In this bonus episode of The Business of Tech podcast, Brett Leatherman, a senior executive with the FBI, provides insights into the current cybersecurity landscape from a law enforcement perspective. Leatherman highlights the ongoing threat of ransomware targeting businesses, particularly in critical sectors like healthcare and energy. He emphasizes the importance of imposing costs on cybercriminals while also offering substantial assistance to victims of cybercrime.
The FBI's success in pushing back against cybercriminals is attributed to its strategy of imposing costs on malicious actors while providing assistance to victims. Leatherman discusses a recent operation against the LockBit ransomware group, showcasing the FBI's efforts to disrupt cybercriminal infrastructure and help affected businesses decrypt their data. By collaborating with international partners and conducting technical operations, the FBI aims to deter cyber adversaries and bring them to justice.
Leatherman delves into the process of engaging with the FBI during a cybersecurity incident, emphasizing the importance of establishing a relationship with the local field office before a breach occurs. He outlines the steps MSPs can take before, during, and after a breach, including contacting the FBI, preserving evidence, and collaborating with law enforcement. By sharing insights on contentious information, legal considerations, and post-incident procedures, Leatherman provides valuable guidance for organizations navigating cybersecurity incidents.
As cyber threats evolve, Leatherman highlights emerging technologies like artificial intelligence being leveraged by state actors for disinformation campaigns. He underscores the significance of maintaining strong cyber hygiene practices, such as implementing multi-factor authentication, patch management, and software inventory management. By focusing on the basics of cybersecurity and engaging with law enforcement proactively, organizations can enhance their defenses and mitigate the risk of cyberattacks. Leatherman concludes by emphasizing the FBI's role in assisting businesses and encouraging listeners to establish a partnership with their local FBI field office for cybersecurity support.
[00:00:02] [SPEAKER_01]: We talk a ton of cybersecurity, but I wanted to get another perspective.
[00:00:06] [SPEAKER_01]: Let's go back to law enforcement and understand what the FBI is thinking about right now.
[00:00:11] [SPEAKER_01]: Brett Leatherman joins me today.
[00:00:13] [SPEAKER_01]: He is a Senior Executive with the FBI, and we get into what they're seeing, how they
[00:00:19] [SPEAKER_01]: want to onboard you, and what resources they offer on this bonus episode of the Business
[00:00:24] [SPEAKER_01]: of Tech.
[00:01:17] [SPEAKER_01]: Well, Brett, thanks for joining me today.
[00:01:19] [SPEAKER_00]: Thanks for the invite.
[00:01:21] [SPEAKER_01]: So this is going to be fun.
[00:01:22] [SPEAKER_01]: I'm going to start really high level before we dive into some of the specifics
[00:01:25] [SPEAKER_01]: I want to get into.
[00:01:26] [SPEAKER_01]: But I like to get a sense from you.
[00:01:27] [SPEAKER_01]: You know, we're talking as we're wrapping up summer 2024.
[00:01:30] [SPEAKER_01]: Like what are the things that you're really tracking right now at the FBI, particularly
[00:01:36] [SPEAKER_01]: those that are targeting SMBs?
[00:01:37] [SPEAKER_01]: What's the big trend that you're tracking right now?
[00:01:40] [SPEAKER_00]: Yeah, well, no surprise probably to you or to your listeners, but ransomware continues
[00:01:44] [SPEAKER_00]: to be a major issue for businesses across the country.
[00:01:49] [SPEAKER_00]: And what we've seen that is unique about ransomware this past year in particular
[00:01:53] [SPEAKER_00]: is the targeting by the bad actors of the underlying ecosystem that supports health care
[00:02:00] [SPEAKER_00]: or energy sector or elsewhere.
[00:02:03] [SPEAKER_00]: The actors are trying to identify those key nodes within the ecosystem that has cascading
[00:02:10] [SPEAKER_00]: impact on other victims because it allows them to continue to extort and shrink that
[00:02:17] [SPEAKER_00]: window by which an organization might consider payment because they have downstream customers
[00:02:22] [SPEAKER_00]: who are impacted by ransomware.
[00:02:24] [SPEAKER_01]: One of the things I've been tracking on the show is, is I also feel like we've been
[00:02:28] [SPEAKER_01]: talking a lot of stories where law enforcement's been doing a great job of pushing back.
[00:02:32] [SPEAKER_01]: You guys have had a lot more string of victories in terms of getting to identify
[00:02:37] [SPEAKER_01]: criminals, bring them to justice.
[00:02:38] [SPEAKER_01]: People are starting to face court time, face repercussions for that.
[00:02:43] [SPEAKER_01]: What do you attribute that organization to?
[00:02:46] [SPEAKER_01]: Like, are you guys... I don't think it's getting lucky.
[00:02:48] [SPEAKER_01]: I think you've done something a little bit different.
[00:02:50] [SPEAKER_01]: What's shifted in the strategy that's making it more effective?
[00:02:53] [SPEAKER_00]: Yeah, and then you hit the nail on the head.
[00:02:55] [SPEAKER_00]: There's it's the strategy, right?
[00:02:56] [SPEAKER_00]: The FBI strategy is to impose cost on malicious cyber actors while also providing
[00:03:02] [SPEAKER_00]: substantial assistance to victims of cyber crime.
[00:03:05] [SPEAKER_00]: We're a law enforcement agency.
[00:03:06] [SPEAKER_00]: We have a vested interest in providing that assistance to victims.
[00:03:10] [SPEAKER_00]: But at the same time, imposing cost on the actors is a deterrent and also
[00:03:16] [SPEAKER_00]: protects victims as well.
[00:03:17] [SPEAKER_00]: So an example, going back a few months, is the disruption that the FBI conducted
[00:03:23] [SPEAKER_00]: with our partners in the UK at the National Crime Agency against LockBit.
[00:03:28] [SPEAKER_00]: We were able to do both a technical operation that degraded their
[00:03:32] [SPEAKER_00]: infrastructure.
[00:03:32] [SPEAKER_00]: We were able to get decrypter keys that we were able to push out to small and
[00:03:36] [SPEAKER_00]: medium businesses to be able to decrypt data.
[00:03:40] [SPEAKER_00]: And we indicted and charged a number of affiliates to include LockBitSupp,
[00:03:44] [SPEAKER_00]: which is one of the main guys behind the LockBit ecosystem.
[00:03:48] [SPEAKER_00]: And so that serves as a deterrent to the adversary.
[00:03:52] [SPEAKER_00]: And we see them often move to different variants after that.
[00:03:56] [SPEAKER_00]: But our goal is to also arrest them when we can.
[00:03:59] [SPEAKER_00]: And we have a number of folks that we've been able to arrest associated
[00:04:02] [SPEAKER_00]: with different ransomware strains and ultimately bring back to the United
[00:04:06] [SPEAKER_00]: States to face justice here.
[00:04:09] [SPEAKER_01]: And it feels like you're getting a much better engagement with the private
[00:04:13] [SPEAKER_01]: sector in terms of the submission of information.
[00:04:17] [SPEAKER_01]: I actually want to talk a little bit about how that works, because one of the
[00:04:20] [SPEAKER_01]: things we often talk about this at a very high level, right?
[00:04:23] [SPEAKER_01]: Like have your incident response plan ready, be ready to respond,
[00:04:28] [SPEAKER_01]: call law enforcement.
[00:04:29] [SPEAKER_01]: But I actually want to ask a little bit more about that.
[00:04:31] [SPEAKER_01]: If you're an MSP listening to the show and you're starting to think about
[00:04:36] [SPEAKER_01]: that, what is that first call like?
[00:04:40] [SPEAKER_01]: So I've been I'm an MSP.
[00:04:42] [SPEAKER_01]: I've been breached.
[00:04:43] [SPEAKER_01]: I've probably identified like when I call the number, like what do I have to
[00:04:48] [SPEAKER_01]: have ready? What's that call an intake look like?
[00:04:51] [SPEAKER_00]: Yeah. Well, let me kind of show that in three different phases, first,
[00:04:56] [SPEAKER_00]: before, second, during, third, after a breach.
[00:05:00] [SPEAKER_00]: And so when we talk before, we want to have that relationship with you as
[00:05:05] [SPEAKER_00]: an MSP before a breach happens.
[00:05:08] [SPEAKER_00]: That way, you're not calling an ambiguous number trying to identify
[00:05:11] [SPEAKER_00]: during a crisis who you need to talk to within the FBI.
[00:05:15] [SPEAKER_00]: Hopefully, you've developed a relationship with your local FBI field office.
[00:05:19] [SPEAKER_00]: We have 56 across the country.
[00:05:22] [SPEAKER_00]: You've developed that relationship and hopefully you're getting threat
[00:05:25] [SPEAKER_00]: intelligence from the local field office before a breach and able to
[00:05:29] [SPEAKER_00]: ingest that and defend your networks now during a breach.
[00:05:32] [SPEAKER_01]: Well, let's let's let's actually pause at the pre then.
[00:05:34] [SPEAKER_01]: Let's let's walk through here.
[00:05:36] [SPEAKER_01]: Is it just a matter of like calling up the local office and asking
[00:05:39] [SPEAKER_01]: go out for coffee? Like how do I when we talk about getting a relationship,
[00:05:43] [SPEAKER_01]: what does that mean from your side?
[00:05:45] [SPEAKER_01]: What's the expectation of the interaction?
[00:05:49] [SPEAKER_00]: Yeah, it is actually identifying your local field office within the state
[00:05:53] [SPEAKER_00]: and contacting the field office and asking to speak to a cyber supervisor,
[00:05:57] [SPEAKER_00]: asking to speak to a member of the cyber task force and having that
[00:06:02] [SPEAKER_00]: conversation up front, letting them know what your business model is,
[00:06:05] [SPEAKER_00]: who your customer base is, helps inform them as to what
[00:06:11] [SPEAKER_00]: what threat actors might target you as an organization.
[00:06:14] [SPEAKER_00]: And often there are threat feeds or threat email distros that the field
[00:06:18] [SPEAKER_00]: office participates in that they can put you on as well.
[00:06:21] [SPEAKER_00]: So if you don't have a local contact, certainly reach out to the field
[00:06:24] [SPEAKER_00]: office and you can see that at FBI.gov.
[00:06:27] [SPEAKER_00]: You can find your local field office there.
[00:06:30] [SPEAKER_00]: And other folks are members of the FBI's InfraGard program,
[00:06:33] [SPEAKER_00]: which is a public private sector program meant for small members
[00:06:38] [SPEAKER_00]: within small to medium businesses as well.
[00:06:40] [SPEAKER_01]: OK, so literally it's a matter it really is a matter of calling up
[00:06:43] [SPEAKER_01]: the field office and introducing yourself and just starting that.
[00:06:47] [SPEAKER_01]: Do you have a recommendation of the rhythm of that communication?
[00:06:49] [SPEAKER_01]: Is it annually by what's the rhythm that works?
[00:06:53] [SPEAKER_00]: Yeah, you know, at all times, if you see an anomaly on the network,
[00:06:57] [SPEAKER_00]: we want you to reach out.
[00:06:58] [SPEAKER_00]: We want you to connect with the local field office.
[00:07:00] [SPEAKER_00]: Absent some sort of incident in the environment,
[00:07:04] [SPEAKER_00]: you know, whatever you're comfortable with, certainly not every day.
[00:07:06] [SPEAKER_00]: That's probably not worth your and their time necessarily,
[00:07:09] [SPEAKER_00]: because there's a lot of folks in the community.
[00:07:12] [SPEAKER_00]: But, you know, every six months, every every year, touching base
[00:07:16] [SPEAKER_00]: and trying to identify if there are,
[00:07:20] [SPEAKER_00]: you know, external communications that the FBI is providing
[00:07:23] [SPEAKER_00]: in that area that might help you defend your networks.
[00:07:27] [SPEAKER_01]: OK, now that's the so that's the pre.
[00:07:29] [SPEAKER_01]: So move me along the chain then.
[00:07:31] [SPEAKER_00]: So hopefully you've got that relationship established.
[00:07:33] [SPEAKER_00]: If you don't, you do the same thing.
[00:07:35] [SPEAKER_00]: FBI.gov, reach out to your local FBI field office.
[00:07:38] [SPEAKER_00]: If you have any issues doing that whatsoever,
[00:07:42] [SPEAKER_00]: there are two locations you can submit information during an incident.
[00:07:46] [SPEAKER_00]: You can either go to tips.fbi.gov
[00:07:49] [SPEAKER_00]: and enter your information in there or the Internet Crime
[00:07:53] [SPEAKER_00]: Complaint Center, ic3.gov.
[00:07:56] [SPEAKER_00]: You can enter in information there.
[00:07:57] [SPEAKER_00]: It will go to our cyber watch center
[00:08:01] [SPEAKER_00]: and they will be able to contact the local field office to engage you.
[00:08:06] [SPEAKER_01]: OK, gotcha.
[00:08:06] [SPEAKER_01]: And how how organized do I need to be during this?
[00:08:10] [SPEAKER_01]: You know, like I'm assuming that there's some prep
[00:08:11] [SPEAKER_01]: that makes it work a little bit better, right?
[00:08:14] [SPEAKER_00]: Hopefully you've identified in advance through an incident response plan
[00:08:19] [SPEAKER_00]: what you should have prepared and what you're willing to share
[00:08:21] [SPEAKER_00]: with law enforcement.
[00:08:22] [SPEAKER_00]: And I think being intentional about what you are going to share
[00:08:27] [SPEAKER_00]: and how you're going to communicate is important.
[00:08:29] [SPEAKER_00]: For example, it's probably not a best practice to communicate on an impacted system
[00:08:34] [SPEAKER_00]: because you don't want the bad guys knowing you're talking to the FBI necessarily.
[00:08:38] [SPEAKER_00]: So out-of-band communications is important.
[00:08:40] [SPEAKER_00]: Now, when it comes to actually talking to the FBI,
[00:08:43] [SPEAKER_00]: part of that incident response plan should consider: do we have cyber insurance?
[00:08:48] [SPEAKER_00]: Are we going to reach out to the cyber insurer first?
[00:08:51] [SPEAKER_00]: Do we have inside or external counsel that we want to run this by first?
[00:08:55] [SPEAKER_00]: Hopefully internal counsel has also weighed in previously
[00:08:59] [SPEAKER_00]: in the incident response plan and understands what that engagement
[00:09:03] [SPEAKER_00]: with law enforcement looks like.
[00:09:05] [SPEAKER_00]: And do we have a third party remediation company on retainer
[00:09:08] [SPEAKER_00]: or that we're going to bring in as well that we want to engage
[00:09:12] [SPEAKER_00]: with law enforcement, because what's important to note is,
[00:09:15] [SPEAKER_00]: the FBI has 56 field offices.
[00:09:17] [SPEAKER_00]: We also have 21 and counting cyber assistant legal
[00:09:22] [SPEAKER_00]: attachés located in embassies around the world.
[00:09:25] [SPEAKER_00]: So if you haven't seen the actor on your networks before
[00:09:28] [SPEAKER_00]: and you don't know how to address it, chances are good.
[00:09:31] [SPEAKER_00]: One of those 56 field offices or those foreign partners
[00:09:34] [SPEAKER_00]: that we engage with have seen it.
[00:09:37] [SPEAKER_00]: So it's important for us to be able to share intelligence quickly
[00:09:40] [SPEAKER_00]: with the teams who are helping you identify
[00:09:43] [SPEAKER_00]: and contain and ultimately eradicate the adversary.
[00:09:47] [SPEAKER_01]: Now, I'm curious, what's the kind of information that the FBI is looking
[00:09:50] [SPEAKER_01]: for that might be contentious, you know, the kind of information
[00:09:54] [SPEAKER_01]: that you'd be looking for, that that somebody's lawyer may advise differently?
[00:09:58] [SPEAKER_01]: Like, give me a sense of what that information is that's contentious.
[00:10:00] [SPEAKER_00]: Yeah, let's start with the easy stuff like indicators of compromise right up front.
[00:10:05] [SPEAKER_00]: Very few people tend to have concerns about sharing bad actor IPs,
[00:10:09] [SPEAKER_00]: domains, hash values, those kind of things.
[00:10:12] [SPEAKER_00]: Binaries containing malware, those things we have an interest in
[00:10:16] [SPEAKER_00]: right up front, and those tend to be less controversial.
[00:10:19] [SPEAKER_00]: Where we see counsel start to get involved
[00:10:22] [SPEAKER_00]: is understanding what data was exfiltrated from the organization,
[00:10:26] [SPEAKER_00]: where it was exfiltrated to.
[00:10:29] [SPEAKER_00]: A lot of times that involves intellectual property or trade secrets
[00:10:32] [SPEAKER_00]: and companies, rightfully so, are considerate
[00:10:35] [SPEAKER_00]: of what law enforcement might do with that.
[00:10:38] [SPEAKER_00]: And we often provide very specific
[00:10:41] [SPEAKER_00]: guidance on what our legal role is as a law enforcement agency
[00:10:45] [SPEAKER_00]: and how we protect that.
[00:10:46] [SPEAKER_00]: Log files are sometimes contentious as well because
[00:10:50] [SPEAKER_00]: inside or outside counsel don't always know what those files contain.
[00:10:54] [SPEAKER_00]: Do they contain information not germane to the investigation
[00:10:58] [SPEAKER_00]: about our network and what does that mean?
[00:11:01] [SPEAKER_00]: How does that protect the privacy of our business,
[00:11:04] [SPEAKER_00]: our employees and potentially our customers?
[00:11:07] [SPEAKER_00]: And so log files, exfiltrated data, those kind of things
[00:11:10] [SPEAKER_00]: tend to give folks pause.
[00:11:12] [SPEAKER_00]: And we also hear folks say, we don't want law enforcement
[00:11:15] [SPEAKER_00]: on the keyboard or SSH into our Linux server, kind of rooting around.
[00:11:20] [SPEAKER_00]: And that's a that's a myth.
[00:11:22] [SPEAKER_00]: The FBI doesn't do that.
[00:11:23] [SPEAKER_00]: We work closely with your folks or your incident response firm
[00:11:27] [SPEAKER_00]: who are on the keyboard.
[00:11:29] [SPEAKER_00]: And we don't want to get information ultimately that doesn't
[00:11:33] [SPEAKER_00]: promote attribution towards the adversary and mitigation on your part.
[00:11:38] [SPEAKER_00]: We want to provide that assistance to the victim as well.
[00:11:41] [SPEAKER_01]: Now, I'd be highly surprised if the answer to this was none.
[00:11:44] [SPEAKER_01]: So I'm just going to ask the question.
[00:11:45] [SPEAKER_01]: I'm pretty confident the FBI has policies and procedures for information handling.
[00:11:51] [SPEAKER_01]: If somebody wants to understand a little bit about that
[00:11:53] [SPEAKER_01]: so that they can think about it when they're not in crisis,
[00:11:56] [SPEAKER_01]: like give me a sense of what those policies are.
[00:11:58] [SPEAKER_01]: And I would assume they're public since it's a government organization.
[00:12:01] [SPEAKER_01]: Give me some guidance on how you learn more about it.
[00:12:03] [SPEAKER_00]: Yeah. So as far as the violations of federal law,
[00:12:06] [SPEAKER_00]: the federal criminal code identifies kind of what we're looking for
[00:12:10] [SPEAKER_00]: in pursuing actors.
[00:12:13] [SPEAKER_00]: The Computer Fraud and Abuse Act is often what we seek
[00:12:17] [SPEAKER_00]: charges against these actors for.
[00:12:19] [SPEAKER_00]: And so understanding what our intent is
[00:12:22] [SPEAKER_00]: in gathering evidence to support violations of CFAA are important.
[00:12:26] [SPEAKER_00]: So those, you know, 18 U.S. Code 1030,
[00:12:29] [SPEAKER_00]: which is the Computer Fraud and Abuse Act.
[00:12:32] [SPEAKER_00]: Everybody can go on and look at that.
[00:12:34] [SPEAKER_00]: FBI.gov within our cyber program will give you some additional information
[00:12:38] [SPEAKER_00]: about what we're looking for, both from a relationship
[00:12:42] [SPEAKER_00]: standpoint and what our mission is and how we accomplish that mission.
[00:12:46] [SPEAKER_00]: And so really understanding the FBI's law enforcement authorities
[00:12:50] [SPEAKER_00]: helps you to understand exactly how we protect your data
[00:12:54] [SPEAKER_00]: in ways that others aren't obligated to.
[00:12:56] [SPEAKER_00]: We are bound by the Victims Rights Act.
[00:12:59] [SPEAKER_00]: And as a corporate corporation who's been compromised by a criminal
[00:13:03] [SPEAKER_00]: or a nation state actor, we treat you as a victim
[00:13:06] [SPEAKER_00]: and we treat anything we gather from your organization
[00:13:09] [SPEAKER_00]: as evidence of criminal conduct, you know,
[00:13:13] [SPEAKER_00]: or evidence of the adversary conducting criminal conduct
[00:13:16] [SPEAKER_00]: for use in our investigations.
[00:13:17] [SPEAKER_00]: And they're protected as such.
[00:13:20] [SPEAKER_01]: Gotcha. Now, knowing that every case is always a little bit different, right?
[00:13:23] [SPEAKER_01]: In every circumstance, a little bit different.
[00:13:25] [SPEAKER_01]: I'm reasonably confident there's some trends
[00:13:26] [SPEAKER_01]: and some generalities that you can make.
[00:13:28] [SPEAKER_01]: Talk to me about sort of what happens post that initial intake.
[00:13:32] [SPEAKER_01]: Like kind of walk me through the process.
[00:13:33] [SPEAKER_00]: Yeah, so once we get a call from a private sector company
[00:13:37] [SPEAKER_00]: indicating they were breached, we try to quickly identify
[00:13:41] [SPEAKER_00]: if it's a ransomware attack.
[00:13:43] [SPEAKER_00]: What is the variant?
[00:13:43] [SPEAKER_00]: Because there's intelligence we have.
[00:13:45] [SPEAKER_00]: We have field offices who work every variant out there.
[00:13:49] [SPEAKER_00]: And if it's a brand new variant, we will find a field office to work in.
[00:13:53] [SPEAKER_00]: And what we do is we search our holdings for IOCs,
[00:13:56] [SPEAKER_00]: indicators of compromise, tactics, techniques and procedures
[00:13:59] [SPEAKER_00]: that the adversary uses so that we can provide that to you
[00:14:02] [SPEAKER_00]: to aid you in identification of the adversary and containment of the adversary.
[00:14:07] [SPEAKER_00]: At the same time, our dialogue to you or your third party
[00:14:12] [SPEAKER_00]: incident response firm is this is the information we would like you to
[00:14:17] [SPEAKER_00]: hold on to, not destroy in your eradication process,
[00:14:21] [SPEAKER_00]: but hold on to for evidence of criminal conduct.
[00:14:24] [SPEAKER_00]: And those things can include, like we talked about for IOCs,
[00:14:27] [SPEAKER_00]: they can include log files.
[00:14:29] [SPEAKER_00]: We may ask for wallet addresses of the bad actors
[00:14:32] [SPEAKER_00]: because, as we all know, you can follow money through the blockchain
[00:14:35] [SPEAKER_00]: and that will give us some visibility into who the actors may be.
[00:14:40] [SPEAKER_00]: And so there's information we will probably ask for
[00:14:43] [SPEAKER_00]: pretty early on to help with that attribution work.
[00:14:47] [SPEAKER_00]: But again, we're going to provide you information up front as well.
[00:14:50] [SPEAKER_00]: And then, you know, as you're in crisis,
[00:14:53] [SPEAKER_00]: the FBI is over 100 years old.
[00:14:56] [SPEAKER_00]: It's a law enforcement agency with a long history of helping people
[00:15:01] [SPEAKER_00]: in crisis. And our job also there is to have you engage with our agents,
[00:15:06] [SPEAKER_00]: computer scientists, intelligence analysts and even victim specialists
[00:15:10] [SPEAKER_00]: to help you through that crisis.
[00:15:12] [SPEAKER_01]: Are there any particular like sort of emerging technologies
[00:15:15] [SPEAKER_01]: that you're you're sort of tracking or cyber threats
[00:15:18] [SPEAKER_01]: that you think are sort of new and emerging that people should be keeping an eye on?
[00:15:22] [SPEAKER_00]: Well, we just announced about a month ago, you know,
[00:15:25] [SPEAKER_00]: we're approaching November in the elections and we announced an operation
[00:15:28] [SPEAKER_00]: about a month ago against a Russian based artificial intelligence platform
[00:15:33] [SPEAKER_00]: that was scaling disinformation campaigns.
[00:15:36] [SPEAKER_00]: So we're all talking about artificial intelligence.
[00:15:38] [SPEAKER_00]: That's the first campaign we saw where a state actor was leveraging
[00:15:43] [SPEAKER_00]: artificial intelligence to scale their influence operations.
[00:15:47] [SPEAKER_00]: So artificial intelligence is going to play a huge role on the offensive side,
[00:15:51] [SPEAKER_00]: but also the defensive side. That's an area we're tracking.
[00:15:55] [SPEAKER_00]: Certainly, the actors are going to continue to target the underlying
[00:15:59] [SPEAKER_00]: ecosystem, like I talked about early of different sectors.
[00:16:02] [SPEAKER_00]: They have cascading impact on other companies.
[00:16:05] [SPEAKER_00]: Likewise, they're continuing to target the supply chains within software.
[00:16:10] [SPEAKER_00]: They're continuing to look to weaponize patches in other areas where they can
[00:16:15] [SPEAKER_00]: weaponize it and it's rolled out to thousands, potentially tens of thousands
[00:16:19] [SPEAKER_00]: of customers out there, which gives them access to all those end user victims.
[00:16:23] [SPEAKER_00]: So we're going to have to keep an eye on that software based supply chain
[00:16:28] [SPEAKER_00]: area because the actors are getting really good at that.
[00:16:31] [SPEAKER_00]: And it's not emerging, but we see it continue to happen is the actors
[00:16:36] [SPEAKER_00]: don't have to use their most sophisticated tools because they continue
[00:16:40] [SPEAKER_00]: to steal credentials.
[00:16:41] [SPEAKER_00]: They continue to exploit vulnerabilities that were disclosed
[00:16:44] [SPEAKER_00]: a long time ago and organizations could patch those.
[00:16:48] [SPEAKER_00]: And so they're able to get into an environment relatively easy,
[00:16:51] [SPEAKER_00]: because they don't have to use those sophisticated tools.
[00:16:55] [SPEAKER_01]: I want to get your sense of a premise that I've been thinking about it.
[00:16:58] [SPEAKER_01]: And I want to get you know, because when I look at cybersecurity
[00:17:01] [SPEAKER_01]: and I'm a general technologist, right, and in my perfect world,
[00:17:05] [SPEAKER_01]: I'd be using customers money to grow their business or increase
[00:17:09] [SPEAKER_01]: top line revenue or do better job with marketing.
[00:17:12] [SPEAKER_01]: Like cybersecurity is one of those areas where it's like it's not
[00:17:14] [SPEAKER_01]: where I want to spend my money is I didn't get into technology
[00:17:17] [SPEAKER_01]: to defend against criminals.
[00:17:18] [SPEAKER_01]: I got into technology to do cool stuff.
[00:17:21] [SPEAKER_01]: Right. And so you look and say, OK, this is something that's necessary.
[00:17:24] [SPEAKER_01]: And it feels like a strategy of being really good
[00:17:29] [SPEAKER_01]: at the basics would go very far.
[00:17:32] [SPEAKER_01]: I was actually would be really good at making sure
[00:17:35] [SPEAKER_01]: multifactor authentication is enforced on all accounts
[00:17:39] [SPEAKER_01]: that we are.
[00:17:40] [SPEAKER_01]: So we're leaning into things like passkeys, you know,
[00:17:43] [SPEAKER_01]: for physical authentication, like and we and we do a really good job
[00:17:47] [SPEAKER_01]: of backing up our stuff, like making sure that we could recover
[00:17:51] [SPEAKER_01]: and maybe we'll have downtime if we get impacted,
[00:17:54] [SPEAKER_01]: but we could put everything back together.
[00:17:56] [SPEAKER_01]: Am I overly naive to think that leaning into just those basics
[00:18:00] [SPEAKER_01]: goes most of the way?
[00:18:03] [SPEAKER_00]: You're not overly naive.
[00:18:05] [SPEAKER_00]: And what I will say is deterrence happens in two ways.
[00:18:09] [SPEAKER_00]: From my perspective, deterrence happens in offensive operations
[00:18:13] [SPEAKER_00]: like I talked about before, where law enforcement or intelligence
[00:18:16] [SPEAKER_00]: sources go and impose costs on an adversary.
[00:18:19] [SPEAKER_00]: Deterrence also happens on the defensive side.
[00:18:23] [SPEAKER_00]: Defensive deterrence is raising the general cyber hygiene
[00:18:27] [SPEAKER_00]: of your organization so that the actors decide
[00:18:30] [SPEAKER_00]: this is not an entity I want to use or disclose one of my more technical
[00:18:34] [SPEAKER_00]: tools on, so I'm going to move on to another act,
[00:18:37] [SPEAKER_00]: another victim who's got less cyber hygiene.
[00:18:40] [SPEAKER_00]: And so you mentioned some of those things, right?
[00:18:42] [SPEAKER_00]: So, multi-factor authentication using FIDO or FIDO2 compliant
[00:18:48] [SPEAKER_00]: tokens in order to leverage encryption behind your authentication.
[00:18:52] [SPEAKER_00]: Authentication is an important area to focus on,
[00:18:56] [SPEAKER_00]: but also patch management.
[00:18:57] [SPEAKER_00]: We talked about businesses are continuing to be exploited
[00:19:01] [SPEAKER_00]: because they're either using end of life hardware on the perimeter
[00:19:05] [SPEAKER_00]: or they're not appropriately patching their hardware and software.
[00:19:09] [SPEAKER_00]: And that means not just your endpoints, but also your clients,
[00:19:14] [SPEAKER_00]: your laptops, your desktops, your servers,
[00:19:18] [SPEAKER_00]: certainly your routers and everything else you have to continue to patch.
[00:19:22] [SPEAKER_00]: And if there's one thing Log4j two years ago taught us,
[00:19:27] [SPEAKER_00]: it's that you have to have an inventory of software
[00:19:30] [SPEAKER_00]: that's running in your environment and understand, do I need the software?
[00:19:34] [SPEAKER_00]: If I'm not using it, I should remove it.
[00:19:36] [SPEAKER_00]: And if I am using it, I should look to secure it. Right.
[00:19:39] [SPEAKER_00]: And so really understanding both the hardware and software
[00:19:42] [SPEAKER_00]: in your environment is incredibly important.
[00:19:46] [SPEAKER_01]: Well, Brett Leatherman is the deputy assistant director for cyber operations
[00:19:50] [SPEAKER_01]: and the director of the National Cyber Investigative Joint Task Force.
[00:19:54] [SPEAKER_01]: Under Presidential Policy Directive 41,
[00:19:56] [SPEAKER_01]: the FBI is the lead cyber threat response agency
[00:19:59] [SPEAKER_01]: for the United States government.
[00:20:00] [SPEAKER_01]: In this role, Brett serves as a senior executive
[00:20:03] [SPEAKER_01]: managing the FBI strategy to impose cost
[00:20:06] [SPEAKER_01]: on some of the most sophisticated cyber adversaries targeting U.S.
[00:20:10] [SPEAKER_01]: interests. Brett, what would be the one thing you want
[00:20:12] [SPEAKER_01]: listeners to know about working with the FBI?
[00:20:15] [SPEAKER_00]: Yeah, that the FBI is there to help.
[00:20:17] [SPEAKER_00]: We are a law enforcement agency in your community.
[00:20:20] [SPEAKER_00]: It doesn't cost you a dime to call us.
[00:20:22] [SPEAKER_00]: You're already paying our salaries in your taxes.
[00:20:26] [SPEAKER_00]: So reach out, engage us.
[00:20:28] [SPEAKER_00]: And we are there to provide intelligence available
[00:20:31] [SPEAKER_00]: only to law enforcement to help out.
[00:20:33] [SPEAKER_00]: And we hope that everybody will establish that relationship
[00:20:36] [SPEAKER_00]: with their local FBI field office.
[00:20:38] [SPEAKER_01]: This has been great. Thanks for joining me today.
[00:20:40] [SPEAKER_01]: Thank you so much.
[00:21:28] [SPEAKER_01]: The Business of Tech is written and produced by me,
[00:21:32] [SPEAKER_01]: under ethics guidelines posted at businessof.tech.
[00:22:06] [SPEAKER_01]: Once again, thanks for listening to me.
[00:22:08] [SPEAKER_01]: I will talk to you again on our next episode of The Business of Tech.
[00:22:15] [SPEAKER_00]: Part of the MSP radio network.

