Dennis Underwood, a cybersecurity expert and CEO of Cyber Crucible, joins the show to discuss a variety of topics ranging from his experiences in Pittsburgh to the intricacies of cybersecurity. He delves deep into the technical aspects and importance of cybersecurity. He explains how Cyber Crucible's autonomous software works to prevent data breaches in real-time, even preventing hackers from executing malware.
Our conversation also touches on the evolution of hacking tactics, the importance of multifactor authentication, the value of cyber insurance, and practical security tips for businesses.
We discussed the increasingly professional structure of hacking organizations, compared various cybersecurity solutions, and explored some notable cyberattacks, including ransomware incidents. The episode wraps up with a focus on the human element in cybersecurity and the critical role of preparation and proper planning in preventing cyber threats.
If you enjoyed this episode, don't forget to subscribe. Thank you for listening!
00:00 Introduction
01:01 Cyber Crucible Product Overview
02:33 Explaining Cyber Crucible
04:49 Comparing Cybersecurity Products
06:26 Hacker Techniques and Evolution
19:37 Influencers and Cybersecurity
26:32 Exploring Insurance for Online Marketplaces
27:13 Underwriting and Due Diligence in Insurance
29:10 Cybersecurity Threats: NotPetya and Ransomware
31:31 Ransomware Negotiations and Hacker Motivations
35:01 Suspicious Ransom Payments and Company Involvement
40:26 Targeted Hacks and Executive Protection
46:31 Practical Security Tips for Businesses
52:17 Connecting with Dennis Underwood and Crowdfunding
Social Media: Connect to Joe, Mike, and David on social media platforms like LinkedIn, TikTok, and Instagram:
Joe Erle, Cyber Group Practice Leader at C3 Insurance
Tiktok / https://www.tiktok.com/@itscyberjoe
Insta / https://www.instagram.com/itscyberjoe/
Meta / https://www.facebook.com/joeerle/
LinkedIn / https://www.linkedin.com/in/joeerle/
Questions about cyber insurance? Email joe@c3insurance.com
Get the 14 Steps to protect your data here: https://c3insurance.com/secure-your-companys-data/
Co-Host: Mike Dowdy, Cloud Solutions Consultant at RapidScale
LinkedIn / https://www.linkedin.com/in/mikedowdy/
Questions about cloud security? Email mike.dowdy@rapidscale.net
Special Guest: Dennis Underwood, CEO of Cyber Crucible
LinkedIn / https://www.linkedin.com/in/dennis-underwood/
Cyber Crucible / https://www.cybercrucible.com/
See you next time. #cybersecurity #ransomware #ransomwarerewind
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
what's a QBR? sorry
(00:01):
a quarter
wow I don't know
a quarter
if the hackers go to access data or passwords
or whatever we go ahead and we say
you know what let's not do that right now
you know and then and we uh
we go ahead and suspend it
I should get the um the smiley face like on my uh um
on all of my emails and notifications
(00:21):
you know like have a nice day
you know
self respecting hacker was leaving like my hacker lol
thought exe on your desktop
this wasn't happening you
you're listening to the Ransomware Rewind
where we break down the latest cyber threats
data breaches
and security solutions that matter to you
and your business
(00:43):
stay secure
stay informed
enjoy the show
welcome Dennis
thanks for having me long time listener
first time uh questioner you know
so how's it going out there in Pittsburgh
you know it's good
you know um
it is uh
it is frigid cold it's really interesting
um I actually did a whole day of sales pitches
(01:05):
and like this
like massive cardigan sweater that I got for Christmas
you know and really I felt I felt very like Nordic
you know like I should have like a
like a Steve Jobs
like black turtleneck or something out of it
it was just a normal Christmas sweater there
maybe that'll be your thing like the cardigan
do you have it with you can we
can the listener see it
I don't know I don't
you know what I you know what
it's white
(01:25):
and I made the mistake of like having spaghetti
like a four year old and then wow
I know so now I have
I have to get it cleaned um
it would be funny though to see me
like on cons stage somewhere in a conference
and like my uh
built for Nordic weather uh
you know sweater
you know and then I'm just like sweating
you know like as I'm up there in front of the cameras
you know
like what's wrong with this guy
you know it's like always wearing this like Arctic gear
(01:47):
you know
so you're doing sales pitches today uh
what were you pitching
our product right
um and it was good to pitch to uh
you know partners who like to do like
their own testing on the software
um and then uh
but sometimes I'm like hey
I'll talk to someone who's like
gonna be an investor or whatever
um and uh
(02:09):
you know so it's
it's interesting you know
we um
I've always heard like
QB's discuss with like an OEM to a channel partner
and then we have a what's the QR
sorry a quarter wow
I don't know a quarter
hahaha
that's
it's a QR
yeah you know
it's
what's that meme that's like
(02:29):
um from uh
parks and recreation like
you know I'm scared to ask at this point
you know like I
never really asked I just kind of went with it
you know like I knew quarterly
you know quarterly business review
I think you know
and I just want to know how to use the product better
and stuff like that and you know
kind of like a what have you done lately for me kind of
um you know
kind of meeting you know and um
we found actually some
(02:51):
we found some kind of like data breach like hey
did you guys know
we like stopped this like four months ago
and then like someone piped up and was like
oh yeah that was like Mandiant
you know and I'm like
oh cool
so we stopped your pentest
I guess you know
and I hope based on how expensive they are
that they worked around that
you know that they didn't just sit there and
you know go away and send you a Bill
you know so you're impossible to get into
(03:14):
haha right right
well um
for the listeners that don't know what your product is
can you can you give us a quick overview
yeah yeah sure
absolutely um
so cyber crusible is an autonomous agent
what that means is that we live on the machine
we are able to do some really cool assessments
uh in near real time and then take action uh
(03:36):
to stop the hacker
and hopefully if everything goes well
knock on wood
and it's cause if those of you in security
but generally our customers uh
an attack will be stopped
and the employees have no idea
only the it department
for the security folks know
if they're actually watching
you know like if
if uh
we had one customer that uh
marked us as spam and then they never got reports
(03:58):
and they never knew anything
and then all of a sudden on our QR
I was like did you know this happened like a month ago
you know like
and they were like no
you know I'm like
well
like this is good I mean
the product worked as intended
you know like nobody uh
no fuss no muss
you know just like your fire sprinkler
just kind of sat there and did his job
so the attacker tries to get in or um
(04:19):
they try to execute malware and then in a very
in like a millisecond a couple milliseconds
your software
um agent takes charge and stops it from executing
yeah
it's a it's like a data prevention
data loss prevention tool basically
you know so if the hackers go to access data
(04:39):
or passwords or whatever we go ahead and we say
you know what let's not do that right now
you know and then we yeah
we go ahead and suspend it
um and then uh
the hacker sometimes they'll retry cause of all the
I mean I've seen you post on like AI and stuff
there's a there's definitely a lot of automation
in various steps and
and so sometimes it'll be like 10,000 attempts
(05:00):
because they have some script running
this little program that's constantly retrying um
and uh we uh
we sum that all up and say hey
guess what someone just was stopped about 10,000 times
have a nice day you know
I I should get the um
the smiley face like on my uh
on all of my emails and notifications
you know like have a nice day
(05:20):
you know I think
for you just like
every notification should be like a different meme
nice
nice so people have EDs
like Crowd Strike and Arctic Wolf
and all these great products why do they need you too
(05:40):
that's a great question
we get that like every single sales pitch
I always feel bad when someone um
was like I'm sorry to ask this
you know and then I'm like
well everyone else did
so don't feel sorry you know um
like uh
you know edrs
um I mean
I've been around security for a long time
and they were really good when they first came out
essentially
they came out because antiviruses were really good at
(06:02):
like checking like files
but then um
they got really bad at checking files
you know like
like
and so edrs are really good at like catching telemetry
and then it's almost like herd defense
you know where they were like OK
well a couple you
what's that um
Futurama uh
meme with like you know
some of you will die but
you know that's a sacrifice I'm willing to make
(06:24):
you know like haha
like that's essentially e r right
I mean which
you know I was one of the guys saying that
you know and it was like
um some of you will be victims uh
sorry you know
I did a control group for my experiment
and the experiment is figure out OK
what is the hacker doing now
OK now
is anybody else
are we seeing that anywhere else from anyone else
(06:45):
we haven't seen his victims yet right
and that worked as long as the uh
the hackers were pretty stable
you know like
whether it was like Stuxnet or all the rest of them
you know like way back in the day um
and uh
that worked well but then the hackers
like they're not gonna be stagnant right
so they started to evolve
and it's almost like um
(07:05):
I don't know if anyone's ever read Michael Crichton's
Jurassic Park
it's like from high school
required reading back in the day but um
the virus was like give our product right
um and it was good to pitch to uh
you know partners who like to do like
their own testing on the software um
and then uh
but sometimes I'm like hey
(07:25):
I'll talk to someone who's like
gonna be an investor or whatever
it's almost like um
I don't know if anyone's ever read Michael
Crichton's and drama to strain
it's like from high school
required reading back in the day
but um the virus was like
mutating faster than anyone could do anything
and it's kind of what the hackers have done
they're like well okay
I'll just keep on mutating
so fast that you can't ever keep up
and build a signature to deploy um
(07:47):
so we said you know what
let's figure out if we can make it that
no matter what signature is coming out there
what hacker technique is mutating that we can just say
you know what we're gonna stop that
and then we're gonna figure out why exactly later
that's time for Crystal on us show
yep OK
I'm reading this book called Ghost Fleet right now um
I think it's required reading for like a government
(08:11):
NSA type jobs um
where it's about like possibility of like World War 3
um
and how it would go down
and the Ghost Fleet is essentially like
all these ships that are on ice
because they're like analog
and they're like the government's insurance policy
in case like these connected ships get all like hacked
(08:32):
right nice um
but the
way that the virus got into like
the government agency in the book was
it jumped from a cell phone to an RFID chip um
is that could that happen
I mean the the RFID trip would have to be like
writable and everything you know
(08:52):
normally they're just kind of
like chips that just wake up and give out a signal
they're not programmable you know um
I guess
you know there's a certain number that are right
but then also it
there's not much room to do much right
so like the they don't
it's like if I'm going to you and being like hey
hey Joe I want like a programmable RFID chip
and I need to do these things
(09:13):
and you're gonna be like okay
well let me do the minimum to fit into like the
the price I give you
like it has to be 3 cents per chip
you know well you're not gonna like go out and be like
let me see how many SSD's I can cram into there
you know
how many hard drives can I cram into this thing
you're gonna be like the bare minimum be cheap
you know be profitable
is it possible for a a virus to come into or
(09:34):
or malware to come into your system in pieces
and then put itself together later
yes
yeah actually we
we stopped someone at a merchant services firm
where they actually um
you know you can do that and that's fancy
or you can just like pass the source code down
because a lot of machines
out there have the ability to compile
programs that like
nobody uses you know um
(09:56):
and uh so we actually had one where they
they went on there and they were compiling the
the malware right there
building the malware in memory
um and to run it right
and it was pretty wild to see and I was like
huh never thought about doing that before
you know but um
or I guess you could do it in pieces sure
you know until like
I don't know like some big superhero
(10:17):
Mike Myers comes and saves the day
I don't know I think so yeah
um
going down that line um
most
a lot of hackers are using like legitimate programs
um to access your system right
like they're
they're not like going and making all this malware
they're they're just using like Microsoft tools
(10:39):
is that is that sound right like
or yeah it depends
I remember um
I remember back when so if you look so
so everyone on you know
all of your millions of readers
you know know that like um
race more rewind actually was the name of like
our product back in the day
and Joe has like
all right to use it for his
you know his podcast right
(11:00):
so it's down the way right now
you know you're the
you're the godfather of ransomware
we went I know yeah
it was like a you know
it it was worked from marketing until it didn't
but we had like that key capture back in the day
you know where we actually decrypt Ransom
and you look on YouTube you'll see
I should give you the the YouTube channel actually
I should see like I don't know if there's like a
like a uh
I guess you took it over right you
(11:21):
you name your channel ransomware Rewind
is that right yeah
maybe you have a okay great
if if
if you're not let me know and I'll make sure to like
I'll pass the torch I don't know
you know but like um
we have all these like decryption videos right
and they stopped something in 2020
well to your point right
they were using the windows uh
the windows cryptography libraries to like
(11:42):
create keys and and settings
the NSA term would be like crypto variables
you know I think it's in our pattern too right
you know and so like
um and then they
we figured it all out and put it together
well the hackers were like
well you know
that's great because you're living off the land
they call it a hacker you know
in security um
but we're gonna go ahead and like
take that and we're gonna make our own program
(12:03):
and keep it all quiet and secret
and that way you can't see how we're messing
around with keys and stuff
you know and I was like
I remember these guys were calling me from like
burner phones and they speak better English than me
despite being like
from Bangladesh or Northeast China or whatever and um
their solution to get around all the monitoring uh
was to uh
(12:24):
to not use Windows you know
libraries anymore and to go ahead and take it in house
you know and that that caused some issues for me
um you know
and there's it gets geekier
but basically we realized that prevention was better
so to your point it's like sometimes they use them
cause they're there and they're available
and they know everyone has them
and other times they they realize
(12:44):
they introduced a vulnerability into their own setup
and their own operations and they had to like
kind of like stop using the Windows libraries
like back in
2020
yeah 1
Dennis was a speaker at our Cyber Summit last year
and he had a really
cool presentation about how
(13:05):
hacking groups are working as businesses
um can you kind of just like give us a thirty
uh thousand foot view on that on how uh
sophisticated hackers are
yeah yeah
I mean there's just like
there's a limited number of like really experienced uh
you know penetration testers
or I'm assuming experienced actuaries I
(13:27):
I don't know like I'm speaking out of my
my lane there but like
um and so like gifted people right
limited number so uh
you know the business model is well
if you you know
how can you multiply your most experienced employees
and you can set up different ways
whether it's like a training program or have like
a lot of times you see like a master salesperson
(13:49):
the VP of sales you know they're just gifted
right and they just um
they'll give like
call scripts to all their junior folks
running out of college you know
to say you just say these things right
and that's kind of what happened
with the Hacker Village was like they uh
you know deep in their volcano
they were like well
let me just like
automate the attack and give a whole bunch of these
um uh
junior folks you know
(14:09):
this like the
these call scripts to use right
and then it went from there
where they developed
like an affiliate program and a channel program
just like a normal business
you know like
let me get resellers
let me get agents out there to do stuff for me um
and they set up this whole supply chain
you know because they were
they were so successful it was so profitable
and they were like well
(14:29):
how can I amplify my reach
and it's just like selling
I don't know straws
I was sure my next company will be like
an AI powered cocktail napkin
you know
so I'm distributing my AI powered cocktail napkins
you know like and
napkin dot AI actually
yeah
now you're gonna see some crazy pattern put in for like
(14:49):
AI powered cocktail napkin
they'll beat me to the punch exactly
but like no pun intended
but like um
but the uh
so um
yeah so there needs to be a distribution model
right and distributors in different places
and they set all of that up
and they have like you know
revenue shares and everything
it's pretty wild to watch
um and then whenever it's like
someone calling us on a burner phone
(15:09):
it's always like the mower developer behind the scenes
it's like
not the front line junior guy who knows or girl right
you know who knows like hey
I know to run this script and if as long as I do that
I have a job right
and that's what we see a lot
yeah the uh
they have like access managers
access people too that
(15:30):
that just their job is to just to hack um
and create access
and then they hand it off to the person that's gonna
actually Ransom it
right which is boring compared to like
the hacking for some people right
it reminds me of um
my some of my software developers
you know and other ones I know in my career that like
they love like the R&D problem and then um
(15:52):
and then what happens is like
when you get to like quality assurance
testing or like any like the boring stuff
they're like I don't wanna do that
you know and then you
you never get a working solution
it reminds me of a um
so I was I was
when I was back working in government
there was like this like uh
this military operation like counter terrorism thing
you know and like we
were waiting for this one new capability to come down
(16:13):
and um
I was waiting for like um
you know months
and finally I just like went and I found the person
and it was like this
like it was a young woman who like was
you know this brilliant mathematician right
and like I was like
what are you doing and she was like
well it's not
I know I can do more for efficiency
it's like not optimized like yet for full mathematical
(16:34):
like precision and I was like
you're like
1,000% better than anything we've ever seen before
like we need this now right
and it was so weird to see the separation between like
the academic side of like
whether it's hacking or you know
mathematical models or anything
versus like the operational side of like just hey
can you
can you run your software without breaking my business
(16:56):
and causing a global blue screen of death
you know
like it was like two separate sides of the equation
you know
yeah I get that
it's kind of like a form of perfectionism
yeah where she's afraid to
to ship something I feel like that
I do that when I'm a editing these podcasts
nice nice
my partner's always like where's the podcast Joe
(17:18):
I'm like I just need to go and
you know and fix the audio a little bit more
I get it I get it
I I went through um
well here I
am saying um
but I went through and every now and
and I'll be like let me just go ahead and remove
all of the unnecessary words
and I end up with like
this max headroom type situation
cause there's so many unnecessary words
I'm um
I think you know
(17:39):
the news casters are safe from me taking their jobs
cause I'm not quite as smooth right
so let's look at what you're saying
well
for the news casters all you have to do is talk in um
little bite size chunks they just want um
you know like a one liner
nice
it was it was a
who's the guy that did cosmos um
(18:02):
the
uh
he does Ron Burgundy
he's like the most famous scientist guy on TV
um he did the documentary Cosmos
Neil
oh Neil degrasse Tyson
the gross yeah
Neil degrasse Tyson okay
(18:24):
yeah and he said all the guys are looking
all the people are looking for a sound bites
oh awesome
so you don't need to like give them a big explanation
just give them like a sound bite
so that they can take that and put it on their story
awesome so that's I guess small words too huh
(18:46):
like I every now and then I'll tell someone I'm like
well now that that's the little quiz done
you know and then
uh sounds like that's not the way to communicate now
you know exactly
exactly
I saw an article with the um
about I think they're bringing back Vine
maybe wasn't Vine one
that was like six second clips or whatever like like
I I think
(19:07):
I don't know it could have been like rage
I was too slow to get on Vine
I want I like was nice
I was like signing up for an account and I was like
well Vine's no more oh
so I was gonna say were you the one writing the article
like like a
a girl a marketing campaign
you know like let's bring back Vine
you know
I thought that the people that were using it right
were pretty much geniuses
(19:27):
because they took Vine and they would
you know 6 seconds right
but they would put it together like a tweet storm
and they would have like these six second clips
like um
you know going uh
continuously to like tell a whole story
which was yeah the people that did it right
it was really captivating
(19:48):
I believe it there was a um
so my daughter's uh 15 and she was
she always has like sometimes she'll come down to the t
watch her influencers and Youtubers
whatever on uh
on the big TV in the living room
and I looked up and I was like
I recognized that now woman
and I had actually in my first business in Pittsburgh
the services company I had asked her to like
(20:10):
make some graphics and business cards for me
um before I
guess she got into like being an influencer
and then like I saw her and I was like
you know we're all 20 years older now you know
and I was just like I kept thinking like man
she has more money than I could ever hope to have
you know like just recording videos
you know and um I was like
(20:30):
I'm questioning a lot of my life now you know um
that was wild to see
the influencer economy is really interesting
and I think that
they are probably the least cyber savvy
and that they have a lot to lose by getting hacked
I think there's a contingency of hackers
out there that try to steal their passwords
(20:52):
and then
their Youtubes have you seen that out there
yeah actually um
I've seen it before where uh
we thought it was someone
I'm gonna say something important that's
that's kind of like not the right way to say it but um
where it it was like a celebrity yeah like
like basically it was like
it wasn't important to the enterprise
(21:13):
but it was like they it was an account that basically
fed back to a influencer and they like
this person was just like tracking this
this woman um
you know as she was going like
internationally shopping and Dubai and everything
and it was like a whole set
as if it was like a VP at a bank
you know or or CTO CTO of a bank or something
(21:34):
you know so I see that and you know what I um
I saw we had a we gifted a channel partner
um some licenses for like Christmas a year ago um
and then they kind of disappeared
and then one day like it
like the licenses showed up and it was um
some of like the camgirl kind of stuff
you know like
and we only knew because like they were
their logins and we were protecting them
(21:55):
and they were like
someone was trying to get access to their
their account right and um
their account information
because that person had logged into an
a camgirl a site
I think that was the camgirl like the
the gift like it was given
it was basically given to the
cause we looked it up and we're like what
it was an anomaly in our site okay
(22:16):
surprise no
not many I mean this probably an insurance thing too
not many employees do
go to those kinds of sites with their work
you know desktops you know um
if if they are I don't wanna know
but in this case
we saw the theft attempt and we were like
what the heck you know
and um we realized that it
you know and it was in like this orphan group
(22:36):
so we had no idea who it was or what it was
and then we looked at the name and I was just like
let's go ahead and close that link right now
before we violate all HR policies at
in our company you know
like and um
W right yeah
so it definitely was a concerted effort
so it must have been some creepy fan or something
yeah and so they were just like
trying to get access to secret photos and
you know so I was
(22:58):
uh looking on LinkedIn the other day and this girl was
she does videos like that have to do with stem
you know like she does as like presentation
she's pretty uh
good looking and she was like
showing a side by side of impressions of like
when she puts stuff on LinkedIn
and when she puts stuff on Pornhub
(23:20):
and how much
like more money she made from putting it on Pornhub
just like her like uh
you know stem presentations
like with all her clothes on just talking about like
you know cyber security or
or whatever she was talking about
so right
I just found that kind of interesting
I had um
you know for
for this the
(23:40):
the crowd fund we're targeting like uh
building a community of like security experts
you know to as investors
um great for customer acquisition partners
I I always joke
you know
people that if I take a 90 degree turn the wrong way
they'll be like maybe don't do that Dennis
you know like
you know let's have a chat about that one
um and uh
it like I played it right next to some guy
(24:01):
like one of those like Instagram Youtuber
uh like 20 something year old
you know young man
and he was like sitting on the hood of like Ferraris
and he was like I don't know
like doing all kind of stuff and super
super um
what are those filters you know
that made them look like uh
unlike more like a robot I don't know
you like and um
yeah and I was just like
and you can see the numbers rolling in like
(24:23):
and I was just like
and it was selling some NFT or something
you know like
and I was like man
like I'm
I always question whether I'm doing this wrong or not
because like you know
here I am
trying to do this super advanced security thing
you know and this guy's still on a dream and
you know just raking in the cash
there's a cost to being like a good guy too
hahaha thanks
if you used your skills for
(24:45):
you know on the other side of things
I mean I'm sure you can make a lot of money
and probably more money yeah
they're guaranteed probably stay
you know under the radar
but like then you wouldn't feel like a good guy and
and I think there's a value to that
that yeah that's right
you can go home yeah
that's why I'm always playing these like RPG games
you know like Baldur's Gate or whatever
(25:05):
and I always end up being like the folk hero
even though I'm like you know
I have all these choices right
but like I just like feel weird like
you know killing people for no reason
I get it I get it
so maybe not being a mercenary
maybe not in your future you know
so yeah sometimes I'll
I'll like that's it
(25:26):
as far like bad as I'll get is like mercenary work yeah
but you know
I I usually end up being like the folk hero
you know
it was interesting because it was kind of boring or
or I'll or I'll like be the folk hero and like um
somebody will piss me off and I'll just like
kill everybody but then I'll like load my last save
(25:47):
right
you should maybe talk to someone about that
I talk to people
it's 2,025
you can talk to people it's fine
oh yeah
um and
you know I
I uh
I had made a comment that was a little bit edgy so
you know I
I try to say things on LinkedIn that are a little bit
um punching up
you know uh
(26:08):
while I can you know
once I have like you know
you know big private equity saying don't do that
and they have someone managing my
my online presence you know
but um
and I made a comment about how they released the um
the Silk Roads guy like the
that website that does all like the for whatever reason
whether on purpose or not
I have no idea and I guess
you know um
(26:28):
what's his name the the something pirate yeah
I can't remember first name
I should I should know this right
it's my career you know first name is Ross
um you you look like a normal guy too right
you know it's like wow
a bearded pirate or something it was like nice
what's this
it's a the stores
go to the website and Saint Kiss buried in the sand
you know like um
and but here I released right and I was kind of like um
(26:51):
the uh um
you know OK
well that's good for cyber security for I felt because
you know like his website was kind of
you know up to a whole lot of shady things and um
that he was taking money on
so here's here's my question though right
you know
cause I saw you comment on my on my comment right
and I was like maybe I should answer offline
so I'm not gonna answer here right
(27:12):
but the question is like
so let's say that he comes to you guys right
C3 insurance and he's like hey
I'm gonna start a new business
I want like it's gonna be a website forum
and I wanna customize Eno policy or cyber policy right
like so how would you guys approach that knowing
you know past sins forgiven right
would you have like an extensive questionnaire period
(27:34):
or would you like find a customized like chub
kind of like you know
quote or something
cause like you can assure anything allegedly right
yeah
if it's gonna be a similar website to Silk Road
then it's probably uninsurable
but I know I was and then like it was like only legal
uh only legal market
uh right
(27:54):
can only do legal things
then I'm sure we could find something for him even
right and then
and my question is like
how much due diligence would you do if he's like just
oh it's a marketplace for friends to gather
and then you find out it's like
like what how would you track that
or was that the insurance is like the underwriter's job
like how would that work
well I wouldn't
(28:14):
get information from different sources
they have their own databases they'll look at
the insurance website they're insuring
they'll do
their due diligence on on that part
um if they're gonna look up the CEO
probably not um
and then in the application
(28:35):
it's always asking like
is this an adult website is this a gambling website
is this a um
a crypto website um
or do like
people can make financial transactions on the website
you know stuff like that
in order to like kick those either out of their um
appetite which means like what
whether they'll write it or not
(28:57):
the insurance policies
and then you
know or or if it's gonna fit their their box right
and we have we of course have a
a ton of companies that will fit
you know adult sites and
and gambling sites that are out of the box
it just goes to a different kind of insurance company
like a a Lloyd's of London syndicate yeah
(29:18):
got it but there's
as long as it's legal we can insure it uh
because in every insurance policy
there's a clause about doing illegal stuff um okay
where that's not covered so if you're like
get in trouble for doing something illegal on purpose
(29:42):
then we can't uh
the insurance company is gonna just deny the claim
got it got it okay so I guess they're still unsure
they just won't get yeah
they won't get short for that right
yeah if they're doing something bad
interesting intentionally
yeah okay
got it got it oh sorry
I got serious
I didn't get I don't get all serious on that's okay
(30:03):
I like talking about cyber insurance
I talk about it all the time so yeah yeah
we can talk about that hey
uh
I did a tiny bit of research on this hack called not
Petya
do you remember that it was back in uh
June 2017 that was like ancient history as far as uh
(30:23):
cyber security goes right
it's probably I I imagine this same exploits
you can probably find work somewhere
you know are you I mean they used a
a combination of a Eternal Blue
which was a US created um
exploit to get into Microsoft computers right
(30:44):
and then they use this other one called mimikatz
which would go in
take the passwords out of that computer
and then you know
move it to like other computers that
that were on that network
and Microsoft even had a patch for Eternal Blue
but if they got into an unpatched Eternal Blue computer
(31:06):
that had passwords for the patched Eternal Blue
computer it could still spread
so it was kind of like a really um
sophisticated worm and it was
it's a good example of like actual cyber warfare
cause it was like the Russians like going after Ukraine
but it spilled over to the rest of the world
it was kind of became like a cyber crime on
(31:27):
a cyber war fair on the entire world
um due to due to its nature
it's always hard I
I noticed you know
and ransomware is very similar
like it's just uh
the the hackers go on
keep on trying to find ways to like
automate their operations and um
every now and then you'll see me talk about like
right sizing uh
(31:48):
ransomware attacks you know
right sizing your hack cause if like
if you develop something that's like so uh
you know so much like this exploding worm
you know across the world
um then like
it's probably overkill for what you want like and
and we used to have in the beginning with ransomware
where like they would um
uh you know
data sets is one thing right
(32:09):
so it would go everywhere and just steal data
but then I think
wanna cry ended up being that they were like
people were getting like these
you know just pay the bitcoin and we'll
and we'll like
uh open up your computer
but it was like
it spread so far that the hackers were like
we're out of this is out of our control like
you know yeah
and if you pay we can't open your computer
cause this went to like millions of computers right
(32:31):
and that's that's the um
I guess that's the problem
you know with
with the hackers is kind of like
if you encrypt too little
right then like the it team all high fives
cracks open like the prosecco or whatever
you know like
and then they move on right
um and if it's like too much
like I remember some points
like I'd have like FBI guy call or
or whoever right
(32:51):
and they'd be like hey
like can you help us
and I'm like well
what's left you know
or do you have the did you pay the Ransom
and they're like well
the problem is
is that like the hackers love like left nothing
you know like
and they also like drain their bank accounts
and I'm like
so you can't pay the Ransom and the machines are down
and so they have no revenue generating capability
right and I was like
(33:12):
okay so they're sports
they're you know
the what
no cyber insurance
no no
yeah so they just like
and they go down and I'm like
there's nothing left just declare bankruptcy
you know like what are you gonna do at this point
you know
or sell for pieces like sell for the server cost
I don't know and um
and so I think from the hacker world right
it's almost like you you know
(33:32):
you kidnap someone then you like you kill the hostage
you know and there's like just
you can't get your Ransom now because you uh
you you know you
you got rid of your leverage point that they pay for
right right
and depends on the motivation of the hacker right
and then I saw one they were talking about they
um you know
they they realize what like almost every sales
like especially you know
(33:53):
every salesperson knows that like every
like buyer has like
a certain check size that they can actually um
get out of them you know
and you know what like oh
this deal value requires the
this many signatures kind of thing
you know right
and um
so every now and then I see them like
do like a smaller attack trying to like
get it to be under the budget of the person
they're notifying you know
(34:14):
and I'm like that's actually really smart
you know
smart than a lot of sales people out there
you know like so um
so I always call it like right sizing
be just painful enough to get a quick transaction
you know release the CFO's kid
so to speak you know
like and then like there you go back to the races
you know yeah
heard of people uh
finding out that the hacker
(34:35):
went on their server
and looked at their insurance policy
and they found out that they're you know
have $1 million in cyber insurance
and then they'll say in the negotiation like
we know you have $1 million in cyber insurance
just let your insurance company pay it
and we'll go away right
uh I always felt like that gave insurance a bad rap
cause like it's not
(34:56):
cause if it wasn't the insurance policy
they just bring up the the
the bank statement you know
and be like OK
how much how much liquidity do they have
I bet you we can get them to like
give like a 24 hour payday loan for this much
you know like
I mean it I always felt like people were blaming
the risk management system
you know the insurance system
instead of blaming the hackers
(35:17):
are just figuring out how much they can charge
you know so they don't see something
good
I'm sorry to talk over you dude
it's it's hard with zoom um
they could look at zoom info or yeah
Bradstreet and find out like
numbers that way too just like hey
we know make 25 million a year
this is only 500,000 it's
(35:39):
it sucks for you
but don't you wanna get back into business
right
yeah right
I mean it makes perfect sense to me
you know um
but uh
I mean I think they're just getting smarter
can you think of any hacks that
they weren't motivated by money
where they wanted to to like shut a company down
(36:00):
oh jeez um
you know
I saw more where I was really suspicious that the
perpetrators were somehow also
the victims were also helping the perpetrators um
where I'd see evidence of that where like um
I'd try to negotiate the Ransom down or um
(36:21):
or like the you know
I try to call the owner to be like
hey
they gave me like 24 hours to raise the price and the
and like not even the owner
but just like some C sweeper whatever
and it's like
they just weren't interested in a lower Ransom or like
deadlines or anything it was just kind of like
you know like I'd
I'd eventually call the guy
they'd be down for like a week
and then they'd be on the golf course
(36:41):
you know and I'm like
do you do you think I can close this deal
and they're like yeah
sure let me finish up my round first
you know and I'm like
how are you solvent you know
like you're playing
golf and your whole company shut down
so I always wondered I
I could never ask I don't wanna know if I did know
I couldn't talk about it I'd be like
looking outside my window
if there's someone following me
you know like
(37:02):
but like right um
but I always wondered about that
you know um
because like it
it just seemed like there were some folks uh
maybe a little bit too interested in the Ransom payment
taking place you know
without fuss or muss you know um
and
we're a lot less stressed out than I would have been
you know with my business down
you know so I did see that none of
(37:22):
no one that you know
I think you know
and it's been it was during Covid too
you know so um
just crazy times you know do you think
the vodka company Stoli's was
was uh
purposely attacked to make them go bankrupt
uh
which one Stoli's Vodka
oh
I don't even know about that one
(37:43):
I I
I have this like feed of like Ransom companies
and it's just like non stop
every day there's like a new article
you know and I'm like
ah just it goes spam now
you know what
I just heard
that they were not in good standing with Putin
and the government there
and then they like seized their
um factories in Russia
(38:03):
and then at the same time they got hacked
it just seemed like
too many things coming together at once right
I said I've been now then with um
MNA like we're like
right before or right after an investment or MNA
they'll like they'll be like some big Ransom event
and then um
I'm like ugh
was that kind of like on purpose to like
(38:23):
get some tax free liquidity
you know like
and you know
I don't know like
I always wonder about that
cause the timing you know
it could be that the hacker
there was sitting on their systems
waiting for them to have a high risk situation
where they would pay cause they were yes
the MNA
(38:43):
yeah or
or the traditional um
before your investment
have some troll like send you like a legal notice
they're gonna sue you if you want to keep it quiet and
cause they know you'll have to disclose to the
you know investor
you know I can see that happening too
you know like you have to disclose this or else uh
you know
the investors will know they might blow up the deal
sorry you know
like so alright
(39:04):
there was that one hacking group that like
reported a company to the SEC
before the reporting rule was actually even up um
up right right
I I heard
I don't know
I think it was you who told me that
or someone told me that like
the filing was actually pretty high quality
like it was better than what they
expected out of like
even their own employees or something
and I was like that's hilarious
you know they know rules better than us
(39:26):
yeah yeah that's funny
yeah uh and then there's uh
Ashley Madison that one was uh
yeah that was wild
I um
you know I was brought in where we identified a uh
a cookie theft you know
and it was like an executive's personal computer
and it wasn't actually Madison
(39:46):
it was actually a different site that
you know I
I don't feel comfortable saying
you know but like
it was a certain sub genre of sexual activities
you know and he had gone to there as well
but this this executive's computer
like the executive somehow like was involved in like
they figured out it was like patient Zero for the uh
the ex like
like basically the ransomware event
(40:07):
you know and um
now it was good because you know
when I when I talked to them
it was like the eno
insurance guy for the company was there
and I guess there was like a um
an umbrella policy for the personal insurance
I guess and I don't know how they were related
you know but you know
different line you know
way more than I do about this
so you know
so and basically it was like once I identified it
(40:29):
that was like the end of the communication involving me
you know cause I don't need
you know at that point
that's probably the right thing to do anyway
you know I don't need to be there
you know I'm not Perry Madison
you know and then um
I see Madison's dad maybe
I don't know you know
but like one more question
Perry Mason I met wow
so that's a it's a total uh
slip right
but um
but the um yeah
(40:50):
but they I guess they realized what was going on
you know and then uh
you know and I don't know what happened beyond that
you know I don't want to know
you know but so to that point though
you know
there was definitely an extortion blackmail kind of uh
angle you know right
you know they said like
shut down the company or we're gonna leak everything
yeah or like we're gonna call your wife I
I don't know you know like
(41:11):
but but uh
I was just like you know
glorified Geek Squad you know
with a piece of software you know
so I did my Geek Squad thing and then I was like
okay there you go
you can leave now you know
zoom call yeah
yeah this is
this episode of uh
Dark Knight Diaries
(41:31):
where he talks to this guy named Chris Rock
uh different Chris Rock how can I say it
white guy
and uh
he
this guy is talking about how he does this
like he's basically a gray hat
gray hat hacker uh
who works like as a
basically a hacker mercenary for high profile
(41:52):
like people of the Middle East or whatever
and he was talking about how
when they need to hack somebody
they don't start with like the person themselves
they start like they do their reconnaissance
they find out like where they get their massages
what banks they use um
like all this other stuff
(42:13):
and then they try to like
hack those people
or they'll try to hack their kids or their wife
and then like slowly get to the person that way um
do you see that a lot or do you see
is that um
pretty yeah um
I mean I
I get to like I get to distance myself
from a lot of that kind of work
(42:33):
now that we're like a software company
not services you know um
that certainly would would happen um
you know back when I was doing services
uh whether whatever scope of activities that would be
absolutely because like
you know the
the guy might be hardened
you know but then like
you know the
the executive's wife's home computer wasn't right
(42:55):
and and um
so I always do try to convince people to it's thorny
right because um
you're like okay
use my software to protect your family's computers
right awesome right
but then there's a second area issue
which is that like so if if um
if we're installed on like
the kids computer or the executive's home computer
which we all know you know
(43:16):
despite all the admonitions
they they'll share devices and share logins and stuff
you know like this
you know and then um
then uh
or like the wife's computer
right like the wife's Microsoft soon
I don't know you know
whatever the iPod killer
right but they'll
they'll use that right
and then the company though
if they deploy that with them
then if they're managing that
(43:37):
then the company has access to all their personal stuff
which increases the liability for like both parties
right because now you have
what are that waste doing
are you liable now like for their like
you know salacious book club activities
you know like whatever yeah
and that's a that was always a challenge
I know I was never quite you know
I was always say well
there's some options I never really saw them come back
(44:00):
but it seems like the sticking point was always
we should protect them
but we don't want to know what's going on
you know and that was always the uh
the point where they had to figure something out
have you ever thought about doing a consumer version of
uh what cyber crusible
yeah we
we definitely could I
I think that was one of the options I always gave
you know or give
(44:20):
you know was um
was like hey
we can make a separate group for them and just like
it'll go basically
you know cause the odds of a consumer
ever looking at their stuff was
is pretty low you know
so it was always like hey yeah
we'll set up a separate group for them
uh they can be notified
they'll probably they'll probably historically
they will probably like Mark that note
(44:41):
that security notification as spam
you know or just be like filtered out of my inbox
I don't care about that you know like
and um
uh and
and we'll see that you know
with like one or two company users
like a lawyer or like a dentist or whatever
you know we'll see that already
you know where um
there I always say
they treat it like their fire suppression system
like their fire extinguisher company was like
hey Tom
(45:01):
do you renew and they're like great
it's over there bye
you know here's your 20 bucks
you know so
um so we do see that
but yeah it's it's um
it's harder on the sales side for us right
cause it's hard to get that big ROI when you're like
you know
they think about it for six weeks and then you're like
okay great
here it is and you realize like it's a 70 dollar deal
you know and you're like
okay like that wasn't worth my time
(45:22):
you know right so yeah
I yeah
I guess you never know but yeah
so sometimes you
you end up working on stuff that ends up
not coming out to anything
and sometimes it ends up
being leading to something even better
much bigger
yeah there's um
you know
we have a couple executive Protection type folks like
(45:44):
like you know
Station X Green Beret outside the office kind of thing
you know and um
it was actually the exact opposite problem
we're like um
they were like look
we just installed like a 25,000 dollar like
you know camera system for this one
you know leading to the safe room
I don't know whatever you know
I'm like cool and then they're like
I'm like well
you know identity theft is a problem
(46:06):
they're like yes
we're very concerned about that
and then I'm like well
I have the software that uses AI
uh some
you know genetic
with the genetic algorithms
and reinforced learning kind of stuff
and then we we are able to find the hacker right
like awesome great
let's give it to Mister or Missus executive right
and then like they're like
I show them the price you know
it's like
still a hundred bucks for the both or whatever
(46:27):
you know and they're like
okay look
like we're paying like 10,000 a week for this
like X Navy seal to like you know
walk around with them I
I can't put a 70 dollar thing on their Bill like
and I was like well
then charge what you want and wrap it inside of like
I don't know special forces like cyber
you know sleuthing agent or whatever
(46:48):
I don't care what you call it
and cause for them it was the opposite problem right
where it was like too cheap
and they were busy
like installing like the best of the best
like fiber optic cables for the cameras
and like
Thermal sensors and all this kind of crazy stuff right
and then here's me with like a little plucky
little like you know
dime store
kind of like a software compared to all that
(47:08):
you know yeah
so if you're listening Dennis is software is too cheap
hahaha
for them it is yeah
I mean get it now before he raises his prices
that's right like
why buy a Rolex when you can get a K
Mart plastic strap for the same price
you know I mean really yeah
they're both tell the time ha ha ha
real real quick we're kind of getting to the end here
(47:31):
uh do you have any like
like 3 practical security tips for
for businesses out there
oh wild um
yeah sure
you know um the I think the first is that if you are
you know selfishly is in my favor
you know
but whatever you can buy just like buy it automated
I mean really
(47:51):
I I see people down this
go down this trap all the time of like
they're gonna buy this thing that has like
50 knobs to turn and they'll like
you know and they'll be able to get back to it later
they never get back to it later
you know like
they're lucky that they have time to change the oil
nowadays you know
so I say if you're gonna get it
get it automated as you possibly can
don't trust that someone else will automate it for you
because they have the same problem you do
(48:11):
you know um
so I think automation uh
is gonna should be a big focus um
I really like it when people use some kind of MFA
multi factor authentication
I know it's a pain in the butt
don't do the text message stuff
I hate it whenever someone like knows my history
and they'll call and they'll be like
hey I have this like
high net worth individual and executive
(48:32):
and they're like their phone has been cloned
like that is that
they're getting hacked on their phone constantly
can you help us and I'm like
I don't have time but I can tell you
it's probably gonna be like
30 to 50 thousand dollars
by the time you're done kicking out the hacker now um
that you know that can get really expensive right
you know so I would say use multi factor
get like a Google authenticator
Microsoft whatever fill in the brand
(48:55):
I don't care you know
that really slows down the hackers
and makes them work harder
you ask for three things oh man um
you know I
I you know
you and I have spoken about the insurance side
you know repeatedly um
and I
I always see that like whenever an attack does come
even when our
our tool successfully like blocks everything quiet day
(49:19):
there's like still like hey
where's the hacker at you know
and there's still time and money spent on that
and it always costs more than you think um
and it's you know
a lot of people
the less technical they are less cyber savvy
the less valuable they think
the less the price they think should be right
and then um
(49:39):
it always surprises them
and I always say like the cyber insurance um like
uh you know
like Eno's not really gonna cover it right
like cyber insurance
that'll help them like navigate that um
you know the
the dip in revenue or the
or the escalation temporarily in expenses
you know and it's
always
seems to be messier than they think it's gonna be um
(49:59):
so I'm a big advocate of it
I know that's selfishly your line of work right
you know
but you know it's
it's it's funny cause like if you're not doing that
then you're dipping into like your liquidity
you know and that's just not cool
you know like
cause then there's only so much of it right
and so um
it is an interruption to your
to your normal day and insurance will help bridge that
no different than like your driver
(50:21):
like rear ends some school bus
and then now you're stuck with this
you know really
uh difficult situation
you know if you want properly insured for this
for your driver right
and these professionals get paid on par what
uh lawyers get paid
you know it's like
you can't find a incident
response team that's gonna charge you less than
like $400 an hour yeah
(50:42):
we actually raised our prices um
to try to like like
we try to be nice to people
cause they're normally in desperate times
that they haven't used our software
and so actually
I raised my price to try to get them to like
find a more affordable option
cause most folks do not need
like former NSA cryptographers
you know like they just
they just don't need that
you know
(51:02):
so right um
and and uh
this complex situation I raised the price
and some people were just kind of like
okay sure
and I'm like that didn't go as planned
you know
you're supposed to go to like someone cheaper or
you know who has
who has a bench you know right um
but but um
you know it's
it's funny emotions are
are are crazy at those times
you know the
the the cost of the business terms of emotions are
(51:23):
are pretty high
absolutely yeah
if it does happen to you you know
you're gonna feel a lot better if you have a plan
and insurance and professionals ready to go yeah
absolutely
yeah you know
like the insurance policy
but also like uh
retainers with instant response teams
(51:44):
retainers with the breach council
um then you get people that know
you know your systems um
and you can get going right away
um and
we help them negotiate that with the insurance company
so that everybody's approved
and the insurance company is going to be paying
those people um
you don't have to like write a check for anything
you just um
(52:05):
you just activate them
right which
I mean
I you know
I've been in situations
where we had something happen in the business
where I I felt out of control and I was like
making all these decisions and then um
you know and then I
I took out this like line of credit because like
I was getting hammered from everywhere
right and it
it was
like a higher interest rate that I could have gotten
(52:26):
and I had to pay it off real quick
you know but like I
I get it like once you're out of control
like you're feeling like there's too much going on
and you don't have the answers then um
you know my banker wasn't answering the phone
you know it was a mess
right and the uh
this like a year ago
I guess and the um
but like having that control
I think emotionally allows you to make smart decisions
(52:47):
you know and that's really what it comes down to
you know cause
you know if you're
if you're buying the insurance if you're like that guy
you know that that woman you know
like you're in that position
where you don't wanna be making like
knee jerk decisions based off of like
partial information
and you're not an expert in those things right
so I always like that that concept of like
having someone ready to go who can be like
(53:08):
let's just take a deep breath and slow down
before you do something you're gonna regret later on
you know
nice let's uh
coming up to the top of the hour here
how do people find you you know
I'm on LinkedIn
what um
if you see a spicy comment
just say hi
don't worry about getting in trouble with work
you know but I like to uh
I always like to be on LinkedIn
I'm really active there so find me on LinkedIn
(53:30):
you can email me you know um
and uh you know
sometimes it makes it through the spam filters
uh if I respond to you
sometimes I make it through your spam filters
you know but um
I'm always around happy to talk if it's too too spicy
you can always send hit me up on signal
you know encrypted commie comms and uh
but uh
I look forward to seeing some of you visit my
(53:51):
my profile you know and saying hi
awesome so that's Dennis Underwood
um on LinkedIn
and then you can reach his website at cyber
crucible.com
and you're doing some some funding right now too right
crowd funding oh
I am yeah
it's a crazy idea that's seeming to work
I um
someone showed me a medical device company
(54:12):
that's doing it that
uh was able to better align with their customers
by having this like emotionally and and
and you know
financially invested group of people that are customers
users prospects
whatever haters
I don't know and um
and they uh
they actually uh
you know it's worked out really well for them
and it helped them keep aligned with the customer
values and customer expectations
(54:32):
so I started a crowdfunder
it's on Wefunder um
there's a couple videos on there
wefunder.com Sabre Crucible
um and uh
you know looking forward to seeing some more people
on there that are um
you know uh
interested in seeing a cyber security company
as it continues to scale to kind of stay
stay true to what their needs are right
(54:53):
which is uh
it's always easier to do when you're
you're invested in the company you know
absolutely I think a year from now um
you're gonna be on much bigger podcast than us
than this one
I see big things in the future
just keep doing what you're doing
yeah we're scaling nicely
it's very nice to see
you know uh
(55:13):
that the vision is is uh um
the crazy
vision of autonomous cyber security is starting to
to uh
gain more and more followers let's go
awesome well
you guys know how to find me
Joe at c 3 insurance
you can go to cthreeinsurance.comslashcyber and uh
get in touch with me there
or Joe at c three insurance dot com
(55:34):
and uh thank you for liking
and subscribing and commenting on our um YouTube
Apple podcast give us 5 stars
Spotify give us 5 stars um
you have to listen to us for
like two minutes first before you can
they'll let you grade
but if you can get through the first two minutes
we'd really appreciate it
alright that's it for today though
(55:56):
thank you again Dennis for coming and absolutely
I'll see you all on the next one
what's a QBR? sorry
(00:01):
a quarter
wow I don't know
a quarter
if the hackers go to access data or passwords
or whatever we go ahead and we say
you know what let's not do that right now
you know and then and we uh
we go ahead and suspend it
I should get the um the smiley face like on my uh um
on all of my emails and notifications
(00:21):
you know like have a nice day
you know
self respecting hacker was leaving like my hacker lol
thought exe on your desktop
this wasn't happening you
you're listening to the Ransomware Rewind
where we break down the latest cyber threats
data breaches
and security solutions that matter to you
and your business
(00:43):
stay secure
stay informed
enjoy the show
welcome Dennis
thanks for having me long time listener
first time uh questioner you know
so how's it going out there in Pittsburgh
you know it's good
you know um
it is uh
it is frigid cold it's really interesting
um I actually did a whole day of sales pitches
(01:05):
and like this
like massive cardigan sweater that I got for Christmas
you know and really I felt I felt very like Nordic
you know like I should have like a
like a Steve Jobs
like black turtleneck or something out of it
it was just a normal Christmas sweater there
maybe that'll be your thing like the cardigan
do you have it with you can we
can the listener see it
I don't know I don't
you know what I you know what
it's white
(01:25):
and I made the mistake of like having spaghetti
like a four year old and then wow
I know so now I have
I have to get it cleaned um
it would be funny though to see me
like on cons stage somewhere in a conference
and like my uh
built for Nordic weather uh
you know sweater
you know and then I'm just like sweating
you know like as I'm up there in front of the cameras
you know
like what's wrong with this guy
you know it's like always wearing this like Arctic gear
(01:47):
you know
so you're doing sales pitches today uh
what were you pitching
our product right
um and it was good to pitch to uh
you know partners who like to do like
their own testing on the software
um and then uh
but sometimes I'm like hey
I'll talk to someone who's like
gonna be an investor or whatever
um and uh
(02:09):
you know so it's
it's interesting you know
we um
I've always heard like
QB's discuss with like an OEM to a channel partner
and then we have a what's the QR
sorry a quarter wow
I don't know a quarter
hahaha
that's
it's a QR
yeah you know
it's
what's that meme that's like
(02:29):
um from uh
parks and recreation like
you know I'm scared to ask at this point
you know like I
never really asked I just kind of went with it
you know like I knew quarterly
you know quarterly business review
I think you know
and I just want to know how to use the product better
and stuff like that and you know
kind of like a what have you done lately for me kind of
um you know
kind of meeting you know and um
we found actually some
(02:51):
we found some kind of like data breach like hey
did you guys know
we like stopped this like four months ago
and then like someone piped up and was like
oh yeah that was like Mandiant
you know and I'm like
oh cool
so we stopped your pentest
I guess you know
and I hope based on how expensive they are
that they worked around that
you know that they didn't just sit there and
you know go away and send you a Bill
you know so you're impossible to get into
(03:14):
haha right right
well um
for the listeners that don't know what your product is
can you can you give us a quick overview
yeah yeah sure
absolutely um
so cyber crusible is an autonomous agent
what that means is that we live on the machine
we are able to do some really cool assessments
uh in near real time and then take action uh
(03:36):
to stop the hacker
and hopefully if everything goes well
knock on wood
and it's cause if those of you in security
but generally our customers uh
an attack will be stopped
and the employees have no idea
only the it department
for the security folks know
if they're actually watching
you know like if
if uh
we had one customer that uh
marked us as spam and then they never got reports
(03:58):
and they never knew anything
and then all of a sudden on our QR
I was like did you know this happened like a month ago
you know like
and they were like no
you know I'm like
well
like this is good I mean
the product worked as intended
you know like nobody uh
no fuss no muss
you know just like your fire sprinkler
just kind of sat there and did his job
so the attacker tries to get in or um
(04:19):
they try to execute malware and then in a very
in like a millisecond a couple milliseconds
your software
um agent takes charge and stops it from executing
yeah
it's a it's like a data prevention
data loss prevention tool basically
you know so if the hackers go to access data
(04:39):
or passwords or whatever we go ahead and we say
you know what let's not do that right now
you know and then we yeah
we go ahead and suspend it
um and then uh
the hacker sometimes they'll retry cause of all the
I mean I've seen you post on like AI and stuff
there's a there's definitely a lot of automation
in various steps and
and so sometimes it'll be like 10,000 attempts
(05:00):
because they have some script running
this little program that's constantly retrying um
and uh we uh
we sum that all up and say hey
guess what someone just was stopped about 10,000 times
have a nice day you know
I I should get the um
the smiley face like on my uh
on all of my emails and notifications
you know like have a nice day
(05:20):
you know I think
for you just like
every notification should be like a different meme
nice
nice so people have EDs
like Crowd Strike and Arctic Wolf
and all these great products why do they need you too
(05:40):
that's a great question
we get that like every single sales pitch
I always feel bad when someone um
was like I'm sorry to ask this
you know and then I'm like
well everyone else did
so don't feel sorry you know um
like uh
you know edrs
um I mean
I've been around security for a long time
and they were really good when they first came out
essentially
they came out because antiviruses were really good at
(06:02):
like checking like files
but then um
they got really bad at checking files
you know like
like
and so edrs are really good at like catching telemetry
and then it's almost like herd defense
you know where they were like OK
well a couple you
what's that um
Futurama uh
meme with like you know
some of you will die but
you know that's a sacrifice I'm willing to make
(06:24):
you know like haha
like that's essentially e r right
I mean which
you know I was one of the guys saying that
you know and it was like
um some of you will be victims uh
sorry you know
I did a control group for my experiment
and the experiment is figure out OK
what is the hacker doing now
OK now
is anybody else
are we seeing that anywhere else from anyone else
(06:45):
we haven't seen his victims yet right
and that worked as long as the uh
the hackers were pretty stable
you know like
whether it was like Stuxnet or all the rest of them
you know like way back in the day um
and uh
that worked well but then the hackers
like they're not gonna be stagnant right
so they started to evolve
and it's almost like um
(07:05):
I don't know if anyone's ever read Michael Crichton's
Jurassic Park
it's like from high school
required reading back in the day but um
the virus was like give our product right
um and it was good to pitch to uh
you know partners who like to do like
their own testing on the software um
and then uh
but sometimes I'm like hey
(07:25):
I'll talk to someone who's like
gonna be an investor or whatever
it's almost like um
I don't know if anyone's ever read Michael
Crichton's and drama to strain
it's like from high school
required reading back in the day
but um the virus was like
mutating faster than anyone could do anything
and it's kind of what the hackers have done
they're like well okay
I'll just keep on mutating
so fast that you can't ever keep up
and build a signature to deploy um
(07:47):
so we said you know what
let's figure out if we can make it that
no matter what signature is coming out there
what hacker technique is mutating that we can just say
you know what we're gonna stop that
and then we're gonna figure out why exactly later
that's time for Crystal on us show
yep OK
I'm reading this book called Ghost Fleet right now um
I think it's required reading for like a government
(08:11):
NSA type jobs um
where it's about like possibility of like World War 3
um
and how it would go down
and the Ghost Fleet is essentially like
all these ships that are on ice
because they're like analog
and they're like the government's insurance policy
in case like these connected ships get all like hacked
(08:32):
right nice um
but the
way that the virus got into like
the government agency in the book was
it jumped from a cell phone to an RFID chip um
is that could that happen
I mean the the RFID trip would have to be like
writable and everything you know
(08:52):
normally they're just kind of
like chips that just wake up and give out a signal
they're not programmable you know um
I guess
you know there's a certain number that are right
but then also it
there's not much room to do much right
so like the they don't
it's like if I'm going to you and being like hey
hey Joe I want like a programmable RFID chip
and I need to do these things
(09:13):
and you're gonna be like okay
well let me do the minimum to fit into like the
the price I give you
like it has to be 3 cents per chip
you know well you're not gonna like go out and be like
let me see how many SSD's I can cram into there
you know
how many hard drives can I cram into this thing
you're gonna be like the bare minimum be cheap
you know be profitable
is it possible for a a virus to come into or
(09:34):
or malware to come into your system in pieces
and then put itself together later
yes
yeah actually we
we stopped someone at a merchant services firm
where they actually um
you know you can do that and that's fancy
or you can just like pass the source code down
because a lot of machines
out there have the ability to compile
programs that like
nobody uses you know um
(09:56):
and uh so we actually had one where they
they went on there and they were compiling the
the malware right there
building the malware in memory
um and to run it right
and it was pretty wild to see and I was like
huh never thought about doing that before
you know but um
or I guess you could do it in pieces sure
you know until like
I don't know like some big superhero
(10:17):
Mike Myers comes and saves the day
I don't know I think so yeah
um
going down that line um
most
a lot of hackers are using like legitimate programs
um to access your system right
like they're
they're not like going and making all this malware
they're they're just using like Microsoft tools
(10:39):
is that is that sound right like
or yeah it depends
I remember um
I remember back when so if you look so
so everyone on you know
all of your millions of readers
you know know that like um
race more rewind actually was the name of like
our product back in the day
and Joe has like
all right to use it for his
you know his podcast right
(11:00):
so it's down the way right now
you know you're the
you're the godfather of ransomware
we went I know yeah
it was like a you know
it it was worked from marketing until it didn't
but we had like that key capture back in the day
you know where we actually decrypt Ransom
and you look on YouTube you'll see
I should give you the the YouTube channel actually
I should see like I don't know if there's like a
like a uh
I guess you took it over right you
(11:21):
you name your channel ransomware Rewind
is that right yeah
maybe you have a okay great
if if
if you're not let me know and I'll make sure to like
I'll pass the torch I don't know
you know but like um
we have all these like decryption videos right
and they stopped something in 2020
well to your point right
they were using the windows uh
the windows cryptography libraries to like
(11:42):
create keys and and settings
the NSA term would be like crypto variables
you know I think it's in our pattern too right
you know and so like
um and then they
we figured it all out and put it together
well the hackers were like
well you know
that's great because you're living off the land
they call it a hacker you know
in security um
but we're gonna go ahead and like
take that and we're gonna make our own program
(12:03):
and keep it all quiet and secret
and that way you can't see how we're messing
around with keys and stuff
you know and I was like
I remember these guys were calling me from like
burner phones and they speak better English than me
despite being like
from Bangladesh or Northeast China or whatever and um
their solution to get around all the monitoring uh
was to uh
(12:24):
to not use Windows you know
libraries anymore and to go ahead and take it in house
you know and that that caused some issues for me
um you know
and there's it gets geekier
but basically we realized that prevention was better
so to your point it's like sometimes they use them
cause they're there and they're available
and they know everyone has them
and other times they they realize
(12:44):
they introduced a vulnerability into their own setup
and their own operations and they had to like
kind of like stop using the Windows libraries
like back in
2020
yeah 1
Dennis was a speaker at our Cyber Summit last year
and he had a really
cool presentation about how
(13:05):
hacking groups are working as businesses
um can you kind of just like give us a thirty
uh thousand foot view on that on how uh
sophisticated hackers are
yeah yeah
I mean there's just like
there's a limited number of like really experienced uh
you know penetration testers
or I'm assuming experienced actuaries I
(13:27):
I don't know like I'm speaking out of my
my lane there but like
um and so like gifted people right
limited number so uh
you know the business model is well
if you you know
how can you multiply your most experienced employees
and you can set up different ways
whether it's like a training program or have like
a lot of times you see like a master salesperson
(13:49):
the VP of sales you know they're just gifted
right and they just um
they'll give like
call scripts to all their junior folks
running out of college you know
to say you just say these things right
and that's kind of what happened
with the Hacker Village was like they uh
you know deep in their volcano
they were like well
let me just like
automate the attack and give a whole bunch of these
um uh
junior folks you know
(14:09):
this like the
these call scripts to use right
and then it went from there
where they developed
like an affiliate program and a channel program
just like a normal business
you know like
let me get resellers
let me get agents out there to do stuff for me um
and they set up this whole supply chain
you know because they were
they were so successful it was so profitable
and they were like well
(14:29):
how can I amplify my reach
and it's just like selling
I don't know straws
I was sure my next company will be like
an AI powered cocktail napkin
you know
so I'm distributing my AI powered cocktail napkins
you know like and
napkin dot AI actually
yeah
now you're gonna see some crazy pattern put in for like
(14:49):
AI powered cocktail napkin
they'll beat me to the punch exactly
but like no pun intended
but like um
but the uh
so um
yeah so there needs to be a distribution model
right and distributors in different places
and they set all of that up
and they have like you know
revenue shares and everything
it's pretty wild to watch
um and then whenever it's like
someone calling us on a burner phone
(15:09):
it's always like the mower developer behind the scenes
it's like
not the front line junior guy who knows or girl right
you know who knows like hey
I know to run this script and if as long as I do that
I have a job right
and that's what we see a lot
yeah the uh
they have like access managers
access people too that
(15:30):
that just their job is to just to hack um
and create access
and then they hand it off to the person that's gonna
actually Ransom it
right which is boring compared to like
the hacking for some people right
it reminds me of um
my some of my software developers
you know and other ones I know in my career that like
they love like the R&D problem and then um
(15:52):
and then what happens is like
when you get to like quality assurance
testing or like any like the boring stuff
they're like I don't wanna do that
you know and then you
you never get a working solution
it reminds me of a um
so I was I was
when I was back working in government
there was like this like uh
this military operation like counter terrorism thing
you know and like we
were waiting for this one new capability to come down
(16:13):
and um
I was waiting for like um
you know months
and finally I just like went and I found the person
and it was like this
like it was a young woman who like was
you know this brilliant mathematician right
and like I was like
what are you doing and she was like
well it's not
I know I can do more for efficiency
it's like not optimized like yet for full mathematical
(16:34):
like precision and I was like
you're like
1,000% better than anything we've ever seen before
like we need this now right
and it was so weird to see the separation between like
the academic side of like
whether it's hacking or you know
mathematical models or anything
versus like the operational side of like just hey
can you
can you run your software without breaking my business
(16:56):
and causing a global blue screen of death
you know
like it was like two separate sides of the equation
you know
yeah I get that
it's kind of like a form of perfectionism
yeah where she's afraid to
to ship something I feel like that
I do that when I'm a editing these podcasts
nice nice
my partner's always like where's the podcast Joe
(17:18):
I'm like I just need to go and
you know and fix the audio a little bit more
I get it I get it
I I went through um
well here I
am saying um
but I went through and every now and
and I'll be like let me just go ahead and remove
all of the unnecessary words
and I end up with like
this max headroom type situation
cause there's so many unnecessary words
I'm um
I think you know
(17:39):
the news casters are safe from me taking their jobs
cause I'm not quite as smooth right
so let's look at what you're saying
well
for the news casters all you have to do is talk in um
little bite size chunks they just want um
you know like a one liner
nice
it was it was a
who's the guy that did cosmos um
(18:02):
the
uh
he does Ron Burgundy
he's like the most famous scientist guy on TV
um he did the documentary Cosmos
Neil
oh Neil degrasse Tyson
the gross yeah
Neil degrasse Tyson okay
(18:24):
yeah and he said all the guys are looking
all the people are looking for a sound bites
oh awesome
so you don't need to like give them a big explanation
just give them like a sound bite
so that they can take that and put it on their story
awesome so that's I guess small words too huh
(18:46):
like I every now and then I'll tell someone I'm like
well now that that's the little quiz done
you know and then
uh sounds like that's not the way to communicate now
you know exactly
exactly
I saw an article with the um
about I think they're bringing back Vine
maybe wasn't Vine one
that was like six second clips or whatever like like
I I think
(19:07):
I don't know it could have been like rage
I was too slow to get on Vine
I want I like was nice
I was like signing up for an account and I was like
well Vine's no more oh
so I was gonna say were you the one writing the article
like like a
a girl a marketing campaign
you know like let's bring back Vine
you know
I thought that the people that were using it right
were pretty much geniuses
(19:27):
because they took Vine and they would
you know 6 seconds right
but they would put it together like a tweet storm
and they would have like these six second clips
like um
you know going uh
continuously to like tell a whole story
which was yeah the people that did it right
it was really captivating
(19:48):
I believe it there was a um
so my daughter's uh 15 and she was
she always has like sometimes she'll come down to the t
watch her influencers and Youtubers
whatever on uh
on the big TV in the living room
and I looked up and I was like
I recognized that now woman
and I had actually in my first business in Pittsburgh
the services company I had asked her to like
(20:10):
make some graphics and business cards for me
um before I
guess she got into like being an influencer
and then like I saw her and I was like
you know we're all 20 years older now you know
and I was just like I kept thinking like man
she has more money than I could ever hope to have
you know like just recording videos
you know and um I was like
(20:30):
I'm questioning a lot of my life now you know um
that was wild to see
the influencer economy is really interesting
and I think that
they are probably the least cyber savvy
and that they have a lot to lose by getting hacked
I think there's a contingency of hackers
out there that try to steal their passwords
(20:52):
and then
their Youtubes have you seen that out there
yeah actually um
I've seen it before where uh
we thought it was someone
I'm gonna say something important that's
that's kind of like not the right way to say it but um
where it it was like a celebrity yeah like
like basically it was like
it wasn't important to the enterprise
(21:13):
but it was like they it was an account that basically
fed back to a influencer and they like
this person was just like tracking this
this woman um
you know as she was going like
internationally shopping and Dubai and everything
and it was like a whole set
as if it was like a VP at a bank
you know or or CTO CTO of a bank or something
(21:34):
you know so I see that and you know what I um
I saw we had a we gifted a channel partner
um some licenses for like Christmas a year ago um
and then they kind of disappeared
and then one day like it
like the licenses showed up and it was um
some of like the camgirl kind of stuff
you know like
and we only knew because like they were
their logins and we were protecting them
(21:55):
and they were like
someone was trying to get access to their
their account right and um
their account information
because that person had logged into an
a camgirl a site
I think that was the camgirl like the
the gift like it was given
it was basically given to the
cause we looked it up and we're like what
it was an anomaly in our site okay
(22:16):
surprise no
not many I mean this probably an insurance thing too
not many employees do
go to those kinds of sites with their work
you know desktops you know um
if if they are I don't wanna know
but in this case
we saw the theft attempt and we were like
what the heck you know
and um we realized that it
you know and it was in like this orphan group
(22:36):
so we had no idea who it was or what it was
and then we looked at the name and I was just like
let's go ahead and close that link right now
before we violate all HR policies at
in our company you know
like and um
W right yeah
so it definitely was a concerted effort
so it must have been some creepy fan or something
yeah and so they were just like
trying to get access to secret photos and
you know so I was
(22:58):
uh looking on LinkedIn the other day and this girl was
she does videos like that have to do with stem
you know like she does as like presentation
she's pretty uh
good looking and she was like
showing a side by side of impressions of like
when she puts stuff on LinkedIn
and when she puts stuff on Pornhub
(23:20):
and how much
like more money she made from putting it on Pornhub
just like her like uh
you know stem presentations
like with all her clothes on just talking about like
you know cyber security or
or whatever she was talking about
so right
I just found that kind of interesting
I had um
you know for
for this the
(23:40):
the crowd fund we're targeting like uh
building a community of like security experts
you know to as investors
um great for customer acquisition partners
I I always joke
you know
people that if I take a 90 degree turn the wrong way
they'll be like maybe don't do that Dennis
you know like
you know let's have a chat about that one
um and uh
it like I played it right next to some guy
(24:01):
like one of those like Instagram Youtuber
uh like 20 something year old
you know young man
and he was like sitting on the hood of like Ferraris
and he was like I don't know
like doing all kind of stuff and super
super um
what are those filters you know
that made them look like uh
unlike more like a robot I don't know
you like and um
yeah and I was just like
and you can see the numbers rolling in like
(24:23):
and I was just like
and it was selling some NFT or something
you know like
and I was like man
like I'm
I always question whether I'm doing this wrong or not
because like you know
here I am
trying to do this super advanced security thing
you know and this guy's still on a dream and
you know just raking in the cash
there's a cost to being like a good guy too
hahaha thanks
if you used your skills for
(24:45):
you know on the other side of things
I mean I'm sure you can make a lot of money
and probably more money yeah
they're guaranteed probably stay
you know under the radar
but like then you wouldn't feel like a good guy and
and I think there's a value to that
that yeah that's right
you can go home yeah
that's why I'm always playing these like RPG games
you know like Baldur's Gate or whatever
(25:05):
and I always end up being like the folk hero
even though I'm like you know
I have all these choices right
but like I just like feel weird like
you know killing people for no reason
I get it I get it
so maybe not being a mercenary
maybe not in your future you know
so yeah sometimes I'll
I'll like that's it
(25:26):
as far like bad as I'll get is like mercenary work yeah
but you know
I I usually end up being like the folk hero
you know
it was interesting because it was kind of boring or
or I'll or I'll like be the folk hero and like um
somebody will piss me off and I'll just like
kill everybody but then I'll like load my last save
(25:47):
right
you should maybe talk to someone about that
I talk to people
it's 2,025
you can talk to people it's fine
oh yeah
um and
you know I
I uh
I had made a comment that was a little bit edgy so
you know I
I try to say things on LinkedIn that are a little bit
um punching up
you know uh
(26:08):
while I can you know
once I have like you know
you know big private equity saying don't do that
and they have someone managing my
my online presence you know
but um
and I made a comment about how they released the um
the Silk Roads guy like the
that website that does all like the for whatever reason
whether on purpose or not
I have no idea and I guess
you know um
(26:28):
what's his name the the something pirate yeah
I can't remember first name
I should I should know this right
it's my career you know first name is Ross
um you you look like a normal guy too right
you know it's like wow
a bearded pirate or something it was like nice
what's this
it's a the stores
go to the website and Saint Kiss buried in the sand
you know like um
and but here I released right and I was kind of like um
(26:51):
the uh um
you know OK
well that's good for cyber security for I felt because
you know like his website was kind of
you know up to a whole lot of shady things and um
that he was taking money on
so here's here's my question though right
you know
cause I saw you comment on my on my comment right
and I was like maybe I should answer offline
so I'm not gonna answer here right
(27:12):
but the question is like
so let's say that he comes to you guys right
C3 insurance and he's like hey
I'm gonna start a new business
I want like it's gonna be a website forum
and I wanna customize Eno policy or cyber policy right
like so how would you guys approach that knowing
you know past sins forgiven right
would you have like an extensive questionnaire period
(27:34):
or would you like find a customized like chub
kind of like you know
quote or something
cause like you can assure anything allegedly right
yeah
if it's gonna be a similar website to Silk Road
then it's probably uninsurable
but I know I was and then like it was like only legal
uh only legal market
uh right
(27:54):
can only do legal things
then I'm sure we could find something for him even
right and then
and my question is like
how much due diligence would you do if he's like just
oh it's a marketplace for friends to gather
and then you find out it's like
like what how would you track that
or was that the insurance is like the underwriter's job
like how would that work
well I wouldn't
(28:14):
get information from different sources
they have their own databases they'll look at
the insurance website they're insuring
they'll do
their due diligence on on that part
um if they're gonna look up the CEO
probably not um
and then in the application
(28:35):
it's always asking like
is this an adult website is this a gambling website
is this a um
a crypto website um
or do like
people can make financial transactions on the website
you know stuff like that
in order to like kick those either out of their um
appetite which means like what
whether they'll write it or not
(28:57):
the insurance policies
and then you
know or or if it's gonna fit their their box right
and we have we of course have a
a ton of companies that will fit
you know adult sites and
and gambling sites that are out of the box
it just goes to a different kind of insurance company
like a a Lloyd's of London syndicate yeah
(29:18):
got it but there's
as long as it's legal we can insure it uh
because in every insurance policy
there's a clause about doing illegal stuff um okay
where that's not covered so if you're like
get in trouble for doing something illegal on purpose
(29:42):
then we can't uh
the insurance company is gonna just deny the claim
got it got it okay so I guess they're still unsure
they just won't get yeah
they won't get short for that right
yeah if they're doing something bad
interesting intentionally
yeah okay
got it got it oh sorry
I got serious
I didn't get I don't get all serious on that's okay
(30:03):
I like talking about cyber insurance
I talk about it all the time so yeah yeah
we can talk about that hey
uh
I did a tiny bit of research on this hack called not
Petya
do you remember that it was back in uh
June 2017 that was like ancient history as far as uh
(30:23):
cyber security goes right
it's probably I I imagine this same exploits
you can probably find work somewhere
you know are you I mean they used a
a combination of a Eternal Blue
which was a US created um
exploit to get into Microsoft computers right
(30:44):
and then they use this other one called mimikatz
which would go in
take the passwords out of that computer
and then you know
move it to like other computers that
that were on that network
and Microsoft even had a patch for Eternal Blue
but if they got into an unpatched Eternal Blue computer
(31:06):
that had passwords for the patched Eternal Blue
computer it could still spread
so it was kind of like a really um
sophisticated worm and it was
it's a good example of like actual cyber warfare
cause it was like the Russians like going after Ukraine
but it spilled over to the rest of the world
it was kind of became like a cyber crime on
(31:27):
a cyber war fair on the entire world
um due to due to its nature
it's always hard I
I noticed you know
and ransomware is very similar
like it's just uh
the the hackers go on
keep on trying to find ways to like
automate their operations and um
every now and then you'll see me talk about like
right sizing uh
(31:48):
ransomware attacks you know
right sizing your hack cause if like
if you develop something that's like so uh
you know so much like this exploding worm
you know across the world
um then like
it's probably overkill for what you want like and
and we used to have in the beginning with ransomware
where like they would um
uh you know
data sets is one thing right
(32:09):
so it would go everywhere and just steal data
but then I think
wanna cry ended up being that they were like
people were getting like these
you know just pay the bitcoin and we'll
and we'll like
uh open up your computer
but it was like
it spread so far that the hackers were like
we're out of this is out of our control like
you know yeah
and if you pay we can't open your computer
cause this went to like millions of computers right
(32:31):
and that's that's the um
I guess that's the problem
you know with
with the hackers is kind of like
if you encrypt too little
right then like the it team all high fives
cracks open like the prosecco or whatever
you know like
and then they move on right
um and if it's like too much
like I remember some points
like I'd have like FBI guy call or
or whoever right
(32:51):
and they'd be like hey
like can you help us
and I'm like well
what's left you know
or do you have the did you pay the Ransom
and they're like well
the problem is
is that like the hackers love like left nothing
you know like
and they also like drain their bank accounts
and I'm like
so you can't pay the Ransom and the machines are down
and so they have no revenue generating capability
right and I was like
(33:12):
okay so they're sports
they're you know
the what
no cyber insurance
no no
yeah so they just like
and they go down and I'm like
there's nothing left just declare bankruptcy
you know like what are you gonna do at this point
you know
or sell for pieces like sell for the server cost
I don't know and um
and so I think from the hacker world right
it's almost like you you know
(33:32):
you kidnap someone then you like you kill the hostage
you know and there's like just
you can't get your Ransom now because you uh
you you know you
you got rid of your leverage point that they pay for
right right
and depends on the motivation of the hacker right
and then I saw one they were talking about they
um you know
they they realize what like almost every sales
like especially you know
(33:53):
every salesperson knows that like every
like buyer has like
a certain check size that they can actually um
get out of them you know
and you know what like oh
this deal value requires the
this many signatures kind of thing
you know right
and um
so every now and then I see them like
do like a smaller attack trying to like
get it to be under the budget of the person
they're notifying you know
(34:14):
and I'm like that's actually really smart
you know
smart than a lot of sales people out there
you know like so um
so I always call it like right sizing
be just painful enough to get a quick transaction
you know release the CFO's kid
so to speak you know
like and then like there you go back to the races
you know yeah
heard of people uh
finding out that the hacker
(34:35):
went on their server
and looked at their insurance policy
and they found out that they're you know
have $1 million in cyber insurance
and then they'll say in the negotiation like
we know you have $1 million in cyber insurance
just let your insurance company pay it
and we'll go away right
uh I always felt like that gave insurance a bad rap
cause like it's not
(34:56):
cause if it wasn't the insurance policy
they just bring up the the
the bank statement you know
and be like OK
how much how much liquidity do they have
I bet you we can get them to like
give like a 24 hour payday loan for this much
you know like
I mean it I always felt like people were blaming
the risk management system
you know the insurance system
instead of blaming the hackers
(35:17):
are just figuring out how much they can charge
you know so they don't see something
good
I'm sorry to talk over you dude
it's it's hard with zoom um
they could look at zoom info or yeah
Bradstreet and find out like
numbers that way too just like hey
we know make 25 million a year
this is only 500,000 it's
(35:39):
it sucks for you
but don't you wanna get back into business
right
yeah right
I mean it makes perfect sense to me
you know um
but uh
I mean I think they're just getting smarter
can you think of any hacks that
they weren't motivated by money
where they wanted to to like shut a company down
(36:00):
oh jeez um
you know
I saw more where I was really suspicious that the
perpetrators were somehow also
the victims were also helping the perpetrators um
where I'd see evidence of that where like um
I'd try to negotiate the Ransom down or um
(36:21):
or like the you know
I try to call the owner to be like
hey
they gave me like 24 hours to raise the price and the
and like not even the owner
but just like some C sweeper whatever
and it's like
they just weren't interested in a lower Ransom or like
deadlines or anything it was just kind of like
you know like I'd
I'd eventually call the guy
they'd be down for like a week
and then they'd be on the golf course
(36:41):
you know and I'm like
do you do you think I can close this deal
and they're like yeah
sure let me finish up my round first
you know and I'm like
how are you solvent you know
like you're playing
golf and your whole company shut down
so I always wondered I
I could never ask I don't wanna know if I did know
I couldn't talk about it I'd be like
looking outside my window
if there's someone following me
you know like
(37:02):
but like right um
but I always wondered about that
you know um
because like it
it just seemed like there were some folks uh
maybe a little bit too interested in the Ransom payment
taking place you know
without fuss or muss you know um
and
we're a lot less stressed out than I would have been
you know with my business down
you know so I did see that none of
(37:22):
no one that you know
I think you know
and it's been it was during Covid too
you know so um
just crazy times you know do you think
the vodka company Stoli's was
was uh
purposely attacked to make them go bankrupt
uh
which one Stoli's Vodka
oh
I don't even know about that one
(37:43):
I I
I have this like feed of like Ransom companies
and it's just like non stop
every day there's like a new article
you know and I'm like
ah just it goes spam now
you know what
I just heard
that they were not in good standing with Putin
and the government there
and then they like seized their
um factories in Russia
(38:03):
and then at the same time they got hacked
it just seemed like
too many things coming together at once right
I said I've been now then with um
MNA like we're like
right before or right after an investment or MNA
they'll like they'll be like some big Ransom event
and then um
I'm like ugh
was that kind of like on purpose to like
(38:23):
get some tax free liquidity
you know like
and you know
I don't know like
I always wonder about that
cause the timing you know
it could be that the hacker
there was sitting on their systems
waiting for them to have a high risk situation
where they would pay cause they were yes
the MNA
(38:43):
yeah or
or the traditional um
before your investment
have some troll like send you like a legal notice
they're gonna sue you if you want to keep it quiet and
cause they know you'll have to disclose to the
you know investor
you know I can see that happening too
you know like you have to disclose this or else uh
you know
the investors will know they might blow up the deal
sorry you know
like so alright
(39:04):
there was that one hacking group that like
reported a company to the SEC
before the reporting rule was actually even up um
up right right
I I heard
I don't know
I think it was you who told me that
or someone told me that like
the filing was actually pretty high quality
like it was better than what they
expected out of like
even their own employees or something
and I was like that's hilarious
you know they know rules better than us
(39:26):
yeah yeah that's funny
yeah uh and then there's uh
Ashley Madison that one was uh
yeah that was wild
I um
you know I was brought in where we identified a uh
a cookie theft you know
and it was like an executive's personal computer
and it wasn't actually Madison
(39:46):
it was actually a different site that
you know I
I don't feel comfortable saying
you know but like
it was a certain sub genre of sexual activities
you know and he had gone to there as well
but this this executive's computer
like the executive somehow like was involved in like
they figured out it was like patient Zero for the uh
the ex like
like basically the ransomware event
(40:07):
you know and um
now it was good because you know
when I when I talked to them
it was like the eno
insurance guy for the company was there
and I guess there was like a um
an umbrella policy for the personal insurance
I guess and I don't know how they were related
you know but you know
different line you know
way more than I do about this
so you know
so and basically it was like once I identified it
(40:29):
that was like the end of the communication involving me
you know cause I don't need
you know at that point
that's probably the right thing to do anyway
you know I don't need to be there
you know I'm not Perry Madison
you know and then um
I see Madison's dad maybe
I don't know you know
but like one more question
Perry Mason I met wow
so that's a it's a total uh
slip right
but um
but the um yeah
(40:50):
but they I guess they realized what was going on
you know and then uh
you know and I don't know what happened beyond that
you know I don't want to know
you know but so to that point though
you know
there was definitely an extortion blackmail kind of uh
angle you know right
you know they said like
shut down the company or we're gonna leak everything
yeah or like we're gonna call your wife I
I don't know you know like
(41:11):
but but uh
I was just like you know
glorified Geek Squad you know
with a piece of software you know
so I did my Geek Squad thing and then I was like
okay there you go
you can leave now you know
zoom call yeah
yeah this is
this episode of uh
Dark Knight Diaries
(41:31):
where he talks to this guy named Chris Rock
uh different Chris Rock how can I say it
white guy
and uh
he
this guy is talking about how he does this
like he's basically a gray hat
gray hat hacker uh
who works like as a
basically a hacker mercenary for high profile
(41:52):
like people of the Middle East or whatever
and he was talking about how
when they need to hack somebody
they don't start with like the person themselves
they start like they do their reconnaissance
they find out like where they get their massages
what banks they use um
like all this other stuff
(42:13):
and then they try to like
hack those people
or they'll try to hack their kids or their wife
and then like slowly get to the person that way um
do you see that a lot or do you see
is that um
pretty yeah um
I mean I
I get to like I get to distance myself
from a lot of that kind of work
(42:33):
now that we're like a software company
not services you know um
that certainly would would happen um
you know back when I was doing services
uh whether whatever scope of activities that would be
absolutely because like
you know the
the guy might be hardened
you know but then like
you know the
the executive's wife's home computer wasn't right
(42:55):
and and um
so I always do try to convince people to it's thorny
right because um
you're like okay
use my software to protect your family's computers
right awesome right
but then there's a second area issue
which is that like so if if um
if we're installed on like
the kids computer or the executive's home computer
which we all know you know
(43:16):
despite all the admonitions
they they'll share devices and share logins and stuff
you know like this
you know and then um
then uh
or like the wife's computer
right like the wife's Microsoft soon
I don't know you know
whatever the iPod killer
right but they'll
they'll use that right
and then the company though
if they deploy that with them
then if they're managing that
(43:37):
then the company has access to all their personal stuff
which increases the liability for like both parties
right because now you have
what are that waste doing
are you liable now like for their like
you know salacious book club activities
you know like whatever yeah
and that's a that was always a challenge
I know I was never quite you know
I was always say well
there's some options I never really saw them come back
(44:00):
but it seems like the sticking point was always
we should protect them
but we don't want to know what's going on
you know and that was always the uh
the point where they had to figure something out
have you ever thought about doing a consumer version of
uh what cyber crusible
yeah we
we definitely could I
I think that was one of the options I always gave
you know or give
(44:20):
you know was um
was like hey
we can make a separate group for them and just like
it'll go basically
you know cause the odds of a consumer
ever looking at their stuff was
is pretty low you know
so it was always like hey yeah
we'll set up a separate group for them
uh they can be notified
they'll probably they'll probably historically
they will probably like Mark that note
(44:41):
that security notification as spam
you know or just be like filtered out of my inbox
I don't care about that you know like
and um
uh and
and we'll see that you know
with like one or two company users
like a lawyer or like a dentist or whatever
you know we'll see that already
you know where um
there I always say
they treat it like their fire suppression system
like their fire extinguisher company was like
hey Tom
(45:01):
do you renew and they're like great
it's over there bye
you know here's your 20 bucks
you know so
um so we do see that
but yeah it's it's um
it's harder on the sales side for us right
cause it's hard to get that big ROI when you're like
you know
they think about it for six weeks and then you're like
okay great
here it is and you realize like it's a 70 dollar deal
you know and you're like
okay like that wasn't worth my time
(45:22):
you know right so yeah
I yeah
I guess you never know but yeah
so sometimes you
you end up working on stuff that ends up
not coming out to anything
and sometimes it ends up
being leading to something even better
much bigger
yeah there's um
you know
we have a couple executive Protection type folks like
(45:44):
like you know
Station X Green Beret outside the office kind of thing
you know and um
it was actually the exact opposite problem
we're like um
they were like look
we just installed like a 25,000 dollar like
you know camera system for this one
you know leading to the safe room
I don't know whatever you know
I'm like cool and then they're like
I'm like well
you know identity theft is a problem
(46:06):
they're like yes
we're very concerned about that
and then I'm like well
I have the software that uses AI
uh some
you know genetic
with the genetic algorithms
and reinforced learning kind of stuff
and then we we are able to find the hacker right
like awesome great
let's give it to Mister or Missus executive right
and then like they're like
I show them the price you know
it's like
still a hundred bucks for the both or whatever
(46:27):
you know and they're like
okay look
like we're paying like 10,000 a week for this
like X Navy seal to like you know
walk around with them I
I can't put a 70 dollar thing on their Bill like
and I was like well
then charge what you want and wrap it inside of like
I don't know special forces like cyber
you know sleuthing agent or whatever
(46:48):
I don't care what you call it
and cause for them it was the opposite problem right
where it was like too cheap
and they were busy
like installing like the best of the best
like fiber optic cables for the cameras
and like
Thermal sensors and all this kind of crazy stuff right
and then here's me with like a little plucky
little like you know
dime store
kind of like a software compared to all that
(47:08):
you know yeah
so if you're listening Dennis is software is too cheap
hahaha
for them it is yeah
I mean get it now before he raises his prices
that's right like
why buy a Rolex when you can get a K
Mart plastic strap for the same price
you know I mean really yeah
they're both tell the time ha ha ha
real real quick we're kind of getting to the end here
(47:31):
uh do you have any like
like 3 practical security tips for
for businesses out there
oh wild um
yeah sure
you know um the I think the first is that if you are
you know selfishly is in my favor
you know
but whatever you can buy just like buy it automated
I mean really
(47:51):
I I see people down this
go down this trap all the time of like
they're gonna buy this thing that has like
50 knobs to turn and they'll like
you know and they'll be able to get back to it later
they never get back to it later
you know like
they're lucky that they have time to change the oil
nowadays you know
so I say if you're gonna get it
get it automated as you possibly can
don't trust that someone else will automate it for you
because they have the same problem you do
(48:11):
you know um
so I think automation uh
is gonna should be a big focus um
I really like it when people use some kind of MFA
multi factor authentication
I know it's a pain in the butt
don't do the text message stuff
I hate it whenever someone like knows my history
and they'll call and they'll be like
hey I have this like
high net worth individual and executive
(48:32):
and they're like their phone has been cloned
like that is that
they're getting hacked on their phone constantly
can you help us and I'm like
I don't have time but I can tell you
it's probably gonna be like
30 to 50 thousand dollars
by the time you're done kicking out the hacker now um
that you know that can get really expensive right
you know so I would say use multi factor
get like a Google authenticator
Microsoft whatever fill in the brand
(48:55):
I don't care you know
that really slows down the hackers
and makes them work harder
you ask for three things oh man um
you know I
I you know
you and I have spoken about the insurance side
you know repeatedly um
and I
I always see that like whenever an attack does come
even when our
our tool successfully like blocks everything quiet day
(49:19):
there's like still like hey
where's the hacker at you know
and there's still time and money spent on that
and it always costs more than you think um
and it's you know
a lot of people
the less technical they are less cyber savvy
the less valuable they think
the less the price they think should be right
and then um
(49:39):
it always surprises them
and I always say like the cyber insurance um like
uh you know
like Eno's not really gonna cover it right
like cyber insurance
that'll help them like navigate that um
you know the
the dip in revenue or the
or the escalation temporarily in expenses
you know and it's
always
seems to be messier than they think it's gonna be um
(49:59):
so I'm a big advocate of it
I know that's selfishly your line of work right
you know
but you know it's
it's it's funny cause like if you're not doing that
then you're dipping into like your liquidity
you know and that's just not cool
you know like
cause then there's only so much of it right
and so um
it is an interruption to your
to your normal day and insurance will help bridge that
no different than like your driver
(50:21):
like rear ends some school bus
and then now you're stuck with this
you know really
uh difficult situation
you know if you want properly insured for this
for your driver right
and these professionals get paid on par what
uh lawyers get paid
you know it's like
you can't find a incident
response team that's gonna charge you less than
like $400 an hour yeah
(50:42):
we actually raised our prices um
to try to like like
we try to be nice to people
cause they're normally in desperate times
that they haven't used our software
and so actually
I raised my price to try to get them to like
find a more affordable option
cause most folks do not need
like former NSA cryptographers
you know like they just
they just don't need that
you know
(51:02):
so right um
and and uh
this complex situation I raised the price
and some people were just kind of like
okay sure
and I'm like that didn't go as planned
you know
you're supposed to go to like someone cheaper or
you know who has
who has a bench you know right um
but but um
you know it's
it's funny emotions are
are are crazy at those times
you know the
the the cost of the business terms of emotions are
(51:23):
are pretty high
absolutely yeah
if it does happen to you you know
you're gonna feel a lot better if you have a plan
and insurance and professionals ready to go yeah
absolutely
yeah you know
like the insurance policy
but also like uh
retainers with instant response teams
(51:44):
retainers with the breach council
um then you get people that know
you know your systems um
and you can get going right away
um and
we help them negotiate that with the insurance company
so that everybody's approved
and the insurance company is going to be paying
those people um
you don't have to like write a check for anything
you just um
(52:05):
you just activate them
right which
I mean
I you know
I've been in situations
where we had something happen in the business
where I I felt out of control and I was like
making all these decisions and then um
you know and then I
I took out this like line of credit because like
I was getting hammered from everywhere
right and it
it was
like a higher interest rate that I could have gotten
(52:26):
and I had to pay it off real quick
you know but like I
I get it like once you're out of control
like you're feeling like there's too much going on
and you don't have the answers then um
you know my banker wasn't answering the phone
you know it was a mess
right and the uh
this like a year ago
I guess and the um
but like having that control
I think emotionally allows you to make smart decisions
(52:47):
you know and that's really what it comes down to
you know cause
you know if you're
if you're buying the insurance if you're like that guy
you know that that woman you know
like you're in that position
where you don't wanna be making like
knee jerk decisions based off of like
partial information
and you're not an expert in those things right
so I always like that that concept of like
having someone ready to go who can be like
(53:08):
let's just take a deep breath and slow down
before you do something you're gonna regret later on
you know
nice let's uh
coming up to the top of the hour here
how do people find you you know
I'm on LinkedIn
what um
if you see a spicy comment
just say hi
don't worry about getting in trouble with work
you know but I like to uh
I always like to be on LinkedIn
I'm really active there so find me on LinkedIn
(53:30):
you can email me you know um
and uh you know
sometimes it makes it through the spam filters
uh if I respond to you
sometimes I make it through your spam filters
you know but um
I'm always around happy to talk if it's too too spicy
you can always send hit me up on signal
you know encrypted commie comms and uh
but uh
I look forward to seeing some of you visit my
(53:51):
my profile you know and saying hi
awesome so that's Dennis Underwood
um on LinkedIn
and then you can reach his website at cyber
crucible.com
and you're doing some some funding right now too right
crowd funding oh
I am yeah
it's a crazy idea that's seeming to work
I um
someone showed me a medical device company
(54:12):
that's doing it that
uh was able to better align with their customers
by having this like emotionally and and
and you know
financially invested group of people that are customers
users prospects
whatever haters
I don't know and um
and they uh
they actually uh
you know it's worked out really well for them
and it helped them keep aligned with the customer
values and customer expectations
(54:32):
so I started a crowdfunder
it's on Wefunder um
there's a couple videos on there
wefunder.com Sabre Crucible
um and uh
you know looking forward to seeing some more people
on there that are um
you know uh
interested in seeing a cyber security company
as it continues to scale to kind of stay
stay true to what their needs are right
(54:53):
which is uh
it's always easier to do when you're
you're invested in the company you know
absolutely I think a year from now um
you're gonna be on much bigger podcast than us
than this one
I see big things in the future
just keep doing what you're doing
yeah we're scaling nicely
it's very nice to see
you know uh
(55:13):
that the vision is is uh um
the crazy
vision of autonomous cyber security is starting to
to uh
gain more and more followers let's go
awesome well
you guys know how to find me
Joe at c 3 insurance
you can go to cthreeinsurance.comslashcyber and uh
get in touch with me there
or Joe at c three insurance dot com
(55:34):
and uh thank you for liking
and subscribing and commenting on our um YouTube
Apple podcast give us 5 stars
Spotify give us 5 stars um
you have to listen to us for
like two minutes first before you can
they'll let you grade
but if you can get through the first two minutes
we'd really appreciate it
alright that's it for today though
(55:56):
thank you again Dennis for coming and absolutely
I'll see you all on the next one
Popular Podcasts
Fudd Around And Find Out
UConn basketball star Azzi Fudd brings her championship swag to iHeart Women’s Sports with Fudd Around and Find Out, a weekly podcast that takes fans along for the ride as Azzi spends her final year of college trying to reclaim the National Championship and prepare to be a first round WNBA draft pick. Ever wonder what it’s like to be a world-class athlete in the public spotlight while still managing schoolwork, friendships and family time? It’s time to Fudd Around and Find Out!
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!