
This Anti-Cast originally aired on December 18, 2024.
In this video, Amanda Berlin discusses the challenges and solutions for cybersecurity in small and medium-sized businesses (SMBs) and managed service providers (MSPs). She dives into real-world scenarios and shares stories about network and security incidents from her past experience in IT, illustrating the importance of having effective security measures in place. The discussion also highlights the significance of democratizing security and the need for tailored solutions that address the unique challenges faced by SMBs, emphasizing collaboration, training, and community engagement.
- The webinar highlights the challenges faced by small and medium-sized businesses (SMBs) in implementing effective cybersecurity measures due to limited resources and expertise.
- The importance of democratizing security is emphasized, suggesting that security solutions should be made accessible and understandable for SMBs.
- It is suggested that focusing on basic cybersecurity practices, like asset management and visibility, is crucial for SMBs to bolster their defenses.
Transcript
Amanda Berlin
Thank you everybody for being here. This is super great. It's been a while since I've done an Anti-Cast, so I'm really excited to be here. Super cool. I'm gonna try and ignore Discord.
And I know my camera's flickering a little bit, so I'm gonna try and ignore that too. So depending on when you joined the pre-show banter, you might have heard a little bit about my background.
But for those of you that don't know, I started my career working at and for SMBs and MSPs and have been doing that pretty much for the majority of my life. It's one of my passions, and one of the major reasons I moved from just being a network and systems admin into security.
So we'll start off with that, see if this works. Here we go. So in the chat, who knows what SMB and MSP stand for? Server Message Block, like it does.
It stands for Server Message Block. Right. Also small, medium or mid-sized business. That's great. Anybody get MSP?
Okay, so managed service provider. How about Minneapolis-St. Paul? Anybody else ever have connecting flights through there? Also stands for managed service provider.
Yes, correct. Great job everybody. So to be honest, I was tired of dealing with this stuff. I had to go back into archives and find some of the fun pictures I had when I was an administrator.
But here we have one of our network closets that we had at the hospital that I used to work at. This was 2012, and we were called to another campus after there was a partial power outage to deal with,
and authentication wasn't working over there. Gladly, our network team had grown from three people to six because we had over a dozen buildings. We still didn't,
even when I left there, we still had no actual security roles. And so we pack up our laptops, some extra gear, and we head over to that campus.
And then after we arrive there: at one point this had to have been a switchboard office or something like that, before they had computers.
But we're met with one side of the room having power and the other having just a sputtering hot water geyser in the corner from an uncapped boiler pipe.
At some point they took the pipe out, but the boiler was maybe still there and doing something. Somebody turned it on or power went off, something.
Lots of hot liquid just pouring out of that geyser in the corner. So like I said, this is 2012. On the right-hand side there on the desk, there's a rack-mountable server underneath a regular, just, I think they were called MPCs,
just a regular PC with a CRT on top of it. Again, this is only 2012, so it's not that long ago. But that was a Windows 2000 domain controller running on that.
And the old DC was one of them. I can't remember which one. I think maybe the actual DC used to be on the PC and then we moved it to the rack-mounted server but didn't have a rack.
I don't know. But that was the side of the room that didn't have power. And of course the reason nobody there was able to log in was because that was their domain controller and there was only one there.
So to remedy that situation we ended up with this daisy-chained UPS to the other side of the room. And I didn't take a picture of this, but the step stool that's in the background ended up,
that's what we put the UPS on, just in case that room flooded. So really, really super fun. So if any of you have ever been in that situation before, if you've worked in an SMB or MSP, I'm sure everyone has great stories.
Those are some of my favorite things to talk about, and we probably know each other's name. So for those of you who haven't, just imagine playing Mario Brothers levels for the first time ever,
any time you try and implement anything, any time you try and onboard a new customer or answer a call about something not working. And there's a reason after like 10 years of that, I switched to consulting and SaaS, because I really liked not being on call anymore.
I did my time, I'm old and I don't want to do anything. So let's start off with an SMB story. Nothing earth-shattering; stuff like this happens all the time, and we'll just go ahead and walk through it in a timeline kind of view.
So everyone likes scanning networks, right? Whether you use Nmap, a vulnerability scanner, or one of the other 5,000 tools that are out there that you can use to scan a network.
It's a fairly common practice for initial deployment or asset management auditing activities. A lot of customers will merge with other companies or onboard child companies, whatever, that they purchased.
So say we sit down at this new SMB, this customer that we're onboarding, with no real information about what the network has in store for us. So we download a scanner that we always use and proceed like normal.
So it's at 18:57, a couple minutes later, when you get a warning that you're running software that you always run. You really don't think much of it.
However, in this particular instance, that software looked like Advanced IP Scanner in the Google results but actually resulted in the user navigating to a fake version of the software in a Cloudflare instance.
And that Cloudflare instance had gotten to the top of the search results just by SEO poisoning, and they were downloading what they thought was the legitimate version of Advanced IP Scanner because it was the first thing that they clicked on when they Googled it.
Third thing that happens. So the admin runs several commands to gather information about the Active Directory domain, right? I imagine somewhere some immature programs for sure run local commands to identify what device they're on, system requirements, stuff like that.
And these commands are also run all the time in Windows networks. But it's really weird to see them being run in conjunction with a software, not necessarily install, but software execution.
And I'm sure a lot of you have heard of LOLBins, or LOLBAS, or LL bins, however you say it. It's a term that people use to talk about programs and scripts that can be leveraged that are already built into the OS.
So not to age myself too much, I mean I already talked to you about a Windows 2000 server, but I remember when PowerShell didn't used to be installed on Windows, and now it is by default. When it started to be installed by default on Windows,
I know admins were losing their minds, like, we have to remove this PowerShell. This is going to be nothing but hassle. What happens if a user runs something and messes it up?
Or all of the security implications that come from something as powerful as PowerShell being on an endpoint.
You can't take it off Windows anymore, right? It's used all the time for admin functions. I don't think a lot of us could operate without PowerShell. And so now we just have to account for all of those kinds of things in our threat detection and response efforts, constantly.
So activity number four is when the Advanced IP Scanner is run. And we can see, let's see here.
Yeah, we can see the action here running. So right here we have Visual Basic command running some other stuff.
We have cvtres.exe. So that cvtres.exe stands for convert resource.
Convert resource files to COFF objects. And I don't know necessarily what it does, but it's a tool that helps create Windows programs, right?
So cvtres. It's always on Windows. It's just one of those things. So then an admin again runs this command to copy a batch file to a newly discovered domain controller, right?
So it's using xcopy to move this log converter thing over to be a log converter over on the domain controller.
So we're how many minutes in now? Like 10 minutes in. So from that host name one, the attacker then uses WMI to remote code execute and run that newly copied code on the domain controller.
Now that first detection they kind of ignored, right? They definitely meant to run Advanced IP Scanner. Like, yes, I downloaded it, I ran it.
I'm going to ignore that detection that fired. But when you see additional alerts stacked on top of it, it starts to become a little bit more evident that something isn't necessarily right.
WMI is another living-off-the-land thing, and it's really used by a lot of threat actors, obviously, to run commands remotely across an organization.
And then, 12 seconds later, we have this finding for remote code execution via WMI.
So now this attacker has a connection, remote shell, whatever, into that domain controller. They're now able to run commands on that host, and they run this PowerShell script.
So it runs in a hidden window, which a lot of times is normal, because if you're scripting across an environment, you don't want things popping up, bugging your users.
But they are wanting to hide the fact that it's happening now for another reason. Then it uses a lot of weird PowerShell syntax to create variables and obfuscate the text and invoke different methods and all this kind of stuff.
It's using that technique to evade detection. It's a really long PowerShell thing, so I didn't include all of it.
And then we see a batch script running in that same directory. So now we have this log converter .bat and this whatever pressanykey.exe. We don't alert at Blumira, at least we don't alert on all batch script executions, just like we don't alert on all programs being run.
So somebody remotely called this command line first from an unusual location to run this batch script. So we were given a copy of both the file that was initially downloaded,
so I think it's shown here, or maybe it's on a different one, but it was this random string of characters. It was just a C file, I think, and then that log converter .bat.
Oh yeah, it was a C application that they gave us, so we could look into what it was actually doing. And when we looked at both of those things together we realized it was a data exfiltration application.
So it was sending HTTP POST requests from the device externally, trying to exfiltrate stuff from their domain controller.
So not super great. Then the customer contacts our support team, which, fantastic.
And finally the customer manually isolates the device, cutting off that command and control traffic, at least from that device. There wasn't any more. But you never know.
And I want to make a point on this one. So a lot of images now are created with Gen AI, right?
This one is the least cursed version that I could find to present to everybody. I just wanted to have Goomba behind bars, because Mario-themed, it would be cool.
But then, yeah, this is just not. It's just really weird. It's tan, and I mean this one didn't have a belly button.
I don't know. There's a lot of really weird ones. So the host is isolated, getting back to the event. And then our salespeople love to talk about this one, but sadly, almost 24 hours after the initial event happened, two other files were found on other devices because of a roaming profile for the administrator.
So there was a backup, or the admin logged on to somewhere else and it copied the profile, moved it over, and the other XDR caught that file but none of the actual malicious commands.
So think about this. This is me trying, I'm trying not to get on a soapbox, but I like talking about this kind of stuff. Think about how that same issue would have different impacts depending on the size and maturity of an organization.
Right? So say if you are, I don't know, GM or Walmart or anywhere like that.
Right. They have a large budget, they have a full security team, multiple subsets in those security teams. They have a lot of configuration configured and locked down, and time and knowledge and all of this kind of stuff, so that would have never happened.
I'm sure they would have had a license to some kind of enterprise-grade software to do that scanning in the first place. They would have application whitelisting,
so they're not going to allow an unknown application to run or even download. ACLs between network segments that wouldn't have allowed just random WMI calls to domain controllers.
Probably hold their office in the cloud or something. Anyways, so many different areas that you can apply defense to when you can dedicate the time and resources.
But then when you're an SMB you have a very small amount of IT staff, many times no security staff, and the IT admins are expected to wear that hat no matter what.
So no wonder SMBs struggle with security a lot of times. Now over time, as cloud infrastructure becomes easier and more available, SMBs and large companies are using more similar infrastructure to each other than ever before.
Last year's Verizon DBIR had a really cool breakdown of how they used to look at SMBs and their threats and statistics and everything like that, and how they do it now, and they point out everything.
Something that I think is interesting: asset management and visibility are the most ignored but the most important part, doesn't matter the size of the organization, and it's really hard.
I know asset management's hard. But so now, according to Gartner, a small and mid-sized business, you can group them or classify them two different ways.
So speed round quiz for employees. How many employees do you have to have to be typically considered a small business?
We're going to do employees, and I think it's, here we go. So 1 to 10, under 100. Less than 100.
Now you're all just cheating off each other. No, I'm joking. It is less than 100. So fewer than 100 employees is a small business. Okay, next. How about for medium?
Five thousand. Less than a thousand. One hundred. Two fifty. Nice. I think Ron, you win. Medium is 100 to 999.
Perfect. This I thought was really interesting, if you look at the numbers of how many businesses are included and how many do you think would actually have dedicated IT or security staff.
I know there's a lot of numbers on the screen, but one of the ones that I like to point out is 46%. Or is it, oh, that's not actually on here.
Another piece of stats that I have: 46% of all breaches impact businesses with fewer than a thousand employees. That's a lot. Especially when you consider the lack of resources that they probably have.
Small businesses receive the highest rate of targeted malicious emails. And this is all from the Small Business Administration economic profile thing.
And then we move on to medium. So, oh, actually, sorry, we're still on small. How much revenue? So we're going to talk about annual revenue. So employees and revenue are the different ways that you can categorize small, medium businesses or whatever other size.
So small business, for annual revenue, how much do you think it is? I have a hundred thousand. One million, 253 million.
Five million. Ten. You go, this is crazy.
And I thought this was crazy when I found out. 50 million. 50 million or less, you could be a small business based on annual revenue, which is a lot.
Right? That's a lot. Medium, under 500 million.
250 or less. Oh, yeah, there you go. Neo, I think you're the first one to say it.
50 million to 1 billion in annual revenue is medium. $1 billion exactly. So this is from that same study.
And just the scale of total GDP that small businesses contribute is crazy.
Right? Like you wouldn't imagine that small to medium business would take up that much percentage and still have that many problems.
Right. So some of the, we'll get back to that a little bit. But it's a very underserved market when it comes to services and talent and time and pretty much everything.
Arbitrary ranges? They were actually from the US Chamber of Commerce. Sorry, I probably missed a bunch of other questions, but I saw that one.
They're not arbitrary numbers. It's from the government. I don't know. So next we're going to go into what you can do for detect, oh my gosh.
Detect, defend and respond. It's always hard saying those three things together, for the different things that we saw happen at those time frames during that incident.
So the first thing we saw was that Advanced IP Scanner. These are the different things that you can do to detect: you have event ID 1, which is with Sysmon, or event ID 4688.
Those are both process creation, and you could just look for Advanced IP Scanner. You can look for all of the popular scanners that are out there, right? Because if it's just somebody randomly doing it, you still want to know about that too.
It's more of a risk thing than it is anything else, but it's nice to know about. Oh, I didn't cover everything. And then defend, you'll see this a lot: application allow listing and then User Access Control.
That happens a lot, to defend against certain things, right, is those two things. And then to respond you can kill that task,
you can delete the file. If it wasn't necessarily malicious, you can pretty much just stop there. Next we have the nslookup and systeminfo.
I don't really recommend that you necessarily alert on those. It's pretty common to run during troubleshooting and stuff like that.
It just depends on the environment. If that's something that you don't think anybody's going to run, yeah, go for it. Feel free to detect on it. And that's kind of the same thing.
You look at the process creation Windows event IDs, and then you can just look at other things too, right? You can look at net user, net computer, dsquery.
There's a whole bunch of different living-off-the-land random command line things that are used for discovery that you can always inspect on. And then defending, not really super recommended. I guess you can prevent people from running all of that stuff or even opening up the command line and stuff like that.
But again, it depends on the time and effort. If you happen to be an SMB or MSP, that's not usually at the top of your list to do. To be honest, it's probably really low on the priority list.
And then for responding, it's just further investigation to see who ran those and where and if they were doing anything else malicious.
And then we have that Visual Basic running that cvtres and doing the living-off-the-land stuff. Again, same event IDs, but you're looking for a parent process and child process combo.
So a lot of times you can bundle these up. A really good example that I like to give is IIS in Windows.
So when Exchange was getting popped all the time because of the web access, it runs on IIS, and people were constantly seeing PowerShell being run by the IIS process.
There's things like that, right? So in this case there's been proven attacks where vbc.exe is running cvtres.exe. There's a really good article.
I don't know if I have it in my notes. No. There's a really good article on the SANS Internet Storm Center about it. If you look up cvtres on SANS.
Again, the top two things: application allow listing and User Access Control, but also Group Policy. You can use Group Policy to control a lot.
You can make it so people can't run Visual Basic if you want to. You can do that with a lot of different things, but that's another option. And then for responding, you remove the files, investigate that source, and analyze what the output of whatever command was that they ran through cvtres.
xcopy was the next part. This can be prone to false positives, especially if you use xcopy for a lot of stuff. But it has been seen, threat actors using xcopy and other types of command line copy tools to move data around and run it remotely.
And so again, like, yeah, I have robocopy on there too. And then you can look for it running specifically to SYSVOL. For defending, just lock down DCs and admin shares.
Especially in this case, nobody should have just been able to. Even an admin account shouldn't have been able to just randomly copy and run stuff to that directory.
Those should really be locked down, otherwise bad things happen. And then responding, again, always just depends on what that file was that was copied and what it does.
We have the remote WMI call. Again, as you can see, these are kind of common themes when it comes to detecting a lot of things, processes.
So again we have a parent process and a child process. So we don't want the WMI exe doing this node process thing, because that just screams remote commands.
And then I have, again, again, again, application allow listing, UAC, and then you can also restrict incoming WMI connections by using endpoint solutions, firewalls, stuff like that.
And then responding, you can check in the suspicious files that were shown, so there were shortcuts in the ProgramData directory.
You can check those, delete them, see what they were doing, whatever is part of your IR. Maybe I have two left.
Malicious PowerShell. This one can be two different ways. So you can still do Sysmon event ID 1 and then 4688, or you can log all PowerShell output to Event Viewer.
The problem comes in, if anybody's ever dug through 4103 and 4 and I think 5.2, it's a lot of information.
It gets really heavy because that's all the PowerShell. I mean I'm sure you've seen PowerShell output be 10,000 lines.
That all goes to the Event Viewer. So while it's possible, it's not super fun to alert with, but it can be really great for investigating.
So if you want to dive into that, it's good to still output those and use it for discovery. Then you can also look for that Net.WebClient being run inside those PowerShell commands.
That's super common. It's something that attackers can use and have used in their PowerShell scripts that really just download and run stuff from the Internet, and it gets past execution policy stuff that you, if you have configured for PowerShell. You guessed it for defense, and then for response, just please isolate the device and do full IR.
And yeah, this is the last one. So malicious batch script. We have the parent process of, you name it, right? The main ones: PowerShell, command line, Explorer, and all of the other common exes that things are run off of.
And I think I must be missing the other process, but that's okay. It was the process of that batch script. And then defend, last time I promise: UAC, and allow listing, and not all servers need access to the Internet.
Right? That domain controller was able to exfiltrate using whatever custom thing that they wrote, with a C&C just out to the Internet, just over regular HTTP or HTTPS, whatever way they did it.
Your domain controllers don't need access to the Internet. Not everything does. Definitely shut that off. Right? You get updates a different way. You get all of that stuff a different way.
You don't need to have access to the Internet for everything. And then you can also use web application firewalls to block things outbound like that too. Because it was going directly, it was sending POSTs directly to an IP address in Cloudflare.
I don't know that I've ever seen that be a good thing. All right, so I'm gonna take a drink of water real quick.
I'm gonna make sure I end this soon enough so I can answer any questions. So I like this phrase. I didn't come up with it.
I think maybe Wendy Nather did. Someone did. I know it wasn't me, though. But I like the idea of democratizing security, especially for SMBs and MSPs.
And like I kind of mentioned at the beginning, during our pre-show banter, I got into this field because I really like helping people whose focus is on something else.
That's one of the things I really like to do, a core part of who I am, and one of the reasons why, I mean a major reason why I love Antisyphon, first off, because that's kind of Antisyphon and Black Hills' entire thing, right?
Like you really like helping people, you like educating people. It's all the free education, all that kind of stuff. That's something that that market needs so much,
because it's not like all of those mom-and-pop shops are going to send their IT person to get a big, expensive cert from some other company.
And that's one of the reasons why I really like working at Blumira. It's one of the main tenets of why we created the company, right? So think about when I was at the hospital.
So the first SIEM I was ever involved with was called McAfee Nitrogen, which sounds like a coffee.
And I still remember the pain and frustration that I had not knowing anything about a SIEM. I was handed it and told, hey, configure this. Configure everything in our environment to go to it and alert on attacks.
At that point in time, I had never officially done anything in security. I was good at Active Directory. I could do some Cisco switching and routing.
I mean, that was kind of it. I did backups, right? That was the level of security knowledge I had. And I'm not sure if anybody else has ever worked with the McAfee Nitro SIEM, but I can tell you we couldn't even find a professional services engineer to implement it without it just falling all over itself.
And it was corrupting data all the time. So it's terrible. And just another example of a piece of security software in general
that's complicated, unintuitive, little to no documentation of how to work it or set it up, and just given to a medium-sized business.
Right. And so I went from that with zero experience. The first SIEM, you'd think I would hate SIEMs and not want to do anything with them ever again. But then I went and worked on stuff.
So then from there, when I was doing that, I was working with customers on ATT&CK use cases and with our implementation team, and on average implementation was anywhere from six to nine months, with some of the more complicated ones being over a year. And I don't know how many other SIEM implementations I've seen that have just never been fully implemented.
Happens all the time. And that's the kind of software that SMBs are having to contend with, right? Massive licenses, integrations that take a ton of time and professional services, and just all of this knowledge, because it's super unintuitive to set up, to maintain.
Just all of this enterprise-level type stuff. And all of those solutions are not created for SMBs, but they are marketed to them, right?
It's just a scaled-down version of the enterprise version of the software that they have. It lacks cost effectiveness to actually help out in any meaningful way, any specific feature sets that are needed by smaller teams.
It's just not built for them. And there's a lack of players in the space creating solutions and software and features, whatever, for those subsets of the businesses that we have here.
And when you look again at that GDP chart before, there's a lot of companies out there that need those kinds of software and services, and a lot of times SMBs don't even know that they need a certain technology above what their MSPs tell them.
So what are some of the, I don't know if anybody in this audience is the right audience or not, but some of the things that we should focus on if we're servicing that market: trying to find out the specific pain points of the SMBs and MSPs that we're working with, and designing measures that take away that complexity and make it understandable; factoring people in, their roles and what they do day to day and who they have to contend with and communicate to, in the design and implementation of those things.
I mean, I don't know how many professionals I've talked to that can ever explain to me how Microsoft licensing works, like to a T.
Granted, there's a lot of information out there about it and a lot of documents and explanations, all that kind of stuff. But you can't just sit an admin down and expect them to do anything with it.
Right. Super confusing. I consider myself kind of smart, and I've tried to figure out licensing several times and I just kind of gave up.
This is another one of my favorite pictures. So I had to pull some more back from the archives, and this is when it was better. So this is the top of the server rack at the hospital that I worked at, prior to this.
There were also KVM cables everywhere that made it so you couldn't even see the back of the servers. And we had one of those really big box fans in the server room just to circulate air.
And it was not great. Granted, there wasn't spewing hot water in this one, but there were, I don't think you can see it in this picture, there was definitely just a regular sprinkler system also.
Not super great. And I don't know, I know it looked a little bit better when I left, but how many years of wiring debt do you think we had to try and contend with there?
So, like I said, Antisyphon is helping reframe how we're thinking about training, and we saw how much of a percentage SMBs make up of the economic population.
You can just use that same implementation story that I gave as an example, or really just think about every other piece of enterprise software that you've ever used.
You can't just tell a singular administrator at an SMB, I don't know, you're just going to have to run it, or you're just going to have to trust this professional service is going to use their Level 1 SOC analyst and keep you secure the whole time,
and they're going to catch every threat that comes through. Or that you don't only need to implement a piece of software, but you also have to keep it up to date with new threats, but those are changing all the time, and you also have to test all of those. Or they end up charging more than anybody's actually able to afford to get the features and visibility that they need.
So, what else do you want to. What time do I have? I have a little bit, a little bit more time. so let’s see here.
let’s go to the next one. Here we are. that’s another one. this, that’s young Amanda. What when she was all bright and super happy about all the servers she just took out of the racks and is replacing with VMs.
It’s like the first time I ever worked with VMware was around then. so that’s super fun. giant stacks of servers and stuff.
Another thing that you have to remember when you’re trying to tailor, ease of use is everything’s going to be trial and error. Don’t be afraid to fail and fail fast.
There’s entire like leadership books on that and ways of working to do that. Even if you’re a starting company from the ground up, you’re not going to get everything right no matter how hard you try.
what I learned, over a very long time in tech is you won’t find the easy to use and repeatable tools and processes all right away.
just don’t be afraid to try something new. Wait to see how it works in your workflow, work, how does it fit with your values and your strategy and then just continue to iterate.
We don’t always have to worry about getting it right 100% of the time. We just have to figure out a process to grow and make it a little bit better as we go.
There’s all the hard drives that I took out of all of the servers when we were actually moving away from spinning disks, which was really super fun. We had a SAN at that point, so storage area network, and we had to go out back and drill a bunch of holes in these because there was PHI on them.
Super fun. When I first got the outline for this talk, it was it. It.
What it is now is not what the outline was. It was presented to me that our PR firm wanted me to give, and I’m okay with that. But one thing that was listed on there that I thought was interesting was they wanted me to cover SMB-specific threat models.
Like you see here, mostly BS. Threat modeling is really super complex, and that’s why there are entire companies and job positions and everything around threat modeling.
It’s time consuming and, warning, your results may vary, probably will, with time, money, resources, all of that stuff that you need to worry about. Threat modeling is probably the least important thing that an SMB is going to have to worry about.
Just identifying common, in general, attack vectors. Right. And use a framework, whether you want to use MITRE, whether you want to use CIS, whatever you want to use.
Pick some kind of framework to tie your security strategy to and do that, like I’m sure there are way more fires to fix in security than you’re even going to need threat modeling for.
And this poor guy, this is Patch Tuesday, 2am at a hospital. And then we just fall asleep on the floor.
And then last thing I know I’m biased, but run a tabletop and see what your weaknesses are. Focus on what is important in your organization, what keeps your admins up at night, what keeps you up at night.
And run a tabletop and prove why it’s important. you kind of have to just balance that throughout because I mean people use tabletops to show why they need budget for certain security things or that you probably shouldn’t just be accepting the risk of this.
But definitely use different layers of that defense. Defense in depth is always talked about all the time, but there’s a lot of just normal things that you can do.
Just like tabletops and segmentation, access control, all of the things that I talked about before like UAC and whitelisting, just focus on the basics.
And once we democratize security and get the basics up a little bit more, then we can worry about the more difficult stuff that enterprises are worried about.
And then lastly invest in people. I know this doesn’t necessarily, I don’t know, it’s talked about a lot but maybe not necessarily enough.
I speak all the time to companies with like that fall into that small medium business. They have like one to ten IT people, no security experience beyond your regular like tool management.
they’re concerned so is their leadership that they’re not going to be able to respond to threats due to bandwidth. But then those same people are the ones that are entrusted to secure, hundreds of people that work and generate revenue and keep the company going.
and it’s just a super, I mean all of it’s a super stressful area to be in. and there’s just like a lot that you can do for your people to make it so it’s not as stressful and it’s a Little bit easier.
So you’re already here, so that’s helping, a little bit. Right, so like, continued education and training, if you’re in charge of the budget, at least 5% of your IT budget towards, training of some kind of development of your internal staff, you can do quarterly business reviews, all that kind of stuff.
and then just. Yeah, just care about your people and be collaborative and supportive, because that’s how you get IR done.
Like, we’re not all computers, so we can’t do it all if we’re just constantly stressed and at the end of our rope all the time.
And that’s it. So this is me, technically, as of yesterday. I think I have a new title, but I still work at Blumira.
And then I do our playbook and tabletop training with my partner Jeremy through Antisyphon, CEO of Mental Health Hackers. And then I also podcast.
So that’s a little bit about me and any. I’m. I’m. I have 352 missed messages, so I’m sure there’s questions somewhere.
Zach Hill
Oh, yeah, there was definitely lots of questions coming through. Thank you, for coming here, taking the time to do this with us today, Amanda. Appreciate it.
Amanda Berlin
Of course.
Zach Hill
So, just a reminder then for everybody, if you have any questions that, we didn’t get to during the stream, you can put them in the Discord now or in Zoom. we’ll try to get to them as quickly as we can.
One question that did come up is, what, tabletop, games and exercises do you recommend?
Amanda Berlin
I heard there’s this company that has this. It’s a card game, I think.
Zach Hill
Yeah, I’ve heard something about that one. I don’t know.
Amanda Berlin
Did you. Was it your question?
Zach Hill
What was that? I’m sorry?
Amanda Berlin
I said, was that your question?
Zach Hill
No, it wasn’t actually.
Amanda Berlin
Okay.
Zach Hill
Everybody else was like, yeah, everybody was like, Backdoors & Breaches. Yeah, yeah, there’s an online version of that that you guys can play as well, so you don’t actually have to have the physical cards.
But it is a great resource for you guys for tabletop exercises. We do give free demos, so, sorry to, like, hijack this, but, like, yeah, if you guys are interested in
engaging in a tabletop exercise, definitely check out Backdoors & Breaches. We do free demos for teams. So if you guys want us to sit down with you for an hour, we’ll walk you through how to play the game, get you set up with a DM, and it’s a lot of fun.
not everybody has to be super technical to play it, but it, it opens up a lot of conversation and I don’t know, every time I play it, I have a good time playing.
Daniel Lowrie
That’s what I like about Zach is like, you don’t have to be super techy to be able to figure out what’s going on with the game. You get the rules down and then the cards kind of explain themselves and it’s super fun.
Zach Hill
Mhm.
Amanda Berlin
One of these days I’ll have my own deck. I’ll be real happy.
Zach Hill
Whenever you’re ready. Let’s go. We’ll make it happen. Nerf is asking, have you seen anyone getting nailed by Microsoft by not having enough P1 licenses?
Amanda Berlin
I saw that. So like for the longest time that I’ve known about Microsoft licensing, in regards to logging, you were always told to just like, if you want extra logging, you just buy one E5 license for somebody and all the logging gets turned on.
And then you don’t have to buy E5 licenses for everybody. I guess they’re starting to catch people that have been doing that. which sucks because Microsoft has enough money.
Yes, I’m a stockholder, but I don’t care. Let the people have the logs. They should all be free.
Zach Hill
That’s what I’m saying.
Daniel Lowrie
Yeah. It seems like an interesting thing to charge. Just like saying, what, people use water. We should charge for that. Like you can’t have water.
Amanda Berlin
I mean, you mean.
Daniel Lowrie
No, I mean like as a basic human. Right.
Zach Hill
I mean, yeah, they still kind of do in.
Daniel Lowrie
They do charge for it, but if you need it, you can get access to it.
Amanda Berlin
Yes.
Zach Hill
Yeah.
Amanda Berlin
Right.
Zach Hill
how, how do people help or contact small businesses as a beginner to help with their security?
Amanda Berlin
So there’s a lot of, there’s a lot of different things you can do depending on where you, where you’re at. that’s one thing that I’ve come to realize. It’s really hard to reach all of the people that kind of need it.
Most of our customers probably didn’t even know they needed a SIEM. Local community stuff, to be honest.
I know I got my start, when I was getting my start in security, there was like a local business journal. I would help write for them and write articles about security that were like just plain articles that would just help any business owner become more secure.
I don’t know, just local community stuff.
Zach Hill
Yeah, there’s like, if you have like, a chamber of commerce or something in your area or like, city hall, that could be a great opportunity for you to kind of reach out to them to see if they put on any community events and things like that.
I know, like, I live in a smaller community and we have a chamber of Commerce, and they’ll, they put together, like, lunch and learn type of things pretty frequently, like once a month or something like that.
that could be a great opportunity for you to kind of sit down just to get in front of the community, for one. But also, you’ll have some small businesses that might show up to those things as well, and they do a lot of that outreach for you too.
So if you can get involved in, like, the Chamber of Commerce, they’ll like, outreach to, like, members of their, chamber to let them know, like, hey, there’s an event coming up somebody wants to present about, like, cybersecurity.
That, could be a great way for you to one, like, do. Do maybe your first talk. Right. And kind of put yourself out there. but help out the community as well. they definitely need it.
I don’t think there’s especially smaller communities. There’s really. There’s nobody out there, I think that really focuses so much on, like, cyber security and best practice and things like that. There’s a lot of just generalized IT groups or IT support, like small businesses as well.
But there’s nothing out there that really has a. A strong focus, I think, on. On security and where it needs to be these days. Especially, like, they’re very small businesses that are like, 100 or less users.
Amanda Berlin
There was a question in the Q and A about links to slides, ideally not Discord. I don’t know if you guys send out slide links any other way, but I can always tweet it.
Zach Hill
Yeah, I can share the slides here. on Discord. I’m do that right now. Give me a moment.
Amanda Berlin
Right.
Zach Hill
The slides should be added to the resources section within zoom.
Amanda Berlin
nice.
Zach Hill
No, I don’t want to hide that from. Click to show. Okay. Yeah, now it should be there. My bad.
Amanda Berlin
and then what helped me the most to pivot from sysadmin work to cyber security, in regards to, like, what a lot of people talk about, right, Is like, how do I get my foot in the door in cybersecurity kind of thing?
I’ll talk about that first. what made that easy for me is I found a network security job, so at least had security in the title.
and then I was able to, I was doing stuff that I did anyways as just a regular network admin. I was just like, I don’t know. I had security under the title, so I made sure there were block rules in place.
I was doing that as. Anyways. it’s easier once you have security in your title to kind of pivot anywhere in security, I think. as far as skills, that was a long time ago.
let’s see here. Probably more knowledge of Linux and what, and Mac and then eventually cloud.
because when I was doing sysadmin, it was literally all Windows and no cloud. So knowing like, I hate the term, but threat landscape a little bit better helped.
Zach Hill
Yeah, sysadmin rules. I mean, you typically run across, like, you get everything thrown your way at some point in that type of position. Especially like, depending on the environment that you’re in.
I can more speak from like a, like smaller environments as like a sysadmin, where it’s just like you’re kind of like a, A Zach of all trades, if you will.
Amanda Berlin
Yeah, right.
Zach Hill
Like that, that happens very frequently. it’s not until you start getting into like those larger organizations where like a sysadmin role is really defined as like, oh, you’re actually just only doing system administration types of duties.
I would imagine throughout the years, like, yeah, you’ve got to experience a lot of different things thrown your way that, that have helped and probably helped like, really form your path, your, Your journey.
Yeah, like, especially like, again, in this admin role, it’s like you were at one point, like probably looking through logs very frequently and it might have been like, oh, like, I kind of enjoy this.
There’s these little, you get these little pieces of things that, that kind of stand out. and I think that’s, that’s really something. I think that’s overall exciting about it in general, not just like cyber security is just like, as you’re going through your career, you’re experiencing like these different roles.
You get, you get introduced to different things and you’re never kind of like pigeonholed to stay in one area. You’re never like siloed in one area. Like, it is like one of those careers where it really gives you a lot of flexibility in what you’re doing, where you can expand and grow and like start doing more of the things that you enjoy.
just as you’re kind of like accelerating through your career and you’re like, experiencing that right now.
Amanda Berlin
Yeah.
Zach Hill
Which is great. I love that. I’m excited for you.
Amanda Berlin
Yeah. yeah, I remember I was going for like, my CCNA and studying really hard to get that, when I was a sysadmin and then I found out that security was an actual field and then I’m like, well, I don’t want to do networking anymore.
Zach Hill
Right.
Amanda Berlin
Like, that looks way cooler.
Zach Hill
If there’s anybody else out there that has any other questions for Amanda, definitely throw them in the chat and we’ll try to get to them. We got a few more minutes here left. We will be going and joining our breakout room after this, which is our AMA.
So if you have the Zoom, application installed on your device at the bottom of your screen there, you’re going to see breakout rooms. And we will have, our AMA room created there here, momentarily, so that we can join that and y’all can come and join and ask whatever questions you have.
Amanda, you’re not required to be there if you don’t have the time.
Amanda Berlin
It’s all good. Do I stay for that or not? I can. I could. I couldn’t remember.
Zach Hill
No, no, it’s up to you. It’s definitely up to you. We.
Daniel Lowrie
The more the merrier.
Zach Hill
Yeah, absolutely. Merrier. But we open up to the community to get them involved.
Amanda Berlin
So, yeah, I’m free until 2, so.
Zach Hill
Perfect. Yeah. Awesome. And then another reminder that I didn’t get to earlier today in our pre-show banter, but I want to let everybody know that we do have a couple brand new pay-what-you-can, or pay-forward-what-you-can, workshops coming up in January.
I’m going to post the first one we have with Patterson Cake on investigating M365 email compromise. That one’s on January 10th and it’s a four-hour pay-what-you-can workshop.
And then we have Beau Bullock doing Introduction to Cloud Security coming up on January 24th. Another pay-forward-what-you-can workshop.
That one starts at $0, so would love to see y’all join that and, come hang out with us and learn something new or just maybe, touch up your skills a little bit.
I don’t know if I missed any questions when I was going through our whole spiel there.
Amanda Berlin
Somebody asked if I had any stickers available. Oh, for Blumira. I’ll send you a message.
Zach Hill
All right. Yeah. Any other questions? Otherwise we can get started on our other AMA, which, that one’s a very open format where everybody is welcome and it’s.
There’s no question. Well, I guess there are some questions that you shouldn’t probably ask in that, but otherwise it’s pretty open format, and we’re here to help you. So thank you, everybody, for joining the webcast today.
Thank you again, Amanda, for being here and sharing your knowledge with us. We always appreciate that. Another, reminder that we won’t be here for the next two weeks, so take some time off, do something fun, exciting with your time.
Maybe, maybe Daniel will do more live streams on his YouTube channel to make up for it. We’ll see.
Daniel Lowrie
I. I will be. I will be.
Zach Hill
There you go.
Daniel Lowrie
Next week. Is next week Christmas?
Zach Hill
It is, but.
Daniel Lowrie
Yeah, but it’s on, like, Wednesday, right? So totally doing it that way. Doing the week after. So the only, the only conflict I have is I’ll be at ShmooCon on the 10th, which is a Friday, which is when I normally do my live stream.
Zach Hill
I’ll take over for you. We got the team Simply Cyber. Do it.
Daniel Lowrie
There you go.
Zach Hill
I’m gonna put a link to your, YouTube channel in the chat there. Daniel, what’s up, Amanda? I’m sorry.
Amanda Berlin
Oh, I’m just sadly not going to,
Zach Hill
I’m not going either. Daniel’s going. Yay, Daniel. All right, well, yeah, that’s it. We got, for this webcast today. Thank you all for joining us. We’re going to get this breakout room started so you can get kicked over there and, start answering your questions.
So, until, I guess until next time, see you all in about three weeks or so. Take care, everybody, and happy holidays.
