B (8:42)

But.

A (8:42)

But if you find yourself available, boom. It'll be on your calendar. And I'm hosting a watch party for this thing unofficially. Flare is pretty cool. So like they're not pushing back on that. But I just announced because I'm going to this thing and I'm super psyched about it. I'm going to learn what the life of a ransomware operator actually is. Are they actually driving bugattis and drinking high end martinis while just clicking one or two buttons and getting paid straight cash, homie? Or does it suck? Are they grinding or are they on the run? Are they running payloads that aren't working? Are they getting yelled at? Right? Some of these organizations are very organized and they have management. Imagine not making your Q2 numbers as a ransomware threat actor. That sucks. I don't know. I don't know. We're gonna find out together. Go to Simply Cyber IO Flair to learn more. Register for this free webinar. I am amped the workshop this week. I am super amped about the flare training. I'm amped about. Okay, just to qualify all those things. Remember, stay tuned because at the mid roll, we're gonna get, we're gonna get right into it with Tidbits Tuesday. And I'm gonna, I'm gonna share some tidbits with you and I'm gonna dispel a myth that nobody talks about. And I want you to know it because somebody should have told me. I don't know why no one told me. But I'm gonna tell you the real real about my appointment yesterday and what you need to know for your own health. But first we're going to hear from Flair because their straight boss is killing it. I will be at Zero Trust World in March with Kathy Chambers and Kimberly Can Fix it and others. If you're going to Zero Trust World, let me hear it in chat. I'll be talking to you in chat as the ad role plays. And when it comes back, prepare for your face to be melted. Let's go. I want to give some love to the Daily Cyber Threat Brief sponsor Threat Locker do zero day exploits and supply chain attacks keep you up at night. Don't worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about about how Threat Locker can help prevent ransomware and Ensure compliance. Visit threatlocker.com Daily Cyber. All right everybody do me a favor. Marcus Kyler knows what's to do, but if you don't know what to do like some of our new time first timers, welcome to the party. What I need you to do is sit back, relax and let the cool sounds of the hot news wash over all of us in an awesome wave. I will see you guys at the mid roll.

B (11:34)

From the CISO series, it's Cyber Security Headlines.

C (11:41)

These are the Cyber Security headlines for Tuesday, January 27, 2026. Yeah, James Charlie Microsoft patches Office zero day vulnerability Microsoft pushed an emergency out of band patch for a high severity Office Zero day that attackers are actively exploiting. The flaw lets local unauthenticated attackers bypass security features with low complexity user interaction attacks by getting someone to open a malicious Office file. Office 2021 and Microsoft 365 received fixes immediately, but patches for Office 2016 and 2019 are not ready with Microsoft offering temporary registry mitigations in the meantime.

A (12:30)

Indian users all right, so Microsoft Office has notoriously been a cesspool of vulnerability and attack surface. I mean especially with macros back in the day. Gen Alpha is never going to believe when we tell them that we used to let you just write custom code and detonate it inside the app. They'd be like, what macros, Right? So Microsoft Office has got some other issues, and there's a couple things here. Number one, it does allow you to bypass security and via a malicious Office file. Now, the one thing about it that is worth noting is it's unauthenticated local attackers. So you would have to be on the same network. Now, that's not impossible, because if you compromise, if I compromise Rhonda Rummerfield, and she's on the same network as ab, then I can just move laterally. So this is. This is like the call is coming from inside the house. So a threat actor would already have to get you a little bit. But there are, you know, there's info stealers and stolen creds being sold on the network and access brokers and all that. So this is. This is not something that you need to, like, ignore. But it's also not something where I'm like, oh, Jesus, I'm glad I wore my brown pants to work today. So I'm. I clicked on the vulnerability itself to get some More information here. CVE 2020 621509. As always, I like doing EPSS lookup. We're actually gonna have a. Here. It's not in the database yet. We're actually gonna have a guest coming on simply Cyber Firesides pretty soon. Carla. Carla Sheffield, I believe her last name is. We just met for the first time. An introduction from Jack Scott. But she's got some real hot takes on how to prioritize vulnerabilities. And it's not CVSS and it's not epss, so stay tuned for that. That's coming up a little bit longer. Now, as far as this goes, most of you are dealing in an organization that has Microsoft Office, right? Like many of us do. So let's see how. Okay, so the fix. Jesus, hold on one second. Looks like there's two fixes, like a patch and then a. Okay, so if you're running office 2021 or later, you will be automatically protected via service site change, but you will have to start the Re. The Office app. Okay, so Microsoft's got your back. Ah, you got a Patrick. Okay. But if you're running office 16 or 19, you have to manually do some stuff. You can automate this with a. A gpo, basically, or a script you can run, and you have to, like, basically create some Registry keys. All right, this is a little bit of a pain in the butt, but if you're a Windows Environment administrator, you know, you could just write a PowerShell script and push this. So the, the, the remediation is okay. Obviously if you're not in it. Like if your organization is large enough that you have a different team managing your Windows infra you'll have to share this with them. I don't know what indicators of compromise look like, but again, it has to come through a malicious Office document. So you know, you educate your end users because they probably have to detonate the Office document. But that's. It's trivial to trick people if it's coming from an inside source. Like again, if Rhonda and AB work at the same company and Rhonda gets hacked and then a hacker sends a B an email as Rhonda, a B is going to have a lot of trust in clicking on it to look at it. So you know, your, your end user awareness training is going to be a little less effective in this situation. What I would recommend is just patch your stuff, right? Jesus.

B (16:37)

Ah, you gotta.

A (16:38)

Patrick, get with your IT team. They probably have weekly maintenance windows where they can push stuff like this. It doesn't look like the key disrupts anything else. You know, Office 9. Is Office 16 even supported? Office 16 supported. Okay, so really quickly I just want to point out that we're. If you're listening to the audio, I just looked up when Office 16 and 19 ended. They ended support October 14, 2025. So realistically, as I suspected, you shouldn't even be running this in the first place. And you know what, I get it. Budget issues, you know, competing priorities. But this went end of life three months ago. So you know, it doesn't have a. You know, honestly, this is an opportunity. I don't say this very often, but this is an opportunity where you can use this as leverage to just get everybody off 16 and 19. You know, I mean, yes, there's a registry key change that you can make, but why not Say again, this is a little deceptive. This is a little bit in the gray and I have done this in my career, but I don't lie. Hey it or workforce or whatever. Microsoft just released, released a an advisory of a vulnerability that can be exploited. There are no patches for office 16 and 19 because it went end of life. Now that like that is true. There are no patches and it did go end of life and we need people to upgrade to Office 21 because that is a supported and secure version. So let's, let's get it together team. Let's go. If you don't like it, too bad. We're doing that so you can. This is One of those opportunities where you can leverage the advisory in order to promote, you know, basically migration to supported versions. Again, in some instances you're going to run into it where they can't upgrade it for whatever reason. But this is a office suite. This is designed for end users. This is not some type of critical app that supports a server or some type of mission critical application. It's a friggin endpoint application for end users. So I don't think you're going to have much in the way of pushback on this one. So I would do it that way.

C (18:58)

Targeted by Black Moon researchers at E Center's threat response unit say a phishing campaign impersonating India's income tax department is delivering a multi stage backdoor to local users. The attackers use fake tax notices to drop a modified Black Moon banking Trojan along with a Chinese made remote monitoring tool called SyncFuture TSM, turning it into an espionage platform for persistence, surveillance and data theft. The malware chain includes DLL side loading, UAC bypass, antivirus evasion and privilege escalation. Connie targets.

A (19:41)

All right, so multi stage backdoor payload, if you're interested in that. Stay tuned to the tidbits Tuesday where we'll also be talking about multi stage backdoor payloads. Okay, so this is targeting the government, I mean the citizens of India with a, with a phishing email. That's, you know, straight fishing. Here, here's some tax stuff. Listen, this is the same as you know, targeting Americans with like, here's your tax refund stuff. It is Chinese based. I find it interesting that Chinese threat actors would be targeting India simply because, you know, brick the bricks and the, like the, the alliance of Brazil, Russia, India, China, South Africa and they've added some UAE or they've added some Middle Eastern countries as well. So you know, I mean that it, to me this would be like United States threat actors attacking the uk. It, it does happen but like, I don't know, China is usually a little bit more tightly controlled because they have the authoritative regime. But this is a multi stage payload and, and very sophisticated. So a zip file gets sent through a fake tax penalty notice. So obviously you're tricking people into being concerned. Remember, whenever you send a phishing email, there's two ways to get someone to fall for it. Or one, you scare the crap out of them so they're emotional and want to take action without thinking. Or two, you, you put so much honey and sweetener in it that they're like, oh my God, I gotta scoop this up. For example, I've got two tickets to the Masters. The first one to reply to this email gets it. I've got an extra laptop someone just quit I just got, and we have their laptop and we want to give it to someone in the workforce. First one to respond gets that email. I'm sure many of you have gotten. The first one to respond gets it. That's another way of sweetening it. Or, hey, you know, there's like money available, your tax refunds ready or whatever. Usually the fear tactic is used more often, but this one, this is. There should be a process flow diagram. There it is. This is like a standard process flow diagram. Also, by the way, for you newcomers here, this one absolutely gets the treatment. Get your saxophones ready, please. Oh, yeah, I love a good infograph. I don't even need to read this story because I can use the infograph. Look, spam email comes in. You want to know the easiest way to stop this from hurting your workforce? Get a good email security gateway and educate the crap out of your workforce. But anyways, they open a zip archive, which my Aunt Dorothea can't do, which, with all due respect, so, like, you're already kind of eliminating part of the group of people. They get an HTML, you know, so the browser pops open, runs a VB script. And once you do that, it's game over because you're, you're, you're detonating malware under your own permissions on your box. And there you go, you can see it detonates some shell code, it does an XOR LZNT1 compression. Like basically it's just obfuscated code. And then it runs like, at this point you're screwed, right? This is running binary second stage payloads, etc. Etc. And there you go. Oh, this is interesting. It does have a. Hey, welcome to the squad. Ash and Samurai. Good to see you. This does have like a little bit again, when you see malware, at least for, for me, in my opinion, when I look at malware, if it does anything beyond the initial, like whatever the thing is, right, if it does anything before besides info stealing, if it does anything besides running ransomware, it begins to elevate the sophistication of it and tells you something about the author of the malware. In this particular example, you can see the Black Moon dll, which is the final stage payload, right? It checks to see if, I guess a vast antivirus is running on the box for some reason. It chooses Avast versus just any av. It goes to timecha.com so it looks like it. It, it'll load a, a website and appear not to be malware. But if it does not check, if it does not see the anti malware solution, it'll then detonate and reach out to the C2 infrastructure. So this is basically malware that also has some anti analysis or it's not anti analysis as much as it is like anti detection because you know it's, it's, it's going to not detonate if it sees the anti malware solution. As Roswell UK puts in here, if you visibly see the mouse moving on its own, you've got a infection. And that's true really with anything. Okay, so what do you do here? Number one, run EDR in your environment. Number two, if you live in India, educate your workforce on this letter this email as being fraudulent. As always, don't just rely on this single email. You should educate them as a, as a best practice on how phishing emails work and you know, and what to look out for and how to report it to the infosec office. I want to point out really quickly, you and I, like, we know what fishes are and to me like, fishes are common knowledge. Like obviously everybody knows what a fish is. I teach at the Citadel Military College and they're 18, 19 year old students, American students from all over the country. Actually I have a lot of Saudi Arabian students this year and I asked all of them on the first day of class. Who knows what a fish is? None of them knew.00. So if you, if you, like me, made the mistake of thinking that fishes is a common knowledge thing. Guess what guys, we live in a bubble because normal people, I guess, I guess cyber people are abnormal. Normal people don't know what fishes are. So it's our job to educate them, right? So don't sleep on that. All right, let's go. All right. Whoa. Excuse me. Infograph misfire.

C (26:05)

Connie targets blockchain developers. Checkpoint Research says the Democratic People's Republic of Korea linked. Connie is targeting blockchain developers in Japan, Australia and India with phishing lures disguised as project docs to compromise development environments and, and access wallet credentials and crypto. The campaign uses an AI generated PowerShell backdoor with unusually clean structure, pointing to a shift towards longer term persistence beyond Connie's traditional South Korea focused operations.

A (26:44)

All right. Hey, really quick bruising hacks. When the registration closes for tomorrow, you can register right up until tomorrow. It's cool. And I think there's like 20, 20 seats left. We're gonna have a big class tomorrow. All Right, So DPRK or North Korea. Right, I'm almost positive. Yeah, that's North Korea. I forget what this stands for, but it's North Korea. It's like the People's Republic of Korea or whatever. Comey. Or Connie. Excuse me? Connie. Not to be confused with Connie Francis. Oh, my God. That's a deep cut. Targets blockchain developers with AI generated backdoor. Yeah, man. So AI is right in malware. Welcome to the party, pal. Okay, North Korean threat Group is using PowerShell backdoor to compromise dev environments and cryptocurrency holdings. Now, they say the Connie Group, but I mean, this sounds like Lazarus Group. So I don't know what the difference is between Connie and Lazarus or if somebody has just named them. Separate. Here, let me. I'm gonna. Here's what I do. Threat actor groups can have multiple names for the same group because different, you know, threat intelligence organizations name them. So I always like to go to Miter Attack Framework. That's my go to place, right? And look at Lazarus Group. And then I'm going to see if K O N I is here. K O N I I is not here. So I'm going to back out and I'm going to search on the main page here. And it's not here either. So Miter Attack doesn't have Connie in it. K O N N I. So I don't know what this is. This is like, new on the scene. And again, I. I love cyber security. I've worked in the industry for very, like, decades, and new crap comes out every day. So don't think. Like, if you saw this, Connie, and you're like, oh my God, I'm behind. I'm behind already. Like, there's people talking about threat actor groups that we don't even know. And it's like, no. Like we're all figuring this out for the first time. Okay, so what are they doing here? Goes outside the GFA scope using AI to develop a back door. They say novel back door. We'll see about that. That seems awfully subjective. All right, okay, so they're targeting Asia pac. Okay. North Korea is getting in on the pounding India train. So India is having a rough day. China's coming at him from with tax, fake fishing, tax letters and back doors. And North Korea is coming at them to seal their crypto. Let's see. They use phishing to get started around project documentation. The threat checkpoint, which is a security company. Threat intelligence is suggesting that they've been given new orders by leadership. Basically, stop attacking academia and Go make us money. To me, that's. I don't know, Elliot Matice, you tell me, using your lecture from Simply CyberCon 2025, that makes me think that maybe North Korea is having some financial woes. Right. Trying to get. Trying to refill the coffers, not to be confused with cabal coffers, an amazing magic card that I'm on the lookout for right now. All right, so they're targeting developers. Okay, so if you. Here's the thing. This story's about Japan in Asia. I mean, excuse me, Japan and India developers getting targeted pro. More likely developers for cryptocurrency tools so they could steal their money. So, you know, Davy, crack it. You know, I don't know where you work, Davey, crack it. But I don't know if you work in Japan or India. I don't think you do. So this story may not resonate with you, but. But don't sleep on this. This. Just because it's not happening to us today doesn't mean that we shouldn't learn something from it. Right? So they're using AI assisted tooling to accelerate development. Guys, AI development is cut like cursor and Visual Studio with the AI thing in, is cutting down, not just time to develop. So project that would take months, can take weeks. It also takes down, needing many, many developers. One developer can do it, in fact, usually AI is writing it and the developer is just kind of guiding it. Okay. Vibe coding. Right. So you know, it's basically just going to continue detonating. You've got to run EDR in your environment. Okay. You can see it's targeting blockchain developers. Yeah. Here's what I would say on this particular story, right? If you, if you're a software company and you have developers and stuff, you absolutely, absolutely should have EDR solution in place. You should use conditional access on your developer accounts. You should educate your developers on, you know, best practices and education. You, if it's possible, have detections around, you know, anomalous behavior or API keys being used in ways that they shouldn't. They're getting your developer accounts, right? And if you can, I. You can't force a developer to have like a great password, but, you know, if you can convince them to have a good one, that's good. Multi factor authentication. Why am I frozen? Okay, multi factor authentication. But again, if a threat actor falls for a phishing lure and runs malware on their box, it's. It's not good. It's game over. They don't really need the credentials Anymore, they can move laterally through it. But this to me sounds more like it's getting, it's, it's stealing credentials and stuff in order to get in the environment or dumping API keys to be able to use like whatever the, whatever the developers are interfacing with from third parties. Okay? So if I could, I would recommend this one. This particular story right here has a lot of great pieces of the pie on a cyber kill chain all the way from, you know, recon, right? Like they're changing their target profile of who they're attacking. So, you know, they're doing recon on it. You can presume then their kill chain is fully loaded here and they have a back door. They have, they're stealing credentials, API keys, it's got everything. So basically what I'm trying to say is if you have a job interview coming up or you, you know, this is one of those stories that you, you should read a couple times over, get really familiar with because no matter where you go in the job interview, you could probably bring this story into the interview as part of your responses and look like, you know, like the smartest kid on the block because, you know, it's timely, it's relevant. Everybody knows about North Korea. Most people are talking about North Korea. Fake IT actors. This one's like using AI to write malware. That's very hot, very modern. That Hansel's so hot right now. It's talking about backdoors, persistence mechanisms. If you're going for a GRC job, you might be like, oh, this isn't for me. Well, guess what? GRC people and GRC mafia, please. Spam chat if you identify as GRC Mafia. This is all about updating your threat models, right? Last week the these, this threat actor was not targeting me, they were targeting governments. And now all of a sudden I work at a fintech company, then this is targeting me. Good thing I stay up to date with the daily cyber threat brief. I'm going to update my threat models. So this is. There's all value here, okay?

C (34:50)

Releases new cryptography categories. CISA published an initial list of hardware and software product categories that already support or are transitioning to post quantum cryptography. Developed with NSA under a 2025 executive order, the list is meant to guide procurement as quantum computing threatens. Current public key crypto categories include cloud services, browsers, messaging, endpoint security and networking with PQC used for key establishment and digital signatures. CISA says future purchases in these categories should be PQC capable to prepare for quantum era encryption. Risks.

A (35:37)

Hey, tech grunt. Drink. All right, guys, so CESA is doing their job. They now have a list of post quantum cryptography products. So if you work in an environment where you need to worry about, you know, basically how quantum computers are going to compromise your security, I'm talking national security secrets, you know, really sensitive stuff, mostly national security or like, you know, like Lockheed Martin with the F35 black or F35 super jet, whatever, like those type of things. Then you should worry about this. You know, for, for, for many of us, you know, it's, it's not going to like ruin our day, right? I mean we should, if you, if you have the ability to get, budget and purchase things and it happens to be post quantum cryptography, like aware or sensitive or mindful, then go for it. But I don't know guys. Here's my, here's my, here's my thing. Okay, really quickly. This is cool and thank you Sisa and thank you NIST for developing post quantum resistant encryption algorithms. I'm all for it. However, like Carl in accounting is going to fall for a phishing email, give up their creds and, and then detonate malware on his box and domain. You know, for whatever reason, threat actor is going to move laterally. Carl and accounting has crappy passwords. Carl in accounting wants to get off work early and it's just clicking through things. So while post quant, like quantum computers introduces like kind of new risk around confidentiality compromises in, you know, tomorrowland at Epcot, for most of us, including me, quantum is not on my radar, it's not on my roadmap, it's not on my five year plan on where, how I'm going to secure an organization. If you have the choice between implementing multi factor authentication and upgrading your firewall to be post quantum cryptography compliant, I recommend mfa. You know what I'm saying? Like, I'm not saying don't, I'm not saying ignore post quantum cryptography products. I'm just saying if I buy some technology and it happens to be post quantum crypto compliant, yay. But if I'm evaluating two products in the post quantum cryptography, one cost twice as much, I'm going to spend that delta on something else that helps protect my organization in a much broader way. All right, so again, I'm not poo pooing quantum. I'm just saying this is the deal man. This is what GRC is. I'm given a hundred bucks, right? And I'm told to feed the family a I E. Protect the organization. I need to spend that hundred bucks in the way that it gets the biggest risk reduction for my organization. And spending 70 bucks on, you know, something that addresses a risk that isn't really that big a risk for my organization is just, you know, kind of bad, bad practice.

C (39:13)

Huge. Thanks to our sponsor, Conveyor. True story. An infosec team had to give customers MapQuest style directions just to navigate their Trust Center Spoiler it didn't reduce follow up questions and created even more work for everyone involved. With Conveyor's new Trust Center AI agent, customers get answers instantly and can even upload questionnaires for the agent to complete. This way, customers find what they need and keep it pushing without your team needing to intervene.

A (39:48)

Learn more@conveyor.com all right, QKB3128 says if one takes the master class, do you do they get help finding a job? If you're talking about my GRC Analyst master class at Simply Cyber Academy, I mean do you get help finding a job? I mean I have an entire collection of lectures at the end of the course that helps you find a job. But you don't get like one on one. You don't get like I don't sit with you and try to help you find a job. It like in, in physical state. Like I made videos to do it. All right, let's do this really quickly. All all right guys. Hey, BW5542 says this is my OPIC. I'm not sure what specifically you're referring to as myopic. My is it my take on post quantum cryptography and how I would invest my money in other broader controls or what I just need there's we're talking about a lot of stuff BW5542 so I'm not sure what what you're specifically referring to. All right guys, we've done all the ad reads, but I do want to say thanks again to the sponsors. Threat locker, Anti siphon flare and area. Definitely all about good times really quick. Every single day of the week has a special segment and Tuesdays is tidbits Tuesday. What I'm about to say is appropriate for all audiences, although it will be a little dodgy. Yep, Soul Shine. I have a collar on the shirt which means I am teaching today. All right guys, here's the real real I had a colonoscopy which is a totally normal procedure. It's maintenance. Basically it's maintenance on your body, right? You should go get one. Here's the big here's the big thing, right? I don't want. I, I wasn't really comfortable with having my, My, my butt basically exposed to the world. I want to dispel a myth. Everybody knows what the process is. Everybody knows what's going on. I want to tell you. They, they run it like an oil change, basically. They got bays of people. You hop in a bed. I mean, you're wearing a robe, right, with nothing else going on. You're covered in nice warm blankets. And then when it's your turn, they wheel your bed into the. Or they, you lay on your side and you literally go to sleep. Like, you are passed out before anything happens. Like, the blankets are on you. And when you wake up, you're back in your holding bay and your wife's standing there and you're talking nonsense, right? It's. It's a great experience. Like, I didn't feel violated in any way. So if you, if you have been nervous about the procedure because of basically having your situation out in a room full of random people, I got news for you. That doesn't happen. So, I don't know. Great experience for me. FYI, this is a PSA to get your. Get your annual maintenance done. Thank you very much for coming to my TED Talk. All right, let's keep. Well, hold on. Let me look at Chat really quickly. Okay, so BW5542 is saying myopic. Considering quantum crypto is not worth the investment. We could certainly talk about that during jawjacking tomorrow. BW5542, it's just I've built and run cyber security programs for very large organizations. You don't get a ton of budget, and you've got a ton of risk. So if you're going to carve out a huge chunk of money to a deal with Quantum number one, you've got to explain what is the risk of Quantum to your organization to warrant them giving you 100 grand or whatever to buy this particular solution. And then if you get popped because you don't have something else in place like mfa, you're going to look like a donkey. So. But we can definitely talk about. I'm open to your take on it as well. Did you say. All right, so a couple questions really quickly. Did you say anything funny coming out of the thing? I asked the doctor if I was a good patient. I thought my wife thought that was kind of funny. James McQuiggin is really funny saying some things in chat. AB was praying when he woke up. So, yeah, dude, it feels Just like an oil chain. Like, not like you feel like you got an oil change, but like the process of like, like in, in processing, going to your thing, coming back. It's, it's a thing. All right, let's keep cooking here. We got, we got work to do, y'. All.

C (44:13)

Cloud flare misconfig miss behind BGP route leak Cloudflare says a recent 25 minute IPv6 BGP route leak that caused congestion, packet loss and roughly 12 gigabits per second of dropped traffic was triggered by a router policy misconfiguration in Miami, Florida. This appeared to accidentally redistribute internal IPv6 prefixes to external peers, violating Valley Free routing rules. Engineers detected the issue, then reverted the config, paused automation and restored normal routing.

A (44:54)

All right, so cloud dude, here's the reality. Like only a couple, a couple organizations kind of run the Internet, right? Akamai, Facebook, Meta, Google, Cloudflare. Google especially like most of like the what what websites are okay. And not even if you're using a solution. Most of them are looking at what Google's saying. Cloudflare has a misconfiguration. I'll give you a hint who did that. And it took, it took down part of the Internet right Now the good news is part of the Internet didn't black out like splatter your bladder night down in Tijuana. But you know, basically it was a BGP update. Most people, most people do not know what BGP is because you never really deal with it when you're think about the Internet for a second. And this is kind of like an extra lesson learned when you think about the Internet. The Internet is really just a network of networks. That's it. And the ASNs are kind of the top of the, the network for each of the networks that are connected that make the Internet. And BGP is how they talk to each other. So it's a lot like any routing in your local network. But BGP does it at that level. And when there is a route update that is bad, it can cause an issue for, for whatever that ASN is. Now the good news is it was only 25 minute mistake. Excuse me. Excuse me. Oh my gosh. Excuse me. So what I suspect is somebody some. Oh yeah, I'll tell you about splatter your bladder. So somebody probably made a mistake and then said oh crap. And then they, they, you know, they changed it. Like they're like. And then they're like oh crap, I gotta let me hit Ctrl Z and commit it but it possibly the BGP routing, this is the cool thing and the dangerous thing about the Internet networking protocols and networking in general is incredibly resilient. Like networks will kind of self heal themselves as far as being able to get packets to their destination. The problem is when you make a route update in order for it to percolate through the system, it can take time. Yeah, you can see here they're talking about the ASNs. It would be worth spending 20 minutes learning what BGP is at a very high level, just so you're aware. Oh, here we go. Look, this, this infographic gets no saxophone. Peer prefixes leaked. I don't know anything about Valley Free routing policies, so I'm not sure what that is, but. Oh my gosh. So there's rules about propagation of network routes based on business relationships. I didn't know that. I did not know that Routes cared about like businesses and money. Straight cash, homie. All right, All right, so here's the. I mean this is literally what happened. And dude, you can throw this casually into a job interview. Cloudflare explained that the root cause of this BGP route leak was a policy change, which was done by a human. A policy change intended to prevent Miami from advertising Bogota IPv6 prefixes. So Miami was, you know, promoting Colombia and we were trying to stop it. Now I, I'd be curious why Cloudflare was doing that. That's interesting. So I don't understand the why behind this, but it caused a problem. They backed it up. Tldr, this is an interesting postmortem. This has nothing to do with you. This. Everything is fixed. Everything about this is already done. So you may have experienced some network congestion, but that, and this is part of the reason why system flaws unlock.

C (49:11)

Doors at euro firms. SEC Consult found more than 20 vulnerabilities in dormakaba's exospaced physical access control systems used by major European enterprises. Flaws included hard coded credentials and weak crypto and command injection and path traversal, potentially letting attackers remotely unlock doors, harvest pins, or pivot inside networks. Dormakaba patched the issues over the past 18 months and says exploitation would typically require internal network access, though researchers identified Internet exposed systems that could be opened directly. Malware guarantee.

A (49:55)

Well, that's not good. All right, so I said this, and I've said this before, I'll say it again. I'll say this every time. It happens whenever there is a system that is related to security. So whether it's an identity access system or it is a firewall system or It's a VPN or it is a physical access system, like swipe badges and door locks and stuff like that. It needs to be an elevated priority because it's security, right? I mean it's, it's the whole point, right? So this particular system, which is called Dorm Makaba Door Makaba. Had a bunch of vulnerabilities that they took a year and a half to fix. But it looks like it could have been paired with like basically a threat actor could remotely unlock a door or whatever. You still have to physically be there to do it. I'll tell you a couple things. One, if you are running Door Makaba, which it looks like it's mostly European people, so like Roswell uk etc, like if you're running Dor Makaba access control systems, you absolutely need to verify like whatever the vulnerability is here that your systems have been updated. This might be something that require, it might be centralized, like the console just needs to be updated. This could be a cloud based system and you have to do nothing. It could require firmware pushes to all the door swipe badge systems. I don't know. But you do need to look at it and you should know if you're running this system or not because you, you wouldn't typically have like Dormakaba like partly implemented and then like Castle implemented somewhere else. Like you're typically going to have like one access control system. This is your physical security group. So if you work at a hospital or whatever, this, there's usually like a physical security workforce, like former cops typically, that are responsible for the physical security of the environment, like patrolling the garages, making sure combative patients or patient family members are controlled. They're the ones to talk to. So if you don't even know where to look, go talk to them. But you need to verify whether or not you're using this system or not. And remember, this is very much like it has to be two parts, right? So like a threat actor isn't going to be standing outside the door on their laptop and they're like, I'm going to unlock the door right now. I feel like this would be a more coordinated thing like, hey, guy, back in the office in the chair. I'm at door 7522. Unlock it. And then the person's like, and the door unlocks like you see in a Mission Impossible or a spy movie. All right, so I, I, while you were exposed to these vulnerabilities, I don't suspect that it could have resulted in physical compromise. There's too. I mean there's not too much risk. But most of the threats that we're worried about, the threat actors are doing it remotely all day, every day because it's faster, it's easier, they don't want to get arrested. This, you'd have to physically be there in order to compromise. It can be done, but I think less likely still get it patched.

C (53:10)

These phishing extensions Uncle Chrome Web Store Verona's researchers uncovered a new malware as a service dubbed Stanley that sells malicious Chrome extensions designed to pass Google's web store review. They overlay full screen phishing iframes while preserving the real URL bar and support silent installs on Chrome Edge and Brave. Stanley offers subscription tiers up to a Lux plan that includes publishing support plus C2 polling, geotargeting and notification lures.

A (53:45)

New all right, so I mean whatever malware is a service, there's a lot of them now. And this is marketing, hey, you know, 100% money back guarantee, free trial, seven days, give it a shot. We offer malicious Chrome extensions. Okay, like it's, it's marketing. Just educate your end users. This is an educate your end users one because they're the ones who are going to install extensions on their Chrome browser. If you're particularly secure environment, you might be able to disable the ability for Chrome extensions. But you know, these are getting into the Chrome Store. Google's pretty good about flagging these and getting them out. But you know, see phishing content to the attacker's choice. They advertise silent auto install on Chrome Edge Brave browsers and support for custom tweaks. I don't understand what auto installation is. So like you drive by infection. See 2000 bucks you get a basic extension with full site spoofing. For four grand you get the premium package. Get a little bit of a, you get a silent EXE installer and then if you want the, the Platinum, the high roller package at six grand, you get full support from the threat actor. All right. This particular malware will overlay a full screen iframe with malicious content. So your victim just sees malicious content and they don't understand like where they're, where's the web page that they were wanting to see? This is not good. So it also allows push notifications in the victim's browser. So the pop ups where it says whatever. So you could see here, new bookmark available. Test, testing. Yeah, I mean that's a great way to get some user to take action. Okay, so there is persistency to polling every 10 seconds. Okay, so if you have EDR endpoint detection response on your endpoints and they get compromised, EDR might be able to detect this because that's an abnormal behavior. If you're have, you know, good firewalls or a SIM that's pushing network logs, I mean a sim that is ingesting network logging from endpoints and stuff. There's a tool called RITA from Black Hills that only does one thing, it looks for beaconing. You see how this pulls every 10 seconds? Every 10 seconds is not a human behavior, it's very much a computer behavior. So because of that you can detect it like a heartbeat. And that would be an indicator that, oh geez, this is pulling into C2, so be careful of that. All right, for the sake of time, I'm going to keep cooking.

C (56:48)

Phishing attacks break into SSO accounts Cybercrime groups appear to be running a new wave of real time voice phishing attacks against single sign on accounts using spoofed SSO domains and live phone calls to sync MFA prompts and steal credentials. Mandiant and Okta report that actors identifying as Shiny Hunters are breaking into software as a service environments, exfiltrating data and issuing extortion demands with some victims, including SoundCloud and Betterment. Researchers say there's no vendor vulnerability involved, just social engineering with more convincing tooling.

A (57:30)

Every yeah, Shiny Hunters is very good. Lapsis group, scattered spider. They're good at social engineering, right? Whether it's deceptive or that like threatening, like hey IT help desk, reset this user's account or I'm going to come to your house and mess up your family, right? Like they'll, they don't care. Again, this particular threat actor group is very, they're like 20 years old plus or minus two years, you know what I'm saying? So they're a little aggressive, a little braggadocious and the only way to do this really is they're targeting single sign on services, right? So federated authentication, you know, I get your creds and then I can log into all the things that are, you know, support that, which is great. I love federated authentication, don't get me wrong, because it's nice to be able to, it's a better experience for your end users because you know, they can just access things without much friction. They only have to remember one account and when you, when they, when they leave the company, you can terminate their access quite easily. But you know, these threat actors are vishing so this all day, every day. This is an opportunity, guys, to it's grc. Educate your end users. Right? Educate your end users. And I would take this as a call to action. Get with your help desk. Get with your support desk. Get with whoever it is that's taking phone calls from the workforce and is designed to help them get access to their computer or help them reset their password. You have to get in front of them and you have to tell them about these kind of stories. And then. And you have to get support from management to be able to push back on the call. If the person says, oh, like, I'm. I'm the new vice president that just got hired. Reset my creds. And, you know, the person's like, well, I need you to verify your identity. And they're like, I'm not going to that. I'm a vice president. I will fire you if you do not reset my password. You have to give that person the support to know that they can push back in that position and. And not be treated with. What's it called? When. Retribution. I think that's the word anyways. Otherwise, it's going to be a field day because these guys are doing it and they're effective at it. Okay, so the call to action here. Here's the deal. Don't stop doing. Single sign on, right? That's not a good idea in my opinion. It's. It's too convenient and too, too desirable. All right. Roswell UK says the use of Salesforce as a primary target is a masterclass in efficiency. Once you have the CRM, you got the customer list, deal sizes, etc. Yeah, I mean, honestly, guys, I have said for years, I don't understand why threat actors don't attack accounting firms and lawyer firms more often. Just because, like, they have all the details on how much money and who the key people are in the finance department or. Or in leadership or whatever. Anyways. All right, guys, that's gonna do it for today's Simply Cyber daily cyber threat brief. But we're not done yet. We got more value. I want to appreciate. I want to extend my appreciation to all of you. Thank you so very much for coming today. I hope you got value from the show. I got a boogie out of here and go teach the Citadel cadet students. But we've got Jawjacking. It is Tuesday, which means Eric Taylor coming over from the Barricade Cyber salute. Barricade Cyber is going to be hosting. So he's. He's taken a turn in as part of the Simply Cyber Media Group for Simply Cyber's Jawjacking. It's a half hour AMA style podcast. So if you have any questions, bring them. Eric has a lot of experience as a cyber professional, so he can bring his insights to bear on helping you level up as a cyber security professional. I'm Jerry from Simply Cyra. Thank you all so very much. I'm just going through my mind really quickly. If there's anything I got to tell you about. Reminder. The workshop is on Wednesday tomorrow, and Simply Cyber Firesides is on Thursday. And oh my God, just really quick because this is actually like going kind of gangbusters. I've been. I've been releasing videos every single Sunday. And I'm doing something called Simply Cyber Media Group, which is why, like, Eric is coming on as, you know, part of the Simply Cyber Media Group for Jawjacking. I'm doing this Simply Cyber Media Group where I'm making videos, but I've also asked members of the cyber security community to bring to bear their expertise. Michelle Khan did an OSINT video for Simply Cyber Media Group and it released on Sunday and you can see like almost at 3, 000 views in one day. People are like loving this video and this whole video series. Michelle's actually going to do another video because it's been killing it. So I just want to drop this in chat right here. So if you want, go check out this OSINT video. It is sick. All right. For real now. I'm Jerry from Simply Cyber. Until next time, stay secure. Let's go get Eric. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your your burning questions about the cyber security field. Live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking.

B (63:24)

What is going on? I gotta make sure I didn't do. Yep. So communication is there. All right, cool. I really. I got to put in a feature request to Restream. I really, really do. Because I would love it to. When you're on zoom or teams, the microphone like fluctuates and it shows you like. Yeah, yeah, your audio is good. Restream doesn't do that. So I got to put in that feature request because every time I'm. I have like the digi dji mic and stuff like that that I hook up to my camera. Sometimes I have time to put it in, sometimes I don't. Whatever. But anyway, Sorry. Getting pinged by a client. What is going on, you beautiful people? It's good to see each and every one of you. We are Playing some the AI generated lounge stuff in here. Comb your hair, dude. Oh, you might be talking to Jerry. So, you know, I was making fun of him. Like what is going on with that little like reverse Dennis the Menace like porcupine thing in the mod chat a little bit. So anyway, let's see. Thank you so much. What camera are you using? Looks good. It is kind of. Okay. You can see now like I gotta, I gotta figure either I gotta get like a light, a USB light or something that sits behind this monitor or something because you will see it, it goes. The, the lighting does not stay. But it's a Sony with this other monitor, I, AC11 or AC7. I think it's a Sony DLSR. I've had it for about two years now. Love the deal. DS, DL, SR cameras, they just do a really, really good picture. Unfortunately, I do know with like some of the platforms like do not show it, you know, the full 60 frames and stuff like that. So like While I'm doing 1080p at 30 frames a second, a lot of this stuff can be 60 frames a second just depending on the receiving platform. AKA you know, YouTube, which does do it. But I think link LinkedIn and X do not do 60 frames per second, I believe. Anyway, I'm going on a complete tangent. What's going on? James McQuiggin got. Got the Dolphins going. Greatly appreciate it. Yeah, it just need that lighting and I just got to figure something I've got to do. I don't know as techie as I am and I love all things tech or I, I really, really do. I like growing up in the generation that I did, I was always one to tinker. Like I, I don't mind tinkering, I don't mind getting my hands dirty and really slaughtering stuff and. But I think I've reached that age. Like, I just love the simplicity of stuff. That's why I've really enjoyed over the. You know, I really balked it for many years about getting, you know, switching from Android over to Apple because wife, kids, everybody, they were all completely Apple and I was the oddball out. So, you know, being able to effectively communicate with, you know, family, especially when I was traveling and stuff like that, it was always problematic. And sometimes the KISS method is the best method. Ring light. I don't have enough room in between my monitors, which I've got to rework. So I've got a big, wide curved one to. When I'm looking at the camera to my left and then I got a flat one Right here to my right. And the camera literally sits right in between the two monitors. So I can look at this monitor, I can look at these and stuff like that. And a lot of times my laptops sit over here. And so being able to adjust the monitors to apply for a ring around the camera, unless I move it up higher, is just not going to work. I do know there are some of.

A (68:02)

Those.

B (68:05)

Like standalone LED soft light ones that can cut, that could be mounted on a stand and things like that that could go like above the monitor. One here and like one there just to do the natural lighting and stuff like that. So that's probably where I'm going to end up going. So excuse me, one thing. So I got a candle in my office and you can probably see that. You see like all the wax stuff that's stuck there. I don't get OCD about much, but I don't know, for some reason I just like a clean ring. And I do know that there's no. I. I know I'm taking a little bit of time to get into the question, so bear with me one second. We, we are able to go a little long today, so I'm just kind of taking my time a little bit. So that's a little bit of tidbits. Tuesday, like I said, I don't get OCD about much, but before I light, it's like I've got to clean off all that. All of that. Anyway, two things or a couple things. If you have any questions, you've probably seen it in chat, but if you haven't, you kind of figure out, trying to figure out what in the world's going on. If you have questions, put Q, colon, mark in the chat. So that way when I do my control F and be able to look for questions, I'm able to find me James McQuiggin pinging me. Appreciate it. I would definitely take you up on that, Mr. McQuiggin. Oh, he's even sent me on the back. James McQuiggin, you know me. Thank you for sending that in signal because I hate discord anyway, so if you have a question put in there. Oh, oh, oh, oh. Because these things, these things go long sometimes and you know, we are, you know, it's going to be coming back in where. And I'm going to show my screen. Let's, let's pivot. Let's pivot. Let's pivot. Let's pivot. Yes. I'm in a very good, weird mood today, even though earlier I was very, very salty. And very freaking tired. But not too take away from the jawjacking. But a lot of times we have a lot of questions that don't get answered or, hey, you know, I've even got people that message me from time to time and like, hey, I got a question about this, but it doesn't really apply to jawjacking. And I get that right? So if for some reason your question does not get answered or it doesn't really apply to this, you got business questions, you got this, you got that. Ask Barricade.com we're going to come up with a new channel or we're going to do a different playlist. But this will take you to the HubSpot form where you ask Barricade answers. So either myself, Kimberly, Lisa, anybody from the team that may relate to this particular question will answer your question. Ask Barricade.com goes to a HubSpot forum. We're not going to spam you. The only thing we do ask is like, if you're going through, like, I'll even do it here. So we'll do Bubba the cable guy. But actually I'll just copy that. So we'll do Bubba Jones. And yes, I know I misspelled that. Bubba bc.com just because. Whatever. I can't put an exclamation mark in there. Next. 843 8. Was it 867-530-9. ABC store down the road. Box cutter. Yeah, we do ask you a good bit of stuff. We want to know who we're talking to, right? So in here, let me actually blow this up in case you can't see it. So, you know, you can put your. You don't have to put this in. But like, do you agree to have your name being mentioned? We want to be able to do that. Like, hey, James McQuiggin from Twitter or from YouTube or whatever. Ask this, you know, and we want your permission to do that. You may want to be anonymous. We don't. Don't know. And when we do post it, we want to know, like, we gotta fix this one. We're working on this, so bear with us. But you know, definitely check the box that you're doing and then just fill out your social media links here. And then you can just ask your question here, right? And then do you want us to notify you via email? So that's like really the only email that you'll get from us. Maybe you might get. I have to talk to Kimberly. I do think we want to maybe have you added to our E newsletter. Yeah so instead of so you may get this and you may be added to our newsletter or you may get a separate email. Hey, subscribe to our newsletter as well. Goof head. But anyway, again, not to offset this platform by any means. By any means. Yo. I am here as long as Jerry allows me to be here and I love doing the jawjacking, I love doing the overtime with you guys but if for some reason you have something that doesn't get answered or you doesn't apply or whatever the case is, here's here's another vertical for you as well. So again ask Barricade.com oh if you are we are barricade. I'm I'm a. I'll tell you guys about it first. We we are getting ready to do another hire Been really focusing on what exactly this role is going to be and you know, for those that are off a while, you know I'm a huge fanboy of CrowdStrike. I know they've had some problems in the past but proper policy management, things like that Our customer not a lot of our customers had that issue. Like a lot of have been using our we didn't have a lot of customers that were affected like the global outages and stuff like that from a couple years ago and stuff like that. But we it will be a Falcon administrator and you're going to be working right aside with us and you're going to be learning crossword Falcon. You're going to be. I mean I'm preferring to find somebody with certifications in the Falcon platform that knows Python knows PowerShell can help build automations Like I'm very, very busy in a lot of other stuff and being able to step away from Falcon and somebody who knows this thing or the ability to learn this thing and has some programming, some automation, knows some APIs, things of that nature. You know we will be I'll be making the formal job posting on LinkedIn at the beginning of the month and we'll probably run it for a month unless we find somebody right away. So if you know anybody, tell them to go follow Barricade. So entry level higher from Cryptic Roses unfortunately if you've got the if you have the proper attitude and it's clearly visible, yes we will entertain an entry level but I mean you can't be entry level as in I don't know what an IPv4 and IPv6 is like I don't know what PowerShell is I don't know what an API is like that's too entry Level for this. Like, and that's not to downplay anybody. It's just I do need a level. I don't know how to say it without saying like an a hole and the sophistication is not the right word. But not professionalism, but experience. I do need a certain level of experience for this. And you really got to know some basic stuff. Right? So, Yes. Powershell. Powershell. I heart powershell. Can we get Jerry to do a shirt for that? I heart PowerShell. Yeah, So I'm not your guy for Python. I'm doing hyper automations with Sentinel One. Yeah, it could be Python or PowerShell. I prefer to be in PowerShell because then I can contribute to the automation and I can help bug fix bugs and stuff like that. But PowerShell or Python's okay too. I am not going to let my programming language language of choice interfere with the overall stuff. But anyway, let me see. I know I've seen a couple questions. Let me. We have four of them. Let me see. And we'll talk about this in depth. You know, if you, you have legitimate questions about this, definitely put P, put a Q in there. What team are you repping the front of the half for? Anybody want to take any guesses? Anybody want to take any guesses? The Atlanta Braves die hard Brave fan. I don't like a lot of hats and my hair is going to be completely destroyed. But because the, I don't really care for the Velcro and that snap in plastic thing like you're, you're adjusting. I don't know, I, I just love a nice fitted hat. It just, it looks proper borderline professional because at least you put a little time and cares like, okay, I'm wearing a hoodie. I have this while it's not dress up, but I do think this works in a professional setting to some degree. I didn't mean to highlight that again. What's the most interesting thing barricade has encountered at work that you can talk about new trends, interesting wrinkles used by a threat actor or some. Something new. Also. Thanks for doing these. Yeah, absolutely.

A (79:58)

So.

B (80:04)

Most interesting thing. I don't know about interesting, but it's definitely. It gets to be annoying sometimes and it, I guess it could be interesting as well. So a biz nine times out 94, 95 of the time we are brought in on an incident and we are responding to said incident, whether insider threat or a compromise or ransomware or whatever. Right. We're brought in on a bunch of stuff and the internal technology team and sometimes the Security teams view us as a threat to their job. I mean, granted, yeah, the forensics may show some very interesting and weak policies and things that need to be fixed, but all in all, we're here to help. We're just responding to this incident. We're not here to throw somebody under the bus unless there's like massive gross negligence being done. And just we've had to get in some cases that I can't talk about, but there's been cases where three letter agencies had to be notified about information that we stumbled across. And trust me, in no way, shape or form do I ever go look for this stuff. I don't really care what your data is. I really don't care. You know, I'm there to hunt evil. That's my job. I'm here to hunt evil and find out the who, what, when, where, why. That's my job. And some of this other stuff, again, I don't really care. But if I stumble across it, I gotta say something. It's like, crap. I don't. And I feel bad for about it, but to some degree, some of the stuff that I report, I don't feel bad about. It's like you're a bad, bad individual. Read between some of those lines. But yeah, those, those definitely get to be. Some interesting scenarios that you got to navigate and how to do that professionally. Question. Do you get a lot of spam for using your real name on, on YouTube? Yeah, I get a lot of spam on everything, to be quite honest with you. The real cockle, I'll just say use it, dude. It's going to take a while for people to understand or make that correlation of the real Kyle. Kyle Cow. And you know your real name. Right? But I mean, I guess it depends, right? Like for me, I've got to use my real name because I can't be on here and be like, my name is Bob Weaver. And then somebody calls the company to hire Bob Weaver at Barricade and they're like, we don't know who you're talking about. Who's Bob Weaver? He's all over YouTube. Oh, you're talking about Eric. His real name is Eric. Yeah. So it depends on what your, I guess your goal is per se. How public do you want to be now? Because I'm very public. I'm not saying I'm. Please don't tie me to the word influencer or any of that crap, but you know, there is a level of separation between me and the family, at least from a public Persona. Now people can easily figure out and can make some of the dots because of Hunter and stuff like that that went on a couple years ago and all the stuff that led up. You know, can somebody make those connections? Yes, it takes a little bit but like all the family knows not to post, you know, me in family pictures and stuff on social media because we're. I'm unfortunate this is the part of cyber that nobody really talks about. But cyber is not all sunshine and rainbows. Cyber is a very, very dark world. It really is. And you're going to come across stuff and see stuff that will make you feel nauseous for days. And while we have not had any threats on any team members lives because of the work that we do, I do see other larger organizations going through that. Sentinel one's gone through it, Mandian's gone through it, things of that nature. I've been called out in threat actor comms because they were sitting in the email system, right? Because they wouldn't use out of bound when we're going through a becoming or it was a ransom, it was either bec or ransomware, I forget I think it was a ransomware now I think about it and the MSSP is like oh yeah, there's no sign of threat actor activity so we kind of took them at the words like okay, well I guess we'll just use your real email then. But they were sending in the emails but anyway I got instantly called out and you know, I was able to pivot and get away from that. It's like I don't know what you're talking about. This isn't me or whatever so it's whatever. So again it really depends on what what you got going on. Question if I know that the what and the why but lacking the how to entry level. If I know the what and the why. I'm assuming you're talking about dfir. And I unfortunately I would say probably.

A (87:15)

So.

B (87:17)

For forensics, you know, being able to go through it and say this look, this is malicious or potentially malicious and this is potentially not malicious being able to go through that discernment. It's probably probably still a little too green. Again, I don't say that in a negative context by any means. Question is a 6,000 page pen test report standard what the Holy f. You gotta be kidding me. Is that a pen test or is that a result of freaking a nessus nexus Nessus or nessa scan result that's gonna show you so many freaking false positives and everything that's just asinine 6,000 pages. Get the F out of here. No, that sounds like some tool that was run and they just gave you the results of it with no little to no verification on anything. Maybe I'm just. Maybe I'm just, you know, naive and that's what the industry does now. But no, when I did it, no remote work or in the state. Oh, for the. I'm debating that. I mean, we got an office now and all that. Even though we're all pretty much remote. I don't know. I guess, I don't know. But if it is on premise or if it has to be, you know, come to the office. Even if it's, you know, a couple times a month or something like that. We're in South Carolina, right outside of Charleston, South Carolina. So I am trying to figure that one out because. It does seem like remote work is fake work sometimes. I'm just gonna say that, not talking crap about anybody. And I see it all over the place. I mean, it's very easy to get sucked into other event life, other lives or other events in your life and step away and just be fully disconnected for hours. So it's something I'm entertaining. I'm not sure which way we're going to go. When you think of the L1 SOC analyst, should you consider moving to L? What? When do you. Oh, sorry. When do you think the L1 sock analyst should be? Cons should consider moving to the L2. Looking at the job descriptions for L2 honestly, what are other companies in your same space? Let's just say hypothetically you are soft analyst for a bank. I would go to LinkedIn and look at Sock Analyst Level 2. What are other banks in financial institutions doing as a prerequisite for an L2? And I'm not a huge fan of using, you know, the whole job bouncing and stuff like every six months in one year, freaking jumping jobs just because you got a higher title or something like that. Get out of here. That's like using AI for everything you're doing. You're gonna look, you're gonna lose your skills. But yeah, I would say what the industry. I'm a little removed from soc analyst, so I can't properly say if you meet this skill, this skill. But I will say I know enough. This say, what is your industry mentioning as a comparable L2? Right. And the only reason I say industry is because there are nuances to the financial infrastructure or financial banking in world. There's nuances to construction, there's nuances to manufacturing and even subpart Auto bill manufacturing, airplane manufacturing, you know, insert manufacturing here. Right. So using your industry as much as possible to make that correlation, what are again, what are other companies in your industry looking for in an L2 and if you can find out what your current company put as an L2 and maybe it was a job posting hypothetically three years ago. Well, things change, right? You know, go to the boss. Hey, you know, I've been, I've been really thinking, you know, that my role has really expanded and that I've got this knowledge base now and I'm able to do more and take on more and I've demonstrated that. I'll let you in on a little secret. Most businesses promote people who are already doing a job. Like you're already demonstrating it. You're already doing 80 to 90% of the job already and you're getting that promotion because you're already doing it. My personal experience. Right. Good. Whether it's good, bad or indifferent, they're doing the job. So most companies are going to hire or promote those in that aspect and being able to say, look, about three years ago you were looking for this, but you know, we, we really don't use these type of technologies. But I, you know, I'm not saying I'm trying to leave, but let's just say Volvo and Diamond Chrysler and whatever. You know, when I look at what they're doing and the requirements, don't talk about pay, but just say from the requirements that they are putting together for an L2, I believe I meet most of these things. I would love your thoughts on that. Would I meet level 2 SOC in this organization? And if not, why? What do I got to do to meet that requirement for you? Try to take the help me help you mentality as much as you can. Hopefully that helps. Do you know of any way to get hands on with Falcon? No, I haven't been able to use it yet, but I've been wanting to try it out. They don't offer like a free trial or anything like that that I know of. Like even their Falcon Go, you've got to be tied to an enterprise account for the home use and things of that nature. Unfortunately. It's definitely one of those. You've got to be in the business to have the experience. Unfortunately. Let's see. I think I've got all the questions answered. Let me check a dc cord, dysy dsy d cord, make sure mods are not. Oh, sorry Jerry, I'm seeing your messages now. My apologies. Yeah, noted, sir. If you're in the green room.

A (96:04)

I'm not sure.

B (96:04)

But anyway, I'll respond to you. All right, ladies and gentlemen, we are at the bottom of the hour. Thank you all so much for tuning in. I do greatly appreciate it. We'll see y' all next week. Take care all.

A (96:22)

Hey everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily cyber threat briefings 8am Eastern time as well as Thursday at 4:30pM we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.