Darknet Diaries

167: Threatlocker

12/23/2025 · 49:17 · 9,278 words

A manufacturer gets hit with ransomware. A hospital too. Learn how Threatlocker stops these types of attacks. This episode is brought to you by Threatlocker.

Transcript


Hello, hello!

In this episode, I'm gonna gush about ThreatLocker.

Why? Well, currently, they might be a big sponsor, which makes them my favorite sponsor. But what I'm saying is that this whole episode is brought to you by ThreatLocker. But don't worry, I found some pretty great stories from them that I think you'll find interesting and educational. So, let's go!

These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.

Do you want to mention your name or company name or all, or do you want to keep that out?

No, I'll keep that out.

I guess that's just to do with the fact that we don't want people to know what we use?

Yeah, I feel the same way. Everyone's asking me, "What do you, what's your privacy stack?" And I'm like, "If I tell you, now you know exactly how to target me."

Yeah, it's happened exactly.

Okay, so the first question was, "Who are you, what do you do?"

Yeah, I can generalise. So, I'm the group head of IT operations for a manufacturing company, and I look after the operational running of the IT across the business. We're a thousand-employee business, operating across 17 different sites in the UK and Europe. I look after the security, cloud operations, infrastructure, servers, client support, etc.

Okay, you get the picture. This guy manages a huge network with a thousand employees, which probably means there's like 10,000 computers that are all up and operating. Picture a factory. No, picture lots of factories, spread all over Europe.

Yeah, we have distribution centers, offices, and big manufacturing sites.

So, how's the network now? Have you had any problems?

I mean, right now we're in a good place. If you rewind back five years ago, we were in a very bad place.

What happened?

Well, unfortunately for me, I was actually on my way on holiday. So, I was in the process of driving the family down to the South Coast of the UK, and I got a phone call. I don't remember the exact words. One of my technicians said, "I don't mean to worry you, but something worrying is happening." And it's like, okay, calm down and explain exactly what's happening. He's like, I've just had a ticket in where somebody's tried to go to some files and all the files were renamed, and I was like, "What do they say?" It was like, "They all end in the word dot Conti." I was like, "Oh no."

Yikes. Conti is a type of ransomware. Well, it's kind of more than that, actually. It's practically a full company that's in the business of ransomware. They're Russian-based, and they build the ransomware, but then they have sort of an affiliate program where someone could use their ransomware and go infect a company, and then that person would get a cut of the money if the company pays a ransom. It's devastating and brutal to be hit with it, and this doesn't sound good at all.

So, I had to make phone calls, continue to drive the remaining three hours of my six-hour drive, because I had my whole family with me, drop them off, and then turn around and drive six hours back, making furious phone calls the whole way.

Yeah, oh my gosh. Is there a protocol? Is there a go-to, a runbook, or something? Like, okay, if ransomware comes in, here's the button we hit. Here we've got to turn the network off as fast as we can, or something to keep it from spreading. Do you have a procedure in place?

We do now. We didn't then. A number of the people in my team had experienced situations like this, kind of, but not on the scale that we got hit on this. And I know five years ago was a long time ago, and a lot of things have changed, and people are more aware of what to do and to have those sort of playbooks in place. And we had an element of what we do, and the first thing we reached to was turn everything off, but too much turmoil was going on and making too many calls and trying to deal with everything. And I just remember at one point my senior infrastructure engineer just told everybody to shut up and give him five minutes to think, because everybody was just asking too many questions, and we were trying to work out how we respond to this.

Yeah, yeah, I imagine it's a really hard time to focus. So how bad did it spread, or how bad did it knock you out?

Well, in the space of 15 minutes it encrypted all 250 servers. Like I said, it hit about 350 endpoints as well.

Servers. Yes, okay. So your whole infrastructure is down.

Yeah, I mean, that sounds like business is going to stop.

Yeah, and it did stop at that very moment in time. And we assembled a team. I had the very nervous six-hour drive back, making loads of calls to everybody, trying to work out what's going on, work out which way to go, had to get people to sites. This was on a Friday afternoon, around about core plus four that it happened, which is quite a common tactic used because people are just switching off on a Friday afternoon. And we pretty much just had to turn everything off and then work out where we go from there and give ourselves some headspace to think, because it was just too quick. We just couldn't react to a 15-minute window.

A lot of CISOs and CEOs reach out and they say, "I'd love to be a guest on your show." And I say, "Well, only if we're going to talk about the worst day of your life." That's the kind of stuff I'm interested in. Would you say that this was the worst day of your life, as far as career-wise goes?

I say that to everybody I talk to about it, which I don't actually like talking about, because it takes me back to that day. That sinking feeling in your stomach is absolutely the worst stress, the most stressful situation I've been through in my career. Hands down. I think I did 27 days straight after that.

Yeah. I mean, you've got to even worry if your job is on the line here as well, because if you're the one in charge of this sort of stuff and now this is happening, there are people blaming you.

Well, I mean, that's the first thing that comes into your head. Well, after you've tried to work out how to deal with everything, you think, am I going to get blamed for this? But then very quickly after that, you realise you've just got to focus on actually doing what you are paid to do, because ultimately hackers and people that are trying to attack you are trying to attack you all the time. And it's a constant battle.

Okay, so you drive back frantically, you arrive late night Friday. Do you go right to the office in the night?

Yep.

Wow. And then, so okay, so I mean, there's a lot of people out there, you know, armchair experts that are just like, well, you just restore it from backup, like, what's the big deal?

I mean, the problem with that is you don't know whether they're in the backups. You don't know whether they were already in your environment and they were just waiting for the right time to push the button, which we thoroughly believe they were. So what we focused on was stopping everything and then working out how, how did they get in, where did they come from, what method did they use to actually spread and initiate the attack?

Ah, good point. It's like trying to set up dominoes when your cat is on the table. You want to get rid of the threat in the network before beginning to restore it. If you restore and the thing just reinfects you, that's a waste of effort. And maybe it'll show them where your backups are kept and infect those too.

So once we'd worked that out, we then established a process to be able to check our backups, check each VM as we brought them back online. We established a protocol for rebuilding machines. We printed signs off at the doors of every office and told people where to go with their machines so that we could rebuild them. We kind of employed the whole red amber green process.

What's the red amber green process?

So every laptop, until it's checked, is considered red, then it goes into amber as it's being worked on, and green, it's good to go back to the user.

Okay, pretty simple, but it keeps it easy to manage because you've got a small team.

And I have a team of, there was 10 of us at the time, and you're managing the throughput of upwards of 600 laptop users at multiple sites. So you need a process to check in, check out everything.

Yeah, I mean, their devices were toast and you were just re-imaging them from a fresh image, right?

Yeah, but we'd lost our imaging service. But yeah, so we had to rebuild them manually for a while until the team, the sort of sub-team that were dealing with the servers, were at the point where they were bringing the imaging service back up. And then you've got users wanting to know what's going on. You've got middle management, senior management, board of directors, everybody wants to know what's going on, and that completely flusters the situation. So you can't understand, you can't get a clear head to actually focus on the task at hand.

Yeah, I imagine there's a bunch of emotions to manage in this, which is stuff I don't think anyone talks about, right? You look at the CISSP manual and they don't explain, okay, when you're in the middle of a breach situation, here are the emotions you're dealing with, and how to detect them, and what to do about them.

Ah, there's definitely moments where you kind of just sit there and you feel like maybe you can't actually do this, maybe you can't get it back. There's an element of shaky hands in-dream, and anybody can claim to be cool and calm, until they're actually in the trenches with this situation. And it can really, there was a lot of team fighting and arguments and falling out and people popping under the pressure. It was a hell of a ride.

When you say popping, what was some of the stuff you were seeing?

Well, I had a team member walk out, because he didn't agree with a certain methodology to fix one thing, and another team member fall out with another team member, and arguments happening in meetings where we're trying to work out what's the best methodology to bring something back online, or to grant somebody some slight access. Because I turned around to the business and said, "I can get us back from backups in about five days. But if you really want the best solution, give me three weeks, and we will build it back how it should have been done in the first place."

What a proposal for leadership to decide on, huh? Business is down, there is no manufacturing happening, no shipping, no revenue coming in, and the question is, "Do we get business back up as fast as we can, or, because those old systems are end of life and badly need to be replaced, take advantage of this outage, and upgrade everything properly, and build for the future?" And of course, this incident is all that the business leadership can focus on. All other meetings and projects are canceled until business can come back up.

Okay, so what path did they choose? Five days, three weeks, or somewhere else?

Really, they wanted the whole thing.

That's an ambitious thing to say, "I'll redo the entire infrastructure, but properly this time, three weeks." Didn't they mind being down for three weeks?

Well, sort of. What I did was make sure that certain services came up as reasonably quickly as possible, so email, communications, and then focused on a major system here, or a major system there, and slowly brought everything back on. But by getting some of those primary services back up and running, I was able to then get the headspace to concentrate on the other eighty percent of the business, and the business accepted that there would be some interruption in that process, and they wouldn't necessarily get everything back. So a good example was we didn't turn Wi-Fi back on until the very end of the three weeks, so nobody had Wi-Fi. That was to stop rogue devices turning up and undoing all our hard work. You know, what if there was still something running on a laptop that we hadn't got to, or identified? Internet was shut down at every single site, and then we kind of had like a board, where you had every site, and all the services, and sort of, again, the red amber green of when we are ready to start bringing stuff back on.

Oh yeah, that's got to be the moment of truth, you know, when you flip that switch on and bring the network back up. Are you sure every device got cleaned up? Because Conti is notorious for spreading quick, so if you bring the Wi-Fi up, and there's just one device that's still infected, it will try to spread all over again. They really need a solution that could give them visibility, and crucially be able to stop this from spreading again.

We bought Malwarebytes, the enterprise platform version of Malwarebytes, and paid quite a lot of money for it, but quite quickly found that it wasn't really up to the job that we'd hoped. It was good as a helper, as an assistant to check machines for being clean, servers, and whatnot, but it didn't really do everything. It was more of the traditional sense of a signature-based scanning tool than it was anything else, and it found some registry entries and things. So then we started looking, well, what do we actually need to put in place? We need an endpoint solution, an actual proper EDR, but we don't feel like that's good enough, that it's going to protect us 100%. So we probably need something that's going to do application control, as in an application whitelist. So I reached out to a bunch of suppliers at the tail end of that three weeks, and was like, "Can you find me something that does this?" And one supplier actually said, "Well, we use ThreatLocker in our environment ourselves," and so I jumped on a call and had a demo, looked at the software, and I was like, "That's amazing. I need that right now." And that's where we discovered ThreatLocker.

So what was amazing about it, you know?

It stopped everything from running, if you didn't allow it to run.

This is black and white, isn't it? Stop everything from running. Okay, let's think about that. You know the difference between a router and a firewall? They're both network devices. They look at the packet coming in, where the data is going, and then they decide where it needs to go, and then send that along. At their core, they're very similar. But a router wants to get all the packets to pass through it, and on their way. But a firewall really, really wants to stop every packet from going through it. See, by default, a router permits everything, while a firewall will deny everything, which means the firewall acts as a security guard, stopping everything it doesn't like. But the router acts like a public park; just anyone could come and go. And so you have to poke holes in the firewall if you want anything to get through it.

So the question is, when you go to run an app or a game or anything on your computer, should it act like a router and just permit anything you try to open, or should it act like a firewall and say, "Hold on, buddy. You need a permission slip to open that." Traditionally, all our computers just do what we tell them to do, which makes sense. Open app. Okay, done. Because when you need to use an app, you obviously need to use it. But the thing is, malware is tricky. It's sneaky. It's hiding. It's being quiet. But it's also opening and running and doing stuff without us seeing, all secretly in the background. So what ThreatLocker does is it says, "Okay, let's start by blocking every app from opening and running. But if you, the user, want to open something, just ask. And we'll let you open it. We just want to block apps that you didn't try to open, or apps that you don't actually need."

And we figured, in a world where we'd just been absolutely burned to high hell, we need to stop everything running, unless, of course, we allow it. Every single device, server, client, we needed to know that it was not going to run anything that we did not want it to run. And our supplier was using it in their own environment, which is always a very good sign, if the person trying to sell you it is also the person that's using it. And we were like, "Yeah, how quick can you get me the installers?"

So when you get ThreatLocker, it goes through a learning period where it just listens and allows everything. And from there, you get a sense of what apps everyone in the business is using. And so you add those apps to your allow lists, so business can continue. And then switch it over to secure mode, where if your app isn't on the allowed list, now it's going to be stopped from running.

It just says, "No." And it comes up and says, "This has been blocked by ThreatLocker." And you can request it. And then when you request it, we have a portal where we can just say, "Yes or no." And then, there's a lot of tinkering with how you set up the policy, but we pretty much just say "No" to everything.

And so how annoying is this to the users? To like, you know, you imagine some people are just like, "Oh, you can't run anything on this laptop. This is stupid." Do people complain a lot about it, or are they okay with it?

Maybe they did, originally. And I think even if they did complain, you've got such an easy card to pull out. You could just be like, "Okay, back in 2020, let me tell you what happened." Well, we cannot afford to have three weeks of outage again, because this is very serious stuff. I've used that so many times. And I turn around to the users and go, "You can't have this piece of software," and they'll be like, "Why?" And I was like, "Because it's open source. It allows plugins. We don't know whether it will be safe, and it could be exploited." And I'd say, "Do you want to be the reason that this company gets hit again?" And just put it on them. Or if they escalate it to their director, okay, then I'll say to the director, "Do you want to be the person that authorized this software that takes the business down?" And people back off really quick when you say that.

Okay, so since getting ThreatLocker, any big security incidents?

No. But I don't like saying that, so I don't like tempting fate.

Yeah, exactly right.

But no, we haven't had anything.

Yeah, you're saying that.

Yeah, I don't like saying it.

Ransomware. It's the most successful business model cyber criminals have ever invented. The people infecting us with ransomware are making tens, if not hundreds, of millions of dollars by hacking into a company, locking up their data, and holding it for ransom. It's on the rise; even just last month, I heard it's more ugly than ever. It's also one of the most disruptive types of cyber attacks. When a company gets hit with it, it becomes a huge deal. Companies have gone out of business from ransomware. So I wanted to talk with someone who defends companies from this type of attack.

My name is Hunter Clark. I'm one of the cyber security engineers at ARC Technology Consultants. My main focus is around endpoint security, and how we can help organizations implement some of those zero trust principles in their organization.

ARC is an MSSP, which is a managed security service provider, which means they take care of a bunch of people's networks. A lot of businesses don't have a cyber security team to keep their network safe. ... on everything and help keep it secure. One of the networks he was put in charge of securing was a hospital.

There's a lot of servers in the environment that run applications that are critical, like imaging software, solutions that the doctors leverage to diagnose patients; a lot of it runs on servers. So those are typically what we try to secure. So we took a look at this hospital's network. It didn't have very sophisticated security tools.

So him and his team brought in ThreatLocker and installed it on all the servers and computers and went through the learning process of what apps are normal in the network and then locked it down so no new apps could run. Along with that, they installed an EDR, an endpoint detection and response tool, to monitor for suspicious activity. And then they suggested adding multi-factor authentication, or MFA, on all the internet-facing portals and computers. But the hospital said no. They didn't have the budget for implementing MFA. They didn't want to have to train users on how to use it, or have the doctors complaining about having to use MFA. So they did not have MFA.

Okay, well, if they don't have the budget, they don't have

the budget. You do what you can to protect them with what you've got. But late one night, something happened.

The incident originated, obviously, in the middle of the night, as all incidents do. But we got a call from the EDR/MDR solution that we were using that there was someone in the environment. And this is something that people should consider, is that not all MDR solutions are created equal. Some of them will pull the fire alarm, but not help you put out the fire, right? So they'll let you know something's going on, but not necessarily step in to stop it until they're able to get a hold of you. And in this case, you know, it happened at 3 a.m. And we received the detections that something was going on. And we were able to then, early the next day, 5 a.m., 6 a.m., whenever we got up, start investigating what had actually happened. And that was whenever, as part of that investigation, we started looking into ThreatLocker logs to see, okay, what did the threat actor try to do, what user account was likely compromised, seeing the threat actor bounce around the different servers. And that's whenever we saw that ThreatLocker had blocked the solutions that the threat actor had planned on leveraging, such as AnyDesk and rclone.

Someone got into the network, gained access to a Windows server, tried to infect it with ransomware, but ThreatLocker denied it. Nice. Okay, but how did they get in?

The threat actor had bought credentials off the dark web for a domain administrator account for the environment and was able to just remote in through the VPN and had full domain admin rights across the environment.

That darn VPN. I mean, VPNs are great. They allow you to connect securely into a company from home or on the go. They are essential, even. But they also are exposed to the internet. They're a portal into a company's network. But that's something that should be super secure since it is out on the internet. But in this case, all that was needed to get into this hospital's VPN was a username and password, which happened to be for sale on the dark web. How wild is that? A username and password is not good enough to keep people out anymore.

One of the questions that came up was, would MFA have prevented this event from happening? And it was pretty clear: yes. If MFA would have been implemented, then at least that initial access, the threat actor would have had to find a different way in than through the VPN.

Anyway, this is why there's defense in depth. You want layered security so that there are multiple places that should have stopped this attacker. And they were lucky that they had ThreatLocker to stop this. But this attacker was clever and motivated. And even though they were stopped, they weren't done yet.

This hospital system used to be made up of multiple different hospital locations. A few of them had been sold off. But they still needed to maintain VPN tunnels between the sites because of certain application dependencies that the hospitals had had time to build in their own environment. So because of those VPN connections, to the threat actor, it looked like it was just one network. It probably looked to them like it was just one big connected network. But really they ended up bouncing to a different hospital system that was not a customer of ours, that actually did not have ThreatLocker in the environment, and was able to deploy what they needed on those devices.

Oh no, they bounced from this hospital to another hospital that was connected internally and were able to do damage there.

The threat actor ultimately reached out later that week saying, hey, you know, we compromised your environment, we have terabytes of data. They wanted the hospital to pay hundreds of thousands of dollars in ransom ...

Whenever this happens, right, the company, if they have cyber insurance, they should just read their cyber insurance, because it probably says in there that in the event of an incident, you need to call us, because we have incident response companies that we trust that we want to have involved in this. So that's what happened. And as part of that cyber insurance, there's also usually some sort of, they will negotiate on your behalf with the threat actor to try to get that ransom cost dropped as much as possible. So with the knowledge that we have with ThreatLocker, being able to see where they were able to get to, I know they were able to drop it by quite a bit. I can't, I don't know exactly the number it dropped, but I heard that they were able to negotiate pretty effectively because they knew what the threat actor actually had been able to get to.

Okay, so they lowered the ransom and then they paid the ransom.

Yeah, this hospital system did end up paying the ransom. The hospitals, they would ask the threat actor, hey, how can we improve, how can we get better, or what should we be doing? And the threat actor responded saying that they quickly realized that ThreatLocker was on the Windows devices. So they knew that they wouldn't be able to use those for the purposes that they intended, and they began to pivot to other locations in the environment that did not have ThreatLocker.

Tell us who you are and what you do.

So I'm Danny Jenkins, I'm CEO and co-founder of ThreatLocker, but what I do is really build solutions and educate the world on how denying by default is the best way to address security, and it doesn't have to be difficult.

So you started ThreatLocker. How did all this get started for you?

The first thing is, I wanted to do something fun, and I started doing some ethical hacking. I ended up doing more ransomware recoveries than ethical hacking, because people would call me and I wanted to make money. So they'd say, hey, I've been hit by ransomware. Can you help with this recovery? We paid a ransom. And this one particular case in Australia, which was the first one I dealt with, it was an insurance broker. So about 50 employees, insurance company, and I got called in by the MSP, managed IT company, to help with the recovery. And I came in and they'd paid this $22,000 ransom and they hadn't got their data back. So they got some keys, but the keys didn't work. They weren't decrypting the files. Their Exchange databases were encrypted. Their SQL databases were encrypted. Everything was encrypted and broken. And they'd asked me to come in. So we start trying to reverse engineer the code, see if the decryption keys are in the code. Try to use low-level data recovery tools to get things from the disk that had been deleted or written over for encryption, or recovering from RST trial. So email databases. We're trying everything we can to get this company back up and running.

And during their recovery, the owner of the company called me. And first he got quite mad, and he was like, "Well, when's this going to be done? I've been waiting two weeks and I still don't have my servers up and running." And he's getting quite mad, and it's like, "Look, you need to be realistic here. I'm trying to recover your files, but you have everything encrypted, you have no backups. You've paid a ransom, you didn't get your data back. And I don't know if it's going to be back, and we're doing everything we can to make sure you can get your data back." And it then turned into quite an emotional call, and his voice started crackling, he started almost crying down the phone, and I got really awkward at that point because I really didn't know what to say. And to me, this was different, because every other cyber attack, I call it cyber attack, every other malware attack I dealt with, because prior to 2014, most malware attacks were really just IT issues. It was, you know, getting adverts, someone sending email out from your server. It'd be an IT problem. IT needs to fix the server because we're sending spam emails. IT needs to fix the computer because it's getting pop-ups. The worst I'd seen before that was someone crying because they saw an inappropriate picture. And what I did was, it suddenly hit home that this is a real problem, and this guy's going to lose his entire business, and he's close to retirement age, because somebody decided to download a piece of software. And I didn't, at that time, go, I'm going to go and start a company to solve this. What I said to the IT team and what I said to him, after we, and we managed to recover enough, was you need to use application control, you need to block software by default. And he said to me, okay, well, I'm going to go and do that. And then the IT team told him that Danny's stupid, don't listen to him, it's not viable, we can't do that. And I went out to prove them wrong, and I couldn't prove them wrong. The IT team. And that was really the first time we said, well, let's try and build something to prove them wrong. And it kind of went back and forth on this idea quite a bit, because it wasn't an easy lift to build a solution for this. But we had to. It was really in 2017, we had a product, a concept product. This was the right thing to do, because we knew, in order to make zero trust viable. And today, we've got 70,000 companies that use our product, from small businesses right up to some of the biggest companies in the world, federal government, airports, banks, everything. But back then, I was like, I need to make this so it's viable for everyone. I need to make it so we can deploy application control. We can block software by default. We can ringfence applications, and make it so you can deploy it in hours and days, not months and years. And I wasn't sure it was going to be viable without hiring. I ended up hiring hundreds and hundreds of people. But I think in 2017, my mindset shifted, because before 2017, I was thinking about building a business that 1% of the world would sign up to. After 2017, I made the decision we don't want 1% of the world. We want to change the market, and 90% of the world are using a zero trust approach.

Okay. So, so you coded it at the beginning? You built it?

Yes. So, I coded the first bit. So, I coded the first version, and there's four parts of ThreatLocker, if you like. There's a service, there's a driver, there's a portal, and there's an API. That's the four original components of ThreatLocker. And I wrote an entire version of it. And I wasn't so good at the driver stuff. I caused a lot of blue screens. So, we ended up bringing, at the very beginning I wrote the whole thing, and then I got somebody else to come and rewrite my driver code, because frankly, it just wasn't very good. And since then, that's probably one of the best decisions we made. And today, of course, we've got 250 people in our R&D department, but then it was just me writing code and Sammy and John testing and deploying.

Can you tell me about the first network you installed it on?

Well, so I guess we obviously installed it on our own machines. I think the first network outside of our own that we installed ThreatLocker on was actually my kids' school. And they had a problem as well. We were looking after our kids' school IT. We were getting very actively involved, because we couldn't afford private school for our kids at the time, and we were essentially getting help with scholarships because we were helping them with the IT systems and everything else. And they were getting malware every single day. It was like a complete nightmare, and we pushed it out to them. That was very difficult and somewhat unstable in many areas, because there were things we didn't even think about and we were seeing a lot of noise. But they went from malware every day to never since. And still today they're using the product, and my kids aren't in the school anymore, but our chief product officer's kids are actually in the school now. And the IT management went down from full time to a couple of hours a month, because the systems became very stable, very easy.

Deny all apps by default seems like a radical idea. Like, to block everything seems like it's going to halt productivity.

Radical depends on where you start. If you start in a situation where my network is running smoothly and I'm very happy, you would never approach with that idea. You'd approach with the idea: we're going to learn what we have, we're going to review the list and remove the things from the list we don't want. Whereas if you start with the situation that I've been hit by ransomware, attackers are in my network, the alternative is you shut down the entire network, or the plus side is you allow the network to run but you only allow these trusted apps, and then every time someone wants something they request it for the first time and we add it to the list. And it doesn't seem so extreme now, because the alternative is the whole network shut down until we've reformatted every single computer and guaranteed that nothing's bad on it. So it really depends where you start. For 90% of customers, they're starting from a clean slate, so they'll learn and they'll remove the things from the list they didn't know about. For the other side, the customers who are starting from "hey, we've already been hacked," it's not extreme to say "hey, everything's blocked until we've approved it," and it's also not that difficult, because most people think, "well, what about all the software we don't know about?" But the average user uses, you know, 10, 20, 30 apps on their machine, and it's Chrome, Zoom, Office, Firefox, and then they have an SAP system or whatever that may be. So it really doesn't take long, even when you're dealing with a response. I mean, you never want to be doing it from response, but even when you're not in learning mode and you say, "if you need something, hit the request, we'll review it and we'll approve it overnight," it's still not the end of the world, because that's a lot better than where you were, where, oh, ransomware is actually going to get our environment.

The traditional way we would secure networks was kind of like a castle and moat type of system.

Everyone inside the castle wall was trusted; they could go anywhere, do anythi...

put up this giant gate and moat around the whole thing, keeping everyone out that you don't want in. But the problem with this is that if someone does sneak in, well, now they've got access to everything; there's nothing to stop them once they're in. If an employee turns rogue or clicks on a phishing link and gets infected, that employee's computer can go anywhere and do anything. So the new way people are securing networks today is called zero trust, and that simply means verify everything. No longer is everyone on the inside trusted by default; they're now given the least amount of privileges to do what they need to do, and tools like ThreatLocker are great for implementing zero trust, since you can see and lock down any and all activity in the network very easily and quickly.

So in the world of zero trust, you essentially grant access where access is required. Everyone thinks it means no. It doesn't mean no. It means if you're the finance director and you need access to all of the financials, we're going to give you access to the financials, because that's your job. If you need to upload those financials to the internet, we're going to allow you to upload those financials to the internet, because that's part of your job and requirements. So in the world of zero trust, it's not about no; it's about, if you need it for your job, we will grant that permission. In the world of detection and response, you're saying, if I detect an anomaly or something suspicious, I'm going to block or respond to that anomaly or something suspicious, but if we don't detect something suspicious, we're just going to allow it. So in the world of detection and response, everyone can access the financials; in the world of zero trust, only the people that need to.

What is your mission, or what's ThreatLocker's mission, or what are you trying to change in the world?

So simple. This is very simple. I want to change the way the world thinks of security from default allow to default deny. So rather than going into a computer and saying I'm allowed access to everything

until someone's decided it's bad for me to access this, which is how most security works right now on endpoints, I want to change it so I go in and I need to access everything I need to do my job, and everything else is denied until somebody's decided and granted me that permission. That's our mission as a company; it's been our mission since the beginning. We attend over a thousand trade shows. ThreatLocker has attended over a thousand trade shows this year. We host Zero Trust World, and the reason we do this is education. I think I did a hundred and twenty trips this year, and I will do local events or digital, or I'll go to Black Hat, to RSA, to Gartner events, and it's about educating people why this is so important but also how it's not difficult, because people think it's going to take them months and years, and I've onboarded people in hours. I mean, ideally we want to do it over a week so we can do a nice learning baseline, but it's very easy to do, it's very effective to do, and so my mission is to make sure people understand why this is so important and then also educate them how it can be done.

Yeah, so educate me, educate us. So you say deny by default. Could you explain why that's so important? Or even pick another topic and say, here's what else is important to me.

Okay, so deny by default is so important because, think about this: if we go back, as a world we've never been very good at stopping viruses. I mean, let's face it, we go back to 2000 and 2001, we have the Love Bug virus infecting a third of the world's business community. Now that virus said "I love you" and emailed your friends and said "I love you," so it wasn't the end of the world. We had the Blaster virus after that. All of these times we had antivirus; we were denying by exception; we were allowing by default and denying by exception, and we weren't very good at doing that. In 2007-2008 we started seeing botnets, emails being sent out. Again, people were getting malware all the time; they were sending these spam emails; they were getting pop-ups. But it was a problem, and it was an IT problem. We go to 2014, we started seeing malware that actually encrypts files and takes down businesses. Malware and software are the same thing. They're literally written in the same languages, work the same way; the only difference is the intent with which it was created. So every piece of software you run on your computer, whether it's Angry Birds or Logitech Support App or Microsoft Office or Google Chrome or a piece of ransomware, can see all of the files that the user who runs it can see. So you don't have to be an admin. If you're a finance director, if you're in sales, it can see all of your files. So if you were to say, "I want to deny software by default and only allow software that's been approved by the company," what you end up with is the situation where you're no longer just relying on "I'm going to detect the latest threat," but you're now saying, "I'm going to block everything; it doesn't matter if I detect it, because if the software isn't approved by the business, it's not allowed to run." And that is so efficient at stopping ransomware, malware, but also things like TeamViewer, remote access tools which are often used by scammers to gain initial access to your network.

This is great. Keep going. Tell us more about how to secure a network.

Most security threats can be stopped with one of three methods: people, detection and controls. The first one is through people, and the first example I'll give you is phishing. In the event that

someone wants to phish you or someone in your company, they're going to send a...

or text message, whatever it may be. As a user, you have the power to stop that attack immediately in its tracks by not clicking on the link, not putting your credentials in. The attacker's gone if you don't do that. So that's method one: the people don't make the mistakes, don't click on the phishing links, don't give somebody access to their machine. The second method is to detect a threat, and this is where we look at the phishing. This is where we'll say, is this a known bad website? Does it exhibit signs that it's a phishing attack? And again, the detection is not a guarantee, because the website might just be... in the span of an attack they'll switch the website out, use techniques; it's brand new, you don't know it's a bad website. But it's a method: if you manage to detect it and you can block that phishing link from being used, the threat is neutralized. The third way is the idea of controls, and controls are where zero trust really fits in. And this is the most simple way. This is where you say, well, I'm going to turn on things like dual-factor authentication, I'm going to turn on things like IP restrictions, so it can only be accessed from one of our known IP addresses. And when you do this, you basically say that I accept my user might click on the link and give the person attacking them their password. I accept that my email security may not detect the phishing email, but I won't accept that they can still get into my machine. So what I'm going to do in addition to this, now I'm going to restrict which IP addresses can log into my Microsoft Office tenant to only the IP addresses of my devices, and I'm also going to enforce dual-factor authentication, so the password by itself isn't allowed; they're going to have to have the user's physical device. As an IT or security professional, the controls are the only thing that you actually can control. You can train your users, but users are going to make mistakes; people are going to make mistakes all the time. You can buy detection, but detection can't tell the intent if it's new, if it's unknown. But you can control whether, if someone puts their password in, somebody will be able to get into your system. So that's the first example of where that's really important. The second example is when we think about malware. I can put an antivirus on a machine and say, if you download known malware, block this known malware from running. And Windows Defender comes shipped with every machine, and sometimes it blocks the malware, sometimes it doesn't. I can tell my users to never download attachments, don't open things that you don't know where their source is, and if the user doesn't do it, the threat has failed. But I cannot guarantee either of those two are going to apply. If I block untrusted software by default, if one and two fail, three is always going to be successful, and this is where security has to be. And if we go back to even the 80s and the 90s, we didn't use to have firewalls on our network; we didn't use to have firewalls on our computers. Windows didn't have a firewall built in until Windows XP, and we'd get constant malware, and Microsoft would patch it, and then we'd get malware again, and Microsoft would patch it. Microsoft released the firewall on the computer, and suddenly malware from the user dialing up to the internet or connecting to a broadband connection vanished, and it became people downloading malware, because they implemented a "we deny network traffic by default" policy. That's how all security should operate.

Do you have any statistics that you can tell me that tell me that ThreatLocker is effective? I mean, when I go to the doctor and they give me medicine to prevent an illness, I don't know if it actually prevented the illness, because I can't tell if I got ill and the medicine fixed it, right? So if ThreatLocker is here to prevent ransomware, how do I know it worked?

So I will tell you, you know, so I've got roughly 70,000 companies that use ThreatLocker, and I think the 70,000 companies that use ThreatLocker range from small businesses through MSPs right up to some of the biggest software companies, banks, financial companies, hospitals, airports in the world. So it really is a mass scale. Now, a lot of them go

through MSPs, so you take an MSP, they have a hundred small businesses they'll manage. I have never had a customer with a ransomware case that wasn't ignoring obvious signs. So like, we will send a report saying you have your machines in monitor-only mode. And the bottom line is, I'm not... and there's no such thing as unhackable, but the only way is, if you go out and you install network control and you close ports and you stop untrusted software and you stop PowerShell accessing things, nothing's impossible, but it's almost impossible to get through that. And if I look at those 70,000 businesses, I'm tracking about 125 ransomware cases on them, and every single one of them has been pure... their machines were not secured, or the other one we see is where they had open ports on the hypervisor, and so one

got in, they shut down the VMs and put them in safe mode, and then like that ...

the policies that they followed: we're going to stop untrusted software, we're going to close ports, and I'm going to allow the devices I trust. I have never seen a case where somebody gained access to a machine.

ThreatLocker is hiring, but beware: they'll tell you in the interview that it's the hardest job you'll ever have.

Yeah, I mean, every person that we hire, we make sure that they're aware this is going to be one of the hardest jobs they've ever had. And because, look, I try and always say to our... yeah, I make sure everyone in the company knows we are not supporting a software product; we are supporting a hospital, an airport, a government agency, a local business. And when someone calls in and they're having a problem, the thing about what we're doing is we often... I would say 70 to 80% of our support tickets have nothing to do with us, and the reason people call us first is because if you say, well, I've got an EDR and I've got a zero trust endpoint security product, and suddenly one piece of my software, my dental software, is not working, it's very, very easy for you to say, well, assume it's to do with zero trust. Always. Like, I've spent literally four hours proving and diagnosing and working with a competitor in the EDR space to say, look, you have a problem here with your software. I will... still, ThreatLocker will show them the issue is still happening, and then we'll actually go in with the vendor and say you've got a problem with your software here. Because I think it's easy to assume that zero trust is the problem, but most of the time it isn't. But you've got this culture change which we're trying to change, so people have to know it's hard. But I think it's also incredibly rewarding. I think what we do, there's nothing better than the feeling that we just stopped a major ransomware attack somewhere. My door never gets closed, my phone is never turned off. And I always say to anyone, if you can't fix a customer issue and you can't get someone else to help you, you know, go over to the development part and go over to your peers, but also, at the end of the day, if it's 2 a.m. in the morning and it's not working, come and call me. Like, call me, call Sami, who's our other co-founder, and call and say, hey, I've got a customer on the phone and they're saying that something's wrong and something's getting blocked and it shouldn't be, and I don't understand why and I can't find anyone else. It's like, well, let's see what's wrong, because I'd rather... I think it's important for everyone to know that we're willing to take a phone call at 2 a.m. in the morning if it solves the customer issue.

And how many phone calls do you get a month during your sleep?

Probably six or seven.

Jeez. And no overtime for that?

Yeah, no, I think it's... yeah, we have a 24-hour... I mean, we have customers in Australia, we have offices in Australia, in Dubai, in Dublin, we have staff in 11 different countries, we have customers all over the world, and I just think it's more important that we solve the issue for the customer, and that's the bottom line.

Thank you so much to our guests, and especially Danny Jenkins from ThreatLocker. To learn more about them or to get a free trial, visit threatlocker.com. This show is made by me, the real Slim Shady, Jack Rhysider. Mixing by Proximity Sound. Theme music is by the mysterious Breakmaster Cylinder. I got tired of forgetting my password, so I just changed it to the word "incorrect," and whenever I go and I type in the wrong one, the website always says "your password is incorrect," and I'm like, oh yeah, thanks for the reminder. This is Darknet Diaries.
