So we are here with Kyle Hanslovan, Hanslovan. I said it wrong right after you told me how to say it. That's all right. You're a mayor or a connoisseur, a hacker of things, and CEO of Huntress Labs. And I first discovered you when you did some research on Kaseya. And so let's talk a little bit about that. You are like, this is one of those things that's important to me and important to a lot of my audience is that, okay, you know a few things, but you don't just know a few things. You've actually done a lot of things. I look at more of the actions that people have, not like a bunch of accolades on the wall, not a bunch of degrees from wherever. Those are cool and the validation of institution is important, but let's see a couple other things we have in here. You are DEF CON 20 CTF competition winner. Is that correct? That is. Yeah, I snagged a black badge out of DEF CON. So that was a pretty cool accomplishment. That's pretty cool. Just a ton of articles, not just the Kaseya one, on autoruns and all that. And that comes from your background of creating them on the offense. Am I correct? Yeah, so I cut my teeth, unlike a lot that start in defense and grow to offense, I jumped knee deep into offensive security in the early 2000s. So there's a lot of things I'm bad at; hacking things is one of the things I'm pretty darn good at. And you spent some time playing hide and seek officially though with the NSA and doing some internal testing with your government engagements too, correct? Yeah, so all the way from my time in the Air Force. So I got to spend a lot of time in the intelligence community in the Air Force. I jumped out and worked directly for the NSA, both as a contractor as well as a government employee. And here I am now at Huntress. So it's been a crazy wild ride. Creating all these persistent threats and everything.
And one of the other things that is fascinating to me is I don't like security researchers who think that anything should be a secret. Even in the latest Brian Krebs article, I see people calling it out that all these indicators of compromise are sometimes like walled gardens, like well only I should know this information and it shouldn't be shared. And all these security researchers, you and many others, I'm seeing this bigger trend and I love it. You dump it all out there. This is the debrief on it. And this comes all the way to Kaseya. You gave a very good debrief and kudos to Kaseya. Like you said in there, you're not blaming them. They had a good response to it as well. But security done through the public eye and published and talked about, or even what we're talking about here to start breaking this down, hugely important to me. Yeah, it's kind of weird having like a shady NSA background where you think a lot of it would be, you know, not transparent, but I think I learned over the years and even at the agency itself, like you see now NSA coming out releasing a lot of some of their internal reverse engineering tools. Yeah. Indicators of compromise where it sure benefits them. But I'm huge on transparency. Like if you accurately represent a situation, make sure everybody's educated, like it puts it at a level playing field, right? And I never wanted to establish blame. So like you said, I never hold anybody against whether it's their issue or not. Yeah, no, and it's about that level of transparency. It's one of the reasons that's drawn me to open source over the years too, is being able to see inside the firewall. It was a mystery back when everything was some blob of firmware loaded in a little Linksys box. And I'm like, that doesn't seem right. So this, you know, got me into firewalls and got me taking them apart. Once I'm like, open source firewalls, we can start seeing what's inside of them. I can actually watch the packets traversing.
And of course that leads to discoveries of this shouldn't be traversing. It's always an unexpected like, oh, sometimes you wish you could put things back in the box. But yeah, I think overall, there's probably way more victories for transparency than not. Yeah, I mean, there's a lot of people that really wish we wouldn't have poked into things, but at some point, and that's, I'm gonna share it real quick on the screen here, let me pull that up because we're gonna talk about the Kaseya thing real quick. Just, you know, this is from a little while ago, share screen, there we go. So the Kaseya mining pilot, and of course, this is a payload, this is also because Kaseya was, you know, is an MSP tool, so it's loaded, it's an RMM tool that is loaded on a lot of computers, so you have access. And mining payloads were really hot in 2018 back before Bitcoin, oh, I don't know, became a little less valuable. It wasn't about exfiltrating data, it's all about mining and stealing my CPU cycles, you know, that was what all the goals of the hackers were. Kind of is for right now, but it was really hot then. So what was the trigger, how'd you guys find this? Let's kind of talk through it a little bit. Yeah, so you kind of already alluded to like the terrible acronym APT. My job was persistence, right, long-term access at the agency, and so we look at things a little bit different. So at Huntress, it's always about how could somebody make a payload automatically start running. And so for us, while there was a lot going on, all of a sudden we noticed like several thousand, actually probably about tens of thousands of computers that had scheduled tasks that were just abnormally named, you know, they didn't hide in plain sight as well as they should have. And so for us, we were like, what in the world is this thing, like it's actually on your screen right there. It says, you know, as illustrated, the foothold was established with a single PowerShell command.
When you're looking at this data set, it's funny how some things that are just poorly done for like opsec by the attackers really stand out as an anomaly. So we had no clue it was even related to any product or any type of vulnerability. It was just the scale made us realize like, oh no, that was kind of that first indicator of compromise for us. And one of the things I find really interesting is that they pulled from Dropbox. And the reason I say that is being that I do a lot of videos on firewalls, people constantly ask, oh, so Siracada would have caught this. Like they think that the firewall, and I think this is a Hollywood problem, they've breached the firewall as if that's like what really happened. But the reality is you're not gonna block Dropbox at the firewall level. So that's why they use it. They know it would pass through any SIEM tools, not gonna see this and really understand that it's a PowerShell script. It is files being downloaded from Dropbox. That's not suspicious at all. This is one of the reasons I think endpoint protection is absolutely almost in some ways more critical than the firewall because, well, they just, like you said, they didn't do too much obfuscation. They just grabbed something from Dropbox and loaded a PowerShell script. But a firewall wouldn't have seen that at all. And that's what kills me. Like there's a lot of folks that wanna play the blame game. Like you could easily say like Dropbox, you hosted a server, you're negligent, or I mean, even Kaseya, using somebody's RMM for malicious purposes, like it's like holding a gun manufacturer guilty for someone using it in a crime. I'm not a big fan of that side of the house.
So yeah, it's kind of weird how you have to nowadays, like attackers are challenged so hard on the process behavior that they've now taken this whole new approach of like, I'm gonna use the legitimate good tools and only with these good tools or good websites am I gonna use them for nefarious purposes to help minimize my time of getting caught. So I think it's both really crappy. I gotta give, you know, actors props for being innovative. But we as obviously the community have gotta do a whole lot to make sure that we're calling these things out, working, you know, vendors quickly reacting, shutting the stuff down, like that's the stuff I live for. Yeah, and it's still defense in depth. It's not that I say you don't need the other components, but you need all the components all together and there's just layers and pieces in there. And as we develop all these fancy tools, the next thing that we know happens is the hackers, it's getting harder for them, but they're gonna get better at it. They're gonna do the next thing. And so I find that kind of interesting, but that's where we see this Wipro. And Wipro, I don't know how we say that one. I heard it on their sales call or their quarterly reading report. At least it sounded like it was Wipro. Yeah, and they were using, let me jump back to the screen here because they were using the ScreenConnect tool, which is obviously a ConnectWise tool, was a big component of it. And it's not a compromise in ScreenConnect, but it actually caused some confusion because I noticed this is all going on behind the scenes. Before Krebs gets to publish stuff, these companies are sometimes aware, there's NDAs involved because they're trying to investigate.
I noticed that our ScreenConnect sessions, and we updated and it solved it, were getting flagged as malware, which doesn't sound right, but now that they released some of this information and ScreenConnect was one of the tools they had compromised in order to do this, but not compromised it as an upstream vendor attack, but they got into the infrastructure at Wipro. Yeah, yeah, so a lot of folks, it was at the downfall sometimes of sharing information too transparently, you're exactly right. Like that link that says a list of indicators. Oh, it's perfect. Yeah, if you click that folder. So if you take a look at these files, like those EXEs and DLLs, those are all 100% legitimate software from ConnectWise, not vulnerable. It's the legit software. And unfortunately, some folks' knee-jerk reaction was anything that has these hashes must be malicious, which is BS, it's like once again, like every cop's gun that was made by Beretta must be malicious because a Beretta was used in a shooting. Right, it's silly. I'm looking at it to see if I have the link for my VirusTotal thing. I uploaded it because ours got flagged and I was like, whoa, why is this out of the blue getting so flagged everywhere? I don't have the link anymore. I sent it to their support people and they're like, oh, you need to do an update, you need to do this. But yeah, it makes you panic at first for me. It just has another MSP, another IT vendor going, why is my tool, that something happened that I didn't know about? Well, no, these companies, like you said, these are legit things, but they're using the hashes to go and know they're not. Yeah, yeah, I mean like ConnectWise, the software wasn't vulnerable. It wasn't, you know, they literally did nothing wrong, but the irony of the whole thing is somebody's knee-jerk reaction caused it to get a signature. It also is funny, like what you said about the solution to it was updating the software, right? And you think about that.
What type of signature was used? It was probably just a static hash because, think about it, ScreenConnect, they didn't rebuild all their features. No. It gave you an update, it was probably a recompiled version that changed the hash, but that was enough to get around. So it was- Yeah, add a space in the code and recompile so the hash changes, all right, now it's fixed. It happens, I mean, not everybody's that way. Almost all vendors use like, you know, application behavior and stuff like that, heuristics. It makes you scratch your head sometimes when you're like, wait, ScreenConnect was getting flagged. I downloaded a new recompiled version the next day and it's no longer getting flagged. Was that because it's now whitelisted? Or is it just because it's a different hash and different, you know? Yeah, now this is, it was kind of funny, I was listening to Steve Gibson's podcast and he's got a new tool out there and he got a new DigiCert signing certificate for compiling and he realized the heuristics flagged it because the cert was too new. It's kind of flagging it. So, and there was enough indicators, so he said the solution he had to fool heuristics was to re-sign a bunch of his products that get downloaded all the time so that the new signing cert was in all of his old previous products so that it would have a fingerprint that was common across software. He went through like a debrief and I'm like, that's a fascinating way to get around it, but that's also why we've seen companies get their signing certificate, which is obviously something that should never get stolen, but I think Comodo had an incident not that long ago where someone was reusing their signing cert, or in the case of the ASUS malware where it's an upstream attack to get something with a trusted signing cert to get that malware, ShadowHammer, I believe was the- Yeah, you're exactly right. The ASUS vulnerability where some of the samples were straight up signed with the legit ASUS signing certificate, so.
Yeah, so there's still ways to get around and it comes back down to monitoring your endpoints and trying to figure that out, but yeah, that is, oh, this is such a mess here. It's crazy, I didn't realize that folks were using that method to be able to get their software more reputable, but you know what's a cool analogy on that is a lot of companies that send email and marketing, what you do is you don't put your new server out there and just start blasting email because you're so new, your reputation is low. So there's an actual legitimate marketing procedure to warm your servers where you send a little bit of email over time to trusted addresses till you get the reputation. That's a crazy idea that you could use a signing certificate the same way, establish your reputation by warming. Yeah, by warming it, by doing all the, recompiling your old software that is popular so there's enough samples of that certificate out there across the antivirus products that then you can compile your, like this is, it's interesting to think what software developers have to do, to be inconvenienced in order to go, no, we're legitimately a genuinely proper company doing good things, we just want our tools to get out there. Yeah, I don't know. I mean, I know you probably don't do tons of development. We obviously got a dev team in our house and one of the ways that we've been hoping to see more like security vendors take things more seriously is some of the EV or extended validation certificates require a hardware token. And so the benefit of that is like, I think in theory is theoretically if you're a hardware based extended validation token there should be some assumption, unless you had a physical security compromise, which obviously could still be stolen, but a hell of a lot harder to remotely gain access from some foreign country and steal somebody's physical certificate. So hopefully there's maybe more of that. I'd love to see that component come in to like helping establish reputation.
Yeah, that's actually something he had mentioned was that, I was seeing if I could find a picture of it, but DigiCert has a little dongle that you plug in for the code signing cert. Actually, I found it real quick, I'll throw it up here, but it's kind of cool. I imagine you guys have something similar for signing yours. Yeah, ours is like a little smart card. So it's not a USB drive, but ours is like if you've ever seen like a military common access card or anything else. Oh, it's a lot like the chip on your credit card. It's just a white little token that we plug in for ours, but we actually use DigiCert as well. I wonder if when we renew if we'll get the new USB dongle. Yeah, it's kind of, it's novel and it's coming back to needing something physical to plug in like you said to get this signed because obviously you never want that stolen. You don't want, once you, because revoking certificates is not as simple a process as it should be. It's one that's been discussed a lot is how do we revoke companies that have their signing certs stolen? It's not easy. Your system can continue to trust it for a while even though we have an AV update for it. So it's another component that we just really got to keep locked down. Oh man, yeah. So that's, I mean, that's actually the easiest way when we were looking at that Wipro incident that was saying whether that ConnectWise software was actually abused or not. There was no clarification right at first. They just said it was, it was seeded I think is what Brian Krebs' words were. So we had to really figure out like, was there somebody that modified it, backdoored it? And the easiest way for us was right away of saying like, look, the private key wasn't stolen. Yep, this is still validating against the private key. These DLLs and EXEs that were signed. So you're right, for a vendor it could add like huge benefit for even like researchers that are doing that due diligence to say like, yeah, signed.
And as long as it's not an ASUS supply chain type issue, you know, it's a quick way to validate. Yeah, and hopefully, whenever we do some of these debriefs, and I noticed even in a debrief on the Wipro one Mimikatz was used and like, how are some of these old tools still getting in there? That just tells me that there's something wrong and that if any of these old tools get by them I'm like, they didn't have something up to date. They're not using or they allow someone to work from home who had something on their computer. Those are all policies that hopefully through more public exposure of these companies and the ways they got in, we have them going, oh yeah, I guess we shouldn't let Bob's kid share the Minecraft computer and this. And get on there. But minor issues, right? My minor inconveniences. Yeah, minor and things like that. And the next one was, we started talking about those before and I'll jump over here to that is the FINTEAM, Trojanized TeamViewer Against Government Targets. So now- Oh yeah, that was the hotness this week, right? Like just a couple of days ago. Couple of days ago and it's back to the same thing. TeamViewer is not, it's not like TeamViewer themselves are compromised, but TeamViewer is a trusted product for doing screen sharing and remote management in the IT space. So why not use it to infect this? Yeah, it's funny as none of these companies would ever use it and they shouldn't use it. Please if you're watching, don't use this as a marketing technique. But it's almost like a huge compliment that the attackers are so confident in these products working that they actually use it for like their data exfiltration and things along those lines. Like, you know, what better backhanded compliment than people even trust us so much to do their shady things with? Yeah, and it's well crafted here. They have the whole breakdown of how they do the decoy documents, how they get them in there. Marked as top secret.
Oh God, that's great. I would open that, right? Why would you not want to see something like that? Yeah, and then this is, once again, this is back to that transparency. This is at Check Point and I'll leave a link in the show notes to this. But they're walking through each step of it very transparently so we can understand it. So anyone who's, you know, writing countermeasures to this can understand how this is working. But this is impressive from the attacker standpoint; it's also back to being careful and the upstream. Whoever provides your IT, you have to trust them because that sounds like where the compromise happened. They took over with TeamViewer and moving on, moved through the system. Is that correct? I'm just not reading some of it. I think both in this one here, the Check Point issue was used for targeting government customers as well as the Wipro issue. And there was, I guess, a couple other large IT outsourcers, managed service providers that also were compromised in that same Wipro style attack. But it was exactly like you said. I'm not necessarily caring about the IT service provider so much or the IT department so much as how do I use that access to get into something more exciting? And I can tell you like, that's a legitimate strategy is to swim upstream. Like why go through the front door that's largely locked and has cameras and barricades and maybe a security guard when you could walk through the side door that, you know, maybe has a little less scrutiny or maybe has a little bit more access, right? I mean, MSPs typically have pretty solid internal security as well. But once you get past it, if you could be that authenticated person, right? It's kind of like putting on the security uniform now. Once you're able to put on the security guard uniform, now people extend you to a level of trust. Well, and it's kind of a mix.
I interact with a lot of MSPs in doing some help and non-social projects and unfortunately there's a few of them and I've done everything to be as polite as possible, but we just updated one of them on what they contradict us. They had a bunch of ScreenConnect and they were stuck because it was a Linux server and they didn't understand how to update it. They hadn't done an update in five years. Five years that the server was running on and everything was exposed. No firewall, SSH, everything open, password authentication allowed. Their only answer was, well, we have a strong password and it hasn't got cracked yet, but I'm like, there's Dirty COW. There's like a ton of, there's a long list of vulnerabilities that, based on your kernel version, like you are wide open to. And this is where sometimes it gets unfortunate when companies get focused on money. So you really have to be careful because they're like, well, it costs money to expend it. And this is a conversation we got into at the hacking event last night was a guy, his company says, our deal is worth $4 million. It's gonna cost us 2 million to fix it. Which one becomes the priority? Getting the next sale or putting my dev team to work at updating some infrastructure that we know could get popped. Close that sale is what the bean counter said. And he's like, well, that's what we did. He was being graceful, like very quiet about what company he actually worked for. But he's like, these are some of the serious problems we have at my company. I'm a DevOps engineer there. And I kind of want to leave and I may, because my name might get tarnished with the downfall when someone does go ahead and do it. Because it was directly related to the Atlassian and Confluence things that they had some major problems out there. And if you're not familiar with those particular products, they can be difficult to update. Would be probably a polite way to say it. Not a nice PC plug there. Yeah, I did my video the other day on it.
What happens when, because someone did a nice write up on what happens when you run Confluence as root instead of as its own user. And then you don't update it. And then you have it public facing. And according to Shodan, there's about what, 20,000, 22,000 public facing ones. And how many of those are gonna get updated? Yeah, there's a lot of, like in software development, obviously I'm biased because that's my background. But a lot of like the continuous integration servers like Jenkins or Hudson and things like that. Similar approach, access to source code, running as root. And it's funny every now and then in my Twitter feed, I'll see somebody have like a new remote code exploit for Jenkins. And it just kind of reiterates that people are still targeting these. Like why not? Yeah, actually I need to switch over to the Twitter feed here. So we got. Yeah, so I still will undo while we were talking. We were sharing about those IOCs. And I remembered I had a Twitter feed on it. So one of those slides actually shows that instance you were discussing earlier of even though legit software sometimes gets flagged, it doesn't like throw any vendor under the bus. But I think it's that one. So far, many of the on disk IOCs will only confirm the presence of legit ScreenConnect digitally signed with a valid ScreenConnect software certificate. But you can see in that picture right below there is two of 70 of the engines were already, and that was cutting edge, that was like right after those were disclosed by Brian Krebs. You can see that tweet right underneath that picture shows the actual, you know, VirusTotal interface. And you click that image there, like showing two of the 70 AV vendors were at least flagging it. And it got up to something like 14 out of 70 I think by the end of the day. Yeah, and that's definitely important. I mean, they have to start because then it kind of comes downstream. Everyone starts flagging it and then we can start finding it.
One of the other things about ScreenConnect just for people who may not be familiar with the product. I mean, we use it and it's the back end PowerShell commands. We even use it to install Huntress on some of our machines real quick. We could just, you just issue a command through PowerShell through the back end ScreenConnect like here, make this thing happen with completely no user interaction. You have full system. So you're actually at like ring zero because it's running as, you know, full admin even if there's a user with a lesser privilege logged in. ScreenConnect is awesome for that, but it's also what makes it so scary if your instance of ScreenConnect is compromised. It's an excellent, excellent attack vector. Yeah, it's, I mean, it's a double-edged sword, right? Yeah. Those that use a handgun to defend themselves at home are also a terrifying thing for kids. So, you know, you put gun locks on it. You can treat your security tools the same way or your ScreenConnect tools the same way. Yeah, and this is something I've told people, like even our ScreenConnect server, in the event that I am unavailable and an Apache problem comes out, is we actually proxy it through Apache and auto update. And someone's like, well, what if it breaks? I'm like, I'd rather have it broken than compromised any day of the week. Broken is aggravating. Compromised is, all right guys, we got to get the cybersecurity insurance out. We have to talk about this. How bad is it? What happened? Those are much, much worse conversations than, hey, ScreenConnect broke. I have backups. I can restore. Those are all fine. Update these things constantly. Make sure auto updates are on; they're a savior because humans are bad at remembering to update things. Yeah, yeah, for sure. Even in the, that was probably my favorite thing out of the ASUS Live Update incident is, gosh, I'm gonna forget who it is. I think it's the publisher behind No Starch Press.
Did a Washington Post or maybe New York Times, something along those lines, article the following day that was like, look, the one takeaway after the ASUS Live Update incident is to not disable your live updates. Even in the risk of supply chain and everything else, that software was doing what it was supposed to do, which is the overall risk of making sure you're getting those updates installed in real time. Obviously there's the risk of stability and the risk of supply chain, but the answer sure as heck was not stop using automatic updates. That was huge. I think Bill Pollock, by the way, did that. Yeah, no, and that's a good point. When I talked about it too, some people are like, oh, I just disabled all the updates. I'm like, no, no, no, as a matter of fact, the live update can update to the version that's not compromised. So that's a legit thing because this was a super, unless your MAC address was one of the 612 MAC addresses on the list, unless you were among there, the payload never activated. So that's very targeted. Internally, by the way, whether you're red team or somebody shadier like a nation state adversary, that's an actual business process. A lot of people don't think about actors like following a legitimate business plan, but stage one of it is to do like target validation. Is this computer valuable enough for me to even care about? So those actors behind it were sophisticated. They realized their time and resources were limited and they used that amazing capability, right? They could have installed ransomware on. Oh, yeah. I think Kaspersky said, maybe up to 500,000 or something. Yeah, huge number. ASUS is a massive computer vendor. So this is a massive platform to do things with. Yeah, but they were being surgical. They could have, you know, that code was running, even though the update was only doing the validation, was running on whatever that number was, 500,000 computers. Right.
Yeah, they were being surgical and only targeting, you know, 600 and some. Yeah, so they wanted something and until we know a little more detail, if we ever know who those 600 people are, that's gonna answer the question of who wanted it. Yeah, who wanted it in life? Why were you important enough? I'm pretty sure and even when we, like when that happened, we immediately went out, thankfully we're like a big data company, right? So everything we store, even if it's something that's not like persistence, we had information on like every single computer that was running ASUS Live Updater. So on the fly, we actually like notified our customers like, hey, this was probably run on your computer. But the biggest thing that we actually notified folks of was like, you're probably not important enough to be one of the 600. Like, no offense, my mom sometimes has asked me like, Kyle, you work at NSA, are you reading my email? I'm like, mom, no offense. One, you're a US citizen. Two, you're not that important. I don't have the time nor care about what you're doing. I used to work with a guy who's a conspiracy theorist and I'd had enough one day and I just yelled, I was like, Brad, you're just not that important. I'm sorry, the government's not coming for you. And it was around year 2000 because he thought that's when the NSA was gonna come get him. I'm like, why would they come get you? You're not that interesting. You don't want anything. You're actually not even a great tech. You're really going for the, yeah. I had like, if you remember back to 2000, I was working in corporate IT back then and so everyone, we had to do all these compliance things because I worked at the automotive level of whether or not it was Y2K compliant. It was like busy work of stupidity of, if it has a clock in it, we had to put stickers on monitors to say that they were Y2K compliant. It was one of the dumbest things I did in my career because you couldn't convince them until you certified it.
I'm like, it doesn't have a clock in it, but did you check it? I'm like, it's a monitor. So we had to put stickers on things we checked. It was, I got it, the phone system failed the Y2K and they were all like, how do we do the testing? I'm like, I'm gonna change the time. Yeah. Everyone said to me like, well, shouldn't you do more thorough than that? I'm like, I'm gonna change the time to 2K and then I'm gonna roll it back to the correct time and see if it crashed. Yeah, gosh, yeah. Oh, we spent so much time doing that. But anyways, yeah. Sometimes people think they're too important. Unless you're in that 600, which I don't like the way Kaspersky did it. And they probably did it for attention where you had to put your MAC address in and it gave you a yes or no. But that piece of reverse engineering, their name will elude me, but I did a video specifically on how they gave such great detail of how they reverse engineered and pulled and extracted out salted hashes of MAC addresses. And that was cool reverse engineering. Yeah, that was Skylight Cyber, to give those guys mad props. Oh yeah. They were awesome. Just like a capture the flag event, right? Trying to reverse engineer and figure it out. Yes, that's actually a good point. You know, I guess there is some privacy there that you wanna respect, somebody's privacy. There was also some things like just the same way that people like, you know, misconstrued like RMMs or products from, you know, vendors being malicious. Some people took the wrong approach. They were like, look, if you look at the MAC addresses, there's a high level of Intel MAC addresses. Clearly there must be something with Intel. It's like, no, that's not how this worked. It had nothing to do with Intel and nothing to do with the vendor. They just happened to be running a common product, right? Yeah. And these vendors, I mean, they genuinely want all the products to be secure. They don't want their reputation.
And I feel the majority of all these MSP larger ones that I've dealt with, you know, ConnectWise and SolarWinds. They, the engineers, I've actually met a few of them. Like they are absolutely want their product to be top secure. They do a good job and everything else. And so that's not where these problems lie. It's sometimes the people who use the tooling. And I try to dig through the back channels of the Weeper one. And I feel, I've gotten two mixed things. And I see people arguing in a couple of the hacker channels. Some say I worked there. Their operational security was not as good as it could have been. And other people said it was good. It depended on what division you worked in. So I want these, I hope they give really good debriefs of exactly how a phishing email got through and what the entire movement was on there. I don't know if you listen to Darknet Diaries. Oh yeah, oh yeah. I think some of those that they do have like the actual dumps are going through like their incidents are brilliant. Kaspersky, ironically, a lot of people forget that Kaspersky themselves got compromised in like 2016. They called it Duqu 2.0. And it's an amazing like breakdown of all the ways how they got in, how they did the incident response. They owned their incident. And you can say like, oh, Kaspersky, you could have been negligent, but I think they owned it. They just said, look, this could happen to anybody when somebody like this targets. Did you see a particular like Darknet Diaries or incident or not incident, but a podcast or that actually had something like this of, they were calling out or walking through the incident? Not that we throw one yet, but I've gone through like some of the older ones. What was that big oil company? They walked through that one. That was Aramco. Yeah, Aramco. Saudi Aramco. Yeah, that was really good. Did you, out of the latest one I just finished yesterday, which was Jeremy from Marketing. I don't know if you've listened to that one. 
I haven't. I haven't got on that one. Oh, good red team story. Walking you through a plant, they dropped in to do red teaming. He was Jeremy from Marketing. He wasn't really Jeremy from Marketing, but you know, it was actually, it was a good story that gives you absolute and I love the level of detail that I get into it of walking you through. These are the tools I tried using. This is how I tried to capture their password hashes. This is how I tried to walk through each step of it in depth. And that's something I appreciate greatly because we need more content like that because that's what gets people thinking about it. Oh wow, I'm running that. And I didn't turn on 2FA because you always have to start with the assumption they've reached a perimeter. Even my network is overly complex in some ways because I assume they're already breached everything. Yeah, assume compromise, right? Yeah, assume compromise and work from that threat model makes it harder and then, you know, test. So my friends, I invite them over. They're trusted hackers. They're white hats. You can poke at it while you're here. We record how they got hacked on Fridays or whatever shows we record. I'm like, they're poking away at stuff all the time. Hey, Tom, we found your printer. Oh yeah, I forgot, I hooked something up. And I think because I mean, you have a huge variety of viewers from folks that are getting into security to people that are knee-deep, to folks that are in IT that obviously it's tangential. Even down to students or folks in the C-suite that might just want to come here to be able to learn. I think one of the biggest things that your podcast and videos on YouTube offer is like, it makes these things more relatable, right? 
And even from like IT folks, I've seen folks that commenting on your videos that are like, look, I never thought that I always treated like my pentesters as an adversary or even pentesters commenting of like, I never thought that if I can make these more relatable and don't get rid of some of the hype, the fear and uncertainty and doubt that can make some of these things more digestible for your viewers. So kudos, dude, by the way. Nobody ever says that to you. And I appreciate that the viewer of your stuff and obviously hanging with you here. But I think that's huge for you to be able to share those resources. Yeah, no, and that's, you know, people think it's scary and hard to get into, but once they get into it, they go, oh, you know, and one time I almost wanted to like share the story. I have a friend who now works for Adafruit Industries who has a degree in psychology. She never picked up programming, starts it. And within a year, she's got so good at it, she's now giving talks all over the US and then she's a head Python devices maker at Adafruit. Her degrees in psychology, she spent years working like the medical profession and she's like, oh, it turns out I really liked Python. I thought it was, I thought computers were scary. Turns out, it took just like two books of coding and now she's actually working for a reputable big company doing this and achieving quite a bit and she's really talented at it. She, I don't know if this year or not because I haven't figured out who's involved. There's a conference coming up in two weeks. We sponsor all the laptops for the Python coding course. But for the last two years, I know she's been the teacher for it. I can't remember if she had a conflict this year or not, but it's all things like we hold these labs, we hold these events. We invite people out to DC 313, which our DefCon meet up here. Just get more people involved. That's the biggest thing. It's how will this get better? Gotcha. 
So I mean, obviously that's part of the reason why we do these blogs the way we do. Some folks have actually asked of like, do you feel like you're calling a vendor out? And I'm never like, I'm a vendor. I'm telling you right now, from one day, Huntress will have an incident. It's going to happen. We put everything in place. You'd be crazy to say it's not gonna happen. When it does happen, I'd hope that you come out, you say, hey, it happened. This is what we're doing to make sure it doesn't happen. That would be my biggest thing. And I hope that level of transparency, you know, runs through and through. And I think that's probably why I love groups like, you know, the DefCon groups or the Black Hat groups or even the old school 2600 groups. They were all about the like, let's not hide the knowledge. Let's not separate it, right? Let's bring it to the limelight. In 2600s where I got my start, I got all the magazines are all stacked up. But I buy mine in cash from Books-A-Million, so I don't have to pay for it. And they close every where I combine them in cash. I haven't bought some books in a while. And as I always pay cash for them, so I'm like, oh. Now we're the tinfoil hat conspiracy theorists. Oh yeah, I mean, man, I've been reading those books since high school and that was 90s for me. So, nice, nice. So, all right, we're gonna wrap this up. We'll talk real quick though. So you're easy to find, you usually get hold of on Twitter on the blog on Huntress Labs where you guys are always talking about security research and folks closer where a user of your product are really happy with it. I'm gonna do a separate video talking a little bit about your product and how it uses some people. And you have a free demo, by the way, you can sign up. So if you're curious, you don't have to take either of our words for it. You can actually just start playing with it. I'm a huge put your money where your mouth is. Show me, don't tell me. 
So, I'll be, and I'm sure the sales people love to talk to you. It's just way easier to kick the tires on anything. Yeah, and that's always an awesome, and that's what of course made it easy for me. I didn't even have like some sales people I had to get through and sign up for this BS. You guys like, yo, here, just find it for your account. I'm like, oh, this was simple. And the deployment was easy and your engineering team has been amazing. They found things. We used them specifically for a cleanup on a new client and because we knew they needed it. And your debriefs you give on how to remove the specific tools from that computer. I'll cover all that a whole separate video. It's impressive. You guys have an excellent product. The human element is what makes it interesting because everyone wants to throw the words AI and all this machine learning automation. At some point, people need to work at these NOC teams. Need to do some analysis and actually get involved. So as I understand it, we still haven't created the singularity machine that's harder than us just yet. I don't even want to read about it. Skynet research, but we're not quite there. Right. Until we're there, we're still gonna be finding payloads in Dropbox. Yeah. It's suspicious. It's a two-shave order. Oh, that was great. So all right. I'll leave links to everywhere you can find about you, Huntress and all that. And thanks for coming on, doing this interview. Man, this has been fun. Yeah, this has been fun. And definitely I'll be commenting and retweeting some of the stuff, especially because these attacks, they only get more persistent. Hopefully security gets better through all this transparency though. Cool. Thanks for having me. This is tons of fun. Oh, last thing. I love what you said before, last time we talked was how companies have safety and they brag about 30 days, 40 days without an OSHA incident or an accident. We need that. Days without incident should be just as much of a bragging. 
Days when we didn't get phished, days we didn't get edit companies. This is the same thing. You should be proud of your days without that. I love that. Yeah, man. You can probably have a whole video on that type of stuff, but I hope bringing those just to celebrate security, right? Yeah. You know that in your business, hey, we haven't had an incident in 270 days. Like, that's not a reason to get mad, right? That's not a reason to celebrate. And it's not a reason to fire a tech vendor or what? They don't do anything. I haven't had an incident. Almost. Yeah, clearly we get bored. They're doing their job. All right, I'm gonna jump off. Take care, man. Yeah, thank you so much. Cheers. Thanks for watching. If you liked this video, give it a thumbs up. If you wanna subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you wanna hire us for a project that you've seen or discussed in this video, head over to laurancesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you wanna throw at us. Also, if you wanna carry on the discussion further, head over to forums.laurancesystems.com where we can keep the conversation going. And if you wanna help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video and see you next time.