In this episode, Dr. Chase Cunningham, aka DrZeroTrust, joins us to shed light on what a horror story looks like from an adversarial perspective. In drawing on his extensive red teaming and NSA background, he explores why doing the basics and applying them intelligently does matter, why people should abandon the notion of perfect security, and what controls and practices organizations can adopt and follow to make it a bad day for bad actors.
IT Horror Stories
The scariest stories in IT.
About This Episode
Host
Jonathan Crowe
Director of Community, NinjaOne
Guest
Dr. Chase Cunningham
DrZeroTrust
About Dr. Chase Cunningham
Dr. Chase Cunningham’s career has been dedicated to pioneering strategic cybersecurity frameworks, notably creating the influential Zero Trust Extended (ZTX) Framework at Forrester Research, significantly accelerating global adoption of Zero Trust principles across industries and governments worldwide. In executive roles, including Chief Strategy Officer positions at Demo-Force.com and Ericom Software, he’s successfully driven market innovation, strategic partnerships, and growth initiatives. His proven ability to align complex cybersecurity strategies with business objectives has consistently resulted in substantial market impact, increased client engagement, and accelerated technology adoption.
Audio Transcript
[00:00:00] Chase: Everybody has a plan until they get punched in the face. So we’re always going to go after phishing, we’re always going to go after social engineering. We’re always going to go after, you know, USB drops and those types of things.
[00:00:10] Jonathan Crowe: Hello, and welcome. Please come in. Join me. I’m Jonathan Crowe, Director of Community at NinjaOne and this, this is IT Horror Stories. Brought to you by NinjaOne, the leader in automated endpoint management.
Introduction
[00:00:25] Jonathan: Hey everyone. Welcome to another episode of IT Horror Stories. I’m your host, Jonathan Crowe, Director of Community at NinjaOne. And our guest today is Dr. Zero Trust himself, Dr. Chase Cunningham. Chase, thank you so much for being on the show.
[00:00:41] Chase: Hey, thanks for having me here. It’s always good to talk with people, especially when we’re talking about horror stories. What more fun is there?
[00:00:48] Jonathan: Well, I know you’ve seen your fair share, from a unique perspective. For those listening in, Chase has a very unique perspective and comes to the show with a ton of background expertise and experience. More than 20 years in cyber forensics and analytic operations, including time with the Navy, NSA. A ton of different companies, now doing red teaming and PEN testing.
[00:01:14] You definitely bring a macro view of things. You see the bigger picture. Our subject of the day, horror stories. There’s a lot of stuff in your background. I’m sure that you can and that you cannot talk about, with your background in the government and everything. Tell us a little bit about before we dive into your specific story, tell us a little bit about your background and how you got into this world.
About Chase
[00:01:34] Chase: Yeah, so I’m a retired Navy Chief. I was a cryptologist for my career. Then I got medically retired and went over and transitioned and was a government civilian for a bit, with some different agencies. Then I was at Forrester Research and built out some of their zero trust practice, like formalized it. And then from there on, I’ve been a consultant and then the G2 more recently, but I’ve also managed to get a, I have a PhD and six or seven patents and I’m working on my eighth book right now. So I stay busy, I guess.
[00:02:02] Jonathan: You certainly do. You also have your own podcast, the Dr. Zero Trust podcast.
[00:02:07] Chase: Yeah, I, that’s been a passion project. I started that four years ago. And, it’s just fun. It’s, I don’t know about you, but I think podcasting is kind of cathartic. And hey, if people listen, great. If they don’t, then I’m just screaming into the ether anyway. So what’s it matter?
[00:02:20] Jonathan: Great way to talk to interesting people too. I mean, that’s what I’m getting out of this right now.
[00:02:24] Chase: You meet good people and every once in a while you run into somebody at the airport or something that says, Oh, I listened to your stuff. That’s always awesome.
[00:02:30] Jonathan: Absolutely. Absolutely. Well, thank you so much again for taking the time. Let’s get into the horror stories. And what I think is so exciting about this episode, me personally, what makes me so excited about it is we have been talking with IT leaders who are in operations roles, who are, their idea of facing a horror story.
[00:02:49] It’s a little bit different from your perspective going back to your red teaming days. Basically we’re bringing you in. We’re flipping this, the, the script essentially, and I’m interested in getting your perspective. What’s a horror story look like for an attacker?
Flipping the Script
[00:03:04] Chase: Yeah. I mean, I think the funny thing is the horror story for an attacker is when you really, when an organization has aligned on actually doing the things that they read about in best practices and has the controls in place that are sort of, built on removing the adversary’s ability to be successful.
[00:03:20] It gets really nasty really fast. And, you know, as a red team guy, we don’t want to work hard, to be perfectly frank. Like, we’ve got lots of easy targets. If we get in there and we find out that they’ve taken care of the majority of difficult things, it gets really boring really quick and you want to go on and do other things.
[00:03:38] I’ve been on engagements before where we got, you know, kicked off on a red team op and two days in, we didn’t find any of the stuff we typically would want to find and we realized it was going to be a losing battle and we just say, cool, we’re done, here’s the report and I’ll catch you later.
[00:03:52] Cause it, it’s not worth it. And I think that that’s the, the horror story for the adversary is if it’s a difficult enterprise and they’ve put things in place that they, you know, know they should, it makes it very difficult. And then you just, you know, you just don’t, why, why fish in a pond where there’s no fish? I’d rather go where there’s lots of fish, where I can fish with dynamite.
[00:04:13] Jonathan: Well, let’s, let’s bring this into, like, the horror, sticking with our theme here, you know, from the horror movie perspective, talking with you is kind of like we get the viewpoint of, you are the person out there looking in at the cabin, basically, and you’re waiting and watching for the teenagers who are partying and leaving the door open, and one goes out and says, I’ll be right back.
[00:04:31] Chase: I’ll be right back.
[00:04:34] Jonathan: So what are the things, if we’re going to carry that analogy further, what are some of the things when you get in there that you start looking for? What are the weak points that you’re starting to pressure test first?
Where attackers get started
[00:04:43] Chase: I mean, number one, we’re always going to go after is, we’re always going to go after people because people are, it’s not that they’re the weakest link. It’s just that people have got so much going on and that their ability to kind of continually stay up on the many different ways that you can exploit them is pretty minimal.
[00:04:58] So we’re always going to go after phishing, we’re always going to go after social engineering. We’re always going to go after, you know, USB drops and those types of things. Wireless systems are a red teamer’s best friend. Most people don’t ever think about, you know, you buy a wireless printer nowadays and connect it up to your internet or the network at the office.
[00:05:16] They typically have default settings that talk out to the, you know, world writ large. and I mean, I can Google the common usernames and passwords for Kyocera and HP and all those cats. What’s on your printer network? The same stuff on the rest of your network. You know, you can get through there as well.
[00:05:31] Typically you don’t have to do crazy zero day level type exploits to win. You just go after the low hanging fruit and kind of work your way through the process and you’ll find something along those ways. I can’t recall a single time where I’ve ever been in any space where we even have to do much as far as like crafting exploits. It’s usually off the shelf fire and forget and, you know, target what you’re going to target and something works.
[00:05:58] Jonathan: This is one thing that I’ve noticed with a lot of the coverage and everything. I mean, obviously media is going to react to the big nation state attacks and zero days, and even the things we see where, Oh, there’s a hacker that, you know, hacks self driving cars and things like that. You know, it’s… and now AI, of course.
[00:06:15] But when you see the actual incidents that are coming through, and you talk to pen testers, I mean, a lot of it is, it’s just the basics, right? It’s the bread and butter stuff.
“Social engineering, phishing and credential management [have been the] number one, two and three, exploit vectors for the last 10 years in a row.”
[00:06:23] Chase: I mean, there’s a reason that the Verizon DBIR, the Mandiant Entrants have had social engineering, phishing and credential management as the number one, two and three, exploit vectors for the last 10 years in a row. It’s because it works. So you know, I’m a data geek. I live, eat, sleep and breathe data.
[00:06:38] And if I look at the trends and it’s the same stuff for a decade, probably a good place to start focusing my controls around.
[00:06:46] Jonathan: If you’re watching horror movies, you know, you’ve got the classic, the almost cliche things, right? Like, you’re screaming at the person. Don’t go down in the basement. You’re an idiot. What are you doing? You’re probably doing the same thing.
[00:06:58] Don’t pick up that USB drive. Best practices out there, you’d think that’d be common knowledge by now. Don’t use those things. It’s still super effective.
[00:07:05] Chase: Still super effective. You know, it’s funny cause I’ve been back and forth with people about the efficacy of phishing training, whatever else, and social engineering. I had a guy that runs a company that does that. And I said, I’ll bet you my year’s salary that you can line up on a line of some guys on a test the day after you do training and we’ll get access. He wouldn’t take the bet. To me, that speaks volumes.
[00:07:29] Jonathan: So let’s talk about a little, dive into more of what a horror story looks like for you. In that perspective, the red teaming, the adversary perspective. Do you have a particular incident that you were involved in where you got in and it really started making your day a bad day as an adversary or as a red teamer?
A bad day for bad actors
[00:07:45] Chase: Yeah, I mean, we did a red team test on a government provider and the thing was we got in really easy, but once we got in there was nowhere to go. And it was one of those ones where everybody just kind of sat around the table looking at each other like, okay, now what? And, you know, we tried and poked around and we realized that we were giving ourselves away, which you don’t ever want to do.
[00:08:06] You know, we know whether we were setting off alarms and the folks on the other side of the wall that were doing the blue team side. I mean, we could hear them kind of giggling and laughing at us. And it was like, all right, you know, number one, the pride is getting hurt. Number two, I got other things to do.
[00:08:21] So we just wound up packing our bags and leaving and saying, you know, push the chess boards off the board like you guys won.
[00:08:28] Jonathan: Are there specific things then that you would recommend? It sounds like you’re talking about segmentation, taking out, you know, doing least privilege, things like that.
[00:08:38] Chase: Least privilege access, segmentation, browser isolation. Training is good because it does help, but it’s not a technical control. You know, removing application accesses, removing people’s ability to be admin on machines. All the stuff that we’ve written about in the best practices for 20 years that people still go, well, I wonder if we should do this.
[00:08:58] Like, no, it’s, it’s called a best practice for a reason. It’s not because somebody woke up and was like, how can I just, you know, put things on a piece of paper? It’s a best practice because it’s a practice that’s best.
[00:09:09] Jonathan: You’re coming from that red team mentality. So you do have the things where obviously you want to succeed and have useful things that you can be sharing. You want to be able to hack into systems, identify weak points. You want to be able to actually pwn systems.
[00:09:21] But at the end of the day, you want to do that because you want to be able to educate and help these folks improve. And so let’s turn it around a little bit and what are some of the horror stories you’ve seen in terms of here’s an engagement where you’ve, or where you’re consulting or you’re doing red teaming, you’ve come in and you’ve seen something where, wow, this is a real, this is a true nightmare. These guys have so much to fix.
A trip down memory lane
[00:09:47] Chase: Well, one of the biggest ones was a pretty large enterprise organization that had, their, I guess you’d call it their crown jewels on a data center that was on site, like internal to the building. And of course they had other stuff outside of it, but, it was supposedly a secure facility. But it wasn’t. I, after actually at happy hour time, I went to a bar down the street and I just found some random person there and I was like, look, man, I’ll give you a hundred bucks if you come with me right now. And we worked our way past the, you know, the, the people at the front door and everywhere else. And we’d sent the CEO and board pictures of us chilling out in the data center inside of the building.
[00:10:22] And it took, I don’t know, 35, 40 minutes to do that and get there. So it was one of those ones of going like, you know, here we are. I mean, this is your data center. Like we can switch network cables if we want to.
[00:10:35] Jonathan: And that must be terrifying for, leadership of an org to hear because it’s also one of those things where that’s not going to get solved by just buying the next tool that’s recommended on G2, right?
[00:10:46] Chase: Yeah, it’s not going to be something that’s solved very easily. And the interesting thing was just the fact that they’ve put so much kind of faith in the basic, simple physical controls when it doesn’t take much to get past that. If you can throw in some urgency or you can make people a little uncomfortable, it’s amazing what they’ll allow to happen.
[00:11:06] I think the one that I saw online that was one of the best was a lady calling to get somebody’s password. She had a recording of a baby crying and nobody likes to hear a baby cry and just hearing that the person on the other end was like, Oh, I can understand. You know, you’re stressed. Your baby’s crying here. Let me help you out. And that’s all it took.
[00:11:23] Jonathan: How do you think this has changed your perspective on security in general, through, you know, the past 20 plus years?
[00:11:30] Chase: Yeah, it’s one of those ones where I think people should abandon the idea of perfect security because it doesn’t exist. You know, you think if you’re if you’re postured up and you’ve spent enough money and you’ve got the right things in place that you’re not going to have a breach. The odds of you not having a breach are really, really slim. It’s just a matter of time. That doesn’t mean that you stop trying, but it just means to be aware of when things go wrong, what is your plan, how will you isolate, how will you minimize the damage, how do you move or how do you stop lateral movement, etc. And then also, you know, seeing what I’ve worked with people on ransomware planning, if you’ve never been through a ransomware incident or planned for it, you should because when, you know, the, the ish hits the fan, people will change the way that they work with each other and the last thing that you want is, you know, the boardroom throwing stuff across the, you know, board table because they’re not ready to respond to a ransomware event.
[00:12:23] Jonathan: For a lot of folks, the ultimate horror story that keeps them up at night is the ransomware scenario. I mean, it’s so prevalent now, too, right? And I think when we were talking about it, you brought up the famous, Mike Tyson quote, right?
[00:12:37] Chase: Everybody has a plan until they get punched in the face.
[00:12:38] Jonathan: Exactly.
[00:12:39] Chase: Yeah, I mean, I, it wasn’t one of my folks I worked with, but I was working with some people that were tangentially tied to a major city down south. They had an offer from a vendor that would have secured the systems from the perspective of, you know, basic sort of ransomware controls.
[00:12:56] I think the cost was going to be about $75K and the city leadership said, no, we can’t afford that. And, I think it was about a month, month and a half later, they got hit and the ransom was $15 million. $70K sounds good now, doesn’t it?
[00:13:11] Jonathan: Do you think hearing more stories like that and having the headlines, you know, these things appearing in the headlines, do you think it’s made any kind of impact? I mean, or are we just going to be living these horror stories and seeing people still make the same moves over and over and over again?
[00:13:24] Chase: I mean, apathy is a real thing. There’s people that still, you know, don’t buckle up their seatbelts. There’s people that smoke cigarettes. There’s folks that, you know, swim with sharks. I mean, you can’t fix people. But, hopefully the majority of us can start, you know, moving forward. And I think we’re seeing that there’s some effort and some gravitas to the movement as far as strategic approaches to security that make sense.
[00:13:46] So, you know, I’m, it’s not all doom and gloom, but there are still people that just kind of go like, I don’t think this is applicable to me. Small businesses are usually the worst at it because why would somebody target my business? Well, it’s not you, honestly. It’s the fact that you’re connected to others.
[00:14:03] That’s what we want to get to. You know, you’ve got a contract or you’ve got information or whatever else. And, you know, if it’s, I always ask people when they say, why would I be of value? I say, do you make money from your business? Then it’s valuable.
[00:14:18] Jonathan: Talking about having that attacker perspective, if it’s easy enough, I mean, why not? And then, yeah, you see where you can get to from there.
[00:14:27] Chase: Ransomware is the best retirement plan anybody ever came up with. The top three ransomware groups are making hundreds of millions of dollars a year. So I mean, personally, I think I’m in the wrong organization. I should be retired to some beach in Russia. I don’t know whether there are beaches in Russia, but yeah.
[00:14:42] Jonathan: Well, I mean, you mentioned, I mean, having all that money, I mean, I know, Kevin Beaumont had an article, maybe a couple of years ago about just man, calling the stark, challenge of, okay, now you’ve got these groups with that amount of funding to do things if they wanted to, with exploit, you know, development and purchasing and all that. But as you pointed out, a lot of times they don’t even need to.
[00:15:08] Chase: It’s funny too, because, recently, and this is public knowledge, the drug cartels in Mexico have started transitioning a lot of their ops over to cybercrime because there’s less risk, there’s almost no attribution, the odds of them getting arrested are nearly zero and it’s kind of maximum bang for their buck.
[00:15:23] So they’ve gotten to a point where they, are literally changing their business operations and saying like, we’ll have a unit that does shipping cocaine across the border and we’ll have cybercrime and, you know, we’ll make money on both ends of it because it is very doable and it is commoditized and it is almost guaranteed income.
Do the basics. Apply them intelligently.
[00:15:41] Jonathan: Switching over to maybe not the all doom and gloom, the hope, right? Folks use the phrase imposed cost, and goes back to your concept of, well, if you see someone with a clear security system or locked doors, you know, you’re going to, why, why try to rob that house? We can go down the street and get the one that doesn’t. What are some top things that you could recommend that would help in that regard?
[00:16:08] Chase: The basics and really apply them intelligently. General Greg Touhill is a great friend of mine and a mentor and one of his sayings is if everything is a priority, nothing is. And that’s what I mean to folks to understand is not everything is a priority here. You probably read about it in the media, the news, and it seems like, oh my God, how will I ever keep up with this?
[00:16:26] Look at the trends and the data and the information that tells you where attacks are likely to occur and where they’re likely to be successful and apply controls there. And you’re making yourself a harder target. And to your point, I don’t have to have, you know, 50 cows mounted on my roof and claymores in the driveway.
[00:16:42] If I’ve got a Doberman, it’ll make you think twice, you know. So just doing those things does make stuff valuable. The only other one I would put out there is, don’t rely on humans not to be humans. Like, we’re people, and non security people don’t want to do security things. Your security technology should be pretty close to magic.
[00:17:01] It should just do the thing, and they shouldn’t get wrapped up around it. If your security tech makes people miserable, they will find a way around it because we’re humans. That’s just what we do. So work your way towards that too. And, you know, the only last thing I would say is just it’s okay to tell your people, especially if you’re, you know, doing phishing training or whatever else.
[00:17:20] There are some people that you just have to say like, Look, man, I got to put some additional controls around you because you’re, you’re prone to clicking, bro. Like I don’t know what to tell you, man, but I got to do something about you. And it’s not because I don’t like you and I don’t like your hair color or whatever else, but you’re a risk to my business. And I either put more controls around you or I let you go. Which one do you want?
[00:17:40] Jonathan: You could frame it like, Hey, we’re here to help. You know.
[00:17:42] Chase: That’s, yeah, it’s like, you know, you work for me at this business and I want us to be successful, but there’s a risk here. And I mean, that’s one reason why I would say it’s always good to have data to back it up. Like, look, we did a phishing training simulation last month and out of everyone in the company, you were the one that fell for the same thing twice.
[00:18:00] So it’s again, it’s not, it’s not meant to be, you know, focused on you. It’s just, this is what’s up and I want you to keep working here. But, I’m gonna just, you know, help you be a little bit more secure.
[00:18:12] Jonathan: And going back again to the horror story analogy, you know, you tend to find types of characters and, you tend to see the same ones over and over again. The archetypes of characters in horror movies. Are there types in organizations that you’ve seen that have suffered IT horror stories, particularly security incidents, you know, whether it’s leadership who just aren’t seeing the value and risk analysis and security or anything like that. Any stock characters that you can call out?
[00:18:44] Chase: I would say, usually, the higher up in the C suite you talk to, the worse they are about this whole thing. Like, they’re the people that are, you know, gonna be, that are gonna have the most access, they’re gonna have the most privilege, they’re also gonna have the most data available to them, and they’re gonna be the people that are of the most value, like the whales.
[00:19:00] But those people for some reason, you know, I’m the CEO, I need to have admin access to whatever. Are you the developer? Then no, I’m not giving it to you. You know, oh, I’m a chairman of the board, blah, blah, blah. Like, I’m great, it’s not going to make me any taller or more money, so I’m not going to do this for you.
[00:19:16] Like, there’s those folks that just think that they need to have it because of their title or position. And really all that is doing is introducing risk. And you have to find a way to remove and minimize that risk. And those are usually the worst, as far as just the folks that will fight you tooth and nail.
[00:19:32] The other one that stands out too a lot of times is, and it’s not to knock on them, but it’s just developers are tasked with moving so much stuff so fast. That they have no problem hard coding and embedding things that they know are potentially risky into systems and then shipping it. Because if I’m paid to ship code, baby, we’re shipping code, you know, if it goes sideways on the far end of it, I didn’t realize that that was there.
[00:19:55] I mean, there’s always that, you know, by the time 75 people have contributed one block code, it’s kind of hard to track down who screwed up.
[00:20:03] Jonathan: In your experience, both internally at organizations and also, consulting, red teaming, you know, you deliver your report. Here are your findings, here are recommendations. Do you get to stick around to see how orgs have responded to those? I mean, is that part of the horror story to you of how much people do or don’t react to those things?
[00:20:25] Chase: Yeah, there’s been the orgs that are good about it. And they’ll have you come back and run the same simulation or test again. And they want to see if they fix the holes that you put in front of them. And I’ve had a lot that have done that. And then I’ve also had a lot of them where [they] say, Thank you very much.
[00:20:37] They file it with a compliance report and they get the lawyers off their back and go on about doing what they were doing with total disregard for what we put in front of them. And it’s a sad state of affairs, but it does happen more often than I would like. Just because people will, you know, again, the apathy side of it is I gotta be compliant to do business.
[00:20:54] I gotta have this red team test or this pen test. I did it. Thank you very much. And that’s good enough.
[00:20:59] Jonathan: The checkbox approach, basically.
[00:21:01] Chase: Compliance does not equal security. I remind people that every organization that’s had a breach, had just checked the compliance initiative somewhere.
[00:21:11] Jonathan: Any suggestions for the folks who are there at orgs who are champions of, they want to do the right thing. They want to see their org improve. They may be facing various headwinds. How can they be better champions of security within their organizations?
[00:21:27] Chase: This is where I think we in the security community have done ourselves a bit of a disservice is we’ve made this where it’s such a sexy, cool hacker world with all our crazy acronyms and whatever we need to move away from that and really get to where we’re talking business with people. And that is what resonates.
[00:21:44] And then the other piece, too, is tying it to something that’s actually of value for whoever’s involved. And I don’t mean like value as far as the particular, Oh, it’s going to cost us a million dollars if we get breached. Like, what is the value of what we’re doing for this business that is going to be at risk if we get hit up?
[00:22:02] Is it, we’re going to be down for six weeks, and we’re probably going to go out of business? And, you know, the 35 employees we have here will lose their jobs, plus their families will lose healthcare coverage? Like, being able to really speak to the bigger, higher calling is very useful, too. You know, I work with, I do a lot of pro bono, advisory stuff with, like, old people and, women’s shelters and stuff like that on security controls.
[00:22:26] And it’s funny because they’re usually more willing to try and dive in on security than people that have the job of security controls inside of an organization.
[00:22:36] Jonathan: Well, yeah, that’s interesting. I mean, they’re just more appreciative of the help you think?
[00:22:39] Chase: Oh, well that, and they realized that there’s a value to it. Like if you’re, you know, an older person and you’re living off your retirement and your retirement gets bricked, like that’s a big, bad deal.
[00:22:48] Jonathan: We do see companies make headlines and then you look at the stock price later and it’s like, well, I guess they got off the hook. I mean, there is an element to that too. That’s, that’s hard to kind of shake off.
[00:22:59] Chase: That’s why I think the penalties that we have in the whole system, like all the compliance initiatives and all that, whatever else, like it’s just, it’s comical in nature. I’m honestly, I literally have a hashtag I put out on my podcast about buy the breach because it’s good for companies at the large enterprise level to get breached, stock values do better.
[00:23:17] So, you know, it’s the cost of doing business. If you can survive that initial hit, wait six months and your stock value will be up from where it was. and that. That to me speaks volumes about, you know, how this whole market is set up.
[00:23:29] Jonathan: Man, a lot of the other folks we’ve been talking to and all the audience too, may not be security specialists, right? They’re IT leaders. Of course, a lot of their job involves the actual applying of security controls, and security is top of mind, obviously. But do you have any recommendations for those folks?
[00:23:51] Because what you were saying about security, so much of it can be seen as, well, you do everything right and what’s the result? Nothing happens. And so it’s hard to get the value, really underscore the value of that, right? And I think IT people can feel the same way.
[00:24:06] If they’re doing their jobs right, they’re basically invisible. And they have to actually be more proactive and consciously, intentionally work at, hey, here’s what we’re doing and why it’s valuable to the business.
Showing value
[00:24:18] Chase: Yeah, security is one of those ones where if you’re doing your job right, there is no real outcome. And that’s weird to even say. But, you know, if everything goes perfectly, no one knows what went down. And it’s just, you know, regular business for the sake of business. I think, you know, if you go back and look at the CIA prior to 9/11, no one knows about the thousand times the CIA saved us from bad things.
[00:24:40] Everybody knows about the one screw up. And unfortunately, that’s just kind of the way it goes. So there’s you know, there are ways to translate that, around and sort of thing. I think one thing too that I’ve seen security leadership do that is valuable for them is if your strategy is correct and you’re adapting and improvising and doing the right things, over time you should be able to free up budget instead of continually asking for more and spending more money on things that aren’t actually, you know, doing anything for you.
[00:25:05] Jonathan: Yeah, you never want to be that guy who you walk into the boss’s office and they’re basically like, well, what do you want now? How much money do you want now?
[00:25:11] Chase: Yeah, the days of CISOs getting blank checks are over. I mean, you’ve got to have a strategy now and you’ve got to have a way to get it. And I mean, if I had a nickel for every org I worked with where they had two or three of the same thing solving the same problem, it’s always, there’s plenty of way to free up that money.
[00:25:27] Jonathan: So Chase, any other words you’d want to share for IT leaders, security folks too, heading into this year? Words of advice, words of encouragement, anything you want to share?
[00:25:39] Chase: I mean, I think the words of encouragement I would say is that the space is in a spot where there’s vendors that have capabilities that can help you enable a strategy that will reduce the likelihood of a compromise. Is it going to stop a breach? No, but is it going to likely reduce compromise? And by compromise, I mean continual bad things happening based on access, and you can use those solutions. And if you adopt a strategy that’s based on reality and actually apply the controls where the bad guys are going to meet you.
[00:26:09] You’ll do better on the far end. The caution I would say is that we as the good guys do not own the patent on security tech or security solutions. The adversaries are using those to figure out how to get past it and work ways around it. And AI, whatever you want to call it, ML is only expediting that process. So you’re in an arms race, unfortunately. It’s good because you probably won’t be unemployed, but it’s also, you know, the reality of you’re in an arms race and the race is not over.
[00:26:38] Jonathan: It can be humbling. It can be discouraging, but it’s also like you said, I mean, I think if you, if you really switch your mindset to it, not a bad thing at the end of the day. I mean, it’s just, it’s the job.
Think like an adversary
[00:26:48] Chase: I would also tell people like, don’t be a cyber security black belt. And what I mean by that is if you’ve ever been in anybody that’s been in like martial arts or fighting, there’s always those cats that have got a black belt, but they’ve never actually been in a street fight.
[00:27:00] And the moment they get in a street fight, things go sideways really, really quickly. Go get in a street fight, bring in red teamers, bring in folks that can come at you the way the adversary does and then you’ll see what your posture actually looks like. Because until you’ve tested it, it’s just a really good guess. and that is not where you want to be is a really good guess.
[00:27:18] Jonathan: We’re huge advocates of table topping, not just for security either but with IT operations, you know, how would you handle downtime of any kind of nature? How do you handle the really hairy, unexpected circumstances? We really want to encourage people to sit down with their teams and take time to do those things.
[00:27:38] Also talk with folks like yourself. I mean, that’s part of the mission of this podcast. And also, I’m sure part of the goal, what makes it so important to work with, pen testers and red teamers. You know, bringing in the adversaries who are not true adversaries, to get that pressure tested before the real thing happens.
[00:27:57] Chase: Yeah, test your board too. I mean, I do workshops with folks and I kick the C-suite leadership out of the room. I want to deal with the board and see what they do because I mean. People don’t give enough credence to how much influence and how much activity the board is going to impose upon you when things start going sideways.
[00:28:14] So, test the board. You’re well within your rights to be like, if you’re a board member, I want to throw you in the mix and see how you deal with this.
[00:28:23] Jonathan: If only I could be a fly on the wall for those scenarios, I’m sure people, it’s been interesting to say the least.
[00:28:29] Chase: It gets ugly.
[00:28:33] Jonathan: Cause I’m sure they’re too, they’re probably not used to this, right? They’ve never gone through this experience a lot of times?
[00:28:37] Chase: Yeah, and most of the time what’s interesting is you find that they talk a really big game and they’ve, you know, got all this experience and whatever else, but the moment, you know, they’re staring down the barrel of it, it changes stuff. And stress doesn’t really come into play until stress comes into play.
[00:28:52] When I do scenarios with people, I learn from the military, I like to continually increase your stress and see how that drives your response.
[00:28:59] Jonathan: Well Chase, thank you so much for taking time and giving your unique perspective about what it’s like to deal with an IT scenario that turns into a horror story and how to prevent them. And also, how to prepare to make sure you’re actually ready to handle that stress when the real thing hits. Really appreciate your time.
[00:29:18] Chase: Yeah, thanks for having me. This is fun anytime we get to talk, you know, war stories. I’m always up for it.
Closing
[00:29:24] Jonathan: Thanks for listening to this week’s episode of IT Horror Stories. For even more information and resources on how you can beat IT misery and transform your IT, check out www.NinjaOne.com. Or pop by our IT Leadership Lab community, at www.theitleadershiplab.com. There you can connect with other IT leaders, talk shop, and get access to the latest guides, templates, and documents from other experts in the space.
[00:29:48] Remember, whatever your IT horror story, just know you don’t have to go it alone. That’s all for this week. We’ll be back with more soon. Thanks for listening.
[00:00:10] Jonathan Crowe: Hello, and welcome. Please come in. Join me. I’m Jonathan Crowe, Director of Community at NinjaOne and this, this is IT Horror Stories. Brought to you by NinjaOne, the leader in automated endpoint management.
Introduction
[00:00:25] Jonathan: Hey everyone. Welcome to another episode of IT Horror Stories. I’m your host, Jonathan Crowe, Director of Community at NinjaOne. And our guest today is Dr. Zero Trust himself, Dr. Chase Cunningham. Chase, thank you so much for being on the show.
[00:00:41] Chase: Hey, thanks for having me here. It’s always good to talk with people, especially when we’re talking about horror stories. What more fun is there?
[00:00:48] Jonathan: Well, I know you’ve seen your fair share, from a unique perspective. For those listening in, Chase has a very unique perspective and comes to the show with a ton of background expertise and experience. More than 20 years in cyber forensics and analytic operations, including time with the Navy, NSA. A ton of different companies, now doing red teaming and PEN testing.
[00:01:14] You definitely bring a macro view of things. You see the bigger picture. Our subject of the day, horror stories. There’s a lot of stuff in your background. I’m sure that you can and that you cannot talk about, with your background in the government and everything. Tell us a little bit about before we dive into your specific story, tell us a little bit about your background and how you got into this world.
About Chase
[00:01:34] Chase: Yeah, so I’m a retired Navy Chief. I was a cryptologist for my career. Then I got medically retired and went over and transitioned and was a government civilian for a bit, with some different agencies. Then I was at Forrester Research and built out some of their zero trust practice, like formalized it. And then from there on, I’ve been a consultant and then the G2 more recently, but I’ve also managed to get a, I have a PhD and six or seven patents and I’m working on my eighth book right now. So I stay busy, I guess.
[00:02:02] Jonathan: You certainly do. You also have your own podcast, the Dr. Zero Trust podcast.
[00:02:07] Chase: Yeah, I, that’s been a passion project. I started that four years ago. And, it’s just fun. It’s, I don’t know about you, but I think podcasting is kind of cathartic. And hey, if people listen, great. If they don’t, then I’m just screaming into the ether anyway. So what’s it matter?
[00:02:20] Jonathan: Great way to talk to interesting people too. I mean, that’s what I’m getting out of this right now.
[00:02:24] Chase: You meet good people and every once in a while you run into somebody at the airport or something that says, Oh, I listened to your stuff. That’s always awesome.
[00:02:30] Jonathan: Absolutely. Absolutely. Well, thank you so much again for taking the time. Let’s get into the horror stories. And what I think is so exciting about this episode, me personally, what makes me so excited about it is we have been talking with IT leaders who are in operations roles, who are, their idea of facing a horror story.
[00:02:49] It’s a little bit different from your perspective going back to your red teaming days. Basically we’re bringing you in. We’re flipping this, the, the script essentially, and I’m interested in getting your perspective. What’s a horror story look like for an attacker?
Flipping the Script
[00:03:04] Chase: Yeah. I mean, I think the funny thing is the horror story for an attacker is when you really, when an organization has aligned on actually doing the things that they read about in best practices and has the controls in place that are sort of, built on removing the adversary’s ability to be successful.
[00:03:20] It gets really nasty really fast. And, you know, as a red team guy, we don’t want to work hard, to be perfectly frank. Like, we’ve got lots of easy targets. If we get in there and we find out that they’ve taken care of the majority of difficult things, it gets really boring really quick and you want to go on and do other things.
[00:03:38] I’ve been on engagements before where we got, you know, kicked off on a red team op and two days in, we didn’t find any of the stuff we typically would want to find and we realized it was going to be a losing battle and we just say, cool, we’re done, here’s the report and I’ll catch you later.
[00:03:52] Cause it, it’s not worth it. And I think that that’s the, the horror story for the adversary is if it’s a difficult enterprise and they’ve put things in place that they, you know, know they should, it makes it very difficult. And then you just, you know, you just don’t, why, why fish in a pond where there’s no fish? I’d rather go where there’s lots of fish, where I can fish with dynamite.
[00:04:13] Jonathan: Well, let’s, let’s bring this into, like, the horror, sticking with our theme here, you know, from the horror movie perspective, talking with you is kind of like we get the viewpoint of, you are the person out there looking in at the cabin, basically, and you’re waiting and watching for the teenagers who are partying and leaving the door open, and one goes out and says, I’ll be right back.
[00:04:31] Chase: I’ll be right back.
[00:04:34] Jonathan: So what are the things, if we’re going to carry that analogy further, what are some of the things when you get in there that you start looking for? What are the weak points that you’re starting to pressure test first?
Where attackers get started
[00:04:43] Chase: I mean, number one, we’re always going to go after is, we’re always going to go after people because people are, it’s not that they’re the weakest link. It’s just that people have got so much going on and that their ability to kind of continually stay up on the many different ways that you can exploit them is pretty minimal.
[00:04:58] So we’re always going to go after phishing, we’re always going to go after social engineering. We’re always going to go after, you know, USB drops and those types of things. Wireless systems are a red teamer’s best friend. Most people don’t ever think about, you know, you buy a wireless printer nowadays and connect it up to your internet or the network at the office.
[00:05:16] They typically have default settings that talk out to the, you know, world writ large. and I mean, I can Google the common usernames and passwords for Kyocera and HP and all those cats. What’s on your printer network? The same stuff on the rest of your network. You know, you can get through there as well.
[00:05:31] Typically you don’t have to do crazy zero day level type exploits to win. You just go after the low hanging fruit and kind of work your way through the process and you’ll find something along those ways. I can’t recall a single time where I’ve ever been in any space where we even have to do much as far as like crafting exploits. It’s usually off the shelf fire and forget and, you know, target what you’re going to target and something works.
[00:05:58] Jonathan: This is one thing that I’ve noticed with a lot of the coverage and everything. I mean, obviously media is going to react to the big nation state attacks and zero days, and even the things we see where, Oh, there’s a hacker that, you know, hacks self driving cars and things like that. You know, it’s… and now AI, of course.
[00:06:15] But when you see the actual incidents that are coming through, and you talk to pen testers, I mean, a lot of it is, it’s just the basics, right? It’s the bread and butter stuff.
“Social engineering, phishing and credential management [have been the] number one, two and three, exploit vectors for the last 10 years in a row.”
[00:06:23] Chase: I mean, there’s a reason that the Verizon DBIR, the Mandiant Entrants have had social engineering, phishing and credential management as the number one, two and three, exploit vectors for the last 10 years in a row. It’s because it works. So you know, I’m a data geek. I live, eat, sleep and breathe data.
[00:06:38] And if I look at the trends and it’s the same stuff for a decade, probably a good place to start focusing my controls around.
[00:06:46] Jonathan: If you’re watching horror movies, you know, you’ve got the classic, the almost cliche things, right? Like, you’re screaming at the person. Don’t go down in the basement. You’re an idiot. What are you doing? You’re probably doing the same thing.
[00:06:58] Don’t pick up that USB drive. Best practices out there, you’d think that’d be common knowledge by now. Don’t use those things. It’s still super effective.
[00:07:05] Chase: Still super effective. You know, it’s funny cause I’ve been back and forth with people about the efficacy of phishing training, whatever else, and social engineering. I had a guy that runs a company that does that. And I said, I’ll bet you my year’s salary that you can line up on a line of some guys on a test the day after you do training and we’ll get access. He wouldn’t take the bet. To me, that speaks volumes.
[00:07:29] Jonathan: So let’s talk about a little, dive into more of what a horror story looks like for you. In that perspective, the red teaming, the adversary perspective. Do you have a particular incident that you were involved in where you got in and it really started making your day a bad day as an adversary or as a red teamer?
A bad day for bad actors
[00:07:45] Chase: Yeah, I mean, we did a red team test on a government provider and the thing was we got in really easy, but once we got in there was nowhere to go. And it was one of those ones where everybody just kind of sat around the table looking at each other like, okay, now what? And, you know, we tried and poked around and we realized that we were giving ourselves away, which you don’t ever want to do.
[00:08:06] You know, we know whether we were setting off alarms and the folks on the other side of the wall that were doing the blue team side. I mean, we could hear them kind of giggling and laughing at us. And it was like, all right, you know, number one, the pride is getting hurt. Number two, I got other things to do.
[00:08:21] So we just wound up packing our bags and leaving and saying, you know, push the chess boards off the board like you guys won.
[00:08:28] Jonathan: Are there specific things then that you would recommend? It sounds like you’re talking about segmentation, taking out, you know, doing least privilege, things like that.
[00:08:38] Chase: Least privilege access, segmentation, browser isolation. Training is good because it does help, but it’s not a technical control. You know, removing application accesses, removing people’s ability to be admin on machines. All the stuff that we’ve written about in the best practices for 20 years that people still go, well, I wonder if we should do this.
[00:08:58] Like, no, it’s, it’s called a best practice for a reason. It’s not because somebody woke up and was like, how can I just, you know, put things on a piece of paper? It’s a best practice because it’s a practice that’s best.
[00:09:09] Jonathan: You’re coming from that red team mentality. So you do have the things where obviously you want to succeed and have useful things that you can be sharing. You want to be able to hack into systems, identify weak points. You want to be able to actually pwn systems.
[00:09:21] But at the end of the day, you want to do that because you want to be able to educate and help these folks improve. And so let’s turn it around a little bit and what are some of the horror stories you’ve seen in terms of here’s an engagement where you’ve, or where you’re consulting or you’re doing red teaming, you’ve come in and you’ve seen something where, wow, this is a real, this is a true nightmare. These guys have so much to fix.
A trip down memory lane
[00:09:47] Chase: Well, one of the biggest ones was a pretty large enterprise organization that had, their, I guess you’d call it their crown jewels on a data center that was on site, like internal to the building. And of course they had other stuff outside of it, but, it was supposedly a secure facility. But it wasn’t. I, after actually at happy hour time, I went to a bar down the street and I just found some random person there and I was like, look, man, I’ll give you a hundred bucks if you come with me right now. And we worked our way past the, you know, the, the people at the front door and everywhere else. And we’d sent the CEO and board pictures of us chilling out in the data center inside of the building.
[00:10:22] And it took, I don’t know, 35, 40 minutes to do that and get there. So it was one of those ones of going like, you know, here we are. I mean, this is your data center. Like we can switch network cables if we want to.
[00:10:35] Jonathan: And that must be terrifying for, leadership of an org to hear because it’s also one of those things where that’s not going to get solved by just buying the next tool that’s recommended on G2, right?
[00:10:46] Chase: Yeah, it’s not going to be something that’s solved very easily. And the interesting thing was just the fact that they’ve put so much kind of faith in the basic, simple physical controls when it doesn’t take much to get past that. If you can throw in some urgency or you can make people a little uncomfortable, it’s amazing what they’ll allow to happen.
[00:11:06] I think the one that I saw online that was one of the best was a lady calling to get somebody’s password. She had a recording of a baby crying and nobody likes to hear a baby cry and just hearing that the person on the other end was like, Oh, I can understand. You know, you’re stressed. Your baby’s crying here. Let me help you out. And that’s all it took.
[00:11:23] Jonathan: How do you think this has changed your perspective on security in general, through, you know, the past 20 plus years?
[00:11:30] Chase: Yeah, it’s one of those ones where I think people should abandon the idea of perfect security because it doesn’t exist. You know, you think if you’re if you’re postured up and you’ve spent enough money and you’ve got the right things in place that you’re not going to have a breach. The odds of you not having a breach are really, really slim. It’s just a matter of time. That doesn’t mean that you stop trying, but it just means to be aware of when things go wrong, what is your plan, how will you isolate, how will you minimize the damage, how do you move or how do you stop lateral movement, etc. And then also, you know, seeing what I’ve worked with people on ransomware planning, if you’ve never been through a ransomware incident or planned for it, you should because when, you know, the, the ish hits the fan, people will change the way that they work with each other and the last thing that you want is, you know, the boardroom throwing stuff across the, you know, board table because they’re not ready to respond to a ransomware event.
[00:12:23] Jonathan: For a lot of folks, the ultimate horror story that keeps them up at night is the ransomware scenario. I mean, it’s so prevalent now, too, right? And I think when we were talking about it, you brought up the famous, Mike Tyson quote, right?
[00:12:37] Chase: Everybody has a plan until they get punched in the face.
[00:12:38] Jonathan: Exactly.
[00:12:39] Chase: Yeah, I mean, I, it wasn’t one of my folks I worked with, but I was working with some people that were tangentially tied to a major city down south. They had an offer from a vendor that would have secured the systems from the perspective of, you know, basic sort of ransomware controls.
[00:12:56] I think the cost was going to be about $75K and the city leadership said, no, we can’t afford that. And, I think it was about a month, month and a half later, they got hit and the ransom was $15 million. $70K sounds good now, doesn’t it?
[00:13:11] Jonathan: Do you think hearing more stories like that and having the headlines, you know, these things appearing in the headlines, do you think it’s made any kind of impact? I mean, or are we just going to be living these horror stories and seeing people still make the same moves over and over and over again?
[00:13:24] Chase: I mean, apathy is a real thing. There’s people that still, you know, don’t buckle up their seatbelts. There’s people that smoke cigarettes. There’s folks that, you know, swim with sharks. I mean, you can’t fix people. But, hopefully the majority of us can start, you know, moving forward. And I think we’re seeing that there’s some effort and some gravitas to the movement as far as strategic approaches to security that make sense.
[00:13:46] So, you know, I’m, it’s not all doom and gloom, but there are still people that just kind of go like, I don’t think this is applicable to me. Small businesses are usually the worst at it because why would somebody target my business? Well, it’s not you, honestly. It’s the fact that you’re connected to others.
[00:14:03] That’s what we want to get to. You know, you’ve got a contract or you’ve got information or whatever else. And, you know, if it’s, I always ask people when they say, why would I be of value? I say, do you make money from your business? Then it’s valuable.
[00:14:18] Jonathan: Talking about having that attacker perspective, if it’s easy enough, I mean, why not? And then, yeah, you see where you can get to from there.
[00:14:27] Chase: Ransomware is the best retirement plan anybody ever came up with. The top three ransomware groups are making hundreds of millions of dollars a year. So I mean, personally, I think I’m in the wrong organization. I should be retired to some beach in Russia. I don’t know whether there are beaches in Russia, but yeah.
[00:14:42] Jonathan: Well, I mean, you mentioned, I mean, having all that money, I mean, I know, Kevin Beaumont had an article, maybe a couple of years ago about just man, calling the stark, challenge of, okay, now you’ve got these groups with that amount of funding to do things if they wanted to, with exploit, you know, development and purchasing and all that. But as you pointed out, a lot of times they don’t even need to.
[00:15:08] Chase: It’s funny too, because, recently, and this is public knowledge, the drug cartels in Mexico have started transitioning a lot of their ops over to cybercrime because there’s less risk, there’s almost no attribution, the odds of them getting arrested are nearly zero and it’s kind of maximum bang for their buck.
[00:15:23] So they’ve gotten to a point where they, are literally changing their business operations and saying like, we’ll have a unit that does shipping cocaine across the border and we’ll have cybercrime and, you know, we’ll make money on both ends of it because it is very doable and it is commoditized and it is almost guaranteed income.
Do the basics. Apply them intelligently.
[00:15:41] Jonathan: Switching over to maybe not the all doom and gloom, the hope, right? Folks use the phrase imposed cost, and goes back to your concept of, well, if you see someone with a clear security system or locked doors, you know, you’re going to, why, why try to rob that house? We can go down the street and get the one that doesn’t. What are some top things that you could recommend that would help in that regard?
[00:16:08] Chase: The basics and really apply them intelligently. General Greg Touhill is a great friend of mine and a mentor and one of his sayings is if everything is a priority, nothing is. And that’s what I mean to folks to understand is not everything is a priority here. You probably read about it in the media, the news, and it seems like, oh my God, how will I ever keep up with this?
[00:16:26] Look at the trends and the data and the information that tells you where attacks are likely to occur and where they’re likely to be successful and apply controls there. And you’re making yourself a harder target. And to your point, I don’t have to have, you know, 50 cows mounted on my roof and claymores in the driveway.
[00:16:42] If I’ve got a Doberman, it’ll make you think twice, you know. So just doing those things does make stuff valuable. The only other one I would put out there is, don’t rely on humans not to be humans. Like, we’re people, and non security people don’t want to do security things. Your security technology should be pretty close to magic.
[00:17:01] It should just do the thing, and they shouldn’t get wrapped up around it. If your security tech makes people miserable, they will find a way around it because we’re humans. That’s just what we do. So work your way towards that too. And, you know, the only last thing I would say is just it’s okay to tell your people, especially if you’re, you know, doing phishing training or whatever else.
[00:17:20] There are some people that you just have to say like, Look, man, I got to put some additional controls around you because you’re, you’re prone to clicking, bro. Like I don’t know what to tell you, man, but I got to do something about you. And it’s not because I don’t like you and I don’t like your hair color or whatever else, but you’re a risk to my business. And I either put more controls around you or I let you go. Which one do you want?
[00:17:40] Jonathan: You could frame it like, Hey, we’re here to help. You know.
[00:17:42] Chase: That’s, yeah, it’s like, you know, you work for me at this business and I want us to be successful, but there’s a risk here. And I mean, that’s one reason why I would say it’s always good to have data to back it up. Like, look, we did a phishing training simulation last month and out of everyone in the company, you were the one that fell for the same thing twice.
[00:18:00] So it’s again, it’s not, it’s not meant to be, you know, focused on you. It’s just, this is what’s up and I want you to keep working here. But, I’m gonna just, you know, help you be a little bit more secure.
[00:18:12] Jonathan: And going back again to the horror story analogy, you know, you tend to find types of characters and, you tend to see the same ones over and over again. The archetypes of characters in horror movies. Are there types in organizations that you’ve seen that have suffered IT horror stories, particularly security incidents, you know, whether it’s leadership who just aren’t seeing the value and risk analysis and security or anything like that. Any stock characters that you can call out?
[00:18:44] Chase: I would say, usually, the higher up in the C suite you talk to, the worse they are about this whole thing. Like, they’re the people that are, you know, gonna be, that are gonna have the most access, they’re gonna have the most privilege, they’re also gonna have the most data available to them, and they’re gonna be the people that are of the most value, like the whales.
[00:19:00] But those people for some reason, you know, I’m the CEO, I need to have admin access to whatever. Are you the developer? Then no, I’m not giving it to you. You know, oh, I’m a chairman of the board, blah, blah, blah. Like, I’m great, it’s not going to make me any taller or more money, so I’m not going to do this for you.
[00:19:16] Like, there’s those folks that just think that they need to have it because of their title or position. And really all that is doing is introducing risk. And you have to find a way to remove and minimize that risk. And those are usually the worst, as far as just the folks that will fight you tooth and nail.
[00:19:32] The other one that stands out too a lot of times is, and it’s not to knock on them, but it’s just developers are tasked with moving so much stuff so fast. That they have no problem hard coding and embedding things that they know are potentially risky into systems and then shipping it. Because if I’m paid to ship code, baby, we’re shipping code, you know, if it goes sideways on the far end of it, I didn’t realize that that was there.
[00:19:55] I mean, there’s always that, you know, by the time 75 people have contributed one block code, it’s kind of hard to track down who screwed up.
[00:20:03] Jonathan: In your experience, both internally at organizations and also, consulting, red teaming, you know, you deliver your report. Here are your findings, here are recommendations. Do you get to stick around to see how orgs have responded to those? I mean, is that part of the horror story to you of how much people do or don’t react to those things?
[00:20:25] Chase: Yeah, there’s been the orgs that are good about it. And they’ll have you come back and run the same simulation or test again. And they want to see if they fix the holes that you put in front of them. And I’ve had a lot that have done that. And then I’ve also had a lot of them where [they] say, Thank you very much.
[00:20:37] They file it with a compliance report and they get the lawyers off their back and go on about doing what they were doing with total disregard for what we put in front of them. And it’s a sad state of affairs, but it does happen more often than I would like. Just because people will, you know, again, the apathy side of it is I gotta be compliant to do business.
[00:20:54] I gotta have this red team test or this pen test. I did it. Thank you very much. And that’s good enough.
[00:20:59] Jonathan: The checkbox approach, basically.
[00:21:01] Chase: Compliance does not equal security. I remind people that every organization that’s had a breach, had just checked the compliance initiative somewhere.
[00:21:11] Jonathan: Any suggestions for the folks who are there at orgs who are champions of, they want to do the right thing. They want to see their org improve. They may be facing various headwinds. How can they be better champions of security within their organizations?
[00:21:27] Chase: This is where I think we in the security community have done ourselves a bit of a disservice is we’ve made this where it’s such a sexy, cool hacker world with all our crazy acronyms and whatever we need to move away from that and really get to where we’re talking business with people. And that is what resonates.
[00:21:44] And then the other piece, too, is tying it to something that’s actually of value for whoever’s involved. And I don’t mean like value as far as the particular, Oh, it’s going to cost us a million dollars if we get breached. Like, what is the value of what we’re doing for this business that is going to be at risk if we get hit up?
[00:22:02] Is it, we’re going to be down for six weeks, and we’re probably going to go out of business? And, you know, the 35 employees we have here will lose their jobs, plus their families will lose healthcare coverage? Like, being able to really speak to the bigger, higher calling is very useful, too. You know, I work with, I do a lot of pro bono, advisory stuff with, like, old people and, women’s shelters and stuff like that on security controls.
[00:22:26] And it’s funny because they’re usually more willing to try and dive in on security than people that have the job of security controls inside of an organization.
[00:22:36] Jonathan: Well, yeah, that’s interesting. I mean, they’re just more appreciative of the help you think?
[00:22:39] Chase: Oh, well that, and they realized that there’s a value to it. Like if you’re, you know, an older person and you’re living off your retirement and your retirement gets bricked, like that’s a big, bad deal.
[00:22:48] Jonathan: We do see companies make headlines and then you look at the stock price later and it’s like, well, I guess they got off the hook. I mean, there is an element to that too. That’s, that’s hard to kind of shake off.
[00:22:59] Chase: That’s why I think the penalties that we have in the whole system, like all the compliance initiatives and all that, whatever else, like it’s just, it’s comical in nature. I’m honestly, I literally have a hashtag I put out on my podcast about buy the breach because it’s good for companies at the large enterprise level to get breached, stock values do better.
[00:23:17] So, you know, it’s the cost of doing business. If you can survive that initial hit, wait six months and your stock value will be up from where it was. and that. That to me speaks volumes about, you know, how this whole market is set up.
[00:23:29] Jonathan: Man, a lot of the other folks we’ve been talking to and all the audience too, may not be security specialists, right? They’re IT leaders. Of course, a lot of their job involves the actual applying of security controls, and security is top of mind, obviously. But do you have any recommendations for those folks?
[00:23:51] Because what you were saying about security, so much of it can be seen as, well, you do everything right and what’s the result? Nothing happens. And so it’s hard to get the value, really underscore the value of that, right? And I think IT people can feel the same way.
[00:24:06] If they’re doing their jobs right, they’re basically invisible. And they have to actually be more proactive and consciously, intentionally work at, hey, here’s what we’re doing and why it’s valuable to the business.
Showing value
[00:24:18] Chase: Yeah, security is one of those ones where if you’re doing your job right, there is no real outcome. And that’s weird to even say. But, you know, if everything goes perfectly, no one knows what went down. And it’s just, you know, regular business for the sake of business. I think, you know, if you go back and look at the CIA prior to 9/11, no one knows about the thousand times the CIA saved us from bad things.
[00:24:40] Everybody knows about the one screw up. And unfortunately, that’s just kind of the way it goes. So there’s you know, there are ways to translate that, around and sort of thing. I think one thing too that I’ve seen security leadership do that is valuable for them is if your strategy is correct and you’re adapting and improvising and doing the right things, over time you should be able to free up budget instead of continually asking for more and spending more money on things that aren’t actually, you know, doing anything for you.
[00:25:05] Jonathan: Yeah, you never want to be that guy who you walk into the boss’s office and they’re basically like, well, what do you want now? How much money do you want now?
[00:25:11] Chase: Yeah, the days of CISOs getting blank checks are over. I mean, you’ve got to have a strategy now and you’ve got to have a way to get it. And I mean, if I had a nickel for every org I worked with where they had two or three of the same thing solving the same problem, it’s always, there’s plenty of way to free up that money.
[00:25:27] Jonathan: So Chase, any other words you’d want to share for IT leaders, security folks too, heading into this year? Words of advice, words of encouragement, anything you want to share?
[00:25:39] Chase: I mean, I think the words of encouragement I would say is that the space is in a spot where there’s vendors that have capabilities that can help you enable a strategy that will reduce the likelihood of a compromise. Is it going to stop a breach? No, but is it going to likely reduce compromise? And by compromise, I mean continual bad things happening based on access, and you can use those solutions. And if you adopt a strategy that’s based on reality and actually apply the controls where the bad guys are going to meet you.
[00:26:09] You’ll do better on the far end. The caution I would say is that we as the good guys do not own the patent on security tech or security solutions. The adversaries are using those to figure out how to get past it and work ways around it. And AI, whatever you want to call it, ML is only expediting that process. So you’re in an arms race, unfortunately. It’s good because you probably won’t be unemployed, but it’s also, you know, the reality of you’re in an arms race and the race is not over.
[00:26:38] Jonathan: It can be humbling. It can be discouraging, but it’s also like you said, I mean, I think if you, if you really switch your mindset to it, not a bad thing at the end of the day. I mean, it’s just, it’s the job.
Think like an adversary
[00:26:48] Chase: I would also tell people like, don’t be a cyber security black belt. And what I mean by that is if you’ve ever been in anybody that’s been in like martial arts or fighting, there’s always those cats that have got a black belt, but they’ve never actually been in a street fight.
[00:27:00] And the moment they get in a street fight, things go sideways really, really quickly. Go get in a street fight, bring in red teamers, bring in folks that can come at you the way the adversary does and then you’ll see what your posture actually looks like. Because until you’ve tested it, it’s just a really good guess. and that is not where you want to be is a really good guess.
[00:27:18] Jonathan: We’re huge advocates of table topping, not just for security either but with IT operations, you know, how would you handle downtime of any kind of nature? How do you handle the really hairy, unexpected circumstances? We really want to encourage people to sit down with their teams and take time to do those things.
[00:27:38] Also talk with folks like yourself. I mean, that’s part of the mission of this podcast. And also, I’m sure part of the goal, what makes it so important to work with, pen testers and red teamers. You know, bringing in the adversaries who are not true adversaries, to get that pressure tested before the real thing happens.
[00:27:57] Chase: Yeah, test your board too. I mean, I do workshops with folks and I kick the C-suite leadership out of the room. I want to deal with the board and see what they do because I mean. People don’t give enough credence to how much influence and how much activity the board is going to impose upon you when things start going sideways.
[00:28:14] So, test the board. You’re well within your rights to be like, if you’re a board member, I want to throw you in the mix and see how you deal with this.
[00:28:23] Jonathan: If only I could be a fly on the wall for those scenarios, I’m sure people, it’s been interesting to say the least.
[00:28:29] Chase: It gets ugly.
[00:28:33] Jonathan: Cause I’m sure they’re too, they’re probably not used to this, right? They’ve never gone through this experience a lot of times?
[00:28:37] Chase: Yeah, and most of the time what’s interesting is you find that they talk a really big game and they’ve, you know, got all this experience and whatever else, but the moment, you know, they’re staring down the barrel of it, it changes stuff. And stress doesn’t really come into play until stress comes into play.
[00:28:52] When I do scenarios with people, I learn from the military, I like to continually increase your stress and see how that drives your response.
[00:28:59] Jonathan: Well Chase, thank you so much for taking time and giving your unique perspective about what it’s like to deal with an IT scenario that turns into a horror story and how to prevent them. And also, how to prepare to make sure you’re actually ready to handle that stress when the real thing hits. Really appreciate your time.
[00:29:18] Chase: Yeah, thanks for having me. This is fun anytime we get to talk, you know, war stories. I’m always up for it.
Closing
[00:29:24] Jonathan: Thanks for listening to this week’s episode of IT Horror Stories. For even more information and resources on how you can beat IT misery and transform your IT, check out www.NinjaOne.com. Or pop by our IT Leadership Lab community, at www.theitleadershiplab.com. There you can connect with other IT leaders, talk shop, and get access to the latest guides, templates, and documents from other experts in the space.
[00:29:48] Remember, whatever your IT horror story, just know you don’t have to go it alone. That’s all for this week. We’ll be back with more soon. Thanks for listening.
