WEBVTT

00:00:00.000 --> 00:00:03.440
JACK: Hello, hello! Today is a great day, isn’t it? In this episode I’m gonna

00:00:03.440 --> 00:00:07.680
gush about ThreatLocker. Why? Well, currently they’re my biggest sponsor,

00:00:07.680 --> 00:00:12.720
which makes them my favorite sponsor. But what I’m saying is that this whole episode

00:00:12.720 --> 00:00:17.120
is brought to you by ThreatLocker. But don’t worry, I found some pretty great

00:00:17.120 --> 00:00:25.097
stories from them that I think you’ll find interesting and educational. So, let’s go.

00:00:25.097 --> 00:00:31.920
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:31.920 --> 00:00:50.234
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:00:50.234 --> 00:00:54.640
JACK: Do you want to mention your name or company name, or do you want to keep that out?

00:00:54.640 --> 00:00:58.960
GUEST: No, I’ll keep that out. I’ll keep that out. Just — I guess that’s just to

00:00:58.960 --> 00:01:02.000
do with the fact that we don’t want people to know what we use.

00:01:02.000 --> 00:01:06.080
JACK: Yeah, I feel the same way. Everyone’s asking me like, what do you — what’s your

00:01:06.080 --> 00:01:09.240
privacy stack? I’m like, if I tell you, now you know exactly how to target me.

00:01:09.240 --> 00:01:10.954
GUEST: Yeah, exactly, exactly.

00:01:10.954 --> 00:01:13.280
JACK: Okay, so, the first question was who are you and what do you do?

00:01:13.280 --> 00:01:23.120
GUEST: Yeah, I can generalize. So, I’m the group head of IT operations for a manufacturing company,

00:01:23.120 --> 00:01:30.880
and I look after the operational running of the IT across the business. We’re a

00:01:30.880 --> 00:01:36.880
thousand-employee business operating across seventeen different sites in the UK and Europe.

00:01:36.880 --> 00:01:44.200
I look after the security, cloud, operations infrastructure, servers, client support, etc.

00:01:44.200 --> 00:01:48.480
JACK: Okay, you get the picture. This guy manages a huge network with a thousand employees,

00:01:48.480 --> 00:01:51.840
which probably means there’s like, ten thousand computers that are all up and

00:01:51.840 --> 00:01:57.240
operating. Picture a factory. No; picture lots of factories spread all over Europe.

00:01:57.240 --> 00:02:03.400
GUEST: Yeah, we have distribution centers, offices, and big manufacturing sites.

00:02:03.400 --> 00:02:08.440
JACK: So, how’s the network holding up? Have you had any problems?

00:02:08.440 --> 00:02:12.240
GUEST: I mean, right now we’re in a good place. [Music] If you rewind

00:02:12.240 --> 00:02:14.800
back five years ago, we were in a very bad place.

00:02:14.800 --> 00:02:16.520
JACK: What happened?

00:02:16.520 --> 00:02:22.880
GUEST: Well, unfortunately for me, I was actually on my way on holiday. So, I was in the process of

00:02:22.880 --> 00:02:29.120
driving the family down to the south coast of the UK, and I got a phone call. I remember the

00:02:29.120 --> 00:02:35.760
exact words one of my technicians said; I don’t mean to worry you, but something worrying is

00:02:35.760 --> 00:02:44.400
happening. I was like, okay, calm down and explain exactly what’s happening. He was like, I’ve just

00:02:44.400 --> 00:02:51.120
had a ticket in where somebody’s tried to go to some files, and all the files are all renamed. I

00:02:51.120 --> 00:02:57.880
was like, what do they say? He was like, they all end in the word .kanti. I was like, oh no.

00:02:57.880 --> 00:03:03.520
JACK: Yikes. Kanti is a type of ransomware. Well, it’s kind of more than that, actually. It’s

00:03:03.520 --> 00:03:08.240
practically a full company that’s in the business of ransomware. They’re Russian-based, and they

00:03:08.240 --> 00:03:12.240
build the ransomware, but then they have sort of an affiliate program that someone could use their

00:03:12.240 --> 00:03:16.080
ransomware, go infect a company, and then that person would get a cut of the money if the company

00:03:16.080 --> 00:03:22.080
pays the ransom. It’s devastating and brutal to be hit with it, and this doesn’t sound good at all.

00:03:22.080 --> 00:03:28.240
GUEST: So, I had to make phone calls. I continued to drive the rest of the three

00:03:28.240 --> 00:03:32.880
hours remaining of my six-hour drive because I had my whole family with me, drop them

00:03:32.880 --> 00:03:37.660
off, and then turn around and drive six hours back, making furious phone calls the whole way.

00:03:37.660 --> 00:03:37.920
JACK: Really? GUEST: Yeah.

00:03:37.920 --> 00:03:46.320
JACK: Oh my gosh. Is there a protocol? Is there a go-to, a run-book or something that like — okay,

00:03:46.320 --> 00:03:50.160
if ransomware comes in, here’s the button we hit. We gotta turn the network off as

00:03:50.160 --> 00:03:55.000
fast as we can or something to keep it from spreading. Do you have a procedure in place?

00:03:55.000 --> 00:03:58.939
GUEST: We do now.

00:03:58.939 --> 00:03:58.953
JACK: [Laughs]

00:03:58.953 --> 00:04:05.280
GUEST: We didn’t then. [Music] A number of the people in my team had experienced

00:04:05.280 --> 00:04:11.600
situations like this kind of, but not on the scale that we got hit on this. I know

00:04:11.600 --> 00:04:14.160
five years ago — it was a long time ago and a lot of things have changed,

00:04:14.160 --> 00:04:20.320
and a lot of things — people are more aware of what to do and to have those

00:04:20.320 --> 00:04:25.840
sort of playbooks in place. We had an element of ‘what do we do?’, and the first thing we reached

00:04:25.840 --> 00:04:30.400
to was let’s turn everything off. But too much turmoil was going on. We were making too many

00:04:30.400 --> 00:04:34.240
calls and trying to deal with everything. I just remember at one point my senior infrastructure

00:04:34.240 --> 00:04:39.680
engineer just told everybody to shut up and give him five minutes to think, because everybody was

00:04:39.680 --> 00:04:44.200
just asking too many questions and we were trying to work out how we respond to this.

00:04:44.200 --> 00:04:50.880
JACK: Yeah, yeah, I imagine it’s a really hard time to focus. So,

00:04:50.880 --> 00:04:55.585
how bad did it spread, or how bad did it knock you out?

00:04:55.585 --> 00:05:04.720
GUEST: [Music] Well, in the space of fifteen minutes it encrypted all 250 servers,

00:05:04.720 --> 00:05:09.560
and like I said, it hit about 350 endpoints as well.

00:05:09.560 --> 00:05:12.760
JACK: So, the 250 servers, were those all Windows servers?

00:05:12.760 --> 00:05:13.320
GUEST: Yes.

00:05:13.320 --> 00:05:16.360
JACK: Okay, so, your whole infrastructure is down.

00:05:16.360 --> 00:05:17.280
GUEST: Yep.

00:05:17.280 --> 00:05:20.600
JACK: Geez. I mean, that sounds like business is gonna stop.

00:05:20.600 --> 00:05:27.680
GUEST: Yeah, and it did. It stopped at that very moment in time, and we assembled a team. I had

00:05:27.680 --> 00:05:33.360
a very nervous six-hour drive back, making loads of calls to everybody, trying to work out what’s

00:05:33.360 --> 00:05:39.200
going on, work out which way to go. I had to get people to sites. This was on a Friday evening,

00:05:39.200 --> 00:05:46.000
afternoon, around about quarter past four that it happened, which is quite a common

00:05:46.000 --> 00:05:51.200
tactic used because people are just switching off on a Friday afternoon. We pretty much just

00:05:51.200 --> 00:05:54.960
had to just turn everything off and then work out where we go from there, give ourselves some head

00:05:54.960 --> 00:05:59.640
space to think, ‘cause it was just too quick. We just couldn’t react to a fifteen-minute window.

00:05:59.640 --> 00:06:05.840
JACK: A lot of CISOs, CEOs, they reach out and they say, I would like to be a guest on

00:06:05.840 --> 00:06:10.859
your show. I always say, well, only if we’re gonna talk about the worst day of your life.

00:06:10.859 --> 00:06:10.874
GUEST: [Laughs]

00:06:10.874 --> 00:06:14.000
JACK: ‘Cause that’s the kind of stuff I’m interested in. Would you say that

00:06:14.000 --> 00:06:17.440
this was the worst day of your life as far as career-wise goes?

00:06:17.440 --> 00:06:21.840
GUEST: I say that to everybody I talk to about it, which I don’t actually like talking about it,

00:06:21.840 --> 00:06:27.440
‘cause taking myself back to that day, that sinking feeling in your stomach,

00:06:27.440 --> 00:06:32.400
it is absolutely the worst, stressful — the most stressful situation I’ve been

00:06:32.400 --> 00:06:36.960
through in my career, hands down. I think I did twenty-seven days straight after that.

00:06:36.960 --> 00:06:41.600
JACK: Yeah, I mean, you’ve gotta even worry if your job is on the line here as well,

00:06:41.600 --> 00:06:46.240
‘cause if you’re the one in charge of this sort of stuff and now this is what happened…

00:06:46.240 --> 00:06:46.840
GUEST: Yeah.

00:06:46.840 --> 00:06:48.160
JACK: There are people blaming you.

00:06:48.160 --> 00:06:50.640
GUEST: Well, I mean, that’s the first thing that comes into your head. Well,

00:06:50.640 --> 00:06:55.280
after you’ve tried to work out how to deal with everything. You think, am I gonna get

00:06:55.280 --> 00:06:59.680
blamed for this? [Music] But then very quickly after that, you realize you’ve just gotta focus

00:06:59.680 --> 00:07:07.520
on actually doing what you are paid to do, because ultimately, hackers and people that are trying to

00:07:07.520 --> 00:07:13.520
attack you are trying to attack you all the time, and it’s a constant battle.

00:07:13.520 --> 00:07:16.400
JACK: Okay, so, you drive back frantically. You

00:07:16.400 --> 00:07:20.760
arrive late night Friday. Do you go right to the office in the night?

00:07:20.760 --> 00:07:22.000
GUEST: Yep.

00:07:22.000 --> 00:07:27.280
JACK: Wow. Then — so, okay — so, there’s a lot of people out there,

00:07:27.280 --> 00:07:32.640
armchair experts that are just like, well, you just restore it from backup. What’s the big deal?

00:07:32.640 --> 00:07:37.360
GUEST: I mean, the problem with that is you don’t know whether they’re in the backups.

00:07:37.360 --> 00:07:41.440
You don’t know whether they were already in the — in your environment and they were just waiting

00:07:41.440 --> 00:07:46.560
for the right time to push the button, which we already believe they were. So,

00:07:46.560 --> 00:07:53.680
what we focused on was stopping everything and then working out how. How did they get in?

00:07:53.680 --> 00:07:59.640
Where did they come from? What method did they use to actually spread and initiate the attack?

00:07:59.640 --> 00:08:04.160
JACK: Ah, good point. It’s like trying to set up dominoes when your cat is on the table.

00:08:04.160 --> 00:08:06.960
You want to get rid of the threat in the network before beginning to

00:08:06.960 --> 00:08:11.040
restore it. If you restore and the thing just re-infects you, that’s a waste of effort,

00:08:11.040 --> 00:08:13.920
and maybe it’ll show them where your backups are kept and affect those, too.

00:08:13.920 --> 00:08:17.200
GUEST: So, once we worked that out, we then established a process to be

00:08:17.200 --> 00:08:23.840
able to check our backups, check each VM as we brought them back online. We established

00:08:23.840 --> 00:08:29.280
a protocol for rebuilding machines. We printed signs off at the doors of

00:08:29.280 --> 00:08:34.480
every office and told people where to go with their machines so that we could rebuild them.

00:08:34.480 --> 00:08:37.080
We kind of employed the whole red, amber, green process.

00:08:37.080 --> 00:08:39.280
JACK: What’s the red, amber, green process?

00:08:39.280 --> 00:08:44.800
GUEST: So, every laptop, until it’s checked, is considered red, then it goes into amber as it’s

00:08:44.800 --> 00:08:49.600
being worked on, and green, it’s good to go back to the user. Pretty simple, but it keeps it easy

00:08:49.600 --> 00:08:55.760
to manage because you’ve got a small team — and I have a team of — there were ten of us at the time,

00:08:55.760 --> 00:09:02.480
and you were managing the throughput of upwards of six hundred laptop users

00:09:02.480 --> 00:09:06.640
at multiple sites. So, you need a process to check in, check out everything.

00:09:06.640 --> 00:09:10.560
JACK: Yeah, I mean, their devices were toast,

00:09:10.560 --> 00:09:13.320
and you were just re-imaging them from a fresh image, right?

00:09:13.320 --> 00:09:15.760
GUEST: Yeah, but we had lost our imaging service.

00:09:15.760 --> 00:09:17.440
JACK: Oh, geez. Yeah.

00:09:17.440 --> 00:09:22.880
GUEST: So, we had to rebuild them manually for a while until the process, the team that were

00:09:22.880 --> 00:09:27.760
dealing — my sort of sub-team that were dealing with the servers were to the point where they

00:09:27.760 --> 00:09:33.520
were bringing the imaging servers back up. Then you’ve got users wanting to know what’s going on,

00:09:33.520 --> 00:09:37.920
you’ve got middle management, senior management, board of directors. Everybody

00:09:37.920 --> 00:09:43.440
wants to know what’s going on, and that completely flusters the situation. So,

00:09:43.440 --> 00:09:48.800
you can’t understand — you can’t get a clear head to actually focus on the task at hand.

00:09:48.800 --> 00:09:54.080
JACK: Yeah, I imagine there’s a bunch of emotions to manage in this,

00:09:54.080 --> 00:09:58.080
which is stuff I don’t think anyone talks about, right? You look at the CISSP manual

00:09:58.080 --> 00:10:03.520
and they don’t explain, okay, well, you’re in the middle of a breach situation. Here are the

00:10:03.520 --> 00:10:07.280
emotions you’re dealing with and how to detect them and what to do about them.

00:10:07.280 --> 00:10:14.800
GUEST: Oh, there’s definitely moments where you kind of just sit there and you feel like maybe

00:10:14.800 --> 00:10:23.120
you can’t actually do this. Maybe you can’t get it back. There’s an element of shaky hand syndrome,

00:10:23.120 --> 00:10:27.280
and anybody can claim to be cool and calm until they’re actually in the trenches

00:10:27.280 --> 00:10:33.200
with this situation, and it can really — there was a lot of team fighting and

00:10:33.200 --> 00:10:38.800
arguments and falling out and people popping under the pressure. It was a hell of a ride.

00:10:38.800 --> 00:10:41.920
JACK: When you say ‘popping’, what was some of the stuff you’re thinking?

00:10:41.920 --> 00:10:46.240
GUEST: Well, I had a team member walk out because he didn’t agree with a certain

00:10:46.240 --> 00:10:50.560
methodology to fix one thing, and another team member fall out with another team member,

00:10:50.560 --> 00:10:54.240
and arguments happening on meetings while we were trying to work out what’s the best

00:10:54.240 --> 00:11:01.440
methodology to bring something back online or to grant somebody some slight access.

00:11:01.440 --> 00:11:05.920
‘Cause we — I turned around to the business and said, look, I can get us back from backups in

00:11:05.920 --> 00:11:12.240
this — in about five days. But if you really want the best solution, give me three weeks,

00:11:12.240 --> 00:11:16.468
and we will build it back how it should have been done in the first place.

00:11:16.468 --> 00:11:20.560
JACK: Phew, what a proposal for leadership to decide on, huh? Business is down. There

00:11:20.560 --> 00:11:25.600
is no manufacturing happening, no shipping, no revenue coming in, and the question is

00:11:25.600 --> 00:11:31.360
do we get business back up as fast as we can, or, because those old systems are end-of-life

00:11:31.360 --> 00:11:37.680
and need to be replaced badly, take advantage of this outage and upgrade everything properly and

00:11:37.680 --> 00:11:42.240
build for the future? Of course, this incident is all that the business leadership can focus

00:11:42.240 --> 00:11:48.080
on. All other meetings and projects are canceled until business can come back up. [To Guest] Okay,

00:11:48.080 --> 00:11:52.160
so, what path — what did they choose, five days, three weeks, or something…?

00:11:52.160 --> 00:11:52.800
GUEST: Three weeks.

00:11:52.800 --> 00:11:55.280
JACK: Really? They wanted the whole thing…? I mean,

00:11:55.280 --> 00:11:59.120
that’s an ambitious thing to say I’ll redo the entire infrastructure

00:11:59.120 --> 00:12:04.320
properly this time. Three weeks, they didn’t mind being down for three weeks?

00:12:04.320 --> 00:12:10.480
GUEST: Well, sort of what I did was make sure that certain services came up as reasonably

00:12:10.480 --> 00:12:18.080
quickly as possible. So, e-mail communications, and then focused on a major system here or a

00:12:18.080 --> 00:12:25.360
major system there, and slowly brought everything back on. But, you know, by getting those — some of

00:12:25.360 --> 00:12:29.920
those primary services back up and running, I was able to then get the head space to concentrate on

00:12:29.920 --> 00:12:34.240
the other eighty percent of the business. The business accepted that there would be

00:12:34.240 --> 00:12:37.920
some interruption in that process and they wouldn’t necessarily get everything back.

00:12:37.920 --> 00:12:44.080
So, a good example was we didn’t turn Wi-Fi back on until the very end of the three weeks. So,

00:12:44.080 --> 00:12:49.280
nobody had Wi-Fi. That was to stop rogue devices turning up and undoing all our

00:12:49.280 --> 00:12:54.480
hard work. What if there was still something running on a laptop that we hadn’t got to or

00:12:54.480 --> 00:13:00.240
identified? Internet was shut down at every single site, and then we only — we kinda had

00:13:00.240 --> 00:13:04.560
a board where you had every site and all the services and sort of, again,

00:13:04.560 --> 00:13:07.920
the red, amber, green of when we were ready to start bringing stuff back on.

00:13:07.920 --> 00:13:12.000
JACK: Oh yeah, that’s gotta be the moment of truth, you know? When you flip the switch on

00:13:12.000 --> 00:13:18.000
and bring the network back up, are you sure every device got cleaned up? Because Kanti is notorious

00:13:18.000 --> 00:13:23.600
for spreading quick, so if you bring the Wi-Fi up and there’s just one device that’s still infected,

00:13:23.600 --> 00:13:28.080
it will try to spread all over again. They really need a solution that could

00:13:28.080 --> 00:13:33.185
give them visibility and, crucially, be able to stop this from spreading again.

00:13:33.185 --> 00:13:37.600
GUEST: [Music] We bought Malwarebytes, the enterprise platform version of Malwarebytes, and

00:13:37.600 --> 00:13:43.280
paid quite a lot of money for it, and — but quite quickly found that it wasn’t really doing the job

00:13:43.280 --> 00:13:51.040
that we’d hoped. It was good as a helper, as an assistant to keep — to check machines for being

00:13:51.040 --> 00:13:57.840
clean, servers and whatnot, but it didn’t really do every — it was more of in the traditional sense

00:13:57.840 --> 00:14:03.040
of a signature-based scanning tool more than it was anything else, and it found some registry

00:14:03.040 --> 00:14:06.480
entries and things. So, then we started looking — well, what do we actually need to put in place?

00:14:06.480 --> 00:14:13.760
We need an endpoint solution, an actual proper EDR, but we don’t feel like that’s good enough

00:14:13.760 --> 00:14:20.400
or gonna protect us 100%. So, we probably need something that’s gonna do application control,

00:14:20.400 --> 00:14:26.400
as in application white-listing. So, I reached out to a bunch of suppliers whilst the sort of

00:14:26.400 --> 00:14:29.920
end — tail end of that three weeks, and was like, can you find me something that does

00:14:29.920 --> 00:14:36.560
this? One supplier actually said, oh, we use ThreatLocker in our environment ourselves. So,

00:14:36.560 --> 00:14:40.080
I jumped on a call and had a demo, looked at the software, and was like,

00:14:40.080 --> 00:14:46.960
that’s amazing. I need that right now. That’s where we discovered ThreatLocker.

00:14:46.960 --> 00:14:49.990
JACK: So, what was amazing about it to you?

00:14:49.990 --> 00:14:51.280
GUEST: It stopped everything from running if you

00:14:51.280 --> 00:14:54.280
didn’t allow it to run. It’s as black and white as that.

00:14:54.280 --> 00:15:00.240
JACK: Hm, it stops everything from running? Okay, let’s think about that. You know the difference

00:15:00.240 --> 00:15:04.480
between a router and a firewall? They’re both network devices. They look at the packet coming

00:15:04.480 --> 00:15:09.440
in or the data going in, and then decide where it needs to go, and then send that along. At

00:15:09.440 --> 00:15:14.640
their core they’re very similar, but there’s a big difference. A router really, really, really

00:15:14.640 --> 00:15:21.040
wants to get all the packets to pass through it and on their way. But a firewall really,

00:15:21.040 --> 00:15:27.440
really, wants to stop every packet from going through it. See, by default, a router permits

00:15:27.440 --> 00:15:34.320
everything while a firewall will deny everything, which means the firewall acts as a security guard,

00:15:34.320 --> 00:15:40.080
stopping everything it doesn’t like. But the router acts like a public park. Just, anyone

00:15:40.080 --> 00:15:45.440
can come and go. So, you have to poke holes in the firewall if you want anything to get through it.

00:15:45.440 --> 00:15:50.160
So, the question is, when you go to run an app or a game or anything on your computer,

00:15:50.160 --> 00:15:54.080
should it act like a router and just permit anything you try to open, or should it act

00:15:54.080 --> 00:15:59.520
like a firewall and say, hold on, buddy, you need a permission slip to open that? Traditionally,

00:15:59.520 --> 00:16:03.600
all our computers just do what we tell them to do, which makes sense. Open app. Okay,

00:16:03.600 --> 00:16:08.000
done. Because when you need to use an app, you obviously need to use it. But the thing is,

00:16:08.000 --> 00:16:14.720
malware is tricky. It’s sneaky. It’s hiding. It’s being quiet. But it’s also opening and

00:16:14.720 --> 00:16:19.760
running and doing stuff without us seeing all secretly in the background. So, what

00:16:19.760 --> 00:16:24.640
ThreatLocker does is it says, okay, let’s start by blocking every app from opening and running,

00:16:24.640 --> 00:16:29.600
but if you the user wants to open something, just ask and we’ll let you open it. We just

00:16:29.600 --> 00:16:34.960
want to block apps that you didn’t try to open or apps that you don’t actually need.

00:16:34.960 --> 00:16:40.240
GUEST: We figured in the world where we had just been absolutely burnt to high hell,

00:16:40.240 --> 00:16:44.800
we need to stop everything running unless, of course, we allow it; every single device,

00:16:44.800 --> 00:16:48.960
server, client. We needed to know that it was not gonna run anything that we

00:16:48.960 --> 00:16:53.920
did not want it to run, and our supplier was using it in their own environment,

00:16:53.920 --> 00:16:57.840
which is always a very good sign if the person trying to sell you it is also the

00:16:57.840 --> 00:17:04.600
person that is using it. We were like, yep, how quickly can you get me the installers?

00:17:04.600 --> 00:17:06.160
JACK: So, when you get ThreatLocker,

00:17:06.160 --> 00:17:09.280
it goes through a learning period where it just listens and allows everything,

00:17:09.280 --> 00:17:12.880
and from there you get a sense of what apps everyone in the business is using. So, you

00:17:12.880 --> 00:17:18.320
add those apps to the allow list so business can continue, and then switch it over to secure mode,

00:17:18.320 --> 00:17:22.480
where if your app isn’t on the allowed list, now it’s going to be stopped from running.

00:17:22.480 --> 00:17:26.880
GUEST: It just says no, and it comes up and says it’s been blocked by ThreatLocker.

00:17:26.880 --> 00:17:29.840
You can request it, and then when you request it,

00:17:29.840 --> 00:17:36.320
we have a portal where we can just say yes or no. Then you — there’s a lot of tinkering

00:17:36.320 --> 00:17:41.600
with the — how you set up the policy, but we pretty much just say no to everything.

00:17:41.600 --> 00:17:47.680
JACK: So, how annoying is this to the users? You imagine some people are just like, ugh,

00:17:47.680 --> 00:17:52.480
you can’t run anything on this laptop; this is stupid. Do people

00:17:52.480 --> 00:17:55.520
complain a lot about it or are they okay with it?

00:17:55.520 --> 00:17:58.240
GUEST: Maybe they did originally.

00:17:58.240 --> 00:18:03.040
JACK: I think even if they did complain, you’ve got such an easy card to pull out.

00:18:03.040 --> 00:18:09.040
You could just be like, okay, back in 2020, let me tell you what happened. We

00:18:09.040 --> 00:18:15.320
cannot afford to have three weeks of outage again, because this is very serious stuff.

00:18:15.320 --> 00:18:21.280
GUEST: I’ve used that so many times. I turn around to the users and go, you can’t have this piece of

00:18:21.280 --> 00:18:26.720
software. They’ll be like, why? I was like, because it’s open source. It allows plugins.

00:18:26.720 --> 00:18:32.240
We don’t know whether it will be safe, and it could be exploited. I’d say, do you want to be the

00:18:32.240 --> 00:18:38.240
reason that this company gets hit again? And just put it on them. Where if they escalate it to their

00:18:38.240 --> 00:18:43.280
director, okay, then I’ll say to the director, do you want to be the person who authorized

00:18:43.280 --> 00:18:48.320
this software that takes the business down? People back off really quick when you say that.

00:18:48.320 --> 00:18:56.800
JACK: Yeah. Okay, so, since getting ThreatLocker, any big security incidents?

00:18:56.800 --> 00:19:00.960
GUEST: No, but I don’t like saying that ‘cause I don’t like tempting fate.

00:19:00.960 --> 00:19:02.320
JACK: Yeah, exactly, right?

00:19:02.320 --> 00:19:05.680
GUEST: But no, we haven’t had anything.

00:19:05.680 --> 00:19:08.640
JACK: I hear you sighing like…

00:19:08.640 --> 00:19:13.600
GUEST: Yeah, I know, I don’t like saying it.

00:19:13.600 --> 00:19:16.800
JACK: [Music]

00:19:16.800 --> 00:19:22.960
Ransomware is the most successful business model cyber criminals have ever invented. The people

00:19:22.960 --> 00:19:27.600
infecting us with ransomware are making tens if not hundreds of millions of dollars by hacking

00:19:27.600 --> 00:19:32.960
into a company, locking up their data, and holding it for ransom. It’s on the rise, even. Just last

00:19:32.960 --> 00:19:38.480
month I heard it’s more ugly than ever. It’s also one of the most disruptive types of cyber-attacks.

00:19:38.480 --> 00:19:43.680
When a company gets hit with it, it becomes a huge deal. Companies have gone out of business

00:19:43.680 --> 00:19:49.440
from ransomware. So, I wanted to talk with someone who defends companies from this type of attack.

00:19:49.440 --> 00:19:53.680
HUNTER: My name is Hunter Clark. I’m one of the cybersecurity engineers at

00:19:53.680 --> 00:19:59.920
Ark Technology Consultants. My main focus is around endpoint security and how we can

00:19:59.920 --> 00:20:05.040
help organizations implement some of those zero-trust principles in their organization.

00:20:05.040 --> 00:20:09.520
JACK: Ark is an MSSP, which is a managed security service provider, which means they

00:20:09.520 --> 00:20:13.280
take care of a bunch of people’s networks. A lot of businesses don’t have a cybersecurity

00:20:13.280 --> 00:20:17.760
team to keep their network safe, so they hire an MSSP who can keep an eye on everything and

00:20:17.760 --> 00:20:22.000
help keep it secure. One of the networks he was put in charge of securing was a hospital.

00:20:22.000 --> 00:20:28.480
HUNTER: Yeah, there’s a lot of servers in the environment that run applications that are

00:20:28.480 --> 00:20:36.560
critical that — like imaging software, solutions that the doctors leverage to

00:20:36.560 --> 00:20:43.640
diagnose patients. A lot of it runs on servers. So, those are typically what we try to secure.

00:20:43.640 --> 00:20:46.480
JACK: So, he took a look at this hospital’s network, and it didn’t

00:20:46.480 --> 00:20:51.280
have very sophisticated security tools. So, he and his team brought in ThreatLocker,

00:20:51.280 --> 00:20:55.360
installed it on all the servers and computers, and went through the learning process of what

00:20:55.360 --> 00:20:59.520
apps are normal in the network, and then locked it down so no new apps could run.

00:20:59.520 --> 00:21:03.280
Along with that, they installed an EDR, an endpoint detection and response tool,

00:21:03.280 --> 00:21:08.080
to monitor for suspicious activity. Then they suggested adding multi-factor authentication

00:21:08.080 --> 00:21:13.200
or MFA on all the internet-facing portals and computers, but the hospital said no.

00:21:13.200 --> 00:21:15.840
HUNTER: They didn’t have the budget for implementing MFA.

00:21:15.840 --> 00:21:18.800
They didn’t want to have to train users on how to use it and doctors

00:21:18.800 --> 00:21:22.040
complaining about having to use MFA, so they did not have MFA.

00:21:22.040 --> 00:21:24.560
JACK: Okay, well, if they don’t have the budget, they don’t have the budget. You do

00:21:24.560 --> 00:21:31.344
what you do to protect them with what you’ve got. But late one night, something happened.

00:21:31.344 --> 00:21:36.560
HUNTER: [Music] The incident originated obviously in the middle of the night,

00:21:36.560 --> 00:21:45.440
as all incidents do. But we got a call from the EDR/MDR solution that we were using that

00:21:45.440 --> 00:21:50.080
there was someone in the environment. This was something that people should consider,

00:21:50.080 --> 00:21:55.760
is that not all MDR solutions are created equal. Some of them will

00:21:55.760 --> 00:22:00.880
pull the fire alarm but not help you put out the fire, right? So, they’ll let you know something’s

00:22:00.880 --> 00:22:06.640
going on but not necessarily step in to stop it until they’re able to get ahold of you.

00:22:06.640 --> 00:22:14.640
In this case, it happened at 3:00 a.m. and they’re — we receive the detections that something’s

00:22:14.640 --> 00:22:21.280
going on and were able to then, early the next day, 5:00 a.m., 6:00 a.m., whenever we got up,

00:22:21.280 --> 00:22:26.640
start investigating what had actually happened. That was whenever — as part of that investigation

00:22:26.640 --> 00:22:31.680
we started looking into ThreatLocker logs to see, okay, what actually — what did the

00:22:31.680 --> 00:22:36.720
threat actor try to do? What user account was likely compromised? Seeing the threat

00:22:36.720 --> 00:22:43.120
actor bounce around the different servers. That’s whenever we saw that ThreatLocker had blocked the

00:22:43.120 --> 00:22:48.840
solutions that the threat actor had planned on leveraging, such as AnyDesk and rclone.

00:22:48.840 --> 00:22:53.600
JACK: Someone got into the network, gained access to a Windows server, tried to infect

00:22:53.600 --> 00:22:58.640
it with ransomware, but ThreatLocker denied it. Nice. Okay, but how did they get in?

00:22:58.640 --> 00:23:04.000
HUNTER: The threat actor had bought credentials off the dark web for a

00:23:04.000 --> 00:23:10.160
domain administrator account for the environment and was able to just remote in through the VPN,

00:23:10.160 --> 00:23:14.400
and had full domain admin rights across the environment.

00:23:14.400 --> 00:23:18.880
JACK: Ah, that darn VPN! I mean, VPNs are great. It allows you to connect securely

00:23:18.880 --> 00:23:24.080
into a company from home or on the go. They are essential, even. But they also are exposed to the

00:23:24.080 --> 00:23:27.840
internet. They’re a portal into a company’s network. But that’s something that should be

00:23:27.840 --> 00:23:33.760
super secure since it is out on the internet. But in this case, all that was needed to get into this

00:23:33.760 --> 00:23:38.800
hospital’s VPN was a username and password, which happened to be for sale on the dark

00:23:38.800 --> 00:23:43.760
web. How wild is that? A username and password is not good enough to keep people out anymore.

00:23:43.760 --> 00:23:47.040
HUNTER: One of the questions that came up was would MFA have prevented this event

00:23:47.040 --> 00:23:51.440
from happening? It was a pretty clear yes that if MFA would have been implemented,

00:23:51.440 --> 00:23:54.320
then at least that initial access, they would — the threat actor would

00:23:54.320 --> 00:23:57.880
have had to find a different way in than through the VPN.

00:23:57.880 --> 00:24:02.160
JACK: Anyway, this is why there’s defense in depth. You want layered security so

00:24:02.160 --> 00:24:05.120
that there are multiple places that should have stopped this attacker,

00:24:05.120 --> 00:24:11.200
and they were lucky that they had ThreatLocker to stop this. But this attacker was clever

00:24:11.200 --> 00:24:17.040
and motivated, and even though they were stopped, they weren’t done yet.

00:24:17.040 --> 00:24:21.920
HUNTER: [Music] This hospital system used to be made up of multiple different

00:24:21.920 --> 00:24:27.360
hospital locations. A few of them had been sold off, but they still needed to maintain

00:24:27.360 --> 00:24:33.600
VPN tunnels between the sites because of certain application dependencies that the

00:24:33.600 --> 00:24:40.240
hospitals hadn’t had time to build in their own environment. So, because of those VPN connections,

00:24:40.240 --> 00:24:44.800
to the threat actor it looked like it was just one network, right? It probably looked to them

00:24:44.800 --> 00:24:49.600
like it was just one big connected network. But really, they ended up bouncing to a different

00:24:49.600 --> 00:24:55.440
hospital system that was not a customer of ours that obviously did not have ThreatLocker

00:24:55.440 --> 00:24:59.640
in the environment, then was able to deploy what they needed on those devices.

00:24:59.640 --> 00:25:03.280
JACK: Oh no, they bounced from this hospital to another hospital that

00:25:03.280 --> 00:25:06.160
was connected internally and were able to do damage there.

00:25:06.160 --> 00:25:11.840
HUNTER: The threat actor ultimately reached out later that week saying, hey,

00:25:11.840 --> 00:25:15.120
we compromised your environment. We have terabytes of data.

00:25:15.120 --> 00:25:19.640
JACK: They wanted the hospital to pay hundreds of thousands of dollars in ransom to get it back.

00:25:19.640 --> 00:25:23.840
HUNTER: Whenever this happens, right, the company, if they have cyber insurance,

00:25:23.840 --> 00:25:29.440
they should read their cyber insurance ‘cause it probably says in there that in the event

00:25:29.440 --> 00:25:33.600
of an incident, you need to call us because we have incident response companies that we trust,

00:25:33.600 --> 00:25:40.000
that we want to have involved in this. So, that’s what happened. As part of that cyber insurance,

00:25:40.000 --> 00:25:46.080
there’s also usually some sort of ‘we’ll negotiate on your behalf with the threat actor to try to get

00:25:46.080 --> 00:25:52.080
that ransom call to drop as much as possible’. So, with the knowledge that we had, that ThreatLocker

00:25:52.080 --> 00:25:57.360
was able to see, we — they were able, I know, to drop it by quite a bit. I can’t say — I

00:25:57.360 --> 00:26:02.480
don’t know exactly the number it dropped, but I heard that it was — they were able to negotiate

00:26:02.480 --> 00:26:06.960
pretty effectively because they knew what the threat actor actually had been able to get to.

00:26:06.960 --> 00:26:11.104
JACK: Okay, so they lowered the ransom and then they paid the ransom?

00:26:11.104 --> 00:26:13.040
HUNTER: [Music] Yeah, they — this hospital system did

00:26:13.040 --> 00:26:18.480
end up paying the ransom. The hospital was able to ask the threat actor, hey,

00:26:18.480 --> 00:26:24.720
how can we improve? How can we get better? What should we be doing? The threat actor

00:26:24.720 --> 00:26:30.880
responded saying that they quickly realized that ThreatLocker was on the Windows devices,

00:26:30.880 --> 00:26:35.680
so they knew that they wouldn’t be able to use those for the purposes that they intended,

00:26:35.680 --> 00:26:40.400
and they began to pivot to other locations in the environment that did not have ThreatLocker.

00:26:40.400 --> 00:26:51.680
JACK: Tell us who you are and what do you do.

00:26:51.680 --> 00:26:55.280
DANNY: So, I’m Danny Jenkins. I’m CEO and co-founder of ThreatLocker,

00:26:55.280 --> 00:27:01.520
but what I do is really build solutions and educate the world on how denying by default

00:27:01.520 --> 00:27:04.800
is the best way to address security, and it doesn’t have to be difficult.

00:27:04.800 --> 00:27:08.640
JACK: So, you started ThreatLocker. How did all this get started for you?

00:27:08.640 --> 00:27:13.360
DANNY: The first thing is I was — I wanted to do something fun, and I started doing

00:27:13.360 --> 00:27:17.600
some ethical hacking. I ended up doing more ransomware recoveries than ethical hacking,

00:27:17.600 --> 00:27:20.160
to be honest, ‘cause people were calling me, and I wanted to make money. So, they’d say,

00:27:20.160 --> 00:27:22.720
hey, I’ve been hit by ransomware. Can you help with this recovery? We paid

00:27:22.720 --> 00:27:26.000
a ransom. There was this particular case in Australia, which was the first one I

00:27:26.000 --> 00:27:30.320
dealt with. It was an insurance broker, so about fifty employees — an insurance

00:27:30.320 --> 00:27:38.320
company. I got called in by the MSP-managed IT company to help with the recovery. I came in,

00:27:38.320 --> 00:27:43.600
and they paid the $22,000 ransom, and they hadn’t got their data back. So, they had got some keys,

00:27:43.600 --> 00:27:48.080
but the keys didn’t work. They weren’t decrypting the files. Their Exchange database was encrypted.

00:27:48.080 --> 00:27:54.000
Their SQL database was encrypted. Everything was encrypted and broken. They had asked me to come

00:27:54.000 --> 00:27:59.280
in. So, we start trying to reverse-engineer the code, see if the decryption keys are in the code.

00:27:59.280 --> 00:28:06.880
We tried to use low-level data recovery tools to get things from the disks that had been deleted or

00:28:06.880 --> 00:28:11.840
written over from encryption. We’re recovering from — OST files for e-mail databases. We’re

00:28:11.840 --> 00:28:16.960
trying everything we can to get this company back up and running. During the recovery,

00:28:16.960 --> 00:28:23.280
the owner of the company called me, and he got quite — first he got quite mad. He was like,

00:28:23.280 --> 00:28:26.240
when is this gonna be done? I’ve been waiting two weeks and I still don’t have my servers

00:28:26.240 --> 00:28:32.720
up and running. He’s getting quite mad. I was like, look, you need to be realistic here. I am

00:28:32.720 --> 00:28:39.120
trying to recover your files, but you have everything encrypted. You have no backups.

00:28:39.120 --> 00:28:44.480
You’ve paid a ransom and you didn’t get your data back, and this — I don’t know if it’s gonna be

00:28:44.480 --> 00:28:50.560
back. We’re doing everything we can to make sure we can get your data back. It then turned into

00:28:50.560 --> 00:28:55.440
quite an emotional call, and his voice started crackling. He started almost crying down the

00:28:55.440 --> 00:28:59.680
phone, and I got really awkward at that point because I really didn’t know what to say. To me

00:28:59.680 --> 00:29:04.640
this was different because every other cyber — I’ll call it a cyber-attack — I’ve dealt with,

00:29:04.640 --> 00:29:07.920
every other malware attack I’ve dealt with — ‘cause prior to 2014,

00:29:07.920 --> 00:29:11.520
most malware attacks were really just IT issues. It was, you know,

00:29:11.520 --> 00:29:15.920
you’re getting adverts. Someone’s sending e-mail out from your server. It had been an IT problem.

00:29:15.920 --> 00:29:19.920
IT needs to fix the server ‘cause we’re sending spam e-mails. IT needs to fix the computer ‘cause

00:29:19.920 --> 00:29:23.360
it’s getting pop-ups. The worst I had seen before that was someone crying ‘cause they

00:29:23.360 --> 00:29:31.040
saw an inappropriate picture. What I did was — it suddenly hit home that this is a real problem and

00:29:31.040 --> 00:29:36.240
this guy’s gonna lose his entire business — and he’s close to retirement age — because somebody

00:29:36.240 --> 00:29:41.520
decided to download a piece of software. I didn’t at that think, oh, I’m gonna go start a company

00:29:41.520 --> 00:29:46.640
to solve this. What I said to the IT team and what I said to him after we — and we managed to

00:29:46.640 --> 00:29:53.440
recover enough — was you need to use application control. You need to block software by default. He

00:29:53.440 --> 00:30:00.800
said to me, okay, well, I’m gonna go and do that. Then the IT team told him that Danny’s stupid.

00:30:00.800 --> 00:30:05.760
Don’t listen to him. That’s not viable. We can’t do that. I went out to prove him wrong,

00:30:05.760 --> 00:30:11.200
and I couldn’t prove him wrong, the IT team. That was really when — the first time we said, well,

00:30:11.200 --> 00:30:15.280
let’s try and build something to prove him wrong. I kinda went back and forth

00:30:15.280 --> 00:30:20.320
on this idea quite a bit because it wasn’t an easy lift to build a solution for this,

00:30:20.320 --> 00:30:27.280
but we had to — it was really — in 2017 we had a product — we had a concept product,

00:30:27.280 --> 00:30:31.440
and I still wasn’t sure this was the right thing to do, because we knew in order to make zero-trust

00:30:31.440 --> 00:30:36.480
viable — and today we got 70,000 companies that use our product, from small businesses right up

00:30:36.480 --> 00:30:42.080
to some of the biggest companies in the world; federal government, airports, banks, everything.

00:30:42.080 --> 00:30:46.800
But back then, I was like, if I need — I need to make this so it’s viable for everyone. I need to

00:30:46.800 --> 00:30:53.440
make it so we can deploy application control. We can block software by default. We can ring-fence

00:30:53.440 --> 00:30:57.840
applications and make it so you can deploy in hours and days,

00:30:57.840 --> 00:31:03.280
not months and years. I wasn’t sure that it was gonna be viable without me hiring — well,

00:31:03.280 --> 00:31:09.920
I ended up hiring hundreds and hundreds of people. But I think in 2017 my mindset shifted,

00:31:09.920 --> 00:31:16.160
because before 2017 I was thinking about building a business that one percent of the world would

00:31:16.160 --> 00:31:21.680
sign up to. After 2017 I made the decision; we don’t want one percent of the world. We want

00:31:21.680 --> 00:31:25.560
to change the market so that ninety percent of the world are using a zero-trust approach.

00:31:25.560 --> 00:31:30.960
JACK: Okay, so, you coded it at the beginning? You built it.

00:31:30.960 --> 00:31:38.480
DANNY: Yep. Yeah, so, I coded the first of it. So, I coded the first version, and there’s four parts,

00:31:38.480 --> 00:31:43.360
if you like; there’s a service, there’s a driver, there’s a portal, and there’s

00:31:43.360 --> 00:31:51.360
an API. That’s the four original components of ThreatLocker. I wrote an entire version of it, and

00:31:51.360 --> 00:31:56.480
I wasn’t so good at the driver stuff. I caused a lot of blue screens. So, we ended up bringing — at

00:31:56.480 --> 00:32:00.720
the very beginning I wrote the whole thing, and then I got somebody else to come and rewrite my

00:32:00.720 --> 00:32:06.400
driver code because, frankly, it just wasn’t very good. Since then, that’s probably been one of the

00:32:06.400 --> 00:32:11.120
best decisions we made. Today, of course, we’ve got 250 people in our R&D department,

00:32:11.120 --> 00:32:16.560
but back then it was just me writing code and Sammy and John testing and deploying.

00:32:16.560 --> 00:32:20.280
JACK: Can you tell me about the first network you installed it on?

00:32:20.280 --> 00:32:26.480
DANNY: Well, so, I guess the — we obviously installed it on our own machines. I think

00:32:26.480 --> 00:32:30.320
the first network outside of our own that we installed ThreatLocker on was actually

00:32:30.320 --> 00:32:34.800
my kids’ school. They had a problem as well. We were looking after our kids’

00:32:34.800 --> 00:32:39.440
school IT. It was — we were getting very actively involved ‘cause we couldn’t afford

00:32:39.440 --> 00:32:42.480
private school for our kids at the time, and we were getting essentially help with

00:32:42.480 --> 00:32:48.240
scholarships ‘cause we were helping them with the IT systems and everything else.

00:32:48.240 --> 00:32:53.360
They were getting malware every single day. It was like, a complete nightmare. We pushed

00:32:53.360 --> 00:32:59.440
it out to them. That was very difficult and somewhat unstable in many areas because it

00:32:59.440 --> 00:33:03.120
was things we didn’t even think about, and we were seeing a lot of noise. But

00:33:03.120 --> 00:33:10.000
they went from malware every day to never since, and that — and still today they’re

00:33:10.000 --> 00:33:13.920
using the product. My kids aren’t in the school anymore, but our chief product officer’s kids

00:33:13.920 --> 00:33:19.280
are actually in the school now, and their IT management went down from full time to

00:33:19.280 --> 00:33:24.560
a couple of hours a month because they just — these systems became very stable, very easy.

00:33:24.560 --> 00:33:30.880
JACK: Deny all apps by default seems like a radical idea. To

00:33:30.880 --> 00:33:33.080
block everything seems like it’s gonna halt productivity.

00:33:33.080 --> 00:33:36.240
DANNY: Radical depends on where you start,

00:33:36.240 --> 00:33:42.080
and if you start in a situation where my network is running smoothly and I’m very happy,

00:33:42.080 --> 00:33:45.600
you would never approach with that idea. You would approach with the idea; we’re going to

00:33:45.600 --> 00:33:51.600
learn what we have. We’re going to review the list and remove the things from the list we don’t want.

00:33:51.600 --> 00:33:56.480
Whereas if you start with the situation that I’ve been hit by ransomware, attackers are in

00:33:56.480 --> 00:34:03.920
my network, the alternative is you shut down the entire network, or the plus side is you allow the

00:34:03.920 --> 00:34:08.160
network to run, but you only allow these trusted apps. Then every time someone wants something,

00:34:08.160 --> 00:34:13.760
they request it for the first time, we add it to the list. It doesn’t seem so extreme now

00:34:13.760 --> 00:34:18.000
because the alternative is the whole network’s shut down until we’ve reformatted every single

00:34:18.000 --> 00:34:23.040
computer and guaranteed that nothing’s bad on it. So, it really depends where you start.

00:34:23.040 --> 00:34:28.400
For ninety percent of customers, they’re starting from a clean slate. So, they’ll

00:34:28.400 --> 00:34:32.560
learn and they’ll remove the things from the list they didn’t know about. For the other side of the

00:34:32.560 --> 00:34:37.040
customers who are starting from, hey, we’ve already been hacked, it’s not extreme to say,

00:34:37.040 --> 00:34:40.640
hey, everything’s blocked until we’ve approved it. It’s also not that difficult,

00:34:40.640 --> 00:34:45.680
because most people think, oh, well, what about the software we don’t know about? But the average

00:34:45.680 --> 00:34:55.680
user uses ten, twenty, thirty apps on their machine. It’s Chrome, Zoom, Office, Firefox,

00:34:55.680 --> 00:34:59.920
and then they have an SAP system or whatever that may be. So, it really doesn’t take long,

00:34:59.920 --> 00:35:03.360
even when you’re dealing with a response, and you never want to be doing it from a response.

00:35:03.360 --> 00:35:06.960
But even when you’re not in learning mode, you can say, if you need something, hit request.

00:35:06.960 --> 00:35:11.680
We’ll review it and we’ll approve or deny it. It’s still not the end of the world, because

00:35:11.680 --> 00:35:15.920
that’s a lot better than where you were where, oh, ransomware is actively running in our environment.

00:35:15.920 --> 00:35:20.080
JACK: The traditional way we would secure networks was kind of like a castle-and-moat

00:35:20.080 --> 00:35:24.800
type of system. Everyone inside the castle wall was trusted. They could go anywhere,

00:35:24.800 --> 00:35:29.680
do anything. Then you put up this giant gate and moat around the whole thing, keeping everyone out

00:35:29.680 --> 00:35:34.000
that you don’t want in. But the problem with this is that if someone does sneak in, well,

00:35:34.000 --> 00:35:37.840
now they’ve got access to everything. There’s nothing to stop them once they’re in. If an

00:35:37.840 --> 00:35:42.960
employee turns rogue or clicks on a phishing link and gets infected, that employee’s computer can go

00:35:42.960 --> 00:35:48.080
anywhere and do anything. So, the new way people are securing networks today is called zero-trust,

00:35:48.080 --> 00:35:53.680
and that simply means to verify everything. No longer is everyone on the inside trusted by

00:35:53.680 --> 00:35:57.360
default. They’re now given the least amount of privileges to do what they need to do,

00:35:57.360 --> 00:36:00.960
and tools like ThreatLocker are great for implementing zero-trust since you can see

00:36:00.960 --> 00:36:04.520
and lock down any and all activity in the network very easily and quickly.

00:36:04.520 --> 00:36:08.560
DANNY: So, in the world of zero-trust, you essentially grant access where access is

00:36:08.560 --> 00:36:12.480
required. Everyone thinks it means no. It doesn’t mean no. It means if you’re

00:36:12.480 --> 00:36:15.360
the finance director and you need access to all of the financials,

00:36:15.360 --> 00:36:18.480
we’re going to give you access to the financials because that’s your job. If

00:36:18.480 --> 00:36:22.320
you need to be able to upload those financials to the internet, we’re going to allow you to upload

00:36:22.320 --> 00:36:25.600
those financials to the internet because that’s part of your job and requirement.

00:36:25.600 --> 00:36:29.360
So, in the world of zero-trust, it’s not about no. It’s about, if you need it for your job,

00:36:29.360 --> 00:36:33.520
we will grant that permission. In the world of detection and response, you’re saying,

00:36:33.520 --> 00:36:38.640
if I detect an anomaly or something suspicious, I’m going to block and respond

00:36:38.640 --> 00:36:41.840
to that anomaly or something suspicious. But if we don’t detect something suspicious,

00:36:41.840 --> 00:36:45.360
we’re just going to allow it. So, in the world of detection and response,

00:36:45.360 --> 00:36:50.560
everyone can access the financials. In the world of zero-trust, only the people that need to.

00:36:50.560 --> 00:36:53.280
JACK: What is your mission, or what’s ThreatLocker’s mission,

00:36:53.280 --> 00:36:55.200
or what are you trying to change in the world?

00:36:55.200 --> 00:37:00.080
DANNY: So, it’s very simple. I want to change the way the world thinks about security from default

00:37:00.080 --> 00:37:04.800
allow to default deny. So, rather than going into a computer and saying, I’m allowed access

00:37:04.800 --> 00:37:08.960
to everything until someone decided it’s bad for me to access this, which is how most security

00:37:08.960 --> 00:37:14.160
works right now on endpoints, I want to change it so I go in and I need to access everything I need

00:37:14.160 --> 00:37:18.800
to do my job, and everything else is denied until somebody’s decided and granted me that

00:37:18.800 --> 00:37:22.720
permission. That’s our mission as a company. It’s been our mission since the beginning.

00:37:22.720 --> 00:37:26.720
We attend over a thousand trade shows — well, ThreatLocker’s attended over a thousand trade

00:37:26.720 --> 00:37:31.120
shows this year. We host Zero-Trust World. The reason we do this is education. I think I

00:37:31.120 --> 00:37:36.800
did 120 trips this year. I will do local events, we’ll do Zero-Trust World, I’ll go to Black Hat,

00:37:36.800 --> 00:37:41.680
to RSA, to Gartner events, and it’s about educating people why this is so important,

00:37:41.680 --> 00:37:46.560
but also how it’s not difficult, ‘cause people think it’s going to take them months and years.

00:37:46.560 --> 00:37:52.240
I’ve onboarded people in hours. Ideally, we want to do it over a week so we can do a nice

00:37:52.240 --> 00:37:57.680
learning baseline, but it’s very easy to do. It’s very effective to do. So, my mission is to make

00:37:57.680 --> 00:38:02.400
sure people understand why this is so important and then also educate them how it can be done.

00:38:02.400 --> 00:38:09.680
JACK: Yeah, so, educate me. Educate us. So, you say deny by default. You could explain why

00:38:09.680 --> 00:38:14.040
that’s so important or even pick another topic and say this is what else is important to me.

00:38:14.040 --> 00:38:19.760
DANNY: Okay, so, deny by default is so important because think about this; if we go back — and

00:38:19.760 --> 00:38:24.480
we’ve never — as a world, we’ve never been very good at stopping viruses. Let’s face it,

00:38:24.480 --> 00:38:30.560
we go back to 2000, 2001. We have the Love Bug virus. It infected a third of the world’s business

00:38:30.560 --> 00:38:34.240
computers. Now, that virus said ‘I love you’ and e-mailed your friends and said ‘I love you’,

00:38:34.240 --> 00:38:37.600
so it wasn’t the end of the world. We had the Blaster virus after that. All of these times

00:38:37.600 --> 00:38:43.200
we had antivirus. We were denying by exception. We were allowing by default and denying by exception,

00:38:43.200 --> 00:38:46.560
and we weren’t very good at doing that. In 2007, 2008,

00:38:46.560 --> 00:38:50.640
we started seeing botnet e-mails being sent out. Again, people were getting malware all

00:38:50.640 --> 00:38:55.040
the time. They were sending the spam e-mails. They were getting pop-ups. But it was a problem,

00:38:55.040 --> 00:39:00.480
and it was an IT problem. Switch to 2014; we start seeing malware that actually

00:39:00.480 --> 00:39:06.320
encrypts files and takes down businesses. Malware and software are the same thing.

00:39:06.320 --> 00:39:11.120
Whether it’s — they’re literally written in the same languages, work the same way.

00:39:11.120 --> 00:39:16.560
The only difference is the intent at which it was created. So, every piece of software you run on

00:39:16.560 --> 00:39:22.480
your computer, whether it’s Angry Birds or a large e-tech support app or Microsoft Office or Google

00:39:22.480 --> 00:39:28.400
Chrome or — a piece of ransomware can see all of the files that the user who runs it can see. So,

00:39:28.400 --> 00:39:32.240
you don’t have to be an admin. If you’re a finance director, if you’re in sales, it can see all of

00:39:32.240 --> 00:39:38.240
your files. So, if you were to say I want to deny software by default and only allow software that’s

00:39:38.240 --> 00:39:43.840
been approved by the company, what you end up with is a situation where you’re no longer just relying

00:39:43.840 --> 00:39:51.120
on is — am I going to detect the latest threat? But you’re now saying I’m gonna block everything.

00:39:51.120 --> 00:39:55.680
It doesn’t matter if I detect it, because if the software isn’t approved by the business, it’s not

00:39:55.680 --> 00:40:00.640
allowed to run. That is so efficient at stopping ransomware, malware, but also things like Team

00:40:00.640 --> 00:40:05.320
Viewer and access tools, which are often used by scammers to gain initial access to your network.

00:40:05.320 --> 00:40:08.720
JACK: This is great. Keep going. Tell us more about how to secure a network.

00:40:08.720 --> 00:40:12.880
DANNY: Every secure — or mostly, most security attacks can be stopped with one or three methods.

00:40:12.880 --> 00:40:19.200
The people, detection, and controls. The first one is through people. But the first example I’ll

00:40:19.200 --> 00:40:27.120
give you is phishing. In the event that someone wants to phish you or someone in your company,

00:40:27.120 --> 00:40:32.720
they’re going to send an e-mail to you or a text message, whatever it may be. As a user,

00:40:32.720 --> 00:40:36.800
you have the power to stop that attack immediately in its tracks by not clicking on the link,

00:40:36.800 --> 00:40:42.400
not putting your credentials in. The attack is gone if you don’t do that. So,

00:40:42.400 --> 00:40:47.040
that’s method one. The people don’t make the mistakes, don’t click on the phishing links,

00:40:47.040 --> 00:40:52.960
don’t give somebody access to their machine. The second method is to detect a threat,

00:40:52.960 --> 00:40:59.200
and this is where — we look at phishing; this is where we’ll say, is this a known bad website?

00:40:59.200 --> 00:41:04.960
Does it exhibit signs that it’s a phishing attack? Again, detection is not a guarantee because the

00:41:04.960 --> 00:41:10.560
website might have just been spun up. Attackers will switch the website out, use techniques. It’s

00:41:10.560 --> 00:41:14.720
brand-new. You don’t know it’s a bad website. But it’s a method. If you manage to detect it and you

00:41:14.720 --> 00:41:20.160
can block that phishing link from being used, the threat is neutralized. The third way is the

00:41:20.160 --> 00:41:25.600
idea of controls. Controls are where zero-trust really fits in, and this is the most simple way,

00:41:25.600 --> 00:41:30.160
and this is where you say, well, I’m gonna turn on things like dual-factor authentication, I’m gonna

00:41:30.160 --> 00:41:36.160
turn on things like IP restriction so it can only be accessed from one of our known IP addresses.

00:41:36.160 --> 00:41:41.680
When you do this, it’s — you basically say that I accept my user might click on the link and give

00:41:41.680 --> 00:41:47.600
the person, the attacker, my password or their password. I accept that my e-mail to security may

00:41:47.600 --> 00:41:52.880
not detect the phishing e-mail, but I won’t accept that they can still get into my machine. So,

00:41:52.880 --> 00:41:56.560
what I’m gonna do in addition to this is I’m gonna restrict which IP addresses can log

00:41:56.560 --> 00:42:02.000
into my Microsoft Office tenant to only the IP addresses of my devices. I know I’m also

00:42:02.000 --> 00:42:05.840
gonna enforce dual-factor authentication so the password by itself isn’t allowed. They’re gonna

00:42:05.840 --> 00:42:10.800
have to have the user’s physical device. As an IT or security professional, this is the — the

00:42:10.800 --> 00:42:15.040
control is the only thing that you can actually control. You can’t control — you can train your

00:42:15.040 --> 00:42:18.560
users, but users are gonna make mistakes. People are gonna make mistakes all the time.

00:42:18.560 --> 00:42:24.320
You can buy detection, but detection can’t tell the intent, if it’s new or if it’s unknown,

00:42:24.320 --> 00:42:28.880
but you can control whether — if it’s — if someone puts their passwords in, will somebody be able to

00:42:28.880 --> 00:42:34.960
get into your system? So, that’s the first example of where that’s really important. The second

00:42:34.960 --> 00:42:41.440
example is when we think about malware. I can put an antivirus on a machine and say, if you download

00:42:41.440 --> 00:42:45.680
known malware, block this known malware from running. Windows Defender comes shipped with every

00:42:45.680 --> 00:42:50.000
machine, and sometimes it blocks the malware. Sometimes it doesn’t. I can tell my users to

00:42:50.000 --> 00:42:54.400
never download attachments. Don’t open things that you don’t know where their source is. If the user

00:42:54.400 --> 00:43:00.960
doesn’t do it, the threat is foiled. But I cannot guarantee either of those two are gonna apply. If

00:43:00.960 --> 00:43:08.720
I block un-trusted software by default, if one and two fail, three is always going to be successful.

00:43:08.720 --> 00:43:13.520
This is where security has to be. If we think — go back to the — even the eighties and the

00:43:13.520 --> 00:43:17.600
nineties. We didn’t used to have firewalls on our network. We didn’t used to have firewalls on our

00:43:17.600 --> 00:43:22.560
computers. Windows didn’t have a firewall built in until Windows XP. We’d get constant malware,

00:43:22.560 --> 00:43:24.880
and then Microsoft would patch it, and then we’d get malware again,

00:43:24.880 --> 00:43:27.920
and Microsoft would patch it. Microsoft released the firewall on the computer,

00:43:27.920 --> 00:43:33.200
and suddenly malware from the user dialing up to the internet or connecting to a broadband

00:43:33.200 --> 00:43:38.000
connection vanished, and it became people downloading malware because they implemented

00:43:38.000 --> 00:43:43.560
a we-deny-network-traffic-by-default policy. That’s how all security should operate.

00:43:43.560 --> 00:43:50.160
JACK: Do you have any statistics that you can tell me that makes — that tells me that ThreatLocker is

00:43:50.160 --> 00:43:55.360
effective? When I go to the doctor and they give me medicine to prevent an ailment — an illness,

00:43:55.360 --> 00:43:59.920
I don’t know if it actually prevented the illness, ‘cause I can’t tell if I got ill and the medicine

00:43:59.920 --> 00:44:07.680
fixed it, right? So, if ThreatLocker is here to prevent ransomware, how do I know it worked?

00:44:07.680 --> 00:44:10.480
DANNY: So, I will tell you. So,

00:44:10.480 --> 00:44:15.520
I’ve got 70,000 roughly companies that use ThreatLocker, and I think…

00:44:15.520 --> 00:44:18.553
JACK: Did you say 70,000?

00:44:18.553 --> 00:44:23.280
DANNY: 70,000 companies that use ThreatLocker, from small businesses through MSPs right up to

00:44:23.280 --> 00:44:28.480
large — some of the biggest software companies, banks, financial companies, hospitals, airports in

00:44:28.480 --> 00:44:34.560
the world. So, it really is at mass scale. Not a lot of them go through MSPs, so, you take an MSP;

00:44:34.560 --> 00:44:40.080
they have a hundred small businesses. They’ll manage it. I have never had a customer with a

00:44:40.080 --> 00:44:47.040
ransomware case that wasn’t ignoring obvious signs. So, we’ll send a report out saying,

00:44:47.040 --> 00:44:53.040
you have your machines in monitor-only mode. The bottom line is — and there’s no such thing

00:44:53.040 --> 00:44:59.040
as un-hackable, but the only way somebody — if you go out and you install a network control and you

00:44:59.040 --> 00:45:03.840
close ports and you stop un-trusted software and you stop PowerShell accessing things,

00:45:03.840 --> 00:45:09.120
it’s — nothing’s impossible, but it’s almost impossible to get through that.

00:45:09.120 --> 00:45:14.160
If I look at those 70,000 businesses, I’m tracking about 125 ransomware cases on them, and every

00:45:14.160 --> 00:45:22.080
single one of them has been pure — their machines were not secured or they — the other one we see is

00:45:22.080 --> 00:45:26.480
where they didn’t — they had open ports on their hypervisor and someone got in. They shut down

00:45:26.480 --> 00:45:30.480
the VMs and put them in safe mode or something like that. But if they followed the policies,

00:45:30.480 --> 00:45:34.080
if they followed — we’re gonna stop un-trusted software, we’re gonna close ports and only allow

00:45:34.080 --> 00:45:38.280
them to trust the devices, I have never seen a case where somebody gained access to a machine.

00:45:38.280 --> 00:45:40.560
JACK: ThreatLocker is hiring, but beware;

00:45:40.560 --> 00:45:43.600
they’ll tell you in the interview that it’s the hardest job you’ll ever have.

00:45:43.600 --> 00:45:48.240
DANNY: Yeah. I mean, every person that we hire, we make sure that they’re aware this is gonna be

00:45:48.240 --> 00:45:55.520
one of the hardest jobs they’ve ever had. Because I try and always say to our — I make sure everyone

00:45:55.520 --> 00:45:59.600
in the company knows we are not supporting a software product. We are supporting a hospital,

00:45:59.600 --> 00:46:05.360
an airport, a government agency, a local business, and when someone calls in and

00:46:05.360 --> 00:46:10.240
they’re having a problem — and the thing is about what we’re doing is we often — I would

00:46:10.240 --> 00:46:14.880
say seventy to eighty percent of our support tickets have nothing to do with us. The reason

00:46:14.880 --> 00:46:20.880
people call us first is because if you say, well, I’ve got an EDR and I’ve got a zero-trust endpoint

00:46:20.880 --> 00:46:25.200
security product, and suddenly one piece of my — my dental software is not working,

00:46:25.200 --> 00:46:31.600
it’s very, very easy for you to say, well, I assume it’s to do with the zero-trust, always.

00:46:31.600 --> 00:46:39.200
I’ve been literally four hours proving and diagnosing and working with a competitor of ours

00:46:39.200 --> 00:46:44.800
on EDR space to say, look, you have a problem here with your software. We’ll uninstall ThreatLocker.

00:46:44.800 --> 00:46:48.800
We’ll show them the issues still happening, and then we’ll actually go in with a vendor and say,

00:46:48.800 --> 00:46:53.360
you’ve got a problem with your software here. Because I think it’s easy to assume

00:46:53.360 --> 00:46:57.040
that zero-trust is the problem, but most of the time it isn’t. But you’ve got

00:46:57.040 --> 00:47:01.680
this culture change which we’re trying to change. So, people have to know it’s hard,

00:47:01.680 --> 00:47:06.960
but I think it’s also incredibly rewarding. I think what we do is — there’s nothing better

00:47:06.960 --> 00:47:10.960
than a feeling that we just stopped a major ransomware attack. My door never gets closed.

00:47:10.960 --> 00:47:14.800
My phone is never turned off, but — and I always say to anyone,

00:47:14.800 --> 00:47:18.720
if you can’t fix the customer issue and you can’t get someone else to help you,

00:47:18.720 --> 00:47:22.480
go over to the development part and go over to your peers. But also when you — at the end of

00:47:22.480 --> 00:47:28.560
the day, if it’s 2:00 a.m. in the morning and it’s not working, come and call me. Call me,

00:47:28.560 --> 00:47:33.200
call Sammy, who’s our other co-founder, and call and say, hey, I’ve got a customer on the phone

00:47:33.200 --> 00:47:37.600
and they’re saying that something’s wrong and something’s getting blocked and it shouldn’t be,

00:47:37.600 --> 00:47:40.640
and they don’t understand and I don’t understand why, and I can’t find anyone else. It’s like,

00:47:40.640 --> 00:47:46.400
well, let’s see what’s wrong, because I think it’s important for everyone to know that we’re

00:47:46.400 --> 00:47:50.400
willing to take a phone call at 2:00 a.m. in the morning if it solves a customer issue.

00:47:50.400 --> 00:47:54.480
JACK: How many phone calls do you get a month during your sleep?

00:47:54.480 --> 00:47:56.800
DANNY: Probably six or seven.

00:47:56.800 --> 00:48:03.000
JACK: Geez. I hope you get paid overtime for that.

00:48:03.000 --> 00:48:09.360
DANNY: Yeah, no. But I think it’s — we have a twenty-four-hour — I mean,

00:48:09.360 --> 00:48:14.320
we have customers in Australia. Well, we have offices in Australia, in Dubai, in Dublin,

00:48:14.320 --> 00:48:21.760
we have staff in eleven different countries. We have customers all over the world. I just — I

00:48:21.760 --> 00:48:39.977
think it’s more important that we solve the issue for the customer, and that’s the bottom line.

00:48:39.977 --> 00:48:43.040
(Outro): [Outro music] Thank you so much to our guests, and especially Danny Jenkins from

00:48:43.040 --> 00:48:48.320
ThreatLocker. To learn more about them or to get a free trial, visit threatlocker.com. This show was

00:48:48.320 --> 00:48:53.040
made by me, the real SQL Shady, Jack Rhysider, mixing by Proximity Sound, and our theme music

00:48:53.040 --> 00:48:57.440
is by the mysterious Breakmaster Cylinder. I got tired of forgetting my password, so I just changed

00:48:57.440 --> 00:49:02.560
it to the word ‘incorrect’. Whenever I go and I type in the wrong one, the website always says,

00:49:02.560 --> 00:49:12.400
your password is incorrect. I’m like, oh yeah, thanks for the reminder. This is Darknet Diaries.
