[00:00:00] Andrew Wilder: So we get contacted by one of those government three letter agencies, because one of our accounts payable departments has sent a seven figure amount to an offshore bank that is owned by a known hacker.
Introduction
[00:00:20] Jonathan Crowe: Hello, and welcome. Please come in. Join me. I’m Jonathan Crowe, Director of Community at NinjaOne and this, this is IT Horror Stories. Brought to you by NinjaOne, the leader in automated endpoint management.
[00:00:35] Jonathan: Hey everyone, and welcome to the show. I am your host, Jonathan Crowe, and I’m very pleased to have with me as our guest in IT Horror Stories, Andrew Wilder. He’s the Chief Security Officer at Vetcor. Andrew, thank you for being brave and joining us.
[00:00:50] Andrew: It’s a pleasure. I’m looking forward to reliving some of my horror stories with you, Jonathan, so let’s do it.
[00:00:57] Jonathan: I love it. I love that mindset. That you can’t wait to revisit those horrible moments. Well, let’s definitely do that. Before we do though, we always like to get a feel for our guests, right? We, our audience, we want to care about, our heroes, our protagonists, who are about to go through these terrible circumstances. Give us some context about where you’re at in your, how long you’ve been working in IT.
[00:01:18] Andrew: Currently the Chief Security Officer at Vetcor, as you said. Vetcor is a veterinary consolidation company. We own about a thousand veterinary hospitals in North America. And, they’d never had a CISO before I joined as their first CISO in September of last year.
[00:01:33] Built the team out from zero to eight people over the last nine months or so. And it’s the best job that I’ve ever had. Great company, great leadership. You know, everybody that I work with is a partner in trying to help us you know, do things together. So it’s a wonderful place to be at.
[00:01:50] I’m very, very happy with where I’m at. I also have the distinct pleasure to get to tell recruiters all the time when they reach out that I’m not interested. I’d be happy to connect them to other people in my network, but I’m perfectly happy where I’m at. So, that’s a wonderful thing to say.
[00:02:04] Jonathan: I feel like that’s a great goal to have.
[00:02:06] Andrew: It is, it is. If you can, if you can get to that spot, I, you know, kudos to you too.
[00:02:11] Jonathan: And you get to work on securing, of course you’re dealing with people, you’re dealing with the veterinarians themselves, but you’re also in a way, you’re servicing and securing the types of end users everyone would really love to have. And that’s dogs, cats, animals.
[00:02:26] Andrew: That’s right. That’s right. We’re protecting the pet data too. So in terms of my history, I’m gonna ask you a question, Jonathan, did you ever watch that TV show called The Office?
A Dunder Mifflin origin story
[00:02:37] Jonathan: Of course.
[00:02:38] Andrew: Okay, so my story starts not unlike Dunder Mifflin. I worked in a paper company in San Diego, right out of school.
[00:02:47] And I was actually a customer service rep at a paper company. But because it was a small company, I did everything. I did inventory, I did marketing and sales. I did finance. I did the whole thing. In fact, when we get really busy, I’d go out in the warehouse and drive the forklift and pick pallets and put them on the truck.
[00:03:05] So I knew this whole business from beginning to end. And one day the owner comes to me and he says, Hey Andrew, we’re gonna replace our old mainframe system with Windows servers and Windows workstations. And I said, awesome. That sounds like a great idea. He said, you’re the youngest guy, so you get to do it. I said, okay. So I did it. You know, I worked nights and weekends for about three months to do all the data conversion by hand. One day we go live with this new system and things are breaking and I’m fixing them on the fly and it just feels amazing to me. So I have this moment of clarity very early in my career and I realized maybe I should do this IT thing as a career. So I save up some vacation time. I save up some money, and I go and do one of these Microsoft boot camps in Chicago in the winter – a guy from San Diego. That’s pretty rough. It’s two weeks and there’s seven exams, and if you pass all seven exams at the end, you are an MCSE. And so that launched my IT career, and I put my resume out all over the country.
[00:04:07] I got picked up by HP doing a contract for cybersecurity for Bank of America in Atlanta, Georgia. And the rest, as they say, is history. That started my consulting career. Then I, one of the companies that I consulted for was Nestle. I was there for 18 years. When I left Nestle, I was the regional CISO of the Americas, Asia, and Europe.
[00:04:27] I didn’t sleep very much. Had a big team around the world, traveled a lot. And since then I’ve been a CISO three times and as I said, currently at Vetcor. So that’s been my, my history.
[00:04:36] Jonathan: Wow. That’s amazing. Thank you so much for sharing that. It’s funny to think about if, you know, you had really taken to that forklift driving, where you would be instead.
[00:04:46] Andrew: There’s actually a nonprofit group that I work with called CyberUp that helps take people who are mid-career, gives them free cyber training, and then places them as apprentices. And every once in a while I get the opportunity to go and speak to one of the training cohorts. And one of the guys in the thing gave feedback afterwards and he says, I’m a forklift operator right now, and I’m getting into cybersecurity, so I’m gonna be just like you.
[00:05:10] I was like, man, I’m glad I can inspire with that story. That’s helpful.
[00:05:14] Jonathan: That’s fantastic. You know, I arrived at NinjaOne through a path that [also] involved paper. I used to work for a book publisher actually. Some very fortuitous changes where I ended up in tech and I’m so glad and feel so lucky that I did. So that’s fantastic that you’re helping other people do that. All right, well, enough of the good, fluffy, happy stuff. Let’s talk about…
[00:05:34] Andrew: Let’s get to the horror!
[00:05:36] Jonathan: That’s right. That’s what the people are here for. Let’s give ’em what they want. Okay, so I understand we’re gonna be talking about two different stories, and they have a through line. What ties these two stories together is you get a visit or a call from a certain organization that you really never want to hear from.
[00:05:56] Andrew: Yes, well, you wanna establish relationships with them ahead of time, but getting that phone call. It’s kind of a dread, but I’ll tell you what, for me, the horror is a little bit exciting. Like this is, you know, when you talk to the CEO and they’re like, why are you so excited? Hey, this is what you, this is what you hired me for, right? This is what I’m here to do. This is where I shine. So, it’s kind of interesting when you get that phone call.
[00:06:20] Jonathan: Well, yeah, I mean, the fact that you said, you know, you’re not a one-time CISO, you’ve come back to it. So there must be something in there that’s drawing you to this. Paint the picture for us. What’s the setting like? What phase of your career is it? What does it look like before things start going wrong?
The first phone call
[00:06:37] Andrew: So I’m, phase of my career I would say, you know, phase two. Phase one was kind of my early leadership journey and phase two is maybe leaders of leaders and really I think, or I hope, develop some level of maturity and calmness in these kind of crazy situations. So we get contacted by one of those government, three letter agencies, because one of our accounts payable departments has sent a seven figure amount to an offshore bank that is owned by a known hacker. So, you know, so actually our finance team works with them to kind of claw back that money. And the good news of this story is they were able to get the money back. But we start to do, of course, the due diligence on our side to figure out how did this thing happen in the first place. And for me at the time, this was definitely the most interesting attack scenario that I had ever heard of.
[00:07:37] What we’d seen at the time, and this is after the days of WannaCry and NotPetya and things like that, that were kind of, you know, malware worms that spread everywhere and caused a lot of chaos. This was much more organized, higher level thought that went into this. And what we found is, at the time when we get phishing emails, people would pwn someone’s user account and they would use that account to send more phishing emails to try and basically steal credentials and get people to click on things and maybe load malware or something like that.
[00:08:13] In this case, [it was] a completely different scenario. So, a user email got pwned at least six months, if not longer, before this wire transfer was sent. And instead of using that compromised account to send a bunch more phishing emails internally or externally, they used the access of that account to start to do research on the company.
[00:08:40] Again, we had never seen this before. Now I would say today it’s a little bit more commonplace, but at the time like you couldn’t even read articles about people doing this. Like we tried to find other cases and this was kind of, kind of new.
[00:08:53] Jonathan: I mean at the time too, if this is in that same timeframe, I remember I was working for an endpoint security startup. You know, Emotet was a big thing like the, but it was all these Trojans that would basically, that you’re totally right, the goal is to gain access to the MLX so they could send out more of the spam, and then they’re maybe going to sell that initial access.
[00:09:10] But yeah, nothing like there, not a whole lot more thought other than we want to establish a beachhead here. And that’s about it.
[00:09:17] Andrew: What they ended up doing is they got onto the SharePoint of the accounts payable team. And they were reading, and we found this later, they were reading the processes. They were looking at the documents that showed the standard operating procedures and they saw the approvals going through.
[00:09:35] And so they knew exactly the nomenclature that was used, the kind of the tone of the emails, everything to make it happen. And there was a phrase I remember that the guy used. He said like, “This one is green-lighted to go through,” or something like that, which is not a phrase that I think a hacker would normally use.
[00:09:54] But they saw that happen so many times in the approval chain that they said they used that exact phrase and the people sent it through. Now today, when you think about financial fraud, of course you think about, you know, if anyone ever by email asks you to change their bank account information, you always do a phone call.
[00:10:13] You always follow up with a known resource or whatever, because a lot of times it may not be your organization that’s been compromised. It can be your vendors or your customer’s organization is compromised and they’re trying to get you to change something. So it’s not on you. It’s more on them. And what we did, I think one of the important things that we think about when we do incident response is a really strong after action review.
After action review
[00:10:38] So we went deep in this. We involved the legal team, we involved the financial team of course. We involved internal audit and the cybersecurity team. And there were a lot of kind of quick reactions to this. Like, we should reset everybody’s password. Well, that’s not gonna fix anything. We had to push back on the idea of resetting everybody’s password because that’s gonna give a false sense of security.
[00:11:02] Now it’s fine to reset the credentials of all of the people that were impacted by this, but resetting everyone in the company’s password, not only would it cause total chaos, but it wouldn’t really solve anything. What we ended up doing is really two sides of this. So we put a number of different controls on the financial side, process controls, where if someone asks you to change a bank account, you make phone calls, all that kind of stuff.
[00:11:27] And then we started to look at controls on the cybersecurity side, and the biggest one being [adding] phishing resistant MFA. So, again, at the time, MFA was not really standard for everybody. Maybe if you were in a tech company, you’d have it, but for, you know, large enterprises and stuff like that, you would not have, not everybody was having phishing resistant MFA at that point.
[00:11:47] Jonathan: You were mentioning that this isn’t the sort of thing that you were really seeing a lot of anywhere. And [what] strikes me is that compared to the ransomware situations we hear about or some other attacks that are more kind of smash and grab, right?
[00:12:01] Like you were involved in, you got your pocket picked, you know, there’s a crime like that. But this, is something more insidious, right? You find out that someone has been in your house for six months. I mean, I imagine that that is a completely different type of feeling than, Hey, we just got… yeah.
[00:12:20] Andrew: Absolutely. You feel violated, right? Because it’s one thing to stop the smash and grab, but for someone to sit in there for so long. And the first question that I had, which I’m sure I’m sure a lot of our peers would have too is, “How many other areas is this happening in?” Right? How many other accounts do I have that are compromised?
[00:12:38] You know, how do I fix that? So it’s really about putting that phishing resistant MFA in place, and then forcing all of your accounts to kind of re-authenticate. Because you don’t, at that point, you don’t know how many times you have this, and there’s a number of solutions specifically in the email security space that will retroactively look at rules that are in place.
[00:13:02] One of the things an attacker will do in this situation is they’ll create a bunch of Outlook rules that will cover all of their tracks, allow them to do things with the account, but not allow the account owner to see it. And then another thing you need to look at in this scenario is the idea of active accounts versus dormant accounts.
[00:13:19] The golden ticket for an attacker is to take over a dormant account. And the reason is if you get compromised and your email account starts sending weird spam or phishing, you’re gonna call somebody and say, Hey, there’s something wrong with my account. But if you have left the organization, and I compromise your account, there’s no you on the other end to say, “Hey, I’m doing something weird.” It’s a real boon for them. So we started to look at, you know, how do we make sure that accounts are getting cleaned up, not just through automated HR actions, but we do kind of other sweeps to make sure of that.
[00:13:57] And of course, as I said, I’m gonna keep saying, and again, is putting phishing resistant MFA in place because, and there’s ways to get by that too, but a lot less than just being able to compromise someone’s username and password.
[00:14:08] Jonathan: Now all eyes are on you basically, and there’s this initial, especially after that learning that, okay. They may have access to that, they could have access to anything, you know?
[00:14:18] And there was that initial reaction, we need to reset everything. It’s kind of like, I think about Aliens and the quote, “Only way to be sure [is to] nuke it from our orbit.” And you can understand that, right? But you’re also having to balance that with the, well, we have to maintain, we have to continue functioning as a business. And so I’m just kinda curious how that you worked that stuff out and how those conversations kind of looked.
Cyber is here to serve the business
[00:14:42] Andrew: So cybersecurity, the entire function exists because business exists. Right. We are here to serve the business, to make them operate, to allow them to operate in a safe and secure way. And really my role as a CISO is a cyber cybersecurity subject matter expert to the C-suite and to the board. And when they want to do things, it’s for me to say, Hey, here’s my recommendation for what to do.
[00:15:10] Or here are three flavors of things that we can do based on your risk appetite. Now if the business really desires to reset everyone’s password, I can explain why I think that’s a bad idea. But in the end, I will go and execute whatever they want to do based on their risk appetite. But in this case, I said, look, the only accounts that were compromised, were in this specific finance group.
[00:15:33] Let’s reset all of their credentials. But they, but the business impact of resetting another, you know, 29,000 people’s passwords is not gonna, is not gonna really help. And it is just gonna cause a bunch of chaos and problems that everybody’s gonna have to work to clean up. So…
[00:15:49] Jonathan: You know, MFA is a pretty well established, of course, I mean, but… lest we forget, it wasn’t that long ago that no one really wanted to do it. I mean, you’re constantly having to fight that battle. Right. And you kind of mentioned at the top here that as a CISO, okay, yes, these events are something you don’t want these things to happen.
[00:16:08] Obviously. At the same time, it’s what you’re there for. You kind of thrive in this scenario. And I imagine too, I don’t know if MFA was something you were pushing before this at all, but if you were, now you have a clear check to do it right. I mean… never let a crisis go to waste, I guess?
[00:16:26] Andrew: Yes. I was just gonna say that, Jonathan. I was just gonna say that, that’s exactly it. So utilize those crises, utilize those bad audits to be able to do the things that you’ve been wanting to do and haven’t been able to do. And you’re absolutely right. The CEO of this business unit became the greatest advocate that we had for implementing phishing resistant MFA throughout the enterprise. And that business unit, you know, did it faster and better than anybody and than anybody else because we had that kind of top down support to say, this is really important that we need to do this.
[00:17:02] Jonathan: So I think we can move on to the next story if you want to, Andrew.
[00:17:05] Andrew: I’m ready. I’m ready. Keep the horror coming Jonathan.
[00:17:07] Jonathan: All right. So this one, this [horror story] comes to a conclusion. The organization is better off afterwards, more secure. You’re able to… lessons learned and everything. You get another call.
The sequel
[00:17:18] Andrew: Yeah, so this one actually has a six-months-before part of the story as well. So, we get notified by our EDR solution that we have an active attacker in our network. They have gotten onto a server. They’re running commands to, you know, search the network and download usernames and credentials and all that kind of stuff.
[00:17:40] So we quarantine the device, you know, we stop them. And then we do some, you know, strong after action review, as you should do in incident response. And what we find is that this device is, it’s owned by us, but it’s run by a third party who is doing some financial work, financial automation work for our company. And in researching the company, we realize that they are very, very lax on cybersecurity. They don’t take it seriously at all. And it’s clear that they’re, that these, you know, bad cyber hygiene practices have allowed other people to get in and compromise their stuff. So, I don’t know if it was an insider threat thing or if someone, you know, compromised them, but it was one of those two things and somebody was able to get in.
[00:18:29] So we go to the board and we present, you know, every quarter we present on any incidents that we’ve had, and we present, you know, the after action review and our recommendations for what we should do. So what’s your recommendation in this case? And I said, we should immediately stop doing business with this company.
[00:18:43] We should find another company that can do this financial automation for us, that takes cybersecurity seriously, and we’ll vet them ahead of time. Now, we did have like a third party risk process, but this company had come in before we established that process, and there wasn’t really an appetite to go retroactively third party risk assess every, you know, every one of the 10,000 vendors that we had.
[00:19:05] So this is something that you’re gonna find out as you move forward. So six months later, our favorite friends at the three letter agency call us again. They have discovered on the dark web ‘for sale’ credentials to get into our environment. And they can’t help us anymore, except they can give us these, like two screenshots of what they found on the dark web. So another incident is raised. We do our due diligence. We find out, guess where those credentials came from? The same company. So they had like an AWS server with an open RDP port with very easy credentials, and once you got into that server, they then had a file on the desktop that had their credentials to get into our system, which they were using very similar to what they had done before, even with all the additional controls and things that we had put in place after the first incident.
[00:20:00] And we made them do a bunch of cybersecurity stuff and jump through hoops and stuff, but it, you know, it didn’t really work that well. So needless to say, we go back to the board and we have a very similar discussion and they say, what’s your recommendation? And I say, I actually pulled in the same after action review that I’d shown them six months before.
[00:20:19] And I said this is still my recommendation that we stop doing business with this company and I hope we’ll take it seriously this time. This was one where I had a call with the C-suite, you know, leading into this. And they could all sense my excitement. And they said, well, why are you so excited?
[00:20:38] Like, why are you so happy about this? And I said, folks, again, this is why you hired me. This is what we do. This is where my team shines. You know? And in neither of those cases, was there any kind of data breach or ransomware or any of that stuff. Nothing was ever executed. And we did hire a forensics firm to go look on the dark web and try and find these credentials for sale or see if anything else was for sale.
[00:21:00] Of course, they couldn’t find anything. Intelligence is hard to do and it’s hard to, you know, find stuff. You’re lucky if you find stuff sometimes. But anyway, that’s the second story of our friends. And one thing I would say this has taught me, and I, it’s something that I share with a lot of my peers.
[00:21:16] It’s very important to establish those relationships with government three letter agencies, your local law enforcement, before these things happen. Because if you know them and you’re, you know, I don’t know if I would say friends with them, but if you, if you know them and you have those contacts in place already, it makes things a lot easier when they reach out to you for the first time.
Lessons learned: Build proactive relationships
[00:21:37] Jonathan: Do you think there are any hesitations other people may have with that? Maybe they’re not ready yet. Maybe they want to be in a better position when they reach out in case, you know, they don’t wanna look bad. If there’s things that they’re kind of worried about in terms of their own security posture.
[00:21:52] Andrew: My thing is I always want to know how bad I am. Knowing gives me the opportunity to focus resources on the largest risks. So a lot of people ask CISOs like, what keeps you up at night? For me, the thing that keeps me up at night are not the risks that I know about, that I’m focusing on, and addressing.
[00:22:10] It’s any risk that I don’t know about. So I would say it’s never too early to contact the FBI. There’s a group called InfraGard, and they have, they establish a relationship between the FBI and businesses. So if you’re not a member of your local InfraGard, you can go to https://www.infragard.org/ and you can join up, and you can become part of that organization. Really great organization, and you can start to establish those relationships today.
[00:22:39] Jonathan: Is there any, you know, the stereotypical thing from anyone who is promoting cybersecurity to business leadership is, you’ve inevitably gotten the reaction at some point that we’re too small, we’re not gonna be really on [bad actors’] radar. This isn’t for us, this is only for big, giant companies.
[00:22:56] Could there be a similar reaction to this, you know, is the FBI, is it really worth it for us to do that if we’re just small?
[00:23:04] Andrew: I would say to anybody who thinks they’re too small, I completely disagree. Because it depends on the type of motivation of attackers. Normally for a small business, you’re not gonna be looking at nation state attackers or activist attackers. You’re usually gonna be looking at people who are just going for money.
[00:23:22] There’s something to be said about the shotgun approach, right? If I just target really large enterprises to try to get, you know, seven figure payouts, it’s gonna be few and far between. But if I target hundreds of small businesses and just want them to pay, you know, five grand to unlock their files, that’s a lot easier.
[00:23:41] And if I do that, you know, at scale, especially using generative AI tools, it’s gonna be a lot easier for me to make money if that’s their goal.
[00:23:49] Jonathan: I’m wondering about the FBI side too, you know, if organizations may feel like, well, we’re too small, we don’t need to reach out to them and establish a relationship, you know. Is that something that only happens when you’re officially a very large company, a CISO there, or should it be for everybody?
[00:24:04] Andrew: I would say it should be for everybody.
[00:24:06] I mean, there may be a size at which the FBI is not really concerned about it, I would say. But you know, I think anytime they see something or they find something, the other great thing about these organizations is there’s a lot of information sharing that goes on.
[00:24:21] So there’s an organization called ICE, and they share, you know, great information and reports that you can get for free. There’s an organization called CISA. They release bulletins almost daily about new CVEs and things that you need to update so you can get a lot of great information from joining these groups, whether or not it’s applicable to you now or maybe in the future, establishing those relationships to me is never too early.
[00:24:44] Jonathan: This is what you’re preparing for. And so when it does happen, you get that rush. But then, you know, there’s the constant, there must be a thing in the back of your mind too, of, for a lot of folks, you know, you’re just preparing, you know, and you’re never really gonna know. I mean, it’s not gonna be announced, you know, it’s gonna happen one time and you, you can’t really predict it.
[00:25:04] Andrew: Yeah, you need to be prepared for when it happens and what better time to, you know, create your incident response plan and establish those key relationships and all of those things now, than when you’re in the middle of a crisis.
[00:25:18] Jonathan: Absolutely. I think [both stories] also speak to the broader scope of, you know, in some cases, I think with IT and security, there’s a lot of the security controls and diving into how some of these attacks work.
[00:25:29] You can address a lot of it with purely just the tech right? Focusing on those controls. But I think in both of these cases you’re also talking about, processes and procedures. You’re talking about working with accounting and in other cases, you know, you’re working, you’re relying on other vendors who are outside of your organization.
[00:25:49] I mean, countless amounts of major cyber attacks we’ve seen, well it was the third party vendor that did that. And so you’re working with people, right? So, anything that you would recommend on that side of things for people who, you know, you’re passionate about the technology and finding these solutions in that way, but at the end of the day, you’re operating in a real world with real people and you’re trying to make change that way.
Your best intel is your own intel
[00:26:14] Andrew: Yep. So I think what you have to do, one of my favorite things is your best intelligence is your own intelligence. So, first thing I would look at is what has happened to you and your organization in the past? And then using that information and doing very strong after action reviews of those incidents, what are the controls that you need to put in place? Now, if I was talking to someone who is vanilla, who’s never gone through this before, I would say probably three things: The first one is you need phishing resistant MFA for everyone in your organization. The second thing I would look at is your perimeter.
[00:26:49] So if you have, you know, if you bought your firewall at Best Buy, probably not a good spot to be in, right? Making sure your default credentials are there, that you’ve locked down your perimeter in some way. And there’s a lot of free services that you can get that will scan you externally and see if there’s any open holes or ports or whatever.
[00:27:08] So cleaning that up. And the third thing that I would look at, ’cause a lot of these things come in through phishing email, is looking at kind of, context aware email security. So not just I sent you a bad attachment or a bad link or from a bad address, but like, Hey Jonathan, I’d like to change my bank account for this next payment.
[00:27:29] That kind of contextual awareness that it says, Hmm, something seems weird about this. You should go validate this. So there are, I think all three of those things are the things that I would kind of start with by default. And those will help you to address the majority of those kinds of entry controls. And then you can start to look further down the attack chain and other things you might want to do.
[00:27:48] Jonathan: I think those are great. How do you balance, you know, going back to the earlier story and, knowing that, okay, phishing resistant MFA at that point, maybe not as widely as common in, in the stack and you’re constantly looking to see okay, what’s next? Things are evolving all the time.
[00:28:07] There’s new solutions. Attackers are getting better. It’s the cat and mouse game, solutions are getting better. And we need to stay up to date and go for newer things. How often are you kind of revisiting your solutions and then, particularly now, you know, the context aware comment makes me think about all the claims and hype around AI and everything too.
[00:28:28] How do you, how often do you review things and then when you are kinda reviewing what’s new out there, new and the new hotness, how do you try to, navigate I guess the hype cycle of things?
[00:28:42] Andrew: Great questions. I like that you called it the new hotness. Obviously AI is gonna impact both sides of the equation. From a cybersecurity perspective, we’re able to use AI to help us. Agentic AI to do kind of more basic tasks, using it to analyze things that we couldn’t before that were harder for us to do before.
[00:29:03] So there’s a lot of ways that we can use it positively on our side, but on the attacker side, there’s certainly a lot of ways that they can use it. One example that’s great is phishing emails. We’ve been teaching people for 20 years to look at, you know, misspellings and bad grammar and you know, specific links and subject lines and all of those things.
[00:29:22] All of that stuff is going out the window because, you know, if you use generative AI to create unique phishing emails for every single one, you can do that and it’ll be harder to find and harder to root out and harder to identify and all that stuff. So, your second question was about navigating the hype cycle.
[00:29:41] There’s certain keywords that, you know, vendors will kind of glom onto and just, everybody will say machine learning or everybody will say zero trust, or everyone will say single pane of glass, or everyone will say AI. I think you need to look at, for your business and your perspective, what are your biggest risks and what are you doing to address those biggest risks using the intelligence that you have and making sure that you’re continuing to address those largest risks.
[00:30:08] In the course that I teach at the university, there’s a slide that I use that says CISO responsibilities, and it’s a single slide and it’s got so many words and in like a four point font. It’s this huge kind of mind map thing. And you can’t read the words on the screen. And I do that on purpose to say, look, if you really look at what you’re responsible for in cybersecurity, it’s huge.
[00:30:29] But what you need to do is you need to focus, right? What are the top three things that are impacting me? And you need to focus on those things and get those things under control, do the basics, and then start to look at, you know, the next three or whatever, once you get those under control. So I think that’s, you have a finite amount of resources, you know, using those to the best that you can to address the biggest risks for you and your organization.
[00:30:53] Jonathan: There’s the hype cycle, the new hotness hype that’s coming outside from vendors. And then of course you’re trying to get the attention of leadership too. And you’re giving your recommendations, here’s what we need to focus on, our priorities, and then they’re of course reacting to that.
[00:31:08] How do you balance the whole, you don’t wanna be chicken little, for example, right? But also there’s cases where you really do, I mean, you need to get their attention. You need to make them feel the urgency around it. You know, after these two scenarios, you get that buy in because they see this is real.
[00:31:25] But what about for folks who haven’t, they don’t have leadership, who have gone through a real scare, like one of these.
Be a change influencer
[00:31:32] Andrew: Yeah, I think the best thing that you can do here is really kind of organizational change management and leading change upwards, influencing change. And one of the best ways to do that is by establishing relationships with the key stakeholders and sharing with them the ideas that you have about what you’re gonna do one-on-one.
[00:31:50] Getting their feedback. And then when you go and present to the larger group, if you have two or three people in the room who you’ve already heard their feedback, whether it’s positive or negative that you’ve been able to address, then you go in having some advocates on your side, at least people who understand what you’re trying to say before you do it.
[00:32:08] So to me, it’s really about educating. It’s about being a subject matter expert. It’s about allowing businesses to make informed decisions about cyber risk based on their appetite. And you talked before about stage of my career. I really consider it in two big stages. In stage one, I knew what we needed to do to fix these problems and I would just come in and pitch that one idea and try to get funding for that one idea.
[00:32:36] And sometimes it would get shot down and sometimes it wouldn’t. And I realized after a while, like that is not my role. My role is not to go and tell you here’s what to do. My role is to tell you, here’s a risk. Here’s a few different ways that we can address it. And which one do you want to do? And I’ll be happy to do whatever one you want to do.
[00:32:54] So changing the mindset to that and allowing the business to make the risk-based decision, I think is a much more powerful way to get funding for things. And you may find that they want to do things, you know, above and beyond what you want to do. So I recommend that every time is kind of, giving, giving options and, and educating and helping people understand.
[00:33:15] Jonathan: Andrew, this has been fantastic, and I have, before I let you go, it comes very clear through, through everything that you’ve said that, these scenarios, you have a healthy appreciation maybe, but I wouldn’t say a fear. Not, you’re not scared of ’em. Of course you don’t want there to be a sequel, but you realize that there is going to be a sequel in some shape or form, and you wanna be there for it. Any other advice you want to leave for folks?
Closing
[00:33:38] Andrew: I mean, whatever you can do to be prepared ahead of time. We talked a little bit about this before. I think there’s two types of organizations in the world. Those who acknowledge that they’ve been breached or those that don’t realize that they already have been. So it’s gonna happen to you eventually if it hasn’t already happened.
[00:33:53] I think it’s really important to establish those roles and responsibilities ahead of time. Establish your incident response process. Having a tabletop exercise with the people who are involved, helps ’em to really cement it and understand it now instead of in the middle of an incident, because what you want to be focusing on in the middle of an incident is
[00:34:14] eradicating the issue and being able to do your root cause analysis and being able to give your recommendations for how to move forward. You don’t want to be defining communication plans, figuring out who to call, all that kind of stuff. That stuff should already be defined ahead of time and it’s a great time to do it now.
[00:34:30] So as much as you can be prepared for those things. We talked about this before, establishing relationships with local law enforcement, figuring out who your external legal counsel is, who’s your incident response team, all of those kinds of things, maybe based on your cyber insurance. Go take a look at that.
[00:34:45] So having all that stuff ready ahead of time is really what you need to do. And you may have other priorities or projects that you’re working on. I encourage you to put those things on hold or slow those down so you can get this stuff in place. And I’m sure you can use generative AI to help you to create tabletop scenarios to create your documentation that you need.
[00:35:05] So go and use the tools that are out there. That’s my advice.
[00:35:09] Jonathan: Great recommendation and we’ll be sure to share a few others. Table topping incident response is something that comes up a lot. And so, but how do people actually do that and making that… So it’s amongst all the other things you’re trying to do, it’s actually something you can do pretty easily.
[00:35:24] That’s something we’re super interested in. So we’ll definitely share resources.
[00:35:27] Andrew: By the way, another plug for CISA. CISA, the cybersecurity, man, I can’t remember what the acronym means, means for anyway, CISA. They will do free tabletop exercises for your organization. Contact them.
[00:35:41] Jonathan: Amazing. So it takes a village, right? And, you should absolutely leverage your resources. Don’t be the lone person in the horror movie that says, I’ll be right back. Andrew Wilder, Chief Security Officer at Vetcor. Thank you so much for taking the time outta your busy day to share your horror stories and all your great advice. Really appreciate you.
[00:36:00] Andrew: My pleasure, Jonathan. Thanks for having me. Cheers.