Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 18 - Proactive vs. Reactive Cybersecurity

There is a lot of talk about "proactive cybersecurity against threats" but what does that really mean and is it better than reactive? On this week's show, the guys discuss proactive versus reactive cybersecurity considerations and where to focus.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 

welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security criminals  and now here's your hosts mike rotondo zach fuller  
and lauro chavez hello and welcome to the cyber  ants podcast this is your co-host zach fuller  
joined by lauro chavez and mike rotondo mike why  don't you kick us off with the news today good  
morning some headlines today i think i got 13 or  14 of them the first one is researchers uncovered  
a new malware builder dubbed apo macro split  it's used to create weaponized excel documents  
they've seen this in the wild already experts  warn of threat actors abusing google alerts to  
deliver unwanted programs what's happening here is  clicking on links sent by google alerts related to  
matches and fake stories uh users are redirected  to malicious websites so be careful out there new  
silver sparrow malware in facts 30 000 max for  unknown purpose there's uh malware out there  
they've detected about 30 000 devices across 153  countries primarily in the united states and uk  
it's delivered it's distributed two different  files updater pkg and update pkg or dot pkg  
and uh no one knows what it's there for so  interesting from the creepy side of cyber  
criminals if there is such a thing a nursery cam  daycare cam server shut down after security breach  
uh this is a service in the uk apparently  someone had breached the system and was watching  
children's sleep so yeah you go shadow attacks let  attackers replace content and digitally sign us  
pdfs uh basically what's happening is  that they're able to create a pdf with  
two different contents one is of the party  expected to sign something the other pieces  
of hidden content that that's displayed once  the pdf has signed and they're using this as  
a back door these hackers sell network logins to  the highest bidder and ransomware gangs are buying  
we now have a new development in cyber criminals  that we now have brokers that break into networks  
rather than exploiting the campaigns they just  resell them to middlemen access to remote desktop  
protocol rdp is the most sought after listing  obviously uh but yeah this is a new a new thing  
uh i think a couple weeks ago we talked about the  the malware the cyber criminals that were stealing  
other criminals credit cards that they'd stolen  well now we've got brokers selling access bitter  
apt enhances its capabilities with windows kernel  zero day exploit there's a new exploit new zero  
day that supposedly was patched february 2021  so sometime this month it was patched uh it's  
exploit cve 2021-1732 needs to say another  microsoft exploit um legal firm leaks 15 000  
cases via the cloud an unsecured aws s3 bucket  containing 55 000 documents is left wide open  
uh so be careful with your legal providers out  there abt-32 state hackers are targeting human  
rights this comes from amnesty international which  said that uh certain bloggers i've been receiving  
spyware email emails containing spyware  between 2018 and november 2020. 100 and this  
one blows my mind 119 000 threats per minute were  deducted detected in 2020. i said that seems low  
yeah email born threats such as fishing attacks  accounted for 91 percent of the 62.6 billion  
threats blocked by trend micro last year this is  just trend micro's number so yeah it probably is  
well nearly 14 million unique phishing urls  is detected by the company with home networks  
being the primary target uh this is scary the  home the cyber attacks on home network starts  
210 percent year-over-year to just under 2.9  billion vast majority strikes however are  
against brute forcing logins on smart devices and  routers so make sure those are secured make sure  
you get a long password uh make sure you change  it every once in a while microsoft president  
asked congress to force private sector orgs to  publicly admit when they've been hacked okay  
well when microsoft admits it then we'll admit it  uh smith argued it's time not only to talk about  
a way to force uh private entities to admit  publicly that they've been hacked so that's some  
more good news from your government there's two  note stories that came out about critical flaws  
in the vmware esxi vsphere clients basically patch  it immediately the error allows unauthorized users  
to send specially crafted requests which  will later give them an opportunity to  
execute arbitrary commands on the server and it is  accessible from the internet and has been seen in  
the wild so um check out that headline in the blog  um microsoft lures populate half of credential  
swiping phishing emails according to researchers  beyond the 45 percent of credential stealing  
phishing attacks targeting microsoft basically  microsoft's a huge target and uh always will be  
and that includes sharepoint onedrive and office  365 but they're also attacking google forums and  
adobe file sharing services but microsoft  is the big target out here lastly criminals  
are targeting quickbook databases there's two  different attacks there's a powershell command  
that runs inside the nemosis email and the other  one is a word document that has a malicious macro  
or link in it so if you got quickbooks be careful  and with that said laurel anything you got for us  
yeah i got a few things i got a shirt design um  idea for anybody out there listening that wants  
to make me a shirt i i'd like a can or a ryu from  street fighter shooting at a fireball only it says  
powershell i think that'd be cool anyways uh so  for this week really is only one thing to talk  
about um so if you're not if you're not familiar  with uh with raxis uh their their security  
firm specializes in penetration testing one of  their senior guys um ryan matt dunn i was able  
to produce a really cool metasploit module that  takes advantage of the remote desktop web access  
uh client so when you've got rdp open you can  enable that web access portion of that and so this  
is an authentication timing attack and it's just  it's a it's a really cool it's it's a really cool  
method to validate um user names that you might  have for admins and stuff like that and so uh  
it's not verified but just taking a look at  all the the python 3 code that it i mean it  
i can't imagine it wouldn't work but i'm really  excited to try this out so i'm trying to get up a  
windows 10 vm spun up so i can i can see if  this if this actually um works is designed  
uh but for everybody else out there make sure that  your windows desk if you're running rdp external  
at all make make sure you've got some form of  security boundary in place to protect that whether  
you're using whitelisting or hardware certs or vpn  or however you're doing it i just know that these  
these these types of attacks are becoming more  prevalent especially from a proof of concept  
perspective and now they're just adding these  to the they're just building metasploit modules  
for you so cool stuff that's all i got before we  dive into it mike i can't help but bring this up  
for the people on office 365 because i hear about  it over and over and over again just heard about  
another one please please please make your users  use hard passwords and two-factor authentication  
with the authenticator app not text to your cell  phone because office 365 continues to get breached  
left and right like crazy it's just it's just nuts  but you'd be amazed how many organizations are not  
using the basic security features uh to prevent  this just wanted to throw that out there hopefully  
it saves somebody from getting an email compromise  and sending out wires to um malicious actors  
that said that dovetails right into our topic  today and the topic is all about reactive versus  
proactive security but what does that mean you  know you hear a lot about proactive security  
and being proactive with your security program  and all those things but very few people stop  
and really talk about that and define the  the difference and talk about both sides  
of the equation right so that's what we're here  to answer today and i think just to talk on the  
proactive side briefly and kind of what what  that's generally uh used for in in in terms of  
content on websites and blogs and everything else  are generally talking about proactive being you  
know getting in front of the threat as meaning  the threat being an attacker but i would argue  
that it's also getting in front of security  questionnaires coming down before they come  
down to your organization right so growing tech  companies for example right getting in front of  
compliance requirements before there's an audit  those things i think also need to be taken into  
account so that's what we're here to talk about  today mike lauro any thoughts any any ideas start  
out on on recommendations on how to look at  each and where you really need to be focusing  
the majority of your time or at least  how to balance your time between the two  
good topics zach i think to talk about  it i think a lot of organizations may  
you know may be in various i mean they're all in  various you know places with this right with cyber  
security both you know from understanding  it to just getting some base level tools  
installed where they're you know really kind of  reactive and and sort of just trying to understand  
the data that the tools are delivering and that if  you're there um and you know we i'm sure we'll get  
into a little deeper here but i mean just for  high level right if you're if you're stuck in  
that mode that's okay i think a lot of a lot of  organizations are you know you have to kind of  
go through this evolution right where you you  know you don't know what's going on you get  
some tools now you have a lot of data you're not  quite sure what's going on um and then you know  
now once you once that once the dust settles on  that you can begin sort of a proactive um posture  
now um but while you're being reactive and while  you're still trying to understand the data that  
you're getting today with maybe new tools or new  capabilities telemetry that you may have installed  
make sure that you're thinking ahead right  you also need that parallel track because  
defensive and reactive is not near enough you  need to have that proactive visibility toward  
attack surface modeling and threat hunting and  those sorts of things yeah absolutely um i think  
we we have the uh technology aspect and then the  governance aspect as well and i think that's what  
a lot of the tendency to be reactive in nature  from a cyber security perspective is because the  
strategy and upfront planning hasn't  been done for the organization  
uh and and so that just kind of forces  them into default mode i think by  
by default the reactive mode is is kind of you  know the way companies will operate if they don't  
actually take the time to stop and think through  their program and start to formalize that program  
and it's not just on the technology side but  also we have to look at the human element  
right in a big way equipping them so there's lots  of information out there on security awareness  
training and such one you know that's not the  purpose of today's episode but that's a big factor  
i think in in uh trying to get ahead of threats um  looking at it from all angles of the organization  
uh rather than waiting for a tool to pop up  a red flag and saying oh wait now we got to  
investigate this so it's an interesting thing  and then you know but on on the reactive side  
there there's certainly a need to define  that as well right where we see a lot of  
organizations fall short is in their  incident response planning for example  
if something happens they don't necessarily know  how to quantify it how to how to classify it  
and as a result they don't know the appropriate  actions to take uh and are kind of [ __ ] caught  
off guard completely uh that's that can  be a very very big problem so i think that  
there's a certain amount of consideration that  needs to go into the reactive side as well but  
um how to blend the time i i don't know if  there's a i don't know if there's a magic  
answer for that you know where do you spend more  of your time so for your ir and dr plans which  
are arguably reactive plans but there's  a proactive component to it and that's  
the blend is proactively we're going to test this  we're going to do tabletop exercises occasionally  
we're going to do a full failover to our hot site  we're going to have our workers work remotely  
one day this week just to verify although this  is less relevant now because most people are just  
to verify that our infrastructure can handle  it right we ran into this prior to covid and  
we had a client that swore up and down they would  have no problem and all of a sudden covert hidden  
went they went all crap nothing's working so um  that's the proactive side of that reactive piece  
right and so you know what they say about  assuming it makes butts out of everybody  
anyways you know it you know you're right zach a  lot of organizations they they don't know this i  
mean out of all the clients that i've ever worked  with i've only ever been outside the department  
of defense only ever been with one public sector  client that was like we're gonna build something  
that sounds like a cool idea how do we secure  it from the get-go it's only happened one time  
one time right um so i wish it was more common  but everyone else seems to speed to market and  
then realize that in order to obtain a hold  in you know maybe some places or into some  
larger companies they they have to meet you know  these these sort of compliance regulations and  
that is like you said that when they begin the  whole pathway of like oh we want the sale so how  
do we how do we implement security and they'll be  reactive and then that'll be a bare minimum right  
isn't that kind of how the tone goes right well  how can we what's the cheapest way we can do this  
and meet the meet this initiative um as opposed to  looking at the what what the principle should be  
is how do we secure our business so that we don't  have a loss of integrity we don't have a lot of  
customers we can maintain that you know we've  we've thought about this from the get go right  
it's when we look at it from a reactive from  a perspective of an attack happening or some  
sort of potentially malicious activity uh you know  something out of the norm that's that's one side  
of the equation but another thing that can be  detrimental is like you said when when all of a  
sudden a company is reacting because a prospect a  prospective client engagement is on the line right  
and they could lose that i think where that can  be detrimental from a revenue perspective is that  
it you know the companies spend all this time  building beautiful websites great user interface  
everything is really dialed in they got their  sales process set everything's looking good so  
on the front end um that their their prospects say  okay all this looks good but as soon as they pull  
back the curtains the very next thing they're  going to look at is a cyber security program  
and when that's not in line and the company  can't show it that undermines all that other  
work that they did and they can lose the  client i mean it happens it happens daily  
uh out there and so that that can be tremendous  in terms of looking at you're looking at um  
you know the the risk factors it's not just a risk  factor from a breach it's opportunity costs lost  
revenue right and and um money spent on trying to  acquire clients that don't come through because  
you get stuck in the vendor vetting process and  they go elsewhere um not to mention that they're  
willing to pay more for companies that are secure  that are really dialed in do have their ducks in  
a row from a security standpoint so we see that  uh regularly out there in the markets phase in  
the b2b b2b environments especially supply  chain security that's what they're calling  
it right they want all the third parties that  are involved in you know providing something  
technical for your business is that technical  supply chain they want those all to be secure  
you know secure third parties right they're gonna  assess you and and and they're gonna expect you  
to um you know to answer properly or like you  said they'll they'll pay more to not have their  
the integrity loss uh to their business brand  yeah absolutely yeah um but you know i mean  
it's it's interesting and you know even even  security tools i'm gonna throw this out here  
right we we get we get pitched cyber security  tools a lot because we're a cyber security firm  
right and there's a lot of cool stuff out there  and what is the very first thing we ask well what  
are you doing on the behind the scenes have you  had a pen test can we can we talk about methods  
you're using today to secure you know access  controls inside the code of the application and  
today we've we've not had a solid answer even from  organizations that are building tools that you  
know cyber security professionals and team cyber  security teams would use for their businesses  
it's kind of interesting right you still have  that that kind of method of thinking um out there  
even even with the prevalence of cybersecurity  today and the need for it yeah absolutely i mean  
in in in kind of looking at it in a in a  linear fashion let's talk a little bit about  
how companies should get into a more  proactive state as an organization  
while still having the reactive side covered right  because you can't stop everything um nothing's 100  
secure so you need you need the reactive side but  let's let's talk a little bit about about um you  
know from getting getting from point a to point b  in this and that's uh you know for us it's always  
starts with clients with pretty much anybody that  we're working with on an ongoing basis to build  
a formalized security program we need to start out  by choosing an industry standard framework right  
doing a risk assessment a gap analysis against  that framework and then creating a roadmap with  
a plan of action milestones to move forward  right so to me um and certainly opened it to  
your thoughts but to me it's the the step number  one priority number one is creating clarity across  
the org the entire organization understand where  you are today where you need to go and and plot  
the route to get there and then from there and  i'd even say in parallel we're already starting  
to do some preventative measures right getting to  understand the environment doing pen testing doing  
vulnerability scanning understanding where the  potential attack surfaces are to to seal those up  
um and and then that that kind of gives us the we  call it the system's triage phase right trying to  
get under understand what the low-hanging fruit is  what attackers are seeing um or could potentially  
see and then taking care of that first right  it's kind of the immediate because they're the  
the implementation of everything else is going  to take take a while but at least we can kind  
of cover the basis uh first and to me i think  that's the kind of the first phase of proactive  
cyber security any any other thoughts on that any  any ideas yeah i mean you know i think you know  
you make a good point so if we look at  other just common things in the world like  
um if you have a cdl right for those of  out there that have cdls before you can  
move that that commercial vehicle anywhere there  has to be an inspection done on it you have to  
go around and make sure all the lights work right  make sure you've got air in the tires and there's  
just there's a you can't just same thing for  pilots you can't just get in hit the button and go  
um we should think about technology  and delivering you know these types of  
built for purpose uses in the same manner and  to zach your point you know i i would i agree  
with you that is absolutely the plan but before  that i'd say step zero has to be commitment right  
and we've talked we taught this before you you  have as a business as a leader you have to commit  
to cyber security because once you get that gap  assessment there are no more there there is no  
more ability for for plausible deniability right  there are no not going to be any unknowns anymore  
they're going to be unknown unknowns but you're  gonna now see where you where you sit against a  
framework and it's most times it's gonna be on the  low bar and you're gonna need to you know start  
making that that stairway to heaven so to speak  and so that that's gonna take time and it's going  
to take patience and it's certainly in most cases  going to take a little bit of money being moved  
around in certain aspects depending on what you've  done already sometimes not so much sometimes a lot  
more but i think that commitment piece is key  would you agree yeah it has to start with uh it  
has to start with a leadership decision commitment  and then that has to be articulated well to the  
rest of the organization because everybody's  going to be involved and have some level of of
capability in terms of preventing cyber attacks  right totally and at the other side of the coin  
right once you've done all this you know because  we've talked a lot there's probably a lot of  
organizations listening to this that are you  know in this probably spot but there's probably  
a small aspect that have already gotten  through all this they have the road map  
they've got a team they've got telemetry they're  investigating they're writing tickets right  
they're chasing ghosts in the machine they're  getting to the point where they're starting to  
parse out the data that's meaningful to them  in a dashboard style so that they understand  
you know from from from millions and or  billions of bytes of data what's really  
meaningful right the actual couple  kb that's actually a meaningful thing  
they're getting to that point and i think it's  it's a good thing for them to know that that's  
you know that's great that you're there but  you know it's like getting to the top of mount  
everest that's fantastic now you've got to go back  down so don't don't forget that there's still you  
know there has to be that proactive window  that we've talked about right threat hunting  
maybe consistent penetration testing  campaigns with you know automated tools  
that are going out there you can certainly  use automated bots to do a lot of work for you  
um and the more often you do it the the the more  you're going to know about the organization so if  
you're to that place right if you've already got  the maturity there and you've got an attestation  
to a framework and you've been doing it for  a couple years and your teams are starting to  
kind of plateau on chasing ghosts in the machine  and actually ignoring all that stuff and now your  
telemetry is giving you really meaningful data  that's you know even before this though but it's  
hard for organizations to start that proactive  piece with threat hunting and all those things  
while they're still just trying to  understand the tools they have um  
perfect world you would be doing both at the same  time but if you're if you've plateaued that's  
where you need to start looking for advanced  threats and those things in the architecture  
that may not be visible to the automated tools  where you're going to need domain knowledge  
of the deployed architecture to understand what  weaknesses may exist right real real threat honey  
well then staying over vigilant just telling off  what you were saying is is the key right you're  
never cyber you're never secure there's always a  threat that as we you know know in the headlines  
they're evolving daily if not hourly um so you  got to stay up you got to stay up you got to  
stay on trends you got to stay trained you  got to stay you know in the news you got to  
read what's going on and and stay proactive from  that perspective as well keep your people engaged  
send them the training send them the seminars  all those things keep keep you secure long term  
and for those organizations that are uh have  have a bit more matured cyber security program  
like you're like you're referring to um that's  outstanding but keep in mind too um there there  
are there's always a next next evolution right  of the program and a lot of times what we see  
for organizations that have built a good program  they're monitoring well they're they're being  
proactive in their assessment of the organization  testing of the organization um a lot of times the  
next uh struggle is always staffing right and  the the actual human element side and so that's  
another thing when you're when you're at that  point everything's looking really good we'll look  
at start looking at the human element in more  detail do we have redundancies in our subject  
matter experts um how is our uh recruiting going  right do we have a pipeline of of people that um  
we could potentially work with if we lose somebody  right what are what are those those backups in  
place um and then also the the um managerial side  or the the leadership side of it right are we  
going to continue to get full buy-in i think one  of the one of the things is that we look outside  
of the organization for threats and such in  terms of of trying to be proactive but then  
we also have to look at the fact that you know i  hate to say it but when nothing happens in cyber  
security um a lot of times it gets you know kind  of put put by the wayside right the executive  
leadership will tend to just say well you know  where else where can we cut costs here and there  
we see this happen out there when things are  going well from our perspective it means that  
the rest of the organization doesn't have to hear  about it right there's nothing there's nothing to  
report because uh that you know there's no  bad news it's a cyber security's offer an  
afterthought until something breaks and then  it's like well where are the security people  
exactly exactly we have to have to remember that  otherwise you know i hate to say it but funding is  
going to dwindle support from the organization's  going to dwindle so you have to be constantly  
putting out that message internally don't think  of your threats as all you know all as you know  
um apts and such out there in the world and and  you know nation state adversaries that are after  
um you know money and everything else it's it's  not that's not always the biggest threat for  
organizations a lot of times it's internal  know i think you also have to change the  
mindset and think about that we're actually  i mean it's really war it's cyber warfare out  
there i mean these are people that are trying to  take your stuff they're declaring war on you um  
and i i think you know and you guys can speak this  better than i can but you know if the army gets  
complacent in the battlefield then it is apt to  lose its edge and become you know ineffective and  
it's the same thing with internal cyber security  people and your cybersecurity thinking is if you  
become complacent then problems are going to  arise absolutely yeah proactive doesn't mean  
outpacing the threats proactive means continually  getting better yourselves as an as an organization  
right regardless of what the  the world around you is doing  
um continuing to push um and i think that's true  in any business or even with athletes and such uh  
you know it's all it's all about that continuous  improvement continuous focus rather than than  
uh checking the blocks so that said we are there  we could we could talk on all kinds of different  
uh nuanced aspects of this but we're uh running  out of time here any final thoughts for the day
uh you know one thing if you're if you're if  you're to the point where you're doing you know  
you've got your incident response you need  to be running tabletop exercises make it fun  
i like to uh those who get to work with me know  that i do a d and d style kind of larp with the uh  
with the incident response and the dr exercises  and so you know think of things like this to  
make it fun so it's not so um you know not so  not fun that's it well also you know bring in a  
third party to run it so you're not having you  know the same people running the dr exercise  
or the ir exercise that'll add it to us too of uh  uncertainty as well that's a good idea great point  
outstanding well thank you everybody for joining  us today thank you for listening please rate us uh  
rate the podcast let us know what you think let  us know of uh topics you'd like us to cover in  
the future and we will be happy to address those  thank you so much have a great day take care bye  
pick up your copy of the cyber ants book  on amazon today and if you're looking to  
take your cyber security program to the next  level visit us online at  
join us next time for another  edition of the cyber rants podcast