, right? It's not like one thing's going save you, right? When you look at, for example, that ransomware attack, isolation routine, don't allow lateral movement, right? Because look at my computer ... connected where I am, my computer is compromised, we have to assume at some point, something is going to happen with computer. It's just the reality. Virus that you're going to get a call or cancer, whatever pandemic is going to get, you're going to be exposed to it, are these to the right computer to ready to deal with it? Maybe they are, maybe there's going to fail, maybe the person is going to ... maybe some visibility.

Ondrej Krehel:
So some visibility is in the right, because you don't feel well, right? So you do have some visibility, you might just not understand what that is. So you still have to question. So very important in the cyber resilience is that how much truly you can create a systematic approach that isolates, create a Zero Trust, does some type of monitoring, does give you some level, does give you these warnings, these Oracles right now. It's Cassandras around the world and they might not have all the answer ... already marketing schools, but you have to figure out the point where you start you start believing that the artificial intelligence and robots ... learns consolidating for us.

Ondrej Krehel:
What you see actually it's happening is, the trade after a nation state. There is you're now starting in the mitre framework, isolated executions. Every time they do it, such as only one thing they execute. One thing that is okay. Okay I'm executing this cover Sheldon Beebe, ...Jack, standard libraries and library downloads, right? And these are the 10 things that will happen now in a kill chain. Another EDR product, all these things 40%. Then you put them chained together as a kill chain. You just got killed. Actually there's no product right now. That's going to do this point, right?

Ondrej Krehel:
So let's get personal before is that true that also going to spend the day ... almost like every inspection on the chain for you too. And they schedule this in a way that your EDR solution or whatever, you have a method, but you still have a 40%. And if someone looking at his dashboard and sees those 40%, and at the end is decent ... guys. This is interesting, right? You still need that human talent to actually pull that... Cyber Resiliency approach. So having almost verticals in every, like a building security, And I think you've done very well, building security, same approach in the cyber where don't put a lot of money in one basket, but you have to diversify. And you always have to assume that, "Look, Joe, I like you, you're a really trustworthy guy, but you have no access nor the content." Okay? You're going to be requesting access tomorrow.

Ondrej Krehel:
I only work like that. I mean, honestly this is like a punishment to me. So no, because if someone hacks your computer, and you have to assume someone's going to hack your computer, right? You have to ask for access. And you know what, you have to take that form, and you have to get authentication talking to the data repository is not going to be mapped to your computer anymore, because when you get ransomware, right? It's going encrypt ... You don't understand, I'm like, "You have a good cyber hygiene on what my cyber is three times a day." it doesn't matter. None of these excuses do matter, because we go outside, and you still get cold. We go outside and we still get sick, right?

Ondrej Krehel:
So being cybersec, should not be a way of us defending ourselves, or take it personal. It was 10 years ago, it would tell me already that hack, I will take it personal. I had to deal with my own issues, not to take personally that I've done everything I could and I get hacked. I wake up early in the morning, and I'm thinking, "Is Joe and Mike in my computer? Who is in my computer?" And that's my first 10, 50 minutes, almost like you wake up in the morning and you're asking yourself, "Am I going to die today? or what would it be that I die today, my meditation moment when I go and run, run in a park." And I think good learning lesson here is what happened in cyber extortion ransomware. Around 10 years ago, the few groups declare that they are going to go after the cyber insurance broker's data.

Ondrej Krehel:
I know we really believe these, that people say, "Oh, this is nonsense. Why does it make sense?" And look, if there's someone who's a cyber criminal? You think they're really that stupid? They do all that cyber crime. They don't get arrested. That that's silly. It makes perfect sense. Why don't you get a list from a competitive broker who is creating competitive analysis, the accounts he wants to get from another broker, with the cyber insurance limits, and also premiums, imagine that list, enhance that this broker, your competitor has the accounts you want to go after.

Ondrej Krehel:
Come on everyone in technology business is done, and we work for tech company looking at our competitors, try to get a competitor list. Okay, it's the game we played for years. And now we have groups openly admit it. We don't even have companies who have no insurance. Why? Because why would I be hacking someone who can't pay? How ... right? So I think what we learn also in a Cyber Resiliency is try to limit footprint of sharing what your enterprise risk strategies actually are. And if the enterprise strategy for some companies only by cyber insurance, you're really done. Your game is over.

Joseph Carson:
Because you're putting your value out there.

Ondrej Krehel:
... record, there's going to be disclosed to trade actors who are, by the way, quite sophisticated. And if you look also the recent momentum filmed and posted that, "Elon Musk, thank you for bumping our earnings five times. We are in the hiring mode, do you want to join us?" Actually asking Elon Musk to join them. Criminal race marines, because from 10 million now we have 50. Imagine 40 million to hire people. Now the reason, right? That's a pretty good chunk of money of revenue, right? So I have high power right now in the rental market.

Ondrej Krehel:
So how do you deal with that momentum? And the answer is truly systematic approach, Zero Trust. Look at all the components that you hire, try to figure out how you're going to gain visibility on the endpoint, on the network, on your perimeter. If your perimeter is dead, put things in a cloud. Like for example, one of our strategies is work heavily in the Microsoft Cloud, because they do much better security as this a small company can do, and then lock everything, right? Meaning that I'm here on my network, I connect my computer, I only had access to the Microsoft cloud and no one's else computer maybe few printers, okay?

Ondrej Krehel:
I'm isolated. My computer is lonely in office, doesn't talk to anyone, ... movement can't do Microsoft Cloud. And you can go to Microsoft cloud and someone encrypts the data, right? We just reverted. If you take the data out of law, you have to compromise my account, because most of the data has IRL, like a digital rights management, like a music. You ... up some takes the file is gone, right? So sure, they can take a snapshot while they're on my computer, or they can clear screenshots and take some data probably from my email, because that's some of the stuff but reality is that these layers are very important.

Joseph Carson:
It makes it more difficult. It forces the attackers to take more risks. That's ultimately what we're trying to achieve, is make them take more risks, so they create more noise and become more visible. And I absolutely agree. I mean, for me, one of the clear messages that I find is important is the principle of this privilege. It's so fundamental is that you should start with zero. And you have to build up basically your verification, your trust, your access, and it should basically only for the things that you need at that moment in times to be time based. And I love that what you're mentioning is that, you tried to keep your connections as much as limited as possible.

Joseph Carson:
So even for myself, when I go to anywhere in public, I basically tell them, if even anytime connect to public Wi-Fi. It's always either through my own VPN connection, my mobile hotspot. I limit all the connectivity that I do, I even get into the point where I systematically have boot into my disk rotation, I see backups of the disks. So I've got online backup. And then at some point in time, usually in a month or every three months, I rotate the disks. That disk goes into basically an archive, and won't com out until I ever need it.

Joseph Carson:
So fundamentally, I've always got a point in time where I can go back to, what was got data. So for me, I think what I try to do is I look at, yes, sometimes I might become a victim of ransomware. It's fundamentally possible, but I want to do everything I possibly can to limit the ability that they have to get all the data because not all my drives are concurrently connected all the time. And also that if you ever do encrypted data, that I've got a disk, I can just pull out of the store, plug it back in and be up and running, and not have to become thinking even about paying it, which I would definitely never pay it.

Joseph Carson:
And I'm seeing people, I get calls all the time. Ondrej, you're probably the same as you hear from victims quite regularly. And I basically was talking to a person just a few weeks ago, who became the victim of ransomware, and had lost 30 years of their digital life. 30 years, and the attackers basically gained access. It was the week before enabled remote desktop up on his machine. One week before, and only took a week from again access to his desktop. And then also his NAS device, and all his data encrypted, gone over 30 years. Just look at that. And they're thinking about paying, they start considering about new worlds, it's my life, it's all the kids and families in history pictures.

Joseph Carson:
So what you end up doing is that we have to educate, and we have to make sure that those types of actions don't happen. I've seen businesses as well, not just individuals that happen. I've seen businesses lose a year of data, where ultimately they've lost one year of value, because fortunately enough, when they did a migration, that migration forced a backup. And the backup was from an older version of software, which had the data, but they lost the cumulative data for entire year of their business. And of course, then they had to go, they spent probably a month or so going through the paper, and then having...

Joseph Carson:
They had paper receipts and paper documentation, paper notes that they had to go and recreate that again. So the victims that are real, I don't know, Ondrej, what type of victims that you. You've seeing organizations regularly becoming victims, whether being nation state type of attacks, or whether it being business email compromised, or somebody's transferred money and hopefully the bank can stop it depending on what type of transaction it is. And also ransomware victims, for me that those seem to be the most common areas. You sometimes get the data theft, but the competitive one that you mentioned. Which instance you see the most often and which ones are the most impactful?

Ondrej Krehel:
So we can play the role on midsize market vertical or a company of 100 million to 20 billion in revenue. But ideally we'll have a good relationship with the Mandaeans ... some of our big shops, basically definitely like a lot of the nation's babies... and some maybe not at the same level as they see. But in mi-size business, I'd say we have a really healthy chunk in our emergency et cetera and ... and some of them are more targeted. Let's say healthcare is more targeted because of in the US Medicaid data to be abused for ordering pills through various automated services.

Ondrej Krehel:
So medical records are really good way to go. ... someone is really on narcotics, and wants to get what really good approved FDA, narcotics, right? Instead of sweet, whatever drops, I mean, this is the way to go. And we need that FDA approved standard really high in this space, right? Into the cloud, real cloud with these people. So I can see how that case has meanwhile ... medicating ... $4 billion for a year...

Joseph Carson:
That's a lot.

Ondrej Krehel:
... In a state of New York. That's I would say, it's probably what we haven't even close to 30%, 1%, literally healthcare, and going after healthcare data, try to monetize the data, try to monetize ... Financial, yes, primarily, I don't think the last two years we have needed to be companies, we did not have a great chance. And I think was just honest error on a trade offers to, the higher incidence and don't need to mess up from time to time, right? So they misplaced the company, the company equals XYZ, and there's also XYZ Incorporated. So XYZ is more or less incorporated as real target.

Ondrej Krehel:
I know sometimes, you're starting in the wrong stuff, right? So it happens to all of us. Sometimes we straight up have the wrong companies that are the company they really wanted to have. We've seen some of those instances, though. But primarily, it's really at that point, it's not a vertical. It's not who they are, it's a mid-size business they think they can get in through web vulnerabilities. Some spear phishing, or lately we've seen the spear phishing be more of a decoy for branded companies, meaning that it comes towards a ... vulnerability but it's still rough you spear phishing campaigns that people click on, and they put company ... was a large data center ... December.

Ondrej Krehel:
It was very famous for any firm out of Chicago and work on it, it puts them in rabbit holes in the wrong direction for almost a month. But they realized the problem was somewhere else. So even ... be careful. They know how to play the tricks right now. And the more ... create this rabbit hole forensic thumbs, and let's say you have a domain controller right now, and it touch the domain controller four or five different ways. It didn't compromise corporate admin credentials the same way. And now ... it used to be one system that made a lot of room and ... made a lot of movement.

Ondrej Krehel:
Of course, they did. It's probably two or three of them, there are more... than the other, but now they had one is called six, all right? So actually destroys on down on the forensic investigation with those victims. Mid-size is really the target portrayed actors, because the insurance premiums are healthy, we have highest range from last year to 35 or $45 million in that vertical. So it's pretty good when insurance pays 35 million for you. And I will say it's almost seven figures very quickly. And that's what you saw the escalation to seven figures really happen because the money is there to pay.

Ondrej Krehel:
... right now can be a problem, right? The hope of licensing in US and paying the ransomware rings can be an issue. But I wasn't sure, you'd look at the large rooms, nation states not continuing, right? So sure that's fair. But the meter is going to get smarter, more and more, just because there's not enough international cooperation, federal law enforcement is hard to do internationally. And that it makes sense America has a really healthy data right now, and really healthy money to pay.

Joseph Carson:
Yep. I've seen a lot from Europe doing a lot of work and take downs of the botnets. And a lot of the some of the ransomware gangs, so there's a lot of work going on continuously, but it gets into the main focus, is that some of the bigger, larger multinational that's a criminal organization. So and very rarely, it's not consistent. There's so many gangs out there. That's probably one in 500 you ever get seen taken down. It's a really kind of small number compared to what's happening. One of the questions I've got for you, Ondrej as well as that, when you get into from... I've seen some challenges into when it gets into digital evidence gathering.

Joseph Carson:
So it for me, it's always like challenging area. And I've seen cases where I remember it goes back to quite a few years ago now, and it was that when we got a warrant in order to go and collect computer systems from a internet cafe, right? So there's a warrant about that. And the problem is that from basically when you send that warrant, it's local law enforcement goes in and basically does the warrant, collects the computer equipment. However, they basically collected just computers. And it was a misunderstanding that it should have also included network devices and switches and anything else and there was an internet cafe. So they also had games consoles like, PlayStations and stuff.

Joseph Carson:
And they only went in and collected basically just computers, because it was a misunderstanding of what was technical equipment. Do you find? I don't really care if this was in a specific country where the legal and warrants had not been modernized yet. Is that improving? Are you seeing barbaration between, let's say, Digital Forensics, and local law enforcement being able to collect evidence and gathering it without contaminating it? How improved is that today?

Ondrej Krehel:
I think that and no, I don't want to say I'm a radical here. That's the way I see it, becoming with is regulations like GDPR, CCPA assumptions, right for companies. But we are not covering an improvement to help data collections and cyber crime starting, but higher penalties, easier process of interviews, which we are completely opposite, right? Look, I also have local devices, but look what's really happening here. This ... event will decide if you can decrypt the device or not, right?

Ondrej Krehel:
Now there is Oracle right now, NYPD has a three rooms of Apple iPhones and Apple equipment from childhood of all cases. One that tells you, your child pedophile use the devices that no one can get even into it. So it's nothing like how do you collect from something that you don't have access anymore, and the person is going to be put a gun to his head says, "I don't know." And he doesn't have a fingerprint, he has a pin or something else and he's not going to cooperate, period. I mean, he knows that unless you find some other evidence, you're not going to get it, and you're not going to get it from the Apple. You're not going to get it from any other way, right?

Ondrej Krehel:
You're not going to get into his account. And you're pretty much done, right? So you pretty much done, because he's not backing up in the cloud. So Apple service, a subpoena to Apple isn't going to work. He has everything on his device that's secure and unless you buy this exploit for $1 million for every iPhone, you have in his back and police station, you pretty much cooked at that point of time. And that's what I see. I see that criminals heavy rely on that, number one, there are only few governments who are aggressive in prosecution. Look at APT 10, respectful. Only United States or subpoena.

Ondrej Krehel:
Most of the European countries, Asian countries held in slaughter by APT 10. It was first really eye opener in a supply chain type of that. But MSP providers 11 years ago got all hat across the room, okay? 3000, warriors, whatever was on this mission. That was much bigger than four ... How many countries really wanted to serve subpoena to other nations. So this one big nations in ... sorry, in Asia, right? Now, it's like this force is where you have the powers after the World War II, and they said, "We're going to do the right thing." Those battles are gone. You might have one evil country was serving Department of Justice subpoenas. In other countries, in other civilized Western world will not contribute. Because they don't want to create any enemies. There's some trade issues, right? But first, let's be honest to all each other and says, "Okay, I'm a small country, but I'm going to serve subpoena too. This is not right."

Joseph Carson:
I agree. The only way forward... I was really happy at the recent White House statement regarding the new cyber funding that they came up with. I was really happy because it was for me, there was actually the language in there about basically the funding, was that the need for cooperation and transparency and collaboration. And that for me was actually positive, because what I find is that in this environment, we're always dealing cyber crime. I don't know how much you're finding cyber crime being cross border, I find it not a lot of it.

Ondrej Krehel:
Most it.

Joseph Carson:
It's most basically, probably 90% plus is cross border, meaning that you're not having to deal with international legal frameworks. And then you get into jurisdictions and legal and difference and so forth. And I find that the only way we can really treat this as a basically a collaborative, as working together multiple countries, working to make sure that there's fewer places to provide safe havens for cyber criminals. The more we work together, the more we collaborate, the more we are transparent, the more we hold certain countries accountable for providing safe havens for criminals, then that's the only way we can actually make some movement forward. Because if we're working individually as single countries trying to deal with it as a single country, it's not going to be possible.

Joseph Carson:
It's a fundamentally, it's a no go direction. No single country today can win a cyber war. And it means that we must act as a collection. So I was really happy with the statements, the reinforcement that the US now will work as a collective as together cooperation. I think that's a key message. So I agree to your point is that, that absolutely, we have to start holding accountable, accountable, a country's accountable for the crimes that they do, or the crimes that their citizens are conducting from within their borders. There has to be some element ability to do action, whether it being sanctions, which has been the most common method, but I think we must go further.

Joseph Carson:
I think it must really get into stepping up and really doing something more actionable to really, because otherwise, we're going to continue seeing ransomware, we're going to see it increase, we're going to see more companies become victims, because the more supply chain attacks, we're going to be seeing more nation states starting to, let's say, shame or embarrass countries from doing cyber attacks. I think that's going to continue unless there's some type of global cooperation working together moving forward.

Ondrej Krehel:
The legal framework has to be dealt with supported like, not everyone has to get on board and, "Yes, I'm going to prosecute this. I'm going to go forward. I'm going to make..." Look, I came from Czechoslovakia, we don't even have... Our court does not accept electronic evidence. PSI electronic... is the primary evidence. Okay. But how do you deal with it? The countries wherever I came from, that you can always like, there's a joke, the guy goes to Bronx Zoo, from former Czechoslovakia, and watching giraffe all day, giraffe, right? And get the beer and vodka and get watching giraffe, goes to beer market completely drunk at the end of the day, completely drunk.

Ondrej Krehel:
Two security guards are trolling guy out of the Bronx Zoo, he turns to them and says, "And you know, guys, that giraffe doesn't exist." Right, that's a monster you dealing with. You're watching all day long, you are getting into ... but at the day, it doesn't exist, okay? So how would you convince these countries and nations that, "Yeah, it does exist. Is real." If you reinforce legal framework, like what do you mean? Like you can't prosecute people stealing intellectual property, that's a minor offense in your country, people really taking a code, Here in the US, you can get 15 years? And what are you're telling me in your country gets a penalty of €5,000. And tells, "Can you please not do that again." It's not nice.

Joseph Carson:
Yeah, it's a warning, it's a slap in the wrist. Here in Estonia, that was one of the... When I came to Estonia 2002 almost, it was a long time ago. That ultimately, it was a realization for me, Estonia realized that actually back in 2001 ... set out it's called, to become a digital society, digital nation was that paper had to be equal to digital. So your digital signature, everything you do in a digital world is actually accountable. It's actually, it can be classified equal to that on paper. I think the only thing you can't do online here in Estonia is getting married or divorced. The only two things you can't do, everything else you can do digitally.

Ondrej Krehel:
...doesn't accept... doesn't exist.

Joseph Carson:
It's a way that we have to do, that's the the future. So countries that want to, let's say innovate and become much more of a digital nation, that's the only way forward.

Ondrej Krehel:
And I have ... If you're a prime minister, and you sign a contract, and it has your signature, now it's classified because your signature is ... How many millions don't miss a meeting.

Joseph Carson:
Oh, that's so sweet. I mean, Ondrej, is fantastic having you on and it's really, I mean intriguing conversation always. I really always enjoy listen to you talk and some of your insights, you have a huge amount of experience, was fantastic. Mike, any thoughts or anything that you would like to share with the audience? Or what what do you have been taking away from the conversation?

Mike Gruen:
Yeah, no, I mean, yeah, for those that don't remember. I am actually here. Yeah, no, it's been fascinating to listen to, I think we covered a lot of topics, I think a lot of times we sort of get sucked into the very pessimistic negative side of things. This episode, no exclusion to that. And I think there's the what we can do in terms of the International framework. We've talked about that in the past, but I think trying to maybe handle a little bit more on some of the positive side of like, what individuals should be doing or could be doing what small businesses could be doing? Because I think one of the reasons as we were talking about, like why this sort of mid-size market? Why is that so lucrative for cyber criminals? It's because probably, my guess, is that you have the high insurance premiums, and you have, there's all the money there, but not the investment on the cyber security side of things. And so it's there, the ratio of money to be made, versus the ease of the target is much higher than if you start going after more.

Mike Gruen:
What would be a higher value target probably also has much more sophisticated systems, and therefore it's harder and maybe not worth the effort. And you have to be nation state. So thinking about that mid-market and small market and individuals like what would you say are good things that we should be doing on a regular basis to sort of help protect us. So we can sort of maybe end a little bit on a more positive note than that nihilistic, we're all screwed.

Ondrej Krehel:
They won't help us with the hiring model, I think, stop, believe that you are your own cyber mechanic, you are your own cyber terrorist, you are your own cyber doctor. Because ultimately, in IT people believe that we can do ... If you go to, for example, a hospital, none of us wants to do open heart surgery, none of us wants to do open brain surgery. And you realize that these people at hospitals, have been trained to do that. Or lets less ... denial would really help us as a company and ultimately market, is create a hybrid ecosystem, meaning that we do have a partner, for example, my partner is Microsoft. Well, why? Because yes, I believe the Microsoft conducted the trade off, and this is the graph coming into the ... much better than I do.

Ondrej Krehel:
If I need to save infrastructure with my friends. I can go in the same way. And I'm paying the fraction for the money, but that hybrid model right now that I don't host in that internal, and I don't have active directory at all premise. Now doesn't exist. Okay. No active directory on premise, maybe some companies can operate, you have to do the hybrid model, right? So do the hybrid, try to separate the domains when you have in the cloud? When you have here. But truly I would say, don't try to do it on your own, right? Do not. You're not fixing current, don't think the cyber is something you're going to fix.

Ondrej Krehel:
Fine an hybrid ecosystem, and take, when you say you have a limited budget, take the budget and say, "Okay, if I buy this from this partner, and I paid that much money, what kind of security I'm going to get versus I'm going to build everything internally? How much is it going to cost me? What am I really saving? And what is my risk? Okay, so the saving is 20%. But if I'm going to get hacked, oh, I'm done." Okay, so maybe the 20% of the saving is not worth it to go here to a cloud provider, or to call someone who knows what he's doing. And I see a dramatic shift on MSSP side, the companies that used to completely try to manage the SOX internally.

Ondrej Krehel:
Now here, yes, hybrid SOX, what it means that our vendor SOX outside providers, meaning that we have our own sub-team. So we actually use our own sub-team, but if we didn't have it for the clients, we would have to probably do the same. Guess what, because it's a different view is already given different opinion from someone and it's not that expensive anymore to actually do that to get a different opinion. And then also, find someone like Joe, right? Someone who used to be a cyber professional, not a cyber therapist, right? And sign up for a therapy session that's expensive, I'm sure that more expensive are cyber professional consultations ... with your doctor, because you don't always need a therapy versus cyber professional consultation.

Ondrej Krehel:
But sign up for the session twice a year, and go and ask them, "Listen, I've got this network, do you think I'm cyber healthy? What else would you do?" I mean, you've seen it all. You've seen being compromised, your external identity management, your score on a provisioning expert in, less privileged or ... people are really gaining the access. What's happened in your vertical? How is that really working? We don't use to access, for me access what's important, right? Isolation, it's important to monitor that. Then you talk to someone at a network forensics, you talk to someone, right? The same way you seek specialists, let's say four or five specialists in a year. Find those individuals. Trust me, it's not that expensive. That hour and a half, two hours is worth your time. And the way it should be really ran, gets you confidence, th report actually does.

Ondrej Krehel:
The board calls for the season by the specialist to talk them about the issues. And then they say, "This is a quarterly ... selling network visibility, restyling the identity and access management and they want to have legal and compliance the presentation." These three areas, and you guys have been three experts to look on what you're doing, and don't take it personal. Right again, goes back to the personal moment on holding this, don't ask me questions. All right-

Mike Gruen:
I know what I'm doing.

Ondrej Krehel:
I know what I'm doing. I just wanted to come in and audit me and ask me questions, no. No, let's be real, right? Like, everyone has a different level of experience. Bring them in and be open. You have to be open like the same way, many us move in a career because they were open to critique, right? And I always liked the people who actually they are not laughing. They said, "Ondrej, you're greatest and you really suck, man." But this is not good. And I knew these people are honest...

Joseph Carson:
You want the honesty. You want the basically the direct honest feedback. And that's one thing that's great about Estonia, everyone is very ... they will tell you what is on their mind. And I think it's really important. I think that's where definitely leaders surround themselves with people who actually critique and provide continuous feedback. People who they will learn from. They want to make sure that they're continually learning. So Ondrej, absolutely, I completely agree as the hybrid approach, I'd love it, I think, because one of the things for me is that most organizations cannot hire the experts and specialists in all of those areas.

Joseph Carson:
It's impossible to maintain resources for every one of those areas. Well, that being its response, malware, reverse engineering to attribution, to recovery to sock analysts, to looking at log correlations, to doing it then the next you won't be able to find one person does it a little bit. And there'll be difficult to find individuals to maintain all of that-

Mike Gruen:
So other problem is again, if you're trying to... Let's say you were trying to hire all those people, it's not a full time job for all of them all the time that your company gets back to like, it's the same as a software, my background in software engineering, like we've built so much on top of other things, that's what's core to our business, let's make it that in house, and then look to leverage whatever SaaS or third parties or contractors or whatever, for all these other things, and it gets into, we have this great ecosystem, and cybersecurity is a really cooperative space. I'd love it, right? Everybody wants to help everybody. We all recognize that by working together, we're better together. And so I think there's all that opportunity. And yeah, encourage people to reach out, get the right professionals ask for help. Because that's you can't do it all internally, you can't do it yourself.

Ondrej Krehel:
If you look at the military, right? And you look at the countries who are good at this, right? So you have local police station, and let's say you're in New York, we have NYPD so that's a big privilege, because there's not a classical police, has a helicopter, boats, I don't know, submarine, whatever they have, right? So it's a pretty big budget, right? But they're dealing with the different types of criminals, but you go to outside Westchester County or normal police department, they've normal guns, that they should have some automatic rifles in the closet. But then they will federal law enforcement, you have a state law enforcement ran by the DEA offices, and you have the FBI or ... you have a federal mandate over the state, right?

Ondrej Krehel:
We move on level up. On top of that, you also have US Martial Arts, right? So we have multiple layers here. How is ... this restructure, then you have the offensive forces and military and even in the military, you go through right the various ranks the Marines, you've air force, you have a Naval Development Unit Development Groups, and then you get a specialized forces. Now, if someone at that local station thinking that he is a special forces, he's making a big mistake. And I don't think they do-

Joseph Carson:
Absolutely. I love ...

Ondrej Krehel:
In technology, that's exactly what it is. You have a local cyber cop who thinks he's a the special operations cyber cop, okay? And he thinks he covers all of those. And the answer is no, you don't. Because he will never be the sugar cookie, you actually had to drop in an ocean and go into the sand, and then stay with it for a day and be truly in a misery. You actually never experienced all that being swatted at a cyber actually mean. So the hybrid model, even when you see how the specialized unit will deal with, I will say quite complex human and war conflict type of issues. And also society should rise model enforcement to ... submissions, and how they structure. Don't think that you can create all of that at your company. And it's not something you should do. Why do you think Westchester County doesn't have a snipers?

Joseph Carson:
Because they don't to. It's not something that happens so often ...

Mike Gruen:
I'm far from Westchester. I don't know if they had snipers.

Joseph Carson:
But I think I absolutely I love that analogy. I think it's really important. That's why all organizations focus on your business. And for the things that's not your core business, get help, get partners, get experts, get people and relationships with other organizations that can help you fill those roles and needs. Do not try to do it all yourself. And I love Ondrej that the county sheriff thinking they're a specialist and it's something that I think that's where we really have to get the realization. I think all of us who have been in that position that's how we... We have to look for the experts to provide us that need and resources. So I love that Ondrej.

Joseph Carson:
So I think we're coming on the end. So I think it's fantastic Ondrej having on the show. I think this is really exciting and interesting and definitely for the audience is going to be something that they'll probably listen to multiple times. There's so much constant value in here. It's fantastic. Thank you very much for being on. Mike, again, all this is awesome having you with on the co-host. So for the audience it's a pleasure having Ondrej. If you're interested in learning more about digital forensics or its response and Ondrej is expert, so you need a specialist to talk to, definitely reach out to Ondrej.

Joseph Carson:
We'll make sure that Ondrej, we'll get your contacts available to the audience when they need to and how they get in contact and get more information from you. For the audience, it's a pleasure as always. Join us every two weeks for the 401 Access Denied Podcast, stay safe, stay educated, keep learning and we enjoy having you listen to this show. All the best and bye.