Cyber Crime Junkies

BEHIND SCENES of REAL Data Breach Response

Cyber Crime Junkies. Host David Mauro. Season 7 Episode 53


Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 


🔥New Special Offers! 🔥

  1. Remove Your Private Data Online Risk Free Today. Try Optery Risk Free. Protect your privacy and remove your data from data brokers and more.
    🔥No risk.🔥Sign up here https://get.optery.com/DMauro-CyberCrimeJunkies
  2. 🔥Want to Try AI Translation, Audio Reader & Voice Cloning? Try Eleven Labs Today 🔥 Want a Translator, Audio Reader, or prefer a Custom AI Agent for your organization? Highest quality we found anywhere. You can try Eleven Labs here risk free: https://try.elevenlabs.io/gla58o32c6hq

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Dive Deeper:
🔗 Website: https://cybercrimejunkies.com

Engage with us on Socials:

✅ LinkedIn: https://www.linkedin.com/in/daviddmauro/
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

What really happens during a cyber attack?
Not the Hollywood version — the real one. The kind businesses experience every single day when a single compromised password, phishing email, or zero-day vulnerability ignites a full-scale crisis.

In this full episode, we take you inside the anatomy of a real data breach with digital first responders from NetGain Technologies — the cybersecurity professionals who live inside ransomware events, Business Email Compromise (BEC) incidents, and wire-fraud attacks every week.

You’ll see how attacks start, how fast they spread, what attackers do once they’re inside your email, and the exact steps that decide whether a company recovers… or collapses.

What You’ll Learn:
• How a phishing email turns into credential theft and internal compromise
• Why Business Email Compromise (BEC) is now the #2 most expensive breach type
• The tricks attackers use to hide inside inboxes and impersonate executives
• How wire transfer fraud really happens — and how the 2-person rule stops it
• What zero-days look like in the wild (and why patches aren’t enough)
• The role of MFA, phishing-resistant MFA, email controls, and layered security
• Why backups must be immutable, air-gapped, and isolated
• How incident response teams contain malware without destroying evidence
• When to call cyber insurance, law enforcement, and breach counsel
• The IR playbook: detection → containment → communication → forensics → recovery
• Why every business — no matter how small — IS a target

Who This Episode Is For:
• SMB and mid-market leaders
• IT & security teams
• Finance teams approving payments or vendor updates
• Healthcare, manufacturing, finance, and public-sector organizations
• Anyone who wants to understand how modern cybercrime actually works

This is the clarity most organizations only get after a catastrophic incident.
Watch now, get ahead, and protect your business before attackers make you their next case study.


⌚ CHAPTERS
00:00 – Intro: What BEC Really Looks Like Today
03:42 – How One Email Starts the Attack Chain
11:20 – Why Finance Teams Are Target #1
19:05 – The Social Engineering Playbook
27:48 – Live Breakdown of a Real BEC Incident
38:22 – What Happens During Wire Fraud Recovery
46:10 – Technical Controls That Actually Work
55:36 – How to Build a No-Nonsense IR Plan
1:04:12 – Employee Training That Changes Behavior
1:12:40 – Q&A: What Most Businesses Get Wrong
1:22:50 – Final Takeaways & Next Steps

Speaker 1 (00:13.646)
You know, most people think that a data breach occurs from some kid in a hoodie, some hacker living in his mom's basement, eating Hot Pockets, drinking Red Bull, using advanced code. Well, it isn't. These days, it's a sign of the times that it usually happens like this. An employee, even a good employee,

reuses passwords. Those credentials wind up for sale on the dark web. Or they save their passwords into a browser and those browser cookies get sold on the dark web, just like Amazon. Or a single phishing email or text or Teams or Slack chat that looks completely normal,

from someone you trust, from someone you think you know, sent to the exact person at the right time, who can unlock sensitive data, approve payments, or maybe even hire you. Today we're taking a behind-the-scenes look at a true ransomware attack,

and we're going to explain, in plain terms, what the FBI calls business email compromise, the kind that drains bank accounts, cripples operations and blindsides organizations that thought that they were too small to be targeted. If you want to see how cybercrime actually works, what attackers actually look for and how to stop this,

then stay with me. It's going to be something that most organizations only find out after it's too late. This is Cybercrime Junkies, and now the show.

Speaker 1 (02:25.28)
Every 11 seconds, another organization falls victim to a cyber attack here in the United States. Sometimes it's a complete shutdown of production and other times, like in healthcare, it can kill. Today, we're more dependent on the technology that we use than ever before in human history. We've gone away from the kinetic physical processes and operations that we used to have. When cyber attacks hit,

they're much more devastating than they were even five to 10 years ago. But what really happens behind the scenes when that attack gets detected? When alerts hit the screen and the clock starts ticking. Today we're pulling back the curtain on the anatomy of a compromise, how it starts, how it spreads. And we're gonna hear from digital first responders like the cybersecurity leaders here at NetGain and how they jump into action and respond.

when every second counts.

With us today is Scott Logan and Braxton Moulton, experienced cybersecurity professionals who have lived through those incidents and helped businesses recover even stronger. Spoiler alert, planning ahead has never been more important. Let's get into what actually happens in those first chaotic moments after detection and how your organization can be ready before it's too late.

Speaker 2 (03:59.672)
Let's hop right in and start by defining terms about security compromises. Will you walk us through the difference between a security event, an incident, and a full-blown breach, and tell us why those distinctions matter?

You want me to get started on that?

You wanna call us out? Ashley? Like Scott? Blah blah or... Or just open it.

or would you just like a-

Speaker 1 (04:37.486)
Makes sense.

You're muted, actually.

Just hop right in with it. Okay. Go ahead, big.

So here on the slide, we've got a few different definitions for things. To be clear, when we talk about incident response, the terms and definitions can vary, and they can vary based off of what the business needs. But this is just a general idea. So typically when we're looking at, you know, a potential security event, we're looking at just something that's unusual, something that we're not used to seeing inside the environment. Typically, you know, we have a pretty good idea of what the normal day to day is

in our environment. So anytime that we see something that kind of raises an eyebrow or piques our interest, that's something that we know we understand that we need to be a little bit more discerning to that. That can escalate. It can become what is commonly referred to as a security incident, where that security event or that something unusual has led to a material impact to security or operations.

Speaker 3 (05:44.674)
The potential security of accounts is compromised. The potential operations for the business is impacted in some way. Maybe it's a minimal impact. Maybe something is completely down, some critical service that you can't provide. And then there is like the dreaded breach. The thing that people don't want to experience, vendors don't want to experience. This is like an unauthorized disclosure of information or unauthorized access to data. Because at the end of the day, that's what cybersecurity and a lot of

compliance regulations are all about is how we're protecting specifically the data and the controls that surround that data and how we're limiting that potential access or disclosure.

Now these terms should be something that is common throughout your incident response planning. It helps you from reacting or overreacting to situations until they have been confirmed. So having these types of definitions really puts an organization to your incident response planning.

Speaker 2 (06:48.95)
Have you seen times when mixing up these terms slowed down the response?

Not the response, I mean. I think ideally you want your response to be pretty standard. You want it to be as close to real time as possible. That's why we've seen, you know, the advent of SOCs, why we've seen the advent of machine learning that can immediately pick out these newer attacks as they happen. You want to be notified as soon as, you know, as close to the point of genesis as possible. That's why we see these tools. But what I have seen is,

you know, misdiagnosing the, you know, the impact of a security event, an incident, or a breach has kind of undermined the whole point of having an incident response plan, which is ensuring that, you know, you have a proper procedure and process to follow through on certain types of events or incidents or breaches, and ensuring that you have a timely response to those things and that you can do it while limiting the overall impact of one of these

occurrences. So when you misdiagnose them, the impact and scale of the action that you take can be way, way beyond the proportion of what's actually happening.

If you look at it like in manufacturing on a production line for an employee to pull the line to stop production causes an enormous amount of financial loss to the business while production is stopped. So it requires a major incident for the decision made to pull that rope and stop that line. This is the same type of thing. When do we take it to the next level?

Speaker 2 (08:36.14)
When does an event need to be elevated to an incident? When does a breach need to be identified? We don't want to pull the rope and stop production because somebody reports a phish. We want to verify what's going on in the actual incident to make the determination of action.

That makes sense. Anything to add David?

No, I mean, I think it seems like not all incidents are equal, right? Like there are some that occur and you alert and you guys seem to know right away, this one seems to be escalating very quickly and we need to address it right away. Other ones take a little bit more research. Is that fair? Yeah.

That's fair.

Speaker 2 (09:28.686)
So we will dive into the impact of a compromise and we're going to touch on our business email compromise here.

Yeah, so research shows about a 30% increase in BEC attacks, business email compromise attacks. These are attacks that come from outside an organization where they're impersonating either a trusted vendor or one of the employees. Just in this last year alone, that's a pretty significant increase. And they're now the second most expensive breach type, according to recent reports, averaging $4.89 million.

So how do you guys define business email compromise attacks? Like how are they, how do they get defined and what are they? What's driving that, that increased cost? Start with you Braxton.

Well, I mean, we define business email compromises as to whether or not there was an account within, for example, a business's Office 365 tenant that had their credentials leaked and someone has access to that account that is not the proper owner of the account. Any time that that happens, it's pretty, you know, cut and dried that that's a business email compromise. Understanding the impact of it is more difficult. So...

Speaker 3 (10:54.104)
The moment that that happens, someone inside the account can do a wealth of things. They can start reading emails, they can start accessing files. Sticking to the example of Office 365, they might have SharePoint access and access to the files that are in there. You have to understand them. You have to, there's a bit of time that has to go into understanding what all was done while the...

the bad actor was inside the account, understanding what types of data that they accessed, the sensitivity of the data, and whether or not you have regulations behind if you have to report that type of data. And the actions, other actions that the bad actor might have taken while they were inside that account, different types of phishing emails that they might have sent, additional malicious payloads that they might have sent to vendors or to just people internally.

You can see the list kind of goes on. That understanding of specifically, like, financial impact varies. The fact that it can spread so quickly is why we see these types of inflated financial impacts.

Makes sense, because it's connected to other systems, right? And oftentimes, I think you and I have discussed in the past how we've seen they can change inbox rules and mailbox rules and things like that, right? So that people wouldn't see legitimate emails, and then the attacker would see them and then impersonate or act like that trusted vendor or that employee. Brutal. Yeah.

Any other insights, Scott?

Speaker 2 (12:39.884)
Well, I mean, you know, businesses through a BEC could potentially be looking at financial loss or at least financial information compromise. They could be looking at or dealing with fraudulent wire transfers and unauthorized payments that are occurring. There could even be costs associated to what the incident response is going to be, or any legal fees associated to it, or regulatory fines. All these things probably associate back to reputational damage.

And that's a very difficult thing to put a price tag on. So it's no surprise to me that the dollar amounts associated to these types of attacks are so high. Even the amount of protection that businesses try to leverage to be protective against a BEC costs money. Social awareness training, other things that businesses try to deploy to help, you know, avoid these types of events cost money.

So this is not surprising.

Speaker 1 (13:44.074)
Excellent. Ashley, did you have any follow-up?

Yeah, with 40% of those BEC phishing emails being AI generated, how do you see that affecting things? I mean, we're getting a lot more of them because they're quicker to create.

There's not a lot of skill that's typically involved with a phishing email. It's the easiest or the lowest floor in terms of the skill that you need to enact one of these attacks. Some of the markers that we used to look for in potential phishing emails like bad grammar, just the way that if you're trying to pose as somebody, even their cadence and how they...

compose an email and how, you know, their vocabulary, all that can be off. Those are things that can kind of signal alarms to you. But with like the advent of, you know, these language models and AI that are able to do like quick analysis on, you know, previously sent emails or just to compose a phishing email in general, you don't have those obstacles and roadblocks anymore. So it just makes it more difficult for end users to be more discerning.

and cautious with the potential phishing emails that they may or may not receive.

Speaker 2 (15:05.71)
If you could implement just one control tomorrow to cut the risk of business email compromise dramatically, what would it be?

I've got one in mind, Scott.

God

probably focus on advanced detection platforms, things that can actually detect through behavioral analytics, whether something that's going on in the enterprise that may be an AI driven type of attack. Having

the protection of a multi-factor authentication to the user so that there's a second leg of authentication. So even if the user does get compromised associated to the initial attack, that the attacker would not have that second leg, that multi-factor piece in order to be able to actually execute the infection. So those are a couple of things I put my focus on.

Speaker 3 (16:03.96)
that I was.

I would actually, I would also add onto that. MFA is great. You can have MFA, you should have it. If you have the choice, you should really, I would suggest actually focusing on phishing resistant MFA. So some of the vulnerabilities behind MFA where you're using SMS is like a text message or a one-time passcode where you receive that on your phone or you receive that to email. It's vulnerable to man in the middle attacks. So if someone's already in your email and they try to log into something else and you're getting a passcode, you know,

to that email.

that email, well, they've got it, that didn't help you at all. But like phishing-resistant MFA is like, for example, like a hardware token. There's an example, but you keep the key, something on a USB that you have to have with you. Only you have it, only you have the ability to get it, or

happening inside to like the device that you're logging in on. So you have to be in a specific location on a specific device so that if there is a bad actor like across the globe, they're not on that device. So that's another form of MFA that is protected through that.

Speaker 2 (17:06.968)
Yeah. I am talking multifactor authentication. That's correct. Compromises are becoming very common associated to a BEC event.

And what about authenticator apps that are logged in from a mobile device? Are those considered phishing resistant?

There is this thing called token theft. So it does depend. You have to do some research based off of, like, the app that you're using. Like, I think Duo is like a FIDO-recommended passkey where that cryptographic exchange that's performed is really only tied to your device. So there are other apps that don't necessarily have that function. So you would have to do your research depending on what you're looking at.

Got it. Excellent. Well, let's walk through an actual compromise. When we think about the different stages, stage one is that initial awareness, right? Suspicious email comes in. What happens when that first phishing email lands? And you know, granted, there's a lot of attacks that have multiple channels, right? Whether it's

a text, a vishing, whatever. We're really just for sake of conversation, we're just talking about a phishing email that lands because it's so common. How does your team decide whether it's just noise or the beginning of something more serious?

Speaker 1 (18:47.224)
Braxton, you wanna start?

Yes, I can unpack that a few different ways. So I'm trying to figure out how to that. I mean, if I really wanted to be like technical with you, David, I would say I don't know that a phishing email is ever noise. We need to take action on it in some degree, whether it's just removing it from the inbox, making sure it didn't go to other users and just removing it that way.

I figured you could, that's why.

Speaker 4 (19:05.61)
Okay, good point.

Speaker 3 (19:18.112)
Maybe, to make it more clear, I would rephrase the question as: how do we determine if this is just spam or noise, or a phishing email?

Got it. Let me rephrase the question. Hey, how do you determine whether an email that comes in is, let's say it looks funky. The user reports it to the IT team and your team sees it. How do you determine whether it's just spam or whether it's a calculated phishing?

Yeah, now we're getting somewhere. So there's some pretty common things that we would look for in a potential phishing email. Is it urgent? Does it, well, does it communicate the sense of urgency? Are you expecting it? Is there a call to action? So if you're not expecting it.

All right. Thank you.

Speaker 3 (20:10.594)
That's an indicator, right? I'm not expecting this invoice, this PDF invoice from this random person. This is not someone that I often communicate with. It's suddenly urgent. So now I've received some sort of highly important document that I'm not aware of, gets your anxiety going and they're claiming it's this really important thing that needs to be looked at right away. And then there's that call to action. Hey, can you look at this? Can you click this link? Can you sign off on this PDF and send it back to me? So on and so forth.

They're trying to make you more anxious that you need to look at something right away. Stop it, to trying to not get you to think about what it is that you're receiving and so on and so forth. All to make you do something. Input data, click the link, get access to your account, you know, what have you. Spam comes in a lot of different ways. You know, if you often shop at like JCPenney or something, you'll get coupons from them or whatever.

There isn't, you know, a whole lot of malice behind certain spam emails or solicitations like that. You might get emails from salespeople, you know, what have you. So you have to look for those types of signs and signals in what they're receiving in the email to really kind of help you narrow in on what types of action you need to take.

Makes sense. Okay. And then how important, you know, for it to get to your attention, how important is it that users see something and say something like the importance of user reporting?

No, no, yeah, I mean...

Speaker 2 (21:46.594)
That's the first step, right? I mean, users are your first line of defense. They have to have the proper training and understanding to make the recognition of a potential threat in order to bring it to our attention. The more that they are empowered to be preventive, the stronger your defenses are. Their ignorance of certain types of attack vectors associated to phishing

can cause a lot of problem within the enterprise. And so it's just really important. Those organizations out there that do that one time training on hire are really not doing the amount of justice that is required in order to improve the understanding of the end user and how to recognize them.

Absolutely. I mean, it's almost a form of professional development, right? It has to be ongoing. It has to be job-embedded. It has to be relevant so that they can be aware to see the context, right? And really only that user will know the context, right? They'll know better than you guys would whether they often see that type of invoice, like Braxton mentioned. So they'll be the ones to actually flag it for you and just say there's something up. I have a feeling about this.

I wasn't expecting this. It doesn't look right.

Yeah, that's great. So what's the next move that you guys take right after you detect it? Do you isolate it to begin investigating, do you communicate with the user? What's a sample?

Speaker 3 (23:30.35)
Isolation is a little bit heavy-handed to do right off the top of it, right? So typically in that whole process, when, you know, if something's been reported to us, we reach out to the user, we talk to them to try to ascertain, you know, what is this, is this someone you talk with a lot? Were you expecting this? So on and so forth. And then we ask the one million dollar question, and I mean that literally in some cases, of what did you do with it?

Is that important?

Speaker 1 (23:53.762)
Did you click? Did you already click? Right?

Did you click it? Some end users don't pay attention to whether or not they do. Some know and they don't want to, you know, they feel like they're going to get in trouble. And some will be honest with you, which is fine. So we'll ask you, you know, right away, did you click on it? And if, you know, if you tell us no, we're going to double check just to make sure. Not that we necessarily think you're lying, but you know, maybe you just misremembered or you didn't think you did. So we're going to double check just to make sure. But at that point, once we hear that

Speaker 3 (24:26.542)
you might have done something, or you forwarded it to somebody else to ask them what they thought about it, and so on and so forth. If you did something with it in that regard, we're gonna start to dig a little bit deeper to see who clicked it, who all has it been sent to, what's in it, what's the potential payload, what do we need to be concerned about?

Speaker 3 (24:47.35)
And then hopefully, like if nothing really happened with it, all we're going to do is probably just delete that email and purge it from the other recipients' inboxes and, you know, thank them for reporting it and moving on with our lives. But if they clicked it or if they input data or they forwarded to other people that did these things, now the scale of our response has to go a lot further than that. Scott, do you want to dig into that a little bit?

Yeah, I mean, I think that's where we go on to stage two, right? Ashley, you're going to ask them, you know, what happens when it's not just spam, or it's not just a phish that we can isolate and nobody's clicked?

Speaker 2 (25:35.214)
Yeah, I was like, once an attacker gets valid credentials, how fast can things escalate internally? Which I think is what you were getting at there. What's the most critical thing to contain first? The account, the network?

Speaker 2 (25:54.306)
Let's talk first about how fast things can escalate. Once the attacker obtains valid credentials, escalation can occur within minutes, especially if the mailbox rules or automated actions are set to hide their activity. That's something that's very common in a BEC is that rules are created to basically hide them from recognition. Anything that is being sent out by them is being trashed by the rule.

So therefore the actual mailbox owner never gets notification that something is happening with their email. So that is something that happens a lot. Immediate detection and notification obviously helps us improve how fast we can manage these types of threats. But once again, once those actual credentials are compromised, they can move laterally very quickly through the organization,

normally sending emails as the user in an attempt to gain trust in their malicious approach or attack.

Speaker 2 (27:09.612)
How do you manage communication inside the company without tipping off the attacker?

This is tricky, and obviously you don't use the email because that's what they're monitoring and managing. Part of your incident response planning should have methods of communication established and identified. You want to use something that is offline from the email system. So phone calls obviously are very important. Having Teams calls so that you can organize what information sharing needs to occur.

I do want to put caution to too much sharing. You don't want to provide information internally and most importantly externally that indicates any level of liability or fault associated to an incident. So I think if you've got lawyers involved at some point in time during a scenario like this, they would warn you about being able to keep that information under control.

You don't want to introduce any level of liability or fault.

Speaker 3 (28:27.224)
from my perspective.

No, seems to make sense. So as the attack kind of evolves and we move on to the third stage, like malicious attachments are contained and they're detected. Once malware is in the mix, how does your playbook change?

Well, the playbook changes based off of the definitions that we talked about earlier. So you continue to operate off of your incident response plan and how, you know, you've defined your escalation levels. So probably in a lot of cases, when we start seeing malicious software, malware, starting to be

propagated or installed on other devices is probably going to elevate things a touch. So the scale and the overall impact of your response is also going to escalate. So we're talking about containing devices, making sure that it can't spread, understanding what the account is that's propagating it. We probably have a pretty good idea of that already in this specific example. So locking out that account, making sure that any

bad actors that were in there no longer have access, making sure that that compromise hasn't spread to other accounts, ensuring that there is very limited lateral movement, if at all, that can occur across endpoints where this malware is being spread. And then hopefully once it's contained, we can start to do a little bit of like an autopsy to understand what all has been fully impacted and to what level, what scope, and then start focusing on recovery.

Speaker 1 (30:09.742)
Yeah

In the effort of malware now being part of the scenario, communication protocols probably heightened as well. Information needs to probably be shared with stakeholders and potentially regulatory bodies may need to be informed if there's levels of compromise at that level. When remediation efforts are escalated to restore normal operations and patch vulnerabilities need to be executed.

Right, we have to get rid of the malware that's been identified. So getting whatever patches are that are necessary to do that need to be executed.

Yeah, and keeping in mind that we can plan for everything, but we can't predict everything that's going to happen. So a lot of this is determined as, like, a first responder, right? Like you're like, well, that might not be directly in the plan, but it falls under this category, right? How do you guys decide, as you're flying along, when to shut systems down or when to keep

systems live or isolate certain attacks at this stage of it?

Speaker 1 (31:27.96)
Okay. Offline. Good point.

A couple of things happen. Number one, we no longer have access to it in order to do forensics. So we're blind to what's going on on that system. Number two, you could actually be destroying information that could give us the forensic definitions that we need to identify, because they could be lost in memory or other areas that we no longer can see. So it's very important that you don't shut it down. Take it off the network so that we can do proper levels of forensics and

clean up on those devices. Some solutions that are out there will actually contain it and keep a channel open for the ability to be able to manage the device without it being public facing or internally facing.

Got it. So you've kind of separated it from other aspects that could do more harm, but you keep it alive so that way it can be accessed for forensics. That's correct. Make sense?

Several levels of segregation are capable. You can do it at the machine itself through those controls I mentioned. You can do it through VLAN management. You can do it through switch controls. A lot of different ways to be able to take it away.

Speaker 1 (32:43.298)
Yeah, depending on their stack, right?

Yeah, we don't want to destroy any evidence that exists on that machine that could help us identify what's going on.

Yeah, and that's a good phrase that you just used, evidence, because at this stage, the technology of the client is really, you have to think in terms of chain of custody. You have to think in terms of law enforcement or a lawsuit and discovery and all of that, right? Like it becomes evidence at this point so that you can figure it out. Whether or not it gets to that point or not, really, you have to treat it like that.

And it's super important, especially, you know, at this scenario, you may have already reached out to cyber insurance to get their understanding of an event that has occurred within the organization. Cyber insurance, most times, almost every time, takes over and they define the forensic control that's going to proceed what's happening within this organization during this event. And they're going to need

the forensic evidence in order to be able to do the determination of the threat. So you don't want to take it away.

Speaker 1 (33:59.726)
Makes perfect sense. So Ashley, you want to walk us through the next stage?

Yeah, for sure. So this is where things get kind of scary. The attacker is inside of your conversations and how does this really happen? How do you balance transparency with panic when you realize communication itself is compromised?

So this happens a lot actually. I mean, this is how wire transfer frauds happen. Foremost is, you know, in a lot of cases in a smaller business, small to medium sized business, there are, you know, maybe one, two, if we're lucky, people that are involved in like the approval of a wire transfer. You know, having like a one person rule or sorry, a two person rule on wire transfers is

highly important. So if there is a, like if someone that has this power and this ability to, you know, approve wire transfers in the business, if their email is compromised, it is child's play to pretend to be that person because you are that person according to the email account. So you don't have to worry about things like, you know, your email signature being the same, your, you know, your email font type being the same and this and that.

So it's incredibly easy to just see where you've had like previous communications regarding wire transfers who you need to speak to and then just getting one done in your own way. And if you're the only person that approves it, that's also extremely easy. So that's why we talk about having like a two person rule with wire transfers is yes, I can approve it, but I also need somebody else inside the business to approve it before this happens.

Speaker 3 (35:56.238)
someone else that can, you know, ask some more discerning questions about it. About transparency and how do you handle communications when email's already compromised in any type of attack like this, immediately, I mean, you should immediately switch to a different means of communication. Sticking with the example of an Office 365 account that's compromised, avoid Teams. Obviously, you can't use Outlook, so just...

call somebody, use text message. If you're in the same office, go to them, whatever it is. And just use like you would to verify if a phishing email is legitimate, reach out to somebody through a different means of communication to start to initiate an incident response.

Actually, in an event to avoid panic, your communication needs to be well structured. A lot of times we recommend, through the incident response planning, to leverage lawyers to make sure that the message that you're providing, once again, avoids the language of alarm. You don't want to...

indicate breach or something like that to your clients if there's not the necessity of doing so until it's under control. And so make sure that your language in your communication is structured. Get lawyers to help you with that structuring, but make sure that your message is clear and precise. And like I said before, doesn't indicate levels of fault or liability. I also recommend that communication internally and externally are separate.

and the same amount of control leveraged across each. You want to make sure that what you tell your employees is the same message that they're telling clients. So make sure that that communication is expressed accordingly.

Speaker 1 (37:53.038)
So that's really significant to me because what you're saying is it gets back to the definitions of all the different stages and the fact that not all breaches are equal or not all compromises actually rise to the level of a breach, right? Breach is actually a legal term of art. And so there can be a lot of these stages occurring, but the attacker necessarily hasn't

achieved exfiltration, which is a fancy word for stealing or the actual compromise of sensitive data, right? They might still be inside, but they haven't caught it yet, which means it very well wouldn't arise to the level of a breach. And so that's why it's so important to be communicating with counsel and privacy counsel, data breach counsel, so that they can address that and address the qualification of it. Is that fair?

You know, we get involved in incident response planning. Braxton and I have both served as incident response managers, therefore providing the directive about what needs to happen. There are so many times that people in the organization want to panic. They want to shut systems down. They want to start calling lawyers. They want to start calling cyber insurances. Like, we have to make sure that we understand

what's going on in the organization before we make those calls, before we pull that rope and stop that production line. So very important to have that structure and as a response manager, that is your primary goal. Your primary job is to make sure that you pull the triggers when they need to be pulled.

And this is often, not every time, but this is often like on holiday weekends, right? Like, or after hours, like they don't tend to attack when the organization is fully staffed and defense and all the defenders are there, right? Like they kind of, it seems like they, they are attacking when staffs are, are generally supposed to, or at least scheduled to be off or lower, right?

Speaker 1 (40:16.948)
That's strategic.

They don't have a full IT staff on, you know, so that they can be protective or at least recoverable. Yeah, those things happen for a reason.

So the next stage, we called it stage five. These aren't formal stages, but let's say there's a Trojan found or a zero day. Walk us through what a zero day is and how do you begin to address those when you find it? Like who makes the call on external escalation once something like that is found?

A zero day is a vulnerability that we haven't been alerted to until like that day of, and that's a zero day. In some cases, the vendor wasn't even aware of it. In some cases, they were aware of it. They just hadn't disclosed it yet. The idea is that in general, it's a new vulnerability that hasn't been disclosed to the general public until that very moment. Right. So that's zero day, zero day that it's been around. So,

Yeah.

Speaker 1 (41:27.116)
Meaning they're in plain terms, there's no patch yet, right? Like we didn't even know you could break in this way and the whatever, the platform or the software or whatever has this vulnerability and nobody's even aware of it. Like we don't have a patch. We can't plug the hole yet. So they're inside.

In some cases, PrintNightmare is the best example of that. In recent years, there wasn't an immediate patch. There were some workarounds. Oftentimes, if the vendor discloses the vulnerability finally, they will often have guidance on, here's the version of our software or firmware for hardware that's not affected by this. Here's a workaround if you can't update your firmware or what have you.

like a direct patch to affect those things. Yeah, sometimes we don't have that. So that's what a zero day is in general. I don't mean that it didn't exist prior to that. No, it did. That's the whole problem. It's that we didn't know it existed, but attackers did, bad actors did. So they had found this and they're obviously not going to tell vendors that this stuff is out there because they're going to use it for evil means. So

See you.

Speaker 3 (42:45.07)
That's why they're called that. How do we prepare ourselves for that? So we talk about defense in depth in cybersecurity. We talk about having a multi-layered approach in cybersecurity, having controls that protect your organization from multiple layers. So from the external layer in your firewall,

you

Speaker 3 (43:11.48)
to anything like that's coming as ingress traffic communications at the spam filter, the firewall, to all the way down to like how things are moving internally from endpoint to endpoint, what's being controlled on the endpoint itself, and then even going outside of it from who's sitting in front of the endpoint to training your end users. There is no one specific control to handle zero days. That's in their nature. We don't know what they are.

You have to have several levels of your goals so that everything works together cohesively to help compensate from how these zero days can actually be enacted.

Yes. Which makes sense. And then when that happens, what do you like, how do you make the determination on escalating communication? I guess it gets back to what we were talking about earlier, right? Like at what point as an incident manager, do you guys make the call to engage law enforcement, let's say, or?

or cyber insurance? The answers may vary depending on who you're engaging, right?

It does. It all depends on the level of compromise that's occurring in order to make that decision. First of all, it's the responsibility of the CISO for the organization. It could be the responsibility of a C-level attendance within the incident response team. Usually that's the designation in the incident response team who's going to be the one that does the contact to cyber insurance or to the lawyer.

Speaker 2 (44:53.114)
They usually have them on speed dial anyway, but nonetheless, that's the ones that are going to hold those triggers and the CISO's job is to tell them when to do it. And once again, that's based on the severity of what we're dealing with. Any level of compromise, any level of breach needs to be dealt with accordingly. We want to make sure that the cyber insurance team is aware as quickly

And as appropriately as possible to an actual incident that is associated to data loss and or some level of compromise in the organization that's going to eliminate operations, we need to get them in the know so that they can get their side going. They can provide an understanding, financial understanding of what they're dealing with with coverage, how much they're going to be able to get in order to deal with this incident that's going on.

Some insurance companies have ransomware levels that they provide, that we got a $2 million platform, we have a $5 million platform, whatever. You need to know what's available. And they will also tell you what your out of pocket is going to be, as not everything's going to be covered, right? You're going to have some level of out of pocket you need to be ready for and start setting that up. Having somebody that's experienced with that communication is an assessment.

Well, and as important as insurance is, because it clearly is here, because otherwise the financial impact would be enormous. It doesn't cover everything, right? Like it is still like that, that the reputation and the lost trust from clients and a lot of the other, you know, intangibles that happen through all this. That's, that's not what insurance does. Right. And so there's

That's all the more reason why preparation and, you know, looking at it like a fire drill. We all did fire drills back in school. Like, why would you not do a fire drill for a $25 million company that you have? Like, right? Like you need to be ready so that on the day of when every minute counts and you guys are engaged, that you guys have run through simulations like this before.

Speaker 2 (47:06.463)
What?

Okay.

Fire drill. Yeah, I mean the preparedness of it and the reason why we do incident response planning is so that we can prepare ourselves for what is going to happen and what we're not prepared to manage. Having identified gaps in an incident response test or plan evaluation is okay because you're finding it without the fire.

You want to find those things so that you can correct it so that the next time you're even better. The more you prepare, the better you're going to respond. And I want to add one more thing to Braxton's protectiveness associated to zero days: backups. Make sure that you have backups. You can be as protective as you possibly can be. Have the best firewalls, have the most social awareness testing and training going on,

the best alerting tools, but if you do not have your backups, then you do not have that method of recovery. So you need to make sure that your backups are safe. You need to make sure that they're air gapped, meaning that they're not associated to your primary domain so that they can, they don't access in order to get them something that would not be shared or learned by the primary attack or attack on the primary domain.

Speaker 1 (48:28.012)
and the fantastic

Speaker 2 (48:37.866)
And you want to make sure that they're immutable in the efforts that they cannot be overwritten. They cannot be removed by the attacker.

Yep. So in the in final stage, Ashley, why don't you walk us through that? This is when when the data is on the move.

Yeah, so at this point, the data is already for sale on the dark web, on the move. What does damage control look like at this point?

All right. So now we're, you know, we're dealing with, you know, some level of data that's been expelled from the organization and now somebody is threatening to sell it on the dark web. Usually that's associated to some type of auction, where you have a timeframe in order to submit a payment of their request, in order to stop that from happening. Let me tell you right now that there's no guarantee they're not going to still do it. All right. So

Obviously law enforcement would tell you the same, do not pay in order to try to prevent them from releasing your data. It would be very important in the forensics of what's happening for them to identify and verify that they actually have done what they say they have done, that they have the information that they say that they have. A lot of times attackers will say that they have something that they really do not have. So you need to make sure that you verified that as well.

Speaker 2 (50:06.798)
Obviously, we can go on back to the notification process and the communication of the stakeholders, making sure that the lawyers are involved with this because we're talking about the sensitivity of client information or even employee information. So HR usually gets involved with efforts of employee compromise. If they've had financial health care information stolen or compromised, that would be something that HR would need to manage.

If it's external or clients or even vendors that need to be notified, usually that's done once again through a communication platform that's established by usually the lawyers and then communicated by the lead of the organization so that they understand what's happening and what's being done. A lot of times what the communication normally provides is that

Something is happening at the organization that is being monitored and addressed. And we're going to keep you in the understanding. Once again, without saying the words breach, without saying the words liability, without saying the words fault, it's just, it's been something happened, it's being addressed, and we will continue to know.

Speaker 2 (51:23.854)
What would you say the single most important lesson every business should learn before they reach this stage would be?

Speaker 3 (51:33.102)
You are not boring enough for a bad actor to not care. I promise. You've got something they want or you've got access to something that they want. So you are a target. I don't care how small you are. I don't care how little that you've got. You could be a means to an end. That's all they need.

Speaker 2 (51:58.434)
That's a big lesson to be learned, that you need to prioritize your prevention controls and make sure that you're doing everything you can to leverage against an attack. Do regulatory audits on yourself so that you can understand where risk may exist in your organization so that actors won't be able to influence that risk. Employee training. Can't say it enough. Get your

your employees in the know, especially in the elements of business email compromise. I mean, that's a public facing forum, right? It's going to get attacked. So you got to be prepared on how to recognize and potentially stop that at the door when it's recognized. Having all these things in place helps you in dealing with business email compromise. If there's a lessons learned,

Braxton said it the most, don't think that you're not a target. You are. Even if it's random. Not all targets are focused. They're not all going straight after this company because they have this much money in the bank. They have spiders out there that just look for something that responds in the effort that it becomes vulnerable. And then they leverage against it.

Yeah, absolutely. So when we think about this.

It gets back to what you were just talking about, about the absolute critical importance of planning ahead and the incident response planning and doing those tabletop exercises. So tell us the, what a tabletop exercise, what does that look like and why is it so important to run these scenarios ahead of time?

Speaker 2 (53:55.304)
There are slides that you use to demonstrate a business email compromise come straight out of one of our incident response plan programs. The idea is that you get a collective of your incident response team. First of all, that needs to be certain players in the organization and maybe even vendors that are dependent on the operational controls getting their involvement in it so that

you have somebody that's going to manage their role in a breach or in some level of incident. And the incident response plan is to put a scenario out there of what is going on in the organization and getting the team that's responsible for the response to actually start ingesting their role into what's going to happen. Tom.

This is going to be a scenario where ransomware got involved in it. What is your role? What are you going to be doing? And then Jim, what is your responsibility? How are you going to be managing it? And by introducing it in stages, you can leverage up. It doesn't have to be that final stage where everybody's in the notification process. You can build up to detection. You can build up through containment. You can build up through communication.

and manage it effectively. And once again, you don't have to be perfect on your score. The whole point is learning where there are gaps and be able to fix those gaps so that the next time you're even better.

And I would imagine based on the evolution of the attack that the roles might change, right? Like at some point somebody might be responsible and have to take action, but at a different stage they might just need to be made aware at that stage, right?

Speaker 2 (55:53.208)
Yeah, that is correct. One of the things that we see a lot is that during an incident response tabletop and you're going through a scenario, you'll have one guy that's constantly raising his hand saying, I'm doing that. I'm doing that. I'm doing that. And finally, what I have to usually say is, okay, you're out. You're part of the compromise. Maybe the compromise was a tornado and you're home and you're not available anymore. Who is doing it? Who is your backup?

And is that backup designated? And are they aware of their responsibilities? So a scenario driven approach is very important and having that role designation shared across multiple people also helps improve the ability to manage it should an incident occur.

That's a great point, because if one resource is taking ownership of many phases, then, I mean, if you run the scenario in the simulation six months before the actual occurrence, then what if that person left the company by then, right? Like then who is going to do it? You have to figure that out on the fly.

It's a responsibility of any time you have a change, a major change in the organization that would involve an administrative level person or a C level person to pull your incident response plan back out, dust it off and update it accordingly to any change that's been introduced to you.

Excellent.

Speaker 1 (57:24.906)
Any final thoughts to add, Braxton or Scott?

Now just redundancy matters in your personnel just as much as it does in your solutions when it comes to incident response. So having a backup can be vital given this scenario.

And when you're following through on an incident response, make sure that that last piece is your learning piece. What did you learn from it? If you don't do that, then you're not going to be able to put definition on where we need to improve. And so make sure that that's a very important part of the final piece of the incident response understanding is that you've got that lessons learned piece and that you're improving from it.

Absolutely. So we thank everybody for attending. Ashley, thank you so much for putting this together. Everybody that's attended, we welcome the opportunity. We have an offer of a complimentary technology workshop. We can identify gaps, assess your current state from a high level, provide you with some guidance. There's a QR code to find out more details.

And there's no strings attached, no cost whatsoever, simply there to help organizations kind of identify where they kind of sit today and where they want to be. And we welcome the opportunity to help everyone. Ashley, thanks.

Speaker 1 (59:05.646)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.
