Zero Trust World: ThreatLocker Providing an Action Plan for Preventing Attacks
Global crises are fueling cyber crime.
With examples like the Australian insurance company (described below) in mind, ThreatLocker’s Danny Jenkins said he set out to find products to make protection easier for smaller businesses and couldn’t find any.
“And that was one of the reasons that we decided to create ThreatLocker, because we don't believe cybersecurity tools should be for the big, large organizations that have unlimited budget and unlimited resources, but they should be for everybody,” he said.
Jenkins said Zero Trust World attendees should be able to take immediate action after the conference to improve their cybersecurity.
“We can't make everyone perfect,” he said. “We can't make everyone understand everything about the idea of zero trust, the idea of least privilege in three days. But if everyone goes away, hardens something on their system and stops one cyberattack, then that's success for us. When we created Zero Trust World in 2021, our goal was to make this not another conference where you walk around some booths, you see some sessions that don't really mean anything and talk a lot of theory, but to make them actually educational, how to harden your environment, how to harden servers, what you should be doing.”
Jenkins provided a tip for everyone who uses either a remote monitoring and management (RMM) or software deployment tool.
“Now those tools inherently are dangerous, but they also provide real value to the IT department,” he said. “And it's very hard to control what they do sometimes. Here’s a simple tip: Configure the service, whether it's Automate or Kaseya, or Ninja or SCCM, to delay starting Windows. What does that mean to you from a productivity point of view? It means when the machine reboots, you have to wait an extra 60 seconds to be able to connect to the machine. But what does it mean from a security point of view? Bear in mind it costs you nothing. It means your RMM, your software deployment tool, doesn't start until after all of your other security tools are started because while early load antivirus drivers do load for you everything else on your system, they're pretty limited. They don't have all the features of an endpoint detection and response (EDR) and all the features of other security tools. So if you just delay the start of that tool, it costs you nothing other than 60 seconds on a reboot to check in, and it means your security tools are running ahead of it.”
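The delayed-start change Jenkins describes is a one-line service reconfiguration. The following is an added example (not ThreatLocker's code or any RMM vendor's tooling) that applies it safely and then lists which services still start on plain Automatic, so an administrator can confirm the EDR and antivirus services remain ahead of the agent. It assumes Windows 8 / Server 2012 or later (where `Win32_Service` exposes `DelayedAutoStart`), an elevated PowerShell session, and that `RmmAgentService` is replaced with the agent's real service name, which is a placeholder here.

```powershell
<#
  Added example, not ThreatLocker's own code or tooling.
  Moves an RMM / software-deployment agent service from "Automatic" to
  "Automatic (Delayed Start)" so it starts after the security stack.
  Assumptions: Windows 8 / Server 2012 or later, elevated session, and the
  service name passed in is the agent's real service name (find it with
  Get-Service; 'RmmAgentService' below is a placeholder).
#>

function Get-ServiceStartInfo {
    param([Parameter(Mandatory)][string] $Name)
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, StartMode, DelayedAutoStart, State
}

function Set-ServiceDelayedStart {
    param([Parameter(Mandatory)][string] $Name)

    $before = Get-ServiceStartInfo -Name $Name
    if (-not $before) { throw "Service '$Name' not found." }

    # Only Automatic services can be delayed; leave Manual/Disabled alone,
    # and do nothing if the change has already been made.
    if ($before.StartMode -ne 'Auto') {
        throw "Service '$Name' has StartMode '$($before.StartMode)', not Auto; leaving it alone."
    }
    if ($before.DelayedAutoStart) {
        Write-Host "$Name is already Automatic (Delayed Start)."
        return $before
    }

    # sc.exe is present on every supported Windows version and works from both
    # Windows PowerShell 5.1 and PowerShell 7. The space after 'start=' is
    # required by sc.exe's argument syntax.
    & sc.exe config $Name start= delayed-auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed (exit code $LASTEXITCODE)." }

    # Re-read the service so the change is verified rather than assumed.
    $after = Get-ServiceStartInfo -Name $Name
    if (-not $after.DelayedAutoStart) { throw "DelayedAutoStart was not applied; check elevation." }
    Write-Host "$($Name): StartMode=$($after.StartMode) DelayedAutoStart=$($after.DelayedAutoStart)"
    return $after
}

# Usage: replace 'RmmAgentService' (placeholder) with the real agent service name.
Set-ServiceDelayedStart -Name 'RmmAgentService'

# Audit: every service still on plain Automatic start. The EDR/AV services
# should appear in this list and the RMM agent should no longer appear.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and -not $_.DelayedAutoStart } |
    Sort-Object Name | Select-Object Name, DisplayName | Format-Table -AutoSize
```

Two caveats worth checking in practice: some agents reset their own service configuration when they update or when tamper protection is enabled, so the audit query is worth re-running after agent upgrades; and anything the RMM runs at boot (startup scripts, deployments) is delayed by the same interval, which is normally acceptable but should be known.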
Jenkins also shared a tip to prevent someone from spoofing your organization. Anyone who has the letter L in their domain name should register the same domain name with the letter I in its place, and publish email authentication records such as SPF and DMARC for it.
“You can send emails from that domain and they'll show as validated and the user cannot see any physical difference when they receive an email; it's literally you,” he said. “It doesn't matter how good your eyes are. So go home and register your domain name with an alternative of an I instead of an L before somebody else does that who wants to spoof your organization. And if you're an MSP and you've got customer testimonials on your website, it's an easy target for attackers. They get a list of your customers, they register your domain name and send it out.”
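The following is an added example (not ThreatLocker's code) of how a defender can act on this tip for their own domain: it enumerates every variant of the domain in which one or more letter l is swapped for i (the l/I confusion the talk describes), checks whether each variant already resolves and carries SPF and DMARC records, and prints the records to publish on any variant you register and park. A parked domain that publishes a null SPF record (`v=spf1 -all`) and a DMARC policy of `p=reject` tells receiving mail servers that no host is authorized to send as it. It assumes `Resolve-DnsName` (the DnsClient module on Windows 8 and later), outbound DNS access, and `example-llc.com` as a constructed sample domain; "has NS records" is used as an approximation of "registered", and WHOIS/RDAP remains the authoritative check.

```powershell
<#
  Added example, not ThreatLocker's own code.
  For your own domain, lists every variant with one or more 'l' swapped for 'i',
  checks whether each variant resolves and has SPF/DMARC, and prints the records
  to publish on any variant you register and park.
  Assumptions: Resolve-DnsName (DnsClient module, Windows 8+), outbound DNS,
  'example-llc.com' is a constructed sample. Registration is approximated by
  "has NS records"; WHOIS/RDAP is authoritative.
#>

function Get-LToIVariants {
    param([Parameter(Mandatory)][string] $Domain)
    # Only the registrable part is transformed; the TLD is left untouched.
    $labels = $Domain.Split('.')
    $tld    = $labels[-1]
    $name   = ($labels[0..($labels.Count - 2)] -join '.')

    $positions = @()
    for ($i = 0; $i -lt $name.Length; $i++) {
        if ($name[$i] -eq 'l') { $positions += $i }
    }
    $variants = New-Object System.Collections.Generic.List[string]
    # Every non-empty subset of 'l' positions, enumerated as a bitmask.
    for ($mask = 1; $mask -lt (1 -shl $positions.Count); $mask++) {
        $chars = $name.ToCharArray()
        for ($b = 0; $b -lt $positions.Count; $b++) {
            if ($mask -band (1 -shl $b)) { $chars[$positions[$b]] = [char]'i' }
        }
        $variants.Add(((-join $chars) + '.' + $tld))
    }
    return $variants
}

function Test-LookalikeDomain {
    param([Parameter(Mandatory)][string] $Domain)
    $r = [ordered]@{ Domain = $Domain; Registered = $false; SPF = @(); DMARC = @() }
    $ns = Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue
    $r.Registered = [bool]($ns | Where-Object { $_.Type -eq 'NS' })
    if ($r.Registered) {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
        $r.SPF = @($txt | Where-Object { $_.Type -eq 'TXT' } |
                   ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
        $dm = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
        $r.DMARC = @($dm | Where-Object { $_.Type -eq 'TXT' } |
                     ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' })
    }
    [pscustomobject]$r
}

$myDomain = 'example-llc.com'   # constructed sample; use your own domain
foreach ($v in Get-LToIVariants -Domain $myDomain) {
    $r = Test-LookalikeDomain -Domain $v
    if (-not $r.Registered) {
        Write-Host "$v : no NS records. If WHOIS/RDAP confirms it is free, register it and publish:"
        Write-Host "    $v.          IN TXT `"v=spf1 -all`""
        Write-Host "    _dmarc.$v.   IN TXT `"v=DMARC1; p=reject; rua=mailto:dmarc@$myDomain`""
    } elseif ($r.SPF.Count -eq 0 -or $r.DMARC.Count -eq 0) {
        Write-Host "$v : resolves but lacks SPF and/or DMARC (SPF=$($r.SPF.Count) DMARC=$($r.DMARC.Count))"
    } else {
        Write-Host "$v : resolves with SPF [$($r.SPF)] and DMARC [$($r.DMARC)]"
    }
}
```

The `rua` address in the DMARC record points reports back at your real domain, so if anyone does attempt to send mail as the parked variant, the receiving side's aggregate reports will show it.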
Ray Heffer, field CISO at Veeam, provided a practical guide to zero trust for senior security leaders. He said zero trust matters because of privacy.
“I'm very passionate about privacy … and the reason being is the outcome of a data breach,” he said. “Whether that be through ransomware or a leak or any other means, sure, it's the IP of our organizations, it hits our revenue, but it affects me personally. It's my private data or personally identifiable information (PII), and quite often with ransomware, that information is leaked online, perhaps on Tor on the darknet or a breach forum somewhere. And we're seeing things like double extortion.”
For example, the Black Basta ransomware group recently attacked a UK-based water utility company, Heffer said.
“It had to pay a ransom to get the decryption key to decrypt the data, but then they had to pay again to get the data removed offline,” he said. “They did remove the data, but if that data has been exposed on a breach forum, then it's already proliferated across the internet. So this is why I care deeply about it and why zero trust is of extreme importance in the industry today.”
It’s important to minimize the attack surface blast radius through “never trust, always verify,” Heffer said.
“That's a key premise of zero trust so we need to verify access attempts with multifactor authentication (MFA),” he said. “But we're not just talking about the user. We're also talking about the application as well. But as we extend zero-trust principles into data resilience, now we need that separation of the backup software and our backup storage, again minimizing that blast radius. So we need at least three copies of our data on two different types of media, and at least one of those offsite.”
It’s important to make sure you can recover a backup that cannot be tampered with or touched, Heffer said.
Three key takeaways from Heffer include:
- Strategic integration of data protection and incident response.
- Mastering strategic frameworks for cyber resilience, which helps your organization implement controls.
- Proactive ransomware defense and recovery readiness, including immutable backups.
Chase Cunningham, vice president of security market research at G2, outlined the numerous global crises, including running out of drinkable water, recession, global poverty and hunger, and more. Conflict, and therefore cyber crime, are the end result of these crises.
“Cyber is the ultimate equalizer,” he said. “If you're thinking about what's going on globally, think for a second about how cyber plays in. Cyber is where we level things out. It's where a nation like North Korea that is so poor that it actually feeds its people grass can build nuclear weapons because it's funded by cryptocurrency crime. That hasn't happened any other time in history. Cyber is how these organizations, these countries, will continue to grow their economy with veiled conflict and those things as they move into the next phase. They are funding themselves with cyber crime.”
Throwing more and more money at the problem isn’t going to make a difference without fundamental changes in cybersecurity, Cunningham said.
“It's the commoditization of digital conflict,” he said. “And as that becomes more and more prevalent, and people understand more and more the value that they can get from that, they will engage in it further. Statistically speaking, the global annual salary is about $14,000 a year, not great. Statistically speaking, the annual salary roughly for a ransomware operator is about $800,000 a year. So if you're living in one of those countries where you can make a whopping $14,000 a year digging out turnips or whatever they do in Moscow, why would you not engage in this? I'll take $800,000. Oh and by the way, there's no real risk to me because I'm actually affiliated with the state.”
We need to do more than continuing to “throw money down the toilet,” Cunningham said.
“It means that we should realign,” he said. “Zero trust is a strategy. Zero trust talks about the things that actually make a difference. Don't trust anything by default, but go on about your way. And folks that doubt zero trust as a strategy, look at Google. Google got their ass handed to them with Operation Aurora, and they didn't like the press that followed with that. What did they do? They stepped back. They realigned. They moved to this thing they call BeyondCorp, which is their instantiation of zero trust, and you have not heard of a corporate breach on a Google system since that time, and they have 188,000 employees globally and a couple of hundred thousand contractors, and they do their thing.”
Jenny Radcliffe, aka “The People Hacker,” gave a keynote highlighting the ease of social engineering attacks due to human error. She said 95% of attacks and breaches result because of people.
“Any time anything private becomes public against that person's wishes, any time there is a security alert, we know that somewhere there's a human making a mistake or being manipulated,” she said. “It doesn't matter if you're in a great big company. I've spoken with some really big brands and they’re like, 'Wow, we've got these huge training programs.' And in a building like this, there might be 3,000 people and I think 3,000 ways in. Three thousand people, any one of whom might just have that last piece of the jigsaw that I need to build a story that's going to give me access. It doesn't matter how big you are and if you're smaller. You see those little companies, those SMEs with less training and less preparation, and easier for me to research, easier for me to profile and easier for me to get to them to get to the big guys.”
Social engineers are looking for people who make mistakes and are malicious, Radcliffe said.
“And all I'd say to you in terms of insider threat is you need to know your people better than I can,” she said. “And that's hard when we work for big firms. But I know them and people who do my job maliciously know them as well.”
It might be the people who supply the coffee, or the cleaning or the gardener, Radcliffe said.
“They are ways in because we're all links in the chain and it even goes down to normal people, just your man and woman in the street, individuals who think, 'I'm not important enough to be hacked; I'm not rich,'” she said. “That's what they think. They think security is someone else's problem. But you know and I know that security is everyone's problem because every one of you is worth hacking.”
THREATLOCKER ZERO TRUST WORLD — On day one of Zero Trust World, ThreatLocker CEO Danny Jenkins said he hopes attendees gain an action plan for preventing cyberattacks.
The conference in Orlando has attracted attendees globally, including the United States, Australia, Belgium, the United Kingdom, the Philippines and more.
Master of ceremonies Adam Reid told attendees they recognize cybersecurity is a “serious topic and you’re serious about getting the solutions you need.”
Attendees still have a lot of progress to make in their zero-trust journeys. When asked if any had completed their zero-trust journeys, no one raised a hand.
Zero Trust World Theme
The theme of Zero Trust World is about risk, diving deep into the threat landscape to learn about attacks so you can defend against them, Reid said.
The global average cost of a data breach has reached $4.5 million, while attacks and data breaches are occurring and going undetected more and more, Reid said. Last year, it took an average of 49 days to detect and discover breaches. That means hackers were able to operate in an environment for over a month without getting caught.
“This is why we’re here, to stop cyberattacks before they happen,” he said.
During his keynote, Jenkins talked about his experience with helping an insurance company in Australia that was hit with ransomware in 2014.
“Essentially a user downloaded what they thought was an antivirus,” he said. “A virus allowed them to go onto their network, got onto the servers, encrypted their Exchange database, their claims database, their backups, everything. I was called in to help because they paid $22,000 in ransom, which is pretty cheap by today's number, but the decryption tool didn't work. It decrypted some files, but not more, and it was unreliable.”
ThreatLocker's Danny Jenkins
Jenkins said about a week into the recovery, he was still unsure if he was going to be able to get anything back in terms of money.
“The owner of the company, who was a 60-something-year-old man, called me up. The guy was crying on the phone and he said to me, 'Well, are we going to get this back up and running?' And I couldn't give him a positive answer,” he said. “I couldn't say yes to him. I said, 'We're trying everything, but right now it doesn't look good. We don't have any backups. Our databases are gone and it was a disaster.' Now, we did get him back up and running. There was a lot of cost. There was a lot of business loss. There was a lot of money lost. However, after we got him up and running, he asked me what he could do to stop this from happening again. The words zero trust didn't exist then, but I said, 'Change the way you’re thinking. You can't rely on an antivirus. You can't rely on everything being detected. You need to start blocking everything by default, take away users' permissions and limit what happens in your environment.' And even after him bawling his eyes out, to me, the answer was, 'That's not viable for us. We're too small a company. It's not manageable.'”