Modern Cyber with Jeremy Snyder - Episode 56

Joe Erle of Ransomware Rewind

In this special crossover episode of Modern Cyber and the Ransomware Rewind podcast, Jeremy teams up with Joe Erle for a wide-ranging discussion on API security, ransomware threats, and the changing landscape of cyber insurance.


Podcast Transcript

So, how are you doing, Jeremy? I'm doing alright, Joe. How about you? Good.

Good. So, Jeremy and I were talking, and we didn't know which person's podcast we were gonna do. So, we figured we'll just do a crossover to see how this works. So I'm Joe. I'm from the Ransomware Rewind podcast.

We're talking about ransomware, fun current events, hacks, information to help you stay safer. And, Jeremy, go ahead. Yeah. I'm Jeremy with Modern Cyber Podcast. We talk about lots of things connected to cybersecurity, ransomware, cyber insurance, all topics under the sun, cloud security, what have you.

Excited to do this crossover episode. Let's get into it. Absolutely. Absolutely. Right.

To start off, tell me about API security. Yeah. Happy to do that. Look. API security is something that we've been passionate about for more than three years.

And the genesis of it and how we kind of stumbled across APIs as being an attack surface that organizations need to worry about is that both my cofounder, Riley, and I came out of cloud security organizations. Me, more on the vendor side, I was working for a cloud security software company, and he was working for a large media company. And we both observed the same transformation happening at the same time. And what that really was was that a lot of companies move to the cloud. And when they move to the cloud, they don't really change anything about their architecture at first.

And then they get, you know, one, two, three years into it, and they're like, hey. I heard the cloud was supposed to be agile. I heard the cloud was supposed to be scale up, scale down. I heard the cloud was supposed to be pay as you go. I'm not getting those benefits.

Why is that? And what ends up happening is they realize that their software architecture has to change. And when that changes, typically, you'll see this one pattern in particular, which is that they take these kind of legacy old school, you'll often hear monolith, things like that. But they'll take these, like, you know, server based applications, and they start to have to break them down into subcomponents. And just take something like a travel booking, process where I'm trying to schedule flights, hotels, rental car, whatever.

In the past, that might have all been on one server. Nowadays, it would never be. Nowadays, you would have kind of like an entry service that brokers the entire transaction and then fires off requests to a travel booking service, to a rental car service, to a hotel booking service, etcetera. And all of those service components communicate with each other over something called APIs. And as that sensitive data crosses the wire, there's a lot of opportunities for hackers and bad actors to access those same APIs and potentially expose the data.

So that's really where the whole, let's say, the whole concept came from when we understood that pattern was taking place. Now the details and the intricacies of how API security needs to be done properly is something that'll take hours and hours and hours to talk about. But at a high level, you need to think about, the system to system communication. Is it secure? And that's everything from do we have encryption?

Do we have SSL connections, etcetera? But also things like, is Joe actually Joe? Do we know that Joe is Joe? And how do we know that? Right?

So authentication. And then, like, is Joe allowed to do what he's trying to do? Authorization. And then all these other little things around, let's say, like, data validation. Is he trying to book from the fourteenth through the February 30?

Well, the February 30 obviously doesn't exist. So, like, data validation, all of these different things along the way. And is there anything bad or suspicious about the way Joe is trying to conduct this transaction? And that's everything from detecting bots to looking for SQL injection type of attacks and many, many other things around that. But it is fundamentally checking that API to API communication is secure and that APIs and their designs are secure.

I know that's a mouthful, but hopefully that all made sense. Yeah. It did. And I think to bring it to life, we can talk about some real world examples of APIs that people use in their everyday life, like Chrome extensions Yep. Microsoft extensions.

You know, when you connect your Zoom to your Outlook and Yep. Anytime you're connecting those, I never thought about it before. And then Yeah. All of a sudden, I have to get, you know, admin permission to sync my Outlook with my Zoom account. And Yeah.

Yeah. I'm like, why do I have to do that? Well, it's because these APIs can be unsafe. Right? Yeah.

Yeah. And when you're giving it admin permission, by the way, a big part of what you're doing is not actually giving that third party application admin permission. It's you're giving it permission to provision an API key that it's going to store in order to communicate between those two services. So it's kind of automating that process of request the key, store the key, etcetera. And by the way, I'll make it a little bit more tangible for people because some of those examples are things that absolutely everybody uses every day.

But I'll tell you what else everybody uses every day is is this right here, you know, this mobile phone, this mobile device. Almost nothing is happening on that device itself. It's all every app that you're loading on that phone is just firing off a request to a back end service over an API. And so, like, you're actually having hundreds of API transactions every day in the things that you do. And by the way, right now, every AI agent, chatbot, whatever is being created is getting integrated via APIs as well.

So APIs, there's a saying in the API community that APIs are everywhere. People just don't know it. And I think it's really true. I think that APIs are probably like the chinks in the Internet's armor. They are like those small spaces in between two secure systems.

And if you're not careful and you're not checking those, you can be the victim of a supply chain type attack. And if a bad actor gets a hold of these APIs, back end, then they essentially can attack anyone that's using that API. Yeah. Like, recently, Silk Typhoon, right, is trying to get into critical infrastructure in Microsoft. So they're like, well, we don't need to go into Microsoft.

We can just use APIs that they're using and attack that way. Yeah. That's exactly right. And to your point, so many things in supply chain attacks, whether it's, let's say, code commits or build pipelines or, you know, embedding things, a lot of that stuff is API driven as well or relies on things like the accidental exposure of API keys that give an actor like Salt Typhoon access to one of those systems. It's actually one of the most common attack techniques right now is that threat actors are kind of sitting there watching a feed of code commits going into places like GitHub.

And for those commits that are public, there's a common mistake that developers make in accidentally embedding their credentials, hard coding their credentials into code that they push in there. And the cloud providers, to their credit, have gotten a lot better at detecting when a key has been exposed through a code commit and then disabling that key. But sometimes that turnaround period is, like, five, ten, fifteen minutes. And threat actors know that if they just sit there and watch all the commits come in, every now and then, they're gonna get lucky and they're gonna get a set of credentials before the cloud provider can see them and disable them. So it's a very relevant topic right now.

And by the way, I'll just mention one other thing that's happening with APIs, increasingly over the last little while, and we're about to release some research on kind of the latest state of API security report. Malware and ransomware has been implanted onto server systems via API calls. And it's one of the things that is not well understood is that a lot of off the shelf software now ships with both a web UI that, you know, is kind of what you might expect of the piece of software that you're using. But then there's also an API so that you can integrate that software into other, you know, IT systems that you're using inside your organization's environment or potentially for collaboration with third party partners and things like that. You might have heard not so much last year, but in 2023, there was a whole string of ransomware events against a software system called MoveIt, from a company called Progress Software. And, you know, it's not been a % proven or well documented, but I've seen a lot of engineering kind of deep dive to really understand what went wrong there.

And the leading theory as to exactly what the, how the malware payload got uploaded onto these systems is through a file upload resume API. And what it was was they sent an encoded payload through that upload resume API, and they specifically targeted that API because the file upload API actually passes every payload through a malware scanner. But the upload resumes API does not because it assumes that the file has already been checked by the initial upload API endpoint. And so, like, it's a very, very specific API endpoint and a very, very specific piece of functionality being called. And with a, a weakness in the authentication system of that same piece of software, the threat actors were able to kind of pose as legitimate admin users of these instances of MoveIt software and then upload the same payload that they knew would get unencoded on the server side and then processed.

And that is actually the leading theory on how the malware was planted on these systems. So it's not only data interchange. It can also be function calls over APIs, and that's something that is also a risk as well. It's abuse of system privileges, abuse of system functions. That can be fraud.

That can be malware. That can be a lot of different things. After they got in on the MoveIt example Yeah. Through the API, did they move laterally? Did they take control of MoveIt?

Is that what happened? So what happened is that, actually, the payload that they uploaded existed as a file on the file system, and the unencode process and then a server side process that happens normally kicked off the actual ransomware. The ransomware payload at that point is just a typical piece of malware that then does things like network lateral movement to infect other hosts on the same network. And so, you know, companies who had, let's say, like, one instance of MoveIt in a data center away from their main facility, not as bad. Only the records on that server itself or on that instance.

But companies that had MoveIt in a data center with a lot of other systems, a lot of other servers, you know, they had a much worse infection. Right? And it was, I think it was 2023's largest ransomware incident, if you will. And it was interesting because it wasn't a single organization ransomware. You hear all these examples, and you would know this better than I would, but you hear all these examples of so and so company or so and so hospital or so and so health care system or whatever it is, school district, whatever.

But, typically, that's like one organization. This MoveIt stuff was thousands of organizations that all had licenses of this software, all had this API running. That API had the same vulnerability on all of these thousands of instances. Absolutely. Yeah.

I just finished a program with Chubb Insurance for a cybersecurity designation. And the MoveIt example changed the way that Chubb did insurance for cybersecurity insurance. How so? They deemed it a widespread event, and they separated the insurance for regular targeted, you know, like a Home Depot getting targeted and hit to a widespread event, and further define what that would be and created a tier where you could buy just regular cyber insurance, and then you can upgrade to a widespread event coverage to cover you for big events like MoveIt and things like that. And Yeah.

The way they saw it was they can charge less to people that just want a, kind of a basic policy and also stabilizes the underwriting and the amount they charge for widespread events. Because Okay. Chubb in particular was hit pretty hard, because they're one of the biggest cyber insurers. Right? And they need to, you know, make sure that they don't go bankrupt because of one of these widespread events.

Right? They're one of the biggest in the world. But if you think about the size of that event, it was hitting large Fortune 500 companies. It was hitting large universities, lots of different companies under the sun. So, yeah, stuff like that, NotPetya.

NotPetya, I mean, there's a lot of examples of these widespread events. I mean, even the CrowdStrike event, which wasn't a cybersecurity hack, it was just like a bad, you know, a bad patch. That would also be considered a widespread event and, Interesting. And, like, I'm curious just to try to understand this because I think, like, a lot of people, I don't know a ton about insurance and especially not cyber insurance. We have coverage, but I'll be honest.

I haven't read all the details of my policy, and I suspect nobody has. Right? But the question that comes to mind is if I hear a phrase like widespread event, for whatever reason, my mind immediately jumps to, like, act of God in the sense of, like, other insurance policies that I know. Let's say, like my homeowner's insurance. You know, if my roof is destroyed by a quote unquote act of God, there may be a carve out where the insurance provider doesn't provide coverage.

Was that the vibe or was it more like, oh, no. We understand that going forward. Like, was it that they tried to, let's say, deny coverage because it was a widespread event, or was it more that they realized that going forward, their own kind of, let's say, like, actuarial pool in the way they design policies has these tiers like you described? Correct. It was a lesson learned by them that, you know, they're one or two widespread events from becoming financially insolvent Okay.

You know, because of the billions and billions of dollars that they could be on board for. Yeah. And then going forward, they decided that they were gonna create an upgrade for the policy instead of offering it standard. But that makes sense. I get it.

I do wonder because, like, okay. You cited a couple of other examples, and there's a few more that jumped to my mind that I could see easily falling into that category. Right? So, like, of course, the CrowdStrike outage. Right?

And, of course, like, NotPetya, like you mentioned. And then maybe something like the SolarWinds, right, where it was a supply chain thing that affected thousands of organizations, and it was, you know, honestly nation state directed just as NotPetya was. But for instance, NotPetya is something that I think a lot of organizations, they didn't do anything risky. They chose a piece of software that was targeted by a nation state. It's a little bit hard for me. Like, you could make the argument in my mind that there was an inherent risk in licensing software like MoveIt.

And I could actually buy that argument. But I'm a little bit less, I'm not sure if I buy the argument as much when you're just like an innocent bystander organization. And, I don't know, you're on the same network in a building as some other company that got hit with NotPetya. You know, you happen to share a network with, like, the utility company next door or whatever it is. How do you think about that?

Because I think you know more about cyber insurance than I do and have had more exposure to these types of conversations. Well, this one in particular, this separation of coverages from widespread events to regular events, it was made to protect the insurance company, not the insured. Right? Not to Yeah. Protect you or me, you know, for our companies.

It's there to make sure that the insurance company can live to fight another day. Yeah. And that's their decision. Yep.

It's their policy. There are policies out there that don't make a distinction between widespread events and regular events. Yeah. There's some really bad policies out there that are, like, endorsements to general liability policies or business owners policies that people just add on for, like, $200 that only cover you if you're specifically targeted.

So Yeah. You think about, like, the malware that's out there. It's usually just like it's casting a big net and seeing who, you know, clicks on the link. But rarely are people specifically targeted unless they're a high profile Yeah. Type company like, you know, like, Ashley Madison or something like that.

Well, I could imagine. I think defense contractors are probably actually one of those companies that is, you know, let's say, specifically targeted by a nation state. And, thankfully, you know, knock on wood, we haven't heard too much. I mean, yes, some of them have had incidents in the past. But thankfully, like, we don't hear about that and them being breached as a group regularly, either here in the States or overseas.

And I think that's, by the way, good for everybody in the world that you don't hear about defense contractors being breached on a regular basis. But I'm curious about something. Sorry, go ahead. You think that we're not hearing about it because it's not happening? Or do you think we're not hearing about it because they're keeping it hush-hush and they don't want you to know that China stole state secrets?

Look. It's a great question, and I don't know. There's a phrase that I've heard, and I've never seen academic data about this or anything. But, you know, we track API based data breaches on our website on a little API data breach tracker. It's one of the things that we analyze on a regular basis as part of our annual report.

We find it useful, and we find, like, the analysis of the incidents to help shape our understanding about where the risks on APIs are is super influential to our product road map. We look at, like, oh, okay. This is what's getting attacked. For instance, this year, we saw a whole trend of, let's say, malevolent nation states, you know, China, Iran, North Korea, Russia, etcetera. We saw their behavior shift in a three month period, November, December, January, and we kinda highlight some of those changes in the report as to, like, what they were looking for, what types of API calls their scanners were issuing.

And by the way, everybody runs a scanner. Just know that. Like, every cyber gang, every nation state is constantly scanning the internet. I always tell people to remember that. But my point in saying this is that it's kind of this, like, rule of thumb that for every disclosed breach, there's nine more that you don't hear about. You know, so it's kind of a 10% public disclosure rate is kind of the, you know, the stat that I've heard thrown around.

And like I said, I've never seen academic research to back that up. I kind of think it's maybe true. So to your point, yeah, maybe we're not hearing about it. Maybe they keep them hush-hush. And maybe it's a good thing that they keep them hush-hush as a matter of kind of, you know, security defense, not making people panic or paranoid or whatnot.

But, anyway, I wanted to ask a follow-up question on the kind of ransomware side. For the cyber insurance companies of the world, is ransomware really the number one thing that they're getting claims around these days? Jesse Mango I would say that business email compromise is probably number one. It does lead to ransomware. And it does lead to fraudulent cases.

Yeah. So I think well, the thing is, like, when you say ransomware, that is one way that hackers extort money from me. Right? Right. But it's also how they get in that I feel like is more important.

And, yes, companies will use ransomware to extort money out of you, but it may be easier just, like, to hack into your bank account or find your credentials through an old email, or trick somebody to send you money rather than going through the whole ransom thing. So I would say that business email compromise is number one, and I can see if I can find some data to back that up. I think I read that, recently that hackers are using in order to get into US businesses. Okay. Okay.

And but business email compromise on its own, the claims would typically be around, let's say, like, a loss of data or maybe somebody who got scammed into a particular money transfer or into, like, approving a vendor transaction or something like that. That was false. That's not the kind of, like, to your point, that's not the kind of systemic organizational extortion that I think about. So I would tend to think that those are probably, they sound like they would be smaller claims as opposed to, like, our whole organization got ransomware. And, you know, we were then presented with the options.

Because you hear about these ransom payments of, like, into the millions of dollars. Right? That's what I think of when I think of, like, the big one last year. Yeah. Yeah.

Exactly. Right? Like, I mean, these are big claims. Right? Are insurers covering these, covering ransom payments, or are they generally not, or are they covering the damages to the organization?

Or how are the insurers thinking about that these days? Okay. So when you have a ransomware, and you have an insurance policy, the first thing you do is call your breach attorney, or you call your insurance company and they get you a breach attorney. Right? Okay.

And then those guys hire incident response people. Right? You may have a retainer, or pre negotiated incident response people. In that way, everything's privileged because you're doing everything through your attorney. The next thing they're doing is trying to get you back in business by uploading backups Yeah.

After you can ensure that the person's out of your system. Yep. And usually, they're negotiating with the hacker at the same time. So they're negotiating to, get the money that you have to pay down because, you know, who wants to pay 2,000,000 when you can pay a million? Right.

And they're also negotiating to buy time. Okay. While you're rebuilding systems, while you're uploading from backups, you don't want the hacker to, like, be trying to get back in until you've got the gates of the castle closed, if you will. Yep. And is it pretty well accepted that the threat actors, like, these ransomware gangs, they will back off while they're in negotiation with you as kind of, almost like a good faith measure?

I would say that you need to be careful on that front. You kinda need to know, like, where they are and what they can see. So you should be looking in your incident response plan to have some alternative communications. So if they're in your phone system, you don't wanna be using your phone. Or if they're in your email, you don't wanna be using your email.

Yeah. You can be using as an alternative, like WhatsApp or Yeah. Signal, or you can go to Walmart and buy a burner phone Yeah. And buy one for everybody in the company. And Yeah.

That's, like, how we communicate now, until this is all over. Yeah. And that's how you can kinda keep them away while you're fixing your system and getting it up to par. And then you can either say, we're not gonna pay and sorry. And they'll be like, okay.

Well, we can't do anything. Or they'll threaten with a double extortion saying, you know, we've exfiltrated your client's data. We're gonna drop this on the dark web, and it's gonna hurt your reputation. And they'll even go as far as, like, calling your customers. They'll call the CEO and say, hey, you know, we know you have insurance.

Just pay this, and we'll make it all go away. Okay. And they can get aggressive and, like, threaten your family and things like that too. So it really can be quite scary for leadership during these times if the director is a scary dude. I've heard they're, you know okay.

I've heard they're quite businesslike, that this is really a business model for them, and their goal is to get their best financial outcome from this. And that quite a lot of them don't actually care much about the organization that they breach, what they do, who they are, what kind of data they have. And so to your point about, let's say, threatening, it sounds to me like a high pressure sales tactic like a lot of companies, you know, legitimate companies would also have, you know, kind of apply some pressure to you that feels emotionally uncomfortable, puts you in an uncomfortable, you know, psychological state, tries to give you this artificial sense of urgency to act. But at the end of the day, they're trying to do that so as to optimize their side of the financial outcome. But they wouldn't push to the point where it would, like, completely shut you down or jeopardize where you're gonna be like, you know what?

Screw it. Out of this thing. Go into the police, go into the FBI. We're not gonna negotiate. We're shutting everything down.

Right? Like, there is kind of a business model. Right? I mean, you know, it's like they have their access people, access brokers that get in. Yep.

Yep. They've got the people that will go in your system and lock it down. They have the negotiators, and then they have, you know, like, the manufacturers of the malware, which are the guys that, you know, need to get their cut too, when you use their software, in order to use it. Like, UnitedHealthcare, for example. Right.

They paid $22,000,000, and then I think it was BlackCat, no, ALPHV didn't pay BlackCat their cut, and then they reinfected them and said, sorry. Well, we didn't get paid, so now we're gonna ransom you. So Yeah. Yeah.

I mean, there's no honor between thieves. So Yeah. And then, going back to the example that we were talking through, if somebody gets ransomed, once you get stuff back and running, then there's kind of the other side of the claim where you're gonna get forensics people in there, and they're gonna decide how the person got in so you can lock them out in the future. You have to notify anybody that lost personal data. They'll tell you exactly who you have to notify.

And then you have, like, the experience that will, manage the, credit monitoring for your customers. And then there's, the possibility of, class action lawsuits on the back end. Like, for example, MGM Grand, they just paid a $45,000,000 settlement on a class action, you know, two years later after their Yeah. Debacle. And Yeah.

Yeah. Even I got an email on that one about the class action lawsuit. Oh, you did? Yeah. Yeah.

Yeah. I think I'm I mean, event $20 or something. Yeah. Everybody signed up for, like, a free, card so they could get, like, $25 or a free buffet at one of MGM's properties. And Yep.

That's your information's out there. Yeah. We signed up because, one of the MGM properties host Black Hat every year, big cybersecurity conference, and we're there every year. And, you know, we signed up to get discounted room rates for five people from our team that were going out there. And so sure enough, I think everybody on our team had their data in there.

And I think it's pretty safe to assume that your data has been in at least one massive data breach or at least one ransomware, if not both. Oh, absolutely. Tell me about Black Hat. For Yeah. Listeners that have never been there, and there's a lot of mystery around it.

And, you know, I've seen YouTube videos on, like, some of the, pseudo celebrities that talk there. Yeah. But, like, what is it like being there? Yeah. What are you doing while you're there?

Yeah. Well, first of all, I'll tell you that it's part of a string of events that kind of gets affectionately called hacker summer camp. And there's three or four parts of this, and I feel like every year a new thing gets lumped onto it. But, historically, the way it's been is that, you know, Black Hat was the leading cybersecurity conference. And connected to Black Hat is another event called Defcon.

And I think a lot of the misconceptions around Black Hat are actually misattribution from things that people think about Defcon. Mhmm. And so I wanna, like, I'll start by kind of explaining what the two things are and then kind of get to your question about what Black Hat is actually like. So Black Hat is really a conference for cybersecurity defenders. You'll hear, like, you know, blue team, whatever.

Right? Like but it is really much more about, people who are working to protect the networks and the systems of organizations. Could be, you know, private companies, could be public sector, schools, governments, whatever. You do see military presence there. You also see, NSA, CIA, etcetera.

They're always looking to understand the leading, you know, research around it. The conference itself does have a lot of research that gets presented. It also has a lot of cybersecurity training. So, actually, it's, like, five or six days typically, but of those, really only two or three days are the conference itself. And then there's, like, two or three days of training events that happen in the run up to Black Hat.

There will also be some little private summits that happen there. So, typically, there are some industry organizations that will collaborate. You'll hear those as ISAC's industry security. ISACA? I don't know.

I think ISAC is, like, connected, but these ISACs are typically industry specific. Like, there's the financial services ISAC. There's a retail ISAC, etcetera. They'll have their little private summits where, you know, CISOs and security leaders from those organizations get together, swap information. But those also happen outside Black Hat on a, I don't know, monthly, quarterly basis depending on the organization.

So there's a lot of great kind of, let's say, like, you know, meetings that get scheduled and collaborations that happen at Black Hat. And then research wise, you do get a lot of people who are doing work to defend organizations and things that they've seen, and they share experiences about, like, hey. Maybe it's we got ransomed. Here's how we found out. You know?

And they'll share, typically, you know, in redacted format about, like, what they learn. And, obviously, people are very sensitive about what data they can share and so on. Right. You also sorry. Go ahead.

I was saying we need more of that where people share, what happened to them because I think there's a big stigma against getting ransomed and, you know, reputationally, people don't wanna share what's what happened. But if we don't share what happened, then how are we gonna learn from it? I couldn't agree with you more. The funny thing is we just launched a breach series on modern cyber. We put the call out a couple months ago on LinkedIn.

Anybody who is willing to share a story of how they got breached, their organization. And, we put out there the kind of the conditions that, like, please only share things that you are comfortable sharing. And so we've recorded a few of these so far. Typically, people are saying I was at x type of organization, often unnamed. And a lot of these are a few years in the past.

I will say, so far, common threads are, like, do the basics. You know? Have good asset management. Have good network segmentation. Have good understanding of your identity.

Have good backups, by the way. That's come up in, I think, almost every single episode so far that we recorded. Backups. Yeah. Yeah.

Test your backups as well. Absolutely. That was a bad one for me on my own briefs that I shared on there. Okay. We had some backups that weren't so great.

But, you know, just kinda getting back to Black Hat. As these briefing sessions are going on, there's a massive expo of cybersecurity companies out there, typically showing off the latest and greatest that they've built. There is a ton of swag. There is a ton of partying, all the kind of corporate conference stuff. But fundamentally, Black Hat is a corporate conference.

And, like, that's where I see, I think, you know, a lot of the misattribution. And DEF CON is more of the fun one? Bingo. DEF CON is more the one that is the more offensive side of things. You know, this is how we break into systems.

DEF CON is the one that historically had a wall of shame where, you know, you'd hear these things like, hey, don't leave your phone turned on. If somebody is pushing a cart around with USB cables to charge your phone, they're also trying to get data off your phone as you're charging it off of that station. And it's not people maliciously hacking each other. It is proof of concept stuff to show you different risks that have been developed by the offensive side of the world. And by the way, I'll say something from my own... plug these in before... Yeah.

Airports, and then you plug your own thing in. Yep. Yep. I have one of my own right here as well. So, yeah, I'm with you on this one.

Swimlane too? Yeah. Yeah. Oh, mine's from a company called Curity. But, yeah, they're a good giveaway at a place like Black Hat, DEF CON.

But DEF CON is really the one where, you know, you really see the latest in hacking techniques and offensive cybersecurity. I will say you can also tell when the crowds change over between Black Hat and DEF CON. The joke, which has a little bit of truth in it, is, you know, when the number of Mohawks and piercings goes up, you know we switched over from Black Hat into DEF CON. Nice. I think that's a little bit tongue in cheek.

There's maybe a little bit of truth to it. One thing that I absolutely do say, first of all, I have huge, huge respect for people who work on the offensive side because pretty consistently, they're way more creative than people that work on the defensive side. Pretty consistently, they are, oh, you know, attempt number one didn't work. How about attempt number two, three, five, two hundred, three hundred? You know, there's a saying in the offensive cybersecurity world that if it didn't work, just keep trying.

Try something new. Whereas on the defensive side, almost everybody that I know is like, oh, I implemented a program for cloud security, identity security, whatever it is. These are the best practices or this is, like, the framework that I wanted to implement. Mhmm. I did all those things.

I checked the box. I move on to the next project. Right. And they don't revisit those frequently when novel attack types get published. They don't necessarily think about, like, okay.

I did all the things in that framework. How else could somebody get in, you know, and just, like, ask themselves that question and really think about it and maybe work off of a threat model? I see a little bit less creativity on the defensive side of the house. So that's DEF CON. And then there's one last event that I'll throw out there in the hacker summer camp.

Every year, there are so many talks that get rejected by Black Hat for lack of space or whatever. So years ago, this group set up something called BSides, which is meant to be like the B-side of a record. You know, it's like this sometimes better song, but it's not the popular hit. Yeah. And this has become a thing now in cities all around the world.

So you'll see BSides conferences that are more, like, community driven. This is a really interesting topic that somebody wants to share about. Yeah. I did the talk, but I didn't get in. Exactly.

Exactly. Next year. Next year, I was talking about something more interesting than segmenting. I've, end to end, it's like, you know, eight, nine days out in Las Vegas. It's always in Vegas.

It's always in August. It is always hot as heck. Right. But I love it. It's super energizing.

Sorry. I love everything about the fact that it's Vegas in August. Everything except that. It's super energizing. You meet great people.

You learn really cool stuff. Well, how could people use your services and how can they find you? Because I know we're getting close to time here. Yeah. Yeah.

Look. We are at FireTail.ai. Pretty easy. FireTail, all one word. Fun fact, it's actually a bird from Australia.

So if you wanna look it up, if you Google FireTail, that may be the first thing you find. Hopefully, we're at least in the top five. But, FireTail.ai, we have a free tier. Anybody can get started for free. There's a link at the top of our website.

If you want our research, you wanna hear about API security, some of the latest threats, scroll down to the bottom of the page, check out the API data breach tracker. And we are releasing in early April this year our updated State of API Security 2024 report for the things that happened over the last twelve months. If anybody wants to email me directly, I'm just jeremy@firetail.ai. Super easy. Great.

Yeah. And, Joe, just to close out from the other side, what are some of the things that you think are most commonly misunderstood about cyber insurance? Maybe that's, like, a good closing question because I think a lot of people get it because they think they should or they get it because, let's say, an investor or their board required them to get it, but, like I said, they don't dig in to read the terms of their policy, what it does and doesn't cover, and what they should understand about it. I love what you described, by the way, about, like, if you do have a ransomware event. Like, just knowing that the first thing you do is you make that call to the attorney so that you get everything privileged.

I didn't know that before this conversation today. So what else would you share that people should understand? Yeah. Like you said, cyber insurance is one of the most proactive types of insurance, bringing an entire experienced team that does this stuff all day, every day. Yeah.

That's one of the biggest benefits. I would say that you need to work with an experienced broker, somebody that deals with cyber insurance, because it's so different than all the other insurances. One thing you could do is look at the exclusions on your policy. Yeah. And, you know, ask questions to your broker. Like, are insider threats covered for this?

Am I covered for reverse social engineering or what we call invoice manipulation? A lot of them just cover for regular social engineering. What about war? Or, like, what's the definition of war, yeah, in your policy?

Because, yeah, some say any state sponsored type hacker. In some, the surgeon general or the head of, whoever declares war, has to say it's an actual war. And some will say, like, oh, it's gotta be a hot spot, you know, where there's military type stuff going on. So it's all those things that, you know, you wouldn't think of, that you don't know that you don't know.

So just ask a lot of questions, you know, look at the exclusions, look stuff up online. You can always DM me or call me if you have questions on, you know, what this is or what that is, and just go from there. And, you know, I'm easy to find too. I was just about to ask. All the socials, under Joe Erle on LinkedIn.

Cyber Joe is my handle on Twitter and TikTok and... Oh, wow. Instagram. Yeah. I'm a TikToker. Wow.

And, yeah, that's it. joe@c3insurance.com. And I'd be happy to field any questions, help in any way I can. Awesome. Awesome.

And for the modern cyber audience in this crossover episode, just one more time, plug the name of your podcast and where people can find it. Oh, right. Yeah. I always forget to plug my podcast. It's called Ransomware Rewind, and you can find it on YouTube, Spotify, Apple, and wherever you listen to podcasts.

Yeah. Awesome. Ransomware Rewind. Yeah. We have a lot of fun on that podcast.

It's, like, semi professional. It's separate from what I do here at C3, so we... Okay. Have a little bit more fun. And it's good. We just riff on current events.

We talk about modern hacks, and we give actionable advice to our listeners. Super useful. Awesome stuff. Well, I've enjoyed the crossover episode, Joe. I've really enjoyed getting to talk to you.

Wide ranging conversation. We went everywhere from API security to ransomware to cyber insurance to incident response. I've learned. I hope our audience has learned as well. Yeah.

I mean, we had a great episode. You know? It's not Darknet Diaries. You know? Yeah.

Yeah. I don't know that either of us has the production budget. Or... Maybe, like, one tier down from Darknet Diaries. Yeah. I think that's fair. Yeah.

Yeah. Did you listen to the recent one about the hit man? I did. And in fact, what was really funny in that episode, the guy who obtained the kill list, he got all the message history using an API vulnerability. He talks about it in the episode.

It used to be commonly called IDOR, insecure direct object reference. And nowadays, it's mostly called BOLA, Broken Object Level Authorization. It's number one on the OWASP API Top 10 vulnerability chart in terms of, like, the single most prevalent misconfiguration or design flaw in APIs. I actually shouted it out on LinkedIn when I was listening to it earlier this week and said that, like, hey. Even dark web marketplaces have API vulnerabilities.

Absolutely. Yeah. Yeah. We gotta hack the hackers. Right?

Look. I think it's a valid tactic. The challenge is, and this is true in, I think, a lot of things related to cybersecurity, you have two different organizations that play by two sets of rules. You know, for me as either a citizen or as an employee at an organization, I'm somewhat limited by the law as far as what I can do. Because anything that I do, even if it's against an adversary that is a threat actor or a hacker or whatever, I am breaking the law if I employ the same tactics that they do.

And so, like, I think a lot of people, myself included, are pretty hesitant about doing it. At the same time, I know that, you know, many organizations, law enforcement organizations do have offensive cyber capabilities, and they do use them in going after bad guys. Right. Right. Yeah.

Yeah. Yeah. Definitely two sets of rules. Yeah. Yeah.

Great. Well, it was really good talking to you, and let's do a part two sometime. Sounds great, Joe. Thanks so much for your time. I guess I'll sign off from the Modern Cyber side.

Yeah. And I'll sign off from Ransomware Rewind. Be sure to check out both our podcasts. Like, subscribe. All good stuff.

Put a comment down. We will answer your comment, and we will talk to you in the next episode. Alright.
