Darknet Diaries

167: Threatlocker

49 min
Dec 23, 2025
Summary

Episode 167 looks at ransomware and deny-by-default (zero-trust) endpoint security through two case studies, with ThreatLocker's application control product featured throughout (the episode is sponsored by ThreatLocker). The first documents a UK manufacturing company's recovery after Conti ransomware encrypted all 250 of its servers in about 15 minutes. The second follows a hospital network where an attacker logged in through the VPN with purchased domain-administrator credentials, was blocked from running AnyDesk and Rclone on protected Windows hosts, and then pivoted over VPN tunnels into a connected hospital system that had no such controls. Together they show how a deny-by-default execution policy blunts an intrusion on the hosts it covers, and why it still has to sit alongside MFA, segmentation and detection.

Insights
  • Application allowlisting (deny-by-default) stops ransomware that signature-based detection misses: an executable that is not on the allow list is blocked whether or not any product has ever seen it before
  • A ransomware incident calls for immediate network isolation and eradication before restoration; the attacker may already be present in the environment, or inside the backups themselves, so restoring first risks being re-infected and exposing where the backups live
  • Deny-by-default application control does not need months of deployment; after a learning period that records what the business actually runs, the policy is switched to enforcement, and Jenkins describes the goal as deployment in hours and days, while the manufacturing company rolled it out at the tail end of its three-week rebuild
  • Multi-factor authentication on internet-facing services such as VPNs is critical; in the hospital case the attacker simply logged in through the VPN with a domain-administrator username and password bought on a dark web market
  • Security culture and plain communication about past incidents are powerful tools for gaining user acceptance of restrictive execution policies
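The workflow the episode describes, a learning period that records what the business runs, a switch to secure mode that denies anything not on the list, and an operator portal for approving requests, is sketched below in Python. This is an added illustration, not code from the episode or from ThreatLocker, and it assumes one design choice the episode does not spell out: executables are identified by SHA-256 of their contents rather than by file name, which is why a renamed copy of an exfiltration tool is still denied. Host names, user names and the byte strings standing in for binaries are all constructed for the example.

```python
"""Deny-by-default application control, modelled on the learning-then-secure
workflow described in the episode. Constructed example; not ThreatLocker code."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExecEvent:
    """One attempt to start a process on an endpoint (constructed sample data)."""
    host: str
    user: str
    path: str
    image: bytes  # stand-in for the executable's bytes on disk


def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass
class AppControl:
    mode: str = "learning"                        # "learning": observe; "secure": enforce
    allowlist: set = field(default_factory=set)   # approved executables, keyed by hash
    denied: list = field(default_factory=list)    # blocked attempts kept for investigation

    def evaluate(self, ev: ExecEvent) -> str:
        digest = sha256(ev.image)
        if self.mode == "learning":
            # Learning period: everything runs, but we record what the business uses.
            self.allowlist.add(digest)
            return "allow"
        if digest in self.allowlist:
            return "allow"
        # Secure mode: anything not explicitly approved is stopped; no signature needed.
        self.denied.append((ev.host, ev.user, ev.path, digest))
        return "deny"

    def approve(self, image: bytes) -> None:
        """Operator answers 'yes' to a user's request from the portal."""
        self.allowlist.add(sha256(image))

    def blocked_by_host(self) -> dict:
        """Summarise denials per host: the view an investigator reads after an intrusion."""
        out = defaultdict(list)
        for host, user, path, _ in self.denied:
            out[host].append(f"{user} -> {path}")
        return dict(out)


# Constructed stand-ins for real PE images.
WORD = b"MZ...word.exe"
OUTLOOK = b"MZ...outlook.exe"
ANYDESK = b"MZ...anydesk.exe"
RCLONE = b"MZ...rclone.exe"


def run_scenario() -> AppControl:
    ac = AppControl()
    # Phase 1: learn what the business actually runs.
    for ev in [
        ExecEvent("WS-101", "alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE", WORD),
        ExecEvent("SRV-MAIL", "svc_mail", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", OUTLOOK),
    ]:
        ac.evaluate(ev)
    # Phase 2: switch to secure mode.
    ac.mode = "secure"
    # A compromised domain admin tries to stage remote access and an exfil tool on servers.
    ac.evaluate(ExecEvent("SRV-PACS", "da_backup", r"C:\Users\da_backup\AnyDesk.exe", ANYDESK))
    # Renaming the binary to look benign does not help: the hash, not the name, is checked.
    ac.evaluate(ExecEvent("SRV-SQL", "da_backup", r"C:\Windows\Temp\svchost.exe", RCLONE))
    # A legitimate user running an approved app is unaffected...
    ac.evaluate(ExecEvent("WS-101", "alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE", WORD))
    # ...while a tampered copy of that same app (one byte differs) is still denied.
    ac.evaluate(ExecEvent("WS-102", "bob", r"C:\Program Files\Microsoft Office\WINWORD.EXE", WORD + b"\x90"))
    return ac


if __name__ == "__main__":
    engine = run_scenario()
    for host, attempts in engine.blocked_by_host().items():
        print(host, attempts)
```

The denial log is the part an incident responder cares about: in the hospital story it was the record of AnyDesk and Rclone being blocked that told the MSSP which account was compromised and which servers the actor had touched, and it later gave the insurer's negotiators a grounded picture of what the attacker had actually reached.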
Trends
  • Shift from perimeter-based (castle-and-moat) security to zero-trust architecture with application-level controls
  • Ransomware-as-a-service affiliate models creating industrialized cybercrime with financial incentives for attackers
  • Increased adoption of EDR/MDR solutions, but recognition that detection alone is insufficient without preventive controls
  • Growing importance of cyber insurance in incident response and ransom negotiation strategies
  • Lateral movement through interconnected systems (VPN tunnels between hospital networks) as an attack escalation vector
  • Application control and deny-by-default policies becoming table stakes for critical infrastructure and healthcare organizations
  • Threat actors actively reconnoitering networks and pivoting to unprotected systems when they encounter security controls
  • Recovery time objectives shifting from "restore as fast as possible" to "rebuild correctly" when infrastructure is end-of-life
Topics
  • Ransomware Attack Recovery Procedures
  • Zero-Trust Security Architecture
  • Application Whitelisting and Deny-by-Default Policies
  • Endpoint Detection and Response (EDR)
  • Multi-Factor Authentication Implementation
  • Incident Response Playbooks and Crisis Management
  • Cyber Insurance and Ransom Negotiation
  • Network Segmentation and Lateral Movement Prevention
  • Malware vs. Legitimate Software Distinction
  • VPN Security and Credential Compromise
  • Backup Verification During Ransomware Incidents
  • User Compliance and Security Culture
  • Managed Security Service Providers (MSSP)
  • Red-Amber-Green Triage Systems
  • Post-Incident Infrastructure Modernization
Companies
ThreatLocker
Application control and zero-trust endpoint security platform featured throughout episode as primary defense against ...
Conti
Russian-based ransomware-as-a-service operation that attacked manufacturing company, encrypting 250 servers in 15 min...
Malwarebytes
Enterprise antivirus platform purchased post-incident but found insufficient; signature-based detection tool rather t...
ARK Technology Consultants
Managed security service provider that implemented ThreatLocker and EDR solutions for hospital network security
Microsoft
Windows operating system and Office applications discussed; Windows Defender antivirus mentioned; Exchange and SQL da...
AnyDesk
Remote access tool that threat actor attempted to deploy on hospital servers but was blocked by ThreatLocker
Rclone
Data transfer tool that threat actor planned to use for exfiltration but was blocked by ThreatLocker controls
TeamViewer
Remote access tool commonly exploited by scammers for initial network access; mentioned as threat vector
People
Danny Jenkins
CEO and co-founder of ThreatLocker; started company after ransomware recovery case in Australia; advocates deny-by-de...
Hunter Clark
Cybersecurity engineer at ARK Technology Consultants; implemented ThreatLocker and EDR at hospital; investigated thre...
Jack Rhysider
Host of Darknet Diaries podcast; conducted interviews and narrated episode stories
Quotes
"I don't mean to worry you, but something worrying is happening... they all end in the word dot Conti."
Manufacturing company technician; early in the incident narrative
"It stopped everything from running if you didn't allow it to run. It's as black and white as that."
Manufacturing company IT head; describing ThreatLocker's appeal
"Do you want to be the reason that this company gets hit again?"
Manufacturing company IT head; user compliance strategy
"I want to change the way the world thinks about security from default allow to default deny."
Danny Jenkins; ThreatLocker mission statement
"Malware and software are the same thing. They're literally written in the same languages, work the same way. The only difference is the intent at which it was created."
Danny Jenkins; security philosophy discussion
Full Transcript
Hello, hello! Today's a great day, isn't it? In this episode, I'm going to gush about ThreatLocker. Why? Well, currently they're my biggest sponsor, which makes them my favorite sponsor. But what I'm saying is that this whole episode is brought to you by ThreatLocker. But don't worry, I found some pretty great stories from them that I think you'll find interesting and educational. So, let's go! These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. Do you want to mention your name or company name, or do you want to keep that out? No, I'll keep that out. I'll keep that out. I guess that's just to do with the fact that we don't want people to know what we use. Yeah, I feel the same way. Everyone's asking me, like, what's your privacy stack? And I'm like, if I tell you, now you know exactly how to target me. Yeah, exactly. Okay, so the first question was, who are you and what do you do? Yeah, I can generalize. So I'm the group head of IT operations for a manufacturing company, and I look after the operational running of the IT across the business. We're a thousand-employee business operating across 17 different sites in the UK and Europe. I look after the security, cloud, operations, infrastructure, servers, client support, etc. Okay, you get the picture. This guy manages a huge network with a thousand employees, which probably means there's like 10,000 computers that are all up and operating. Picture a factory. No, picture lots of factories spread all over Europe. Yeah, we have distribution centers, offices, and big manufacturing sites. So, how's the network called now? Have you had any problems? I mean, right now we're in a good place. If you rewind back five years ago, we were in a very bad place. What happened? Well, unfortunately for me, I was actually on my way on holiday. So I was in the process of driving the family down to the south coast of the UK. And I got a phone call. And I remember the exact words.
One of my technicians said, I don't mean to worry you, but something worrying is happening. And I was like, okay, calm down and explain exactly what's happening. He was like, I've just had a ticket in where somebody's tried to go to some files and all the files are all renamed. And I was like, what do they say? He was like, they all end in the word dot Conti. I was like, oh no. Yikes. Conti is a type of ransomware. It's kind of more than that, actually. It's practically a full company that's in the business of ransomware. They're Russian-based and they build the ransomware, but then they have sort of an affiliate program where someone could use their ransomware and go infect a company, and then that person will get a cut of the money if the company pays a ransom. It's devastating and brutal to be hit with it. And this doesn't sound good at all. So I had to make phone calls, continue to drive the rest of the three hours remaining of my six-hour drive because I had my whole family with me, drop them off, then turn around and drive six hours back making furious phone calls the whole way. Yeah. Oh, my gosh. Is there a protocol? Is there a go-to runbook or something that, like, okay, if ransomware comes in, here's the button we hit? We've got to turn the network off as fast as we can or something to keep it from spreading. Do you have a procedure in place? We do now. We didn't then. A number of the people in my team had experienced situations like this, kind of, but not on the scale that we got here on this. And I know five years ago, it was a long time ago, and a lot of things have changed, and a lot of things that people are more aware of what to do and to have those sort of playbooks in place. And we had an element of, what do we do? And the first thing we reached for was, let's turn everything off. But too much turmoil was going on, making too many calls and trying to deal with everything.
And I just remember at one point, my senior infrastructure engineer just told everybody to shut up and give him five minutes to think, because everybody was just asking too many questions and we were trying to work out how we respond to this. Yeah, I imagine it's a really hard time to focus. So how bad did it spread, or how bad did it knock you out? Well, in the space of 15 minutes, it encrypted all 250 servers. And like I said, it hit about 350 endpoints as well. So the 250 servers, were those all Windows servers? Yes. Okay, so your whole infrastructure is down. Yep. Jeez, I mean, that sounds like business is going to stop. Yeah, and it did. It stopped at that very moment in time, and we assembled a team. I had a very nervous six-hour drive back, making loads of calls to everybody, trying to work out what's going on, work out which way to go, had to get people to sites. This was on a Friday evening, afternoon, around about quarter past four, that it happened, which is quite a common, um, tactic used, because people are just switching off on a Friday afternoon. And we pretty much just had to just turn everything off and then work out where we go from there, give ourselves some headspace to think, because it was just too quick. We just couldn't react to a 15-minute window. A lot of CISOs, CEOs reach out and they say, I would like to be a guest on your show. And I always say, well, only if we're going to talk about the worst day of your life. That's the kind of stuff I'm interested in. Would you say that this was the worst day of your life as far as career-wise goes?
I say that to everybody I talk to about it, which I don't actually like talking about, because taking myself back to that day, that sinking feeling in your stomach, it is absolutely the worst, most stressful situation I've been through in my career, hands down. I think I did 27 days straight after that. Yeah, I mean, you've got to even worry if your job is on the line here as well, because if you're the one in charge of this sort of stuff and now this is what's happened, are there people blaming you? Well, I mean, that's the first thing that comes into your head. Well, after you've tried to work out how to deal with everything, you think, am I going to get blamed for this? But then very quickly after that, you realize you've just got to focus on actually doing what you are paid to do. Because ultimately, you know, hackers and people that are trying to attack you are trying to attack you all the time. And it's a constant battle. Okay, so you drive back frantically, you arrive late night Friday. Do you go right to the office in the night? Yep. Wow. And then, so, okay, so, I mean, there's a lot of people out there, you know, armchair experts that are just like, well, you just restore from backup, like, what's the big deal? I mean, the problem with that is you don't know whether they're in the backups. You don't know whether they were already in your environment and they were just waiting for the right time to push the button, which we thoroughly believe they were. So what we focused on was stopping everything and then working out how. How did they get in? Where did they come from? What method did they use to actually spread and initiate the attack? Good point. It's like trying to set up dominoes when your cat is on the table. You want to get rid of the threat in the network before beginning to restore it. If you restore and the thing just reinfects you, that's a waste of effort. And maybe it'll show them where your backups are kept and infect those too.
So once we've worked that out, we then established a process to be able to check our backups, check each VM as we brought them back online. We established a protocol for rebuilding machines. We printed signs off at the doors of every office and told people where to go with their machines so that we could rebuild them. We kind of employed the whole red, amber, green process. What's the red, amber, green process? So every laptop until it's checked is considered red, then it goes into amber as it's being worked on, and green is good to go back to the user. Pretty simple. But it keeps it easy to manage, because you've got a small team, and I had a team of 10 of us at the time. And you're managing the throughput of upwards of 600 laptop users at multiple sites. So you need a process to check in, check out everything. Yeah, I mean, their devices were toast and you were just re-imaging them from a fresh image, right? Yeah, but we'd lost our imaging servers. So we had to rebuild them manually for a while, until the team that were dealing, my sort of sub-team that were dealing with the servers, were to the point where they were bringing the imaging servers back up. And then you've got users wanting to know what's going on, you've got middle management, senior management, board of directors, everybody wants to know what's going on. And that completely flusters the situation. So you can't understand, you can't get a clear head to actually focus on the task at hand. Yeah, I imagine there's a bunch of emotions to manage in this, which is stuff I don't think anyone talks about, right? You look at the CISSP manual and they don't explain, okay, well, you're in the middle of a breach situation. Here are the emotions you're dealing with and how to detect them and what to do about them. There's definitely moments where you kind of just sit there and you feel like maybe you can't actually do this. Maybe you can't get it back.
There's an element of shaky hand syndrome, and anybody can claim to be cool and calm until they're actually in the trenches with this situation. And it can really, there was a lot of team fighting and arguments and falling out and people popping under the pressure. It was a hell of a ride. When you say popping, what was some of the stuff you were seeing? Well, I had, like, a team member walk out because he didn't agree with a certain methodology to fix one thing, and another team member fall out with another team member, and arguments happening on meetings while we were trying to work out what's the best methodology to bring something back online or to grant somebody some slight access. Because I turned around to the business and said, look, I can get us back from backups in about five days. But if you really want the best solution, give me three weeks and we will build it back how it should have been done in the first place. What a proposal for leadership to decide on, huh? Business is down. There is no manufacturing happening, no shipping, no revenue coming in. And the question is, do we get business back up as fast as we can? Or, because those old systems are end of life and need to be replaced badly, take advantage of this outage and upgrade everything properly and build for the future? And of course, this incident is all that the business leadership can focus on. All other meetings and projects are canceled until business can come back up. Okay, so what path did they choose? Five days, three weeks, or somewhere in the middle? Three weeks. Really? They wanted the whole thing? I mean, that's an ambitious thing to say, I'll redo the entire infrastructure properly this time. Three weeks, they didn't mind being down for three weeks. Well, what I did was make sure that certain services came up as reasonably quickly as possible.
So email communications, and then focused on a major system here or a major system there, and slowly brought everything back on. But, you know, by getting some of those primary services back up and running, I was able to then get the headspace to concentrate on the other 80% of the business, and the business accepted that there would be some interruption in that process and they wouldn't necessarily get everything back. So a good example was, we didn't turn Wi-Fi back on until the very end of the three weeks. So nobody had Wi-Fi. That was to stop rogue devices turning up and undoing all our hard work. You know, what if there was still something running on a laptop that we hadn't got to or identified? Internet was shut down at every single site, and then we only, we kind of had, like, a board where you had every site and all the services and sort of, again, the red, amber, green of when we were ready to start bringing stuff back on. Ah, yeah, that's got to be the moment of truth, you know? When you flip the switch on and bring the network back up, are you sure every device got cleaned up? Because Conti is notorious for spreading quick. So if you bring the Wi-Fi up and there's just one device that's still infected, it will try to spread all over again. They really need a solution that could give them visibility and, crucially, be able to stop this from spreading again. We bought Malwarebytes, the enterprise platform version of Malwarebytes, and paid quite a lot of money for it. But quite quickly found that it wasn't really doing the job that we'd hoped. It was good as a helper, as an assistant to check machines for being clean, servers and whatnot, but it didn't really do everything. It was more of, in the traditional sense, a signature-based scanning tool more than it was anything else, and it found some registry entries and things. So then we started looking, well, what do we actually need to put in place? We need an endpoint solution, an actual proper EDR.
But we don't feel like that's good enough or going to protect us 100%. So we probably need something that's going to do application control, as in application whitelisting. So I reached out to a bunch of suppliers whilst at the sort of tail end of that three weeks and was like, can you find me something that does this? And one supplier actually said, oh, we use ThreatLocker in our environment ourselves. And so I jumped on a call and had a demo, looked at the software, and I was like, that's amazing. I need that right now. And that's where we discovered ThreatLocker. So what was amazing about it, then? It stopped everything from running if you didn't allow it to run. It's as black and white as that. Hmm, stops everything from running? Okay, let's think about that. You know the difference between a router and a firewall? They're both network devices. They look at the packet coming in, or the data going in, and then decide where it needs to go and then send that along. At their core, they're very similar. But there's a big difference. A router really, really, really wants to get all the packets to pass through it and on their way. But a firewall really, really wants to stop every packet from going through it. See, by default, a router permits everything, while a firewall will deny everything, which means the firewall acts as a security guard stopping everything it doesn't like, but the router acts like a public park: just anyone could come and go. And so you have to poke holes in the firewall if you want anything to get through it. So the question is, when you go to run an app or a game or anything on your computer, should it act like a router and just permit anything you try to open, or should it act like a firewall and say, hold on, buddy, you need a permission slip to open that? Traditionally, all our computers just do what we tell them to do, which makes sense. Open app. Okay, done. Because when you need to use an app, you obviously need to use it.
But the thing is, malware is tricky. It's sneaky. It's hiding. It's being quiet. But it's also opening and running and doing stuff without us seeing, all secretly in the background. So what ThreatLocker does is it says, okay, let's start by blocking every app from opening and running. But if you, the user, want to open something, just ask and we'll let you open it. We just want to block apps that you didn't try to open or apps that you don't actually need. And we figured, in a world where we've just been absolutely burnt to high hell, we need to stop everything running unless, of course, we allow it. Every single device, server, client, we needed to know that it was not going to run anything that we did not want it to run. And our supplier was using it in their own environment, which is always a very good sign, when the person trying to sell it to you is also the person that is using it. And we were like, yep, how quickly can you get me the installers? So when you get ThreatLocker, it goes through a learning period where it just listens and allows everything. And from there, you get a sense of what apps everyone in the business is using. And so you add those apps to the allow list so business can continue, and then switch it over to secure mode, where if your app isn't on the allowed list, now it's going to be stopped from running. It just says no. And it comes up and says, it's been blocked by ThreatLocker. You can request it, and then when you request it, we have a portal where we can just say yes or no. And then there's a lot of tinkering with how you set up the policy, but we pretty much just say no to everything. And so how annoying is this to the users? You know, you imagine some people are just like, you can't run anything on this laptop, this is stupid. Do people complain a lot about it, or are they okay with it? Maybe they did originally. And I think even if they did complain, you've got such an easy card to pull out.
You could just be like, okay, back in 2020, let me tell you what happened. We cannot afford to have three weeks of outage again, because this is very serious stuff. I've used that so many times. And I turn around to the users and go, you can't have this piece of software. And they'll be like, why? And I was like, because it's open source. It allows plugins. We don't know whether it will be safe, and it could be exploited. And I'd say, do you want to be the reason that this company gets hit again? And just put it on them. Or if they escalate it to their director, okay, then I'll say to the director, do you want to be the person that authorized this software that takes the business down? And people back off really quick when you say that. Yeah. Okay. Okay, so since getting ThreatLocker, any big security incidents? No, but I don't like saying that, because I don't like tempting fate. Yeah, exactly right. But no, we haven't had anything. I hear you sighing like that. Yeah, I don't like saying it. Ransomware is the most successful business model cyber criminals have ever invented. The people infecting us with ransomware are making tens if not hundreds of millions of dollars by hacking into a company, locking up their data, and holding it for ransom. It's on the rise, even. Just last month, I heard it's more ugly than ever. It's also one of the most disruptive types of cyber attacks. When a company gets hit with it, it becomes a huge deal. Companies have gone out of business from ransomware. So I wanted to talk with someone who defends companies from this type of attack. My name's Hunter Clark. I'm one of the cybersecurity engineers at ARK Technology Consultants. My main focus is around endpoint security and how we can help organizations implement some of those zero trust principles in their organization. ARK is an MSSP, which is a managed security service provider, which means they take care of a bunch of people's networks.
A lot of businesses don't have a cybersecurity team to keep their networks safe, so they hire an MSSP who can keep an eye on everything and help keep it secure. And one of the networks he was put in charge of securing was a hospital. Yeah, there's a lot of servers in the environment that run applications that are critical, like imaging software, solutions that the doctors leverage to diagnose patients. A lot of it runs on servers. So those are typically what we try to secure. So he took a look at this hospital's network, and it didn't have very sophisticated security tools. So he and his team brought in ThreatLocker, installed it on all the servers and computers, went through the learning process of what apps are normal in the network, and then locked it down so no new apps could run. Along with that, they installed an EDR, an endpoint detection and response tool, to monitor for suspicious activity. And then they suggested adding multi-factor authentication, or MFA, on all the internet-facing portals and computers. But the hospital said no. They didn't have the budget for implementing MFA. They didn't want to have to train users on how to use it, doctors complaining about having to use MFA. So they did not have MFA. Okay, well, if they don't have the budget, they don't have the budget. You do what you do to protect them with what you've got. But late one night, something happened. The incident originated, obviously, in the middle of the night, as all incidents do. But we got a call from the EDR-MDR solution that we were using, that there was someone in the environment. And this is something that people should consider, is that not all MDR solutions are created equal. Some of them will pull the fire alarm, but not help you put out the fire. Right. So they'll let you know something's going on, but not necessarily step in to stop it until they're able to get a hold of you. And in this case, you know, it happened at 3 a.m.
And there, you know, we received the detections that something was going on. And we were able to then, early the next day, 5 a.m., 6 a.m., whenever we got up, start investigating what had actually happened. And that was when, as part of that investigation, we started looking into ThreatLocker logs to see, okay, what actually, what did the threat actor try to do? What user account was likely compromised? Seeing the threat actor bounce around to different servers. And that's when we saw that ThreatLocker had blocked the solutions that the threat actor had planned on leveraging, such as AnyDesk and Rclone. Someone got into the network, gained access to a Windows server, tried to infect it with ransomware, but ThreatLocker denied it. Nice. Okay, but how did they get in? The threat actor had bought credentials off the dark web for a domain administrator account for the environment and was able to just remote in through the VPN, and had full domain admin rights across the environment. Ah, that darn VPN. I mean, VPNs are great. It allows you to connect securely into a company from home or on the go. They are essential, even. But they also are exposed to the internet. They're a portal into a company's network. But that's something that should be super secure, since it is out on the internet. But in this case, all that was needed to get into this hospital's VPN was a username and password, which happened to be for sale on the dark web. How wild is that? A username and password is not good enough to keep people out anymore. One of the questions that came up was, would MFA have prevented this event from happening? And it was a pretty clear yes, that if MFA had been implemented, then at least for that initial access, the threat actor would have had to find a different way in than through the VPN. Anyway, this is why there's defense in depth. You want layered security so that there are multiple places that should have stopped this attacker.
And they were lucky that they had ThreatLocker to stop this. But this attacker was clever and motivated. And even though they were stopped, they weren't done yet. This hospital system used to be made up of multiple different hospital locations. A few of them had been sold off, but they still needed to maintain VPN tunnels between the sites because of certain application dependencies that the hospitals hadn't had time to build in their own environment. So because of those VPN connections, to the threat actor it looked like it was just one network, right? It probably looked to them like it was just one big connected network. But really, they ended up bouncing to a different hospital system that was not a customer of ours, that obviously did not have ThreatLocker in the environment, and was able to deploy what they needed on those devices. Oh no, they bounced from this hospital to another hospital that was connected internally and were able to do damage there. The threat actor ultimately reached out later that week saying, hey, we've compromised your environment, we have terabytes of data. And they wanted the hospital to pay hundreds of thousands of dollars in ransom to get it back. Whenever this happens, the company, if they have cyber insurance, they should read their cyber insurance, because it probably says in there that in the event of an incident, you need to call us, because we have incident response companies that we trust that we want to have involved in this. So that's what happened. And as part of that cyber insurance, there's also usually some sort of service that will negotiate on your behalf with the threat actor to try to get that ransom cost dropped as much as possible. So with the knowledge that we had of what ThreatLocker was able to see, they were able, I know, to drop it by quite a bit.
I don't know exactly the number it dropped, but I'd heard that they were able to negotiate pretty effectively, because they knew what the threat actor actually had been able to get to. Okay, so they lowered the ransom and then they paid the ransom? Yeah, this hospital system did end up paying the ransom. The hospital was able to ask the threat actor, hey, how can we improve? How can we get better? What should we be doing? And the threat actor responded, saying that they quickly realized that ThreatLocker was on the Windows devices, so they knew that they wouldn't be able to use those for the purposes that they intended, and they began to pivot to other locations in the environment that did not have ThreatLocker. Tell us who you are and what do you do? So I'm Danny Jenkins. I'm CEO and co-founder of ThreatLocker. But what I do is really build solutions and educate the world on how denying by default is the best way to address security. And it doesn't have to be difficult. So you started ThreatLocker. How did all this get started for you? The first thing is, I wanted to do something fun, and I started doing some ethical hacking. I ended up doing more ransomware recoveries than ethical hacking, to be honest, because people were calling me and I wanted to make money. So they'd say, hey, I've been hit by ransomware, can you help with this recovery? We paid a ransom. And there was this particular case in Australia, which was the first one I dealt with. It was an insurance broker, so about a 50-employee insurance company. And I got called in by the MSP, the managed IT company, to help with the recovery. And I came in and they'd paid this $22,000 ransom and they hadn't got their data back. So they'd got some keys, but the keys didn't work. They weren't decrypting the files. Their Exchange database was encrypted. Their SQL database was encrypted. Everything was encrypted and broken. And they'd asked me to come in.
So we start trying to reverse engineer the code, see if the decryption keys are in the code, try to use low-level data recovery tools to get things from the disk that had been deleted or written over for encryption. We're recovering from OST files, email databases. We're trying everything we can to get this company back up and running. And during the recovery, the owner of the company called me and he got quite, first he got quite mad. He was like, when's this going to be done? I've been waiting two weeks and I still have my servers up and running. And he's getting quite mad. And I was like, look, you need to be realistic here. I'm trying to recover your files, but you have everything encrypted. You have no backups. You've paid a ransom. You didn't get your data back. And I don't know if it's going to be back. And we're doing everything we can to make sure you can get your data back. And it then turned into quite an emotional call and his voice started crackling. He started almost crying down the phone. And I got really awkward at that point because I really didn't know what to say. And to me, this was different because every other cyber, I call it cyber attack I dealt with, every other malware attack I dealt with, because prior to 2014, most malware attacks were really just IT issues. It was, you know, you're getting adverts, someone sending email out from your server. It'd been an IT problem. IT needs to fix the server because we're sending spam emails. IT needs to fix the computer because it's getting pop-ups. The worst I'd seen before that was someone crying because they saw an inappropriate picture. And what I did was, it suddenly hit home. 
that this is a real problem and this guy's going to lose his entire business, and he's close to retirement age, because somebody decided to download a piece of software. And I didn't at that point think, I'm going to go start a company to solve this. What I said to the IT team, and what I said to him after we were done and we managed to recover enough, was, you need to use application control, you need to block software by default. And he said to me, okay, well, I'm going to go and do that. And then the IT team told him that Danny's stupid, don't listen to him, that's not viable, we can't do that. And I went out to prove him wrong. And I couldn't prove him wrong, the IT team. And that was really when the first time we said, well, let's try and build something to prove him wrong. And I kind of went back and forth on this idea quite a bit, because it wasn't an easy lift to build a solution for this. But we had to, it was really, in 2017, we had a product, we had a concept product. And I still wasn't sure this was the right thing to do, because we knew, in order to make zero trust viable... And today we've got 70,000 companies that use our product, from small businesses right up to some of the biggest companies in the world: federal government, airports, banks, everything. But back then I was like, I need to make this so it's viable for everyone. I need to make it so we can deploy application control, we can block software by default, we can ring fence applications and make it so you can deploy it in hours and days, not months and years. And I wasn't sure that it was going to be viable without me hiring hundreds, well, I ended up hiring hundreds and hundreds of people. But I think in 2017, my mindset shifted because before 2017, I was thinking about building a business that 1% of the world would sign up to. After 2017, I made the decision, we don't want 1% of the world, we want to change the markets, and 90% of the world are using a zero-trust approach. Okay. So you coded it at the beginning?
You built it? Yeah. So I coded the first version, and there's four parts of ThreatLocker, if you like. There's a service, there's a driver, there's a portal, and there's an API. That's the four original components of ThreatLocker. And I wrote an entire version of it. And I wasn't so good at the driver stuff. I caused a lot of blue screens. So we ended up bringing, at the very beginning, I wrote the whole thing, and then I got somebody else to come and rewrite my driver code because, frankly, it just wasn't very good. And since then, that's probably been one of the best decisions we made. And today, of course, we've got 250 people in our R&D department. Back then, it was just me writing code and Sammy and John testing and deploying. Can you tell me about the first network you installed it on? Well, so I guess that we obviously installed it on our own machines. I think the first network outside of our own that we installed ThreatLocker on was actually my kids' school. And they had a problem as well. We were looking after our kids' school IT. We were getting very actively involved because we couldn't afford private school for our kids at the time. And we were getting essentially help with scholarships because we were helping them with the IT systems and everything else. And they were getting malware every single day. It was like a complete nightmare. And we pushed it out to them. Now, it was very difficult and somewhat unstable in many areas because there were things we didn't even think about and we were seeing a lot of noise. But they went from malware every day to never since. And still today, they're using the product. And my kids aren't in the school anymore, but our chief product officer's kids are actually in the school now. And their IT management went down from full time to a couple of hours a month because these systems became very stable, very easy. Deny all apps by default seems like a radical idea.
Like to block everything seems like it's going to halt productivity. Radical depends on where you start. And if you start in a situation where my network is running smoothly and I'm very happy, you would never approach with that idea. You'd approach with the idea, we're going to learn what we have, we're going to review the list and remove the things from the list we don't want. Whereas if you start with the situation that I've been hit by ransomware, attackers are in my network, the alternative is you shut down the entire network. Or the plus side is you allow the network to run, but you only allow these trusted apps. And then every time someone wants something, they request it for the first time, we add it to the list. And it doesn't seem so extreme now, because the alternative is the whole network shut down until we've reformatted every single computer and guaranteed that nothing's bad on it. So it really depends where you start. For 90% of customers, they're starting from a clean slate. So they'll learn and they'll remove the things from the list they didn't know about. For the other side of the customers who are starting from, hey, we've already been hacked, it's not extreme to say, hey, everything's blocked until we've approved it. And it's also not that difficult because most people think, well, what about all the software we don't know about? But the average user uses 10, 20, 30 apps on their machine. And it's Chrome, Zoom, Office, Firefox, and then they have an SAP system or whatever that may be. So it really doesn't take long, even when you're dealing with a response. I mean, you never want to be doing it from response. But even when you're not in learning mode and you say, if you need something, hit request, we'll review it and we'll approve or deny it. It's still not the end of the world because that's a lot better than where you were, where ransomware is actively running in our environment.
The traditional way we would secure networks was kind of like a castle and moat type of system. Everyone inside the castle wall was trusted. They could go anywhere, do anything. And then you put up this giant gate and moat around the whole thing, keeping everyone out that you don't want in. But the problem with this is that if someone does sneak in, well, now they've got access to everything. There's nothing to stop them once they're in. If an employee turns rogue or clicks on a phishing link and gets infected, that employee's computer can go anywhere and do anything. So the new way people are securing networks today is called zero trust. And that simply means to verify everything. No longer is everyone on the inside trusted by default. They're now given the least amount of privileges to do what they need to do. And tools like ThreatLocker are great for implementing zero trust, since you can see and lock down any and all activity in the network very easily and quickly. So in the world of zero trust, you essentially grant access where access is required. Everyone thinks it means no. It doesn't mean no. It means if you're the finance director and you need access to all of the financials, we're going to give you access to the financials because that's your job. If you need to be able to upload those financials to the internet, we're going to allow you to upload those financials to the internet because that's part of your job and requirements. So in the world of zero trust, it's not about no. It's about if you need it for your job, we will grant that permission. In the world of detection and response, you're saying if I detect an anomaly or something suspicious, I'm going to block and respond to that anomaly or something suspicious. But if we don't detect something suspicious, we're just going to allow it. So in the world of detection and response, everyone can access the financials. In the world of zero trust, only the people that need to. 
What is your mission, or what is ThreatLocker's mission, or what are you trying to change in the world? So it's very simple. I want to change the way the world thinks about security, from default allow to default deny. So rather than going into a computer and saying I'm allowed access to everything until someone's decided it's bad for me to access this, which is how most security works right now on endpoints, I want to change it. So I go in and I need to access everything I need to do my job, and everything else is denied until somebody's decided and granted me that permission. That's our mission as a company. It's been our mission since the beginning. We attend over a thousand trade shows, or ThreatLocker's attended over a thousand trade shows this year. We host Zero Trust World. And the reason we do this is education. I think I did 120 trips this year, and I will do local events, we'll do Zero Trust World, I'll go to Black Hat, to RSA, to Gartner events, and it's about educating people why this is so important, but also how it's not difficult, because people think it's going to take them months and years, and I've onboarded people in hours. I mean, ideally we want to do it over a week so we can do a nice learning baseline, but it's very easy to do. It's very effective to do. And so my mission is to make sure people understand why this is so important and then also educate them how it can be done. Yeah, so educate me, educate us. So you say deny by default. Could you explain why that's so important, or even pick another topic and say this is what else is important to me? Okay, so deny by default is so important because think about this. If we go back, we've never, as a world, we've never been very good at stopping viruses. Let's face it, we go back to 2000, 2001, we had the love bug virus. It infected a third of the world's business computers. Now that virus said, I love you, and emailed your friends and said, I love you. So it wasn't the end of the world.
We had the blaster virus after that. All of these times we had antivirus. We were denying by exception. We were allowing by default and denying by exception. And we weren't very good at doing that. In 2007, 2008, we started seeing botnets, emails being sent out. Again, people were getting malware all the time. They were sending the spam emails. They were getting pop-ups. But it was a problem, and it was an IT problem. Switched to 2014, we start seeing malware that actually encrypts files and takes down businesses. Malware and software are the same thing. They're literally written in the same languages, work the same way. The only difference is the intent at which it was created. So every piece of software you run on your computer, whether it's Angry Birds or Logitech support app or Microsoft Office or Google Chrome, or a piece of ransomware can see all of the files that the user who runs it can see. So you don't have to be an admin. If you're a finance director, if you're in sales, it can see all of your files. So if you were to say, I want to deny software by default and only allow software that's been approved by the company, what you end up with is a situation where you're no longer just relying on, am I going to detect the latest threat? But you're now saying, I'm going to block everything. It doesn't matter if I detect it, because if the software isn't approved by the business, it's not allowed to run. And that is so efficient at stopping ransomware, malware, but also things like TeamViewer remote access tools, which are often used by scammers to gain initial access to your network. This is great. Keep going. Tell us more about how to secure a network. Every security, or mostly, most security attacks can be stopped with one of three methods. The people, detection, and controls. And the first one is through people. But the first example I'll give you is phishing. 
In the event that someone wants to phish you or someone in your company, they're going to send an email to you or a text message, whatever it may be. As a user, you have the power to stop that attack immediately in its tracks by not clicking on the link, not putting your credentials in. The attack is gone if you don't do that. So that's method one. The people don't make the mistakes, don't click on the phishing links, don't give somebody access to their machine. The second method is to detect a threat. And this is where we look at phishing, this is where we'll say, is this a known bad website? Does it exhibit signs that it's a phishing attack? And again, detection is not a guarantee because the website might just be spun up. Attackers will switch the website out, use techniques. It's brand new. You don't know it's a bad website. But it's a method. If you manage to detect it and you can block that phishing link from being used, the threat is neutralized. The third way is the idea of controls. And controls are where zero trust really fits in. And this is the most simple way. And this is where you say, well, I'm going to turn on things like dual-factor authentication. I'm going to turn on things like IP restrictions so it can only be accessed from one of our known IP addresses. And when you do this, you basically say that I accept my user might click on the link and give the person, the attacker, my password or their password. I accept that my email security may not detect the phishing email, but I won't accept that they can still get into my machine. So what I'm going to do in addition to this, I'm going to restrict which IP addresses can log into my Microsoft Office tenant to only the IP addresses of my devices. And I'm also going to enforce dual-factor authentication, so the password by itself isn't allowed. They're going to have to have the user's physical device.
As an IT or security professional, the controls are the only thing that you actually can control. You can't control, you can train your users, but users are going to make mistakes. People are going to make mistakes all the time. You can buy detection, but detection can't tell the intent if it's new, if it's unknown. But you can control whether, if someone puts their password in, somebody will be able to get into your system. So that's the first example of where that's really important. The second example is when we think about malware. I can put an antivirus on a machine and say, if you download known malware, block this known malware from running. And Windows Defender comes shipped with every machine, and sometimes it blocks the malware, sometimes it doesn't. I can tell my users to never download attachments, don't open things that you don't know where their source is. And if the user doesn't do it, the threat is foiled. But I cannot guarantee either of those two are going to apply. If I block untrusted software by default, if one and two fail, three is always going to be successful. And this is where security has to be. And if we go back to even the 80s and the 90s, we didn't used to have firewalls on our network. We didn't used to have firewalls on our computers. Windows didn't have a firewall built in until Windows XP. And we'd get constant malware and then Microsoft would patch it and then we'd get malware again and Microsoft would patch it. But Microsoft released a firewall on the computer and suddenly malware from the user dialing up to the internet or connecting to a broadband connection vanished. And it became people downloading malware, because they implemented a we-deny-network-traffic-by-default policy. That's how all security should operate. Do you have any statistics that you can tell me that tells me that ThreatLocker is effective?
I mean, when I go to the doctor and they give me medicine to prevent an illness, I don't know if it actually prevented the illness because I can't tell if I got ill and the medicine fixed it, right? So if ThreatLocker is here to prevent ransomware, how do I know it worked? So I will tell you, you know, so I've got 70,000 roughly companies that use ThreatLocker. And I think the best one is my kids' school. 70,000 companies that use ThreatLocker, from small businesses through MSPs right up to large, some of the biggest software companies, banks, financial companies, hospitals, airports in the world. So it really is a mass scale. Not a lot of them go through MSP. So you take an MSP, they have 100 small businesses, they'll manage it. I have never had a customer with a ransomware case that wasn't ignoring obvious signs. So like we will send a report saying you have your machines in monitor-only mode. And the bottom line is, and there's no such thing as unhackable. But the only way somebody, if you go out and you install network control and you close ports and you stop untrusted software and you stop PowerShell accessing things, nothing's impossible, but it's almost impossible to get through that. And if I look at those 70,000 businesses, I'm tracking about 125 ransomware cases on them. And in every single one of them, their machines were not secured. Or the other one we see is where they didn't have, they had open ports on their hypervisor and someone got in, they shut down the VMs and put them in safe mode or something like that. But if they followed the policies that they followed, we're going to stop untrusted software, we're going to close ports and only allow them to trusted devices. I have never seen a case where somebody gained access to a machine. ThreatLocker is hiring, but beware, they'll tell you in the interview that it's the hardest job you'll ever have.
Yeah, I mean, every person that we hire, we make sure that they're aware this is going to be one of the hardest jobs I've ever had. And because I try and always say to our, I make sure everyone in the company knows, we are not supporting a software product. We are supporting a hospital, an airport, a government agency, a local business. And when someone calls in and they're having a problem, and the thing is about what we're doing is we often, I would say 70 to 80% of our support tickets have nothing to do with us. And the reason people call us first is because if you say, well, I've got an EDR and I've got a zero trust endpoint security product, and suddenly one piece of my dental software is not working. It's very, very easy for you to say, well, assume it's to do with zero trust. Always. Like I've spent literally four hours proving and diagnosing and working with a competitor of ours on the EDR space to say, look, you have a problem here with your software. We'll uninstall ThreatLocker. We'll show them the issue is still happening. And then we'll actually go in with a vendor and say, you've got a problem with your software here. And because I think it's easy to assume that Zero Trust is the problem, but most of the time it isn't. But you've got this culture change which you're trying to change. So people have to know it's hard. But I think it's also incredibly rewarding. I think what we do is there's nothing better than a feeling that we just stopped a major ransomware attack. My door never gets closed. My phone is never turned off. And I always say to anyone, if you can't fix a customer issue and you can't get someone else to help you, go over to the development department, go over to your peers. But also, at the end of the day, if it's 2 a.m. in the morning and it's not working, come and call me. 
Like call me, call Sammy, who's our other co-founder, and like call and say, hey, I've got a customer on the phone and they're saying that something's wrong and something's getting blocked and it shouldn't be. And they don't understand it. I don't understand why. And I can't find anyone else. It's like, well, let's see what's wrong. Because I think it's important for everyone to know that we're willing to take a phone call at 2 a.m. in the morning if it solves the customer issue. And how many phone calls do you get a month during your sleep? Probably six or seven. Jeez, I hope you get paid overtime for that. Yeah, but I think it's, we have a 24-hour, we have customers in Australia, we have offices in Australia, in Dubai, in Dublin, we have staff in 11 different countries, we have customers all over the world. I think it's more important that we solve the issue for the customer, and that's the bottom line. Thank you so much to our guests and especially Danny Jenkins from ThreatLocker. To learn more about them or to get a free trial, visit ThreatLocker.com. The show is made by me, the real SQL shady, Jack Rhysider, mixing by Proximity Sound, and our theme music is by the mysterious Breakmaster Cylinder. I got tired of forgetting my password. So I just changed it to the word incorrect. And whenever I go and I type in the wrong one, the website always says, your password is incorrect. And I'm like, oh yeah, thanks for the reminder. This is Darknet Diaries.