Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to
the Audit presented by IT Audit
Labs.
Nick Mellem (00:14):
All right.
Welcome everybody to another episode of the Audit.
I'm joined today by Eric Brown and Nate Ristine.
Nate, welcome to the show.
Nate Ristine (00:26):
Yeah, thanks for
having me. Happy to be here.
Nick Mellem (00:28):
Excellent.
Today we're going to, you know, kind of go through everything
phishing.
Nate is, well,
I would call him a subject matter expert in the field.
He works us day to day, amongst many other things, but this is
really what we wanted to dive into today.
So, Nate, first things first.
What's your day-to-day operations look like?
Nate Ristine (00:51):
Well, first thing
is coffee.
You can't go without coffee, you need it.
So two or three cups of coffee.
Start looking through some alerts, digging through some of
the phishing emails that have been reported.
Sift out the false positives.
Get through some of the phishing emails that have been
reported.
Sift out the false positives.
(01:11):
Get those back into the rightful owner's hands.
Then you find the malicious ones.
The more fun ones to go through. A lot of the day,
when going through those, is, I guess it really depends on how
many you have.
If you've got 100 malicious ones you've got to go through,
then you've got to go through them kind of quick, get them
done.
But when you've got a few and you can really deep dive onto
(01:32):
them and really look and see what the attacker's goal is,
those are the most fun.
Nick Mellem (01:39):
Absolutely yeah.
When you're going through these, is there a specific day of the
week that you've noticed that's worse?
Is it Monday?
Is it kicking off right away, or is Wednesday more than others,
or is there a specific day you can remember?
Nate Ristine (01:56):
Monday mornings.
People are normally catching up on emails that are coming
through the weekend or on Fridays, so you'll normally see
quite a bit of them on Monday mornings.
Nick Mellem (02:07):
I always felt like,
at least when I was looking
through these types of things.
I always felt like Fridays, things just blew up in your face
and you were ready for a long day going into the weekend.
Nate Ristine (02:20):
To me, Fridays
have always been the calmest,
because I don't think anyone likes to work on Fridays.
That's a good point, or at least check their emails.
Nick Mellem (02:28):
They're late to
check their emails on Friday.
Eric Brown (02:30):
Just to back up, a
second on your coffee.
Are you grinding your own beans or what are you doing there?
I do grind my own beans.
Yes. All right, let's unpack that, because I'm also.
Nick Mellem (02:42):
I'm interested now.
Eric Brown (02:44):
Yeah, a bit of a
coffee guy myself, you could say.
So what do you do?
What's your routine?
Nate Ristine (02:53):
I take a half cup
of whole beans, grind them up
into a fine, I guess, fine powder, yeah, and put them in the Mr.
Coffee machine and let it run. Gotcha.
Nick Mellem (03:09):
Oh, so you're not
doing a pour over or anything.
Nate Ristine (03:11):
No, nothing fancy
for me yet.
Eric Brown (03:14):
Cool.
Are you getting the beans from anywhere special?
Nick Mellem (03:18):
Walmart.
Hey, there you go, big spender.
Eric Brown (03:23):
What about you, Nick?
Nick Mellem (03:25):
Yeah, I kind of go
all over the place.
We have an espresso and we just got a new Keurig because they
kind of crap out, I feel like, once a year, but the new one has
a milk frother and everything, so it does all kinds of crazy
stuff and it's like, can it be on the Wi-Fi?
Ours is not, but it can be.
Oh, wow, yeah, one less point of failure to be hacked, so
(03:47):
we'll leave it off the network.
But yeah, I actually like to do pour-overs, I guess by
regularly.
That would be my poison of choice, I guess.
Eric Brown (03:56):
Yeah, cool. And Nate,
how many tattoos?
Nate Ristine (04:02):
Just the one.
Eric Brown (04:03):
Just one tattoo.
Nate Ristine (04:04):
Yeah, but the one
is a quarter of my body, so okay,
all right, so it's good.
Eric Brown (04:10):
I don't think you
can be in security without any
tattoos, can you?
I mean, unless you're posing?
I'm not sure.
What do you think?
Nick Mellem (04:15):
Yeah, I think you, I
think you got to have some of
them.
Yeah, I think they're kind of like battle scars, right.
Nate Ristine (04:21):
They just like
comes with the territory. That
poses the question: what are yours, Eric?
Eric Brown (04:27):
Uh, so interesting.
I don't have any, so I must be posing, but I did.
I went to CES this year and I got the Prinker, which is a
tattoo printer.
So, like, you can, you can print tattoos.
They look, yeah, I don't know.
They look okay, um, but uh, yeah, I started playing around
(04:49):
with that. Uh, you actually bought the printer? Yeah, the
printer.
Nick Mellem (04:53):
That's awesome.
I, because I saw you send that and I, that's, that thing is
pretty cool. Yeah, when I got home I ordered one. Yeah, that's
really cool.
So it's kind of like you can just print whatever tattoo you
want.
You can just find anything online and print it. Yeah, it's
certain size restrictions, like, you know.
Eric Brown (05:10):
It's like an inch
wide by five inches long,
something like that.
Yeah, you can do some cool stuff with it.
You can make a snake, yeah. And then Nate, just by way of
setting the stage, the organization that, that you're
working for now and doing a lot of research with, you get about
100,000 emails a day, and of those, I don't know, what do you
(05:35):
think are spam?
About 50% or 60% are spam, malicious, whatever, like
non-business related.
Nate Ristine (05:45):
From emails
outside of the organization.
Maybe 40% to 50% fit that not necessary range, whether it be
marketing campaigns or malicious attachments, yeah.
Nick Mellem (06:01):
Nate,
when you say not necessary, what do you mean by that?
Nate Ristine (06:04):
It can be a lot of
spam or something that's truly
malicious, or something that's a marketing campaign.
It's not malicious, but 90% of people don't want to look at
them either.
So I guess low priority is a good way to classify them.
Sure, absolutely good way to classify them.
Nick Mellem (06:22):
Sure absolutely.
Eric Brown (06:24):
So we were getting
into.
You come in, you have your coffee and you're starting to
unpack these emails.
So let's say you find one that bypassed all of the filters.
It's actually a legit phishing email.
Nate Ristine (06:40):
What do you do? If
we've already determined that
it's 100% malicious,
then I dive right into clicking all the links, figuring out
where things are going, what the attacker's goal is, what kind
of information are they trying to capture, and that kind of
stuff.
Eric Brown (07:00):
Are you just
clicking the links on your
regular machine?
Nate Ristine (07:03):
Nope, I will bring
the email into a sandbox
environment, whether it be a VirtualBox, VMware or some
random server up in Azure or AWS.
Eric Brown (07:17):
And are there tools
that you use to see what they're
doing, like how do you exploit this or how do you look at it?
Nate Ristine (07:29):
When opening up
the link you can view the source
code of.
Normally it's an attachment that they send.
So you can view the source code of the attachment or the
landing page and kind of look through what they're supposed to
be doing or what they're showing that they're going to do
(07:50):
on the front end.
That can lead to some information like pre-populating
the email address of the victim in majority of cases, or causing
redirects. With a lot of phishing campaigns,
they'll send you this attachment that loads up a web
page.
That web page is going to send you to two or three different
(08:14):
URLs before you actually hit the actual phishing site.
So you can find a lot of the steps in the chain by looking at
the source code.
Once you start clicking on stuff and entering credentials
or, well, fake credentials or other information that they're
looking for, you can load up Burp Suite or some other proxy
(08:37):
and capture all the information that's going back and forth.
That way you can really see, well, I guess, what kind of
information they're doing, what portions of the website are
being executed and what format they're accepting the data in.
What's something interesting that you've seen?
I think the most interesting one I've found like that, when I
(09:00):
went to submit credentials,
it actually executed a PHP code, or some, a piece of PHP code
that was supposed to be hidden on the back end, but it was
actually shown in the front.
That are you.
It was accessible on the front end so I was able to grab the
code that was actually sending, or in control of sending, the
(09:22):
credentials to their repository.
So that was pretty fun.
Unfortunately, they had that repository pretty locked down,
so while they screwed up on the phishing site, they were doing
things right on that side.
Nick Mellem (09:39):
Sure. Nate, you
mentioned Burp Suite.
I think that leads me into wondering what are your go-to
tools, or is there a handful of tools or one or two that you
just feel like you couldn't do your job without? Burp
Nate Ristine (09:56):
Suite would
probably be one of them.
Capturing that data going back and forth is pretty essential,
and a good text editor really is the other very important thing.
A lot of these attachments, they're just HTML attachments,
or if you're looking at the headers,
you want that data to look clean and be easily readable, so
(10:25):
having a good text editor is very important.
Nick Mellem (10:26):
Yeah, that's good
information to have, for sure.
You've been kind of keying on that.
You're seeing common trends, tactics.
Nate Ristine (10:45):
You know that you
can comment on? Yeah, well, right
now there's, well, I guess not as much right now, but when the
Ukraine Russian war began, uh, there was a lot of emails with
information on that. Back during the, the George Floyd stuff, there
(11:05):
people were, there was phishing stuff on that.
Nick Mellem (11:09):
Any major event, uh,
in the world is, is going to,
there's going to be phishing emails for it. Sure, and I
suppose when you bring up, you know, the Ukraine war, that, that
brings in kind of that emotional aspect.
And, Eric, I know you have spoken about this before as well,
you know, kind of a new thing we're seeing along with social
engineering goes alongside with phishing as well, that emotional
(11:34):
engineering.
I think, you know, we're seeing it more and more, but I think we
can probably unpack a lot there, right?
Is that something?
You're seeing it more and more, but I think we can probably
unpack a lot there, right?
Is that something you're seeing?
Nate is, you know, you click on this link, you get a free
burrito, you know, do you?
I see you laughing right now.
Nate Ristine (11:50):
So, yeah, it's
kind of a fun one. Yep, um,
emotional stuff can be one of the better ways for the
attackers to actually get their phishing stuff to work.
Nick Mellem (12:03):
It's kind of a long
and crude.
Nate Ristine (12:04):
Yeah yeah.
A lot of the phishing emails you'll see are just kind of
blasted out to everyone.
They're very generic, but if it comes to a point where it's a
more targeted attack, they can get pretty ruthless on how they
do it when it comes to pulling on emotional heartstrings, it's.
Eric Brown (12:23):
It's a good point,
Nick and Nate.
I was at a security meetup the other day and some pen testers
were talking about some of the techniques, uh, and some of the
clients that they worked with, and one pen testing company was
replaced because their social engineering campaign, where they
(12:44):
were doing a phishing attack to get a way into the organization,
used some pretty harsh emotional engineering against a
specific person, against a specific person, and the
discussion then was around, as pen testers, we're the good guys
(13:11):
and we're not trying to cause emotional stress or strain or
damage on an individual at the organization, because if we were,
you could win every time, so to speak, because those always
get through.
So then the thought was, well, can we come up with other ways
(13:33):
to get into an organization without going to that extreme?
And I think, unilaterally,
the answer was yes.
Um, and then the conversation turned to what about the monthly
campaigns that we do, and, Nate, you were talking about the real
(13:54):
world examples that we're seeing tend to follow what's
happening in the news, because that's current.
So what do you guys think about that?
Right, as we craft training emails for our user base, where
(14:14):
do those training emails lie?
Right?
Are they on the side where there is that emotional piece,
or is it a little bit more fun, kind of in the middle with the
burrito, or is it something with misspelled words that looks
pretty obvious to most that it's a phishing email? Really,
(14:37):
because those very difficult or phishing simulations that are on
that higher end, where they are very well crafted and, and pull
on those emotional heartstrings, from a security perspective,
should be what we're doing.
Nate Ristine (14:55):
We should be
testing users for that, so that
they're aware and they find those little details that, that
signify that it's a phishing email.
But again, on the other side, we're a team, we're not their
enemy, we're their coworkers, we're their friends.
We shouldn't be pulling or pulling on those strings like
(15:21):
that.
So it is a very hard thing to balance.
Nick Mellem (15:25):
Yeah, it's kind of
a double-edged sword.
Nate Ristine (15:28):
Yeah yeah, there's
kind of a double-edged sword.
Yeah, yeah, there's no winning.
Yeah.
Nick Mellem (15:35):
I can see both
sides of it, you know.
Personally, I don't think we should be pinning them down all
the time.
I do think we need to just be honest with ourselves and we
have to look at it through the lens of the attacker.
They're not going to take it easy on our colleagues,
coworkers too, even though they're our friends.
We see them every day at the water cooler.
They're getting the same emails that we are.
(15:55):
We should be crafting similar ones to test them.
When I was in the military, my senior leaders used to always
tell us, probably when we were complaining too much, that the
more we sweat in peace, the less we bleed in war.
You know, the more we sweat in peace, the less we bleed in war.
(16:15):
So I think if we can simulate the best training, you know, right,
that for our customers or clients or our colleagues,
whatever have you, you know, we're really doing the best service
for them because we want to train them for these,
you know, 50% of the emails that are coming in that we said
earlier that are spam.
We want to train them for the real deal.
So, yeah, it's kind of a double-edged sword.
(16:35):
You don't want to bait them in all the time,
think they're getting a free burrito or tickets to an
amusement park per se, but those are the emails that they are
getting, so we definitely have to train them for that.
Eric Brown (17:08):
Well, we spend a lot
of time and effort dealing with
non-business emails because the malicious actors are using that
as a threat vector.
So it hasn't gone away, it seems to be.
It's probably gotten worse and no matter what tools we have,
they still get through, right.
I mean, there's great tools out there, new ways to catch these
emails all the time, blow them up in a sandbox, but they're
(17:35):
still seeing that, right.
It's still making it through all of those defenses and it
comes down to the human at the end.
I've advocated in the past that from a business perspective,
there's no reason to have commercial or emails from
(17:55):
commercial accounts that contain href links.
So if you removed the ability to click on a link from the email,
that would, I think, solve a lot of problems.
If the user really wanted to get to whatever that was, they
could copy paste it into a browser, but most of the time
(18:19):
you would see that it's a really long string of numbers and
letters is masqueraded by that href link that goes to, you know,
some common words that might entice you to click on it, but
really it's just going back to a site that was spun up in some
sort of cloud hosting provider that is used to capture creds or
(18:45):
redirect or what have you.
But it's probably a trillion, a trillion dollar industry, that
email filtering. And Nate, you,
you were talking before kind of offline about maybe some of the
stuff that you do with, with the credit cards.
Right, because you'll, you'll, you'll get a phishing link,
you'll exploit it and then it's asking for some sort of payment.
(19:09):
What do you do there?
Nate Ristine (19:13):
So I've been
trying to find new ways to dig
deeper into the attacker's goals.
So over the holidays I was sent a text message or a link from a
text message that had for UPS.
So I went in there and I was going through it and it looked,
it was a very good looking site.
(19:35):
I mean, if I didn't notice the, the URL, I would have believed
it was UPS.
I started going through it and you click on a couple of links.
You enter in your zip code and they then want you to add
personal information.
So you throw in a fake name, fake address and everything.
Then it tells you, well, your package, it was redirected.
(19:58):
Or we have, you have to pay a dollar and 45 cents plus VAT, which is
European tax, which didn't make sense, but some of the, the
attacks tax have done a little bit better is have American tax
on there.
But once you enter in all this personal information, then it
(20:18):
asks you for a credit card to pay this $1.45 fee.
Well, not many people want to give up their credit card number
just for testing.
So there's a site called privacy.com.
You can sign up for free.
You link your bank account on one end and then on this
privacy.com end, you get to make as many free credit cards as you
(20:41):
want, so you can use different names, different zip codes,
different credit card numbers, expiration dates. Everything can
be different for every single purchase.
What I typically do is I'll set like a dollar spending limit so
that way when they do try to charge my card they can't take
(21:02):
more than a dollar.
But yeah, so I throw one of those fake credit cards in there,
wait a couple of days and then start seeing charges.
This one specifically was for,
is it? I think it was Squarespace,
which is a website hosting website or service.
Maybe they were trying to set up a new phishing site, uh, to
trick more people.
(21:22):
Or maybe they were just using that to test if the card was
valid to go sell the credit card number on the darknet.
It's hard to know.
But once that dollar, they tried to charge a dollar 45
cents and that failed because it was over my limit.
So I guess I don't really know what they would have done next.
So yeah, next time around maybe I step it up a little bit,
(21:44):
maybe I risk $2, put $2 on the line to see where it goes next,
you know.
Nick Mellem (21:50):
I think you should
do that and report back, please.
That's really interesting.
Nate Ristine (21:57):
There's been
another thing I've been meaning
to dig into a little bit more.
With Google Workspace you can set up this business email
address for fairly cheap and you can monitor the emails that
have been sent out from like an admin perspective.
So I let this account get compromised and then, from the
(22:17):
admin side of things, I can see all the emails that go out from
them to further investigate what their attacks are, what they're
trying to do.
But I'm a little bit skeptical about moving into doing that
because then I'm knowingly allowing them to compromise this
email and use it to attack others.
So unless I can edit the email before it's sent and say, like, in
(22:43):
the subject line, this is a phishing email, don't click,
then I could see myself getting some, some negative, negative
results
if, if I knowingly allowed an attacker to continue working.
Can you send it
Eric Brown (22:58):
off to a different
mail relay where you control
that relay and then you can manipulate the, the outbound
messages, like you could just shoot it to a trash can or
something like that?
Nate Ristine (23:18):
Don't know.
I haven't found that available or that option in Google yet,
but maybe there's definitely other services that can do it,
though I just don't know if
Eric Brown (23:24):
Google Workspace can
do it.
So you're seeing,
I think you mentioned text messages too, right?
Have you guys both been getting smishing or SMS phishing
messages?
Nate Ristine (23:35):
I have one work
phone and one personal phone.
My personal phone, I don't get anything, which I don't know how
I've managed to do that, but I guess it was just luck of the
draw.
Nick Mellem (23:45):
I'm not going to
mess with you.
Nate Ristine (23:46):
What's your phone
number?
Yeah, 69-41028.
Mess with you.
What's your phone number?
Yeah, yeah, six nine four one zero two eight. Yeah, your work
phone.
You get a lot donate yeah, my work phone gets a lot.
I don't know why that would be.
Maybe it, maybe it was just luck of the draw, maybe having
it associated with different accounts.
Nick Mellem (24:09):
Whoever had the
phone number before you could
have used it and then was involved in a breach or
something.
Nate Ristine (24:14):
Yep, yep, that's
very possible.
Nick Mellem (24:18):
Yeah, for some
reason over the past two days
I've gotten one from Amazon that my account, you know,
they noticed some, you know, some odd activity with a link and
these are good emails.
The only way that I know is because of the sender
information that comes up on the top on an iPhone.
(24:39):
I'm sure it does on the same thing on an Android.
Eric Brown (24:41):
Are you talking
about text?
Nick Mellem (24:43):
Yeah, this is via
text.
Okay, I got another one a couple days before that from
PayPal saying the same thing.
They want me to call.
They didn't leave a number, but they specifically say to unlock
your account, contact us or click on this link.
Again, with the crazy, I didn't, I did not.
Eric Brown (25:06):
You should call it.
Throw it on the speaker right now.
Let's see what happens.
Nick Mellem (25:10):
This one right here.
It says call us, but the number is blank.
It doesn't have a number.
That's why it's odd, otherwise I definitely would be down to do
that.
And then I got one from Netflix, and I think we've all seen
that one too, where they want us to change our password or what
have you. Suspicious activity logged in somewhere else.
So they're definitely out there in abundance, that's for sure.
Eric Brown (25:32):
That'd be a fun
episode if we each came a couple
numbers and we just started calling them.
Nick Mellem (25:38):
It would be very
interesting, that's for sure.
I think people love that.
Eric Brown (25:41):
And then we just tie
the two together and let them
talk to each other and see what happens.
Nick Mellem (25:45):
Yeah, I think I've
seen that as a video, where some
lady calls the two, um, Chinese takeout restaurants and they're
yelling back before, no, you called me.
No, you called me.
What do you want?
What's your order?
No, you called me.
So similar thinking, that could be pretty.
Nate Ristine (26:01):
There's a couple
Twitch streamers out there that
focus on this kind of stuff, where they call a scammer and
trick them.
It's always fun to watch.
Eric Brown (26:13):
Where they're trying
to get back and, and, uh, I
think I saw one where they were able to get the guy's camera on
and see the, uh, the building that they were in.
Yeah, how about offline stuff?
Have you got anything offline, mail?
Nate Ristine (26:31):
I don't think I've
gotten anything too crazy in
the mail.
There's definitely the weird marketing campaigns, but other
than that I don't really get anything from mail.
Nick Mellem (26:42):
Nate, because
you're in this industry, do you
get a lot of texts and calls from your mom or anybody, family,
dad, grandma, grandpa, saying, hey, Nate, I got this message.
Is this legit?
Do you get that?
Nate Ristine (26:56):
Yeah, there's
definitely been the calls of
what do I do?
Uh, it certainly happened quite often.
Uh, I, during this talk, I remember this, uh, this call.
Like we were talking about earlier about calling the
scammers and see what they're trying to do.
A few years ago my mom plugged in her computer and she
(27:19):
got this pop-up saying call Windows support.
Right now your computer's locked for, for this and that, the
common thing you'd see nowadays.
But she called him and the guy kept asking for money.
So she called me and she's like, can you figure out what's going
on?
He's like, yeah, it's a scam, let me call him.
(27:39):
So I spent an hour on the phone with this guy just leading him
an hour.
Wow, yep, yep, I was.
I was definitely bored, it was.
It was quite exciting.
After a while I, I was just kind of telling him, well, this is
what's wrong with my computer and I've got this screen, just
making stuff up because I didn't really have computer or the
(28:01):
alert in front of me.
And he goes, well, we're going to have to charge you to fix it.
I was like, how much?
The guy didn't give me a price.
He says, how much can you pay?
I was like, wait, what, how much can you pay?
I was like, wait, what, how much can I pay?
He's like, well, I've got.
Uh, it's like, let me look at my bank.
So I look at my account and I'm like, I've got five million, just
(28:25):
completely joking.
And he's like, all right, it's gonna cost 50 grand to, for us to
fix it.
All right, you ready for the card number?
And I read off a card number and, yeah, nothing ever came of
it.
But after a while he started to realize that I was messing with
him and, yeah, some very naughty words came out after
(28:49):
that.
Nick Mellem (28:51):
So he was posing as
Microsoft support. Yep,
funny.
Nate Ristine (28:57):
Yeah, that's a.
One of the common ones now is if you come across, uh, I guess
you'd call it a malicious ad, um, it kind of hijacks the browser
and makes it go full screen and it's just a bunch of pop-ups and
sometimes audio saying call support.
Your computer's been locked for, I don't know.
Sometimes it's child porn.
Eric Brown (29:33):
So, Nate, you've
participated in some.
Go through and do specific objectives, right?
Mm-hmm, yeah, have any of those scenarios or the problems
presented in those scenarios mimicked some of the things that
you've seen in the real world at your job?
Nate Ristine (29:53):
Yeah, the goal of a lot of the capture the flag stuff is it can
kind of be twofold or two parts. One is going to be more focused
(30:14):
on teaching and one is going to be more focused on challenging.
So in some of the early capture the flag challenges, or in
some of the early challenges, they'll have you go through kind
of your common steps, go look through the headers to find some
information,
whether the IP address is aligned or the sender's domain
(30:34):
name or the email from is the same, so maybe they throw a flag
in there.
Another flag could be in the source code of the website or
the link that you're going to, and another flag could be maybe
an email you get or another phishing email you get after you
submit your credentials or something of that sort.
(30:56):
Then it can dive into the more challenging aspect, where it's
going to be not just the things that you would see in a normal
phishing email, but now you need to think outside of the box.
This is going to be the challenge portion of it, where
not everyone's going to be able to get it or not.
Well, not a lot of the professionals are going to be
able to get it or not.
Well, not a lot of the professionals are going to be
able to get it, because it's so out there.
(31:18):
It's not something you're going to expect to see, but it's a
challenge.
Nick Mellem (31:25):
Well, thanks again,
Nate, for joining us today on
the Audit, and to all of our listeners, thank you again and
be sure to check out our previous episodes anywhere you
can find podcasts in your favorite platform and check out
our website at itauditlabs.com.
Eric Brown (31:44):
Want security
leadership without the headcount?
As an extension of the team, IT Audit Labs will provide the
experts to guide and counsel your company.
We will start by creating a custom security program that
caters to your industry while providing transparency and
remediation to improve cyber posture while reducing risk.
(32:06):
Contact IT Audit Labs to find out more.