Modern Cyber with Jeremy Snyder - Episode
11

Craig Taylor of CyberHoot

In this episode of the Modern Cyber podcast, Jeremy talks to Craig Taylor of CyberHoot. The pair discuss critical aspects of cybersecurity, focusing on incident response, tabletop exercises, the importance of regular testing, updating of backup systems and much more...

Watch Now
Craig Taylor of CyberHoot

Podcast Transcript

Jeremy at Firetail (00:02.51)
Hello, welcome to another episode of the Modern Cyber Podcast brought to you by firetail .io. I am your host as always, Jeremy. I am thrilled to be with you today. And just a request for anybody listening, remember that we cover a broad range of cybersecurity topics, not only the stuff that we work on at Firetail in cloud, APIs, AI, et cetera. So if you've got requests, if you've got suggested guests that we should have on the podcast, please do reach out and also take that time. You know, sharing is caring.

Like, subscribe, follow, rate, review, all that good stuff. You know what to do. You know what we're going to ask you for. We've got a guest coming from a domain space that I don't know a lot about today. And so I am really looking forward to the conversation and to learning a thing or two. To that end, I am thrilled to be joined by Craig Taylor. Craig is a certified information system security professional, CISSP since 2001 and a 25 year veteran of cybersecurity. In 2014, Craig co -founded cybersecurity training company, CyberHOOT.

that teaches cyber literacy skills. During his career, Craig has led cybersecurity organizations in web hosting, finance, and manufacturing at companies like CSE, JP Morgan Chase, and Vista Print respectively. Additionally, Craig leads a cybersecurity consulting practice, delivering virtual chief information security officer or V -CISO services to more than 40 companies. Craig is a toast master, a rotarian in Portsmouth, New Hampshire, and a philanthropist, having raised over $110 ,000 for the Dana -Farber Cancer Research Institute in the last 10 years.

and Craig has a bachelor's in psychology from the University of Guelph in Ontario, Canada. Craig, thank you so much for taking the time to join us today.

Craig Taylor (01:34.465)
Jeremy, it's a pleasure to be here. Thank you for reading all that.

Jeremy at Firetail (01:37.646)
It's my pleasure as part of the job. So I signed up for this. Awesome. But hey, listen, one of the things I mentioned in the intro is that I really don't know that much about this space. I have been on, let's say the user side of cybersecurity training where I've joined organizations and I've had to go through the onboarding and, you know, take the general cyber literacy test and click through the videos and take those scenarios and the multiple choice answers and so on.

And I know that you kind of have a different view on training. And one of the things I read is that cyberhood has kind of reinvented fish testing and you've kind of eliminated negatives and brought a new methodology. What can you tell us about that?

Craig Taylor (02:19.969)
So thanks for asking. We call it our hootfish simulations. And we looked at the problem of attack -based fish testing, where an MSP or your IT department will send you or send all the users in your organization a test email. You have to break through a lot of the email filters to get it to the inboxes. You have a Goldilocks problem where you have to pick the perfect phishing attack email that's not too hard.

It's not too easy, it's just right, and it fits your technology stack, it fits your industry. There's just an enormous amount of effort that goes into this. And then what ends up happening is the IT department or the MSP burns through goodwill with their end users because end users don't like to take the blame for clicking on something. They'll say, you know, that was really devious and difficult and I can't believe you sent that to me when I have a thousand emails coming into my inbox. Or, you know,

It's been dumbed down. The technology and the methodology that's in those attack emails takes a domain name and simplifies it so far off the beaten path of the vendor they're impersonating that it's quite obviously wrong. And that gives a false sense of security to the end users. You might test a hundred people and they say, I know how to catch fishing. I just look at the center and if it's sent from...

I don't know, Netflix and it's like, you know, in our own case, if we were to send something in an attack method, it would be ch -accounts .com for cyberhood -accounts. It's so obviously wrong that it gives people a false sense of security. When in fact a hacker will send an email, if they're truly trying to fish you and get you to click on something, they'll send it from netflix .com where the I is missing in the domain name. Now that domain won't last for more than a week. It'll be taken down pretty quickly.

but after they've compromised or been able to convince people to click multiple times because they've been receiving these simplified attack phishing messages that are watered down. Not only that, there's so many other problems in attack phishing. You get a metric for half your users. You have three buckets. The first bucket is the people that failed the test. They're the ones that are kind of mad and you're burning up that goodwill or the bank account with those individuals. They...

Craig Taylor (04:41.793)
You know, you want to empower as an IT department, you want to empower and raise up your users, not punch them down from failing tests. But you get the 5 % that failed it. You get a metric for the 35, 45 % that passed because you can track who opened the email. And if they opened the email but didn't click on the link to the malicious website or the supposed malicious website, they pass.

Jeremy at Firetail (05:01.902)
Mm -hmm.

Craig Taylor (05:08.673)
But that still leaves 50 % of your users in many cases where you have no knowledge of what those people did. And phishing is the number one method. We'll get into this maybe later, that hackers breach companies phishing attacks. It's no different today than it was 20 years ago. They still use social engineering and phishing. And so you need a metric or a score for every last user.

Jeremy at Firetail (05:15.118)
Mmm.

Craig Taylor (05:33.153)
boosting and building their cyber literacy on how to spot and avoid phishing attacks. So we looked at all these problems. We said, what can we do different at cyber? And we've created a simulation that isn't watered down, that requires no administration. In fact, when you enroll in our platform, we automatically pick from our database and assign these phishing simulations to your users. You don't have to write any allow lists, set up X headers or bypass anything.

It's just delivered to the inbox and it brings the user. They're told this is a phishing assignment. They're told, and they click on a link. They visit the cyber hoop website that's branded for your company or for your MSP. And you're told you're going to learn the seven components or I call them puzzle pieces to phishing. If you ask any one person today, how do you spot phishing attacks? They'll tell you, I look at this thing or I look at that thing and they're not a hundred percent clear on exactly what they're looking for.

It might be an opaque puzzle piece. It's not crystal clear. What we've set out to do is construct all seven pieces of the phishing puzzle into a crystal clear picture to allow the end user to learn confidently, efficiently, and securely how to spot phishing by examining those seven components of an email. The sender, the subject, the greeting, spelling, punctuation, and grammar, links to external websites, attachments, and most importantly,

Emotionality, urgency, or a fear of missing out. Those three things are bundled together because hackers have learned what social psychologists have learned. Remember my backgrounds in psychology? That people make more mistakes when they react to something. So if a hacker knows that, they're gonna get you to react without thinking, I've gotta get this great offer, or I have to fix my account before they lock it out on me because it's really important, my Netflix account, right? So for example,

Jeremy at Firetail (07:27.054)
Yeah, yeah.

Craig Taylor (07:28.865)
to get you to react before you think about it. Cause I can tell you when all the investigations I've done, people come to me and go, you know, Craig, if I had just stopped for a minute, even a second, I wouldn't have clicked, but it was so urgent. I was off to lunch. I was thinking about my family and I wasn't thinking about my email and I just wanted to get it done. And then boom, I infected our whole company with ransomware or I gave my credentials to my email account or what have you. And suddenly there's a much bigger problem involved. So,

By doing it our way, we're changing negative reinforcement, which is that shock collar approach. Like you can train a dog with a shock collar at a park to do the obstacle course. And when they make the mistake, cause you're directing them around, you can shock them, correct them, and they'll come back in and they'll do it right. But it's not a pleasant experience for either person, the dog or the human. Or you can train them with treats and praise and positivity.

Attack phishing is the shock collar approach. You're zapping your users when they fail, redirecting them to more remedial training that may or may not actually teach them those seven puzzle pieces and then hoping that they don't do it again. And by the way, you don't know if everybody does this. You only have evidence on half of them, right? So with us, you get a score for every last user. If you don't do it, your manager finds out. If they're, if they don't do it, their manager finds out and it's all done recursively with reminders and reporting and all of that.

but at the end of the test, you pass the test. You've completed the puzzle. You have a crystal clear picture. So a lot of people come to me, Jeremy, and they say, does it work Craig? And I say, well, here's what I hear. Before Cyber Hoot, we got dozens of emails a week asking, IT department, is this a fish? Is this an attack? Is that an attack? I don't want to make a mistake, but I'm not sure. Something doesn't seem right. They lacked confidence and they wasted so much time stressing about their email.

Jeremy at Firetail (08:57.422)
Okay.

Craig Taylor (09:25.985)
before sending it to the IT department is a colossal waste of time for everyone involved. The IT department has to comb through the emails and write these responses up on why it is or it isn't an attack. But after Cyber Hoot, those go away, largely. There's still some people you will never be able to train on this, believe it or not, but those emails go away and sometimes are replaced with, hey, IT department, I found this fish, I deleted it, but I wanted you to know, aren't you proud of me?

Jeremy at Firetail (09:31.022)
Yeah.

Jeremy at Firetail (09:45.134)
Yeah, yeah, yeah.

Jeremy at Firetail (09:55.182)
Yeah, interesting. And well, I was just going to ask, I mean, so what kind of results do you see from that? Because, you know, along the lines of positive reinforcement, and I'm a parent and you know, I saw this with my own children kind of, and on the one hand, I kind of hate to use that parallel. But on the other hand, I think it may be the most appropriate parallel in terms of, of training and teaching people where positive reinforcement generally brings better results. And I think, you know, there's enough domain evidence to see that. So.

Craig Taylor (09:55.809)
So it's a positive reinforcing.

Jeremy at Firetail (10:25.294)
When you see that as the types of phishing emails have evolved, you must see the need for continuous kind of training and reinforcement, right? Or what do you see as being the ongoing benefits of continuing the positive reinforcement?

Craig Taylor (10:42.049)
So we structure it with a periodicity or frequency of these phishing simulations that mirrors physical fitness. And let me explain. I go to a lot of companies and they say, Craig, we want to do an annual training of our staff members on cybersecurity. Can you give us a one hour overview of cybersecurity? I said, sure, I can, but it isn't going to work.

Jeremy at Firetail (10:54.222)
Okay.

Craig Taylor (11:06.081)
It's like asking someone to go to the gym once a year, working out for five hours and hoping that they get in shape and don't hurt themselves. Truthfully, it's repetition and consistency over time and building this culture of cyber literacy across all your employees with repeated assignments. And so the frequency that we've settled on in our automatic program is once a month video, three to five minutes on a variety of cyber literacy topics from physical security, such as, you know,

Jeremy at Firetail (11:13.838)
Yeah.

Yeah.

Craig Taylor (11:36.129)
walking through a door and holding the door. Yeah, not leaving your laptop in the back of a car, tailgating through a priviledged door, access door, things of that nature. Two USB sticks you find in the parking lot. Don't put them in your computer because it's going to blow it up or not blow it up, but literally it could introduce a virus. From that to the stalwarts of every single year we cover, phishing, social engineering, password hygiene, multi -factor, Wi -Fi security.

Jeremy at Firetail (11:36.334)
Don't leave your laptop open at a, yeah, yeah.

Jeremy at Firetail (11:52.206)
Yeah, yeah, yeah.

Craig Taylor (12:04.449)
all of the foundational concepts that aren't that complicated, but no one has spent the time teaching our youth, our adults, these cyber literacy skills. To put it in finer point, most people have computer literacy today. My parents might be excluded from that and they'll admit it to you when they call me every so often to get support. But very few people have been taught cyber literacy, these basic skill sets, you know? And that's where it's up to us.

Jeremy at Firetail (12:31.022)
Yeah. Yeah. Yeah.

Craig Taylor (12:34.241)
up to our companies, the owners of companies, the IT departments to fill that gap or else suffer the consequences. And it's Friday night ransomware response and restoring data all weekend. It's business email compromise and responding to 5 ,000 emails just went out to every person that our salesperson has ever talked to with an attachment on an invoice that we didn't send. And it's going to ask those people for their credentials. my God.

Jeremy at Firetail (12:47.054)
Yeah.

Jeremy at Firetail (12:58.414)
Yeah. Yeah, yeah, yeah, yeah. You mentioned something earlier that I want to circle back and make sure I heard you correctly. So you said basically the way that these attacks are starting hasn't changed in like 20 years. Can that be true?

Craig Taylor (13:14.689)
It absolutely is. So Verizon is a U .S. company that produces a data breach report every year. It's the DVIR. I think you may have heard of it.

Jeremy at Firetail (13:22.862)
Yeah, I think most of our audience will probably know the Verizon DBIR.

Craig Taylor (13:27.553)
And last year's report compared longitudinally 2003, the data from that year against 2023, 20 years later. And they concluded the attacks are the same. Social engineering via phishing and password hygiene combined with a lack of MFA. Those are the same. Now, distant third, unpatched vulnerabilities on internet facing devices. Yes, there are always these other ways in, but the majority is the easy, quick,

Jeremy at Firetail (13:36.462)
Okay.

Craig Taylor (13:57.601)
automated attack by hackers who can splay out these phishing campaigns to millions of businesses. And with AI, here's the newest twist on this stuff. It's much more focused. We used to separate phishing into spear phishing and whaling and generic phishing. You know, everyone's gotten the, hey, valued customer, click here to log into your Amazon account, right? That's just generic phishing. But if it says, Jeremy, log into your Amazon account because we know you like

Jeremy at Firetail (14:20.27)
Yeah, yeah, yeah, yeah.

Craig Taylor (14:27.041)
X, Y, and Z products because they went to your social media page and they saw that you're a podcaster and you might like this new microphone that everybody's raving about. That's spearfishing. And AI allows them to create these really customized things. So the trends are the same. The attacks are the same. They're just getting more sophisticated with AI. They're getting more frequent. And then once they breach, they are more damaging because they're taking your data and they're

Jeremy at Firetail (14:34.03)
Yep, yep.

Jeremy at Firetail (14:48.75)
Yeah, yeah, yeah.

Jeremy at Firetail (14:55.214)
Yeah.

Craig Taylor (14:56.929)
pulling it out of your organization. They're not just encrypting it with the traditional ransomware, they're exfiltrating it. And if you don't pay, they're gonna release sensitive and critical information to the public internet to embarrass you. So it's a double ransom, right? It's not just, you can't have access to your data, we're gonna embarrass you as well.

Jeremy at Firetail (15:00.334)
Yep, yep, yep.

Jeremy at Firetail (15:15.95)
Yeah. And in fact, I think the latest twist that I saw was somebody actually submitting the required breach notification to the SEC on behalf of the customer and kind of starting the regulatory response like, okay, we breached you, you didn't pay the ransom, we exposed the data, you still don't respond, guess what, we're gonna file this report. And then I think that kicks off a chain of notifications to shareholders, customers, et cetera, and probably.

will trigger some kind of regulatory backlash to the organization in question. So, so those haven't changed. I'm curious about a couple of things there. So one is, you know, if these core basics, and things like, you know, password management, password hygiene, not reusing the same password, etc. If all of that hasn't changed,

Craig Taylor (15:46.561)
Exactly right.

Jeremy at Firetail (16:05.934)
why should we ever worry about some of the new attack surfaces, right? When like our core basics, we haven't gotten better in 20 years, why worry about the cloud? Why worry about, you know, APIs like we do? Why worry about new emerging technologies?

Craig Taylor (16:21.633)
Well, it's like anything. I usually talk to my virtual CISO clients as follows. I say, if you show up in the emergency room because you've been in a car accident and you've got some, you're bleeding, they're not going to check your cholesterol or your blood or, you know, your LDLs and, you know, all of those more longevity kind of tests. They're still important, right? The fact that you do or don't have hardening of your arteries.

Jeremy at Firetail (16:48.27)
Yeah.

Craig Taylor (16:51.649)
or high blood pressure, all of that matters. But if you don't have stop the bleeding, the patient will die. So in a cybersecurity analogy, if you don't have your basic cyber literacy buttoned up, you're going to be breached by that far beyond far before some hacker teases out a zero day on your infrastructure or some API vulnerability potentially. It's not guaranteed, but it's like this. If if.

the doors in your house are open, why would they climb onto the roof and try to go through an upstairs, upstairs window when they can walk right in the front door? It's the hackers and people in general are all trying to find the easiest way in. And so email goes right into the center of the organization and social engineering can convince anybody to click on anything if they haven't had any cyber literacy training. That's the easiest way in.

Jeremy at Firetail (17:31.31)
Yeah.

Jeremy at Firetail (17:37.55)
Yeah.

Jeremy at Firetail (17:49.998)
Fair enough, fair enough. I'm curious about something else. You've been working in this space for a long time, and I know you've worked on incident response, and I know you've worked in a broad range of industries. I'm curious what differences you've seen, let's say, between some of those industries in either the way that they approach incident response or in the way that they get breached or any kind of high -level lessons that you might have learned across industries.

Craig Taylor (17:51.073)
Thank you.

Craig Taylor (18:14.177)
Well, that's a great question. You can answer that from multiple different angles. I start usually answering that about the data. What is the data the industry has in their possession? Because that's what makes them a target. When we start with basic cyber literacy training in our videos at CyberHoo, we explain there are five or six different kinds of groups of hackers, right? You've got nation state hackers who have access to all kinds of resources in zero days. And if they target you,

There's not much anyone can do to keep them out. There's organized crime that hire hackers and maybe develop some of these skills within their organizations and they're out to make money. So they're targeting you if they can monetize their breach. So through ransomware, if you have enough money to pay ransom, insurance, if you carry cyber insurance for a while, there's been over the last two years, enormous numbers of school systems that have been breached because they carry...

government funded cyber insurance. And they know student records, student data has to be recovered and you can't release it to the internet with these data exfiltration. So hackers know they can make money and get those ransoms from that. Healthcare, change healthcare just got huge breach because those health records are more valuable than credit cards on the dark map, on the dark internet, on those different forums. So depending on the industry, it tells you what kind of target you might be.

versus the kinds of attackers that are coming after you. If you're in infrastructure in the United States, that might be state sponsored that wanna infiltrate our electrical systems or our wastewater treatment plants in Florida, you may have heard of a recent attack there. There's all sorts of things that are going on, but you have to understand it boils down to the data and what that value of that data is to the attackers. Can they monetize it? Can they leverage it for nation state advantage? Can they?

Jeremy at Firetail (19:58.734)
Mm -hmm.

Craig Taylor (20:11.617)
It could be script kiddies or someone that can't write their own code, but they've used chat GPT and other worm GPT or fraud GPT to write their own software to exploit things and see what they can do. Like just to gain access and gain credibility with their peer group. There's not a lot of maliciousness there, but it is a lot of harm that can come from it. So knowing what you have and knowing what the attackers might want from you will help you understand the kinds of attacks that you're likely to experience from ransomware.

business email compromise to a land and expand, you know, I just want to have access to that electrical grid network and keep it.

Jeremy at Firetail (20:51.566)
Gotcha. Interesting. But there's something in there that you said that I want to dig on a little bit because I might have a slightly different opinion to you. So you talked about, let's say, like, healthcare data making a healthcare organization a target. I'm kind of of the opinion nowadays that everybody's a target all the time. And I just think like the level of automation, and I tell people this all the time, look, hackers have automation, hackers have cloud, right? And so things that previously would have been like,

valid approaches such as security through obscurity, nobody cares about us, we're a small company, we're a small target, that's gone. Things that also would have been valid in the sense of like, we just keep our servers by IP address, we don't really put stuff out there with domain name, listings, etc. We only interact with partners over IP addressing, like those are things of the past. And IP filtering off of bad threat actor IP addresses,

Craig Taylor (21:42.689)
Yeah, that doesn't happen anymore. I agree.

Jeremy at Firetail (21:49.646)
you're just going to cycle through a hundred IP addresses, sometimes, you know, or a thousand in one attack, by the way, right. So,

Craig Taylor (21:52.673)
or a thousand.

Yeah, yeah, they're not they have bot networks that are tens of thousands, if not larger.

Jeremy at Firetail (21:59.982)
Exactly. Okay, okay. So I just wanted to validate with you that that kind of matches the experience that you're seeing when you deal with customers and

Craig Taylor (22:07.361)
absolutely. In fact, one of the myths that we have some infographics, which you can anyone can ask for a copy of our infographics that we produce. There's 31 that we set up for October Cybersecurity Awareness Month. We'll give those away for you for free. Just email cyberhood .com sales at cyberhood .com to get those or you can visit our website and make a request there. But one of them is the myths of cybersecurity. And to your point, companies with 11 to 100 employees.

are 15 times more likely to be attacked successfully than larger and smaller companies today. And that's straight out of the Verizon Data Breach Report when they analyze the types of attacks. The simple thinking is that any company of that size can afford to pay a ransom, has some IP or some things that might be worth stealing. And they don't have necessarily the same resources as the larger companies do. When you get much smaller than 10 or 10 people, there's just not a lot that you can.

Jeremy at Firetail (22:39.886)
Yeah.

Craig Taylor (23:03.169)
milk out of those companies if they're that small. Now that being said, I think your last comment applies to the folks that are 10 or less. You may not have a lot to be ransomed, but you can be down for days and days and weeks, and that could be very, very disruptive to your business. It's kind of like, what do you call it? Friendly fire, or not friendly fire, but when someone...

Jeremy at Firetail (23:28.654)
Yeah, collateral damage.

Craig Taylor (23:31.553)
collateral damage, right? They're attacking these 10, 11 to 100 companies, but they're indiscriminate and they can damage all these small companies that have very little recourse to recover. They may not even have cyber insurance to help them get back on their feet.

Jeremy at Firetail (23:46.158)
Yeah. And I just think that's such a great point. You know, we're, we live in an era where, you know, historically I kind of empathize when I was a cyber practitioner, I kind of empathize with customers who would come to be in, sorry, customers, users inside the organization, internal customers who would come to me and say, look, Jeremy, you know, cyber is not my job. I am an accountant. I am a salesperson. I'm in marketing. Your job is to take care of the IT infrastructure. Your job is to take care of the cybersecurity.

Craig Taylor (23:51.617)
ahem

Craig Taylor (24:07.873)
Mm -hmm.

Jeremy at Firetail (24:13.23)
Yes, I understand I have my little piece to play when it comes to not clicking on viruses, malware, phishing links, blah, blah, blah, blah, blah. But the rest of it, that's all on you. And I kind of feel like that can also no longer be taken as a given, right? You know, every also because of the fact that like we work in distributed environments nowadays.

We're working with online file share systems. We're not working in protected networks that are, you know, in a physical location very often where we could apply a DLP across the whole network or where we could have a lot of kind of a network and centralized controls. You know, those things are kind of gone. Cybersecurity is kind of everyone's responsibility. And that is the message that I certainly preach to all of our customers. And I imagine you have the same message, right?

Craig Taylor (25:02.305)
We absolutely do. Cyber security is everyone's problem to help play a part in protecting and it's not the IT manager or ops director's responsibility. In fact, if anyone is to be singled out, it's the board of directors who are now being held accountable for the cyber resiliency and preparedness of the companies they're advising. There's been recent legislation in New York and other places that are holding boards of directors, advisors,

Jeremy at Firetail (25:22.03)
Right.

Craig Taylor (25:32.161)
accountable to holding the CEO, CFO, CTO accountable for cybersecurity and making sure that things are buttoned up. If you're not funding cybersecurity, you are going to be held to account. And, you know, the good news in all of this, Jeremy, is that this isn't rocket science. We're not trying to go to the moon to solve cybersecurity problems and create cyber literacy. We're teaching very basic things around

urgency, emotionality, and email, you know, social engineering attacks. And then beyond that, we're looking at adopting tools like password managers, or as we've blogged about many, many times at cyberhoot .com slash blog, pass keys, which is a big Fido Alliance of the big three, you know, Apple, Microsoft, Google have gotten together and found a more secure way of authenticating users using pass keys. And it's a really big thing.

And it's being, you can go to Target and use your passkey to log in and order stuff at Target now. So it's adoption is really growing because it is easier, it's more secure. You still need a password manager because you got to store these passkeys somewhere and password managers are really good at that. So that would be another good tip for your users to see, build support for passkeys into your applications as well as adoption.

Jeremy at Firetail (26:50.638)
Yep. Yeah, it makes a ton of sense. So when you think about kind of something that you mentioned there about the regulatory landscape, I'm curious, the new regulatory reporting requirements around kind of breach disclosure, and I think it's 72 hours right now, or maybe it's 96 from the.

Craig Taylor (27:09.281)
I think there's some there are some parameters to that. For example, in health care, you have to have a breach of more than 500 records for it to be reportable to the Department of Homeland Security and CISA. In finance terms, there is a timer, but it could be 72 hours of of a suspected breach. And then from there, you know, your insurance provider, all these different steps in your incident response plan have to be actuated. Right. Yes.

Jeremy at Firetail (27:12.91)
Okay.

Jeremy at Firetail (27:20.142)
Okay.

Jeremy at Firetail (27:37.134)
Okay. And so do you feel like, you know, as somebody who's done a lot of incident response, do you feel like it is a reasonable guideline to have whether it's 72 or 96? I just pulled it up for business day. So 96 hours of reporting material breaches and to your point, material does vary here. It looks like by industry and maybe by company size as well. But do you feel like this is?

reasonable? Do you feel like it's too short? Do you feel like it's too long? Is it just right? Is it the Goldilocks amount of time? How do you feel about this 96 hour thing?

Craig Taylor (28:08.689)
I think it's good because it's holding companies accountable to doing the right thing. Now, when we do incident response, there's two phone calls we like to start the incident or a tabletop exercise. For example, when we're practicing an incident with a client, first two questions are, do we want to get legal involved? Legal representation on that call provides attorney -client privilege to the discussions that are there, making it not discoverable.

if it were to go to a court of law later. And there's some flexibility that allows you to discuss the incident in frank and open terms without the risk of causing a bigger problem. Then the second is your cyber insurance underwriter because they often drive the forensics and the response with their forensic teams that they have on standby to go and help mitigate the damage, contain it, eradicate, recover from these incidents.

But I think 96 hours is from a confirmed or material breach is fair. You should know what's going on and you should have an incident response that has everything well in hand within 96 hours. Many times we all as the public don't hear about these breaches because along the second or third day when you realize that this is a multinational company and hackers are in the network and they've stolen some amount of data.

Jeremy at Firetail (29:19.31)
Yeah.

Craig Taylor (29:33.825)
The next call is to your local FBI office and the crimes, internet crimes, and suddenly there's a, you can't talk about it with anybody. So even though 96 hours you're supposed to report it, you can report it, but no one's allowed to talk to anybody about it until the investigation concludes when it's of that size and scope. So you'll hear many times that there's been this big breach, solar winds. They didn't know for days and weeks what was going on because there was an active investigation. There were,

nation states potentially in the networks at those companies. And we didn't want to tip our hand to knowing that there were nation states in these companies. And we were trying to track down the hackers behind the scenes. So yeah, to answer your question, 96 is far and away enough time to put together a brief summary. They're not asking for a full incident response document of what you did in the minute by minute. You just want to...

Jeremy at Firetail (30:18.798)
Right.

Craig Taylor (30:32.928)
be alerted that there's been a material breach and you're in an active investigation.

Jeremy at Firetail (30:39.118)
Yeah, fair enough. So along those lines, I mean, the two things that come to my mind, well, actually maybe three or four, but you mentioned one of them. One of them is kind of tabletop exercise. And it's one of the things that I find companies maybe do, but maybe pay more lip service to than actually doing them is, you know, sitting down and kind of mapping out what your incident response plan is going to be. You know, if we have an incident of type X, what are, what are the actions that are taken by whom and, you know,

actions that are taken by whom and by the way, if Craig's out, who's the next person in charge to take over and having some resiliency in that plan and you go through it. And second is, you know, some of the core basics around just logging and monitoring so that you know the scale and the scope of a breach and then backups. And I just find that like these are things that are consistently taken for granted that people put them in place once, but they never go back and test the backups. They never.

Craig Taylor (31:13.057)
night.

Craig Taylor (31:26.145)
Mm -hmm.

Jeremy at Firetail (31:37.358)
you know, maybe run a simulation of what that is like at a moment's notice to see, Craig is on vacation this week is that second in command person available and ready to jump into action. Does that kind of match things that you see? Or do you think that people are getting better with this?

Craig Taylor (31:54.721)
I think there's both sides of that coin. I think there are companies that treat it very seriously. And I have a jaded view on this because I'm working with companies that view cybersecurity important enough to hire a virtual CISO to then do a tabletop, to then ask the question, where's the call tree? When was it last updated? How do we know who we're going to call first? Has a backup been tested from Restore? Do we have backups that are offline? Do we have three?

We always call it the three to one rule of backups, three copies, two different mediums, one offline. Excuse me. So there's that. But so I, there are many other companies that I get pulled into in response to an incident that's occurred and you look at it and you say, well, okay, what's happening here? There was a basic lack of cyber literacy. Again, going back to the types of breaches, it's always boiling back to the phishing.

social engineering, weak passwords, a lack of MFA. If you do one thing today, turn on MFA on all your online accounts. If you do two things, start training your users on cyber literacy skills, three things, fish simulate them so they can learn to spot these things and avoid them. But there's another interesting trend to that end, Jeremy, because of COVID and even before that, we were calling it the digital transformation. And that was removing these servers from on premises and putting them in the cloud.

With the cloud services that are out there, there's a lot better logging, reporting, and monitoring by Google and Microsoft and some of these other providers out there so that it's harder for hackers to do things without a written trail. So there is some improvements there by going to those cloud applications in that sense, whereas you were responsible yourself for the best practices on your own server infrastructure and your own VPN.

So I see some improvements in that sense.

Jeremy at Firetail (33:51.694)
Okay, okay. And you know, we're coming coming up to time on our episode here today. But you know, it's 2024. Legally, I am required to ask you about AI and phishing and incident response. So quick thoughts. I mean, what are you thinking? We I've had multiple guests on where we've talked about who's going to get the first advantage, who's going to get the better long term sustained advantage. And look, I think opinions vary. And we're still very, very early in this exploration. So

Craig Taylor (34:03.041)
Yes.

Jeremy at Firetail (34:20.75)
There can be a lot of opinions, I'd just love to hear yours.

Craig Taylor (34:24.385)
AI is going to be the great enabler and the great downfall of companies because, you know, one of our phishing metrics is spelling, punctuation, and grammar. Anyone that does AI in the world today can put it through, I'm sorry, does phishing attacks, can put it through an AI agent and convert it into any language in the world. So you might lose cultural translations and nuances, but you're not going to have...

anything that's obviously incorrect from a grammar spelling punctuation perspective. So it's helping hackers do better jobs. It's also helping hackers when they do a vulnerability scan and they find vulnerabilities and they don't know how to breach those vulnerabilities, they just ask AI and it says, you need this meta exploit with this plugin and that and then these parameters and you can take advantage of it. So it helps you exploit the vulnerabilities you find. So it's really helping there. And then the hackers are saying, well, it would be nice if I had a password.

Jeremy at Firetail (35:06.702)
Yep, yep, yep, yep.

Craig Taylor (35:17.345)
cracking solution. And so write me a password cracking solution so that the AI is also helping hackers write code that helps them do these things that they wouldn't otherwise have ability to write themselves or have time to write. Right. There's a lot of great hackers, just busy people. AI just makes it so much quicker and easier. So that's on the negative side. On the positive side, IDS, intrusion detection systems, intrusion prevention systems are

Jeremy at Firetail (35:32.142)
Right.

Jeremy at Firetail (35:36.238)
Yeah. Yeah.

Craig Taylor (35:44.705)
looking for needles in not just a haystack, but in a universe of haystacks, right? And so the ability of AI, there was a test recently where there was like a thousand page document and one researcher put in one extra sentence in that thousand page document that didn't belong. And it said, AI, can you spot it? And within a split millisecond, it said, yeah, it's this sentence right here. It doesn't belong in this whole thing. It's very, very good at identifying abnormalities.

outside the norm stuff. So if you got a login at 3am, that's kind of an easy one for most IDS and IPS systems and SOCs and NOCs to spot. But there are much more subtle things, right? The 601 login that is normally this person's gone at five every day, but it's now six o 'clock and time zones being time zones, maybe they're working remote from somewhere else. Well, that could be an anomaly that gets escalated and it looks well, yeah.

Jeremy at Firetail (36:21.486)
Yeah.

Craig Taylor (36:39.329)
The time zone doesn't match because they just logged in over here from this time zone, but it's a different time zone with the 601 login. So that's another teasing out of that defense. So breaches will be easier to spot in some of the tools that are AI driven. And we're starting to see some of that in both the EDR, endpoint detection response, MDR, managed detection response, those areas.

Jeremy at Firetail (36:48.878)
Yeah, yeah.

Jeremy at Firetail (37:03.342)
Awesome. And I'm curious, do you think that it means though, that the breach vectors change, or do you think it continues to be business email compromise, et cetera? Do you think it'll shift more towards like publicly exposed vulnerabilities?

Craig Taylor (37:14.977)
It's going to be the same. Well, so if we get to a threshold of cyber literacy across everyone, which I don't see a future where that's going to occur anytime soon, you know, there's reading, writing, arithmetic and computer literacy, but there's not cyber literacy, right? Until the schools of the world all teach password management and multifactor and all this stuff in the schools, you're going to have a...

Jeremy at Firetail (37:29.038)
Yep, yep.

Jeremy at Firetail (37:35.726)
Yeah, yeah.

Jeremy at Firetail (37:39.918)
Yeah, yeah.

Craig Taylor (37:43.073)
a whole generation of people that don't have the raw basic skills to avoid the simplest attack, which gets to everybody's computer through all the gateways and filters and malicious protection mechanisms. So it's going to stay the way it is now for the foreseeable future. If at some point we deal with cyber literacy and everyone learns it in school and you're tested periodically and your companies are testing you and...

mandating that you take this training, we'll see a shift towards the use of AI and more vulnerability scanning, maybe even code scanning to find zero days within the code to try and punch holes in the existing infrastructure that's out there. And certainly nation states are already doing that. That's what, you know, the spooks are all after. So it's going to continue that way. It might grow a little bit, but there's so many more fish in the barrel that are easy picking that,

Jeremy at Firetail (38:30.67)
Yeah.

Craig Taylor (38:42.049)
it's gonna stay this way for a while.

Jeremy at Firetail (38:44.91)
Awesome. Well, Craig, I've got just one more question I'd like to ask you before we went on the air. You asked, you told me about some gift cards. Tell us the story.

Craig Taylor (38:52.865)
yes. So this was a few years back. In fact, it's an origin story of Cyber Hoot. I was acting as a V -Siso for a company and they had an incident. They called me in on a Friday night. They said, listen, we've had this incident. We had a person in our human resources department go out and buy gift cards. And that person, I'm not going to say male or female because it doesn't matter, but that person went out and maxed out their work credit card, then their personal credit card.

then got an extension on the work credit card to allow for more money before anyone was wiser on what this person was doing. And they were buying gift cards for the president of the company. They had just started two weeks prior at this company. They had posted on their social media account, really excited to be working at X, you know, not X the company, but X company. And they were targeted. Someone looked up the CEO said, hey, I'm the CEO of this company. I'm trying on the download to reward.

Jeremy at Firetail (39:41.102)
Yep, yep. Yeah, yeah.

Yeah.

Craig Taylor (39:51.841)
employees with gift cards. I want you to buy as many hundred dollar gift cards as you can, scratch off the back, take a picture and send them to me. 50 at a time, this person did, what was it? $26 ,000 in gift cards. These are hundred dollar gift cards. And I keep them as a reminder for what can happen when you don't teach people basic cyber literacy skills of social engineering combined with the penchant for people to post where they're going to work on social media and they get targeted.

Jeremy at Firetail (40:07.726)
Cheers.

Craig Taylor (40:21.793)
And there's lots of simple things you can do around, you know, banner messages and emails and, you know, impersonation detection. There's technical protections that you can do, but more importantly, it's the end user. You have to teach them basic raw cyber literacy skills so that that doesn't ever happen again. And that's what we set out to do at cyber who with our hoot fish training, positive reinforcement training with our videos that we put together an annual program that covers all the basics of cyber literacy and a whole bunch more.

We've got quite an automated solution in place for our clients. I think we're at 45 ,000 or more users now in our platform.

Jeremy at Firetail (40:59.374)
That's awesome. That's awesome. And it's really important work, Craig. And I know people who have fallen for similar things and I know both the emotional and the business impact that it can have. And so it's important work that you guys are doing there. I wish you guys all the best in continuing to build out what you're doing at Cyber Hoot. Thank you so much for taking the time to join us today on Modern Cyber, Craig.

Craig Taylor (41:21.505)
My pleasure, Jeremy. Thank you.

Jeremy at Firetail (41:23.758)
Awesome. My guest today has been Craig Taylor. We've had a great conversation about ransomware, about phishing training, about incident response, about a lot of things. You can find information about Craig and his company at cyberhut .com. We'll have links in the show notes to the infographics that he mentioned, as well as to the SEC reporting guidelines that we touched on in this episode. Thanks for joining us on this episode. We'll see you next time.

Discover all of your APIs today

If you can't see it, you can't secure it. Let FireTail find and inventory all of the APIs across your organization. Start a free trial now.
Start Trial

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!