What Is an Initial Access Broker — and Why Should You Care?

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we look at something most people I don't think have even heard

of, but definitely need to know about, and that's the initial access broker.

These are the bad folks that wanna break into your network,

but then just sell that access to whoever's willing to pay the most.

They pick your lock and then hand the keys to somebody else.

We have Dr. Mike Sailor from Black Swan Cybersecurity, my co-author and of

course, persona to help break down how these guys operate, how they get your

credentials, who buys them, and most importantly, what you can do to stop them.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over

30 years, ever since I had to tell my boss there were no backups of the

production database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host w Curtis Preston, AKA, Mr. Backup.

And I have with me Judge mc judger face Prasanna.

Molly Yondi.

How's it going?

Prasanna feeling a little judgy today.

Someone needs to judge you and make sure that you are doing the right things and

being most effective with your resources.

I, I, I really appre, I didn't realize that I had appointed

you CFO of my, you know.

uh, do you not know all the other things?

You're non-ad advisor, financial advisor, your non-medical health person.

Shall I continue going down the list?

Curtis?

I, I just, I'm just saying for those that care Okay.

Is that I just had like a five minute phone call with Prasanna

during which I felt very judged for starting a new cloud service.

The, a new AI based cloud service that I'm very excited

about, called Fixer, F-Y-X-E-R.

Um, anyway.

I'm just saying I felt very judged.

Anyway, I'm moving on.

Uh, we also have with us, uh, my, my co-author from the book,

right, right over my left shoulder.

And a blue team expert at Black Swan Cybersecurity.

We have Dr. Mike Sailor.

How's it going, Mike?

It is going well guys.

Thanks for having me

Oh.

Can you judge Curtis now too?

Just, just just start a conversation and I think Curtis needs

that sort of love all around.

sure.

I'll, I'll work that into the conversation.

I feel, I feel so judged.

Um, so today, um, we're gonna talk about, we talked about this a little bit, I

think in a previous episode, but, uh, it looks that like this topic comes up

enough that people just don't understand.

This, this entity or this type of, can we call it a business?

Mike?

Would you call it a business?

It's a business, right?

business.

Yeah.

And that is an initial access broker.

Um, so why don't you start with this story that you had, that you used in the book as

a case study about something that happened with one of your clients back in 2024?

Sure.

We had a client call and say, you know, someone broke into our stuff and we're

not sure how, because, uh, you know, we we're not seeing any failed login attempts

or weird logins from, from other places.

We'd call those risky logins.

Uh, so how did this happen?

And so it takes quite a while to analyze.

Even legitimate logins.

to figure out where the anomalies are.

so you narrow that down.

You find out, you know, who, who patient Zero might've been, and then you go,

you have to go talk to them because you don't have you don't have visibility

or access into their, their whole life, uh, and things they have access to.

But in that conversation, this employee, uh, it turned out and,

and they were very open, uh, and, and almost somewhat, uh, naive about

what they were telling us, which.

That's a whole other problem.

Uh, so this, this user, uh, we'll call them Bob.

Uh, Bob's like, I, I don't, I don't know how my account

could have been compromised.

I don't, I don't think I'm the one that caused this problem here at work.

Uh, but in discussion with him about just weird things that may have happened

over the last several months or year, uh, he says, now, now granted, this,

this event was happening, you know, October, November of a given year.

And talking to this employee, he says, oh yeah, back in like April, you know,

around Easter, my personal email account was compromised and I've just been

fighting with, with Google to, to maintain access to my account and control over it.

You know, I keep changing the password.

It keeps, keeps changing back.

They keep, you know, uh, my, my recovery email keeps changing.

And we thought, okay, well, well, tell us about how you.

How you use that personal account, is it really just like, you know,

uh, you use it when you sign up for stuff like a newsletter or you, you,

you go to Amazon, you buy something?

He said, yeah, I do all that.

Okay.

And, and by the way, this is normal interrogation techniques.

You, you ask the simple questions first.

you

build report, you get up to the the sticky questions.

And eventually I just said, so, you know, what others, what other type

of information do you do you store in your, in your personal account?

He goes, oh, well, everything.

And I said, yeah, like, like what?

Well, you know, I, uh, my, my work email and, and password, my bank information.

I said, okay, well, you know,

that's, that's probably

not good.

And, I said, okay, well, well talk to me about how you do that.

Did you have a question?

So I was like, alright, so how do you, how do you store that stuff in there?

Is it like in a spreadsheet?

Uh, is it a, is it a note to yourself?

Like a draft email?

He says, oh no, I created a Google Docs folder called passwords okay.

Uh, so, so that's what happened.

Uh, bad guys at some point compromised his account likely through phishing

or the compromise of some third party.

Uh, application or website.

'cause you know, it all trickles down and bad guys go for the, they want fish

in a big pond, then when they, when they catch fish out of the big pond, you

know, they cultivate that and see what they have access to and, and et cetera.

So it's all, it's all kind of interconnected.

But long story short, these bad guys are just, you know, going

through the neighborhood, looking for un unlocked doors or doors that

are easy to pick and, and open.

And once they identify those vulnerable and accessible.

Uh, organizations or, or houses in this analogy, that's what they sell.

They're like, Hey, I picked this lock.

I guessed that code.

I've opened this door.

I've established this, this access.

And that's what they're selling.

So they never go in the house.

They never steal anything.

They never use that, that access to, you know, for, for, um, extortion or,

Uh, solicitation or, or even fraud.

They're just gaining the access and selling it.

And

So they're hoping for large volume, I'm guessing at that point, right Where

for, yeah.

Or, or some, you know, exceptionally valuable access,

Gotcha.

like

Like a celebrity or a

right?

or a specific organization type of thing.

or, or a, um, a high value target.

Or like a, like an like an administrative account, for example, at a right.

Like if you

or

Yeah.

Critical infrastructure or something like that.

Yep.

Or a research institution.

We've, we've seen that over the last

Hmm.

Uh,

so this initial access broker found this credential folder sold

it and bad guys bought it and used the credentials to this, uh, this.

Subsequently this, this victim organization that,

that called us for help.

Um, and those bad guys use that access to commit their attack.

Now I'm guessing that these initial access brokers, probably gather up

thousands, tens of thousands, whatever large number of credentials or initial

sort of compromise points at these organizations or with these people.

But it's not like they're just selling it to a single individual, right?

they like take that same package and be like, Hey, I'm gonna sell it to you.

I'm gonna sell it to this other person.

I'm gonna sell it to this third person, where all these sort of buyers might have

access to the same sets of credentials.

so there is a bit of reputation here, believe it or not.

So if, if I had a hundred valid and, and backing up a little bit too.

So, so let's say, let's say bad guys found a, uh, a vulnerable organization, and

maybe that organization is a mobile app.

know, we all, we all downloaded it, you know, a million people downloaded this

mobile app we've created an account a lot of us being human

will use information that we coincidentally use in other places.

So, same password on this app that we use for our bank.

You know, horrible situation, but it happens.

Alright, so bad guys.

Compromise this mobile app.

They collect or harvest all of these, you know, million credentials.

If they want the true value out of those credentials, they

will go and validate them.

So out of a million, 90% still work.

So they can sell 90% of those.

They can either sell it as one big chunk, which is less likely.

What they'll probably do is analyze that data set and look for commonalities.

Like I've got out of, out of 900,000, I've got, um, a hundred thousand, uh.

Edu or, or military or public, public, uh, organization emails.

And they'll, they'll bundle that.

So there's some, you know, uh, relationship with that.

'cause that's sometimes how threat actors work.

They want to target something specific.

All right.

So they, they will bundle to some degree.

but then to your, to your question too, if I, if I sold, if I sold

900,000 to Curtis, would I also sell that same 900,000 to Prasanna?

Well, maybe.

Yeah, not likely because if you found out, because maybe Curtis used that

password, that account first, and something happened and it got locked

out, and that happened over a period of time, and then you go try to do it.

And now that now it's not, they're not valid accounts, right?

and so you can often find out that been sold more than once.

Well, then you're not gonna buy from that person again.

Right.

It's a reputation.

Yeah, and I think you had mentioned in a previous podcast episode, sort of if

it's like invalidated email addresses or whatever else, it might sell at

a lower cost sort of things that you know, have been validated and verified.

Interesting.

So very often, um.

Yeah, there's probably only a couple of, of different categories of initial access.

Like there's just normal like email addresses.

Um, there's remote access, and I think I might be getting ahead of, uh,

Curtis's, uh, uh, talking points here.

domain admin level credentials, and then, um, that would give us a, a

broad foothold within an organization.

Hmm.

So those range from $10.

account for just email all the way up to a hundred thousand

plus for an entire organization.

Well, it, it would be, it would be like email and a password.

Right.

Or email in a way to authenticate right.

And, and that's right.

So sometimes these happen in combination because of

multifactor authentication, right.

So maybe I've got, um, a company credential.

And then the multifactor goes to a personal email.

So if I can, if I can, as an initial access broker, put

those two pieces of valuable

Hmm.

together, I can sell that for more money.

Which again, why you don't use email as a method, as

multifactor authentication factor.

Um, so yeah, that's interesting.

I hadn't thought about that.

The, the people could be able to, again, you, this is their job, right?

This, their, their entire, their, uh, I'm gonna mispronounce

this, but the ra, uh, right.

Um.

better.

Um, yeah, the reason for being right.

Um, and so they figured out ways to increase the value of the

different, um, user IDs that they're trying to access, right?

So if they can say, here's Curtis and here's, and we know that Curtis uses

his email address as, um, you know, as is multifactor, then, um, you know,

these two go together and that makes that that package worth even more.

Uh, that's very interesting.

Okay.

So we've talked about so far, primarily username and password,

uh, and perhaps a, you know, a pairing of of of email addresses.

What other access methods might, uh, an IAB sell?

I.

Uh, so it could be information like how to access something.

So that could be, uh, IP address plus port number plus.

Service plus, you know, protocol, uh, plus, the necessary like VPN client.

Hmm,

so information is also, uh, considered access if that's what's

necessary to conduct the access.

So for that one, Mike, would it also be, as an example, say a threat actor

is like, okay, I discovered something new in VMware, or take a software stack.

And so would IAPs be responsible then, or potentially be like, Hey, let me scour

the internet, find all of the public facing VMware servers that are running

X version and give you back a list.

Is that something an IAB would potentially.

so that, that, that's a little higher level.

Okay.

what, what they would do in that case.

So I, as an example, um, let's just say the Fortinet, you know, zero

days that came out that allowed us to, attack a firewall and gain a

foothold and, and all that good stuff.

It would be very easy to run a,

an internet script to find all those vulnerable Fortinet firewalls.

What an internet access broker would do is start to go one by one and

actually exploit that vulnerability.

To gain the access, and then they would sell that persistent access.

So that's not a credential, that's access, it's, it's, it's a live thread.

Maybe it's running on a, running from a, you know, a,

um, a leased server or botnet.

That's what they would then sell.

So instead of credentials, it's a live, it's a live, uh, a

Remote access.

Yep.

So that's a, a vulnerability that was exploited.

Right.

Um, and there's a, there's a whole group of people that they discover

these vulnerabilities, right?

And then these guys watch.

For the announcement of these vulnerabilities and they're like, okay,

we're gonna go scan for open, whatever.

Right.

Um, and so, so we talk about again, email, password, and now

vulnerabilities of particular services.

Um, any, anything else that there might be selling.

So it could be a compromised machine.

So, you know, let's say someone that, that writes

they get paid for malware.

Someone that wants to, um, gain access to a computer might buy the malware

and hire or conduct phishing exercises.

Right.

So

now someone clicked on the email that got the, that,

Um.

had the malware in it, and now I've got access to a computer

within an organization.

Um, so instead of access at the perimeter, I've got access the internal

network and now I can sell that.

So the IB itself writes malware in that case deploys it, if you will,

and then sells to other people, Hey, I have access to this particular

computer within the organization.

So very similar to like an ev uh, uh, a traditional burglar, right?

They're gonna break into a building.

They've got all these different tools.

They've got, you know, something that can fuzz a camera.

They've got something that can pick a lock or disable alarm systems or social

engineer somebody into letting them in the building pretending to be a vendor,

uh, that now has access to the building to deliver a package that, you know.

So if you, if you kind of think of it in real world terms.

Uh, it is that, um, that burglar, that, that can into a building and, and

facilitate, uh, access to something.

And that's what they're selling.

So they never, they never leave with anything of value.

Uh, they don't, they don't, they don't steal anything.

corrupt anything.

They don't manipulate anything.

They just create the access, or sell the access.

And, you know, another on the, on the delivery part.

'cause we've, we've done, when, when companies hire us to do red teaming,

we've done some creative things too.

One of the creative things that we did was we, we custom configured an iPhone.

This was a long time ago.

Uh, we custom configured an iPhone.

'cause we couldn't, we couldn't gain access through the, the

perimeter of the company.

And it was, it was fairly well guarded as far as a campus goes.

we did is we configured an iPhone and we shipped it to them.

it sat in their mail room turned on, and we hacked their wireless network

from an iPhone gained access to their network over the, the cell cellular

data network through the iPhone.

And so you think of a, um, uh, kind of an out of band, um, access attack,

uh, things like that are, are.

You know, few and far between, but you know, bad guys are creative.

another thing that you could do is, um, as far as the supply chain goes,

is if you know they're ordering a bunch of computers, configure a computer,

brand new, you know, go buy a brand new Dell and put your malware on it.

They did this with picture frames a long time ago.

I don't know if y'all remember that, those

L-E-L-C-D picture frames, they came custom, custom built with malware.

Um.

that they could spy on you and do other weird stuff, but,

I would think I, I would think that with these, these, I, you

know, you talked about that.

They're business, they're going after the stuff.

I, I'm wondering the, the type, the type of stuff you're talking about right there.

It, it seems a a lot more targeted,

mm-hmm.

and where you say, I want to attack this company.

Right.

Um, and so I'm gonna do whatever it is I need to do.

Right.

Um, I'm gonna, you know, like you said, send in and we, we did a whole episode

on this, by the way of, uh, do you remember what the title of that was?

Prasanna?

That there was a whole episode about like creating devices that you put in

there, you know, um, it was a while ago.

Um, but the.

The, the seems very targeted and, and almost personal.

Is that something an IAB would do is, or is that like a

different type of organization?

Uh, it is.

And to your point though, um, or, or maybe to touch on that a little more

is that I, I Bs or, or access brokers operate in a, a few different ways.

Uh, or anything.

I guess it also depends on the threat actor, but so we can.

As an IAB, we can search the internet, right?

For, for weaknesses and, and what's out there.

Sometimes an IAB just buys credentials from someone else that hasn't validated

them, so then I'm gonna go validate them

and resell them as valid credentials.

They do the same thing with credit cards and, PI, I like social security numbers

and so on, but the other part of that is I can asano as a, as a. Uh, a more

involved threat actor, maybe I'm gonna go hire an access broker to find the

access I need to a particular target.

So that

would be more targeted.

So I wanna, I want to break into this defense contractor.

I'm gonna hire an IAB to figure out the best way to do that, and

then sell me the access they get.

So we had talked on a previous podcast episode about.

ransomware as a service.

Mm-hmm.

And so do these ransom as a service organizations also have their own IAB

as an offering within that package, or do they typically sort of contract

with other IABs that exist to gain that initial foothold and then,

or foothold and then they start?

Yeah, it depends.

Uh, some, some threat actors have a, a whole enterprise

that, that does everything.

You know, you're just, you're in the IAB department.

Uh, but then

So bonkers.

others, others will go out and source information based on the,

the, the, requirements or the need.

So you could hire me as a ransom, as a service, um, threat actor.

Part of that onboarding or, or that discussion will be determining if, if you

have a target or a particular objective.

If so, then I can go source that, you know, I, I've got my Rolodex of

bad guys and I'll, I'll go find a. Access broker that can help me with

whatever your particular needs are.

If not, then I'll just go buy a, a blind list off the dark web for,

you know, whatever, because you've already paid me my money as a, as a

service.

Um, I'm not, I'm not too concerned if all that information's been validated or not.

Gotcha.

So let's talk about some of the ways that this happens, right?

So with the stolen credentials, uh, is this primarily phishing?

Um, and, and similar activities?

It's not.

Um, so when to collect, um,

I,

to be most effective at collecting credentials, you're gonna go after a

source that has a lot of credentials.

okay.

and so like shiny hunters is a threat actor group that's active right now,

and they've been active for a while.

And their claim to fame, um, is I believe one of the largest data

compromises in history, part of it.

Uh, it may have been them in another group working together, but what

they, what they've done is, again, realizing that we're all human and

we reuse information all the time.

Instead of attacking your phone or your bank or your email

for the one at, you know, one at a time type of value,

they've gone to, uh, mobile apps and third party apps that are

really just for entertainment.

Realizing that an entertainment app's not gonna have as much

security as a banking app.

And so if I can go and compromise that.

A company that built that game, like talking Tom as an example.

if I can compromise that and get access to the millions of people that have

signed up for that app over time, very likely, high percentage wise.

Uh, and, and I've actually got a chart for this that I did several years ago, so it's

dated, but I think it's representative, the vast majority of credentials used

in third party apps, mirror identically.

to the credentials people use at work, not just, not just the

password, but also the email.

So they didn't sign up for talking Tom with their personal email.

They signed up for it with their military email or their edu or whatever, and

Why.

password because you know what?

We're lazy and it's just easy.

Well, and, and also, I mean, doesn't that also mean that there's some

vulnerability And I, you know, you started by saying that, that, that that

app possibly is not as security focused, but this means that if they're getting

the username and password, that means that there's also vulnerability in how

they're storing the passwords, right?

Because you normally, you're gonna get salted and hashed passwords, right?

This wouldn't be within the app.

This would be the.

Uh, an attack on the data store in the backend at the company.

So they're not attacking the app, they're attacking the company.

that makes sense.

But again, the same concept applies, right?

That, that perhaps they didn't use the best cybersecurity when

storing the, when creating the, the backend infrastructure, right?

Right.

Well, and, and I know a little bit about the mobile app.

Ecosystem and you know, it's all, you know, how much, how much can I make with,

you know, doing as little as possible.

And with AI these days, I mean it's, it's crazy, but a lot of those

apps aren't focused on security because there's really no security.

And, and the only reason they're asking for credentials is so they can track

you as a user to push advertising to you, which is how they make their money.

Uh, so they're, they're not security focused at all.

Um.

So, yeah, it's, it's usually pretty, pretty easy, or, or it has been, uh,

to compromise those, those software companies to get access to the data.

All right, so you've got this, this, you're going after these third party apps

and sites and whatnot to get credentials.

Uh, and that, I get that because that's gonna be like a large

source of a, of a large number of, you know, names and passwords.

Uh, and then after that, is this now where we're talking about things like phishing.

Nope.

Oh, you're killing me.

on the

Really?

Okay.

harvesting

I, it's just, we talk about it so much.

Well, so phishing is, is, uh, it's usually for delivery, um, or, or affiliate, um,

Oh, I see what you're saying.

Getting you, getting you to download the, the, the, um, the payload.

Right.

Yep, yep.

Okay.

All right.

Or, or to, to redirect you to a website.

So an affiliate gets paid,

Yeah.

site or something

Okay.

All right.

That's why we talk about it so much.

All right.

Um.

so when you think about phishing, um, and, and I mentioned this uh, in a prior

episode too, and, and the numbers have changed, but it's, it's relatively,

and so I'm just gonna say around, but give or take, you know, maybe 5%.

The success rate at phishing is, is around 22%.

The success rate at, you know, collecting a million.

by attacking a low security third party app developer is pretty high.

Hmm.

Yeah.

that's disheartening.

Okay.

If so, if, if phishing isn't next, what is next?

After the, going after the giant database of username and

password, what's next after that?

those would be the onesie, twosie large organizations.

Um, but it, it, it's all the same strategy.

It's how many, you know, the, the one to many.

Strategy, how many, how many of these one, you know, singular attacks will result

in this, know, volume of credentials?

you know, I'm not gonna attack a small company with 10 employees.

I'm gonna attack a large company with a thousand employees or 200,000 employees.

Um, and so the access broker then is going to strategize on the best

way to do that is that, maybe I get hired there, so now I'm an insider.

Um, and I just, you know, steal all the, you know, the, the password

database, the SAM database, or I go to work for a, uh, IT support company.

And now, so that's one to many, right?

So I'm an, I'm an MSP that supports multiple clients, and so I have access

into all these different environments,

Yeah, there, there was a few years ago, there was that, uh, service

provider for dentists, right?

That, um, that they got hacked and then basically you had access

to all these dentists, right?

Yep.

And so, um, you know, that, that remote access, you know, the, um, remote desktop

access, uh, into those environments in.

Yeah, there is a problem with that too, because a lot of

times it's the same password.

So as a support company, you know, maybe I'm supporting Curtis's

Company and Prasannas company.

My, my credentials to log into your environments are the same.

Ugh.

We see that a

That's just wrong.

Uh, you brought up, you brought up my ears.

P picked up or picked up there, I heard remote desktop.

RDP is like my favorite, uh, tool to pick on from a, from a, you know, please

stop using this the way you're using it.

You want to talk about that a little bit.

So RDP and, and there's

Wait, and by the way, that's the, that's the, I call it the

ransomware deployment protocol, but it's the Remote Desktop Protocol.

So.

Copyright pending.

has some inherent issues that they've gotten better over time.

I mean, back in the day, uh, when an admin RD would use RDP to a server,

you could capture those keystrokes live across the network, and just replay it.

Uh, but.

in general is, is a pretty insecure protocol, uh, on its own.

Well, what we've seen a lot and, and bad guys understand this too, is, is cis

admins are using RDP across the internet, uh, when connecting in to, to do remote

support after hours or on the weekends.

You know, I don't wanna drive to the office and do this.

I can just RDP.

And so, I mean, it's, it's, it's not a good solution, um, for remote

support, but we still use it.

Or in, actually, even in environments where we don't use it, that service

is still turned on and available.

And so

And, and of, and accessible via the internet, which is just wrong.

All kinds of wrong, right?

yep.

So if, if you haven't, if you haven't customized your firewall to prevent

certain protocols like RDP or FTP or Telnet through your firewall,

um, yeah, that's, that's something bad guys will find pretty quick.

There's a search engine, and I don't think we've, we've talked about it, but

there is a search engine called Show Dan.

Hmm.

and you know, there's free accounts and then there's, you know, the

premium accounts, but you can search for any vulnerability,

anything you're looking for.

Shodan has already mapped, the internet, the entire world internet.

Uh, so when a new vulnerability comes out, you can go shodan and go, Hey, show

me, show me all these Fortinet firewalls,

and it will show you all of them what ports are open and

what services are running.

And yeah,

It is scary.

if you're.

If you're not maintaining good hygiene, someone's gonna, someone's

gonna suggest you buy some deodorant.

Um, so I, I like, you know, basically stolen credentials from various,

the, the, the one, it, it just kills me the, the statement you made, and

I, and I know that, and I guess I shouldn't be surprised the idea that.

People use the same username and password, you know, everywhere, right?

Um, and especially across personal and, um, you know, um, corporate, right?

Um, and you know, we all know that we, you should not be having

RDP publicly accessible, uh, you know, via the internet, right?

Um, there are other ways to do that.

Um.

What, c Can you think of other ways that they're grabbing?

Uh, and, and by the way, that's just in general, I'd say any remote access

thing like that, that isn't designed to be publicly accessible shouldn't be.

So I, I, I'm looking at a list of of concerns and I see web shells.

You wanna talk about that a little bit?

So a web shell is, you know, well first of all, a shell is, is like a command prompt.

So if you can, we call it pop in a shell.

So you can get root, you know, shell level access to a computer, uh, a command line,

uh, which is usually more effective than, than the normal interface that we're,

we're accustomed to clicking around and opening folders and that kind of thing.

So shell access, is that c prompter or admin prompt.

Uh, the web shell is, is just access to a web-based environment.

So whether that's, like a cloud infrastructure like Azure

or AWS, or it could be that, that cloud-based system, uh, so maybe

your, your financial system or your, your ERP is cloud hosted or, uh.

Your, your bank account or, or whatever it is, your bank system, inventory systems.

And so the web shell or web session would be a compromise of how that, that system,

that, that website, that web portal, that web infrastructure, uh, uh, authenticates.

So it's you, you stole someone's session cookies, and you can replay those or,

or, or copy them or re uh, or sell them.

Or it's, um, uh, persistent access.

So for example, if I sit at Starbucks with my, my rogue wireless access point

that says, Starbucks, this, this, you know, 5G plus, so you're gonna use that

one 'cause it's faster than regular 5G.

Or I knock everybody off of the Starbucks one and they rejoined my fake one.

Uh, and now all of that traffic is flowing through my fake.

A access point.

And I can capture, especially if I am, I'm watching you.

'cause I'm sitting next to you at Starbucks and you're logging

into your bank or, that website.

Uh, I know traffic as it's flowing and I can capture that stuff and

potentially replay it, uh, or hijack it.

And so now I'm, I'm in your session and I kick you off.

And now it's just me.

Uh, so there's a lot you can do.

Over the internet, uh, whether you're, we, we've call some of those man in

the middle attacks where you started it, and I can see where you're going.

I inject myself in the middle and, and manipulate traffic or, or replay traffic.

Uh, so those are types of things you can do, but at the end of the

day, it's what, what can I do to get me access to something that's

valuable enough for me to resell

and.

The other question you mentioned about other things that, that they sell, um,

and some of 'em based on vulnerabilities.

So vulnerabilities in, you know, Cisco VPN or Fortinet, VPN or Citrix, or,

uh, some of these insecure protocols.

Uh, again, it's just spending the time to do the research to figure out who's,

who's vulnerable to these things.

Validating it by actually compromising the security through

a vulnerability or, or known.

Um, known method, establishing some persistent access there and selling it.

Yeah, so philosophical question, or maybe theoretical.

If so, ransomware is prevalent, right?

The number of attacks right, have gone through the roof.

If we focused all the efforts on eliminating IABs, would

that make a difference?

Nope.

It'll just make the other threat actors have to work harder.

'cause right now they're just outsourcing it.

You know, it's like being a general contractor.

You don't do all the work.

You find the subcontractors to, to make your life easier and you just put money.

You just, you know, you mark it up.

Yeah,

Yep.

Yeah, it's like the, yeah.

the IABs go away, then you just bring everything in-house.

Well, and that's the way it used to be.

Um, everybody was kind of siloed in their, in their profession.

Uh, they, they were less capable because they were more focused

on their skillset and their.

Um, their, their preferred attack methods and that kind of thing.

And so then, uh, you know, as, as the, the criminal, cyber, criminal organ,

uh, ecosystem grew, uh, you, you started having these kind of like cyber

criminal conferences and we got to know each other and, uh, what can you do

and how can we work better together?

And so there was a little bit of, uh, you know, entrepreneurial, you know, uh,

demarcation, uh, uh, activities going on.

So now you've got this.

Uh, almost, uh, diversification.

So, and, and, and there was at the same time a, a bit of, integration, uh, uh,

physical security and cybersecurity.

People that were really good at breaking into buildings and social engineering

people and extorting them in real life.

Uh, can now work with cyber, uh, and, and to the benefit of one or the other.

so now you've got, you know, a, a more dynamic, multi-layer threat.

Um, but yeah, uh, once, once the bad guys started to recognize other bad guys and

their skillsets, they started to go, well,

I know, I know Bob, Bob, the bad guy knows how to do that better than me, and I'm.

Yeah, I can imagine that once you, you know, you get really good, if you're

really good at like getting credentials and gaining access and stuff, you know,

you're like, Hey, I'm just gonna do this.

Um, I actually know one of those, uh, entry guys by the way.

Um, that does physical, uh, penetration testing.

Um, basically his job is to get into a room where he's not supposed

to be and then, uh, take a, take a selfie and then get the hell out.

Um.

Yep.

But, um, so we're, we're, we're kind of getting a little longer

than I, than I had intended.

Let's talk about like, the things that we can do.

I think we've, we've, if you've been listening, if you've been paying

attention, obviously please don't, for the love of God, don't use the

same password everywhere, right?

Um, and, and the more sensitive the thing is, the more that thing

needs to have its own password.

I mean, everything should have its own password, needs to be using

password managers, but whatever, you know, let's, please don't use.

The same password, you know, sensitive stuff.

Right.

Um, and then also don't put RDP accessible via the internet.

Uh, what was that?

Prasanna

Patching

and patching.

Yeah.

And, and you know, vulnerabilities as they are, they're going

to continue to, to happen.

Monitor the CBSS, like for the full, for the, uh, the CVEs, for the

vulnerabilities for your environment.

Um, and, you know, I can think of a, there was, the big story that

we covered with Rackspace a few years ago where they were attacked.

Simply because they didn't on a timely basis, patch a, uh,

an advertise vulnerability.

And with, you know, within a matter of days, uh, the, you know, the bad guys

were in their environment and it destroyed their entire hosted exchange environment.

Um, that was a bad, bad story.

You have any other, um, takeaways, Mike, in terms of,

you know, dealing with these iab.

So change your credentials as soon as you think they're compromised.

Don't wait until your employer calls and asks about your personal life.

Uh, don't store your credentials in plain text anywhere.

use a, use a scheme for, you know, hints, you know, to help

you remember what the password is.

Don't write your password down.

Use a password manager if you can.

Uh, and don't use coincidental passwords.

I did find the data I

What's a, what's a coincidental password, by the way?

so a coincidental password is, or even credentials, is something that

you use in more than one place.

So.

If I use, I love my dog at work.

I don't use, I love my dog anywhere else.

Alright.

Uh, I did find the, I was talking about where the, the data was, uh, compromised.

So in 20, 20, 30 7 billion records were compromised, which is more

than the prior six years combined.

And it was primarily one, uh, and at the, at the time, it was

the largest data breach ever.

Over 80 million emails and PII records.

And it was conducted by shiny hunters, uh, who then sold 564 million record

bundle, uh, which was compromised across 49 different databases.

and they sold for roughly 10 they broke it into three buckets

and sold it for $10,000 each.

But out of, out of 564 million records, 1.12 million.

Were unique email addresses related to where that person worked.

So

That's not good.

s and p, one hundred.gov, dot edu, et cetera.

Um, all right.

Any final thoughts on ibs?

Turn it off when you're not using it.

Turn what off?

When you're not using it?

Everything.

anything?

Yep.

All right.

All right.

All right.

Well, thanks a lot.

Thanks for being on Mike.

Anytime.

Thanks for being on Prasanna,

I

Judgey.

All right.

That is a wrap.