60. The Brutal Truth Your Cybersecurity Is Probably Worthless - with Adriel Desautels

Justin Shelley (00:00)
Welcome everybody to episode 60 of Unhacked. Cybersecurity made simple, or at least that's the goal, because it isn't really that simple. But we try to break it down for the business owners out there who wear a million hats. And this is hat number 1 million and one. We know you got a lot to do. So we're here week after week to tell you about what makes the most difference with the least amount of money. At least that's the goal. We'll do some quick introductions. I am Justin Shelley, CEO of Phoenix IT Advisors.

I help you build your business and then I protect it from the hackers, usually from Russia. Mario likes to fight the whole world at once. After the hackers, then we've got the government that will come in and fine you if you get breached. And if that's not enough, then the attorneys are going to come and sue you for whatever's left. That's what we're trying to avoid. That's what I do. I work in Texas, Utah and Nevada. And I am here as always with my good friend, Bryan. Bryan, tell everybody who you are, what you do and who you do it for.

Bryan Lachapelle (00:54)
Yeah, Bryan Lachapelle, President and CEO of B4 Networks. I do everything Justin does and also help you get rid of the headaches and frustration that come with dealing with technology. And I also help you sleep better at night.

Justin Shelley (01:06)
Oh shit,

you took Mario's line. Mario, tell everybody who you are, what you're doing, who you do it for.

Bryan Lachapelle (01:10)
You

Mario Zaki (01:14)
Yeah, Mario Zaki, CEO of Mastic IT, located here in beautiful New Jersey. We help small to medium-sized businesses do what these guys do, but we just do it better. And we help you guys just get better every day, 1% at a time. I think that's... Specialized in keeping business owners... have the ability to sleep better at night.

Bryan Lachapelle (01:27)
Hahaha

Mario Zaki (01:43)
You make me mess up my own line now.

Justin Shelley (01:44)
Good. Well, listen, we've,

Adriel Desautels (01:45)
Ha ha ha.

Justin Shelley (01:46)
we've got some inside jokes rolling. Anybody that listens on a regular basis gets it. The rest of you are just out to lunch, don't know what the hell we're talking about. And in that camp lies Adriel Desautels. Got it. And I slaughter your name, Adriel. Thank you for being here today. And I apologize for my co-hosts. Adriel, you have a hell of a story and a hell of a job. So

Adriel Desautels (02:01)
That's all right. Pleasure.

Justin Shelley (02:11)
I don't want to slaughter it. I'm going to introduce basically, as you said, I love the line. You are a good bad guy. Is that right? Or a bad good guy? I don't know which it is, but, but you do the shit that we try to protect against. Correct? Okay.

Adriel Desautels (02:24)
Yeah, yeah, that's our slogan, right? We protect you from people like us.

Justin Shelley (02:28)
Okay, tell me a little bit

about you and your business.

Adriel Desautels (02:32)
Yeah, so I'm the founder and CEO of Netragard. Netragard is an offensive security firm, a services firm, and we deliver a range of things from your entry-level penetration test, or the industry standard, all the way up to your bona fide red team where we're replicating the real threat. So I guess in comparison to what everybody else said, we do sort of the opposite.

Justin Shelley (02:57)
Yeah.

You keep your friends close and your enemies closer, and here you are.

Bryan Lachapelle (03:04)
and he gives

business owners headaches and frustrations.

Justin Shelley (03:06)
Right.

Adriel Desautels (03:06)
We do, but we save them

from the big ones. So we hack you first before the bad guys do, hopefully.

Bryan Lachapelle (03:09)
Right. Yeah.

Justin Shelley (03:11)
Yeah.

Hopefully.

So tell me, you had the line that, you know, as we prep for these, the thing that caught my attention more than anything else is you talked about an ROI, a return on investment, of effective security. Now, usually when we talk about cybersecurity, we are talking about costs where the best case scenario is you light the money on fire and you never see any benefits or results from it because you don't get hacked, right? It's almost like insurance you're paying

Adriel Desautels (03:43)
Yeah.

Justin Shelley (03:43)
to hopefully not experience it. Talk about ROI. This is interesting.

Adriel Desautels (03:47)
Yeah, so the return on investment of effective security, not good security per se, but effective security, is equal to the cost and damages of a single breach, and that number keeps on going up. So I think last year, I think it was IBM said it was something along the lines of $4.8 million, right? So if you're thinking in the context of just like a $40,000 penetration test, for example, it's about a 12,000% ROI. But people don't think about security in terms of ROI, they think about it in terms of

what can I spend the least amount of money on that's gonna protect me? And what ends up happening is they end up buying stuff that makes them feel good or that maybe creates a false sense of security. Then when they get breached, they can add the cost of all of that to the cost and damages because it wasn't effective. It's pretty substantial.

Justin Shelley (04:33)
Yeah. No, that's a good point.

Very good point. Bryan, Mario, have you ever, can you talk with your clients, your prospects, about the ROI on the cybersecurity services that you sell?

Bryan Lachapelle (04:47)
Not particularly ROI specifically, like a percentage, but we do talk about what risks they have, what risks they're willing to bear, what the ramifications on their business and their outcomes would look like if they got breached, and then present our solution as here's what we would do to mitigate the areas of risk you have. And in most cases, they usually take that and run with it. But we've never actually showed, like if you got a breach, it would be a million dollars.

and our services are X per month. And so it's, 5,000%, you know, ROI. We've never done that, but it's an intriguing way of looking at it.

Adriel Desautels (05:17)
Yeah.

Justin Shelley (05:21)
Mario, what do think?

Adriel Desautels (05:21)
Yeah.

Mario Zaki (05:22)
No,

not really. Like, nothing, like pretty much exactly what Bryan said. Occasionally, sometimes we will talk about like stuff that we've mentioned earlier, like the investment of putting in, you know, technology, faster computers and stuff like that. You'll get like better production out of your employees. That's pretty much the extent of the conversation we've had, but nothing to actually show there's a return on the investment.

Justin Shelley (05:50)
And here's another question, because the reason we don't talk about this, I believe, is because there's an element of uncertainty to it. Right? So I'm going to say, you're going to spend this much money to prevent a possibility. Right? A true ROI is a guarantee. Like this is a benefit or it's a cost. It's hard. You can quantify it, but in cybersecurity, there's that element of what if. Now let me frame that a different way.

Adriel Desautels (06:16)
you

Justin Shelley (06:16)
Let's say

that I, as a small business owner, don't invest any time, any money, or any energy, effort, internal effort, culture, whatever we want to call it on cybersecurity. What is the likelihood that I'm going to get breached in the course of doing business?

Adriel Desautels (06:30)
100%.

Bryan Lachapelle (06:31)
100%.

Justin Shelley (06:32)
100%. So maybe, then, as we, each episode I learn something new and I come out with a new thing that I probably need to be doing with my clients and prospects, selling this, evangelizing this message. Maybe we need to flip the dialogue a little bit because it is a hundred percent. In fact, right now, any of us can go to any of our clients, pull the logs on their firewall and show that they are currently, right now, being attacked, right? By foreign countries, by...

Mario Zaki (06:33)
100%.

Justin Shelley (06:59)
state-sponsored shit, like it's happening right now, all day long, every day. Yeah, a hundred percent. All right. Listen, Mario, if we're going to do this out, I'll do it out. The only time, thank the gods, the only time I ever dealt with an actual breach where I was hand-to-hand combat was the Russians. So I'm always going to have a soft spot in my heart for my Russian competitors. That is who I fight.

Bryan Lachapelle (07:03)
Yeah.

Mario Zaki (07:06)
Not just from Russia.

Adriel Desautels (07:11)
Ha

Mario Zaki (07:21)
the

Adriel Desautels (07:23)
Hahaha!

Justin Shelley (07:28)
All right, so let's talk a little bit, Adriel, about what got you into this line of work, because this is, I don't know, it's intriguing. I love it. I love watching the behind-the-scenes stuff of ethical hackers or whatever we want to call it. A lot of times this is a bad guy turned a good guy. Is that your case? Okay, okay, but I know, I know, episode over. Can you make up a story, please?

Adriel Desautels (07:48)
No, not at all. Yeah.

Mario Zaki (07:50)
Well that's not fun.

Adriel Desautels (07:52)
Trust me, it gets interesting though. I

Mario Zaki (07:53)
Cut.

Adriel Desautels (07:57)
could.

Justin Shelley (07:58)
Jesus.

Bryan Lachapelle (07:59)
haha

Adriel Desautels (07:59)
But I got some good ones. You know, because a lot of the times when you do what we do, the ethics behind what you do are not fully understood. Like for ourselves, for example, right? We were involved in effectively brokering, creating and selling cyber weaponry.

Justin Shelley (08:11)
Hmm.

Adriel Desautels (08:19)
This weaponry can be dual use. It can, if you're an oppressive regime, you could use it to quash reporters or go after families. Or if you're law enforcement, you could use it to combat human trafficking and child pornography. So that's something that I actually was very heavily involved in. People called me everything from a Dwee-vish mercenary to, you know, the God of War. You know, I mean, they said all kinds of things because it is sort of a dual use thing.

So I guess I can get pretty dark, but I've always kept the ethics about me. I've always believed in being able to look at myself in the mirror and think I'm a good person. So yeah, so I'm the kind of guy, if you tell me I can't do something, I'm gonna say watch me. Just my personality. And so my dad picked up a Tandy 1000 way back when, and he told me I couldn't touch it. And I, you know,

Justin Shelley (08:57)
So tell me how you got into this line of work.

Adriel Desautels (09:18)
that just made me want to touch it. So I started playing with that, started learning BASIC, and then down the road he got a modulator-demodulator, a modem. So I realized I could dial random numbers and connect to other computers. And then when I was curious, I eventually learned I could look around. Then we finally had ISPs and the whole thing just kind of grew. And my curiosity just grew. I just wanted to know everything that I could know, I guess. I don't know.

Justin Shelley (09:26)
yeah.

Adriel Desautels (09:47)
Early on, I realized that there was a need for people that would do what the bad guys do, like really do it, to help people understand how they're gonna get breached. So you can give them sort of a good recipe for defense, right? Because, I mean, you can try to protect yourself against the bad guys, but if you don't know how they're going to attack you,

even if you look at like industry norms, you don't know how to protect yourself, right? And so I thought, all right, this is something we can do. And so we started doing this in the late 90s along with some of the cyber weapon stuff that we did at my first company. And it just kind of turned into a real industry. And now here we are.

Justin Shelley (10:38)
Bryan, Mario, got any thoughts or origin stories you want to share?

Mario Zaki (10:40)
So you

said if we tell you something that you can't do it, you'll say, well, watch me, right? So I don't think you can take down our competitors. I don't think you can do it.

Bryan Lachapelle (10:45)
Let's take it the same.

Mario Zaki (10:53)
the

Bryan Lachapelle (10:55)
I was just going to tell him he can't sign over his company to me and now he's going to have to do

Justin Shelley (10:55)
Hello.

Bryan Lachapelle (11:01)
it. I guess maybe one of the, I don't know if we've gotten to this point yet, but I'm curious, like what do most businesses still get wrong when either hiring a security expert like us or an internal person, like what are they still not doing right?

Adriel Desautels (11:18)
Yeah, so do you want me to give you the really candid blunt answer?

Bryan Lachapelle (11:21)
Well,

Justin Shelley (11:22)
Yes.

Bryan Lachapelle (11:22)
I think

the people that are watching will absolutely want the blunt answer.

Adriel Desautels (11:25)
Yeah,

they're going about it entirely wrong. So the industry that is responsible for building technology that defends other businesses is fully aware of the industry that's responsible for testing defenses and being offensive, right, in most cases. So what you end up with is sort of a self-defeating situation. You end up with businesses that are trying to protect themselves

and they're listening to what most of the technology vendors market and advertise and promise. And they buy their technology, then they deploy their technology. Then they go to another business that does the testing to determine if something actually works properly, right? And they use commercial off-the-shelf tools that these defensive technologies are already aware of. So these companies pass with flying colors and they end up, yeah, you're safe. Not gonna get... nobody got in, didn't find anything.

but it's because the defensive tools neutralize the offensive tools, right? Then you get people like us, or the bad guys for that matter. And we don't use commercial tools. We build our own. We come up with our own methodology. It's just like the bad guys do, right? And just look, again, walk right in the front door. And people ask us why that happens. How is it that we get past stuff? Well, it's because we're not using things that these technologies are aware of. Now, you take it even a step farther, you know,

And it's not to say that these technologies aren't useful, because they're absolutely useful. I definitely think people should take these things seriously. They should deploy them, but they're never going to be as good as they're advertised to be, in part because they only know what they know. And the threat actors always define the new threat, right? So there's sort of that thing going on. Then the other thing, and I think a really big mistake I kind of talked about earlier,

people build their defenses without first understanding how a threat is going to potentially align with and exploit their risks. So it reminds me of the Maginot Line in France, a big fortified line where they were trying to keep the Nazis out of France. They just walked right around it. And it was because they built their defenses without really thinking about what the threat was going to do. And that happens all the time. Honestly, most of the breaches that we see,

when I hear the stories about how things were breached, I'm like, if only somebody had actually tested you, if only you'd been exposed to a real threat, then you could have used this technology more effectively. I mean, case in point, not to harp on Equifax, but when Equifax was breached, it was an Apache Struts vulnerability that was exploited. Hackers hit a web server, they got in, they began scanning the network, found other targets, all of our data got stolen, right? If they had had a real test,

And they knew this was a vulnerable system, but if they had had a real test and experienced somebody actually breaching, they could have done something as simple as deploy HoneyPy, just an open source honeypot, behind that and prevented the entire breach. Not even fix the Struts vulnerability, just prevent the breach. Not the breach actually, I should say damages, right? Because the breach doesn't matter, damages matter.

Justin Shelley (14:37)
Great.

Mario Zaki (14:38)
Mm.

Justin Shelley (14:38)
Tell me, Adriel, for our audience, talk about a honeypot. What is that, in normal-people language?

Bryan Lachapelle (14:38)
Right.

Bryan Lachapelle (14:44)
Yeah

Adriel Desautels (14:44)
Yeah, so it's a computer system or device that sits on a network and does absolutely nothing. It literally sits there and does nothing. It runs, offers services, and it might look appealing to an attacker. The instant somebody communicates with that system, it just goes berserk and sends alerts and says, oh my God, somebody is touching me.

And you know that that event is going to be something you really have to pay attention to because there's no legitimate reason for that system to ever be touched. And when you're breaching an infrastructure, I mean, these are honestly, honeypots are our biggest pain when we're in an infrastructure. When you're breaching an infrastructure and you begin to do discovery and you find that there's a honeypot there, you don't know that there's honeypots until after you hit the honeypot. So yeah.

Mario Zaki (15:35)
Mm.

Adriel Desautels (15:38)
They're great.

Justin Shelley (15:39)
Kind of like landmines for the bad guys.

Bryan Lachapelle (15:39)
Mark. Yeah.

Adriel Desautels (15:41)
That's actually exactly what they are, and they really suck.

Mario Zaki (15:45)
The front

line, yeah, front line pretty much defense.

Adriel Desautels (15:49)
Yep. Yeah. Honeypots, and there's the same thing like tokens, files that you can deploy that are similar. Honestly, of all the things you run across, those are the things that give us the biggest trouble.

Justin Shelley (16:03)
Yeah.

So tell me, you mentioned that early on, was it your first one? You had discovered a SQL injection, right? So first I'm going to ask you to talk about what a SQL injection is, and then tell us what you found and why that mattered and how it kind of shaped your business.

Adriel Desautels (16:13)
Mm-hmm. Yeah.

Sure, so an easy way to describe SQL injection. You have a web application that interacts with a SQL database, or a Microsoft SQL database, whatever it is in the backend. In this case, it was Microsoft SQL. Databases accept all sorts of commands. So if you're working with a database, you can create your query strings. You can ask it for any kind of data. You can do whatever.

Web applications have a predefined set of commands that they'll send to the database to extract very specific information. And the users of applications are typically, and they're supposed to be, restricted by what the actual application allows them to view and access. So in the case of a bank, you have a database, you might be able to do something like dump passwords or extract hashes, or back in the day, there was xp_cmdshell, which enabled you to actually run commands as if you had a shell

on the system. So what we ended up finding was a vulnerability in a web application. This is actually how Netragard came into play, because the person who became our customer couldn't find a vendor that would deliver what he called a real test. They were doing the typical thing, which is, you do the offensive testing, the technology already knows that you're there and it defeats it, right? So they challenged us and pushed us and assisted.

We did a test for them. And I think it was something like four minutes' time we took the domain. And we took their domain because the application had a blind SQL injection vulnerability, which is slightly different. You discover it through sort of timing tests. But it had a blind SQL injection vulnerability that sat behind some kind of defensive technology. I can't remember what it was. It was a while ago. And we thought, well, you know, to get past this technology and to...

exploit whatever is here, let's try writing our entire payload backwards and wrapping it in reverse, which is just bizarre. There's even a reverse function there. So we did. And we got a shell. And the shell that we got was with system privileges. And it turns out that we were also domain admin. And that was really common back in the day. Everybody ran everything as system. So yeah. And so that's how we kind of came to be. They started talking about us, and people kept on coming.

Justin Shelley (18:30)
Bye.

Yeah, yeah.

Bryan Lachapelle (18:42)
Excellent.

Justin Shelley (18:44)
Bryan, Mario, have you ever come across a SQL injection attack?

Bryan Lachapelle (18:48)
Not personally, we don't deal with a lot of web applications with our clients.

Mario Zaki (18:48)
Not for a while,

Adriel Desautels (18:50)
Right?

Mario Zaki (18:54)
Yes,

same here.

Justin Shelley (18:57)
All right. Yeah.

Mario Zaki (18:58)
We leave it to the experts. We don't like touching it.

Adriel Desautels (19:02)
We'll find it, we don't fix it.

Justin Shelley (19:06)
So was that, if I remember right, wasn't that your first client with your current company?

Adriel Desautels (19:09)
Yeah,

yeah, so this was a customer from my prior company, SNOsoft, that came to us because they knew that we could hack shit, right? And like I said, they couldn't find another vendor. And so we actually incorporated Netragard so we could get the contract set and all that and do this work for them. But yeah, they were the first one and they were so impressed by what we did that they talked about it. Other people kept on coming.

Justin Shelley (19:20)
Yeah, yeah.

Adriel Desautels (19:39)
And I remember actually they asked, you know, why is it that other vendors, other people we've worked with, haven't found these vulnerabilities? And my answer was straightforward: they're using commercial off-the-shelf tools. These tools are using known methods of testing and scanning and probing. And your defenses know these things are coming in and they're blocking them, right? They're defeating them. We didn't do that. We actually came in and we manually looked at things, because that's what we do. We're researchers, right? So we look at things and we say, this looks interesting. Let's try wrapping this thing backwards in reverse, you know?

Bryan Lachapelle (19:56)
Right.

Adriel Desautels (20:09)
And that's the same thing that happens to bad guys.

Bryan Lachapelle (20:11)
So that brings up a really great

point. These vendors probably made sure their systems were compliant, right? And so when we talk about putting things in place and we're compliant with the rules and regulations, there's a big difference between that and being secure. So what is the difference between compliant and being secure?

Adriel Desautels (20:27)
Yeah.

Boy, so prior to 2003, 2004, when PCI DSS became a thing, penetration testing meant that you emulated what the bad guys do and you tested people just like the bad guys, so people could protect themselves against that threat and prevent a data breach. When MasterCard and Visa got together and created PCI DSS, they said, everybody has to have a pen test.

but they failed to define what that entailed and what that meant and what the objective was at a really low level. It was more of a bureaucratic thing, but it was mandated. If you wanted to do any kind of financial stuff, it was mandated. So what ended up happening around 2004, 2005, businesses just started popping up left and right that offered penetration testing services, right?

But they weren't, these were, right? Exactly. They were offering vulnerability scans using something like Nessus. Yeah, exactly. And they were masquerading these things as penetration tests. And then, you know, people started saying, well, you need to get a manual penetration test because these scans just don't work. And plus there has to be some kind of differentiator. And they all said, all right, cool, we'll do a manual test: run the scan, manually verify the results and then call that a test. Right?

Justin Shelley (21:27)
You mean?

Port scanners. Yeah.

Bryan Lachapelle (21:53)
Yeah.

Adriel Desautels (21:54)
So

that's compliance. So that's the difference. It's like testing the body armor with a squirt gun or with five rounds.

Bryan Lachapelle (22:02)
Yeah,

it reminds me of the fact, because we've talked about this a lot, that in order to be an IT provider, you need nothing. You could literally get a business license in whatever state, city, province, country, pick one of the above. And you can say, I'm an IT guy, and I can do your cybersecurity. There's no requirement for anything legally or certification-wise. So yeah, compliant is checking the box.

Secure is actually being secure.

Adriel Desautels (22:32)
Yeah, and what ends up happening is, you know, people will talk about compliance and they want compliance and they look for the cheapest possible solution because they think that compliance is going to protect them or frankly, they might not care about security, but they need compliance to operate, right? One of my favorite quotes was the former CEO of Target, Greg Steinhafel.

He said something to the effect of, I don't get it. We were just certified as being PCI compliant. We suffered a breach anyway, right? That quote is the embodiment of all of this. And when you see people breached, when you see organizations get breached, conceptually, they made the same mistake, right? You got to take it seriously. You got to do the real thing.

Mario Zaki (23:16)
So

I have a question for you. So when you do find like a vulnerability or something, like for example, you know, Microsoft SQL, what do you do? Do you contact like Microsoft and submit this to them? I mean, Microsoft probably is open to it, but what about some other vendors? Do they ever try to like really push back at you for anything?

Adriel Desautels (23:34)
Yeah.

So there's a lot of ways to answer that. So back in 2000, jeez, '98, 2001, sometime around then, with my first company, we did some research, vulnerability research and exploit development, actually against HP's Tru64. We targeted Tru64 because it was a different architecture. And at the time they were talking about how absolutely secure this thing was. I believe they said it was a C-level something or other, right?

We found, I don't remember how many vulnerabilities, I remember like 70, 76, and I remember most of them were remote, they'd exploit and give us a root shell, whatever. So we made it a point to contact HP and we said, hey, look, we don't want money for this, we don't want anything, we just wanna make you aware of this, right? We wanna tell you about these vulnerabilities so you can fix them. They said, oh, sure, great, thank you.

And then they sent us this threatening letter in the mail afterwards saying we violated the Computer Crime Act of 1984 or whatever it was. So we contacted them again, we said, we didn't really violate anything, we just found these flaws in the system that you said was really secure and it isn't, and we wanted to help you, right? And they said, sorry, just big misunderstanding, right? Then they sent us a threat for the DMCA saying we violated the DMCA and we're gonna come after you and do this and that. And it dawned on us at that point, they're just trying to quash our research.

So we made it a point to contact the EFF. We knew a person out of the EFF, Jennifer Granick, who's absolutely awesome. And we made it a point also to let the media know what was going on. That turned into a big shit storm really fast for them. And we never got sued or anything. And that instance actually is one of the instances that helped to forge what was then known as responsible disclosure, believe it or not.

Adriel Desautels (25:36)
And the whole concept of responsible disclosure was something that I was really standing behind for a while. And then I did an about-face when I had a realization that I wasn't protecting people. I was actually putting them at more risk. And that's something a lot of people have a hard time understanding, but it's actually simple. When you notify people of vulnerabilities in their systems, or you publish information about a vulnerability, ideally people are going to take that seriously and fix their systems.

Right? In reality, ideally, right? In reality, that doesn't happen. In reality, when you publish a new vulnerability, the threat actors pick it up real fast. And they'll write an exploit or, you know, they'll turn that into something that they can monetize real quick. And it's going to be faster than you can patch your networks. Right? You know, so really what we end up doing is we end up giving the bad guys this window in which they can breach people really quickly.

Mario Zaki (26:07)
Ideally.

Justin Shelley (26:17)
Yeah.

Adriel Desautels (26:34)
and other people don't have time to react. And the defensive solutions aren't even up to par yet, maybe, on how the attack works. Then there's this whole concept of, I guess, silent disclosure, which is when you quietly send something to the vendor and they fix it, theoretically. So we had instances, I don't want to call anybody out for this, but we had instances where we found a pretty critical vulnerability actually in one system. It was fully exploitable. We provided the exploit, it was all quiet.

It took them six years to patch this thing, six years. And there's no reason for that. And then the other issue with this too is, like you look at Microsoft Patch Tuesday, or Patch Tuesday, when Patch Tuesday happens, teams like mine will take that, reverse engineer that, find out how to exploit the vulnerabilities that were in that, and you get more tools and you can hack more stuff.

Justin Shelley (27:04)
Good lord.

No.

Bryan Lachapelle (27:09)
Wow.

Justin Shelley (27:30)
So, nice,

Mario Zaki (27:32)
That's

Justin Shelley (27:32)
nice.

Adriel Desautels (27:33)
So...

Mario Zaki (27:33)
what I was gonna say. Doesn't Microsoft pretty much do this on a weekly basis? They pretty much announce, like, okay, we found this or discovered this and we fixed it. And, you know, then the bad guys are probably the only ones that actually read it, you know, and then they're using it to their advantage, because you're not gonna patch millions of computers.

Adriel Desautels (27:43)
Yeah.

Yeah, and that's, yeah.

No, I mean,

that's why we always get in with our engagements, because we operate just like that, right? I mean, so the industry that's protecting people, they're not really protecting people, you know? And the solutions like anti-virus solutions, what they used to be called, if they really worked, there'd be no malware, right? If intrusion prevention solutions actually worked, there'd be no intrusions. These things don't work perfectly.

They work to a degree, and their value just working to a degree makes them something you need, but they're not absolute solutions, right? So the real issue and the real thing that people have to do is they have to understand there is never going to be a point where their infrastructure is impervious, breach-proof, right? Ever. There's always a way in. You could fix your network today, 100% patched, no vulnerabilities, no zero days, nothing. Tomorrow, I'm gonna find something new.

Bryan Lachapelle (28:30)
Right.

Justin Shelley (28:41)
Great. Yeah.

Bryan Lachapelle (28:43)
Right.

Adriel Desautels (28:51)
and I'm gonna write an exploit and I'm gonna get in. But what you can do, if you work with somebody and they breach you like the bad guys will, you can understand how they're going to make their way through your network, how they're going to access things, what their behavior is, and then you can put down those little landmines and booby traps and you can build your security around how they're most likely to operate. So it's not a matter of preventing breaches, it's a matter of being sensitive enough to pick up

Bryan Lachapelle (28:51)
Yeah.

Adriel Desautels (29:20)
the activity and then respond before damage is realized.

Bryan Lachapelle (29:23)
Yeah, that brings up

a quote that I remember. There are two types of companies: those who have been hacked and those who don't know they've been hacked. And so, one of the questions we were going to ask is, why should every business assume they've already been breached? And this is, I mean, you've already answered this. If you assume that you've been breached already, you can set up your systems in a way that will notify you of the activity that is being generated when somebody is in your network,

Adriel Desautels (29:32)
Yep.

they have.

Bryan Lachapelle (29:51)
to notify you that somebody's there so that you can then take action and get them out.

Adriel Desautels (29:55)
Yeah, absolutely. Yeah,

I mean, there's a funny statistic, not funny, but funny, I guess, in the recent Verizon data breach incident report. What they said, and the way they framed it was kind of crafty, what they said was, you know, the time to notification of breaches is shrinking, like when people actually realize that they've been breached, that window is shrinking. And then they wanted to say, but that's not because people are getting better at it. It's just because ransomware threat actors are demanding ransomware sooner.

So it's not that they detect these breaches, it's that the threat actors are saying, okay, we want our money now. And I can tell you from firsthand experience, a lot of people will go through that whole process. They'll suffer ransomware breaches, pay or not pay, whatever, and they think they're fine. They may even have some third party clean out the network and think they got the bad guys out. Next year, they're still in the network, and they have no idea. And again, you can't detect what you don't know.

Justin Shelley (30:25)
You

Adriel Desautels (30:52)
Right, like we have our own framework that we use for doing red team engagements. That's a fairly advanced C2 framework. You can't see our technology with commercial defensive technology. You can't see it because it doesn't know how it works, right? So yeah, it's... you're gonna be breached. If you have been breached, you probably won't know it unless your technology picks up on something behavioral, you know, or, you know, you get lucky.

And a part of being covert in these breaches too is you become your target as quickly as possible. If you know somebody is a security admin or a sysadmin, you take their credentials, you work as them, you authenticate like them, and if you don't do anything that they wouldn't normally do, per se, you're not gonna trip any alarms. You can take the entire business. Yeah, so it's living off the land. I mean, it's amazing how unfair it is, right?

Justin Shelley (31:43)
Yeah.

Bryan Lachapelle (31:44)
Good point.

Adriel Desautels (31:52)
As the guys that define the threat, right? The good guys, I should say. We're the good guys. As the guys that define the threat, we don't have to get it right every time. We can try it many times and get it right once, right? As the guys that are defending, you have to get it right every single time. And that's not possible because, I mean, even the security technology you deploy, like imagine the number of firewalls.

Justin Shelley (32:04)
Right.

Bryan Lachapelle (32:11)
every single time.

Adriel Desautels (32:19)
even those things have exploitable vulnerabilities in them, but you don't know that. So you're doing everything you can do to protect things. You're doing your job, right? There's a shit ton of value in that, but then there's this one other thing that nobody knows about and everybody's vulnerable to it. So yeah, I think that shift in mindset: try to prevent breaches, but it's more about damage prevention. It's really about damage prevention.

Mario Zaki (32:44)
Now, what about remote management software, RMMs? There's at least a dozen out there, probably more, but what about those? Do you... Those are things that are out of most people's control, out of most MSPs' control. And unfortunately, sometimes when they find out, it's too late.

Adriel Desautels (32:56)
Ahem.

Mario Zaki (33:12)
Have you done any work with stuff like that and, you know, recommendations, you know, best practice?

Adriel Desautels (33:17)
Yeah, I mean,

yeah, tangentially, I suppose, and maybe in some cases, directly. When we're doing our work, we don't think about specific technologies, but we think instead about how to leverage what's available. So if we come across technology that allows us, and it's within scope, to, say, access a wide range of different targets from a single point, we're gonna leverage that. I think the way to think about it though is,

If you're going to be using any kind of remote management software from a centralized point, do the best that you can do to protect that centralized point. And back to the honeypot thing, you can actually set up honeypots in that, because you can set up domains that trigger when they're accessed, right? So you could do something like populate a profile or something with some kind of token that's designed to trigger when somebody touches it. And then when somebody goes in and touches that, you know they're not supposed to, because there's no reason to touch that.

Justin Shelley (34:00)
you

Adriel Desautels (34:15)
So there are different things that you can do there. And if you can pick that up when it's touched, hopefully you can prevent a breach from becoming catastrophic. But something I talked about, this might have been back in the 90s, but convenience is the antithesis. It's the opposite of good security. Here we are in the world trying to make everything convenient and easy. Critical infrastructure is a key point. We have these systems that were designed in the 40s, 50s, 60s, 70s,

Justin Shelley (34:35)
Yep.

Adriel Desautels (34:44)
these antiquated systems that control critical infrastructure, power, water, all that. Somebody decided one day that they should put these things online because it's easy. Well, I mean, that was a really bad idea. So when you think about remote management software or automation software, it's not necessarily stuff that we're going to look for unless there's some reason to look for it. But if we find it, yeah, we're going to use it.

Justin Shelley (34:49)
Mm-hmm.

Yeah.

Bryan Lachapelle (34:57)
Whoops.

Adriel Desautels (35:14)
So it's definitely stuff that has to be protected. I mean, and the unfortunate reality is, though, businesses like yours and others need that kind of technology to operate, and your customers need to have that kind of technology to operate. So again, attackers have the upper hand, because we're gonna use whatever you use to our advantage. It's just, we don't have the same ethical, well, not we, but the bad guys don't have the same ethical basis as the people on the defensive side of things have. Yeah, so.

Justin Shelley (35:44)
So, Adriel, I'm sitting here and I've got my business owner hat on, because we are. I live in the world of cybersecurity, so I understand this stuff. I can at least sit through this conversation and hear and process what you're talking about. But if I switch hats to my clients, the people that we do business with, not only am I lost, I'm depressed, I'm confused, I'm scared. And what I'm hearing is we're fucked and there's nothing we can do about it.

Adriel Desautels (36:03)
Yeah.

Ha ha ha ha ha!

Justin Shelley (36:14)
Flip that script for me.

Adriel Desautels (36:16)
Yeah, so the first thing is to realize that you're fucked, but there is something you can do about it, right? So you don't have to have perfect security. And the reason people tend to think that they're totally screwed when they hear me talk about stuff like this is because they think, well, how do I keep people out? How do I prevent them from getting in? But again, it's not worrying about that. You don't have to worry about that. You have to take advantage of what the attacker doesn't know. The attacker doesn't know the inside

Justin Shelley (36:20)
Okay.

Adriel Desautels (36:44)
infrastructure, doesn't know how you lay things out, doesn't know where sensitive information is, doesn't know anything about your internal infrastructure unless they have inside help, and even then they probably have limited knowledge, right? So what you can do to defend your network is you can set things up in such a way that they're enticing, but the things that are enticing are not the things that the attacker actually wants to go after, it's just things that they think they want to go after, right?

So you can take advantage of, again, honeypots, canary tokens, whatever they might be, right? But you can also deploy different technologies to monitor behavior, right? You know that somebody is not supposed to do X, Y, and Z in this particular area, so you set up technology to monitor that. So there are different things that you can do to detect the motion and the behavior and the access. And it's not, again, it's not prevention, but it's really early detection.

Right, because you might not detect the breach. You might not even detect the use of malware, the deployment of malware, but you can definitely detect anomalies and strange behavior and strange access. And that's hugely effective.

Bryan Lachapelle (37:52)
Mm-hmm.

Justin Shelley (37:52)
Perfect.

All right. So guys, we're going to, again, as the overwhelmed layman business owner listening to this, my head's about to blow up. I think there's good stuff here. I want to sign off, though, with the message of hope. So Adriel, thank you for that. Brian and Mario, in that order, talk about, like, based on what we've learned today, as a business owner, what actions do we need to take to fight this

Adriel Desautels (38:01)
you

Justin Shelley (38:22)
overwhelming thing? And I mean, like you said, Adriel, they've got the upper hand. How do we, how do we attack this, Brian? What are your thoughts?

Bryan Lachapelle (38:29)
Well, a couple of things that I picked up today, and I'm actually already in the process of thinking about how to make some changes internally: we put all the defensive systems in place, and we have some tools and systems that do have honeypot-ish things in them, but we don't have actual honeypots throughout our clients' networks. And that might be a...

a good takeaway for me: assume they're in, assume they're already breached, assume that they're in the network, and how do you determine that they are? We have some of that, but maybe we can do a little bit better job there. And continuing to segregate and separate out the internal infrastructure at our clients to make sure that if they do get in, they're limited as to what they can access. As an example, something we learned last week is just separating out the manufacturing plant from the front office.

Making sure those are on separate networks, so if they breach one, they don't breach the other. And just being more intentional about making sure that when somebody does get in, A, we can detect it, and B, we're limiting the scope of what they're doing, and also potentially wasting their time on something that is inconsequential and is useless information or systems.

Adriel Desautels (39:27)
you

Justin Shelley (39:43)
Right. Okay. Mario, final thoughts.

Mario Zaki (39:46)
Yeah, I mean, it's

just being proactive, you know, setting up different things to, you know, test, you know, what you think is going on, you know, making sure that, you know, you're going through every scenario, you know, like, you know, setting up a honeypot. You know, sometimes it's a pain in the ass, sometimes it's doable. You know, we now know some experts that can assist in that matter, but it's kind of just

Adriel Desautels (39:58)
you

Mario Zaki (40:16)
testing everything that you're using.

Adriel Desautels (40:19)
you

Justin Shelley (40:20)
And I'm going to, I'm going to kind of close up with what I say all the time.

And this is the most frustrating thing that I hear when I'm trying to evangelize this message, which is really what I'm trying to do: "we're fine." And the counter to that is that if you feel safe, you are vulnerable. I don't want to spread fear, but unfortunately that's the only thing that gets us to take action. If you are not afraid, you're fucked. I mean, there is no protection. You're done.

Bryan Lachapelle (40:35)
No you're not.

Adriel Desautels (40:45)
You

Justin Shelley (40:50)
Close up shop right now, save yourself the headache and go do something else. So listen guys, I'm sorry, if you're not afraid, you're not fighting and you don't understand what's going on out there. So be afraid, but do something about it. Hire guys like Adriel. And Adriel, if somebody listening here wanted to employ your services, which by the way, please do. I cannot imagine a better thing to do than to get away from, or I would say add to, by the way, because

Adriel Desautels (41:10)
you

Justin Shelley (41:17)
You've painted a pretty bleak picture of our industry. I'm not going to lie. It's not wrong. But I will argue you've got to start somewhere. Start there. And when you've got those frameworks in place, when you do feel compliant, take it to the next level. And if they want to do that, Adriel, how do they get a hold of you?

Adriel Desautels (41:34)
So yeah, so you can just hit our website, www.netragard.com. N as in Nancy, E-T-R-A-G-A-R-D dot com. It really is spelled wrong. And you can contact us there and we're happy to help any business, any size. It's like our slogan says, we protect you from people like us, and we really do.

Justin Shelley (41:56)
And don't worry guys, if you don't remember how to spell that, just go to the show notes. There'll be a hyperlink right there. Tap on that if you're on your phone, or click it on your computer, and it'll take you right to his website. So I definitely recommend Adriel and his services, guys. Thank you for being here. We're going to go ahead and sign off. Go to unhacked.live if you want more information about the show, if you want to see our social media links, if you want to know who we are, the people behind the scenes: Mario,

Brian, we all have free assessments that we will do. This is just kind of a way to get you started on your journey. Take us up on that offer. But again, it's a starting point and then we'll guide you through the rest of the process. So with that guys, let's go ahead and sign off. Brian, what's your sign off for the day?

Bryan Lachapelle (42:41)
My sign off for today is, hey, we're here. We're going to be your guide in your journey to improving your cybersecurity. Improve a little bit every day. Give us a call. We'll take care of securing your systems and helping you on your journey.

Justin Shelley (42:57)
Perfect, Mario.

Mario Zaki (42:59)
Yeah, if you guys are staying up at night worried about your business, let us help you stay on high.

Bryan Lachapelle (43:06)
And if you're not, you better call.

Mario Zaki (43:08)
Mwahaha

Adriel Desautels (43:08)
Hahaha!

Justin Shelley (43:08)
Yeah,

exactly. All right, Adriel again, thank you for being here. Any final thoughts or sign off?

Adriel Desautels (43:17)
No, I'd just say, focus on detection and response more than prevention, because that's what's going to save you.

Justin Shelley (43:23)
I love it. All right. And I am Justin. Remember, listen in, take action and keep your businesses as Mario said, unhacked. See you guys next week.

Creators and Guests

Bryan Lachapelle (Host)
Hi, I’m Bryan, and I’m the President of B4 Networks. I have been working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream came true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors, where I could truly utilize my experience as a Network Administrator for a large Toronto-based marine shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki (Host)
During my career, I have advised clients on effective, and cost-effective, approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.