REDD – Business and Technology Podcast Episode 002 with Rob Brown Director Cyber & Forensics at McGrathNicol

In this episode our hosts Jackson Barnes (BDM – REDD) and Brad Ferris (COO – REDD) interview Rob Brown (Director Cyber & Forensics at McGrathNicol) to discuss Cyber Security in 2022. Particularly we discuss the recent Optus and Uber hacks, Essential 8, Cyber Insurance, Cyber Awareness training and the key risks facing SMBs in Queensland.

If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show please get in touch either via our website, [email protected] or or through any of the links below.

https://www.linkedin.com/company/redd-digital/

https://www.linkedin.com/in/bradley-ferris/

https://www.linkedin.com/in/jacksonpbarnes/

https://www.linkedin.com/in/robert-brown-23780854/

Thanks for watching!

You can find the full transcript below:

– Welcome to Redd’s Business and Technology Podcast. My name’s Jackson Barnes, co-host Brad Ferris, and we’ve got a special guest today who’s an expert in the cyber security field, Rob Brown, from McGrathNicol. We’ll be touching on everything cybersecurity focus, some recent events and what businesses can do to protect themselves from the risk of cyber threat. I guess we start, probably might introduce myself properly, so Jackson Barnes, being a business development manager at Redd, technology advocate and cyber security advocate. Brad, did you want to introduce yourself?

– Yeah. Brad Ferris here. I’m COO and one of the Co-founders at Redd. So thanks for joining us on our very new podcast.

– Yep, episode two. Thanks Brad. So Rob, I guess did you want to introduce, well, firstly, thanks for coming on. Really appreciate it. I know you’re a busy man with a lot on, with all these recent events, probably even more so than before. If you want to introduce yourself, and maybe just focus on yourself, not McGrathNicol at this stage. And what you’ve done in your past career wise to get you to where you are now.

– Yeah, sure. So Rob Brown, I’m a director at McGrathNicol, previous to that, also been there for four and a half years, which is probably the longest employment I’ve ever had in my life, so it says something about McGrathNicol. Previous to that I worked for a big four consulting firm prior to that was in law enforcement, so worked for two police services in Australia, one being Victoria Police, one being South Australia police. So started my journey in security in the law enforcement side of things.

– What made you want to make the change from the police force to cyber security?

– I always wanted to get into E-crime that was my focus when I was in the policing. I always had interest in E-crime as a discipline I guess in policing going down detective road. So I was studying at the time and then life changes took me to private consulting. So ended up leaving the police much, much sooner than I anticipated. But yeah, it’s taken me down a really exciting, and interesting journey after that. So no regrets from that one to be honest.

– That’s awesome. Did you want to cover off, I guess, so you are a director of the technology and cyber side of McGrathNicol. What does your team do?

– Yeah, so we’ve got a broad range of capabilities, and services. We offer, like any consulting firm, specifically myself, focus on cyber security work, where that’s proactive cyber security work, so assisting clients with identifying cyber risks or mitigating those, coming up with plans, strategies, things like that, doing assessments. And then I also focus on the reactive side of things. So I lead the insert response team. So that’s if something goes wrong from a cyber security incident that we get parachuted in, usually to assist clients with trying to contain the issue, investigate what happened, how it happened, ensure that the threat actor also known a hacker isn’t in there anymore, isn’t causing any havoc, and then investigate what might have been done while they were in there. So do like an end to end type investigation or any aspect of that instant response. So from a day to day, can’t really anticipate what’s going to happen when you walk in the door or at six o’clock at night on a Friday you might get a call that somebody’s had a cyber incident. But we do a lot of proactive stuff as well, which is nice to speak to clients proactively about cyber risk rather than always reactively responding to stuff. So I’d say business wise we’re about like a 60, 40 split, some proactive 60% and 40% reactive. Which is nice to have a bit of both because I think doing instant response a hundred percent would get pretty tiring.

– Yeah. I imagine there’d be a lot of weekend work in that. And that’s when most like Friday night, Saturday morning kind of stuff is when it would ramp up and get out of control.

– Yeah, totally.

– How big is your team in Brisbane?

– Brisbane we’re 12 in the tech team, about 50 all up in the office. But as a consulting advisory practise, we have a mix of capabilities. So we do forensic accounting, things like that, insolvency administrations. But then we’ve got a large tech team to support those functions internally as well.

– And then you guys would operate nationally as well, no doubt.

– Yes. We’ve got a national team in every major capital city can respond every major capital city and regional centre as well. But yeah, we’ve got teams in Sydney or Sydney, Perth, Canberra and Melbourne as well. So good national presence.

– Very cool.

– Is your team growing with the cyber risk growing over the past few years? Has your team naturally grown with that as well?

– Yeah, definitely. When I joined McGrathNicol, there were three people on our team. So I was the third person brought in to join and since then, we’ve grown to 12 and that’s in four years. So decent growth locally and then nationally as well. They’ve experienced the same sort of growth in each of the capital cities as well, the need has increased for people in the cyber industry and naturally we’ve got clients who use us for other aspects of the work that we do. And then they always get interested in the cyber security stuff as well. So again, it’s a bit of that.

– With that kind of crossover.

– Yeah, crossover. Yeah.

– Makes sense. So I guess in this podcast we want to get some of your insights as being an expert in that cybersecurity field. Topic all because was it yesterday?

– Optus, yesterday, Uber last week.

– Some ridiculous.

– Perfect timing mate, thanks for coming.

– Didn’t plan that at all, but there you go. From your point of view, as an expert in that field, did you want to go through the Optus breach that happened yesterday? I know it’s not all fully known yet, but what happened there and what other businesses in Queensland or across Australia should be aware of so that they’re not the next Optus?

– Yeah, so Optus is an interesting one because it is so fresh and I saw them get a bit roasted in the media today because they said that they were delayed in getting information out there about the breach. But actually in fact I think they’ve actually notified people pretty quickly given they only identified this on Wednesday. So, I think that’s a lot that’s unknown at the moment probably. The fact that they know that there’s that many people from the general public who are affected gives me a good idea that they must know what’s going on internally and what was actually accessed at the time. So in terms of public people impacted from the general population, I think it was like 7 million or something like that. Like quite. Quite huge. And you think about the information that Telcos will request of you when you sign up for an account. The type of information they hold is pretty serious, and can be used later at all down the track if it’s taken to monetize identity theft, things like that used to set up, fake bank accounts, bank credit cards, used to set up fake mailboxes for drug drops and things like that. All sorts of stuff.

– They usually do. They still call that hundred points ID?

– It can be everything.

– Passport, driver’s licence, billing address.

– And the problem with organisations and that’s not just to Telcos but everybody, once we have information, we’re not really good at getting rid of it. We keep it, we hold onto it, we store it, it’s saved somewhere, but we’re not necessarily really good at disposing of it after we don’t need it anymore. So we tend to retain a lot of information, and when that information is personally identifiable, that’s a huge risk for organisations. So if they don’t need it anymore or it’s not required or it’s in a database, then you can get rid of some of it potentially. Or once you verify your customer who they are, you know them from the a hundred points, do you need to maintain that information necessarily? But I mean data, you guys will be well aware client data, like they’re requesting more and more storage all the time because they’re creating lots and lots of data all the time as well.

– And I think I’ve heard from like real estate and law firms after they have to have the data, try and get rid of it. But you’re right, I think most other businesses out there just keep data forever and they don’t have proper attention policy for right now. So that’s good advice for sure.

– Yeah, it’s something we come across all the time. Like there’s a data, a life cycle where from creation to storage to transmission to and deletions is part of that life cycle, it’s supposed to be anyways. But we are not very good at getting rid of it. It’s supposed to be seven years for some data for financial records and stuff like that, but a lot of companies don’t have necessarily a policy around it in getting rid of it. That’s one of the biggest risks. And I guess that’s with Optus, the type of data that they maintain and the data that was potentially taken or alleged to have been taken. That’s going to be interesting to see how, if it’s sold or how it’s used or who takes responsibility for it or sometimes you don’t even know the repercussions of what’s happened or the true impact until a couple years down the line when people start getting weird accounts set up in their name or bad credit ratings or things like that start happening.

– Has anything been said about that one? Like I know Uber was the guy was just a kid who was trying to prove a point, I believe is my understanding, but was Optus actually cyber crime for profit?

– I heard there’s something out of firewall, but I don’t think there’s a definitive answer yet of what happened.

– Misconfiguration of firewall I think is the root cause that’s been identified. But in terms of threat actor group, I don’t think they’ve been identified yet who’s actually responsible for it. But I know ACSC obviously given the critical infrastructure nature of the Optus. And I’m sure that there’s heaps of government organisations who use Optus and their services. And they would’ve been identified as a critical infrastructure business under the new legislation for sure. So ACSC would be definitely involved.

– All over that.

– One thing that is for sure definitely is not good for Optus’s brand name in the market right now. All of their customers having to reset passwords, and change who they do the mobile phones through, that kind of thing. So that’s a little bit scary, that’s for sure. Over to the Uber breach happened a week ago. Did you want to give your rundown of what happened in that breach because that was a pretty unique one, what went down there and luckily from what we discussed internally wasn’t too bad the actual outcome, but it was still pretty scary. Did you want to go through as a professional in that field, what happened exactly?

– So again, from a lot of the information just been what’s dispersed in the media or what people researchers have put out there as to what actually happened. I don’t know if Uber’s necessarily come out and confirmed the exact attack chain, but I guess from the inception of it, it started with a user awareness issue. So it came back to a user receiving a push notification on their phone from multifactor authentication, which is somebody trying to log into their account with legit credentials. And I think that they were being spammed by these push notifications and just ended up pressing approve on the push notification they received on their phone, which then gave the person who had the credentials immediate access to their account. And then from there it led to identifying other credentials of administrators and things like that, that could be used to then traverse the internal network and then get access to things like central one, which is their EDR platform and an AV tool that they were using. And access to all sorts of information as well. Once you have a decent level of privilege in somebody’s network, it gives you a very good level of access to a lot of information. Which actually is the castle.

– I’m pretty sure there was administrative account or something that was plain text stored somewhere they got access to.

– And I mean with Windows servers, a lot of credentials are stored in plain text that you can dump from memory or you can dump patches and crack them offline. There’s a lot of ways that threat actors will do that. And we see it all the time. Once they get access to an environment, they move quickly to try and identify potential accounts that they can use to then continue their attack and do as much damage as possible. And that’s with usually privileged accounts. So administrator accounts is what they look for.

– It’s quite scary that an 18 year old one person can breach large organisation like that. I guess it’s a good outcome that it wasn’t, a big cyber criminal company and they were trying to do something really bad because that could have got really nasty.

– Well, and again, it’s the classic tried and true technique, the social engineering, that’s the one that’s really hard to protect against really.

– Yeah. It’s always a person at the other end of the keyboard who’s got biggest risk.

– The biggest risk.

– The biggest risk to the organisation. You can have all the controls in place, and obviously they had, they are a big enterprise organisation, they’d have heaps of security, great controls, but then it comes down to somebody accepting a push notification on a phone that wasn’t legit. What can you do as an organisation? Again, like just train, train, train.

– Train your staff. So what advice have you given to organisations who’ve been done by social engineering and they’ve put all the pre measures in place, like had firewalls and they’ve had MFA enforced across, they’ve got proper threat detection response, tools rolled out, but they have been breached like Uber for example. What advice have you given back to that organisation post the attack?

– So, cyber awareness is key for any organisation, small or large. Again, like if somebody can identify a potential threat actor using their account or a suspicious email that might have a malicious link or malicious attachment. The person who’s receiving those emails, they’re the forefront of cyber security for any organisation. So, web filtering, email filtering, things like that stuff does get through. There’s ways of bypassing those things, those technical controls. So cyber awareness training is one of the key, things that we always are banging on about it. It can be a bit boring and people glaze over when they have to do mandatory training and things like that, but it does hopefully lift up the cyber security maturity for an organisation. So that’s one aspect. The other aspect I guess is making sure you’ve got, in cyber security we talk about defence and depth. So you can have a really, really great hard perimeter, which is great, but if the inside’s all squishy and mushy, and you don’t have any security controls internally, then that’s going be a problem. Somebody breaches that in external perimeter. So you want to have a bunch of controls throughout, the perimeter and then once you get inside anti tamper on your EDR. So if you’re using like , or Symantec or Central one, like big end of town, they’ll have the option to have anti tamper in place so that you can’t delete or modify or change things without specific codes or access. So there’s a lot of different, I guess process depending on the size of the organisation that you can put in place or controls, but it’s not just making sure that your external perimeter is secure. It’s actually about a lot more.

– How would you rate awareness at the moment in general? Like how are you seeing, anecdotally, just myself, I definitely see it as definitely being more topical and people are probably aware how deep that awareness is, I’m not sure, but when you’re out in the field, and working with your clients, how would you write that awareness curve? Is it kind of growing at a rapid rate now or still a bit steady still a bit ways to go?

– Yeah, it definitely depends on the industry I think some people are very interested in it, and so will take on the message. Some people, again, not necessarily as interested or as savvy from a tech perspective. So it’s a bit harder to get the message through. And they’re the ones that hackers will prey on. They’re the ones who they, send off 50,000 emails with this one email address that they’re hoping that is going to click on it. So, but yeah, I think that things like Optus, things like Uber, things like that that are in the media, the more and more it’s in the media, people become more and more aware of it being an issue. But business email compromises haven’t slowed down. I think that’s why Microsoft’s actually forcing everybody to have MFA on their account from November. I think that’s a requirement going forward just because it just doesn’t exist, and it’s one of the key ways that hackers are getting into environments or committing fraud. But from a cyber awareness perspective, we do a lot of training with clients and we usually see after a decent cyber awareness programme, a bit of uplift in their maturity and being able to detect things and people know, oh yeah, that’s the phishing email and this is how it should report it and things like that. So we do see from the start, yeah, might not be great maturity, but towards the end of a a programme you definitely see an increase in people’s ability to identify things, which is good.

– So your two bits advice are cybersecurity awareness training and then the internal tools, and policies to reduce the blast radius when stuff actually does get through that initial perimeter.

– Yeah, I think that’s one of the things, again, it’s cyber security strategy is the defence, and depth strategy. It’s one of the things we always bang on about. Because if you can identify something, you don’t identify at the exterior, but you can identify as it gets in, you can minimise the impact.

– So, from what you’ve seen Rob in the Queensland market or Australian market in like the recent three months, what industries and like size of companies have been the biggest targets? As in like, generally speaking.

– We’ve responded to all sorts of sizes and industries. I don’t think necessarily there’s a target from some of the threat actor groups that we see. They’re more looking for known vulnerabilities, so scanning for known vulnerabilities, and when they find one, doesn’t matter if it’s a hospital, local government, a mining company or a two-man show that does accounting business somewhere like a finance business. They find the vulnerability and they’ll try and exploit it and they’ll try and exploit that client or that customer. So that’s one thing. So we’ve responded to local government recently, mining client recently. I’m trying to think. Yeah, it doesn’t seem to discriminate unfortunately.

– So just wherever they can get in though.

– Yeah, yeah. So for known vulnerabilities, things like the exchange vulnerabilities that we saw last year, proxy shell was a main one. So scanning for those vulnerabilities, Lockeford J was a big one obviously. We’re still seeing scanning for that when a threat actor gets in, they’re looking for those vulnerabilities. When a new vulnerability gets dropped, if it’s not patched right away, we’ll see that try to get exploited. A couple years ago was firewalls was a big one, they had a vulnerability that a lot of people hadn’t patched for, which was being exploited. We did like three ransom wares in a space of three months for that specific vulnerability. So yeah, it’s just what’s the flavour of the week sometimes and who’s not patched it.

– So I guess that’s probably another thing we wanted to cover. So you’ve kind of answered that in that response. We were going to ask, what are the biggest risks? Like if you are to cover yourself, to identify those key risks. So it sounds like patching obviously is absolutely critical. Training.

– Training.

– Or maybe over to you, what do you think?

– So, I mean essentially for the ACSC, Australian Cyber Security Centre has the essential aid. So it’s a framework that they recommend that all businesses in Australia adhere to. And they say if you implement all the controls within there to some sort of level of maturity, you can prevent 90% of cyber tax.

– And then that’s a good one. That’s a good one. And the maturity levels?

– So they’re one to three depending on the extent to which you’ve deployed the control. So like multifactor authentication again is one of the key ones that they, and that’s one I would recommend that all customers put in place. And people go, Oh yeah, I’ve got Microsoft 365, I’ve got, multifactor. And it’s like, what do you use remote access into your environment? The VPN, do you have MFA on that? And they’re like, Oh no, I don’t have MFA on that. So there’s always other external accesses that need to be considered, not just email for multifactor.

– So would you say, and it’s an interesting one, like on our end as we’re having this conversation with clients. Would you say, at a minimum everybody really should be on maturity level one?

– I’d say so, yeah.

– At an absolute minimum?

– Well I mean there’s harder ones as part of the essential light. There’s harder controls to implement, some are easy, some are hard, some are process driven.

– Striving too.

– Yes, exactly. So like MFA is one that I think is no brainer now, in this day and age and what we know, and how we know it happens. Again, Uber had MFA, but the way that they’d I guess configured it or enabled it just meant that somebody hit the approve button rather than entering a code or something like that.

– It’s funny, you’d go to so many small businesses, and they say, yeah, I’ve got MFA on my accounting package so we’re sweet. And then you go, oh, but you log into the computer and you’re all your files sitting there and they’re like, oh yeah, we’ve got MFA on the accounting system, so we’re sweet.

– Look, we also kind of see it loosely enforced, and they’ll always be, it’s generally the more senior people in a business, especially in the small to medium space where it’ll be an owner or a director, and it annoys them a little bit. So they ask for it to be turned off. But it’s like you are kind of the account that they’d probably want to get into. You’re going to have all the keys to all the different systems in your account. look from my seat where I’ve been sitting, I have seen that awareness building, people are being a little bit more responsible about it. However, there’s still a few people who, you really have to balance the risk versus convenience, I suppose in this case. And I think the risk have really started to outweigh convenience and people are, okay, fine, we’ll do it.

– Yeah. Oh totally. There’s some controls like I said, that are you hard to implement like application control, it’s not something you can just flick a switch on, and then it’s working. It’s a hard process. It can take a lot of time, a lot of testing. It’s not an easy thing to do. So yeah, having a proper patching regime in place to make sure that your operating systems and applications are up to date, that’s something that you can do. You can put a process in place to make sure that if something gets identified that’s critical that you patch it right away. And you’re not running legacy, Microsoft Windows XP.

– What other security frameworks. So when you come across an organisation, say they’re a hundred person construction company or their thousand person hospital for example, what security frameworks do you recommend they use, and like what are the top ones that you recommend apart from the essential aid, which is just kind of like a blanket coverall for any small business. What are other frameworks that you align to and recommend to organisations?

– So depending on the organisation, Nist is a great one. They’ve got several different frameworks that they have released. And the cyber security framework or CSF is probably a really good one for that small to medium enterprise organisation to understand where their maturity is, where the risks might be. It’s got a good level of technical control in the framework built into. It’s not just based on policies and procedures, and things like that. It actually understands business risk. It follows a proper process. So it looks at, from your preparation to your ability to identify and detect cyber instance, how you would recover from a cyber incident if it did happen from backups and things like that. So the Nist CSF or cyber security framework. It’s a really good one. It’s really adaptable from a small, again to medium enterprise organisation. The larger end of town is going to be more interested in getting certification potentially. So like ISO certification is a big one that we see. So ISO 27,001, which is a cyber security risk management framework. That’s one that’s very popular I guess if organisations want to prove that they have a good level of process, and risk management internally to deal with cyber security. And that’s all about your processes and policies, and things like that. So that’s a good one as well that the bigger end of town looks at. And even organisations like McGrathNicol when we’re trying to prove, look we take cyber security seriously, have certified ourselves, we’ve gone down the certification road and got certified through ISO 27,001 as well.

– So I guess in that vain, it’s all about managing risk at kind of an organisation and a company level, board level. So you can put all the tools and practises in place, and then effectively what’s left over you try, and insure for. So I just wanted to get your thoughts on, or what you are seeing in the market for insurance, and what insurance companies are asking for. Because I’ve been reading that they’re asking for more and more and more protection controls and things in place. Is that kind of what you are seeing as well?

– Definitely. I think insurance businesses have been burned the last couple years over the amount of people making claims on their policy. Especially with the rise of ransomware. Business interruption is a huge cost in cyber incidents. People think oh, like the cost of getting people like us in to investigate is expensive. That’s not the expensive part. The expensive part is if your business can’t operate for several weeks, a loss of business or business disruption costs is huge. So yeah, what we’re seeing is a greater, I guess, scrutiny from sovereign insurers before they actually give somebody a policy actually understanding where their maturity is sitting, and making sure they’ve got a great level of maturity and minimum level of standards as well.

– And how far do they have to go? I mean do you have to get down to, detection and response or just aligning to a framework, some controls, a combination. I guess it depends on like a lot of factors that go into it, but I mean is it trending towards having to have active cyber control?

– So I think that from what I’ve seen, and what we’ve seen is that they want to make sure you have minimum policies and plans in place like instant response plan, they want to see that, that you’ve got a disaster recovery plan, how are you going to recover if you have a cyber incident, they want to see that on paper, and make sure you’ve got something. Bigger end of town, they want to make sure you’ve tested those things as well. So if you’ve tested your instant response plan and done, a tabletop scenario with your board or the crisis management team to make sure if it does happen, you actually know what you’re going to do. So we’ve seen that. I’ve seen MFA as a non-negotiable, like not even being considered for a policy unless you’ve got multifactor authentication in place. There’s a couple different insurers out there in the market. Some will take on the risk, some will make you pay a lot more for the policy depending on your maturity level. We’re seeing a bit of a shift as well in businesses and organisations going down the self insurance road and spending the money rather on a cyber insurance policy, on a cyber programme. Because I think that the return on investment is greater to invest the money they have to spend on a policy annually. On actually increasing and improving their cyber security internally.

– I actually had that conversation with a client like two weeks ago and they were saying, yeah, this is our cyber insurance, he just showed me their quote and he said, yeah we’re looking at not doing that and just putting in better business continuity and in some response plans in place. What’s your advice around that? We say as well, definitely get cyber insurance because if something goes wrong.

– It’s almost a spectrum. So how much you’re doing over here, how much controls you’re putting in place. And again, you kind of have, well here’s your risk spectrum so you cover a bit here and that could be your controls, you could spend more money on controls, and detection response, et cetera. And that takes you a bit further out and whatever that gap is, I suppose you’re trying to, you’re inured for. I’m definitely not an expert in the field, but it’d be interesting to go no insurance.

– And some people are are doing that, some people are doing, or some organisations are going, again, the minimum level of coverage, having some coverage in place. But not getting a policy that’s worth the millions and millions of dollars that they might require if something does happen. And again, investing that money that they would’ve spent on a cyber insurance policy, even putting it into actual cyber programme themselves or buying some new kit or investing in people, things like that. That’s what they are doing instead. It’s a probably a work in progress in terms of where we’re at this stage.

– It’s very dynamic isn’t it?

– Yeah, it is. It’s changing.

– Rapidly.

– Again, I think cyber insurance got burned over the last couple years I’ve heard some insurers are trying to get out of the game again, probably making their policy so cost prohibitive that nobody wants to buy it potentially. But yeah, it’s a changing market for sure. Obviously there’ll be a space for cyber insurance, and some organisations will have a great cyber programme, and great maturity and still will buy cyber insurance because they’re the type of enterprise organisation that needs that and wants that coverage.

– It’s quite a weird one because small businesses who don’t have all of the procedures and business continuing and that stuff set up, they’re the ones who need cyber insurance more, but then they’re the ones who get the cyber insurance being twice the across everyone else and they say, Oh we can’t afford that or get away without it. So, I mean, it’s a no win kind of situation in that industry right now really. And we had a cyber insurance provider a couple weeks ago and they said, yeah, we’re just turning away some clients because they just didn’t have these measures in place, and their policy was coming due and they had not enough time to put the measures in place to get to like maturity to on essentially, for example, to get cost effective cyber insurance. So they just turned them away and said, Oh we’ll deal with that next year or something.

– Yeah, yeah. Like you’d tell those organisations talk to the brokers because their brokers should hopefully be able to find somebody who would potentially give them a policy or something or be able to tell them what they need to do to get a policy anyways. Again, it’s a changing space. It’s a interesting dynamic market. It’s going to evolve even more probably, and I’m not again a cyber insurance expert either. So I wouldn’t profess to say that I know what’s going to happen. Yeah, I think if we all had crystal balls it’d be interesting.

– Yeah, like you said, what you do on a day to basis changes every time. Every day.

– Everyday, every time we get a new, investigate new cyber instant, it’s changed. Threat action groups change, they’ve become more and more efficient, they’ve become more and more sophisticated. The tools that they use are becoming more and more custom built themselves. They’re engaging their own developers to develop their own tools. They’re actually paying for their own pen testing for people to identify vulnerabilities within their tools to make sure.

– The threat actors are?

– Yeah. So Lock Bit was one that went out and said, claimed that their encryption tool was, best of breed, was amazing, was paying somebody for like bug bounties to identify vulnerabilities in their code.

– That’s like a whole industry, and I know you can get like ransomware as a service, you can buy now and stuff. That’s just scary. That’s an whole industry, that whole.

– It’s not what’s going on out there at the moment. I mean you could talk for a long time on this.

– It’s crazy.

– A whole industry, just the tractor side.

– So we’re seeing that like it’s sophisticated, two years ago we would’ve seen an organisation that got compromised and somebody trolling through their file server and collecting files, and putting them in a staging location in a folder, and then uploading them to like a cloud service like Mega, that doesn’t happen anymore. They’re using custom tools to exfiltrate data quickly. It’s going out over the internet so you can’t even identify potentially what it is that’s going out or the amount of data. They’re compressing it when they’re actually sending it out. So you can’t actually tell the volume of data that was taken. It’s not leaving a lot of their forensic artefacts that we usually see during the process. So where somebody accesses a file or folder it will leave, like a fingerprint behind. We’re not seeing that as well. So it’s making the anti forensics that they’re employing as well as part of their tactics is improving, and making our job a lot harder as well.

– I was going to say that, it sounds like they making you a lot harder from the forensics instant response side, if they’re deleting all their tracks and constantly involving.

– Cleaning up after themselves. They’re getting really good at that, because they understand what we look at for, and when they’re trying to extort a business after they’ve taken all the data, they want to have this illusion that they’ve taken heaps amount of data, we can’t actually identify what they’ve taken. They want this ability to go after them for as much money as possible by making sure that they have no idea what has actually been taken. And it could be great stuff, it could be, stuff could be bad but not necessarily terrible. Could be stuff like the customer information from Optus, which is worst case scenario. So if they have that illusion about what’s actually been taken, then the organisation trying to negotiate with them puts them on the back foot.

– Yeah, it’s a scary world out there. So scary when an 18 year old can get into Uber. Conscious of time. Is there anything else you wanted to add Rob, before we close out?

– We talked about what companies can do, really understanding and I think we touched on it, like understanding your environment, understanding where your weaknesses might be, your risks are. Using a framework is really important because then you can monitor yourself against that framework as your journey continues. You can put a programme in place to make sure you’re addressing your risk. You can report on that risk regularly. So really getting a framework to get behind you on your journey is a really important thing. Wrote some other things. Remote access, something we see all the time, remote access into an environment make sure it’s secured appropriately. It’s one of the things whenever we get sovereign, and obviously you’re trying to find how threat actor got into the environment and it’s usually misconfigured remote access somehow, whether it’s through a firewall or through remote access tool that didn’t have MFA, VPN, something like that. So just being really confident in the way that your environment’s being accessed remotely.

– Yeah, that’s good advice. Really appreciate you coming Rob and sharing some insights. Some really good takeaways from what you shared about aligned to a benchmark for example, and getting a cybersecurity awareness training for employees, but also looking past that initial perimeter, having the policies and tools in place to reduce a blast radius of when you do get affected. And it sounds like you’re going to be very busy with everything going on the market. Really appreciate it Rob.

– Thanks guys.

– How can people reach you if there need some advice around cybersecurity?

– Well, mcgrathnicol.com, the website’s easiest one. It’s got all my information, numbers for everybody on there as well. And through Redd obviously, you guys have our details.

– Awesome. Appreciate Rob, thanks for coming.

– Thanks for sharing.

– Cheers.